Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
CHAPTER 26
Windows Server 2008 R2 Administration Tools for Desktops
FIGURE 26.12
Selecting the desired multicast transmission type.
9. On the Operation Complete page, click Finish to return to the WDS console.
10. In the tree pane, select and expand the Multicast Transmissions node to reveal the
new multicast transmission.
11. Select the new multicast transmission. After clients connect to the transmission,
each client is listed in the tasks pane and its progress can be tracked.
12. When the multicast transmission is no longer required, right-click the multicast
transmission, and select Delete. Confirm the deletion by clicking Yes, and then close
the WDS console and log off of the server.
When WDS clients need to connect to the multicast transmission, they only need to select
the install image used to create the multicast transmission and they will connect appropriately.
This also means that this install image cannot be used by unicast clients until the
multicast transmission is removed.
General Desktop Administration Tasks
Aside from deploying operating systems to servers and desktops, managing or remotely
updating the systems and the end users after deployment can be an even more challenging
task. Windows Server 2008 R2 provides several tools to assist with the management of
the computer and network infrastructure, but for managing users and desktops, one of the
most functional tools is domain-based group policies. With group policies, Windows
Update settings can be configured, network configurations can be managed from a central
console, end-user data can be migrated to the server and synchronized with the local
desktop folder for mobile users, and much more. For more information on how group
policies can be used to manage Windows systems and users, refer to Chapter 27, “Group
Policy Management for Network Clients.”
Additionally, when end users need one-on-one support, Windows systems deployed in an
Active Directory Domain Services domain can easily leverage the Remote Assistance
application. This application allows administrators and end users to share their desktop in
either view-only or fully interactive sessions. Remote Assistance works outside of domain
deployments, but within a domain, the IT staff can offer Remote Assistance to the user. To
start the process, the user only needs to accept the offer by clicking on the link. Going
even one step further, when organizations leverage Remote Desktop Services Host systems,
administrators can also interact with end users within their session using a remote control
function that allows both the end user and administrator to view and share control of the
shared desktop.
Windows Server 2008 R2 provides administrators and organizations with many features,
applications, and services that can be used to help deploy and manage Windows servers
and desktops. Tools such as Windows Deployment Services and domain group policies
allow organizations to define configurations and security settings as standards once, and
automate the process to reduce the risk of user error or inconsistent configurations across
the infrastructure. Of course, as with any powerful technology or service, before any new
applications or services are introduced in an existing computer and network infrastructure,
the applications and services should be carefully tested and reviewed in an isolated
lab environment to ensure that they are really necessary and will increase productivity or
enhance the infrastructure’s functionality or security.
The following are best practices from this chapter:
• Deploy Windows Deployment Services on the computer and network infrastructure
only if the organization frequently deploys many servers or desktops or wants to
ensure consistent and quickly recoverable systems.
• Place the WDS image repository on an NTFS volume that is not the system volume, to
improve server performance and to also reduce the risk of filling up the system drive.
• When customized desktop images will be captured to the WDS server as new install
images, ensure that the Sysprep utility is run before booting into a capture image;
otherwise, the image will be a duplicate of the workstation and there will be name
and computer SID conflicts.
• Instead of re-creating RIS images from scratch, deploy the images to compatible
systems, prepare the systems using Sysprep, and boot into a WDS capture boot
image to save the system image to the WDS server in the WIM format.
• Update images when hardware platforms change enough that heavy customization
to the install and boot images is required to support the deployment of WDS
images to the systems or when major operating system upgrades have been released.
• When selecting new server and desktop hardware, ensure that the systems and all
related hardware components are certified to work with Windows 7, Windows Server
2008, Windows Vista, or Windows Server 2008 R2 and that all the necessary drivers
are digitally signed by the Windows Hardware Quality Labs.
• After images are deployed, the systems should be placed on isolated networks until
postimaging deployment tasks can be completed, including installing any security
updates and software packages to provide adequate security to the production network
and the newly deployed system.
CHAPTER 27
Group Policy Management for Network Clients
IN THIS CHAPTER
• The Need for Group Policies
• Windows Group Policies
• Group Policy Feature Set
• Planning Workgroup and Standalone Local Group Policy Configuration
• Planning Domain Group Policy Objects
• Managing Computers with Domain Policies
• Managing Users with Policies
• Managing Active Directory with Policies
The management and configuration of Windows Server 2008 R2, Windows 7, and some
legacy Windows systems can be simplified and standardized with the use of group
policies. Group policies are designed to simplify and centralize the configuration and
management of Windows systems and the users who log on to the systems. Group
Policy management is segmented into two policy nodes including the Computer
Configuration and the User Configuration nodes. The policy settings contained in the
Computer Configuration node can be used to configure Registry and file system
permissions, define user password policies, change network configuration and firewall
settings, manage system services, define and control power profiles, and much more.
The User Configuration node contains policy settings that can manage desktop
environment settings, including automatically enforcing a standard screensaver and
lockout duration, installing printers, running logon scripts, redirecting user folders to a
network share and configuring folder synchronization, locking down the desktop
environment, and much more.
Windows systems can be managed individually with local
group policies, and when the systems are members of
Active Directory domains, they can also be managed using
domain group policies. Local group policies and domain
group policies are similar in function but domain group
policies provide additional functionality, as many of the
settings included within the policy templates apply only to
Active Directory domains. One of the reasons many organizations
deploy Active Directory domains is to leverage the
capabilities of domain Group Policy Objects. Chapter 19,
“Windows Server 2008 R2 Group Policies and Policy
Management,” details Group Policy infrastructure concepts and how to create, link, back
up, and manage Group Policy Objects.
This chapter provides an overview and examples of how local and domain Group Policy
Objects can be used to manage and configure Windows systems and users.
Many businesses today are challenged and short-staffed when it comes to managing and
properly configuring their information technology (IT) systems. For IT staff, managing the
infrastructure involves standardizing and configuring application and security settings,
keeping network resources readily available, and having the ability to effectively support
end users. Providing a reliable computer and network infrastructure is also a key task for
these administrators and part of that requirement includes deploying reliable servers and
end-user workstations.
Providing reliable servers and workstations often includes tuning the system settings,
installing the latest security updates and bug fixes, and managing the end-user desktop.
For small environments, performing these tasks manually can be effective and the right
approach, but, in most cases, this can result in inconsistent configurations and an inefficient
use of the technical staff member’s time.
Using group policies to control the configuration of computer and user settings and
centrally managing these settings can help stabilize the overall computer network and
greatly reduce the total number of hours required to manage the infrastructure. For
example, if a network printer is replaced, the new printer can be deployed using Group
Policy; the next time a user logs on, the printer can be automatically installed and the
original can be automatically removed. Without Group Policy, each user desktop would
need a visit to manually install and replace the printers.
Only 10 years ago, the bulk of computer and user configuration and management tasks
were performed on a per-user and per-computer basis. Organizations that required higher
efficiency had to hire specialized staff to develop and support standard desktop building
and cloning procedures and had to create their own applications and scripts to perform
many of the management functions that are now included with Windows Server 2008 R2
and Windows 7 group policies. With more specialized technical staff members, the ratio of
technical staff to end users commonly ranged from 5 to 8 technical resources for every
200 employees. Even at this ratio, however, when corporatewide changes were necessary,
outside consultants and contractors were commonly brought on board to provide expertise
and extra manpower to develop custom applications or processes and to implement
the necessary changes.
In many of today’s organizations, with the advancements in systems and end-user
management, it is not uncommon to find organizations now able to support an average of
100 to 250 users with 1 to 2 technical resources. This is only possible when desktop and
end-user management policy and procedural standards are developed and group policies
are leveraged to support these standards.
Windows Group Policies
Windows Server 2008 R2 and Windows 7 provide several different types of policies that
can be used to manage computer systems and user accounts. Depending on the security
groups a user account is a member of, and whether or not the computer system is a
member of an Active Directory domain or a Windows workgroup, the number of policy
settings applicable will vary.
Local Computer Policy
Every Windows system will contain a default local computer policy. The local computer
policy is a Local Group Policy Object (LGPO). The local computer policy contains separate
Computer and User Configuration nodes. The local computer policy, as its name states,
only applies configured settings to the individual local computer system and the users
who log on. The local computer policy on a new system is blank, except for the default
settings defined within the Computer Configuration\Windows Settings\Security Settings
policy node. The Security Settings policy node is also the local security policy.
Local Security Policy
The local security policy of a system contains the only configured policy settings on newly
deployed Windows systems. Settings such as user rights assignments, password policies,
Windows Firewall with Advanced Security settings, and system security settings are
managed and configurable within the local security policy. Furthermore, the local security
policy can be exported from one system as a single text file and imported to other systems
to simplify security configuration in workgroup environments and to customize security
for new system deployments.
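The export and import described above can be scripted with the built-in secedit command. The following is an added example, not from the book; the file paths and the baseline thresholds are assumptions chosen for illustration.

```powershell
# Added example: paths and baseline values are assumptions, not from the book.
# Run from an elevated prompt. Steps 1-3 on the reference system, step 4 on each target.
$cfg = 'C:\Temp\local-secpol.inf'   # hypothetical export file
$db  = 'C:\Temp\local-secpol.sdb'   # hypothetical working database for the import
$log = 'C:\Temp\local-secpol.log'

# 1. Export the local security policy to a single INF text file.
secedit /export /cfg $cfg /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit export failed; review $log" }

# 2. Read one [Section] of the INF into a hashtable so it can be reviewed.
function Get-InfSection([string]$Path, [string]$Section) {
    $values = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq $Section); continue }
        if ($inSection -and $line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
            $values[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $values
}
$access = Get-InfSection $cfg 'System Access'

# 3. Refuse to reuse an export that is weaker than a constructed minimum baseline.
$checks = @{
    MinimumPasswordLength = { param($v) $v -ge 12 }
    PasswordComplexity    = { param($v) $v -eq 1 }
    LockoutBadCount       = { param($v) $v -ge 1 -and $v -le 5 }  # 0 disables lockout
}
$failed = @()
foreach ($key in $checks.Keys) {
    $value = 0
    $test  = $checks[$key]
    $isNumber = [int]::TryParse([string]$access[$key], [ref]$value)
    if (-not $isNumber -or -not (& $test $value)) { $failed += "$key = '$($access[$key])'" }
}
if ($failed.Count -gt 0) { throw "Export is below baseline: $($failed -join '; ')" }

# 4. On the target: check the file's syntax, then import it into the local policy.
secedit /validate $cfg
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { Write-Warning "secedit reported errors or warnings; review $log" }
```

Limiting the areas to SECURITYPOLICY leaves user rights assignments out of the file, which avoids carrying machine-specific account SIDs from the reference system to the targets.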
Local Administrators and Non-Administrators User Policies
Windows Server 2008 R2 and Windows 7 support multiple local group policies for user
accounts. If any settings are configured in the User Configuration node of the local
computer policy, the settings are applied to all users who log on to the system, including
the local Administrators group. In previous versions of Windows, if the local computer