Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2008 by Dan Holme
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.
Library of Congress Control Number: 2007941090
Printed and bound in the United States of America
1 2 3 4 5 6 7 8 9 QWT 3 2 1 0 9 8
Distributed in Canada by H.B Fenn and Company Ltd
A CIP catalogue record for this book is available from the British Library
Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to rkinput@microsoft.com.
Microsoft, Microsoft Press, Active Directory, ActiveX, Excel, Expression, FrontPage, Groove, Internet Explorer, MSDN, MSN, Outlook, PowerPoint, SharePoint, SQL Server, Visio, Visual Basic, Visual Studio, Windows, Windows Media, Windows NT, Windows PowerShell, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
Acquisitions Editor: Martin DelRe
Developmental Editor: Karen Szall
Project Editor: Melissa von Tschudi-Sutton
Project Management: Publishing.Com
Compositor: Curtis Philips
Copy Editor: Roger LeBlanc
Body Part No X14-38533
Technical Reviewer: Rozanne Whalen;
Technical Review services provided by Content Master, a member of CM Group, Ltd
Proofreader: Teresa Barensfeld
Indexer: Potomac Indexing, LLC: Julie Kawabata & Seth Maislin
Cover: Design by Tom Draper Design;
Illustration by Todd Daman
a lifetime of experiences, and a wealth of knowledge. This book is to them, but it is also from them, through me, to you, the community of Windows administrators.
Dan Holme is a graduate of Yale University and the Thunderbird School of Global Management. He has spent over a decade as a consultant and trainer, delivering solutions to tens of thousands of IT professionals from the most prestigious organizations and corporations around the world. Dan’s company, Intelliem, specializes in boosting the productivity of IT professionals and end users by creating advanced, customized solutions that integrate clients’ specific design and configuration into productivity-focused tools, training, and knowledge management services.
Dan is also a contributing editor for Windows IT Pro magazine, a Microsoft MVP (Microsoft Office SharePoint Server), and the community lead of OfficeSharePointPro.com. From his base in beautiful Maui, Dan travels around the globe supporting customers and delivering Windows technologies training. Immediately following the release of this resource kit, he will be preparing for the Beijing Olympic Games as the Windows Technologies Consultant for NBC television, a role he also played in Torino in 2006.
The book you hold in your hands has a long history shaped by the many wonderful people who’ve helped me along the way.
First, there are my clients—you slave-driving, insane, and awe-inspiring friends who trust me to guide you and your enterprise, and who share your expertise and experience with me. Without you, there’d be no body of knowledge, solutions, and experience from which to create this resource kit. Thank you for making my career one of constant learning. Thank you for your business and your faith in me. Thank you for providing me many opportunities of a lifetime.
Next, there are my colleagues—you über-crazy, über-guru guys and gals who blow me away with your brains and brawn. Jeremy, Don, Darren, Mark, Rhonda, Derek, Alan, Gil, Sean, Guido, Jim, Brian, Steve, Richard, Joel, Tom, and I’m so sorry if I missed someone. Thanks for setting the bar so high and encouraging me to reach it!
Then, there are the incredible folks at Microsoft Press. Starting with Martin Del Re. You saw me presenting solutions-based content back in 2003 and said, “Someday we need to write this stuff down,” and you stuck by me all the way. We made it! Karen Szall, I cashed in my entire bank of credits on this project, and I owe you the next one! Melissa von Tschudi-Sutton, you came on board this big train without ever having worked with me before, and you gracefully extracted more than 650 pages of content and dozens of scripts in a period of just 10 weeks. There aren’t enough words to thank you, Melissa! And, of course, Curtis Philips, Rozanne Whalen, Roger LeBlanc, and Teresa Barensfeld—you tackled this new type of resource kit with amazing skill. This project was mammoth, and it could not have happened without each of you. I am so lucky to have worked with you!
Finally, and most importantly, to my friends and family: Lyman, Maddie, Mom and Dad, Bob and Joni, Stan and Marylyn, Julie, Joe, and the entire gang in Maui and Phoenix. Your patience and support and love have been the fuel in my fire. Thank you for cheering me on, picking me up, and waiting for me at the finish line. I owe you all a lot of quality time when this project is finished. You have taught me the meaning of ohana! Mahalo!
Contents at a Glance
Solution Collection 1: Role-Based Management 1
Solution Collection 2: Managing Files, Folders, and Shares 89
Solution Collection 3: Managing User Data and Settings 171
Solution Collection 4: Implementing Document Management and Collaboration with SharePoint 299
Solution Collection 5: Active Directory Delegation and Administrative Lock Down 363
Solution Collection 9: Improving the Deployment and Management of Applications and Configuration 583
Solution Collection 10: Implementing Change, Configuration, and Policies 635
What do you think of this book? We want to hear from you!
Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you. To participate in a brief online survey, please visit:
www.microsoft.com/learning/booksurvey
Table of Contents
Introduction xiii
Document Conventions xiii
System Requirements xiii
Web-Based Content xiii
Find Additional Content Online xiv
Companion Media xiv
Using the Scripts xv
Resource Kit Support Policy xvi
Solution Collection 1: Role-Based Management 1
Scenarios, Pain, and Solution 2
The 80/20 rule 8
Scripts and tools on the companion media 8
Microsoft and third-party tools 9
The Windows Administration Resource Kit online community 10
Enough, already! 11
1-1: Enumerate a User’s (or Computer’s) Group Memberships 11
Solution overview 11
Introduction 12
Active Directory Users and Computers 12
DS commands 13
Creating a batch script 14
Enumerating group membership with VBScript 15
Why VBScript? 25
Next steps 25
For more information 26
Solution summary 26
1-2: Create a GUI Tool to Enumerate Group Memberships 26
Solution overview 26
Introduction 27
HTML Applications 27
Create an HTA 28
For more information 35
Solution summary 35
1-3: Extend Active Directory Users and Computers to Enumerate Group Memberships 35
Solution overview 35
Introduction 36
Arguments and HTAs 36
Integrating a custom HTA with an MMC snap-in using tasks 38
Integrating a custom HTA with an MMC snap-in using display specifiers 42
Tasks or display specifiers 46
Solution summary 46
1-4: Understand Role-Based Management 46
Solution overview 46
Introduction 47
Role groups 48
Capability management groups 49
Role groups are nested into capability management groups 51
Other nesting 52
Data, business logic, and presentation 53
Third-party tools 54
Solution summary 54
1-5: Implement Role-Based Access Control 55
Solution overview 55
Introduction 55
Role groups 55
Capability management groups 61
Representing business requirements 64
Implementing capabilities 65
Automating and provisioning 65
Solution summary 65
1-6: Reporting and Auditing RBAC and Role-Based Management 66
Solution overview 66
Introduction 66
My Memberships 67
Access Report 71
Auditing internal compliance of your role-based access control 73
Solution summary 76
1-7: Getting to Role-Based Management 77
Solution overview 77
Introduction 77
A review of role-based management 77
Discussing and selling role-based management 79
The road to role-based management 81
Token size 83
Solution summary 87
Solution Collection 2: Managing Files, Folders, and Shares 89
Scenarios, Pain, and Solution 90
2-1: Work Effectively with the ACL Editor User Interfaces 92
Solution overview 92
Introduction 92
The ACL editor 92
Evaluating effective permissions 96
Solution summary 99
2-2: Manage Folder Structure 99
Solution overview 99
Introduction 100
Create a folder structure that is wide rather than deep 100
Use DFS namespaces to present shared folders in a logical hierarchy 103
Solution summary 103
2-3: Manage Access to Root Data Folders 104
Solution overview 104
Introduction 104
Create one or more consistent root data folders on each file server 104
Use Group Policy to manage and enforce ACLs on root data folders 105
Solution summary 107
2-4: Delegate the Management of Shared Folders 107
Solution overview 107
Introduction 107
Dedicate servers that perform a file server role 107
Manage the delegation of administration of shared folders 108
Solution summary 110
2-5: Determine Which Folders Should Be Shared 110
Solution overview 110
Introduction 110
Determine which folders should be shared 111
Solution summary 112
2-6: Implement Folder Access Permissions Based on Required Capabilities 112
Solution overview 112
Introduction 112
Implement a Read capability 113
Implement a Browse To capability 114
Implement an Edit capability 116
Implement a Contribute capability 117
Implement a Drop capability 118
Implementing a Support capability 118
Create scripts to apply permissions consistently 119
Manage folder access capabilities using role-based access control 119
Solution summary 120
2-7: Understand Shared Folder Permissions (SMB Permissions) 120
Solution overview 120
Introduction 121
Scripting SMB permissions on local and remote systems 123
Solution summary 123
2-8: Script the Creation of an SMB Share 124
Solution overview 124
Introduction 124
Using Share_Create.vbs 124
Customizing Share_Create.vbs 124
Understanding Share_Create.vbs 125
Solution summary 126
2-9: Provision the Creation of a Shared Folder 126
Solution overview 126
Introduction 127
Using Folder_Provision.hta 127
Basic customization of Folder_Provision.hta 130
Understanding the code behind Folder_Provision.hta and advanced customization 131
Solution summary 135
2-10: Avoid the ACL Inheritance Propagation Danger of File and Folder Movement 136
Solution overview 136
Introduction 136
See the bug-like feature in action 137
What in the world is going on? 138
Solving the problem 139
Change the culture, change the configuration 140
Solution summary 140
2-11: Preventing Users from Changing Permissions on Their Own Files 141
Solution overview 141
Introduction 141
What about object lockout? 143
Solution summary 143
2-12: Prevent Users from Seeing What They Cannot Access 143
Solution overview 143
Introduction 143
One perspective: Don’t worry about it 144
A second perspective: Manage your folders 144
A third perspective and a solution: Access-based Enumeration 144
Solution summary 145
2-13: Determine Who Has a File Open 145
Solution overview 145
Introduction 145
Using FileServer_OpenFile.vbs 146
Understanding FileServer_OpenFile.vbs 146
Solution summary 146
2-14: Send Messages to Users 147
Solution overview 147
Introduction 147
Using Message_Notification.vbs 147
Understanding Message_Notification.vbs 148
Using PSExec to execute a script on a remote machine 148
Listing the open sessions on a server 150
Using and customizing FileServer_NotifyConnectedUsers.vbs 150
Solution summary 151
2-15: Distribute Files Across Servers 151
Solution overview 151
