Tuesday, November 30, 2010

Best Practice in Group Policy Management

When using Group Policy Objects (GPO), what is the best practice for using it? I come many times at customers with a lot of policies, and most of the times people don't know what to do with it. This because new settings are needed, and everytime there will be a new policy created. When this proces goes on for years, nobody knows the reason for all these policies anymore. But what's the best practice for using it then? I will explain that, and also talk about other products for managing policies!

Group policies are exists a long time now. First there were the local policies, then group policies became available. It became even better when the Group Policy Management Console (GPMC) was available. Now there was truly management of all the policies. Today there is also an extension available. When using Group Policy Preferences (GPP) there will be also new Windows and Control Panel settings available to manage. With that the need of a login script isn't necessary anymore. And the good news is, it's free of use!

Best Practices of Group policies are:

- Don't create a new policy for every new setting you want to use (only for testing purposes)
- Minimize the number of policies, for faster logons (less files) and easy management
- Create a user policy and disable the computer part of it (screenshot)
- Create a computer policy and disable the user part of it (screenshot)
- For policies with an extra ADM file (imported in Administrative templates), create a separate policy for easy management (screenshot)
- When putting user settings on computer objects, use Loopback processing mode with the merge or replace option (screenshot)

How to disable user or computer policy settings (2 ways):
  1. Right-click the name of the GPO, and click Properties. Click Disable Computer Configuration settings or Disable User Configuration settings.
  2. Right-click the name of the GPO, and click GPO Status. Click Disable Computer Configuration settings or Disable User Configuration settings. 

Import a ADM file in Administrative Templates:
  1. Right-click on Administrative Templates in the GPO, and choose for Add/Remove Templates.
  2. Click Add and search for the ADM file to import. (this file will be copied to the Sysvol folder after that) 

Usage of User Group Policy loopback processing mode:

This setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. By default, the user's Group Policy objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies.

To use this setting, select one of the following modes from the Mode box:
  • "Replace" indicates that the user settings defined in the computer's Group Policy objects replace the user settings normally applied to the user.
  • "Merge" indicates that the user settings defined in the computer's Group Policy objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy objects take precedence over the user's normal settings.
If you disable this setting or do not configure it, the user's Group Policy objects determines which user settings apply.


Download Group Policy Management Console (GPMC):

The Group Policy Management Console is the easiest way for managing Group Policies. For using it there are different ways to follow:

  1. For Windows Server 2003 (and Windows XP) you must download and install it from the following URL: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en
  2. For Windows Server 2008 you need to add it manually using the Server Manager: Add Features. After that GPMC has been installed, and you can find it as normal in the Administrative Tools.
  3. For Windows 7 you must download the Remote Server Administration Tools (RSAT) from the following URL and install it: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7d2f6ad7-656b-4313-a005-4e344e43997d&displayLang=en
    After that GPMC has been installed, and you can find it as normal in the Administrative Tools.
Managing Group Policy Preferences (GPP) settings:

This extension of Group Policy Objects (GPO) allows the use of a logon script is less applicable. Default settings like Drive Mappings, Printers, Start Menu items and Shortcuts can now be assigned with Preferences, allowing the establishment as a whole it looks easier. The configuration of Group Policy Preferences is as follows. When opening the Group Policy Management Console on a Windows 2008 server, not just the policies are shown, but also the preferences will be shown.


Here you will have the choice for configuring all new Windows and Control Panel settings available. With the Targeting Editor you can even control on which condition the new Preferences will be become active. There are many types of Targeting possible, example: Computer Name, IP Address Range, Organizational Unit, Security Group or WMI Query.

Best practice for these are creating new GPO's and placing the Preferences settings in that. All you need is a Windows Server 2008 (R2) or Windows 7 or Vista for managing the preferences. You don't need a Windows 2008 domain level for Preferences!

For more information about Preferences, download the following white paper: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=42E30E3F-6F01-4610-9D6E-F6E0FB7A0790

Managing GPO's with Advanced Group Policy Management:

Microsoft Advanced Group Policy Management (AGPM) is a component of the Microsoft Desktop Optimization Pack (MDOP). AGPM increases the capabilities of the Group Policy Management Console (GPMC), providing:

- Standard roles for delegating permissions to manage GPO's to multiple Group Policy administrators.
- An archive to enable Group Policy administrators to create and modify GPO's offline before deploying them to a production environment.
- The ability to roll back to any previous version of a GPO.
- Check-in/check-out capability for GPO's to ensure that Group Policy administrators do not overwrite each other's work.

