NMA

Practical 23 Manage Desktop Configuration using

group policy and remote installation services.

Group Policy Collection:Group Policy is an infrastructure that allows you to implement

specific configurations for users and computers. Group Policy
settings are contained in Group Policy objects (GPOs), which are
linked to the following Active Directory directory service containers:
sites, domains, or organizational units (OUs). The settings within
GPOs are then evaluated by the affected targets, using the
hierarchical nature of Active Directory. Consequently, Group Policy is
one of the top reasons to deploy Active Directory because it allows
you to manage user and computer objects.
Group Policy is one of a group of management technologies,
collectively known as IntelliMirror management technologies, which
provide users with consistent access to their applications,
application settings, roaming user profiles, and user data, from any
managed computereven when they are disconnected from the
network. IntelliMirror is implemented through a set of Microsoft
Windows features, including Active Directory, Group Policy, Software
Installation, Windows Installer, Folder Redirection, Offline Folders,
and Roaming User Profiles.
This collection includes detailed information about each of the
following areas of Group Policy:
Core Group Policy
Group Policy Components
Group Policy Administrative Tools
This page introduces Group Policy management concepts and
architecture, summarizes the areas included in the Group Policy
collection, and describes Group Policy scenarios.
Group Policy Management
Administrators face increasingly complex challenges in managing
the IT infrastructure. You must deliver and maintain customized
desktop configurations for more types of workers such as mobile
users, information workers, or others assigned to strictly defined

NMA
tasks, such as data entry. Security settings and updates must be
delivered efficiently to all the computers and devices in the
organization. New users need to be productive quickly without costly
training. In the event of a computer breakdown or disaster, service
must be restored with a minimum of data loss and interruption. All
of these tasks, known collectively as Change and Configuration
Management, must be achieved at the lowest possible cost. You
need to be able to implement change quickly and affect large
numbers of users and computers. Group Policy is the infrastructure
that allows you to implement change on the object level in Active
Directory.
You need to be able to define configurations once and rely on the
operating system to enforce that state. With Active Directory, GPOs
can be linked to sites, domains, and OUs, allowing Group Policy
settings to be applied to users and computers. In addition, GPOs can
be used to help manage server computers, through many serverspecific operational and security settings. This infrastructure
provides a high degree of flexibility, allowing you to customize
configurations, such as delivering a specific piece of software to
specialized users based on their membership in an OU. In addition,
the Group Policy Management Console (GPMC) simplifies
implementation and management of Group Policy.
Group Policy Architecture
Group Policy uses a document-centric approach to creating, storing,
and associating Group Policy settings. Similar to the way in which
Microsoft Word stores information in .doc files, Group Policy settings
are contained in GPOs. A GPO is a virtual object; policy-setting
information is stored in two locations: the Active Directory container
to which the GPO is linked, and the Sysvol on the domain controller.
Group Policy is configured primarily through the use of two tools:
Group Policy Object Editor, (previously known as the Group Policy
snap-in, Group Policy Editor, or Gpedit) and Group Policy
Management Console (GPMC), available for download from the
Microsoft Web site. Whereas Group Policy Object Editor is used to
configure and modify settings within GPOs, GPMC is used to create,
view, and manage GPOs. Group Policy architecture is shown in the
following diagram, which shows how the primary components
interact through read or write access. Components are described in
the figure below.
Group Policy Architecture

NMA

Group Policy Components

Component

Description

Server (Domain
Controller)

In an Active Directory forest, the domain controller is a serve

of the Active Directory database, participates in Active Direc
access to network resources.

Active Directory

Active Directory, the Windows-based directory service, store

network and makes this information available to users and n
Administrators link GPOs to Active Directory containers such
that include user and computer objects. In this way, Group P
to users and computers throughout the organization.