Introduction 151
Using Robocopy to distribute files 151
Using DFS Replication to distribute files 152
Solution summary 154
2-16: Use Quotas to Manage Storage 154
Solution overview 154
Introduction 154
What’s new in quota management 155
Quota templates 155
Apply a quota to a folder 156
Solution summary 157
2-17: Reduce Help Desk Calls to Recover Deleted or Overwritten Files 157
Solution overview 157
Introduction 157
Enabling shadow copies 158
Understanding and configuring shadow copies 160
Accessing previous versions 161
Solution summary 162
2-18: Create an Effective, Delegated DFS Namespace 163
Solution overview 163
Introduction 163
Creating DFS namespaces 164
Delegating DFS namespaces 164
Linking DFS namespaces 166
Presenting DFS namespaces to users 168
Solution summary 169
Solution Collection 3: Managing User Data and Settings 171
Scenarios, Pain, and Solution 172
3-1: Define Requirements for a User Data and Settings Framework 174
Solution overview 174
Introduction 174
Understand the business requirements definition exercise 174
Define the high-level business requirements 177
Determine key design decision that is derived from high-level business requirements 180
Define requirements derived from key design decisions 181
Solution summary 184
3-2: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part I) 185
Solution overview 185
Introduction 185
Understand UDS options 186
Align user data and settings options with requirements and scenarios 189
Validate the outcome for desktop, roaming, relocated, and traveling users 191
Solution summary 192
3-3: Create, Secure, Manage, and Provision Server-Side User Data Stores 193
Solution overview 193
Introduction 193
Create the user data store root folder 195
Align physical namespace with management requirements such as quotas 200
Provision the creation of data stores 208
Configure file screens 210
Solution summary 210
3-4: Create the SMB and DFS Namespaces for User Data Stores 211
Solution overview 211
Introduction 211
Create the SMB namespace for user data and settings stores 212
Design the logical view of user data and settings stores with DFS Namespaces 215
Build a DFS namespace to support thousands of users 217
Understand the impact of data movement and namespace changes 218
Consider the impact of %username% changes 220
Build an abstract DFS namespace for user data and settings (no site-based namespace, preferably no human names) 221
Automate and provision the creation of user data stores and DFS namespaces 222
Solution summary 223
3-5: Design and Implement Folder Redirection 224
Solution overview 224
Introduction 224
Understand the role of folder redirection 225
Configure folder redirection policies 227
Configure folder redirection targets 228
Configure folder redirection settings 232
Support redirection for users on both Windows XP and Windows Vista 236
Redirect without Group Policy: Favorites, Music, Pictures, and Videos 238
Achieve a unified redirected folder environment for Windows XP and Windows Vista 242
Solution summary 245
3-6: Configure Offline Files 245
Solution overview 245
Introduction 245
Understand the cache 246
Understand caching 246
Understand synchronization 247
Understand offline mode 247
Leverage offline files for the UDS framework 248
Put offline files to use 256
Solution summary 257
3-7: Design and Implement Roaming Profiles 257
Solution overview 257
Introduction 257
Analyze the structure of the Windows Vista user profile 258
Review the components that create the user profile 260
Configure the folders that will not roam 262
Configure roaming profiles 263
Recognize the “V2” of Windows Vista roaming profiles 263
Unify the experience of Windows XP and Windows Vista users 264
Work through the FOLKLORE of roaming profiles 264
Identify the benefit of roaming profiles 266
Manage the Application Data (AppData\Roaming) folder 266
Solution summary 267
3-8: Manage User Data That Should Not Be Stored on Servers 267
Solution overview 267
Introduction 267
Identify the types of data you want to manage as local only 269
Design a local-only data folder structure 269
Implement local-only file folders 271
Ensure that applications will find relocated media folders 271
Redirect Windows XP media folders that you are treating as local only 272
Provide a way for users to find relocated folders 272
Communicate to users and train them regarding local-only data 274
Solution summary 274
3-9: Manage User Data That Should Be Accessed Locally 274
Solution overview 274
Introduction 274
Determine the name for a local files folder 275
Option 1: Use a roaming profile folder 276
Option 2: Leverage offline files (Windows Vista only) 276
Option 3: Create a local folder that is backed up to a network store 278
Solution summary 279
3-10: Back Up Local Data Stores for Availability, Mobility, and Resiliency 279
Solution overview 279
Introduction 279
Define the goals of a synchronization solution 280
Utilize Robocopy as a backup engine 281
Leverage Folder_Synch.vbs as a wrapper for Robocopy 282
Deploy Folder_Synch.vbs and Robocopy 283
Determine how and when to run Folder_Synch.vbs for each local store 284
Launch Folder_Synch.vbs manually 284
Enable users to right-click a folder and back it up using a shell command 286
Compare manual options for Folder_Synch.vbs 288
Run Folder_Synch.vbs automatically 288
Run Folder_Synch.vbs as a scheduled task 289
Run Folder_Synch.vbs as a logon, logoff, startup, or shutdown script 290
Log and monitor synchronization 291
Solution summary 292
3-11: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part II) 293
Solution overview 293
Introduction 293
Recognize the crux of the challenge 293
Identify the desired classes of data stores 294
Analyze and classify your user data stores and data 294
Solution summary 297
Solution Collection 4: Implementing Document Management and Collaboration with SharePoint 299
Scenarios, Pain, and Solution 300
4-1: Create and Configure a Document Library 301
