book

Windows Administration Resource Kit: Productivity Solutions for IT Professionals

Name: Windows Administration Resource Kit: Productivity Solutions for IT Professionals
Author: Dan Holme
ISBN: 9780735624313

by Dan Holme

February 2008

Intermediate to advanced

752 pages

24h 5m

English

Microsoft Press

Read now

Unlock full access

Windows® Administration Resource Kit: Productivity Solutions for IT Professionals
Acknowledgments
Introduction
Document ConventionsReader AidsCommand-Line Examples
System Requirements
Web-Based Content
Find Additional Content Online
Companion Media
Using the Scripts
Resource Kit Support Policy
1. Solution Collection 1: Role-Based Management
Scenarios, Pain, and SolutionThe 80/20 ruleScripts and tools on the companion mediaMicrosoft and third-party toolsThe Windows Administration Resource Kit online communityEnough, already!

1-1: Enumerate a User's (or Computer's) Group Memberships
Solution overviewIntroductionActive Directory Users and ComputersDS commandsCreating a batch scriptEnumerating group membership with VBScriptUnderstanding ADObject_MemberOf_Enum.vbsUsing ADObject_MemberOf_Enum.vbsWhy VBScript?Next stepsFor more informationSolution summary
1-2: Create a GUI Tool to Enumerate Group Memberships
Solution overviewIntroductionHTML ApplicationsCreate an HTAWrite the functional code firstCreating a user interface: the HTMLCreating a user interface: inputsWiring up eventsCreating a user interface: outputThe final HTAFor more informationSolution summary
1-3: Extend Active Directory Users and Computers to Enumerate Group Memberships
Solution overviewIntroductionArguments and HTAsUsing the MemberOf_Report.htaIntegrating a custom HTA with an MMC snap-in using tasksSaving the HTA to an accessible locationCreating a taskpad and shell task to launch the HTAUsing the HTARemoving a task or taskpadFor more informationIntegrating a custom HTA with an MMC snap-in using display specifiersUsing AdminContextMenu.htaRemoving a custom commandDisplay specifiers, delegation, and the forestManaging changes to the context menuFor more informationTasks or display specifiersSolution summary
1-4: Understand Role-Based Management
Solution overviewIntroductionRole groupsThe problem with having only role groupsCapability management groupsThe problem with having only capability management groupsRole groups are nested into capability management groupsOther nestingData, business logic, and presentationThird-party toolsSolution summary
1-5: Implement Role-Based Access Control
Solution overviewIntroductionRole groupsGroup naming conventionsRole groups summaryRole groups in our RBAC scenarioCapability management groupsGroup naming conventionCapability management groups summaryCapability management groups in our RBAC scenarioRepresenting business requirementsImplementing capabilitiesAutomating and provisioningSolution summary
1-6: Reporting and Auditing RBAC and Role-Based Management
Solution overviewIntroductionMy MembershipsUsing My MembershipsUnderstanding and customizing My MembershipsAccess ReportUsing Access ReportUnderstanding and customizing Access ReportAuditing internal compliance of your role-based access controlUsing Folder ACL Report.vbsNext steps for Folder ACL Report.vbsSolution summary
1-7: Getting to Role-Based Management
Solution overviewIntroductionA review of role-based managementReliance on groups and group management"Scars" from group management days of yoreDiscussing and selling role-based management"Won't there be a lot of groups?"The road to role-based managementAnalyze your environmentDefine your naming convention and processesEncourage or mandate disciplineCreate a transition planToken sizeIncrease MaxTokenSizeConsider implementing groups as global (or universal) instead of domain localClean up your sIDHistory attributesSolution summary
2. Solution Collection 2: Managing Files, Folders, and Shares
Scenarios, Pain, and Solution
2-1: Work Effectively with the ACL Editor User Interfaces
Solution overviewIntroductionThe ACL editorThe Security tab of the Properties dialog boxThe Permissions tab of the Advanced Security Settings dialog boxThe Permission Entry dialog boxEvaluating effective permissionsSolution summary
2-2: Manage Folder Structure
Solution overviewIntroductionCreate a folder structure that is wide rather than deepA quick review of inheritance fundamentalsManaging inheritanceThe impact of inheritance on folder hierarchyUse DFS namespaces to present shared folders in a logical hierarchySolution summary
2-3: Manage Access to Root Data Folders
Solution overviewIntroductionCreate one or more consistent root data folders on each file serverUse Group Policy to manage and enforce ACLs on root data foldersSolution summary
2-4: Delegate the Management of Shared Folders
Solution overviewIntroductionDedicate servers that perform a file server roleManage the delegation of administration of shared foldersSolution summary
2-5: Determine Which Folders Should Be Shared
Solution overviewIntroductionDetermine which folders should be sharedPresentation of information to usersManagement of SMB settingsSolution summary
2-6: Implement Folder Access Permissions Based on Required Capabilities
Solution overviewIntroductionImplement a Read capabilityImplement a Browse To capabilityImplement an Edit capabilityImplement a Contribute capabilityImplement a Drop capabilityImplementing a Support capabilityCreate scripts to apply permissions consistentlyManage folder access capabilities using role-based access controlSolution summary
2-7: Understand Shared Folder Permissions (SMB Permissions)