Group Policy
object (GPO)

A GPO is a collection of Group Policy settings, stored at the d

consisting of a Group Policy container (GPC) and a Group Pol
which contains information on the properties of a GPO, is sto
domain controller in the domain. The GPT contains the data

NMA
Sysvol in the /Policies sub-directory. GPOs affect users and
sites, domains, and OUs.
Sysvol

Sysvol is a shared directory that stores the server copy of th

are replicated among all domain controllers in the domain. T
GPO: the GPT, which includes Administrative Template-based
settings, script files, and information regarding applications
installation. It is replicated using the File Replication Service

Local Group
Policy object

The local Group Policy object (local GPO) is stored on each in

hidden %systemroot%\System32\GroupPolicy directory.
Windows 2000, Windows XP Professional, Windows XP 64-Bit
Center Edition, or Windows Server 2003 has exactly one loca
the computers are part of an Active Directory environment.
Local GPOs do not support certain extensions, such as Folde
Software Installation. Local GPOs do support many security s
Settings extension of Group Policy Object Editor does not su
local GPOs. Local GPOs are always processed, but are the lea
Directory environment, because Active Directory-based GPO
Although you can configure local GPOs on individual comput
Policy can only be realized in a Windows Server network with
addition, some features and Group Policy settings require cli
Windows XP.

Group Policy
Object Editor

Group Policy Object Editor is a Microsoft Management Conso

edit GPOs. It was previously known as the Group Policy snap
Gpedit.

Server-Side
Snap-Ins

The MMC snap-in is loaded, by default, in Group Policy Objec

extensions provide the user interface to allow you to configu
client-side extensions implement the actual policy settings o
Snap-in extensions include Administrative Templates, Scripts
Installation, Folder Redirection, Remote Installation Services
Disk Quotas, Wireless Network Policy, and QoS Packet Sched
extended. For example, the Security Settings snap-in include
Developers can also create their own MMC extension snap-in
to provide additional Group Policy settings.

Client-Side
Extensions

Client-side extensions (CSEs) run within dynamic-link librarie

implementing Group Policy at the client computer. The follow

NMA

default, in Windows Server 2003:

Administrative Templates, Wireless Network Policies, Folder R
Packet Scheduler, Scripts, Security, Internet Explorer Mainte
Installation, and IP Security.
Group Policy
Management
Console (GPMC)

GPMC is a new tool designed to simplify implementation and

consists of a new MMC snap-in and a set of scriptable interfa
The Group Policy Management Console provides:

A user interface based on how customers use and man

on how the technology is built.
Import/Export, Copy/Paste, and searching of GPOs.

Simplified management of Group Policy-related securit

Reporting (printing, saving, read-only access to GPOs)
Policy (RSoP) data.
Backup/Restore of GPOs.

Scripting of GPO operations that are exposed within thi

settings within a GPO).
Resultant Set of
Policy (RSoP)
snap-in

The Resultant Set of Policy (RSoP) snap-in is an MMC snap-in

Policy implementation and troubleshooting. RSoP uses Wind
Instrumentation (WMI) to determine how Group Policy settin
computers. For RSoP functionality, it is recommended to use
GPMC.

Winlogon

A component of the Windows operating system that provide

Winlogon is the service in which the Group Policy engine run

Group Policy
engine

The Group Policy engine is the framework that handles comm

client-side extensions including scheduling of Group Policy a
relevant configuration locations, and filtering and ordering o

File System

The NTFS file system on client computers.

NMA
Registry

A database repository for information about a computers co

contains information that Windows continually references du
1. Profiles for each user.

2. The programs installed on the computer and the types

create.
3. Property settings for folders and program icons.
4. The hardware on the system.
5. Which ports are being used.

The registry is organized hierarchically as a tree, and it is ma

subkeys, hives, and entries. The Group Policy engine has rea
Registry.
Registry settings can be controlled via the Group Policy Adm
Event Log

The Event log is a service, located in Event Viewer, which re

security, and application logs. The Group Policy engine has w
client computers and domain controllers. The Help and Supp
has read access to the Event Log.

