by MS
If you want to ensure that a computer uses specific IP address and network configuration settings when no DHCP server is available, you need to specify an alternate configuration manually. One of the key reasons for using an alternate configuration is to accommodate laptop users who take their computers home from work. In this way, the user's laptop could be configured to use a dynamically assigned IP address at work and an alternate IP address configuration at home. Before you get started, you might want to ask the users for their home networking settings, including the IP address, gateway, and DNS server addresses required by their service provider.
To configure alternate private IP addresses, complete the following steps:
Click Start and then click Control Panel.
In Control Panel, under the Network And Internet heading, click View Network Status And Tasks.
In the left pane in Network Center, click Manage Network Connections.
Network Connections displays a list of all network connections configured for use on the computer. Right-click the connection you want to configure and then select Properties.
Open the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box by double-clicking Internet Protocol Version 4 (TCP/IPv4). You can also select Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
Provided you've already configured the adapter to obtain an IP address automatically, you should be able to click the Alternate Configuration tab, shown in Figure 7-8.
Figure 7-8: Use the Alternate Configuration tab to configure private IP addresses for the computer.
On the Alternate Configuration tab, select the User Configured option. Then in the IP Address field, type the IP address you want to use. The IP address you assign to the computer should be a private IP address, and it must not be in use anywhere else at the time the settings are applied. Private IP addresses normally used by computers are in the ranges 10.0.0.1 to 10.255.255.254, 172.16.0.1 to 172.31.255.254, and 192.168.0.1 to 192.168.255.254.
The Subnet Mask field ensures that the computer communicates over the network properly. Windows Vista should insert a default value into this field for the subnet mask. If the network doesn't use subnets, the default value should suffice. However, if it does use subnets, you'll need to change this value as appropriate for the target network.
If the computer needs to access other TCP/IP networks, the Internet, or other subnets, you must specify a default gateway. Type the IP address of the network's default router in the Default Gateway field.
DNS servers are needed for domain name resolution. Type a preferred and alternate DNS server address in the fields provided.
If WINS is used on the network for backward compatibility with previous versions of Windows, configure a preferred and alternate WINS server using the fields provided.
When you're finished, click OK twice and then click Close.
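A pre-check for the values typed on the Alternate Configuration tab, as an added example that is not part of the original text: it confirms that the address falls in one of the private ranges listed above, that it is a usable host address for the subnet mask, and that the default gateway sits on the same subnet. The function name and the sample addresses used with it are constructed for illustration.

```python
import ipaddress

# The three private ranges the procedure lists for alternate addresses.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_alternate_config(ip, mask, gateway=None, dns=()):
    """Return a list of problems with a proposed alternate configuration.

    An empty list means the values are consistent with each other. This
    cannot tell whether the address is already in use on the target network.
    """
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"invalid IP address or subnet mask: {exc}"]

    net = iface.network
    if not any(iface.ip in r for r in PRIVATE_RANGES):
        problems.append(f"{iface.ip} is not in a private range")
    # The first and last addresses of a subnet are reserved.
    if net.prefixlen < 31 and iface.ip in (net.network_address,
                                           net.broadcast_address):
        problems.append(
            f"{iface.ip} is the network or broadcast address of {net}")

    if gateway is not None:
        try:
            gw = ipaddress.ip_address(gateway)
        except ValueError:
            problems.append(f"invalid default gateway: {gateway}")
        else:
            if gw not in net:
                problems.append(f"gateway {gw} is outside {net}")
            elif gw == iface.ip:
                problems.append("gateway is the same as the host address")

    for server in dns:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"invalid DNS server address: {server}")
    return problems
```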
Connecting to Networked Projectors
Many meeting rooms and conference centers have networked projectors that are available for use during presentations. To use this type of projector, you must connect your computer to the local area network (LAN) and then access the projector over the network by using the Connect To A Network Projector Wizard. This wizard walks you through the steps of finding projectors on a network and establishing a connection.
You can start and use the Connect To A Network Projector Wizard by following these steps:
Click Start, All Programs, Accessories, Connect To A Network Projector.
If you haven't previously attempted to connect to a network projector and Windows Firewall is active, click Yes to allow the network projector to communicate with the computer through Windows Firewall.
If you want to select from projectors found on the local network, click Choose From Available Network Projectors. The wizard searches for projectors on the network and returns its results along with a list of any projectors you've used recently. Click the projector you want to use, provide the access password for the projector if necessary, and then click Next.
If you know the network address of the projector, click Enter The Projector Address. On the Enter The Network Address Of A Projector page, type the network address of the projector, such as http://www.intranet.cpandl.local/projectors/confb-proj1. Enter any required access password and then click Next.
Once you've established a connection to the projector, click Finish to exit the wizard and begin using the projector.
Chapter 8: Configuring User and Computer Policies
Group Policy is a set of rules that you can apply to help manage users and computers. Two types of Group Policy are available: local group policy and Microsoft Active Directory directory service group policy. Local group policy is used to manage the settings of a local machine only. Active Directory group policy is used to manage the settings of computers throughout sites, domains, and organizational units (OUs).
Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. You can think of a group policy as a set of rules that helps you manage users and computers. Group policies can be applied to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory directory service.
In this chapter, you'll learn how to manage group policy settings. The chapter examines policies that you might want to configure in the domain and on local computers. These policies are organized by topic area, such as file and data management. Group policies apply only to systems running Microsoft Windows 2000, Windows XP Professional, Windows Vista, Windows Server 2003, or any combination of these.
Group Policy Essentials
Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.
Understanding Policy Application
During startup and logon, policies are applied in an exact sequence, which is often important in troubleshooting system behavior.
When multiple policies are in place, they are applied in the following order:
Local group policies
Site group policies
Domain group policies
Organizational unit (OU) group policies
Child OU group policies
If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that enable administrators to block, oversee, and disable policies.
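The precedence rule described above, written out as an added example that is not part of the original text: given the settings each policy defines, it reports the effective value of every setting, which policy supplied it, and which earlier policies were overwritten. The level labels, policy names and settings are constructed for illustration, and the exceptions to the precedence rule are not modelled.

```python
# Processing order from the list above; levels later in the list apply last.
ORDER = ["local", "site", "domain", "ou", "child_ou"]


def effective_settings(gpos):
    """Resolve conflicting settings using the default precedence rule.

    gpos: list of (level, policy_name, {setting: value}) tuples.
    Returns {setting: (value, winning_policy, [overridden_policies])}.
    Only "settings applied later win" is modelled, not the exceptions
    to the precedence rule that the text mentions.
    """
    gpos = list(gpos)
    unknown = sorted({level for level, _, _ in gpos if level not in ORDER})
    if unknown:
        raise ValueError(f"unknown policy level(s): {unknown}")
    # sorted() is stable: policies at the same level keep their input order
    # (an assumption of this sketch about ordering within a level).
    ordered = sorted(gpos, key=lambda g: ORDER.index(g[0]))
    result = {}
    for _, name, settings in ordered:
        for setting, value in settings.items():
            overridden = []
            if setting in result:
                _, prev_name, prev_overridden = result[setting]
                overridden = prev_overridden + [prev_name]
            result[setting] = (value, name, overridden)
    return result


# Constructed sample policies, deliberately listed out of processing order.
SAMPLE = [
    ("ou", "Engineering OU Policy", {"ScreenSaverTimeout": 600}),
    ("local", "Local Computer Policy",
     {"ScreenSaverTimeout": 0, "HideRunMenu": False}),
    ("domain", "Default Domain Policy",
     {"ScreenSaverTimeout": 900, "MinPasswordLength": 8}),
]

if __name__ == "__main__":
    for setting, (value, winner, lost) in effective_settings(SAMPLE).items():
        print(f"{setting} = {value!r} from {winner}; overwrote: {lost or 'none'}")
```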
Generally speaking, the events that take place during startup and logon are as follows:
The network starts, and then Windows Vista applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while foreground computer policies are being processed. Some computer policies can be processed asynchronously in the background, allowing for faster user logon.
Windows Vista runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn't displayed to the user unless specified.
A user logs on. After the user account is authenticated, Windows Vista loads the user profile.
Windows Vista applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
Windows Vista runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn't displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.
Windows Vista displays the start shell interface configured in Group Policy.
Accessing and Using Local Group Policies
Each computer running Windows Vista has one local group policy stored in its %SystemRoot%\System32\GroupPolicy folder. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy Object Editor.
Using the Group Policy Object Editor, access and use policies on a computer by completing these steps:
Click Start, type mmc and then press Enter. This opens an empty MMC console.
Select Add/Remove Snap-In on the File menu.
In the Add Or Remove Snap-In dialog box, select Group Policy Object Editor under Available Snap-Ins and then click Add.
By default, the Group Policy Object Editor works with the local computer's Group Policy Object (GPO), so you need only click Finish to accept this as the default.
Click OK. You can now manage the policy on the selected computer. For more details, see the "Configuring Policies" section of this chapter.
Tip
Another way to start the Group Policy Object Editor for the local computer is to click Start, type gpedit.msc, and then press Enter.
Accessing and Using Site, Domain, and Organizational Unit Policies
With Active Directory, each site, domain, and OU can have one or more group policies. Policies displayed higher in the Group Policy list have a higher precedence than policies lower in the list. This ensures that site policies are applied appropriately throughout the domains and OUs on the same high-speed network if sites have been configured. Site, domain, and OU group policies are stored in the %SystemRoot%\Sysvol\sysvol\DomainName\Policies folder on domain controllers, where DomainName is the Domain Name System (DNS) name of the domain. In this folder, you'll find one subfolder for each policy you've defined on the domain controller. You shouldn't edit these folders and files directly. Instead, use the appropriate features of a Group Policy console.
Two graphical user interface (GUI) tools are provided for managing Active Directory Group Policy:
Group Policy Object Editor
Group Policy Management Console
Although both are used to manage Active Directory Group Policy, you can think of Group Policy Object Editor as a basic editor and Group Policy Management Console as an advanced editor. Using Group Policy Object Editor, you can view and configure policy settings for a specific Group Policy Object. Using Group Policy Management Console, you can view, configure, and manage policy settings for group policy objects in any forest and domain to which you can connect and have appropriate administrator permissions. Management features in Group Policy Management Console enable you to import, export, back up, and restore group policy objects. You can also use Group Policy Management Console to plan Group Policy changes and to determine how Group Policy is being applied to particular computers and users.
Using Group Policy Object Editor and related features, you access and use site, domain, and OU policies by completing the following steps:
For sites, open the Active Directory Sites and Services console to create a Group Policy Object that is linked to the site. For domains and OUs, open the Active Directory Users and Computers console to create a Group Policy Object that is linked to the domain or OU.
In the left pane of the appropriate Active Directory window, right-click the site, domain, or OU for which you want to create or manage a Group Policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.
In the Properties dialog box, click the Group Policy tab. You can now:
Create a new policy: To create a new policy, click New. Enter a name for the policy and press Enter. Then click Edit to configure the new policy.
Edit an existing policy: To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the "Configuring Policies" section of this chapter.
Change the priority of a policy: To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.
Note
Group Policy Management Console is included with Windows Vista and later releases of the Windows operating system.
Using the Group Policy Management Console, you access and work with site, domain, and OU policies by completing the following steps:
Click Start, type mmc and then press Enter. This opens an empty MMC console.
On the File menu, select Add/Remove Snap-In.
In the Add Or Remove Snap-In dialog box, under Available Snap-Ins, select Group Policy Management and then click Add.
In the MMC, you'll see two top-level nodes: Group Policy Management (the label for the console root) and Forest (a node representing the current forest to which you are connected). When you expand the Forest node, you'll then see the following nodes:
Domains: Provides access to the policy settings for domains in the related forest. By default, you are connected to your logon domain and can add connections to other domains. If you expand a domain, you'll be able to access Default Domain Policy, the Domain Controllers OU (and the related Default Domain Controllers Policy), and Group Policy Objects defined in the domain.
Sites: Provides access to the policy settings for sites in the forest. Sites are hidden by default.
Group Policy Modeling: Provides access to the Group Policy Modeling Wizard, which you can use to help you plan policy deployment and simulate settings for testing purposes, as well as any saved policy models.
Group Policy Results: Provides access to the Group Policy Results Wizard. For each domain to which you are connected, you have all the related Group Policy Objects and OUs available to work with in one location.
You can now perform the following tasks:
Create a new policy: Right-click the site, domain, or OU you want to work with and then select Create And Link A GPO Here. In the New GPO dialog box, type a descriptive name for the new GPO and then click OK. The GPO is now created and linked to the site, domain, or OU. Right-click the GPO and then choose Edit. This opens the Group Policy Object Editor. For more details, see the "Configuring Policies" section of this chapter.
Edit an existing policy: Expand the site, domain, or OU node in which the related policy is stored. Right-click the policy and then choose Edit. This opens the Group Policy Object Editor. For more details, see the "Configuring Policies" section of this chapter.
Using the Group Policy Object Editor
Once you've selected a policy for editing or created a new policy, use the Group Policy Object Editor to work with group policies. As Figure 8-1 shows, the Group Policy Object Editor has two main nodes:
Computer Configuration: Enables you to set policies that should be applied to computers, regardless of who logs on.
User Configuration: Enables you to set policies that should be applied to users, regardless of which computer they log on to.
Figure 8-1: Group Policy options depend on the type of policy you're creating and the add-ons installed.
Note
Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers that the user might use, you must use domain, site, or OU group policies.
The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you're creating. You'll usually find that both nodes have subnodes for the following:
Software Settings: Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.
Windows Settings: Sets policies for folder redirection, scripts, and security.
Administrative Templates: Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.
Updating Group Policy Objects for Windows Vista
Windows Vista supports additional group policies. Some of these additional policies can be used with other operating systems as well as with later versions of Windows. On a Windows Vista computer, you'll see the new policies as well as the standard policies if you examine the Local Computer policy. However, if you try to use the Windows Vista policies in a domain, you're going to have problems: the new policies won't be there. Don't worry; there's an easy way to fix this, and you'll then be able to set and enforce the new policies as appropriate throughout your domain.
In Group Policy, new policies are implemented through a set of administrative templates. These templates contain the policy definitions for both the new policies and the standard policies. To push the policies out into the domain, you will need to update the appropriate GPOs in your domain. Once you make the update, compatible clients can take advantage of the enhanced policy set, and incompatible clients simply ignore the settings they don't support.
Normally, nothing else about using Group Policy would change when you make this update. However, Windows Vista supports a new file format for administrative templates called ADMX. ADMX uses eXtensible Markup Language (XML) to format policies within administrative templates. Unlike ADM files, which are stored in the GPO to which they relate, ADMX files are not by default stored with the GPOs with which they are associated. Instead, ADMX files are stored centrally on a domain controller and are accessible by anyone with permissions to create or edit GPOs. Central storage of ADMX files makes them easier to work with and manage.
The ADMX file format is entirely different from the ADM format previously used. Because of this, only policy editors that are compatible with the ADMX file format can read the administrative templates that have been updated to use ADMX. Windows XP, Windows Server 2003, and earlier releases of Windows include a version of the Group Policy Object Editor that is not compatible with the ADMX file format. Windows Vista and later versions of the Windows operating system include a version of the Group Policy Object Editor and a version of the Group Policy Management Console (GPMC) that are compatible with the ADMX file format. Any version of GPMC with Service Pack 1 or later downloaded from the Microsoft Download Web Site is also compatible with the ADMX file format.
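Because ADMX templates are XML, any XML parser can read them for review. The following added example (not part of the original text) lists each policy a template defines, the Group Policy Object Editor node it appears under, and the registry location it writes to. The embedded template fragment, its policy names and its registry paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed ADMX fragment; policy names and registry paths are made up.
SAMPLE_ADMX = r"""<policyDefinitions revision="1.0" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="Example_DisableFeature" class="Machine"
            displayName="$(string.Example_DisableFeature)"
            key="Software\Policies\Example\Feature" valueName="Disabled">
      <enabledValue><decimal value="1" /></enabledValue>
      <disabledValue><decimal value="0" /></disabledValue>
    </policy>
    <policy name="Example_UserBanner" class="User"
            displayName="$(string.Example_UserBanner)"
            key="Software\Policies\Example\Shell" valueName="Banner" />
    <policy name="Example_Shared" class="Both"
            displayName="$(string.Example_Shared)"
            key="Software\Policies\Example\Shared" />
  </policies>
</policyDefinitions>"""

# The class attribute decides which Group Policy Object Editor node
# shows the policy.
NODES = {
    "Machine": ("Computer Configuration",),
    "User": ("User Configuration",),
    "Both": ("Computer Configuration", "User Configuration"),
}


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on element names."""
    return tag.rsplit("}", 1)[-1]


def list_policies(admx_text):
    """Return one dict per <policy> element in an ADMX document."""
    root = ET.fromstring(admx_text)
    if _local(root.tag) != "policyDefinitions":
        raise ValueError(f"not an ADMX document: root is <{_local(root.tag)}>")
    policies = []
    for el in root.iter():
        if _local(el.tag) != "policy":
            continue
        policies.append({
            "name": el.get("name"),
            "nodes": NODES.get(el.get("class"), ()),
            "registry_key": el.get("key"),
            # None when the policy's values are defined by child elements.
            "value_name": el.get("valueName"),
        })
    return policies
```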