Solution overview 301
Introduction 302
Create a site 302
Create a document library 303
Configure document library settings 304
Configure the document library title 306
Enable or disable folders within the document library 307
Change the default template for the library 307
Configure security for a document library 309
Solution summary 311
4-2: Manage Document Metadata Using Library and Site Columns 312
Solution overview 312
Introduction 312
Create a column 313
Work with custom columns from Microsoft Office clients 314
Work with document properties from the SharePoint Web interface 316
Modify or delete library columns 318
Reorder columns 319
Manage site columns 319
Create site columns 319
Use a site column in a list or library 320
Modify and delete site columns 320
Solution summary 321
4-3: Implement Managed Content Types 321
Solution overview 321
Introduction 321
Create a content type 322
Add one or more content types to a list or library 324
Understand child site and list content types 324
Protect a content type by making it read-only 326
Do not change default SharePoint content types 326
Solution summary 326
4-4: Configure Multiple Templates for a Document Library 327
Solution overview 327
Introduction 327
Create a central library for templates 327
Configure a content type for a template 328
Configure a library to support the content types 328
Solution summary 329
4-5: Add, Save, and Upload Documents to a Document Library 329
Solution overview 329
Introduction 329
Create a new document with the New command 330
Upload documents with the Upload commands 330
Add documents to document libraries with Windows Explorer 331
Save to a document library from a SharePoint-compatible application 332
E-mail–enable a document library 332
Solution summary 333
4-6: Create Shortcuts to Document Libraries for End Users 334
Solution overview 334
Introduction 334
Create Network Places (Windows XP) 334
Create Network Locations (Vista) 335
Solution summary 336
4-7: Quarantine and Manage Uploads to a Document Library with Multiple Content Types 336
Solution overview 336
Introduction 336
Solution summary 337
4-8: Work with Documents in a Document Library 338
Solution overview 338
Introduction 338
View a document in a document library 338
Edit a document in a document library 338
Open a document with Office 2007 clients installed 338
Solution summary 339
4-9: Monitor Changes to Libraries or Documents with Alerts and RSS 339
Solution overview 339
Introduction 339
Subscribe to e-mail alerts for a library or document 340
Monitor library activity using RSS 341
Solution summary 341
4-10: Control Document Editing with Check Out 341
Solution overview 341
Introduction 341
Require document checkout 342
Check out a document 342
Understand the user experience while a document is checked out 343
Manage document check in 343
Solution summary 345
4-11: Implement and Maintain Document Version History 345
Solution overview 345
Introduction 345
Configure version history 346
Manage the creation of major and minor versions 346
Manage document versions 347
Compare document versions 347
Solution summary 347
4-12: Implement Content Approval 347
Solution overview 347
Introduction 347
Configure content approval 348
Understand the interaction of content approval, versioning, and checkout 348
Solution summary 348
4-13: Implement a Three-State Workflow 349
Solution overview 349
Introduction 349
Configure the choice field for the state 349
Configure the three-state workflow 350
Launch and manage workflows 352
Solution summary 352
4-14: Organize and Manage Documents with Folders and Views 353
Solution overview 353
Introduction 353
Use folders to scope document management 353
Use views to scope the presentation and management of documents 354
Solution summary 354
4-15: Configure WSS Indexing of PDF Files 355
Solution overview 355
Introduction 355
Disable search within a library 355
Enable indexing of PDFs 355
Assign an icon to unrecognized file types 358
Solution summary 359
4-16: Work with SharePoint Files Offline 359
Solution overview 359
Introduction 359
Download a copy of a file 360
Provide offline access to files using the local cache 360
Use Outlook 2007 to take libraries and lists offline 361
Other options for offline use of SharePoint document libraries 362
Solution summary 362
Solution Collection 5: Active Directory Delegation and Administrative Lock Down 363
Scenarios, Pain, and Solution 363
5-1: Explore the Components and Tools of Active Directory Delegation 365
Solution overview 365
Introduction 365
Use Active Directory object ACLs and ACL editor interfaces 365
Manage access control entries on Active Directory objects 367
Adhere to the golden rules of delegation 369
Apply permissions with a friend: The Delegation Of Control Wizard 370
Manage the presentation of your delegation 372
Solution summary 373
5-2: Customize the Delegation Of Control Wizard 373
Solution overview 373
Introduction 373
Locate and understand Delegwiz.inf 374
Customize Delegwiz.inf 377
Use Microsoft’s super-duper Delegwiz.inf 378
Solution summary 379
5-3: Customize the Permissions Listed in the ACL Editor Interfaces 380
Solution overview 380
Introduction 380
Recognize that some permissions are hidden 380
Modify Dssec.dat 381
Ensure the visibility of permissions that you are delegating 383
Solution summary 383
5-4: Evaluate, Report, and Revoke Active Directory Permissions 384
Solution overview 384
Introduction 384
Use Dsacls to report Active Directory permissions 384
Use ACLDiag to report Active Directory permissions 385
Use ADFind to report Active Directory permissions 386
Use DSRevoke to report Active Directory permissions 387
Evaluate permissions assigned to a specific user or group 388
Revoke Active Directory permissions with DSRevoke 389
Revoke Active Directory permissions with Dsacls 389
Reset permissions to Schema defaults 390
Solution summary 391
5-5: Assign and Revoke Permissions with Dsacls 391
Solution overview 391
Introduction 391
Identify the basic syntax of Dsacls 392
Delegate permissions to manage computer objects 392
Grant permissions to manage other common object classes 394
Use Dsacls to delegate other common tasks 394
Solution summary 400
5-6: Define Your Administrative Model 401
Solution overview 401
Introduction 401
Define the tasks that are performed 401
Define the distinct scopes of each task 402
Bundle tasks within a scope 402
Identify the rules that currently perform task bundles 402
Solution summary 402
5-7: Role-Based Management of Active Directory Delegation 403
Solution overview 403
Introduction 403
Identify the pain points of an unmanaged delegation model 403
Create capability management groups to manage delegation 405
Assign permissions to capability management groups 405
Delegate control by adding roles to capability management groups 406
Create granular capability management groups 406
Report permissions in a role-based delegation 407
Solution summary 408
5-8: Scripting the Delegation of Active Directory 408
Solution overview 408
Introduction 409
Recognize the need for scripted delegation 409
Script delegation with Dsacls 410
Solution summary 410
5-9: Delegating Administration and Support of Computers 411
Solution overview 411
Introduction 411
Define scopes of computers 411
Create capability management groups to represent administrative scopes 412
Implement the delegation of local administration 412
Manage the scope of delegation 414
Get the Domain Admins group out of the local Administrators groups 416
Solution summary 416
5-10: Empty as Many of the Built-in Groups as Possible 416
Solution overview 416
Introduction 417
Delegate control to custom groups 417
Identify protected groups 417
Don’t bother trying to un-delegate the built-in groups 418
Solution summary 418
Solution Collection 6: Improving the Management and Administration of Computers 419
Scenarios, Pain, and Solution 419
6-1: Implement Best Practices for Managing Computers in Active Directory 421
Solution overview 421
Introduction 421
Establish naming standards for computers 422
Identify requirements for joining a computer to the domain 423
Design Active Directory to delegate the management of computer objects 423
Delegate permissions to create computers in the domain 425
Create a computer object in Active Directory 425
Delegate permissions to join computers using existing computer objects 426
Join a computer to the domain 428
Ensure correct logon after joining the domain 429
Solution summary 430
6-2: Control the Addition of Unmanaged Computers to the Domain 431
Solution overview 431
Introduction 431
Configure the default computer container 432
Solution summary 435
6-3: Provision Computers 435
Solution overview 435
Introduction 436
Use Computer_JoinDomain.hta 436
Provision computer accounts with Computer_JoinDomain.hta 438
Create an account and join the domain with Computer_JoinDomain.hta 440
Understand Computer_JoinDomain.hta 441
Distribute Computer_JoinDomain.hta 441
Solution summary 442
6-4: Manage Computer Roles and Capabilities 442
Solution overview 442
Introduction 442
Automate the management of desktop and laptop groups 442
Deploy software with computer groups 445
Identify and manage other computer roles and capabilities 445
Solution summary 446
6-5: Reset and Reassign Computers 447
Solution overview 447
Introduction 447
Rejoin a domain without destroying a computer’s group memberships 447
Replace a computer correctly by resetting and renaming the computer object 448
Replace a computer by copying group memberships and attributes 449
Solution summary 450
6-6: Establish the Relationship Between Users and Their Computers with Built-in Properties 450
Solution overview 450
Introduction 450
Use the managedBy attribute to track asset assignment of a computer to a single user or group 451
Use the manager attribute to track asset assignment of computers to a user 452
Solution summary 453
6-7: Track Computer-to-User Assignments by Extending the Schema 454
Solution overview 454
Introduction 454
Understand the impact of extending the schema 454
Plan the ComputerAssignedTo attribute and ComputerInfo object class 455
Obtain an OID 456
Register the Active Directory schema snap-in 456
Make sure you have permission to change the schema 457
Connect to the schema master 457
Create the ComputerAssignedTo attribute 457
Create the ComputerInfo object class 459
Associate the ComputerInfo object class with the Computer object class 461
Give the ComputerAssignedTo attribute a friendly display name 462
Allow the changes to replicate 462
Delegate permission to modify the attribute 463
Integrate the Computer_AssignTo.hta tool with Active Directory Users and Computers 463
Add other attributes to computer objects 467
Solution summary 467
6-8: Establish Self-Reporting of Computer Information 468
Solution overview 468
Introduction 468
Determine the information you wish you had 468
Decide where you want the information to appear 469
Report computer information with Computer_InfoToDescription.vbs 469
Understand Computer_InfoToDescription.vbs 469
Expose the report attributes in the Active Directory Users and Computers snap-in 470
Delegate permissions for computer information reporting 470
Automate computer information reporting with startup and logon scripts or scheduled tasks 472
Take it to the next level 473
Solution summary 473
6-9: Integrate Computer Support Tools into Active Directory Users and Computers 474
Solution overview 474
Introduction 474
Add a “Connect with Remote Desktop” command 474
Add an “Open Command Prompt” command 475
Execute any command remotely on any system 476
Use Remote_Command.hta to create specific command tasks for remote administration 477
Solution summary 478
Solution Collection 7: Extending User Attributes and Management Tools 479
Scenarios, Pain, and Solution 479
7-1: Best Practices for User Names 481
Solution overview 481
Introduction 481
Establish best practice standards for user object name attributes 481
Implement manageable user logon names 487
Prepare to add the second “John Doe” to your Active Directory 490
Solution summary 491
7-2: Using Saved Queries to Administer Active Directory Objects 491
Solution overview 491
Introduction 491
Create a custom console that shows all domain users 492
Control the scope of a saved query 493
Build saved queries that target specific objects 494
Understand LDAP query syntax 496
Identify some useful LDAP queries 497
Transfer saved queries between consoles and administrators 498
Leverage saved queries for most types of administration 499
Solution summary 499
7-3: Create MMC Consoles for Down-Level Administrators 499
Solution overview 499
Introduction 499
Create a console with saved queries 500
Create a taskpad with tasks for each delegated ability 500
Add productive tools and scripts to the taskpads 503
Add procedures and documentation to the console 503
Create an administrative home page within the console 503
Add each taskpad to the MMC favorites 504
Create navigation tasks 504
Save the console in User mode 504
Lock down the console view 505
Distribute the console 505
Solution summary 506
7-4: Extending the Attributes of User Objects 506
Solution overview 506
Introduction 506
Leverage unused and unexposed attributes of user objects 507
Extend the schema with custom attributes and object classes 509
Create an attribute that exposes the computer to which a user is logged on 511
Create an attribute that supports users’ software requests 512
Solution summary 513
7-5: Creating Administrative Tools to Manage Unused and Custom Attributes 513
Solution overview 513
Introduction 513
Display and edit the value of an unexposed attribute 514
Use the Object_Attribute.vbs script to display or edit any single-valued attribute 521
Use Object_Attribute.hta to view or edit single-valued or multivalued attributes 522
Solution summary 523
7-6: Moving Users and Other Objects 523
Solution overview 523
Introduction 524
Understand the permissions required to move an object in Active Directory 524
Recognize the denial-of-service exposure 524
Carefully restrict the delegation to move (delete) objects 524
Delegate highly sensitive tasks such as object deletion to tertiary administrative credentials 525
Proxy the task of moving objects 525
Solution summary 525
7-7: Provisioning the Creation of Users 526
Solution overview 526
Introduction 526
Examine a user-provisioning script 526
Create graphical provisioning tools 529
Solution summary 529
Solution Collection 8: Reimagining the Administration of Groups and Membership 531
Scenarios, Pain, and Solution 531
8-1: Best Practices for Creating Group Objects 533
Solution overview 533
Introduction 533
Create groups that document their purpose 533
Protect groups from accidental deletion 535
Consider the group type: security vs distribution 536
Consider group scope: global, domain local, and universal 539
Solution summary 540
8-2: Delegate Management of Group Membership 541
Solution overview 541
Introduction 541
Examine the member and memberOf attributes 541
Delegate permission to write the member attribute 543
Solution summary 549
8-3: Create Subscription Groups 549
Solution overview 549
Introduction 549
Examine scenarios suited to the use of subscription groups 550
Delegate the Add/Remove Self As Member validated write 551
Provide tools with which to subscribe or unsubscribe 552
Solution summary 554
8-4: Create an HTA for Subscription Groups 555
Solution overview 555
Trang 31Introduction 555Use Group_Subscription.hta 555Understand Group_Subscription.hta 556Take away lessons in the value of group standards 557Solution summary 5588-5: Create Shadow Groups 559Solution overview 559Introduction 559Shadow groups and fine-grained password and account
lockout policies 559Understand the elements of a shadow group framework 560Define the group membership query 560Define the base scopes of the query 561Develop a script to manage the group’s member attribute based
on the query, while minimizing the impact on replication 561Execute the script on a regular interval 563Trigger the script based on changes to an OU 563Solution summary 5648-6: Provide Friendly Tools for Group Management 564Solution overview 564Introduction 564Enumerate memberOf and member 565Report direct, indirect, and primary group memberships 565List a user’s membership by group type 566Display all members of a group 567Add or remove group members with Group_ChangeMember.hta 568Give users control over the groups they manage 569Identify notes and next steps for group management tools 569Solution summary 5708-7: Proxy Administrative Tasks to Enforce Rules and Logging 570Solution overview 570Introduction 571Understand proxying 572Explore the components of the Proxy Framework 573Imagine what proxying can do for you 581Delegate group management to users with increased confidence
and security 582
Trang 32Solution Collection 9: Improving the Deployment and Management
of Applications and Configuration 583
Scenarios, Pain, and Solution 5839-1: Providing Software Distribution Points 585Solution overview 585Introduction 585Rationalize your software folder namespace 586Manage access to software distribution folders 588Share the Software folder, and abstract its location
with a DFS namespace 589Replicate software distribution folders to remote sites
and branch offices 591Create a place for your own tools and scripts 593Solution summary 5939-2: New Approaches to Software Packaging 594Solution overview 594Introduction 594Determine how to automate the installation of an application 595Identify the success codes produced by application installation 597Use Software_Setup.vbs to install almost any application 597Separate the configuration from the application installation 599Install the current version of an application 601Solution summary 6029-3: Software Management with Group Policy 603Solution overview 603Introduction 603Prepare an application for deployment with GPSI 603Configure a GPO to deploy an application 603Scope the deployment of an application using application groups 605Filter the software deployment GPO with the application group 606Link the GPO as high as necessary to support its scope 607When to use GPSI 608GPSI and Microsoft Office 2007 608Take it to the next level 609Solution summary 6099-4: Deploy Files and Configuration Using Group Policy Preferences 609Solution overview 609Introduction 609