Some features include:
  • Offline editing of GPO's
  • Difference reporting and audit logging
  • Recovery of a deleted GPO (Recycle Bin) <- Nice feature!
  • Repair of live GPO's
  • Creation of GPO template libraries
  • Subscription to policy change e-mail notifications
  • Version tracking, history capture, and quick rollback of deployed changes
  • Role-based administration (Editor, Reviewer, Approver)
  • Change request approval

I hope you have enough information about Group Policy Management by now! Check my blog regular for more information about GPO's.

And remember: Always create a back-up when deleting GPO's! When restoring them settings and rights will be restored again.

Wednesday, November 17, 2010

Useful Information from TechEd 2010 Berlin

Last week I was at TechEd 2010 in Berlin. With 6,000 delegates the event was sold out! It was a nice week with lots of useful information about Management and Windows Client (my favourite tracks). There were many companies with further additions for ConfigMgr (software catalog, mobile devices, self service portal, etc.). The sessions I've done are about the following products:
  • Deployment (best practices, issues, etc.)
  • ConfigMgr 2007 and v.Next (2012)
  • MDOP (Advanced Group Policy Management 4.0)
  • Migrate Windows XP to Windows 7
  • Windows Embedded (WES2009 and WES7)
  • MS Deployment Toolkit (MDT) 2010
  • Forefront Endpoint Protection (FEP) 2010
  • Group Policy Objects (and Preferences) 
  • MS Enterprise Desktop Virtualization (Med-V) v2
 

Useful information about Configuration Manager:
  • The name for the next release of ConfigMgr, will be System Center Configuration Manager 2012. The 2012 release will be User Centric instead of Device Centric. The product is currently in Beta 1; Beta 2 is expected to be released around H1 2011.
  • New for the user in ConfigMgr 2012 is, the Software Catalog portal on the workplace. With the Software Catalog portal you can easily search for new software and install (or request) the software on your computer.
  • There will be more support for mobile devices in ConfigMgr 2012. Not only support for Windows Mobile 6.x, but also for Android 2.2.2, iOS 4.0, Symbian 3.3.3 and Windows Phone 7. Maybe more to come!?
  • You can deploy WES2009 and WES7 in WDS, MDT 2010 and ConfigMgr 2007 on Embedded devices. With ConfigMgr 2007 there is also support for using Task Sequences.
  • Forefront Endpoint Protection (FEP) 2010 will be fully integrated with ConfigMgr 2012. You only need one console to manage your clients!
  • Choose which installation you want on different kind of devices in ConfigMgr 2012 (e.g. MSI-based on fat clients and App-V packages on Tablet devices. (works great!)
  • In ConfigMgr 2012 there is Delegation of control by default. No need for selecting functionalities by yourself! Also the ConfigMgr console shows only the information which you may see, so it's custom by default!
  • There is an Hotfix available for solving duplicate drivers issues in ConfigMgr 2007: (no more troubleshooting on driver packages)! http://support.microsoft.com/kb/2213600 
  • There is an Exchange Server connector build in ConfigMgr 2012 for managing Windows Phone 7 devices! Maybe more to come!?
  • With Collection membership rules, you can put subcollections in other collections for managing deployments and distributions.
  • You can set overall ConfigMgr client settings, for pushing new settings to all clients at once! (handle with care)
  • With Med-V v2 there will be ConfigMgr integration! It will be fully manageable with ConfigMgr, which will simplify overhead and management for IT professionals.