Solution overviewIntroductionScripting SMB permissions on local and remote systemsSolution summary
2-8: Script the Creation of an SMB Share
Solution overviewIntroductionUsing Share_Create.vbsCustomizing Share_Create.vbsUnderstanding Share_Create.vbsSolution summary
2-9: Provision the Creation of a Shared Folder
Solution overviewIntroductionUsing Folder_Provision.htaBasic customization of Folder_Provision.htaCustomizing the behavior of option defaultsCustomizing the list of serversUnderstanding the code behind Folder_Provision.hta and advanced customizationApplication displayForm controlsFolder provisioningSolution summary
2-10: Avoid the ACL Inheritance Propagation Danger of File and Folder Movement
Solution overviewIntroductionSee the bug-like feature in actionWhat in the world is going on?Solving the problemChange the culture, change the configurationSolution summary
2-11: Preventing Users from Changing Permissions on Their Own Files
Solution overviewIntroductionWhat about object lockout?Solution summary
2-12: Prevent Users from Seeing What They Cannot Access
Solution overviewIntroductionOne perspective: Don't worry about itA second perspective: Manage your foldersA third perspective and a solution: Access-based EnumerationSolution summary
2-13: Determine Who Has a File Open
Solution overviewIntroductionUsing FileServer_OpenFile.vbsUnderstanding FileServer_OpenFile.vbsSolution summary
2-14: Send Messages to Users
Solution overviewIntroductionUsing Message_Notification.vbsUnderstanding Message_Notification.vbsUsing PSExec to execute a script on a remote machineListing the open sessions on a serverUsing and customizing FileServer_NotifyConnectedUsers.vbsSolution summary
2-15: Distribute Files Across Servers
Solution overviewIntroductionUsing Robocopy to distribute filesUsing DFS Replication to distribute filesSolution summary
2-16: Use Quotas to Manage Storage
Solution overviewIntroductionWhat's new in quota managementQuota templatesApply a quota to a folderSolution summary
2-17: Reduce Help Desk Calls to Recover Deleted or Overwritten Files
Solution overviewIntroductionEnabling shadow copiesUnderstanding and configuring shadow copiesAccessing previous versionsSolution summary
2-18: Create an Effective, Delegated DFS Namespace
Solution overviewIntroductionCreating DFS namespacesDelegating DFS namespacesLinking DFS namespacesPresenting DFS namespaces to usersSolution summary
3. Solution Collection 3: Managing User Data and Settings
Scenarios, Pain, and Solution
3-1: Define Requirements for a User Data and Settings Framework
Solution overviewIntroductionUnderstand the business requirements definition exerciseDefine the high-level business requirementsAvailability and mobilityResiliencySecurityDetermine key design decision that is derived from high-level business requirementsUser data and settings must be stored on the networkDefine requirements derived from key design decisionsSecurity: The UDS framework will comply with the enterprise information security and information technology policies regarding network storage of files.Mobility: Users who work while disconnected (for example, laptop users) will be able to access their files using the same namespace, whether they are connected or disconnected.Availability: Performance shall be sufficient to meet business requirements.Solution summary
3-2: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part I)
Solution overviewIntroductionUnderstand UDS optionsData and settingsWindows user data and settings storesNetwork and local storesPrimary data storesSynchronization of data storesPresentation (or namespace)Network and DFS NamespacesAlign user data and settings options with requirements and scenariosValidate the outcome for desktop, roaming, relocated, and traveling usersSolution summary
3-3: Create, Secure, Manage, and Provision Server-Side User Data Stores
Solution overviewIntroductionCreate the user data store root folderApply least privilege permissions for the user data store root folderProvision the permissions of a user data store root folder with UDS_DataRoot_ACL.batAlign physical namespace with management requirements such as quotasManage quotas collectively for the Desktop and Documents foldersCreate quota templates that give you wiggle roomAutoapply quota templatesDo not configure quotas for roaming profile storesUnderstand the problem with placement of profiles and other data storesSolution #1: Separate physical namespaces for different classes of data storesSolution #2: Manage individual data stores rather than data store classesMy recommendationProvision the creation of data storesUse the UDS_UserFolders_Provision.vbs scriptConfigure file screensSolution summary
3-4: Create the SMB and DFS Namespaces for User Data Stores
Solution overviewIntroductionCreate the SMB namespace for user data and settings storesUnderstand the undesirable interaction between roaming profiles and offline filesDesign an SMB namespace that avoids the cached copy of the roaming profile problemProvision the creation of SMB shares for a user data store rootUnderstand how a separate SMB namespace for profiles can prevent the cached copy of the roaming profile problemDesign the logical view of user data and settings stores with DFS NamespacesCreate a fully enumerated DFS namespace for user data and settings stores (DFS Design Option 1)Create a DFS namespace that redirects to each SMB namespace for the user data store root share (DFS Design Option 2)Compare DFS design optionsBuild a DFS namespace to support thousands of usersUnderstand the impact of data movement and namespace changesConsider the impact of %username% changesBuild an abstract DFS namespace for user data and settings (no site-based namespace, preferably no human names)Automate and provision the creation of user data stores and DFS namespacesCustomize UDS_UserFolders_Provision_DFS.vbsSolution summary
3-5: Design and Implement Folder Redirection
Solution overviewIntroductionUnderstand the role of folder redirectionWhat are the key benefits of folder redirection?What's new in Windows Vista folder redirection?What is the downside of folder redirection?Configure folder redirection policiesConfigure folder redirection targetsBasic – Redirect everyone's folder to the same locationFollow the Documents folderAdvanced—Specify locations for various user groupsNot ConfiguredConfigure folder redirection settingsGrant the user exclusive rights to [folder]Move the contents of [folder] to the new locationPolicy removal settingsSupport redirection for users on both Windows XP and Windows VistaAlso apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systemsSide effects of the "Also apply to Windows XP" policyPictures, Music, and Videos redirection policiesRedirect without Group Policy: Favorites, Music, Pictures, and VideosQuirks and bugsAdvantages of redirection with the registryDisadvantages of redirection with the registryRecommendationGet rid of the My Music and My Pictures subfoldersGive users a way to browse to the foldersAchieve a unified redirected folder environment for Windows XP and Windows VistaProvision the creation of all user data storesConfigure folder redirection for Windows XP Favorites, Pictures, Music, and Videos using Group PolicySolution summary
3-6: Configure Offline Files
Solution overviewIntroductionUnderstand the cacheUnderstand cachingUnderstand synchronizationUnderstand offline modeLeverage offline files for the UDS frameworkAllow redirected folders to be automatically made available offlineRecognize that folders redirected using the registry are not automatically cachedAdministratively assign ("push") specific files or folders to be available offlinePlan for a long initial synchronization when large folders are made available offlineRecognize that when folders are made available offline, they are synchronized to every machine to which the user logs onDetermine that you don't want redirected folders to be automatically made available offline for every machineIdentify where you do want redirected folders to be available offlineManage offline files to that specificationDisable offline files on all systems other than user laptopsDisable the automatic caching of redirected folders for systems other than laptopsThrow in the towel: Manually cache redirected foldersPrevent Windows XP from synchronizing all files at logoffEliminate unnecessary error messages from blocked file typesProvide Windows XP users a way to force themselves offlineManage offline files notificationsRemember cached files when sources are movedPut offline files to useDesign thoroughlyCommunicate and train effectivelyRemember that the Offline Files feature is not for all filesSolution summary
3-7: Design and Implement Roaming Profiles
Solution overviewIntroductionAnalyze the structure of the Windows Vista user profileReview the components that create the user profileDefault user profileShell foldersRoaming profile synchronizationPublic profileProfile generation, summarizedConfigure the folders that will not roamConfigure roaming profilesRecognize the "V2" of Windows Vista roaming profilesUnify the experience of Windows XP and Windows Vista usersWork through the FOLKLORE of roaming profilesIdentify the benefit of roaming profilesManage the Application Data (AppData\Roaming) folderSolution summary
3-8: Manage User Data That Should Not Be Stored on Servers
Solution overviewIntroductionIdentify the types of data you want to manage as local onlyDesign a local-only data folder structureMedia folders as local onlyNonmedia personal filesImplement local-only file foldersEnsure that applications will find relocated media foldersRedirect Windows XP media folders that you are treating as local onlyProvide a way for users to find relocated foldersCommunicate to users and train them regarding local-only dataSolution summary
3-9: Manage User Data That Should Be Accessed Locally
Solution overviewIntroductionDetermine the name for a local files folderOption 1: Use a roaming profile folderOption 2: Leverage offline files (Windows Vista only)Option 3: Create a local folder that is backed up to a network storeCreate the local folderExclude the folder from roamingDetermine a backup or synchronization strategy and toolsCreate visible navigation and access points in the user interfaceSolution summary
3-10: Back Up Local Data Stores for Availability, Mobility, and Resiliency
Solution overviewIntroductionDefine the goals of a synchronization solutionUtilize Robocopy as a backup engineLeverage Folder_Synch.vbs as a wrapper for RobocopyDeploy Folder_Synch.vbs and RobocopoyDetermine how and when to run Folder_Synch.vbs for each local storeLaunch Folder_Synch.vbs manuallyEnable users to right-click a folder and back it up using a shell commandCompare manual options for Folder_Synch.vbsRun Folder_Synch.vbs automaticallyRun Folder_Synch.vbs as a scheduled taskRun Folder_Synch.vbs as a logon, logoff, startup, or shutdown scriptLog and monitor synchronizationSolution summary
3-11: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part II)
Solution overviewIntroductionRecognize the crux of the challengeIdentify the desired classes of data storesAnalyze and classify your user data stores and dataPhase I: Analyze how to manage your user data storesPhase II: Classify dataSolution summary
4. Solution Collection 4: Implementing Document Management and Collaboration with SharePoint
Scenarios, Pain, and Solution
4-1: Create and Configure a Document Library
Solution overviewIntroductionCreate a siteCreate a document libraryConfigure document library settingsConfigure the document library titleEnable or disable folders within the document libraryChange the default template for the libraryConfigure security for a document libraryManage permissions for a document library, folder, or documentAssign permissions to SharePoint or Active Directory groupsSolution summary
4-2: Manage Document Metadata Using Library and Site Columns
Solution overviewIntroductionCreate a columnWork with custom columns from Microsoft Office clientsCreate a new document from the document library with Office clientsSave a document to a library with custom columns from Microsoft Office clientsWork with document properties from the SharePoint Web interfaceUpload a document with custom columnsView document propertiesUse SharePoint's edit menuEdit document propertiesModify or delete library columnsReorder columnsManage site columnsCreate site columnsUse a site column in a list or libraryModify and delete site columnsSolution summary
4-3: Implement Managed Content Types
Solution overviewIntroductionCreate a content typeAdd one or more content types to a list or libraryUnderstand child site and list content typesProtect a content type by making it read-onlyDo not change default SharePoint content typesSolution summary
4-4: Configure Multiple Templates for a Document Library
Solution overviewIntroductionCreate a central library for templatesConfigure a content type for a templateConfigure a library to support the content typesSolution summary
4-5: Add, Save, and Upload Documents to a Document Library
Solution overviewIntroductionCreate a new document with the New commandUpload documents with the Upload commandsUpload one documentUpload multiple documentsUpload specific content typesAdd documents to document libraries with Windows ExplorerSave to a document library from a SharePoint-compatible applicationE-mail–enable a document librarySolution summary
4-6: Create Shortcuts to Document Libraries for End Users
Solution overviewIntroductionCreate Network Places (Windows XP)Create Network Locations (Vista)Solution summary
4-7: Quarantine and Manage Uploads to a Document Library with Multiple Content Types
Solution overviewIntroductionSolution summary
4-8: Work with Documents in a Document Library
Solution overviewIntroductionView a document in a document libraryEdit a document in a document libraryOpen a document with Office 2007 clients installedSolution summary
4-9: Monitor Changes to Libraries or Documents with Alerts and RSS
Solution overviewIntroductionSubscribe to e-mail alerts for a library or documentMonitor library activity using RSSSolution summary
4-10: Control Document Editing with Check Out
Solution overviewIntroductionRequire document checkoutCheck out a documentUsing the document libraryUsing Office applicationsUnderstand the user experience while a document is checked outManage document check inSave changes to a checked-out documentCheck in the documentCheck in the document but keep it checked outCheck in without saving changesDiscard check outSolution summary
4-11: Implement and Maintain Document Version History
Solution overviewIntroductionConfigure version historyManage the creation of major and minor versionsManage document versionsCompare document versionsSolution summary
4-12: Implement Content Approval
Solution overviewIntroductionConfigure content approvalUnderstand the interaction of content approval, versioning, and checkoutSolution summary
4-13: Implement a Three-State Workflow
Solution overviewIntroductionConfigure the choice field for the stateConfigure the three-state workflowLaunch and manage workflowsSolution summary
4-14: Organize and Manage Documents with Folders and Views
Solution overviewIntroductionUse folders to scope document managementUse views to scope the presentation and management of documentsSolution summary
4-15: Configure WSS Indexing of PDF Files
Solution overviewIntroductionDisable search within a libraryEnable indexing of PDFsInstall the PDF iFilterRebuild the indexAssign an icon to unrecognized file typesSolution summary
4-16: Work with SharePoint Files Offline
Solution overviewIntroductionDownload a copy of a fileProvide offline access to files using the local cacheUse Outlook 2007 to take libraries and lists offlineOther options for offline use of SharePoint document librariesSolution summary
5. Solution Collection 5: Active Directory Delegation and Administrative Lock Down
Scenarios, Pain, and Solution
5-1: Explore the Components and Tools of Active Directory Delegation
Solution overviewIntroductionUse Active Directory object ACLs and ACL editor interfacesManage access control entries on Active Directory objectsAdhere to the golden rules of delegationConfigure permissions on OUs, not on individual objectsAssign permissions to groups, not usersManage delegation with Allow permissions and inheritanceDocument your delegationApply permissions with a friend: The Delegation Of Control WizardManage the presentation of your delegationSolution summary
5-2: Customize the Delegation Of Control Wizard
Solution overviewIntroductionLocate and understand Delegwiz.infCustomize Delegwiz.infUse Microsoft's super-duper Delegwiz.infSolution summary
5-3: Customize the Permissions Listed in the ACL Editor Interfaces
Solution overviewIntroductionRecognize that some permissions are hiddenModify Dssec.datEnsure the visibility of permissions that you are delegatingSolution summary
5-4: Evaluate, Report, and Revoke Active Directory Permissions
Solution overviewIntroductionUse Dsacls to report Active Directory permissionsUse ACLDiag to report Active Directory permissionsUse ADFind to report Active Directory permissionsUse DSRevoke to report Active Directory permissionsEvaluate permissions assigned to a specific user or groupRevoke Active Directory permissions with DSRevokeRevoke Active Directory permissions with DsaclsReset permissions to Schema defaultsSolution summary
5-5: Assign and Revoke Permissions with Dsacls
Solution overviewIntroductionIdentify the basic syntax of DsaclsDelegate permissions to manage computer objectsGrant permissions to manage other common object classesUse Dsacls to delegate other common tasksUnlock user accountsForce users to change passwords at the next logonReset user passwordsDisable user accountsChange the logon names for a user accountChange user propertiesDelegate with property setsManage group membershipJoin computers to the domainPrestage a computer accountDisable and enable computer accountsRename computersReset computer accountsManage group propertiesLink GPOs to an OURun resultant set of policy reportsDelegate the ability to move objectsDelegate the ability to delegateTightly control the delegation of OUsSolution summary
5-6: Define Your Administrative Model
Solution overviewIntroductionDefine the tasks that are performedDefine the distinct scopes of each taskBundle tasks within a scopeIdentify the rules that currently perform task bundlesSolution summary
5-7: Role-Based Management of Active Directory Delegation
Solution overviewIntroductionIdentify the pain points of an unmanaged delegation modelCreate capability management groups to manage delegationAssign permissions to capability management groupsDelegate control by adding roles to capability management groupsCreate granular capability management groupsReport permissions in a role-based delegationUse Delegation_Report.htaSolution summary
5-8: Scripting the Delegation of Active Directory
Solution overviewIntroductionRecognize the need for scripted delegationScript delegation with DsaclsSolution summary
5-9: Delegating Administration and Support of Computers
Solution overviewIntroductionDefine scopes of computersCreate capability management groups to represent administrative scopesImplement the delegation of local administrationManage the scope of delegationGet the Domain Admins group out of the local Administrators groupsSolution summary
5-10: Empty as Many of the Built-in Groups as Possible
Solution overviewIntroductionDelegate control to custom groupsIdentify protected groupsDon't bother trying to un-delegate the built-in groupsSolution summary
6. Solution Collection 6: Improving the Management and Administration of Computers
Scenarios, Pain, and Solution
6-1: Implement Best Practices for Managing Computers in Active Directory
Solution overviewIntroductionEstablish naming standards for computersIdentify requirements for joining a computer to the domainDesign Active Directory to delegate the management of computer objectsDelegate permissions to create computers in the domainCreate a computer object in Active DirectoryDelegate permissions to join computers using existing computer objectsJoin a computer to the domainEnsure correct logon after joining the domainSolution summary
6-2: Control the Addition of Unmanaged Computers to the Domain
Solution overviewIntroductionConfigure the default computer containerRestrict the quota that allows any user to join computers to the domainSolution summary
6-3: Provision Computers
Solution overviewIntroductionUse Computer_JoinDomain.htaProvision computer accounts with Computer_JoinDomain.htaCreate an account and join the domain with Computer_JoinDomain.htaUnderstand Computer_JoinDomain.htaDistribute Computer_JoinDomain.htaSolution summary
6-4: Manage Computer Roles and Capabilities
Solution overviewIntroductionAutomate the management of desktop and laptop groupsDetermine how to identify desktops and laptopsDecide how to monitor Active Directory for the addition of new computer objectsUpdate the membership of the Desktops and Laptops groupsCustomize and use Computer_DesktopsLaptops.vbsDeploy software with computer groupsIdentify and manage other computer roles and capabilitiesSolution summary
6-5: Reset and Reassign Computers
Solution overviewIntroductionRejoin a domain without destroying a computer's group membershipsReplace a computer correctly by resetting and renaming the computer objectUse Computer_Rename.htaReplace a computer by copying group memberships and attributesSolution summary
6-6: Establish the Relationship Between Users and Their Computers with Built-in Properties
Solution overviewIntroductionUse the managedBy attribute to track asset assignment of a computer to a single user or groupUse the manager attribute to track asset assignment of computers to a userSolution summary
6-7: Track Computer-to-User Assignments by Extending the Schema
Solution overviewIntroductionUnderstand the impact of extending the schemaPlan the ComputerAssignedTo attribute and ComputerInfo object classObtain an OIDRegister the Active Directory schema snap-inMake sure you have permission to change the schemaConnect to the schema masterCreate the ComputerAssignedTo attributeCreate the ComputerInfo object classAssociate the ComputerInfo object class with the Computer object classGive the ComputerAssignedTo attribute a friendly display nameAllow the changes to replicateDelegate permission to modify the attributeIntegrate the Computer_AssignTo.hta tool with Active Directory Users and ComputersCustomize Comptuer_AssignTo.htaCreate a task for computer assignmentAdd computer assignments to the context menuAdd other attributes to computer objectsSolution summary
6-8: Establish Self-Reporting of Computer Information
Solution overviewIntroductionDetermine the information you wish you hadDecide where you want the information to appearReport computer information with Computer_InfoToDescription.vbsUnderstand Computer_InfoToDescription.vbsExpose the report attributes in the Active Directory Users and Computers snap-inDelegate permissions for computer information reportingAutomate computer information reporting with startup and logon scripts or scheduled tasksTake it to the next levelSolution summary
6-9: Integrate Computer Support Tools into Active Directory Users and Computers
Solution overviewIntroductionAdd a "Connect with Remote Desktop" commandAdd an "Open Command Prompt" commandExecute any command remotely on any systemUse Remote_Command.hta to create specific command tasks for remote administrationSolution summary
7. Solution Collection 7: Extending User Attributes and Management Tools
Scenarios, Pain, and Solution
7-1: Best Practices for User Names
Solution overviewIntroductionEstablish best practice standards for user object name attributesDo not configure common name (cn) attributes as LastName, FirstNameAdd the Last Name column to your view to sort and find by last nameAdd the Last Name column to views of saved queriesChange Display Name to LastName, FirstNameAlternately use LastName FirstName as a common name without a commaClean up sins of the pastImplement manageable user logon namesAssign unique and memorable user principal namesAssign pre–Windows 2000 logon names that are manageableUse User_Rename.vbs to rename user objectsPrepare to add the second "John Doe" to your Active DirectorySolution summary
7-2: Using Saved Queries to Administer Active Directory Objects
Solution overviewIntroductionCreate a custom console that shows all domain usersControl the scope of a saved queryBuild saved queries that target specific objectsUnderstand LDAP query syntaxIdentify some useful LDAP queriesTransfer saved queries between consoles and administratorsLeverage saved queries for most types of administrationSolution summary
7-3: Create MMC Consoles for Down-Level Administrators
Solution overviewIntroductionCreate a console with saved queriesCreate a taskpad with tasks for each delegated abilityAdd productive tools and scripts to the taskpadsAdd procedures and documentation to the consoleCreate an administrative home page within the consoleAdd each taskpad to the MMC favoritesCreate navigation tasksSave the console in User modeLock down the console viewDistribute the consoleSolution summary
7-4: Extending the Attributes of User Objects
Solution overviewIntroductionLeverage unused and unexposed attributes of user objectsDiscover unused attributesEvaluate unused attributesExtend the schema with custom attributes and object classesCreate an attribute that exposes the computers assigned to a userCreate an attribute that exposes the computer to which a user is logged onCreate an attribute that supports users' software requestsSolution summary
7-5: Creating Administrative Tools to Manage Unused and Custom Attributes
Solution overviewIntroductionDisplay and edit the value of an unexposed attributeLatch on to an objectDisplay an attribute of an objectMake a script more flexible using variablesEnable a script to use argumentsHandle errorsEdit an unexposed or custom attributeSave the new valueUse the Object_Attribute.vbs script to display or edit any single-valued attributeUse Object_Attribute.hta to view or edit single-valued or multivalued attributesSolution summary
7-6: Moving Users and Other Objects
Solution overviewIntroductionUnderstand the permissions required to move an object in Active DirectoryRecognize the denial-of-service exposureCarefully restrict the delegation to move (delete) objectsDelegate highly sensitive tasks such as object deletion to tertiary administrative credentialsProxy the task of moving objectsSolution summary
7-7: Provisioning the Creation of Users
Solution overviewIntroductionExamine a user-provisioning scriptStructure the script in subroutines and functionsDeclare important configuration variables in the global scopeIdentify arguments passed to the scriptApply business logic to derive additional attributesValidate the attributes prior to making changesExecute the taskProvision object creation and managementCreate graphical provisioning toolsSolution summary
8. Solution Collection 8: Reimagining the Administration of Groups and Membership
Scenarios, Pain, and Solution
8-1: Best Practices for Creating Group Objects
Solution overviewIntroductionCreate groups that document their purposeEstablish and adhere to a strict naming conventionSummarize the purpose of the group in its descriptionDetail the purpose of the group in its notesProtect groups from accidental deletionConsider the group type: security vs. distributionRemember group membership limitationsConvert security groups to distribution groupsReduce token and PAC sizeConsider group scope: global, domain local, and universalSolution summary
8-2: Delegate Management of Group Membership
Solution overviewIntroductionExamine the member and memberOf attributesDelegate permission to write the member attributeCreate a capability management groupDelegate using the Advanced Security Settings dialog boxDelegate using the Dsacls commandDelegate membership management for individual groupsDelegate individual group management with the Managed By tabBridge the tool gapSolution summary
8-3: Create Subscription Groups
Solution overviewIntroductionExamine scenarios suited to the use of subscription groupsDelegate the Add/Remove Self As Member validated writeProvide tools with which to subscribe or unsubscribeSolution summary
8-4: Create an HTA for Subscription Groups
Solution overviewIntroductionUse Group_Subscription.htaUnderstand Group_Subscription.htaTake away lessons in the value of group standardsSolution summary
8-5: Create Shadow Groups
Solution overviewIntroductionShadow groups and fine-grained password and account lockout policiesUnderstand the elements of a shadow group frameworkDefine the group membership queryDefine the base scopes of the queryDevelop a script to manage the group's member attribute based on the query, while minimizing the impact on replicationExamine the Group_Shadow.vbs scriptExecute the script on a regular intervalTrigger the script based on changes to an OUSolution summary
8-6: Provide Friendly Tools for Group Management
Solution overviewIntroductionEnumerate memberOf and memberReport direct, indirect, and primary group membershipsList a user's membership by group typeDisplay all members of a groupAdd or remove group members with Group_ChangeMember.htaGive users control over the groups they manageIdentify notes and next steps for group management toolsSolution summary
8-7: Proxy Administrative Tasks to Enforce Rules and Logging
Solution overviewIntroductionUnderstand proxyingIdentify the security concernsExplore the components of the Proxy FrameworkUnderstand the model of the Proxy FrameworkCreate Active Directory objects required to support the Proxy FrameworkCreate the shared folders required by the Proxy FrameworkCreate scripts that perform tasksAdd the Access databaseEstablish the proxy serviceSubmit task request files with custom administrative toolsImplement business logic and rulesImagine what proxying can do for youDelegate group management to users with increased confidence and security
9. Solution Collection 9: Improving the Deployment and Management of Applications and Configuration
Scenarios, Pain, and Solution
9-1: Providing Software Distribution Points
Solution overviewIntroductionRationalize your software folder namespaceManage access to software distribution foldersShare the Software folder, and abstract its location with a DFS namespaceReplicate software distribution folders to remote sites and branch officesCreate a place for your own tools and scriptsSolution summary
9-2: New Approaches to Software Packaging
Solution overviewIntroductionDetermine how to automate the installation of an applicationIdentify the success codes produced by application installationUse Software_Setup.vbs to install almost any applicationSeparate the configuration from the application installationInstall the current version of an applicationSolution summary
9-3: Software Management with Group Policy
Solution overviewIntroductionPrepare an application for deployment with GPSIConfigure a GPO to deploy an applicationScope the deployment of an application using application groupsFilter the software deployment GPO with the application groupLink the GPO as high as necessary to support its scopeWhen to use GPSIGPSI and Microsoft Office 2007Take it to the next levelSolution summary
9-4: Deploy Files and Configuration Using Group Policy Preferences
Solution overviewIntroductionDeploy files with Group Policy Files preferencesPush registry changes using Registry preferencesAdd a registry valueDelete a registry value and optimize logon timeSolution summary
9-5: A Build-It-Yourself Software Management Infrastructure
Solution overviewIntroductionIdentify the challenges of deploying applications such as Microsoft Office 2007Prepare a software distribution folder for Microsoft Office 2007Create a setup customization fileLaunch an unattended installation of Office 2007Identify the requirements for a build-it-yourself software management frameworkCustomize Software_Deploy.vbs to enable application deploymentExecute a commandInterpret the results of the commandLog the results to a central databaseEnable debug modeImplement Software_Deploy.vbs as a startup scriptManage change using group membershipScope a Group Policy object to apply to a security groupImplement fine-grained control over changeLink the GPODeploy an application using a scheduled taskGive users control over the timing of installationEnable users to add their computer to the staging groupDeploy an application using a scheduled taskSolution summary
9-6: Automate Actions with SendKeys
Solution overviewIntroductionUse SendKeys to automate an action sequenceUnderstand and customize Config_QuickLaunch_Toggle.vbsSet the default folder view to Details for all foldersAutomate with AutoItSolution summary
10. Solution Collection 10: Implementing Change, Configuration, and Policies
Scenarios, Pain, and Solution
10-1: Create a Change Control Workflow
Solution overviewIntroductionIdentify the need for changeTranslate the change to Group Policy settingsTest the change in a lab environmentCommunicate the change to usersTest the change in the production environmentMigrate users and computers in the production environment to the scope of the changeImplement more GPOs with fewer settingsEstablish a GPO naming conventionEnsure a new GPO is not being applied while you are configuring its settingsBack up a GPO prior to and after changing itDocument the settings and the GPOCarefully implement the scope of a GPOEstablish a change management workflow with service levelsUnderstand the behavior of client-side Group Policy applicationGPOs are not downloaded unless they have been changedGPOs are not reapplied unless they have been changedGPOs apply even if a system is disconnected from the networkBackground refresh does not fully implement all policy changesSolution summary