Trang 33Deploy files with Group Policy Files preferences 610Push registry changes using Registry preferences 612Solution summary 6159-5: A Build-It-Yourself Software Management Infrastructure 615Solution overview 615Introduction 616Identify the challenges of deploying applications such as
Microsoft Office 2007 616Prepare a software distribution folder for Microsoft Office 2007 617Create a setup customization file 618Launch an unattended installation of Office 2007 619Identify the requirements for a build-it-yourself software
management framework 619Customize Software_Deploy.vbs to enable application deployment 620Manage change using group membership 625Deploy an application using a scheduled task 628Give users control over the timing of installation 628Solution summary 6309-6: Automate Actions with SendKeys 630Solution overview 630Introduction 630Use SendKeys to automate an action sequence 630Understand and customize Config_QuickLaunch_Toggle.vbs 633Set the default folder view to Details for all folders 634Automate with AutoIt 634Solution summary 634
Solution Collection 10: Implementing Change, Configuration,
and Policies 635
Scenarios, Pain, and Solution 63610-1: Create a Change Control Workflow 637Solution overview 637Introduction 637Identify the need for change 638Translate the change to Group Policy settings 638Test the change in a lab environment 639Communicate the change to users 639Test the change in the production environment 639
Trang 34Migrate users and computers in the production environment
to the scope of the change 639Implement more GPOs with fewer settings 639Establish a GPO naming convention 640Ensure a new GPO is not being applied while you are configuring
its settings 641Back up a GPO prior to and after changing it 642Document the settings and the GPO 642Carefully implement the scope of a GPO 642Establish a change management workflow with service levels 642Understand the behavior of client-side Group Policy application 642Solution summary 64410-2: Extend Role-Based Management to the Management
of Change and Configuration 644Solution overview 644Introduction 645Scope GPOs to security groups 645Manage exemptions from an entire GPO 649Manage exemptions from some settings of a GPO 649Link group-filtered GPOs high in the structure 649Maximize group management techniques to control GPO scoping 650Solution summary 65110-3: Implement Your Organization’s Password and Account Lockout Policies 651Solution overview 651Introduction 652Determine the password policies that are appropriate for your
organization 652Customize the default GPOs to align with your enterprise policies 655Implement your password, lockout, and Kerberos policies 656Implement fine-grained password policies to protect sensitive and
privileged accounts 657Understand PSO precedence 659Solution summary 66110-4: Implement Your Authentication and Active Directory Auditing Policies 662Solution overview 662Introduction 662Implement your auditing policies by modifying the Default Domain
Controllers Policy GPO 662
Trang 35Consider auditing failure events 665Align auditing policies, corporate policies, and reality 665Audit changes to Active Directory objects 665View audit events in the Security log 667Leverage Directory Service Changes auditing 667Solution summary 66910-5: Enforce Corporate Policies with Group Policy 669Solution overview 669Introduction 670Translate corporate policies to security and nonsecurity settings 670Create GPOs to configure settings derived from corporate policies 670Scope GPOs to the domain 670Enforce corporate security and configuration policies 671Proactively manage exemptions 672Provide a managed migration path to policy implementation 672Determine whether you need more than one GPO for corporate
policy implementation 673Solution summary 67310-6: Create a Delegated Group Policy Management Hierarchy 674Solution overview 674Introduction 674Delegate permissions to link existing GPOs to an OU 674Delegate the ability to manage an existing GPO 676Delegate permission to create GPOs 677Understand the business and technical concerns of Group Policy
delegation 678Solution summary 67910-7: Testing, Piloting, Validating, and Migrating Policy Settings 679Solution overview 679Introduction 679Create an effective scope of management for a pilot test 680Prepare for and model the effects of the pilot test 680Create a rollback mechanism 681Implement the pilot test 682Migrate objects to the scope of the new GPO 682Solution summary 683
Trang 3610-8: No-Brainer Group Policy Tips 683Solution overview 683Introduction 683Deploy registry changes with templates or registry preferences 683Use loopback policy processing in merge mode 684Run GPUpdate on a remote system to push changes 684Delegate permissions to perform RSoP reporting 685Scope network-related settings using sites or shadow groups 685Avoid WMI filters and targeting when possible:
Use shadow groups instead 685No-brainer Group Policy settings 686
Index 689
objectives
If this sounds like something that you’d normally have to hire a consultant to do, that’s right! The impetus behind this book was the many years I’ve spent as a consultant and trainer helping clients overcome business and technical challenges. Many times I’ve presented solutions to clients and have been asked, “Is there a book about this stuff?” Well, now there is! I like to think of this as “Windows Consultant in a Box.” Or in a book, I guess.
This book addresses dozens of the kinds of problems that I’ve seen fought by enterprises large and small. My goal is to help you work SMART. That’s an acronym I coined at Intelliem. It means:
■ Automate repetitive steps with scripts
■ Align technologies with business processes through workflows and provisioning
■ Integrate third-party utilities
■ Work around limitations of Windows’ out-of-box features and administrative tools
If those last two bullets surprised you, let me tell you they surprised me, too! I’m actually going to be able to share with you, in black and white, examples of scenarios that you simply cannot address without acknowledging, and then working around, limitations of Windows.
If you appreciate this kind of candor from Microsoft, let the folks at Microsoft Press know!
I think that the approach we’re taking in this resource kit is an extremely useful complement to the documentation and resources Microsoft provides about its technologies. It puts the technologies into the context of the real world!
Speaking of the real world, what good could these solutions be if they applied only to Windows Server 2008?
Important Most solutions in this resource kit are designed to apply in a real-world, mixed environment consisting of Windows XP SP2 or later, Windows Vista, Windows Server 2003 SP2 or later, and Windows Server 2008.
“Solutions” is what this resource kit is all about. Some solutions are simple. Some are quite complex. Some solutions build upon other solutions. Some stand alone. Many of the solutions consist of guidance—the kind of guidance you’d receive from a consultant, pointing you to best practices and helping you to align technology and business. Other solutions consist of scripts.
The scripts that I’ve provided on the companion media are not like the tools included with previous Windows resource kits. These are not executable utilities that perform one specific task. Most are meta-tools that perform provisioning and automation tasks. They’re designed to teach you how to raise the level of your administrative productivity. To achieve that goal, I’ve written the vast majority of tools as scripts, in VBScript. So you’ll be able to open, read, and customize the scripts! If you’re not familiar with VBScript, you’ll find that most scripts require only very simple configuration changes to work in your environment. If you’re an experienced scripter, you’ll be able to extend the tools to create solutions that are even more powerful and more customized to your requirements.
The scripts, and the solutions, don’t end on the last page of this book. Another marked departure from previous Windows Resource Kits is the community site that I’m creating to support the resource kit: www.intelliem.com/resourcekit. There you’ll find corrections, discussions, revisions, and entirely new solutions provided by the community of IT professionals who read this book.
You’ll find out more about all of this in Solution Collection 1. Let me just finish this by saying “thank you” for all the work you do to support your organization with Windows technologies. I know it’s not always easy—I’m in the trenches, too. I appreciate the time you’ll take to read, interpret, customize, and implement the solutions I’m sharing with you. And I hope you’ll share your knowledge and experience with other readers on the resource kit Web site. We’re in it together, and I look forward to bringing the collective knowledge of the thousands of IT professionals I’ve worked with over the years together to help us do it smarter!
The scripts provided on the companion media have been fully tested against Windows Server 2008. Most are compatible with Windows Server 2003 SP2 or later, Windows XP SP2 or later, and Windows Vista, and where there are known limitations I have made notes in the resource kit text or in the script itself.
Web-Based Content
In addition to the content that is included in the resource kit and on the companion media, additional bonus content is available at http://www.intelliem.com/resourcekit.
Note Underscores the importance of a specific concept, or highlights a special case that might not apply to every situation.
Important Calls attention to essential information that should not be disregarded.
Caution Highlights a problematic issue or a security concern.
Best Practice Delivers advice for strategies and techniques that optimize the efficiency or security of the technology.
Guidance Summarizes a discussion to provide the “bottom line.”
Bold font Used to indicate user input (characters that you type exactly as shown).
Italic font Used to indicate variables for which you need to supply a specific value (for example file_name can refer to any valid file name).
Monospace font Used for code samples and command-line output.
%SystemRoot% Used for environment variables.
Find Additional Content Online
As new or updated material becomes available that complements your book, it will be posted online on the Microsoft Press Online Developer Tools Web site. The type of material you might find includes updates to book content, articles, links to companion content, errata, sample chapters, and more. This Web site will be available soon at www.microsoft.com/learning/books/online/developer and will be updated periodically.
Companion Media
The companion CD is loaded with useful tools and links to help you with your Windows Server 2008 installation. The CD includes:
■ Complete eBook An electronic version of Windows Administration Resource Kit: Productivity Solutions for IT Professionals in PDF format.
■ Scripts More than 75 sample scripts to help you automate system administration tasks.
■ Tools Many links to tools for IIS, PowerShell, System Center Data Operations, and more that you can put to use right away.
■ Product Information Links to information about the features and capabilities of Windows Server 2008 as well as product guides to help you optimize Windows administration in your enterprise.
■ Resources Links to whitepapers, guides, webcasts, newsgroups, and more to help you use and troubleshoot the features of Windows Server 2008.
■ Sample chapters Chapters from 15 Windows Server 2008 books that contain a wealth of information and provide a preview of other recently published titles.
Using the Scripts
The use of each script is documented in the resource kit solution that presents the script. Most scripts are written in Visual Basic Scripting Edition (VBScript), so you can run them from the command prompt by typing cscript script_name.vbs followed by any parameters required by the script. Several scripts are batch files, which you can execute from the command prompt by typing the script’s name and any parameters.
Finally, there are a number of HTML Applications (HTAs), which are scripts with a graphical user interface (GUI). You can run HTAs by double-clicking the HTA. You can also integrate most of the HTAs into the Active Directory Users and Computers snap-in using steps found in Solution 1-3 so that they can extend the functionality of your native administrative tools.