Help and
Support Center

The Help and Support Center is a component on each compu

on the Group Policy settings currently in effect on the compu

Resultant Set of
Policy (RSoP)
infrastructure

All Group Policy processing information is collected and store

Model Object Management (CIMOM) database on the local co
as the list, content and logging of processing details for each
tools using WMI.
In logging mode (Group Policy Results), RSoP queries the CIM
computer, receives information about the policies and displa
(Group Policy Modeling), RSoP simulates the application of p
Directory Access Service (GPDAS) on a domain controller. GP
of GPOs and passes them to virtual client-side extensions on
results of this simulation are stored to a local CIMOM databa
before the information is passed back and displayed in GPMC

WMI

WMI is a management infrastructure that supports monitorin

NMA

resources through a common set of interfaces and provides

model of Windows operation, configuration, and status.
WMI makes data about a target computer available for admi
include hardware and software inventory, settings, and confi
example, WMI exposes hardware configuration data such as
manufacturer, as well as software configuration data from th
Active Directory, the Windows Installer service, networking c
data. WMI Filtering in Windows Server 2003 allows you to cre
These queries (also called WMI filters) determine which user
the policy configured in the GPO where you create the filter.
Core Group Policy
This subject explains Group Policy infrastructure including how the
Group Policy engine controls policy processing, including retrieval of
GPOs, invocation of individual extensions, and other infrastructure
functionality.
Group Policy Components
The Group Policy Components subcollection describes the role of
extensions including server-side snap-in extensions and client-side
extensions. These extensions include: Administrative Templates,
Software Installation, Security Settings, Scripts, Remote Installation
Services, Internet Explorer Maintenance, Folder Redirection, QoS
Packet Scheduler, Disk Quotas, and Wireless Network Policies.
Group Policy Administrative Tools
This subcollection explains administrative tools including the Group
Policy Object Editor, Group Policy Management Console, and the
Resultant Set of Policy (RSoP) snap-in.
Group Policy Scenarios
Group Policy is used to define configurations for groups of users and
computers. With Group Policy, you can specify specific
configurations for a wide range of areas including Administrative
Templates (registry-based policies), security, software installation,
scripts, folder redirection, remote installation services, and Internet
Explorer maintenance. Group Policy settings are contained in a GPO.
By associating a GPO with selected Active Directory system
containerssites, domains, and organizational unitsthe GPO's
Group Policy settings are applied to the users and computers in
those Active Directory containers. This section provides an overview
of what you can do with Group Policy.
Managing Desktops, Applications, and Components with RegistryBased Policies

NMA
Administrative Templates (or .adm files) enable you to control
registry settings using Group Policy, providing the means to
configure the behavior and appearance of the desktop, including the
operating system, components, and applications. Windows comes
with a predefined set of Administrative template files, which are
implemented as text files (with an .adm extension), that define the
registry settings that can be configured in a GPO. These .adm files
are stored in two locations by default: inside GPOs in
the Sysvol folder and in the %windir%\inf directory on the local
computer.
Managing Security
Group Policy is used to manage the following types of
securityoptions for users, clients, servers, and domain controllers:
Security settings. These Group Policy settings are used to
define values for various security-relevant operating system
parameters, such as password policy, user rights assignment,
audit policy, registry values, file and registry ACLs, and service
startup modes.
IPSec policies. These Group Policy settings are used to
configure IPSec services for authenticating or encrypting
network traffic. An IPSec policy consists of a set of security
rules, and each security rule consists of an IP filter with an
action.
Software restriction policies. These Group Policy settings
are used to help protect computers from code that is not
trusted by identifying and specifying which applications are
permitted to run.
Wireless network policies. These Group Policy settings are
used to configure settings for the Wireless Configuration
Service, a user-mode service that operates on each of the IEEE
802.11 wireless network adapters that are installed on a
computer.
Public Key Policies. These Group Policy settings are used to:

NMA
o Specify that computers automatically submit a certificate
request to an enterprise certification authority and install
the issued certificate.
o Create and distribute a certificate trust list.
o Establish common trusted root certification authorities.
o Add encrypted data recovery agents and change the
encrypted data recovery policy settings.
Implementing Group Policybased Software Installation
The Software Installation snap-in is used to centrally manage
software. Software can be assigned or published to users and
assigned to computers. Group Policy-based software installation can
be used to install software applications when a computer is started,
when the user logs on, or on demand. Software installation Group
Policy settings can be applied to users or computers in an Active
Directory structure.
Group Policy-based software installation can also be used to upgrade
deployed applications or remove earlier applications that are no
longer required. Users can be restricted from installing any software
from local media, such as a CD-ROM, or disk, or other unapproved
applications.
Medium and large organizations may wish to consider using Systems
Management Server (SMS). SMS provides advanced capabilities such
as inventory-based targeting, status reporting, server- and clientside scheduling, multisite facilities, complex targeting, centralized
hardware and software inventory, remote diagnostic tools, software
metering, software distribution-point population and maintenance,
support for Windows 95, Windows 98, Windows NT 4.0, Windows
2000, and Windows XP clients, and enhanced software deployment
features. SMS does not require Active Directory.
Managing Remote Operating System Installations
Remote Installation Services (RIS) is used to control the behavior of
the Remote Operating System Installation feature as displayed to
client computers. Remote Installation enables administrators to
perform a new installation of Windows on Preboot eXecution
Environment (PXE) remote boot-enabled client computers
throughout an organization. Using a customized, fully automated
installation process from a remote source, an administrator does not

NMA
have to visit the new computer to install a new operating system
and core applications.

Remote Installation Services Extension

Overview
Administrators who install multiple client operating systems on
bare-metal computerscomputers that do not have an operating
systemone at a time from the installation CD, can spend a lot of
time at each computer. This takes administrators away from their
other responsibilities. Customizing and configuring each newly
installed operating system to meet organization needs is susceptible
to errors and takes even more time. Having an inexperienced end
user install the operating system from the CD can be frustrating for
the end user, result in installation errors, and increase the number of
technical support service calls.
With Windows Server 2003, Microsoft provides two features to help
administrators deploy Windows clients and servers over a network.
These two features are RIS and Automated Deployment Services
(ADS). Administrators can use ADS for deploying server farms. For
more information about ADS, see
AutomatedDeploymentServicesSupportResources under
ManagementServices on Windows Server 2003 Support Center.
You can use RIS to:
Provide an operating system to users on demand.
Provide an operating system image that includes specific settings
and applications.
Create automated installation images of products in the
Windows Server 2003 family, Windows XP, and Windows 2000.
You can also combine RIS with IntelliMirror features such as user
documents and settings, Software Installation, and Group Policy. This
combination can improve the efficiency of computer management in
your organization, and reduce the number of technical support
service calls.
The following figure shows the Remote Installation Services node of
the Group Policy Object Editor, which is used to configure RIS policy
settings. This figure shows the RIS server-side extension user

NMA
interface, provided by rigpsnap.dll. There is no RIS client-side
extension.
Group Policy Object Editor

The settings you make in the RIS SSE determine which of the four
options the user sees in the Client Installation Wizard of the target
computer, as seen in the following figure.

Client Installation Wizard

NMA

This figure shows each of the options that are presented to the user
on the target computer during a remote installation of an operating
system. Because all four settings are enabled in the SSE, all four
settings appear in the wizard. Maintenance and Troubleshooting in
the wizard corresponds to Tools in the SSE.
Remote Installation Services Extension Core Scenarios
The core scenario for Remote Installation Services is operating
system installation with no involvement of the administrator during
client installation. By using the Remote Installation Services
Extension node in the Group Policy Object Editor to configure RIS
policy settings, the administrator can predetermine the options
presented to users during installation. This saves the administrator
time, and ensures consistent deployment of client computers across
the organization.
Remote Installation Services Extension Dependencies
You can edit Remote Installation Group Policy settings on any
computer that has the Group Policy Object Editor with the Remote

NMA
Installation Services node (rigpsnap.dll). However, note the following
about Remote Installation Services:
The Microsoft version of Active Directory is required.
The client computer using RIS to install an operating system must
have a network card that:
Supports Pre-boot Execution Environment (PXE), or
Is supported by the RIS remote boot floppy disk.
Windows XP Professional must have Windows Server 2003
Administration Tools Pack installed to show RIS settings in Group
Policy Object Editor.
RIS Help is not available by default in the Group Policy Management
Console (GPMC) running on Windows XP Professional. Install
Windows Help from the Windows Server 2003 CD onto the computer
running Windows XP Professional.
RIS is not included in the Windows Server 2003, Web Edition
operating system.
RIS installation image files must be located on a Windows NT File
System (NTFS) partition not containing the system or boot files.