Read an Excerpt
Chapter 1: Microsoft's Zero Administration Initiative
Policy-Based Management
It is important to understand how the Microsoft Management Console and the Active Directory work because they provide the framework and environment for almost everything you do in Windows 2000 Server. Policy-based management, however, is the most important subject covered in this book. A solid understanding of policy-based management is essential if you are to get the full benefit of the Zero Administration features in Windows 2000 Server.
Policy-based management enables you to tap into the existing capabilities of the underlying architectures of 32-bit Windows operating systems, and use these capabilities to manage your network more effectively. Through policy-based management, you can deal with such issues as user access and system security by creating system and group policies and user profiles on your server, and then synchronizing them with the operating systems on client workstations. You can even perform backups or scan workstations for viruses directly from the server. Finally, you can create policies to automate tasks such as updating operating systems, installing new applications, managing users, and locking down desktop systems.
The primary tool for policy-based management in Windows 2000 Server is the Group Policy Editor, which replaces the System Policy Editor of Windows NT 4. The Security Configuration Editor, which enables you to create custom security policies and assign security settings to a policy object, is also of significant interest. Other policy-based management features in Windows 2000 Server enable you to manage user profiles, set disk quotas, and manage software.
Windows Scripting Host
The Windows Scripting Host enables you to create simple scripts that can be executed directly from either the Windows desktop or the command shell. The scripts are similar to DOS batch files and are appropriate for simple situations in which interaction with the user is not required. A login script is a good candidate for using the capabilities of the Windows Scripting Host.
Other tools and technologies in the Zero Administration Initiative allow you to manage groups of users through policy scripts. The Windows Scripting Host gives you the opportunity to manage subgroups, or even individual users, by creating scripts that run automatically in specific circumstances, such as when a user logs onto the network. Network administrators have used login scripts for many years, of course. Windows Scripting Host scripts, however, like DOS batch files, are not limited to login situations.
As of this writing, if you are a member of the Microsoft Developer Network, you can download the Windows Scripting Host for Windows 95 or Windows NT 4, as well as sample scripts, from Microsoft's Web site at msdn.microsoft.com/scripting/default.htm?/scripting/windowshost/. In the event that this URL has changed, you can log onto Microsoft's main Web site and search on both "Windows Script Host" and "Windows Scripting Host." (I have seen it referred to both ways by Microsoft.)
Windows 98 comes with the Windows Scripting Host and several sample scripts. To make sure that it is installed on your Windows 98 system, open Control Panel|Add/Remove Programs. From the Windows Setup page, select Accessories, and then choose Details. If the box next to Windows Scripting Host is not checked, check the box and follow the prompts to install it. You'll find the sample scripts under your Windows folder, in the \samples\wsh folder.
Zero Administration Kit
The Zero Administration Kit was the first component of the Zero Administration Initiative to be released by Microsoft. It is a set of tools, techniques, and guidelines that help you use the existing features in Windows NT Server 4 and Systems Management Server to set and maintain policies on client workstations. At this writing, Microsoft has not announced a version for Windows 2000 Server. This is probably because many of the voids that the kit attempted to fill in Windows NT have been addressed by the management features in Windows 2000.
The purpose of the kit, which relies heavily on the System Policy Editor in Windows NT 4 Server, is to show network administrators how to manage and control the Windows desktops on their client workstations. It includes sample policies to start you on your way.
For example, you can tightly control the operating system interface that is presented to members of different groups on your network. You can give those employees who require a high level of flexibility at their workstations the tools and options that they need to do their work. In contrast, for those who use only one application, you can remove the distractions presented by their desktop operating system, so that the application loads automatically when they log on to the network, just like the old mainframe/dumb terminal days.
The Zero Administration Kit comes with two predefined profiles for workstation clients: TaskStation and AppStation. The TaskStation profile is designed for situations in which the user needs only one application, such as a proprietary line-of-business program. In TaskStation mode, the user never sees the Windows desktop shell interface. The Start menu and the Taskbar do not exist for them. When they log onto the network, their application opens immediately. No other software is installed on their system, and they cannot access any of the features of the operating system. Their files are stored on the network and simply cached on their local drive.
The AppStation profile is designed for the end user who runs several applications and needs a certain amount of flexibility at their workstation. Some, but not all, of the features of the operating system are available to them. You, as network administrator, determine what those features are in your policy for the AppStation group. For example, you can disable some or all of the applets in Control Panel, preventing the user from tinkering with configuration settings or changing the appearance of their desktop. You can also control what they see on the Start menu and can disable the Shut Down command, where appropriate.
These profiles attach to the user, not to the workstation, which permits users to "roam" from one workstation to another. If a TaskStation user logs onto another system (for instance, one normally used by a member of the AppStation group), they will see only the TaskStation interface that you have designated for them. The situation also works in reverse; an AppStation member can log onto a workstation that is normally used by a TaskStation employee and still have their AppStation interface available to them.
The Zero Administration Kit can also be used in conjunction with Systems Management Server to automate the installation of operating system software and business applications on client systems. There are separate versions of the kit for Windows 95 and Windows NT Workstation clients. The Windows 95 version lacks the security features of the Windows NT version because of differences in the operating systems.
Because the Zero Administration Kit is limited to Windows NT 4 Server, it is not covered in detail in this book. Instead, you will learn how to use the Group Policy Editor and other features of Windows 2000 Server to create equivalents of the AppStation and TaskStation interfaces.
At this writing, you can download the Windows 95, Windows 98, and Windows NT 4 Workstation versions of the Zero Administration Kit from Microsoft's Web site at www.microsoft.com/windows/zak/getzak.htm. In the event that this URL has changed, you can log onto Microsoft's main Web site and search on "Zero Administration Kit."
IntelliMirror
Although not listed as a component of the Zero Administration Initiative, IntelliMirror (a sophisticated caching technology introduced in Windows 2000 Server) is seen by many as an important tool that makes life easier for administrators. Microsoft describes it as "persistent caching of data and configuration information," which is a complex way of describing a relatively simple concept.
Application software, user profiles, and user-created data files are stored on your server and downloaded to the client workstation, as needed. Instead of being used to hold installed applications and permanent copies of working files, the hard drive on the workstation is used as a very large disk cache. Software components are downloaded as they are used, not all at once. Data files are transferred the first time the user accesses them. The user works with the copy on their local drive, reducing traffic on the network except when they are saving a file.
Every time they save the file, it is saved to the network as well as to their local drive, where it is stored with a cryptic file name different from the name used for the network copy. The next time the user opens the file, the local copy is checked against the network version. If the network version is newer, it is downloaded to the user's workstation. If not, the local copy of the file is used.
One advantage of IntelliMirror is that it reduces network traffic. Another is that its ability to synchronize files enables the user to continue to work on the file offline without having to remember to copy it to the local drive and back to the network later on. The next time the user logs on, the file is copied back to the network if it is newer than the network version. If someone else has modified the network version in the meantime, the user receives an overwrite warning.
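The synchronization rules described above can be modeled in a few lines. This is an added example, not IntelliMirror's implementation and not code from the book; the stored baseline timestamp (`synced_mtime`), the function names, and the sample values are assumptions. It shows why an overwrite warning needs a remembered baseline: a plain "newer copy wins" comparison would silently replace a colleague's edit.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    USE_LOCAL = "use cached copy"
    DOWNLOAD = "download network copy"
    UPLOAD = "copy local changes to network"
    WARN_OVERWRITE = "warn: both copies changed"


@dataclass
class CachedFile:
    local_mtime: int      # last write to the cached copy
    network_mtime: int    # last write to the server copy
    synced_mtime: int     # assumed baseline: server mtime at last sync


def newer_wins(f: CachedFile) -> Action:
    """Timestamp comparison only: whichever copy is newer replaces the other."""
    if f.network_mtime > f.local_mtime:
        return Action.DOWNLOAD
    if f.local_mtime > f.network_mtime:
        return Action.UPLOAD
    return Action.USE_LOCAL


def reconcile(f: CachedFile) -> Action:
    """Compare both copies to the baseline so concurrent edits are caught."""
    local_changed = f.local_mtime > f.synced_mtime
    network_changed = f.network_mtime > f.synced_mtime
    if local_changed and network_changed:
        return Action.WARN_OVERWRITE
    if network_changed:
        return Action.DOWNLOAD
    if local_changed:
        return Action.UPLOAD
    return Action.USE_LOCAL


# Constructed sample states (timestamps are arbitrary integers).
SAMPLES = {
    "unchanged":      CachedFile(100, 100, 100),
    "edited offline": CachedFile(250, 100, 100),
    "server updated": CachedFile(100, 180, 100),
    "both edited":    CachedFile(250, 180, 100),
}

if __name__ == "__main__":
    for name, f in SAMPLES.items():
        print(f"{name:15} newer_wins={newer_wins(f).name:9} reconcile={reconcile(f).name}")
```

In the "both edited" case the two functions disagree: `newer_wins` uploads the local copy over the other person's change, while `reconcile` raises the warning.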
Because users' software, data files, and configuration information are stored on the network, users can change workstations and still use their familiar configurations. If a user's normal workstation fails, it becomes much easier than before to get that person up-and-running quickly on another system. On the other hand, if the network should go down, the user can continue to work on their local copy of the file.
There is at least one serious drawback to IntelliMirror. When users access a software program on the network, only the necessary components are downloaded to their workstations, not the entire installation. If users are working offline, as is often the case with notebook users, and they attempt to use a software feature that they didn't need before, it will not be available to them. Be prepared for some angry long-distance phone calls from your marketing department's road warriors.
Web Administration Utility
The Web Administration Utility makes it possible for you to administer your server remotely by using any compatible Web browser, including those running on Windows, Macintosh, and Unix platforms. Although it is not a replacement for your industrial-strength, on-site administrative tools, you will find it useful when you need to perform a simple management task away from the office. Through it, you can administer accounts, shares, sessions, servers, and printers.
The utility, which is designed to work with Windows NT 4 as well as Windows 2000 Server, works in conjunction with Internet Information Server (IIS). When you install IIS on your system, it generates Web pages with forms that you can use to administer your network. To access a form from your remote system, just enter its Uniform Resource Locator (URL) in your Web browser...
Table of Contents
Introduction
Chapter 1: Microsoft's Zero Administration Initiative
Chapter 2: Using The Microsoft Management Console
Chapter 3: Managing Domains, Sites, And Schemas
Chapter 4: Managing Computers, Users, And Domain Controllers
Chapter 5: Managing Groups And Organizational Units
Chapter 6: Using The Group Policy Editor
Chapter 7: Managing User Profiles
Chapter 8: Managing Disk Quotas
Chapter 9: Using Security Templates
Chapter 10: Managing Security Configuration And Analysis
Chapter 11: Managing Software
Chapter 12: Using WinINSTALL LE
Chapter 13: Managing User Data
Appendix A: Where To Find Group Policy Settings
Appendix B: Remote Installation Services
Appendix C: The Windows Script Host
Index
Most Helpful Customer Reviews
If you are an Information Technology (IT) professional, reducing the Total Cost of Ownership (TCO) of your employer's or clients' investment in personal computers is no doubt one of your primary goals. The initial cost of hardware and software is only a small part of the total cost of owning a network of computer systems. Maintenance, training, and support are all significant factors as well. Many of the new features in Windows 2000 have been designed to help you reduce TCO. I wrote this book for IT administrators who are either evaluating Windows 2000 or already migrating their networks to it, and who need to learn quickly how it can help them to manage their networks effectively and efficiently. The book will be of value to anyone using Windows 2000, from the volunteer or part-time administrator upgrading from a small peer-to-peer network to the IT professional responsible for an enterprise-wide network spanning several continents. In doing research for the book, I realized that almost all of the features for reducing TCO used one or more of three underlying technologies: the Active Directory, Group Policy, and IntelliMirror. The Active Directory, which you use to administer every domain, site, organizational unit, group, user, and computer on your network, is the single most important new feature in Windows 2000. Therefore, I devoted several chapters to helping you to understand it and showing you how to use its features. Group Policy is also covered in detail. A thorough understanding of how to use group policies effectively is one of the keys to reducing TCO. For example, you would use Group Policy to implement remote software management on your network. In my opinion, software management is the single most useful new feature in Windows 2000 for reducing TCO and helping you to start getting home at a decent hour once again.
The remote software management features in Windows 2000 enable you to make productivity applications available to every user who needs them by simply copying the installation files to a shared network folder and making a few simple additions to a group policy that applies to the intended users. The application will install itself automatically on the systems of the designated users and even repair itself if a key file is deleted or becomes corrupted. The Active Directory and Group Policy primarily make life easier for you. IntelliMirror, on the other hand, helps your users as well. Through it, you can create roaming user profiles, so that users have their own custom desktop settings and productivity applications available to them regardless of the system that they are using. Users can also designate files on your network to be made available to them off-line, provided that they have the necessary security permission. The original file remains on the network. A copy of the file is kept in a special cache on the user's system, so that they can continue to work on it when the network is not available. The next time that they log onto your network, the two copies are synchronized. While these concepts, especially the Active Directory, can be complex, my goal has been to help you to understand them even if you are a relative newcomer to network administration. Throughout, I share insights and perspectives based on my own experiences using a specific feature, showing you why and how it could be useful to you. The book is filled with notes, tips, and warnings. You'll find also that I've been candid with you. If a feature didn't work properly for me, didn't seem to make sense, or could easily get you into trouble, I've let you know about it. In all of my writing, I always keep the needs of you, the reader, first and foremost in my mind. My primary goal is to make it as easy as possible for you to understand the information or idea that I am attempting to convey. 
In describing procedures, I strive to be as precise as possible and to lea