Windows Server 2008 R2 Unleashed (199 page)


CHAPTER 26

Windows Server 2008 R2 Administration Tools for Desktops

FIGURE 26.12 Selecting the desired multicast transmission type.

9. On the Operation Complete page, click Finish to return to the WDS console.

10. In the tree pane, select and expand the Multicast Transmissions node to reveal the new multicast transmission.

11. Select the new multicast transmission. After clients connect to the transmission, each client will be listed in the tasks pane and their progress can be tracked.

12. When the multicast transmission is no longer required, right-click the multicast transmission, and select Delete. Confirm the deletion by clicking Yes, and then close the WDS console and log off of the server.

When WDS clients need to connect to the multicast transmission, they only need to select the install image used to create the multicast transmission and they will connect appropriately. This also means that this install image cannot be used by unicast clients until the multicast transmission is removed.

General Desktop Administration Tasks

Aside from deploying operating systems to servers and desktops, managing or remotely updating the systems and the end users after deployment can be an even more challenging task. Windows Server 2008 R2 provides several tools to assist with the management of the computer and network infrastructure, but for managing users and desktops, one of the most functional tools is domain-based group policies. With group policies, Windows Update settings can be configured, network configurations can be managed from a central console, end-user data can be migrated to the server and synchronized with the local desktop folder for mobile users, and much more. For more information on how group policies can be used to manage Windows systems and users, refer to Chapter 27, “Group Policy Management for Network Clients.”


Additionally, when end users need one-on-one support, Windows systems deployed in an Active Directory Domain Services domain can easily leverage the Remote Assistance application. This application allows administrators and end users to share their desktop in either view-only or fully interactive sessions. Remote Assistance works outside of domain deployments, but within a domain, the IT staff can offer Remote Assistance to the user. To start the process, the user only needs to accept the offer by clicking on the link. Going even one step further, when organizations leverage Remote Desktop Services Host systems, administrators can also interact with end users within their session using a remote control function that allows both the end user and administrator to view and share control of the shared desktop.

Summary

Windows Server 2008 R2 provides administrators and organizations with many features, applications, and services that can be used to help deploy and manage Windows servers and desktops. Tools such as Windows Deployment Services and domain group policies allow organizations to define configurations and security settings as standards once, and automate the process to reduce the risk of user error or inconsistent configurations across the infrastructure. Of course, as with any powerful technology or service, before any new applications or services are introduced in an existing computer and network infrastructure, the applications and services should be carefully tested and reviewed in an isolated lab environment to ensure that they are really necessary and will increase productivity or enhance the infrastructure’s functionality or security.

Best Practices

The following are best practices from this chapter:

• Deploy Windows Deployment Services on the computer and network infrastructure only if the organization frequently deploys many servers or desktops or wants to ensure consistent and quickly recoverable systems.

• Place the WDS image repository on an NTFS volume that is not the system volume, to improve server performance and to also reduce the risk of filling up the system drive.

• When customized desktop images will be captured to the WDS server as new install images, ensure that the Sysprep utility is run before booting into a capture image; otherwise, the image will be a duplicate of the workstation and there will be name and computer SID conflicts.

• Instead of re-creating RIS images from scratch, deploy the images to compatible systems, prepare the systems using Sysprep, and boot into a WDS capture boot image to save the system image to the WDS server in the WIM format.


• Update images when hardware platforms change enough that heavy customization to the install and boot images is required to support the deployment of WDS images to the systems or when major operating system upgrades have been released.

• When selecting new server and desktop hardware, ensure that the systems and all related hardware components are certified to work with Windows 7, Windows Server 2008, Windows Vista, or Windows Server 2008 R2 and that all the necessary drivers are digitally signed by the Windows Hardware Quality Labs.

• After images are deployed, the systems should be placed on isolated networks until postimaging deployment tasks can be completed, including installing any security updates and software packages to provide adequate security to the production network and the newly deployed system.


CHAPTER 27

Group Policy Management for Network Clients

IN THIS CHAPTER

• The Need for Group Policies

• Windows Group Policies

• Group Policy Feature Set

• Planning Workgroup and Standalone Local Group Policy Configuration

• Planning Domain Group Policy Objects

• Managing Computers with Domain Policies

• Managing Users with Policies

• Managing Active Directory with Policies

The management and configuration of Windows Server 2008 R2, Windows 7, and some legacy Windows systems can be simplified and standardized with the use of group policies. Group policies are designed to simplify and centralize the configuration and management of Windows systems and the users who log on to the systems. Group Policy management is segmented into two policy nodes: the Computer Configuration node and the User Configuration node. The policy settings contained in the Computer Configuration node can be used to configure Registry and file system permissions, define user password policies, change network configuration and firewall settings, manage system services, define and control power profiles, and much more. The User Configuration node contains policy settings that can manage desktop environment settings, including automatically enforcing a standard screensaver and lockout duration, installing printers, running logon scripts, redirecting user folders to a network share and configuring folder synchronization, locking down the desktop environment, and much more.

Windows systems can be managed individually with local group policies, and when the systems are members of Active Directory domains, they can also be managed using domain group policies. Local group policies and domain group policies are similar in function but domain group policies provide additional functionality, as many of the settings included within the policy templates apply only to Active Directory domains. One of the reasons many organizations deploy Active Directory domains is to leverage the capabilities of domain Group Policy Objects. Chapter 19, “Windows Server 2008 R2 Group Policies and Policy Management,” details Group Policy infrastructure concepts and how to create, link, back up, and manage Group Policy Objects.

This chapter provides an overview and examples of how local and domain Group Policy Objects can be used to manage and configure Windows systems and users.

The Need for Group Policies

Many businesses today are challenged and short-staffed when it comes to managing and properly configuring their information technology (IT) systems. For IT staff, managing the infrastructure involves standardizing and configuring application and security settings, keeping network resources readily available, and having the ability to effectively support end users. Providing a reliable computer and network infrastructure is also a key task for these administrators and part of that requirement includes deploying reliable servers and end-user workstations.

Providing reliable servers and workstations often includes tuning the system settings, installing the latest security updates and bug fixes, and managing the end-user desktop. For small environments, performing these tasks manually can be effective and the right approach, but, in most cases, this can result in inconsistent configurations and an inefficient use of the technical staff member’s time.

Using group policies to control the configuration of computer and user settings and centrally managing these settings can help stabilize the overall computer network and greatly reduce the total number of hours required to manage the infrastructure. For example, if a network printer is replaced, the new printer can be deployed using Group Policy; the next time a user logs on, the printer can be automatically installed and the original can be automatically removed. Without Group Policy, each user desktop would need a visit to manually install and replace the printers.

Only 10 years ago, the bulk of computer and user configuration and management tasks were performed on a per-user and per-computer basis. Organizations that required higher efficiency had to hire specialized staff to develop and support standard desktop building and cloning procedures and had to create their own applications and scripts to perform many of the management functions that are now included with Windows Server 2008 R2 and Windows 7 group policies. With more specialized technical staff members, the ratio of technical staff to end users commonly ranged from 5 to 8 technical resources for every 200 employees. Even at this ratio, however, when corporatewide changes were necessary, outside consultants and contractors were commonly brought on board to provide expertise and extra manpower to develop custom applications or processes and to implement the necessary changes.

In many of today’s organizations, with the advancements in systems and end-user management, it is not uncommon to find organizations now able to support an average of 100 to 250 users with 1 to 2 technical resources. This is only possible when desktop and end-user management policy and procedural standards are developed and group policies are leveraged to support these standards.


Windows Group Policies

Windows Server 2008 R2 and Windows 7 provide several different types of policies that can be used to manage computer systems and user accounts. Depending on the security groups a user account is a member of, and whether or not the computer system is a member of an Active Directory domain or a Windows workgroup, the number of policy settings applicable will vary.

Local Computer Policy

Every Windows system will contain a default local computer policy. The local computer policy is a Local Group Policy Object (LGPO). The local computer policy contains separate Computer and User Configuration nodes. The local computer policy, as its name states, only applies configured settings to the individual local computer system and the users who log on. The local computer policy on a new system is blank, except for the default settings defined within the Computer Configuration\Windows Settings\Security Settings policy node. The Security Settings policy node is also the local security policy.

Local Security Policy

The local security policy of a system contains the only configured policy settings on newly deployed Windows systems. Settings such as user rights assignments, password policies, Windows Firewall with advanced security settings, and system security settings are managed and configurable within the local security policy. Furthermore, the local security policy can be exported from one system as a single text file and imported to other systems to simplify security configuration in workgroup environments and to customize security for new system deployments.
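Because the exported text file carries every setting from the source system, it is worth comparing it with the target before importing. The following PowerShell is an added example, not from the book: it compares two secedit-style exports and lists each setting that differs. Both INF samples are constructed, and the function names and C:\Temp paths are assumptions.

```powershell
# Real exports come from:   secedit /export /cfg C:\Temp\secpol.inf
# A reviewed file is applied: secedit /configure /db C:\Temp\secpol.sdb /cfg C:\Temp\secpol.inf
# Both samples below are constructed; paths and function names are assumptions.
$reference = @'
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
'@
$target = @'
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
'@

# Flatten an export into "Section\Key" -> value pairs.
function ConvertFrom-SecurityInf {
    param([string]$Text)
    $settings = @{}
    $section = ''
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^([^=]+)=(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    $settings
}

# Emit one object per setting whose value differs or exists on one side only.
function Compare-SecurityInf {
    param([string]$ReferenceText, [string]$TargetText)
    $ref = ConvertFrom-SecurityInf $ReferenceText
    $tgt = ConvertFrom-SecurityInf $TargetText
    foreach ($key in (@($ref.Keys) + @($tgt.Keys) | Sort-Object -Unique)) {
        if ($ref[$key] -ne $tgt[$key]) {
            New-Object PSObject -Property @{ Setting = $key; Reference = $ref[$key]; Target = $tgt[$key] }
        }
    }
}

Compare-SecurityInf $reference $target | Select-Object Setting, Reference, Target | Format-Table -AutoSize
```

Reviewing the differences first keeps a weaker password, lockout, or user rights setting on one machine from being copied to every system that imports the file.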

Local Administrators and Non-Administrators User Policies

Windows Server 2008 R2 and Windows 7 support multiple local group policies for user accounts. If any settings are configured in the User Configuration node of the local computer policy, the settings are applied to all users who log on to the system, including the local Administrators group. In previous versions of Windows, if the local computer