Useful information about Group Policy (Preferences):
  • With Advanced Group Policy Management 4.0 you can compare settings between GPO's. Also Delegation of control is possible (decide which GPO's you may see or change). And there is an History function in it, so you can go back to older versions of a GPO.
  • Another nice thing in Advanced Group Policy Management 4.0 is the Recycle bin, where all deleted GPO's will be saved for some time. Because everything will be tracked in the program, it's easy to see which administrator has done some changes in it.
  • New in version 4.0 is the search option (for searching GPO's, not in GPO's) and multiforest support. There is also support for Preferences and AppLocker!
  • When troubleshooting Group Policies, search for the userenv.log (for errors) on Windows XP or the GPO log (Event Viewer) on Windows 7.
  • There is a nice tool for troubleshooting Windows Vista & 7, called Group Policy Log View. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=BCFB1955-CA1D-4F00-9CFF-6F541BAD4563&amp%3Bdisplaylang=en 
  • Look on Jeremy Moskowitz site for more info:

Useful information about other deployment tools:

Handy URL's for best practice in deployments are:

Next year on TechEd 2011 and MMS 2011/2012 there will be more information about ConfigMgr 2012, and all new functionality in it!

Wednesday, November 3, 2010

Using Multicast functionality in ConfigMgr

By default ConfigMgr 2007 Operating System Deployment (OSD) is deploying in Unicast. Every deployment or software distribution will be bit by bit transferred to the device. With ConfigMgr 2007 R2, and specific configuration, Multicast is also possible. Then you can deploy maybe 50 or 100 devices at a time, without the data (bits) being transferred to every device for itself. It's good to know that you have a few possibilities in Multicast, and it's only working in WinPE mode. So what's the advantage of it, with Software distribution in the Task Sequences?

When you talk about Multicast in ConfigMgr R2, there are two types of it. There is a Autocast and Scheduled Multicast possibility. I will describe them both, and explain the differences between them.

Autocast: With Autocast the deployment will start on the first device. When you deploy another device (or more than one) the stream will also be transferred to the other device(s). When the first one is finished, the other device(s) must only pick the other bits for completion. The only thing you have to do for Autocast functionality, is enable Multicast. (screenshot)

Scheduled Multicast: With Scheduled Multicast the deployment will wait for a few minutes or number of clients. The deployment will then start when one of the two conditions are met. The idea behind this, that you have more time to prepare your devices. With this type of deployment the bitstream wil go once over the network, to all your machines that are ready! (screenshot)

For Multicast to get it working, there is a Distribution Point and the Transport server in Windows Deployment Services (WDS) needed. When both are installed and enabled on a Windows 2008 Server, the configuration in ConfigMgr 2007 will take place.

Distribution point: In the ConfigMgr Distribution Point properties you must enable the setting "Allow clients to transfer content from the distribution point using BITS, HTTP and HTTPS". Also on the Multicast tab you must enable the "Enable multicast" setting. Have also a look on the Transfer rate possibility. Ideally this must be set to 100 Mbps or 1 Gbps for a good transfer speed.


When you also want to make use of Scheduled Multicast, you must enable the setting "Enable scheduled multicast" and set the Session start delay (# minutes) and the Minimum session size (# clients). When one of two are met, the deployment will be started (one bitstream).


Image deployment: When you want a succesfull Multicast deployment, the default WIM image must also be Multicast enabled. Open the properties of the WIM image (example: Windows XP SP2), and enable the setting "Allow this package to be transferred via multicast". You can also see here that Multicast functionality is only possible with WinPE (so during the first part of deployment).


When you don't want any Unicast deployment, enable also the setting "Transfer this package only via multicast". Then you are sure that Multicast will be used! Because this will only works in WinPE, there isn't any need to enable this setting on your Software packages. Now there only must be set an advertisement to get it work.

Advertisement: In the advertisement enable the setting "Download content locally when needed by running task sequence". When this is set on: "Access content directly from a distribution point when needed by the running task sequence", Multicast deployment will not work.


Deployment: These are some pictures displayed during deployment. The first one is captured during deployment in Autocast; the second one is captured during Scheduled Multicast.



Because Multicast works only in WinPE mode, you have the choice to put your applications in the default WIM image. Not installing them, but only put the source in it. Then you are still flexible, and make use of full Multicast functionality! Otherwise a part of the installation will be in Multicast, and the other part (applications) will not.

In the Task Sequence don't add your packages with "Install Software", but choose for "Run Command Line". Then put in there the command which is normally placed in Programs - Command Line, for unattended installation. For get it working place the location (e.g. C:\Apps) before the command, and the application will be installed from the local source.

That's all about Multicast for now!