Microsoft Press Windows Vista Administrator's Pocket Consultant ebook
Page 29
To control the availability of offline files, in Computer Configuration\Administrative Templates\Network\Offline Files, double-click Allow Or Disallow Use Of The Offline Files Feature. On the Setting tab, select either Enabled or Disabled as appropriate. Click OK. Users can now select specific files and folders that they want to have available when working offline. To prevent this user selection of files but assign specific offline files to be used, you'll need to prohibit this feature and administratively assign offline files.
To prevent users from changing offline file configuration settings, double-click Prohibit User Configuration Of Offline Files. On the Setting tab, select Enabled. Once this policy is set, users can't configure offline file options.
To prevent users from accessing the offline files folder but still allow them to work offline, double-click Prevent Use Of Offline Files Folder. On the Setting tab, select Enabled. Once you select this option, users cannot view or open copies of cached files. They can, however, save current work and continue to use active files when offline.
Administratively Controlling Offline Files and Folders
You can administratively control which files and folders are available for offline use. Typically, you'll want to do this on file servers or other systems sharing resources on the network. You can use several different techniques to administratively control which resources are available offline.
You can prevent users from making files available offline and, instead, assign specific offline resources by following these steps:
1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To prevent users from making files available offline, double-click Remove "Make Available Offline." On the Setting tab, select Enabled. Click OK. Once this policy is enforced, users are unable to specify files that should be used offline.
3. To assign resources that are automatically available offline, double-click Administratively Assigned Offline Files. On the Setting tab, select Enabled. Next, click Show. Then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data. Figure 8-5 shows a list of resources that have been added to the Show Contents list.
Figure 8-5: Use the Show Contents dialog box to specify resources according to their UNC path.
Caution
You should carefully consider which resources are automatically made available offline. The more resources you assign through this technique, the more network traffic is generated to maintain offline file caches.
You can make specific files automatically available, and prevent others from being used offline, by following these steps:
1. Access Group Policy for the system that you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To assign resources that are available offline automatically, double-click Administratively Assigned Offline Files. On the Setting tab, select Enabled. Click Show and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data.
3. To specify resources that users shouldn't be able to make available offline, double-click Prohibit "Make Available Offline" For These Files And Folders. On the Setting tab, select Enabled. Click Show and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data. This setting doesn't prevent automatic caching of resources assigned through step 2.
4. Click OK until all open dialog boxes are closed.
Setting Offline File Synchronization Policies
Offline file synchronization is normally controlled using the Synchronization Manager, accessed by selecting Start, All Programs or Programs, Accessories, Synchronize. However, you can set specific synchronization timing and techniques through policies. Normally, resources are either fully synchronized (meaning that all files are checked to ensure they are complete and current) or quickly synchronized (meaning files are checked to ensure they are complete, but file contents are not examined for currency).
Several events can trigger automatic synchronization, such as logon, logoff, standby, and hibernate. Again, the Synchronization Manager normally determines which events are used. Using policies, you can override this behavior. In most circumstances, you'll want to synchronize files only when a user logs on. The advantage to synchronizing when users log on is that they'll always have the freshest copies of files. The disadvantage is that the logon process might take longer. The notable exception for synchronizing at logon is for laptop users. Here, you might want to synchronize at logoff to ensure that users have the freshest copy of files when they go home and use their laptop offline.
To configure synchronization policies, follow these steps:
1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files.
2. The policies that control synchronization are Synchronize All Offline Files When Logging On, Synchronize All Offline Files Before Logging Off, and Synchronize Offline Files Before Suspend. Double-click the policy related to the synchronization technique that you want to use for this computer. On the Setting tab, select Enabled. For the Synchronize Offline Files Before Suspend policy, ensure that the appropriate Action is selected; choose either Full or Quick.
Tip
A full synchronization ensures that the latest versions of the user's offline files are stored prior to the suspend operation. A quick synchronization ensures that all the offline files are available but not necessarily in the most current version.
3. Click OK.
Setting Offline File Cache Policies
Careful configuration of the offline file cache is essential to managing the system and network overhead generated by offline file usage. You can specify a maximum file cache size, whether the cache is encrypted for security, and which file types should never be cached. To configure policies for the offline file cache, follow these steps:
1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To set the maximum cache size, double-click Default Cache Size. On the Setting tab, select Enabled. Afterward, use the Default Cache Size Properties dialog box, shown in Figure 8-6, to set the default cache size. The value entered is the percentage of disk space used times 10,000, meaning that if you enter 15,000, the cache can use up to 15 percent of the free space on the system drive.
Figure 8-6: Set a default cache size for offline files in the Default Cache Size Properties dialog box.
Note
If you don't configure the Default Cache Size policy or if you disable it, the cache size limit is 10 percent of the free space on the system drive.
3. To specify file types that are not cached, double-click Files Not Cached and then select Enabled. Next, in the Extensions field, type a semicolon-separated list of file extensions to exclude. Each extension must be preceded by an asterisk and a period. You could enter *.wbk; *.tmp; *.lnk; *.ndx to block caching of many temporary types of files.
4. To encrypt the cache, double-click Encrypt The Offline Files Cache and then select Enabled. Once enabled, all existing and new files in the cache are encrypted. The user can see his or her own files, but other users will not be able to use them.
Working with Access and Connectivity Policies
Access and connectivity policies control network connections, dial-up connections, and Remote Assistance configurations. These policies affect a system's connectivity to the network as well as remote access to the system.
Configuring Network Policies
Many network policies are available. Network policies that control Internet Connection Sharing, Internet Connection Firewall, Windows Firewall, and Network Bridge are configured at the computer level. Network policies that control local area network (LAN) connections, Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, and remote access are configured at the user level. The primary policies that you'll want to use are summarized in Table 8-3. You'll find Network policies under Computer Configuration\Administrative Templates\Network\Network Connections and User Configuration\Administrative Templates\Network\Network Connections.
Table 8-3: Network Policies
| Policy Type | Policy Name | Description |
| --- | --- | --- |
| Computer | Prohibit Installation And Configuration Of Network Bridge On Your DNS Domain Network | Determines whether users can install and configure network bridges. This policy only applies to the domain in which it is assigned. |
| Computer | Prohibit Use Of Internet Connection Firewall On Your DNS Domain Network | Determines whether users can enable the Internet Connection Firewall. This policy only applies to the domain in which it is assigned. |
| Computer | Prohibit Use Of Internet Connection Sharing On Your DNS Domain Network | Determines whether administrators can enable and configure connection sharing. This policy only applies to the domain in which it is assigned. |
| User | Ability To Change Properties Of An All User Remote Access Connection | Determines whether users can view and modify the properties of remote access connections available to all users of the computer. |
| User | Ability To Delete All User Remote Access Connections | Determines whether users can delete remote access connections available to all users of the computer. |
| User | Ability To Enable/Disable A LAN Connection | Determines whether users can enable or disable LAN connections. |
| User | Prohibit Access To Properties Of A LAN Connection | Determines whether users can change the properties of LAN connections. |
| User | Prohibit Access To Properties Of Components Of A Remote Access Connection | Determines whether users can access and change properties of remote access connections. |
| User | Prohibit Deletion Of Remote Access Connections | Determines whether users can delete remote access connections. |
| User | Prohibit TCP/IP Advanced Configuration | Determines whether users can access advanced TCP/IP settings. |
As shown in the table, network policies for computers are designed to restrict actions on the organization's network. When you enforce these restrictions, users are prohibited from using features such as Internet Connection Sharing in the applicable domain. This is designed to protect the security of corporate networks, but it doesn't prevent users with laptops, for example, from taking their computers home and using these features on their own networks. To enable or disable these restrictions, follow these steps:
1. Access Group Policy for the resource you want to work with. Next, access the Network Connections node by expanding Computer Configuration\Administrative Templates\Network\Network Connections.
2. Double-click the policy that you want to configure. On the Setting tab, select Enabled or Disabled as appropriate. Click OK.
User policies for network connections usually prevent access to certain configuration features, such as the advanced TCP/IP property settings. To configure these policies, follow these steps:
1. Access Group Policy for the resource you want to work with. Next, access User Configuration\Administrative Templates\Network\Network Connections.
2. Double-click the policy that you want to configure. On the Setting tab, select Enabled or Disabled as appropriate. Click OK.
Configuring Remote Assistance Policies
Remote Assistance policies can be used to prevent or permit use of remote assistance on computers. Typically, when you set Remote Assistance policies, you'll want to prevent unsolicited offers for remote assistance while allowing requested offers. You can also force a specific expiration time limit for invitations through policy rather than setting this through the System Properties dialog box of each computer. To improve security, you can use strong invitation encryption. This enhancement, however, limits who can answer Remote Assistance invitations to only those running Windows Vista or later releases of Windows.
To configure policy in this manner, follow these steps:
1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.
2. Double-click Solicited Remote Assistance. On the Setting tab, select Enabled. When enabled, this policy allows authorized users to respond to remote assistance invitations.
3. You can now specify the level of access for assistants. The Permit Remote Control Of This Computer selection list has two options:
   Allow Helpers To Remotely Control This Computer: Permits viewing and remote control of the computer.
   Allow Helpers To Only View This Computer: Permits only viewing; assistants cannot take control to make changes.
4. Next, as shown in Figure 8-7, use the Maximum Ticket Time (Value) and Maximum Ticket Time (Units) fields to set the maximum time limit for remote assistance invitations. The default maximum time limit is one hour. Click OK.
Figure 8-7: Set a time expiration limit for Remote Assistance invitations.
Real World
The method for sending e-mail invitations is set to Mailto by default. This is a browser-based mail submission technique in which the invitation recipient connects through an Internet link. You can also select Simple MAPI to use Messaging Application Programming Interface (MAPI) for sending the e-mail invitation. When you do this, the invitation is sent as an attachment to the invitation e-mail message. As long as computers can establish a connection with each other over port 80 and you're using a standard e-mail program, such as Microsoft Outlook or Outlook Express, you'll probably want to use Mailto.
5. Double-click Offer Remote Assistance. In the Offer Remote Assistance Properties dialog box, select Disabled. Disabling this policy prevents unsolicited assistance offers. Click OK.
6. If you want to use strong invitation encryption and limit connections so they can only come from computers running Windows Vista or later releases of Windows, double-click Allow Only Vista Or Later Connections. In the Allow Only Vista Or Later Connections dialog box, select Enabled. Click OK.
To prevent remote assistance and remote control, follow these steps:
1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.
2. Double-click Solicited Remote Assistance. On the Setting tab, select Disabled and then click Previous Setting or Next Setting as appropriate.
3. In the Offer Remote Assistance dialog box, select Disabled and then click OK.
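Whether a computer actually received the Remote Assistance settings described above (unsolicited offers disabled, solicited invitations with a bounded ticket time, optionally view-only access and strong invitation encryption) can be checked by reading the registry values these policies write. The following is an added example, not code from the book; the registry key, the value names, and the unit encoding are assumptions taken from the Remote Assistance administrative template and should be confirmed on your Windows build.

```powershell
# Added example (not from the book). Key and value names are assumed from the
# Remote Assistance administrative template; confirm them on your Windows build.
$RaKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RaPolicyValue {
    param([string]$Name)
    # An absent value means the policy is Not Configured; return $null for that.
    $item = Get-ItemProperty -Path $RaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-RemoteAssistancePolicy {
    param(
        [double]$MaxTicketHours = 1,   # the page gives one hour as the default limit
        [switch]$RequireViewOnly,      # expect Allow Helpers To Only View This Computer
        [switch]$RequireEncryption     # expect Allow Only Vista Or Later Connections
    )
    $solicited   = Get-RaPolicyValue 'fAllowToGetHelp'             # Solicited Remote Assistance
    $fullControl = Get-RaPolicyValue 'fAllowFullControl'           # 1 = control, 0 = view only
    $unsolicited = Get-RaPolicyValue 'fAllowUnsolicited'           # Offer Remote Assistance
    $encrypted   = Get-RaPolicyValue 'CreateEncryptedOnlyTickets'  # strong invitation encryption
    $expiry      = Get-RaPolicyValue 'MaxTicketExpiry'
    $units       = Get-RaPolicyValue 'MaxTicketExpiryUnits'        # 0 = minutes, 1 = hours, 2 = days

    $findings = New-Object System.Collections.Generic.List[string]

    # Unsolicited offers must be explicitly Disabled (0), not merely left unconfigured.
    if ($unsolicited -ne 0) { $findings.Add('Offer Remote Assistance is not set to Disabled') }

    if ($null -eq $solicited) {
        $findings.Add('Solicited Remote Assistance is Not Configured; local settings apply')
    }
    elseif ($solicited -eq 1) {
        # Normalise the ticket lifetime to hours before comparing it with the limit.
        $hours = $null
        if ($null -ne $expiry) {
            $hours = switch ($units) { 0 { $expiry / 60 } 1 { $expiry } 2 { $expiry * 24 } }
        }
        if ($null -eq $hours) { $findings.Add('No maximum ticket time is set by policy') }
        elseif ($hours -gt $MaxTicketHours) {
            $findings.Add("Maximum ticket time is $hours h, above the $MaxTicketHours h limit")
        }
        if ($RequireViewOnly -and $fullControl -ne 0) {
            $findings.Add('Helpers are allowed to remotely control this computer')
        }
        if ($RequireEncryption -and $encrypted -ne 1) {
            $findings.Add('Allow Only Vista Or Later Connections is not Enabled')
        }
    }
    # Solicited = 0 means Remote Assistance is disabled outright; nothing more to check.

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Test-RemoteAssistancePolicy -RequireEncryption | Format-List
```

A computer where both Solicited Remote Assistance and Offer Remote Assistance are Disabled reports as compliant, which matches the second procedure above.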
Working with Computer and User Script Policies
Script policies control the behavior and assignment of computer and user scripts. Four types of scripts can be configured:
Computer startup: Executed during startup
Computer shutdown: Executed prior to shutdown
User logon: Executed when a user logs on
User logoff: Executed when a user logs off
You can write these scripts as command-shell batch or Windows scripts. Batch scripts use the shell command language. Windows scripts use Windows Script Host (WSH) and are written in a scripting language, such as Microsoft Visual Basic, Scripting Edition (VBScript) or Microsoft JScript.
Controlling Script Behavior Through Policy
Policies that control script behavior are found under Computer Configuration\Administrative Templates\System\Scripts and User Configuration\Administrative Templates\System\Scripts. Through policy, you can control the behavior of startup, shutdown, logon, and logoff scripts. The key policies that you'll use are described in Table 8-4. As you'll see, there are numerous options for configuring script behavior.
Table 8-4: Computer and User Script Policies
| Policy Type | Policy Name | Description |
| --- | --- | --- |
| Computer | Maximum Wait Time For Group Policy Scripts | Sets the maximum time to wait for scripts to finish running. The default value is 600 seconds (10 minutes). |
| Computer | Run Shutdown Scripts Visible | Displays shutdown scripts and their instructions as they execute. |
| Computer | Run Startup Scripts Asynchronously | Allows the system to run startup scripts simultaneously rather than one at a time. |
| Computer | Run Startup Scripts Visible | Displays startup scripts and their instructions as they execute. |
| Computer/User | Run Logon Scripts Synchronously | Ensures the system waits for logon scripts to finish before displaying the Windows interface. |
| User | Run Legacy Logon Scripts Hidden | Hides logon scripts configured through System Policy Editor in Windows NT 4. |
| User | Run Logoff Scripts Visible | Displays logoff scripts and their instructions as they execute. |
| User | Run Logon Scripts Visible | Displays logon scripts and their instructions as they execute. |
Although there are many ways to control script behavior, you'll usually want scripts to behave as follows: