Professional Documents
Culture Documents
Active Directory
Active Directory
-Yes you can connect other vendors Directory Services with Microsofts version.
-Yes, you can use dirXML or LDAP to connect to other directories (ie. E-directory
from Novell or NDS (Novel directory System).
-Yes you can Connect Active Directory to other 3rd -party Directory Services
such as dictonaries used by SAP, Domino etc with the help of MIIS ( Microsoft
Identity Integration Server )
Where is the AD database held? What other folders are related to
AD?
AD Database is saved in %systemroot%/ntds. You can see other files also in this
folder. These are the main files controlling the AD structure
ntds.dit
edb.log
res1.log
res2.log
edb.chk
During the installation of AD, Windows creates two files: res1.log and res2.log.
The initial size of each is 10MB. These files are used to ensure that changes can
be written to disk should the system run out of free disk space. The checkpoint
file (edb.chk) records transactions committed to the AD database (ntds.dit).
During shutdown, a shutdown statement is written to the edb.chk file. Then,
during a reboot, AD determines that all transactions in the edb.log file have
been committed to the AD database. If, for some reason, the edb.chk file
doesnt exist on reboot or the shutdown statement isnt present, AD will use
the edb.log file to update the AD database.
The last file in our list of files to know is the AD database itself, ntds.dit. By
default, the file is located in\NTDS, along with the other files weve discussed
What is the SYSVOL folder?
All active directory data base security related information store in SYSVOL
folder and its only created on NTFS partition.
This is a quote from microsoft themselves, basically the domain controller info
stored in files like your group policy stuff is replicated through this folder
structure
Name the AD NCs and replication issues for each NC
http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
How do you view replication properties for AD partitions and DCs?
The global catalog contains a complete replica of all objects in Active Directory
for its Host domain, and contains a partial replica of all objects in Active
Directory for every other domain in the forest.
C:\>repadmin/showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%
Why not make all DCs in a large forest as GCs?
The reason that all DCs are not GCs to start is that in large (or even Giant)
forests the DCs would all have to hold a reference to every object in the entire
forest which could be quite large and quite a replication burden.
For a few hundred, or a few thousand users even, this not likely to matter unless
you have really poor WAN lines.
Trying to look at the Schema, how can I do that?
adsiedit.exe
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc > add snapin > add Active directory schema
name it as schema.msc
Support Tools are the tools that are used for performing the complicated tasks
easily. These can also be the third party tools. Some of the Support tools include
DebugViewer, DependencyViewer, RegistryMonitor, etc. -edit by Casquehead I
beleive this question is reffering to the Windows Server 2003 Support Tools,
which are included with Microsoft Windows Server 2003 Service Pack 2. They
are also available for download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-
419D-939B-A772EA2DF90&displaylang=en
You need them because you cannot properly manage an Active Directory
network without them.
Here they are, it would do you well to familiarize yourself with all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
ADSIEDIT.DLL
ADSIEDIT.MSC
A:
Enables administrators to manage Active Directory domains and trust
relationships from the command prompt.
REPADMIN doesnt actually fix replication problems for you. But, you can use it
to help determine the source of a malfunction.
What are sites? What are they used for?
The KCC is a built-in process that runs on all domain controllers and generates
replication topology for the Active Directory forest. The KCC creates separate
replication topologies depending on whether replication is occurring within a
site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the
topology to accommodate new domain controllers, domain controllers moved to
and from sites, changing costs and schedules, and domain controllers that are
temporarily unavailable.
What is the ISTG? Who has that role by default?
A NIC
Properly configured TCP/IP (IP address, subnet mask and optional default
gateway)
The Windows 2000 or Windows Server 2003 CD media (or at least the i386
folder)
From the Petri IT Knowledge base. For more info, follow this link:
http://www.petri.co.il/active_directory_installation_requirements.htm
What can you do to promote a server to DC if youre in a remote
location with slow WAN link?
First available in Windows 2003, you will create a copy of the system state from
an existing DC and copy it to the new remote server. Run Dcpromo /adv. You
will be prompted for the location of the system state files
How can you forcibly remove AD from a server, and what do you do
later? Can I get user passwords from the AD database?
Demote the server using dcpromo /forceremoval, then remove the metadata
from Active directory using ndtsutil. There is no way to get user passwords from
AD that I am aware of, but you should still be able to change them.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
c. Type ServerNT in the Value data box, and then click OK.
its a member server now but AD entries are still there. Promote teh server to a
fake domain say ABC.com and then remove gracefully using DCpromo. Else
after restart you can also use ntdsutil to do metadata as told in teh earlier post
What tool would I use to try to grab security related packets from
the wire?
you must use sniffer-detecting tools to help stop the snoops. A good
packet sniffer would be ethereal
www.ethereal.com
Name some OU design considerations ?
The number of days before a deleted object is removed from the directory
services. This assists in removing objects from replicated servers and
preventing restores from reintroducing a deleted object. This value is in the
Directory Service object in the configuration NIC by default 2000 (60 days) 2003
(180 days)
What do you do to install a new Windows 2003 DC in a Windows
2000 AD?
If you plan to install windows 2003 server domain controllers into an existing
windows 2000 domain or upgrade a windows 2000 domain controllers to
windows server 2003, you first need to run the Adprep.exe utility on the
windows 2000 domain controllers currently holding the schema master and
infrastructure master roles. The adprep / forestprer command must first be
issued on the windows 2000 server holding schema master role in the forest
root doman to prepare the existing schema to support windows 2003 active
directory. The adprep /domainprep command must be issued on the sever
holding the infrastructure master role in the domain where 2000 server will be
deployed.
What do you do to install a new Windows 2003 R2 DC in a Windows
2003 AD?
If youre installing R2 on a domain controller (DC), you must first upgrade the
schema to the R2 version (this is a minor change and mostly related to the new
Dfs replication engine). To update the schema, run the Adprep utility, which
youll find in the Cmpnents\r2\adprep folder on the second CD-ROM. Before
running this command, ensure all DCs are running Windows 2003 or Windows
2000 with SP2 (or later)
How would you find all users that have not logged on since last
month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logg
ed_on_since_last_month
What are the DScommands?
When it comes to choosing a scripting tool for Active Directory objects, you
really are spoilt for choice. The the DS family of built-in command line
executables offer alternative strategies to CSVDE, LDIFDE and VBScript.
It has 5 Roles:
Schema Master:
The schema master domain controller controls all updates and modifications to
the schema. Once the Schema update is complete, it is replicated from the
schema master to all other DCs in the directory. To update the schema of a
forest, you must have access to the schema master. There can be only one
schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal
of domains in the forest. This DC is the only one that can add or remove a
domain from the directory. It can also add or remove cross references to
domains in external directories. There can be only one domain naming master
in the whole forest.
Infrastructure Master:
The RID master is responsible for processing RID pool requests from all domain
controllers in a particular domain. When a DC creates a security principal object
such as a user or group, it attaches a unique Security ID (SID) to the object. This
SID consists of a domain SID (the same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID created in a
domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to
assign to the security principals it creates. When a DCs allocated RID pool falls
below a threshold, that DC issues a request for additional RIDs to the domains
RID master. The domain RID master responds to the request by retrieving RIDs
from the domains unallocated RID pool and assigns them to the pool of the
requesting DC. At any one time, there can be only one domain controller acting
as the RID master in the domain.
PDC Emulator:
The PDC emulator of a domain is authoritative for the domain. The PDC
emulator at the root of the forest becomes authoritative for the enterprise, and
should be configured to gather the time from an external source. All PDC FSMO
role holders follow the hierarchy of domains in the selection of their in-bound
time partner.
:: In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:
Editing or creation of Group Policy Objects (GPO) is always done from the GPO
copy found in the PDC Emulators SYSVOL share, unless configured not to do so
by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT
4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or
earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations,
member servers, and domain controllers that are running Windows NT 4.0 or
earlier are all upgraded to Windows 2000/2003. The PDC emulator still performs
the other functions as described in a Windows 2000/2003 environment.
What FSMO placement considerations do you know of?
Certain domain and enterprise-wide operations that are not good for multi-
master updates are performed by a single domain controller in an Active
Directory domain or forest. The domain controllers that are assigned to perform
these unique operations are called operations masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active Directory forest
and the dependent operations that they perform:
Schema master The Schema master role is forest-wide and there is one for
each forest. This role is required to extend the schema of an Active Directory
forest or to run the adprep /domainprep command.
Domain naming master The Domain naming master role is forest-wide and
there is one for each forest. This role is required to add or remove domains or
application partitions to or from a forest.
RID master The RID master role is domain-wide and there is one for each
domain. This role is required to allocate the RID pool so that new or existing
domain controllers can create user accounts, computer accounts or security
groups.
PDC emulator The PDC emulator role is domain-wide and there is one for
each domain. This role is required for the domain controller that sends
database updates to Windows NT backup domain controllers. The domain
controller that owns this role is also targeted by certain administration tools
and updates to user account and computer account passwords.
