by Manuel Oetiker <moetiker@ee.ethz.ch>
Group Policies (GPOs) are not scriptable, yet it is possible to set
thousands of settings by clicking with the mouse. We did not find a
tool to back up GPOs and import them again after a crash. The only
possibility is to restore the Active Directory and the GPOs together,
but this helps only if you want to restore an entire server.
We would like to have a tool that syncs a configuration file with a
GPO. At the moment we manually write a description of what we have
changed in a GPO; this requires a lot of discipline from everybody
involved.
There are now VBScripts from Microsoft which allow some kind of
backup:
http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicy.asp
savepol (Backup)
loadpol (Restore)
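The backup the text wishes for can be scripted with the GroupPolicy PowerShell module (RSAT, Windows Server 2008 R2 and later), which did not exist for the Windows 2000 setup described here. The following is an added example, not code from the page or from Microsoft's savepol/loadpol scripts; the backup folder C:\GPO-Backups, the domain name and the GPO name general-settings are assumptions. It writes one binary backup per GPO plus a readable XML report, so that two runs can be diffed to see what changed, which is the change log the text keeps by hand.

```powershell
# Added example (not from the original page): back up every GPO of the domain to a
# dated folder and export an XML report of each one. Requires the GroupPolicy module.
Import-Module GroupPolicy

$Root   = 'C:\GPO-Backups'                         # assumed backup location
$Stamp  = Get-Date -Format 'yyyy-MM-dd_HHmm'
$Target = Join-Path $Root $Stamp
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# One backup per GPO. Backup-GPO returns one GpoBackup object per GPO, carrying the
# backup Id, the GpoId and the DisplayName.
$backups = Backup-GPO -All -Path $Target -Comment "Scheduled backup $Stamp"

# Next to the binary backup, write a report per GPO. The report is what you diff
# against the previous run; it also records where the GPO is linked, which the
# backup itself does not contain.
foreach ($b in $backups) {
    $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $b.GpoId -ReportType Xml -Path (Join-Path $Target "$safeName.xml")
}
"Backed up $($backups.Count) GPOs to $Target"

# After a crash there are two cases:
# 1. The GPO object still exists and only its settings were damaged:
#    Restore-GPO -Name 'general-settings' -Path $Target
# 2. The GPO itself is gone (e.g. a rebuilt domain): recreate it from the backup.
#    Import-GPO copies settings only; the links to OUs must be recreated by hand
#    or from the LinksTo section of the XML report.
#    Import-GPO -BackupGpoName 'general-settings' -TargetName 'general-settings' `
#               -Path $Target -CreateIfNeeded
```

Run it from a scheduled task on a management box that has RSAT installed; the account only needs read access to the GPOs for the backup, and write access (Group Policy Creator Owners or a delegated right) for the restore lines.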
We use Group Policies primarily for application deployment. It is very
important to set up a good structure for your GPOs from the start. Once
you have hundreds of PCs running it is very hard to change
anything.

First I will describe how we have set up our Active Directory system.
[root]--[hades]
           |
           [Builtin] (Builtin groups)
           |
           [Computers]
           |
           [Domain Controllers]
           |
           [ ee ]----------[biwi] (Computer and User)
           |               |
           |               [isg] (Computer and User)
           |               |
           |               [dept]----[zhadum] (Terminal Server OU)
           |               |
           |               [....]
           |
           [plain] (Computers for msi repackage)
           |
           [Policy Store] (Location of all Group Policies)
           |
           [Users] (Builtin users)
We created three main OUs (Organizational Units). The [ee] OU
represents our department (Electrical Engineering). The [plain] OU holds
the machines with a minimal set of applications; we use these boxes to create MSIs.
[Policy Store] is for Group Policies: we use this OU to store all our policies and from
there link them into the appropriate OUs. Under the OU [ee] we have
further OUs for each of the labs.

A single GPO can contain settings for all sorts of things: security, application deployment, you name it.
In order to keep the complexity at a manageable level, we keep one or more GPOs for each kind of setting:
general-settings (settings for all OUs)
server-settings-[name] (settings for a Terminal Server)
software-assigned (all assigned software)
software-published (all published software)
client-software-assigned (all assigned client software)
client-software-published (all published client software)

Under Start --> Programs --> Administrative Tools --> Active Directory Users and Computers,
right-click on Policy Store, go to Properties and click the Group Policy tab. New creates
a new policy. After this the GPO is created with default settings and looks like:
[general-settings] hades@charon
|
[Computer Configuration] ------> [Software Settings]
|                                [Windows Settings]
|                                [Administrative Templates]
|
[User Configuration] ----------> [Software Settings]
                                 [Windows Settings]
                                 [Administrative Templates]
We decided to create all GPOs in the same OU so we know where they are; in fact it has
no effect on the functionality. You can link a GPO to an OU by opening the property dialog
and clicking the Add button in the Group Policy tab. The linked GPO is now active for all objects
below this point. In our AD we linked the settings on the [ee] OU and block all inherited settings on the
OU of a terminal server (zhadum) because a terminal server needs other settings. This made
it possible for us to have a quite simple setup.
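The GPO layout of the two preceding sections (one GPO per kind of setting, all created at [Policy Store], the shared ones linked at [ee], inheritance blocked at the terminal server OU) can be built and, more importantly, verified with the GroupPolicy PowerShell module. This is an added example and not part of the original page; the domain DN DC=hades,DC=example, the position of the OUs (Policy Store and ee directly under the domain, zhadum under dept under ee) and the name server-settings-zhadum are assumptions.

```powershell
# Added example (not from the original page): the GPO structure described in the
# text, expressed with the GroupPolicy module. All distinguished names are assumed.
Import-Module GroupPolicy

$Domain      = 'DC=hades,DC=example'
$PolicyStore = "OU=Policy Store,$Domain"
$EeOu        = "OU=ee,$Domain"
$ZhadumOu    = "OU=zhadum,OU=dept,OU=ee,$Domain"

# One GPO per kind of setting. Each is created and first linked at [Policy Store], an
# OU that contains no computers or users, so that link has no effect and only marks
# where the GPO "lives" (the same trick the text uses with the ADUC dialog).
$names = 'general-settings', 'software-assigned', 'software-published',
         'client-software-assigned', 'client-software-published'
$existing = Get-GPO -All | ForEach-Object DisplayName
foreach ($n in $names) {
    if ($existing -notcontains $n) {
        New-GPO -Name $n | New-GPLink -Target $PolicyStore -LinkEnabled Yes | Out-Null
    }
}

# Link the shared settings at [ee]; from here they apply to every object below it.
foreach ($n in 'general-settings', 'software-assigned', 'software-published') {
    New-GPLink -Name $n -Target $EeOu -LinkEnabled Yes | Out-Null
}

# The terminal server OU gets its own settings: block what comes from above and
# link a server GPO directly.
Set-GPInheritance -Target $ZhadumOu -IsBlocked Yes | Out-Null
New-GPO -Name 'server-settings-zhadum' |
    New-GPLink -Target $ZhadumOu -LinkEnabled Yes | Out-Null

# Check what actually reaches zhadum. A link marked Enforced higher up ignores the
# block and still shows in InheritedGpoLinks, so this list is the one to read after
# every change at [ee] or the domain.
$inh = Get-GPInheritance -Target $ZhadumOu
"Inheritance blocked on $($inh.Path): $($inh.GpoInheritanceBlocked)"
"Linked here:"
$inh.GpoLinks          | Select-Object DisplayName, Enabled, Enforced, Order
"Still inherited (enforced links only, if the block works):"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enabled, Enforced, Order
```

The last block is the part worth keeping in a regular check: blocking inheritance protects the terminal server only against non-enforced links, so an enforced link added later at [ee] or at the domain silently reaches zhadum again.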

We have two types of software deployment.
Computer Assigned Software
This software is assigned to the computers and gets installed after the computer is started.
There is no way for a user to change anything. We assigned the software that everybody needs.
The icons of the software are installed in the Start menu of all users.
Now, after one year of use, we realized that this is a very bad idea for a big package like
Office. We would like to update Office now, but this means updating all clients in one big go.
As you can imagine, with all the profiles and other stuff this is a high risk: if something
breaks, we have 100 users with this problem in one step. At the moment we do not
use "assigned software" any more.
Office ( Word .. )
Virus Protection
Compression Utility
Editor
Mail Client
Document Viewer
User Published Software
This software gets installed by the user: in the Control Panel under Add/Remove Programs, software
packages can be installed by the user. The installation process runs without questions or
user intervention. All icons of the software are installed in the Start menu of that user.
This has the strange effect that if another user wants to use the same software on
this computer he has to install the software again. We would like to have computer-published
software, so that once a software package is installed on a computer all users on this computer could use
it, but this is not possible with W2K. But what can you expect from a broken concept?

In the Microsoft Management Console (MMC) it is possible to save views. We made
a view with bookmarks on the software section of every GPO. We can now add and remove
software in these GPOs without searching for the GPOs through the whole AD tree.

We use appmgr to save a list of the currently installed user-published applications and then
restore the selected set of applications on the same or on a different machine.
This is useful if we have to reinstall a Windows machine. Normally the user wants the same
applications installed as before.
2001-05-25  mo  Initial Version
2001-05-26  to  Spell and Wording update
2002-11-21  mo  add information about assigned and backup thanks (Dirk)
2006-02-22  dr  add chapter about the appmgr