10-2: Extend Role-Based Management to the Management of Change and Configuration
Solution overviewIntroductionScope GPOs to security groupsCreate a security group with which to filter the GPOScope a GPO to apply only to a specific security groupScope a GPO to exempt a specific security groupManage exemptions from an entire GPOManage exemptions from some settings of a GPOLink group-filtered GPOs high in the structureMaximize group management techniques to control GPO scopingAvoid using Block Inheritance to exempt objects from the scope of GPOsSolution summary
10-3: Implement Your Organization's Password and Account Lockout Policies
Solution overviewIntroductionDetermine the password policies that are appropriate for your organizationPassword policy: Longer passwords are a mustLockout policies expose a denial-of-service possibilityKerberos policy settings should be modified only with a deep understanding of Kerberos authenticationCustomize the default GPOs to align with your enterprise policiesImplement your password, lockout, and Kerberos policiesImplement fine-grained password policies to protect sensitive and privileged accountsCreate Password Settings objects for each exception policyScope each PSO to the groups or users to whom the policies should applyUnderstand PSO precedenceUse a unique precedence value for each PSOView resultant PSO for a user or groupDelegate the management of password policy applicationMake it all so much easierSolution summary
10-4: Implement Your Authentication and Active Directory Auditing Policies
Solution overviewIntroductionImplement your auditing policies by modifying the Default Domain Controllers Policy GPOConsider auditing failure eventsAlign auditing policies, corporate policies, and realityAudit changes to Active Directory objectsView audit events in the Security logLeverage Directory Service Changes auditingAudit changes to the membership of Domain AdminsSolution summary
10-5: Enforce Corporate Policies with Group Policy
Solution overviewIntroductionTranslate corporate policies to security and nonsecurity settingsCreate GPOs to configure settings derived from corporate policiesScope GPOs to the domainEnforce corporate security and configuration policiesProactively manage exemptionsProvide a managed migration path to policy implementationDetermine whether you need more than one GPO for corporate policy implementationSolution summary
10-6: Create a Delegated Group Policy Management Hierarchy
Solution overviewIntroductionDelegate permissions to link existing GPOs to an OUDelegate the ability to manage an existing GPODelegate permission to create GPOsProvide a baseline GPO for new GPOsUnderstand the business and technical concerns of Group Policy delegationSolution summary
10-7: Testing, Piloting, Validating, and Migrating Policy Settings
Solution overviewIntroductionCreate an effective scope of management for a pilot testPrepare for and model the effects of the pilot testCreate a rollback mechanismImplement the pilot testMigrate objects to the scope of the new GPOSolution summary
10-8: No-Brainer Group Policy Tips
Solution overviewIntroductionDeploy registry changes with templates or registry preferencesUse loopback policy processing in merge modeRun GPUpdate on a remote system to push changesDelegate permissions to perform RSoP reportingScope network-related settings using sites or shadow groupsAvoid WMI filters and targeting when possible: Use shadow groups insteadNo-brainer Group Policy settings
Index

Overview

Get the comprehensive, essential resource for improving Windows administrator productivity. This book delivers solutions to the common issues Windows administrators face every day. Unlike other administrator resources available that cover features and functionality of Windows Server and the Windows client operating system, this unique guide provides the tools that help you do more with less and make the most of your time. Based on a popular talk that author Dan Holme gives at conferences throughout the world, this book walks you through the process of selecting your tools, configuring your work environment, and incorporating scripts and third-party utilities into your administrative toolkit. You’ll even learn how to customize and automate solutions to meet the needs of your unique Windows-based environment. Covering Windows Server 2003, Windows Server 2008, Windows XP, and Windows VistaTM, this book helps you manage your environment from end to end. The companion CD includes a fully searchable eBook, tools, and other essential job resources.

Key Book Benefits

Brings together tools and practical advice providing solutions to a wide variety of administration problems

Provides comprehensive coverage focusing on manageability, security, provisioning, and role-based management

Delivers insights from a leading expert on Windows management and productivity

Features a CD with a fully searchable eBook, tools, and essential resources

https://www.microsoftpressstore.com/store/windows-administration-resource-kit-productivity-solutions-9780735624313

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Windows 10 for Enterprise Administrators

Publisher Resources

ISBN: 9780735624313Catalog Page Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills