
20411B-ENU-TrainerHandbook.pdf
Administering Windows Server® 2012 6-3

What Are ADM and ADMX Files?

ADM Files
Traditionally, ADM files have been used to define the settings that an administrator can configure through Group Policy. Each successive Windows operating system and service pack has included a newer version of these files. ADM files use their own markup language. Therefore, it is difficult to customize ADM files. The ADM templates are located in the %SystemRoot%\Inf folder.

A major drawback of ADM files is that they are copied into every GPO that is created, and consume about 3 megabytes (MB) of space. This can cause the System Volume (SYSVOL) folder to become very large and increase replication traffic.

ADMX Files
Windows Vista® and Windows Server® 2008 introduced a new format for displaying registry-based policy settings. These settings are defined by using a standards-based XML file format known as ADMX files. These new files replace ADM files.

Group Policy tools on Windows Vista and newer operating systems, and Windows Server 2008, continue to recognize the custom ADM files that you have in your existing environment, but ignore any ADM file that ADMX files have superseded. Unlike ADM files, ADMX files are not stored in individual GPOs. The GPO Editor automatically reads and displays settings from the local ADMX file store. By default, ADMX files are stored in the Windows\PolicyDefinitions folder, but they can be stored in a central location.

ADMX files are language neutral. The plain language descriptions of the settings are not part of the ADMX files. They are stored in language-specific ADML files. This means that administrators who speak different languages, such as English and Spanish, can look at the same GPO and see the policy descriptions in their own language, because they can each use their own language-specific ADML files. ADML files are stored in a subfolder of the PolicyDefinitions folder. By default, only the ADML language files for the language of the installed operating system are added.

Migrate Classic Administrative Templates to .ADMX
ADMX Migrator is a snap-in for the Microsoft® Management Console (MMC) that simplifies the process of converting your existing Group Policy ADM templates to the new ADMX format and provides a graphical user interface for creating and editing Administrative Templates. You can download the ADMX Migrator from the Microsoft Download website at http://go.microsoft.com/fwlink/?linkID=270013.

6-4 Managing User Desktops with Group Policy

The Central Store

For domain-based enterprises, you can create a central store location of ADMX files, which anyone with permission to create or edit GPOs can access. The GPO Editor on Windows Vista and Windows Server 2008 (or newer) automatically reads and displays Administrative Template policy settings from ADMX files that the central store caches, and then ignores the ones stored locally. If the domain controller is not available, the local store is used.

You must create the central store, and then update it manually on a domain controller. The use of ADMX files is dependent on the computer’s operating system where you are creating or editing the GPO. Therefore, the domain controller can be a server with Windows 2000 or newer. The File Replication Service (FRS) will not replicate the domain controller to that domain’s other controllers. Depending on your server operating system and configuration, you can use either FRS or Distributed File System Replication (DFS-R) to replicate the data.

To create a central store for .admx and .adml files, create a folder that is named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies.

For example, to create a central store for the Test.Microsoft.com domain, create a PolicyDefinitions folder in the following location: \\Test.Microsoft.Com\SYSVOL\Test.Microsoft.Com\Policies.

A user must copy all files and subfolders of the PolicyDefinitions folder. The PolicyDefinitions folder on a Windows 7–based computer resides in the Windows folder. The PolicyDefinitions folder stores all .admx files and .adml files for all languages that are enabled on the client computer.

Note: You must update the PolicyDefinitions folder for each service pack and for other additional software, such as Microsoft Office 2010 ADMX files.
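
The central store procedure above as a PowerShell sketch, added here as an example (it is not part of the original courseware): it creates the PolicyDefinitions folder under SYSVOL, copies the local .admx files and language subfolders, and lists .admx files that are missing from the store or older than the local copy. Taking the domain name from $env:USERDNSDOMAIN and the three function names are assumptions.

```powershell
# Added example: build the ADMX central store and report drift against a reference machine.
# Assumptions: run by an account that can write to SYSVOL\<domain>\Policies, on the
# machine whose local PolicyDefinitions folder is the version you want to publish.

function Get-CentralStorePath {
    param([string]$DomainFqdn = $env:USERDNSDOMAIN)
    # Pattern from the text: \\FQDN\SYSVOL\FQDN\Policies\PolicyDefinitions
    return "\\$DomainFqdn\SYSVOL\$DomainFqdn\Policies\PolicyDefinitions"
}

function Publish-CentralStore {
    param(
        [string]$Source      = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Destination = (Get-CentralStorePath)
    )
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    # Copies the .admx files and every language subfolder (en-US, es-ES, ...) with
    # its .adml files. -Force overwrites what is already in the store, so publish
    # only from the machine with the newest templates.
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Compare-CentralStore {
    param(
        [string]$Source      = (Join-Path $env:SystemRoot 'PolicyDefinitions'),
        [string]$Destination = (Get-CentralStorePath)
    )
    # Report local templates that the central store lacks or holds in an older version.
    Get-ChildItem -LiteralPath $Source -Filter *.admx -File | ForEach-Object {
        $target = Join-Path $Destination $_.Name
        if (-not (Test-Path -LiteralPath $target)) {
            [pscustomobject]@{ File = $_.Name; State = 'MissingInCentralStore' }
        }
        elseif ((Get-Item -LiteralPath $target).LastWriteTimeUtc -lt $_.LastWriteTimeUtc) {
            [pscustomobject]@{ File = $_.Name; State = 'OlderInCentralStore' }
        }
    }
}

# Check first, publish, then confirm that nothing is reported any more.
Compare-CentralStore | Format-Table -AutoSize
Publish-CentralStore
Compare-CentralStore | Format-Table -AutoSize
```

Running Compare-CentralStore on its own after a service pack or an Office ADMX update shows which templates still need to be copied.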

Discussion: Practical Uses of Administrative Templates

Spend a few minutes examining the Administrative Templates, and consider how you could employ some of them in your organization.

Be prepared to share information about your organization’s current use of GPOs and logon scripts, such as:

How do you provide desktop security currently?

How much administrative access do users have to their systems?

Which Group Policy settings will you find useful in your organization?

MCT USE ONLY. STUDENT USE PROHIBITED.

Demonstration: Configuring Settings with Administrative Templates

Group Policy editing tools in Windows Server 2012 provide several functionalities that ease configuration and management of GPOs. In this demonstration, you will review these options.

A disadvantage in the Group Policy editing tools in previous Windows versions is the inability to search for a specific policy setting. With thousands of policies to choose from, it can be difficult to locate exactly the setting you want to configure. The Group Policy Management Editor in Windows Server 2012 solves this problem for Administrative Template settings. You now can create filters to locate specific policy settings.

Filter Policy Settings for Administrative Templates

To create a filter:

1. Right-click Administrative Templates, and then click Filter Options.

2. To locate a specific policy, select the Enable keyword filters check box, enter the words with which to filter, and then select the fields within which to search.

You also can filter for Group Policy settings that apply to specific versions of Windows, Windows Internet Explorer®, and other Windows components.

Unfortunately, the filter only applies to settings in the Administrative Templates nodes.

Filter Based on Comments
You also can search and filter based on policy-setting comments. Windows Server 2012 enables you to add comments to policy settings in the Administrative Templates node. To do so, double-click a policy setting, and then click the Comment tab.

It is a best practice to add comments to configured policy settings. You should document the justification for a setting and its intended effect. You also should add comments to the GPO itself. Windows Server 2012 enables you to attach comments to a GPO. In the Group Policy Management Editor, in the console tree, right-click the root node, click Properties, and then click the Comment tab.

How to Copy GPO Settings
You can copy and paste entire GPOs in the Group Policy Objects container of the GPMC, so that you have a new GPO with all settings of the source GPO.

To transfer settings between GPOs in different domains or forests, right-click a GPO, and then click Back Up. In the target domain, create a new GPO, right-click the GPO, and then click Import Settings. You will be able to import the settings of the backed up GPO.


Demonstration Steps

Filter Administrative Template policy settings

1. On LON-DC1, open the Group Policy Management console.

2. Create a new Group Policy Object (GPO) named GPO1.

3. Open GPO1 for editing.

4. Locate the User Configuration, Policies, Administrative Templates node.

5. Filter the settings to display only those that contain the keywords screen saver.

6. Filter the settings to display only configured values.

Add comments to a policy setting

1. Locate the Personalization value from User Configuration\Policies\Administrative Templates\Control Panel.

2. Add a comment to both the Password Protect the screen saver and Enable screen saver values.

Add comments to a GPO

Open the GPO1 policy root node, and then add a comment to the Comment tab.

Create a new GPO by copying an existing GPO

Copy GPO1, and then paste it to the Group Policy Objects folder.

Create a new GPO by importing settings that were exported from another GPO

1. Back up GPO1.

2. Create a new GPO called ADATUM Import.

3. Import the settings from the GPO1 backup into the ADATUM Import GPO.
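
The comment, copy and backup/import steps of this demonstration can also be scripted with the GroupPolicy PowerShell module that is installed with the GPMC. The following is an added example, not part of the original courseware; GPO1 and ADATUM Import are the names used in the demonstration, while the GPO1 Copy name, the C:\GPOBackup folder, the comment texts and the Get-GpoPolicyState helper are assumptions.

```powershell
# Added example: comment, copy, back up and import a GPO, then check the result.
Import-Module GroupPolicy

$backupDir = 'C:\GPOBackup'                      # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Comment on the GPO itself (the Comment tab of the GPO root node).
$gpo = Get-GPO -Name 'GPO1'
$gpo.Description = 'Screen saver lock settings; justification and intended effect go here'

# Copy within the domain: a new GPO with all settings of the source GPO.
Copy-GPO -SourceName 'GPO1' -TargetName 'GPO1 Copy' | Out-Null

# Back up GPO1 and import the backup into a new GPO.
# Across domains or forests, security principals and UNC paths stored in the GPO
# may need translating; Import-GPO accepts a -MigrationTable file for that.
$backup = Backup-GPO -Name 'GPO1' -Path $backupDir -Comment 'Source for ADATUM Import'
Import-GPO -BackupId $backup.Id -Path $backupDir `
           -TargetName 'ADATUM Import' -CreateIfNeeded | Out-Null

# Hypothetical helper: list "policy name = state" for the Administrative Template
# settings found in a GPO's XML report (element names matched without namespaces).
function Get-GpoPolicyState {
    param([Parameter(Mandatory)][string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    $report.SelectNodes("//*[local-name()='Policy']") | ForEach-Object {
        $policy = $_.SelectSingleNode("*[local-name()='Name']").InnerText
        $state  = $_.SelectSingleNode("*[local-name()='State']").InnerText
        "$policy = $state"
    }
}

# Verify that the import carried every configured setting across, and nothing else.
$source  = @(Get-GpoPolicyState -Name 'GPO1')
$target  = @(Get-GpoPolicyState -Name 'ADATUM Import')
$missing = @($source | Where-Object { $target -notcontains $_ })
$extra   = @($target | Where-Object { $source -notcontains $_ })

if ($missing.Count -or $extra.Count) {
    $missing | ForEach-Object { "Only in GPO1:          $_" }
    $extra   | ForEach-Object { "Only in ADATUM Import: $_" }
} else {
    'Administrative Template settings match.'
}
```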


Lesson 2

Configuring Folder Redirection and Scripts

In Windows Server 2012, you can use GPOs to deploy scripts to users and computers. You also can redirect folders that are included in the user’s profile to a central server. These features enable you to configure the users’ desktop settings more easily and, where desirable, create a standardized desktop environment that meets your organizational needs.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe folder redirection.

• Explain the settings available for configuring folder redirection.

• Describe security settings for redirected folders.

• Explain how to configure folder redirection.

• Describe Group Policy settings for applying scripts.

• Explain how to configure scripts by using Group Policy.

What Is Folder Redirection?

You can use the Folder Redirection feature to manage data effectively, and optionally, back up data. By redirecting folders, you can ensure user access to data regardless of the computers to which the users sign in. Folder redirection has the following characteristics:

• When you redirect folders, you change the folder’s storage location from the user computer’s local hard disk to a shared folder on a network file server.

• After you redirect a folder to a file server, it still appears to the user as if it is stored on the local hard disk.

• You can use the Offline Files technology in conjunction with redirection to synchronize data in the redirected folder to the user’s local hard drive. This ensures that users have access to their data if a network outage occurs or if the user is working offline.

• Users that sign in to multiple computers can access their data as long as they can access the network share.

• Offline folders allow users to access their data even if they disconnect from the local area network (LAN).

• Data that is stored on servers in network shares is backed up.

• Roaming profile size can be reduced greatly by redirecting data from the profile.


Settings for Configuring Folder Redirection

In a GPO, the following settings are available for folder redirection:

• None. None is the default setting. Folder redirection is not enabled.

• Basic. Basic folder redirection is for:

o Users who must redirect their folders to a common area.

o Users who need their data to be private.

• Advanced. You can use Advanced redirection to specify different network locations for different Active Directory® security groups.

• Follow the Documents folder. Follow the Documents folder redirection is available only for the Pictures, Music, and Videos folders. This setting makes the affected folder a subfolder of the Documents folder.

Target Folder Locations for Basic and Advanced Settings

If you choose Basic or Advanced, you can choose from the following target folder locations:

• Create a folder for each user under the root path. This option creates a folder in the form \\server\share\User Account Name\Folder Name. For example, if you want to store your users’ desktop settings in a shared folder called Documents, on a server called LON-DC1, you could define the root path as \\lon-dc1\Documents.

Each user has a unique path for the redirected folder to ensure that data remains private. By default, that user is granted exclusive rights to the folder. In the case of the Documents folder, the current contents of the folder are moved to the new location.

• Redirect to the following location. This option uses an explicit path for the redirection location. It causes multiple users to share the same path for the redirected folder. By default, that user is granted exclusive rights to the folder. In the case of the Documents folder, the current contents of the folder are moved to the new location.

• Redirect to the local user profile location. This option moves the location of the folder to the local user profile under the Users folder.

• Redirect to the user’s home directory. This option is available only for the Documents folder.

Note: After the initial creation and application of a GPO that delivers folder redirection settings, users require two logons before redirection takes effect. This is because users will sign in with cached credentials.

Question: Users in the same department often sign in to different computers. They need access to their Documents folder. They also need data to be private. What folder redirection setting would you choose?


Security Settings for Redirected Folders

You must create and configure the permissions manually on a shared network folder to store the redirected folders. However, folder redirection also can create the user’s redirected folders.

Folder permissions are handled as follows:

When you use this option, the correct subfolder permissions are set automatically.

If you manually create folders, you must know the correct permissions. The slide illustrates these permissions.
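
Where the permissions on the root folder were set by hand, a quick audit shows whether a broad group can reach into other users' redirected folders. The following is an added example, not from the original courseware: it lists the ACEs on a redirection root that give a broad group rights which user subfolders inherit. The function name, the root path (the \\LON-DC1\Redirect share of the demonstration that follows) and the list of broad group names are assumptions to adapt.

```powershell
# Added example: flag NTFS permissions on a folder-redirection root that would let
# broad groups read or change other users' redirected data.
function Get-RiskyRedirectAce {
    param(
        [Parameter(Mandatory)][string]$RootPath,
        # Assumed list of "everyone-like" principals; extend it for your domain.
        [string[]]$BroadPrincipals = @(
            'Everyone', 'NT AUTHORITY\Authenticated Users',
            'BUILTIN\Users', 'ADATUM\Domain Users')
    )

    # An ACE reaches the per-user subfolders only if it is inheritable.
    $inheritable = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

    # Rights that expose or alter content once inherited by a user's folder.
    $sensitive = [System.Security.AccessControl.FileSystemRights](
        'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership')

    # Inherit-only ACEs may carry generic rights (GENERIC_READ/WRITE/EXECUTE/ALL),
    # which live in the top four bits and appear as a bare number: mask 0xF0000000.
    $genericMask = -268435456

    (Get-Acl -LiteralPath $RootPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $BroadPrincipals -contains $_.IdentityReference.Value -and
        ($_.InheritanceFlags -band $inheritable) -and
        ( ($_.FileSystemRights -band $sensitive) -or
          ([int]$_.FileSystemRights -band $genericMask) )
    } | Select-Object IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
}

# ACEs that apply to "this folder only" (for example, the right to create one's own
# subfolder) and the inheritable CREATOR OWNER entry are not reported.
# An empty result means no broad group inherits into the user folders.
Get-RiskyRedirectAce -RootPath '\\LON-DC1\Redirect' | Format-Table -AutoSize
```

The check covers NTFS permissions only; share-level permissions, such as the Everyone Read/Write share created in the demonstration, are evaluated separately and the more restrictive of the two applies.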

Demonstration: Configuring Folder Redirection

This demonstration shows how to:

• Create a shared folder.

• Create a GPO to redirect the Documents folder.

• Test folder redirection.

Demonstration Steps

Create a shared folder

1. On LON-DC1, create a folder named C:\Redirect.

2. Share the folder to Everyone with Read/Write permission.

Create a GPO to redirect the Documents folder

1. Open the Group Policy Management console. Create a GPO named Folder Redirection, and then link it to the Adatum domain.

2. Edit the Folder Redirection GPO.

3. Configure the Documents folder properties to use the Basic - Redirect everyone’s folder to the same location setting.

4. Ensure that the Target folder location is set to Create a folder for each user under the root path.

5. Specify the root path as \\LON-DC1\Redirect.

6. Close all open windows on LON-DC1.

Test folder redirection

1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Check the properties of the Documents folder. The path will be \\LON-DC1\Redirect.

3. Sign out of LON-CL1.

Group Policy Settings for Applying Scripts

You can use Group Policy scripts to perform a number of tasks. There may be actions that you need to perform every time a computer starts up or shuts down, or when users sign in or sign off. For example, you can use scripts to:

• Clean up desktops when users sign out, and shut down computers.

• Delete the contents of temporary directories.

• Map drives or printers.

• Set environment variables.

Scripts that are assigned to the computer run in the security context of the Local System account. Scripts that are assigned to the user who is logging on run in that user’s security context.

Other Group Policy settings control aspects of how scripts run. For example, if multiple scripts are assigned, you can control whether they run synchronously or asynchronously.

You can write scripts in any scripting language that the Windows client can interpret, such as VBScript, JScript, or simple command or batch files.

Note: In Windows Server 2008 R2 and Windows Server 2012, the user interface (UI) in Group Policy Editor for Logon, Logoff, Startup, and Shutdown scripts provides an additional tab for Windows PowerShell® scripts. You can deploy your Windows PowerShell script by adding it to this tab. Windows Server 2008 R2, Windows Server 2012, Windows 7, or Windows 8 can run Windows PowerShell scripts through Group Policy.

Scripts are stored in shared folders on the network. You need to ensure that the client has access to that network location. If clients cannot access the network location, the scripts fail to run. Although any network location stores scripts, as a best practice, use the Netlogon share because all users and computers that are authenticated to Active Directory Domain Services (AD DS) have access to this location.

For many of these settings, using Group Policy preferences is a better alternative to configuring them in Windows images or using logon scripts. Group Policy preferences are covered in more detail later in this module.

Demonstration: Configuring Scripts with GPOs

This demonstration shows how to:

• Create a logon script to map a network drive.

• Create and link a GPO to use the script, and store the script in the Netlogon share.

• Sign in to the client to test the results.

Demonstration Steps

Create a logon script to map a network drive

1. On LON-DC1, launch Notepad, and then type the following command:

Net use t: \\LON-dc1\Redirect

2. Save the file as Map.bat.

3. Copy the file to the clipboard.

Create and link a GPO to use the script, and store the script in the Netlogon share

1. Use the Group Policy Management console to create a new GPO named Drivemap, and then link it to the Adatum.com domain.

2. Edit the GPO to configure a user logon script.

3. Paste the Map.bat script into the Netlogon share.

4. Add the Map.bat script to the logon scripts.

Sign in to the client to test the results

1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$word.

2. Verify that the drive is mapped.

3. Sign out of LON-CL1.

Lesson 3

Configuring Group Policy Preferences

In previous Windows Server versions, you could not use Group Policy to control common settings that affect the user and computer environment, such as mapped drives. Typically, these settings were delivered through logon scripts or imaging solutions.

However, Windows Server 2012 includes the Group Policy preferences built-in to the GPMC, which enable settings such as mapped drives to be delivered through Group Policy. Additionally, you can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer that is running Windows 7 or Windows 8. This allows you to deliver many common settings by using Group Policy.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe Group Policy preferences.

• Identify the differences between Group Policy settings and preferences.

• Describe Group Policy preference features.

• Explain how to configure settings by using preferences.

What Are Group Policy Preferences?

Group Policy preference extensions include more than 20 Group Policy extensions that expand the range of configurable settings within a GPO. You now can use preferences to apply a number of settings that had to be applied by scripts in the past, such as drive mappings.

Group Policy preferences are supported natively on Windows Server 2008 and newer versions, and on Windows Vista Service Pack 2 (SP2) and newer versions. You can download and install client-side extensions (CSEs) of Group Policy preferences for Windows Server 2003, Windows XP Service Pack 3 (SP3), and Windows Vista Service Pack 1 (SP1) to provide support for preferences on those systems.

Examples of the new Group Policy preference extensions include:

• Folder Options

• Drive Maps

• Printers

• Scheduled Tasks

• Services

• Start Menu

Configuring Group Policy preferences does not require any special tools or software installation, but they are natively part of the GPMC in Windows Server 2008 (and newer), and are applied in the same manner as Group Policy settings, by default. Preferences have two distinct sections: Windows Settings and Control Panel Settings.