Infrastructure master The Infrastructure master role is domain-wide and
there is one for each domain. This role is required for domain controllers to
run the adprep /forestprep command successfully and to update SID
attributes and distinguished name attributes for objects that are referenced
across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles
to the first domain controller in the forest root domain. The first domain
controller in each new child or tree domain is assigned the three domain-wide
roles. Domain controllers continue to own FSMO roles until they are reassigned
by using one of the following methods:
An administrator reassigns the role by using a GUI administrative tool.
An administrator reassigns the role by using the ntdsutil /roles command.
An administrator gracefully demotes a role-holding domain controller by
using the Active Directory Installation Wizard. This wizard reassigns any
locally-held roles to an existing domain controller in the forest. Demotions
that are performed by using the dcpromo /forceremoval command leave
FSMO roles in an invalid state until they are reassigned by an administrator.
A domain controller whose FSMO roles have been seized should not be
permitted to communicate with existing domain controllers in the forest. In this
scenario, you should either format the hard disk and reinstall the operating
system on such domain controllers or forcibly demote such domain controllers
on a private network and then remove their metadata on a surviving domain
controller in the forest by using the ntdsutil /metadata cleanup command.
The risk of introducing a former FSMO role holder whose role has been seized
into the forest is that the original role holder may continue to operate as before
until it inbound-replicates knowledge of the role seizure. Known risks of two
domain controllers owning the same FSMO roles include creating security
principals that have overlapping RID pools, and other problems.
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based
member computer or domain controller that is located in the forest where
FSMO roles are being transferred. We recommend that you log on to the
domain controller that you are assigning FSMO roles to. The logged-on user
should be a member of the Enterprise Administrators group to transfer
Schema master or Domain naming master roles, or a member of the Domain
Administrators group of the domain where the PDC emulator, RID master and
the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.Note To see a list of available commands at
any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER,
where servername is the name of the domain controller you want to assign
the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of
roles that you can transfer, type ? at the fsmo maintenance prompt, and
then press ENTER, or see the list of roles at the start of this article. For
example, to transfer the RID master role, type transfer rid master. The one
exception is for the PDC emulator role, whose syntax is transfer pdc, not
transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain
access to the ntdsutil prompt. Type q, and then press ENTER to quit the
Ntdsutil utility.
Seize FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow these steps:
1. Log on to a Windows 2000 Server-based or Windows Server 2003-based
member computer or domain controller that is located in the forest where
FSMO roles are being seized. We recommend that you log on to the domain
controller that you are assigning FSMO roles to. The logged-on user should be
a member of the Enterprise Administrators group to transfer schema or
domain naming master roles, or a member of the Domain Administrators
group of the domain where the PDC emulator, RID master and the
Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER,
where servername is the name of the domain controller that you want to
assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles
that you can seize, type ? at the fsmo maintenance prompt, and then press
ENTER, or see the list of roles at the start of this article. For example, to seize
the RID master role, type seize rid master. The one exception is for the PDC
emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain
access to the ntdsutil prompt. Type q, and then press ENTER to quit the
Ntdsutil utility.Notes
o Under typical conditions, all five roles must be assigned to live
domain controllers in the forest. If a domain controller that owns a
FSMO role is taken out of service before its roles are transferred, you
must seize all roles to an appropriate and healthy domain controller.
We recommend that you only seize all roles when the other domain
controller is not returning to the domain. If it is possible, fix the broken
domain controller that is assigned the FSMO roles. You should
determine which roles are to be on which remaining domain controllers
so that all five roles are assigned to a single domain controller. For
more information about FSMO role placement, click the following article
number to view the article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and
optimization on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present
in the domain and if it has had its roles seized by using the steps in
this article, remove it from the Active Directory by following the
procedure that is outlined in the following Microsoft Knowledge Base
article: 216498 (http://support.microsoft.com/kb/216498/ ) How to
remove data in active directory after an unsuccessful domain controller
demotion
o Removing domain controller metadata with the Windows 2000 version
or the Windows Server 2003 build 3790 version of the ntdsutil
/metadata cleanup command does not relocate FSMO roles that are
assigned to live domain controllers. The Windows Server 2003 Service
Pack 1 (SP1) version of the Ntdsutil utility automates this task and
removes additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO
role-holders in case the role has been reassigned since the backup was
made.
o Do not put the Infrastructure master role on the same domain
controller as the global catalog server. If the Infrastructure master runs
on a global catalog server it stops updating object information because
it does not contain any references to objects that it does not hold. This
is because a global catalog server holds a partial replica of every
object in the forest.
To ensure a good backup includes at least the system state data and contents of
the system disk, you must be aware of the tombstone lifetime. By default, the
tombstone is 60 days. Any backup older than 60 days is not a good backup. Plan
to backup at least two domain controllers in each domain, one of at least one
backup to enable an authoritative restore of the data when necessary.
Active Directory system state data does not contain Active Directory unless the
server, on which you are backing up the system state data, is a domain
controller. Active Directory is present only on domain controllers.
The SYSVOL shared folder: This shared folder contains Group policy
templates and logon scripts. The SYSVOL shared folder is present only on
domain controllers.
System startup files: Windows Server 2003 requires these files during its
initial startup phase. They include the boot and system files that are under
windows file protection and used by windows to load, configure, and run the
operating system.
In Windows Server 2003 family, you can restore the Active Directory database if
it becomes corrupted or is destroyed because of hardware or software failures.
You must restore the Active Directory database when objects in Active Directory
are changed or deleted.
Primary restore: This method rebuilds the first domain controller in a domain
when there is no other way to rebuild the domain. Perform a primary restore
only when all the domain controllers in the domain are lost, and you want to
rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on local
computer, or user should have been delegated with this responsibility to
perform restore. On a domain controller only Domain Admins can perform this
restore.
Normal restore: This method reinstates the Active Directory data to the state
before the backup, and then updates the data through the normal replication
process. Perform a normal restore for a single domain controller to a previously
known good state.
Authoritative restore: You perform this method in tandem with a normal restore.
An authoritative restore marks specific data as current and prevents the
replication from overwriting that data. The authoritative data is then replicated
through the domain.
Perform an authoritative restore individual object in a domain that has multiple
domain controllers. When you perform an authoritative restore, you lose all
changes to the restore object that occurred after the backup. Ntdsutil is a
command line utility to perform an authoritative restore along with windows
server 2003 system utilities. The Ntdsutil command-line tool is an executable
file that you use to mark Active Directory objects as authoritative so that they
receive a higher version recently changed data on other domain controllers
does not overwrite system state data during replication.
How do you restore AD?
In Windows Server 2003 family, you can restore the Active Directory database if
it becomes corrupted or is destroyed because of hardware or software failures.
You must restore the Active Directory database when objects in Active Directory
are changed or deleted.
METHOD
A.
You cant restore Active Directory (AD) to a domain controller (DC) while the
Directory Service (DS) is running. To restore AD, perform the following steps.
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in normal mode to
use the restored information. The computer might hang after the restore
completes; Sometimes it takes a 30-minute wait on some machines.
How do you change the DS Restore admin password?
The Administrator password that you use when you start Recovery Console or
when you press F8 to start Directory Service Restore Mode is stored in the
registry-based Security Accounts Manager (SAM) on the local computer. The
SAM is located in the\System32\Config folder. The SAM-based account and
password are computer specific and they are not replicated to other domain
controllers in the domain.
Use the Local User and Groups snap-in (Lusrmgr.msc) to change the
Administrator password. 6. Shut down and restart the computer. You can now
use the Administrator account to log on to Recovery Console or Directory
Services Restore Mode using the new password.
Why cant you restore a DC that was backed up 4 months ago?
Group Policy gives you administrative control over users and computers in your
network. By using Group Policy, you can define the state of a users work
environment once, and then rely on Windows Server 2003 to continually force
the Group Policy settings that you apply across an entire organization or to
specific groups of users and computers.
Group Policy Advantages
You can assign group policy in domains, sites and organizational units.
All users and computers get reflected by group policy settings in domain, site
and organizational unit.
No one in network has rights to change the settings of Group policy; by default
only administrator has full privilege to change, so it is very secure.
Policy settings can be removed and can further rewrite the changes.
Where GPOs store Group Policy Information
Group Policy objects store their Group Policy information in two locations:
Group Policy Container: The GPC is an Active Directory object that contains GPO
status, version information, WMI filter information, and a list of components that
have settings in the GPO. Computers can access the GPC to locate Group Policy
templates, and domain controller does not have the most recent version of the
GPO, replication occurs to obtain the latest version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared SYSVOL
folder on a domain controller. When you create GPO, Windows Server 2003
creates the corresponding GPT which contains all Group Policy settings and
information, including administrative templates, security, software installation,
scripts, and folder redirection settings. Computers connect to the SYSVOL folder
to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID) of the GPO
that you created. It is identical to the GUID that Active Directory uses to identify
the GPO in the GPC. The path to the GPT on a domain controller is
systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of domain controller,
especially because the GPO data resides in SYSVOL folder and the Active
Directory. Active Directory uses two independent replication techniques to
replicate GPO data among all domain controllers in the domain. If two
administrators changes can overwrite those made by other administrator,
depends on the replication latency. By default the Group Policy Management
console uses the PDC Emulator so that all administrators can work on the same
domain controller.
WMI Filter
WMI filters is use to get the current scope of GPOs based on attributes of the
user or computer. In this way, you can increase the GPOs filtering capabilities
beyond the security group filtering mechanisms that were previously available.
Linking can be done with WMI filter to a GPO. When you apply a GPO to the
destination computer, Active Directory evaluates the filter on the destination
computer. A WMI filter has few queries that active Directory evaluates in place
of WMI repository of the destination computer. If the set of queries is false,
Active Directory does not apply the GPO. If set of queries are true, Active
Directory applies the GPO. You write the query by using the WMI Query
Language (WQL); this language is similar to querying SQL for WMI repository.
Also consider how you will implement Group Policy for the organization. Be sure
to consider the delegation of authority, separation of administrative duties,
central versus decentralized administration, and design flexibility so that your
plan will provide for ease of use as well as administration.
Planning GPOs
Create GPOs in way that provides for the simplest and most manageable design
one in which you can use inheritance and multiple links.
1:- Local Group Policy object-each computer has exactly one Group Policy object
that is stored locally. This processes for both computer and user Group Policy
processing.
2:- Site-Any GPOs that have been linked to the site that the computer belongs to
are processed next. Processing is in the order that is specified by the
administrator, on the Linked Group Policy Objects tab for the site in Group Policy
Management Console (GPMC). The GPO with the lowest link order is processed
last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the organizational unit that is
highest in the Active Directory hierarchy are processed first, then GPOs that are
linked to its child organizational unit, and so on. Finally, the GPOs that are linked
to the organizational unit that contains the user or computer are processed.
At the level of each organizational unit in the Active Directory hierarchy, one,
many, or no GPOs can be linked. If several GPOs are linked to an organizational
unit, their processing is in the order that is specified by the administrator, on
the Linked Group Policy Objects tab for the organizational unit in GPMC. The
GPO with the lowest link order is processed last, and therefore has the highest
precedence.
This order means that the local GPO is processed first, and GPOs that are linked
to the organizational unit of which the computer or user is a direct member are
processed last, which overwrites settings in the earlier GPOs if there are
conflicts. (If there are no conflicts, then the earlier and later settings are merely
aggregated.)
Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC) years ago,
which is an amazing innovation in Group Policy management. The tool provides
control over Group Policy in the following manner:
Easy administration of all GPOs across the entire Active Directory Forest
View of all GPOs in one single list
Reporting of GPO settings, security, filters, delegation, etc.
Control of GPO inheritance with Block Inheritance, Enforce, and Security
Filtering
Delegation model
Backup and restore of GPOs
Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the GPMC alone.
Granted, the GPMC is needed and should be used by everyone for what it is
ideal for. However, it does fall a bit short when you want to protect the GPOs
from the following:
Role based delegation of GPO management
Being edited in production, potentially causing damage to desktops and
servers
Forgetting to back up a GPO after it has been modified
Change management of each modification to every GPO
How can you determine what GPO was and was not applied for a
user? Name a few ways to do that.
Simply use the Group Policy Management Console created by MS for that very
purpose, allows you to run simulated policies on computers or users to
determine what policies are enforced. Link in sources
What are administrative templates?
Assign Users
The software application is advertised when the user logs on. It is installed when
the user clicks on the software application icon via the start menu, or accesses
a file that has been associated with the software application.
Assign Computers
The software application is advertised and installed when it is safe to do so,
such as when the computer is next restarted.
Publish to users
The software application does not appear on the start menu or desktop. This
means the user may not know that the software is available. The software
application is made available via the Add/Remove Programs option in control
panel, or by clicking on a file that has been associated with the application.
Published applications do not reinstall themselves in the event of accidental
deletion, and it is not possible to publish to computers.
Can I deploy non-MSI software with GPO?
http://support.microsoft.com/kb/257718/
You want to standardize the desktop environments (wallpaper, My
Documents, Start menu, printers etc.) on the computers in one
department. How would you do that?
Login on client as Domain Admin user change whatever you need add printers
etc go to system-User profiles copy this user profile to any location by select
Everyone in permitted to use after copy change ntuser.dat to ntuser.man and
assgin this path under user profile