Book description
Get the comprehensive, essential resource for improving Windows administrator productivity. This book delivers solutions to the common issues Windows administrators face every day. Unlike other administrator resources available that cover features and functionality of Windows Server and the Windows client operating system, this unique guide provides the tools that help you do more with less and make the most of your time. Based on a popular talk that author Dan Holme gives at conferences throughout the world, this book walks you through the process of selecting your tools, configuring your work environment, and incorporating scripts and third-party utilities into your administrative toolkit. You'll even learn how to customize and automate solutions to meet the needs of your unique Windows-based environment. Covering Windows Server 2003, Windows Server 2008, Windows XP, and Windows Vista™, this book helps you manage your environment from end to end. The companion CD includes a fully searchable eBook, tools, and other essential job resources.
Key Book Benefits
- Brings together tools and practical advice providing solutions to a wide variety of administration problems
- Provides comprehensive coverage focusing on manageability, security, provisioning, and role-based management
- Delivers insights from a leading expert on Windows management and productivity
- Features a CD with a fully searchable eBook, tools, and essential resources
Table of contents
- Windows® Administration Resource Kit: Productivity Solutions for IT Professionals
- Acknowledgments
- Introduction
- 1. Solution Collection 1: Role-Based Management
- Scenarios, Pain, and Solution
- 1-1: Enumerate a User's (or Computer's) Group Memberships
- 1-2: Create a GUI Tool to Enumerate Group Memberships
- 1-3: Extend Active Directory Users and Computers to Enumerate Group Memberships
- 1-4: Understand Role-Based Management
- 1-5: Implement Role-Based Access Control
- 1-6: Reporting and Auditing RBAC and Role-Based Management
- 1-7: Getting to Role-Based Management
- 2. Solution Collection 2: Managing Files, Folders, and Shares
- Scenarios, Pain, and Solution
- 2-1: Work Effectively with the ACL Editor User Interfaces
- 2-2: Manage Folder Structure
- 2-3: Manage Access to Root Data Folders
- 2-4: Delegate the Management of Shared Folders
- 2-5: Determine Which Folders Should Be Shared
- 2-6: Implement Folder Access Permissions Based on Required Capabilities
- Solution overview
- Introduction
- Implement a Read capability
- Implement a Browse To capability
- Implement an Edit capability
- Implement a Contribute capability
- Implement a Drop capability
- Implementing a Support capability
- Create scripts to apply permissions consistently
- Manage folder access capabilities using role-based access control
- Solution summary
- 2-7: Understand Shared Folder Permissions (SMB Permissions)
- 2-8: Script the Creation of an SMB Share
- 2-9: Provision the Creation of a Shared Folder
- 2-10: Avoid the ACL Inheritance Propagation Danger of File and Folder Movement
- 2-11: Preventing Users from Changing Permissions on Their Own Files
- 2-12: Prevent Users from Seeing What They Cannot Access
- 2-13: Determine Who Has a File Open
- 2-14: Send Messages to Users
- 2-15: Distribute Files Across Servers
- 2-16: Use Quotas to Manage Storage
- 2-17: Reduce Help Desk Calls to Recover Deleted or Overwritten Files
- 2-18: Create an Effective, Delegated DFS Namespace
- 3. Solution Collection 3: Managing User Data and Settings
- Scenarios, Pain, and Solution
- 3-1: Define Requirements for a User Data and Settings Framework
- Solution overview
- Introduction
- Understand the business requirements definition exercise
- Define the high-level business requirements
- Determine key design decision that is derived from high-level business requirements
- Define requirements derived from key design decisions
- Security: The UDS framework will comply with the enterprise information security and information technology policies regarding network storage of files.
- Mobility: Users who work while disconnected (for example, laptop users) will be able to access their files using the same namespace, whether they are connected or disconnected.
- Availability: Performance shall be sufficient to meet business requirements.
- Solution summary
- 3-2: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part I)
- 3-3: Create, Secure, Manage, and Provision Server-Side User Data Stores
- Solution overview
- Introduction
- Create the user data store root folder
- Align physical namespace with management requirements such as quotas
- Manage quotas collectively for the Desktop and Documents folders
- Create quota templates that give you wiggle room
- Autoapply quota templates
- Do not configure quotas for roaming profile stores
- Understand the problem with placement of profiles and other data stores
- Solution #1: Separate physical namespaces for different classes of data stores
- Solution #2: Manage individual data stores rather than data store classes
- My recommendation
- Provision the creation of data stores
- Configure file screens
- Solution summary
- 3-4: Create the SMB and DFS Namespaces for User Data Stores
- Solution overview
- Introduction
- Create the SMB namespace for user data and settings stores
- Understand the undesirable interaction between roaming profiles and offline files
- Design an SMB namespace that avoids the cached copy of the roaming profile problem
- Provision the creation of SMB shares for a user data store root
- Understand how a separate SMB namespace for profiles can prevent the cached copy of the roaming profile problem
- Design the logical view of user data and settings stores with DFS Namespaces
- Build a DFS namespace to support thousands of users
- Understand the impact of data movement and namespace changes
- Consider the impact of %username% changes
- Build an abstract DFS namespace for user data and settings (no site-based namespace, preferably no human names)
- Automate and provision the creation of user data stores and DFS namespaces
- Solution summary
- 3-5: Design and Implement Folder Redirection
- Solution overview
- Introduction
- Understand the role of folder redirection
- Configure folder redirection policies
- Configure folder redirection targets
- Configure folder redirection settings
- Support redirection for users on both Windows XP and Windows Vista
- Redirect without Group Policy: Favorites, Music, Pictures, and Videos
- Achieve a unified redirected folder environment for Windows XP and Windows Vista
- Solution summary
- 3-6: Configure Offline Files
- Solution overview
- Introduction
- Understand the cache
- Understand caching
- Understand synchronization
- Understand offline mode
- Leverage offline files for the UDS framework
- Allow redirected folders to be automatically made available offline
- Recognize that folders redirected using the registry are not automatically cached
- Administratively assign ("push") specific files or folders to be available offline
- Plan for a long initial synchronization when large folders are made available offline
- Recognize that when folders are made available offline, they are synchronized to every machine to which the user logs on
- Determine that you don't want redirected folders to be automatically made available offline for every machine
- Identify where you do want redirected folders to be available offline
- Manage offline files to that specification
- Disable offline files on all systems other than user laptops
- Disable the automatic caching of redirected folders for systems other than laptops
- Throw in the towel: Manually cache redirected folders
- Prevent Windows XP from synchronizing all files at logoff
- Eliminate unnecessary error messages from blocked file types
- Provide Windows XP users a way to force themselves offline
- Manage offline files notifications
- Remember cached files when sources are moved
- Put offline files to use
- Solution summary
- 3-7: Design and Implement Roaming Profiles
- Solution overview
- Introduction
- Analyze the structure of the Windows Vista user profile
- Review the components that create the user profile
- Configure the folders that will not roam
- Configure roaming profiles
- Recognize the "V2" of Windows Vista roaming profiles
- Unify the experience of Windows XP and Windows Vista users
- Work through the FOLKLORE of roaming profiles
- Identify the benefit of roaming profiles
- Manage the Application Data (AppData\Roaming) folder
- Solution summary
- 3-8: Manage User Data That Should Not Be Stored on Servers
- Solution overview
- Introduction
- Identify the types of data you want to manage as local only
- Design a local-only data folder structure
- Implement local-only file folders
- Ensure that applications will find relocated media folders
- Redirect Windows XP media folders that you are treating as local only
- Provide a way for users to find relocated folders
- Communicate to users and train them regarding local-only data
- Solution summary
- 3-9: Manage User Data That Should Be Accessed Locally
- 3-10: Back Up Local Data Stores for Availability, Mobility, and Resiliency
- Solution overview
- Introduction
- Define the goals of a synchronization solution
- Utilize Robocopy as a backup engine
- Leverage Folder_Synch.vbs as a wrapper for Robocopy
- Deploy Folder_Synch.vbs and Robocopy
- Determine how and when to run Folder_Synch.vbs for each local store
- Launch Folder_Synch.vbs manually
- Enable users to right-click a folder and back it up using a shell command
- Compare manual options for Folder_Synch.vbs
- Run Folder_Synch.vbs automatically
- Run Folder_Synch.vbs as a scheduled task
- Run Folder_Synch.vbs as a logon, logoff, startup, or shutdown script
- Log and monitor synchronization
- Solution summary
- 3-11: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part II)
- 4. Solution Collection 4: Implementing Document Management and Collaboration with SharePoint
- Scenarios, Pain, and Solution
- 4-1: Create and Configure a Document Library
- Solution overview
- Introduction
- Create a site
- Create a document library
- Configure document library settings
- Configure the document library title
- Enable or disable folders within the document library
- Change the default template for the library
- Configure security for a document library
- Solution summary
- 4-2: Manage Document Metadata Using Library and Site Columns
- Solution overview
- Introduction
- Create a column
- Work with custom columns from Microsoft Office clients
- Work with document properties from the SharePoint Web interface
- Modify or delete library columns
- Reorder columns
- Manage site columns
- Create site columns
- Use a site column in a list or library
- Modify and delete site columns
- Solution summary
- 4-3: Implement Managed Content Types
- 4-4: Configure Multiple Templates for a Document Library
- 4-5: Add, Save, and Upload Documents to a Document Library
- 4-6: Create Shortcuts to Document Libraries for End Users
- 4-7: Quarantine and Manage Uploads to a Document Library with Multiple Content Types
- 4-8: Work with Documents in a Document Library
- 4-9: Monitor Changes to Libraries or Documents with Alerts and RSS
- 4-10: Control Document Editing with Check Out
- 4-11: Implement and Maintain Document Version History
- 4-12: Implement Content Approval
- 4-13: Implement a Three-State Workflow
- 4-14: Organize and Manage Documents with Folders and Views
- 4-15: Configure WSS Indexing of PDF Files
- 4-16: Work with SharePoint Files Offline
- 5. Solution Collection 5: Active Directory Delegation and Administrative Lock Down
- Scenarios, Pain, and Solution
- 5-1: Explore the Components and Tools of Active Directory Delegation
- Solution overview
- Introduction
- Use Active Directory object ACLs and ACL editor interfaces
- Manage access control entries on Active Directory objects
- Adhere to the golden rules of delegation
- Apply permissions with a friend: The Delegation Of Control Wizard
- Manage the presentation of your delegation
- Solution summary
- 5-2: Customize the Delegation Of Control Wizard
- 5-3: Customize the Permissions Listed in the ACL Editor Interfaces
- 5-4: Evaluate, Report, and Revoke Active Directory Permissions
- Solution overview
- Introduction
- Use Dsacls to report Active Directory permissions
- Use ACLDiag to report Active Directory permissions
- Use ADFind to report Active Directory permissions
- Use DSRevoke to report Active Directory permissions
- Evaluate permissions assigned to a specific user or group
- Revoke Active Directory permissions with DSRevoke
- Revoke Active Directory permissions with Dsacls
- Reset permissions to Schema defaults
- Solution summary
- 5-5: Assign and Revoke Permissions with Dsacls
- Solution overview
- Introduction
- Identify the basic syntax of Dsacls
- Delegate permissions to manage computer objects
- Grant permissions to manage other common object classes
- Use Dsacls to delegate other common tasks
- Unlock user accounts
- Force users to change passwords at the next logon
- Reset user passwords
- Disable user accounts
- Change the logon names for a user account
- Change user properties
- Delegate with property sets
- Manage group membership
- Join computers to the domain
- Prestage a computer account
- Disable and enable computer accounts
- Rename computers
- Reset computer accounts
- Manage group properties
- Link GPOs to an OU
- Run resultant set of policy reports
- Delegate the ability to move objects
- Delegate the ability to delegate
- Tightly control the delegation of OUs
- Solution summary
- 5-6: Define Your Administrative Model
- 5-7: Role-Based Management of Active Directory Delegation
- Solution overview
- Introduction
- Identify the pain points of an unmanaged delegation model
- Create capability management groups to manage delegation
- Assign permissions to capability management groups
- Delegate control by adding roles to capability management groups
- Create granular capability management groups
- Report permissions in a role-based delegation
- Solution summary
- 5-8: Scripting the Delegation of Active Directory
- 5-9: Delegating Administration and Support of Computers
- 5-10: Empty as Many of the Built-in Groups as Possible
- 6. Solution Collection 6: Improving the Management and Administration of Computers
- Scenarios, Pain, and Solution
- 6-1: Implement Best Practices for Managing Computers in Active Directory
- Solution overview
- Introduction
- Establish naming standards for computers
- Identify requirements for joining a computer to the domain
- Design Active Directory to delegate the management of computer objects
- Delegate permissions to create computers in the domain
- Create a computer object in Active Directory
- Delegate permissions to join computers using existing computer objects
- Join a computer to the domain
- Ensure correct logon after joining the domain
- Solution summary
- 6-2: Control the Addition of Unmanaged Computers to the Domain
- 6-3: Provision Computers
- 6-4: Manage Computer Roles and Capabilities
- 6-5: Reset and Reassign Computers
- 6-6: Establish the Relationship Between Users and Their Computers with Built-in Properties
- 6-7: Track Computer-to-User Assignments by Extending the Schema
- Solution overview
- Introduction
- Understand the impact of extending the schema
- Plan the ComputerAssignedTo attribute and ComputerInfo object class
- Obtain an OID
- Register the Active Directory schema snap-in
- Make sure you have permission to change the schema
- Connect to the schema master
- Create the ComputerAssignedTo attribute
- Create the ComputerInfo object class
- Associate the ComputerInfo object class with the Computer object class
- Give the ComputerAssignedTo attribute a friendly display name
- Allow the changes to replicate
- Delegate permission to modify the attribute
- Integrate the Computer_AssignTo.hta tool with Active Directory Users and Computers
- Customize Computer_AssignTo.hta
- Create a task for computer assignment
- Add other attributes to computer objects
- Solution summary
- 6-8: Establish Self-Reporting of Computer Information
- Solution overview
- Introduction
- Determine the information you wish you had
- Decide where you want the information to appear
- Report computer information with Computer_InfoToDescription.vbs
- Understand Computer_InfoToDescription.vbs
- Expose the report attributes in the Active Directory Users and Computers snap-in
- Delegate permissions for computer information reporting
- Automate computer information reporting with startup and logon scripts or scheduled tasks
- Take it to the next level
- Solution summary
- 6-9: Integrate Computer Support Tools into Active Directory Users and Computers
- 7. Solution Collection 7: Extending User Attributes and Management Tools
- Scenarios, Pain, and Solution
- 7-1: Best Practices for User Names
- Solution overview
- Introduction
- Establish best practice standards for user object name attributes
- Do not configure common name (cn) attributes as LastName, FirstName
- Add the Last Name column to your view to sort and find by last name
- Add the Last Name column to views of saved queries
- Change Display Name to LastName, FirstName
- Alternately use LastName FirstName as a common name without a comma
- Clean up sins of the past
- Implement manageable user logon names
- Prepare to add the second "John Doe" to your Active Directory
- Solution summary
- 7-2: Using Saved Queries to Administer Active Directory Objects
- Solution overview
- Introduction
- Create a custom console that shows all domain users
- Control the scope of a saved query
- Build saved queries that target specific objects
- Understand LDAP query syntax
- Identify some useful LDAP queries
- Transfer saved queries between consoles and administrators
- Leverage saved queries for most types of administration
- Solution summary
- 7-3: Create MMC Consoles for Down-Level Administrators
- Solution overview
- Introduction
- Create a console with saved queries
- Create a taskpad with tasks for each delegated ability
- Add productive tools and scripts to the taskpads
- Add procedures and documentation to the console
- Create an administrative home page within the console
- Add each taskpad to the MMC favorites
- Create navigation tasks
- Save the console in User mode
- Lock down the console view
- Distribute the console
- Solution summary
- 7-4: Extending the Attributes of User Objects
- 7-5: Creating Administrative Tools to Manage Unused and Custom Attributes
- 7-6: Moving Users and Other Objects
- Solution overview
- Introduction
- Understand the permissions required to move an object in Active Directory
- Recognize the denial-of-service exposure
- Carefully restrict the delegation to move (delete) objects
- Delegate highly sensitive tasks such as object deletion to tertiary administrative credentials
- Proxy the task of moving objects
- Solution summary
- 7-7: Provisioning the Creation of Users
- Solution overview
- Introduction
- Examine a user-provisioning script
- Structure the script in subroutines and functions
- Declare important configuration variables in the global scope
- Identify arguments passed to the script
- Apply business logic to derive additional attributes
- Validate the attributes prior to making changes
- Execute the task
- Provision object creation and management
- Create graphical provisioning tools
- Solution summary
- 8. Solution Collection 8: Reimagining the Administration of Groups and Membership
- Scenarios, Pain, and Solution
- 8-1: Best Practices for Creating Group Objects
- 8-2: Delegate Management of Group Membership
- 8-3: Create Subscription Groups
- 8-4: Create an HTA for Subscription Groups
- 8-5: Create Shadow Groups
- Solution overview
- Introduction
- Shadow groups and fine-grained password and account lockout policies
- Understand the elements of a shadow group framework
- Define the group membership query
- Define the base scopes of the query
- Develop a script to manage the group's member attribute based on the query, while minimizing the impact on replication
- Execute the script on a regular interval
- Trigger the script based on changes to an OU
- Solution summary
- 8-6: Provide Friendly Tools for Group Management
- Solution overview
- Introduction
- Enumerate memberOf and member
- Report direct, indirect, and primary group memberships
- List a user's membership by group type
- Display all members of a group
- Add or remove group members with Group_ChangeMember.hta
- Give users control over the groups they manage
- Identify notes and next steps for group management tools
- Solution summary
- 8-7: Proxy Administrative Tasks to Enforce Rules and Logging
- Solution overview
- Introduction
- Understand proxying
- Explore the components of the Proxy Framework
- Understand the model of the Proxy Framework
- Create Active Directory objects required to support the Proxy Framework
- Create the shared folders required by the Proxy Framework
- Create scripts that perform tasks
- Add the Access database
- Establish the proxy service
- Submit task request files with custom administrative tools
- Implement business logic and rules
- Imagine what proxying can do for you
- Delegate group management to users with increased confidence and security
- 9. Solution Collection 9: Improving the Deployment and Management of Applications and Configuration
- Scenarios, Pain, and Solution
- 9-1: Providing Software Distribution Points
- Solution overview
- Introduction
- Rationalize your software folder namespace
- Manage access to software distribution folders
- Share the Software folder, and abstract its location with a DFS namespace
- Replicate software distribution folders to remote sites and branch offices
- Create a place for your own tools and scripts
- Solution summary
- 9-2: New Approaches to Software Packaging
- Solution overview
- Introduction
- Determine how to automate the installation of an application
- Identify the success codes produced by application installation
- Use Software_Setup.vbs to install almost any application
- Separate the configuration from the application installation
- Install the current version of an application
- Solution summary
- 9-3: Software Management with Group Policy
- Solution overview
- Introduction
- Prepare an application for deployment with GPSI
- Configure a GPO to deploy an application
- Scope the deployment of an application using application groups
- Filter the software deployment GPO with the application group
- Link the GPO as high as necessary to support its scope
- When to use GPSI
- GPSI and Microsoft Office 2007
- Take it to the next level
- Solution summary
- 9-4: Deploy Files and Configuration Using Group Policy Preferences
- 9-5: A Build-It-Yourself Software Management Infrastructure
- Solution overview
- Introduction
- Identify the challenges of deploying applications such as Microsoft Office 2007
- Prepare a software distribution folder for Microsoft Office 2007
- Create a setup customization file
- Launch an unattended installation of Office 2007
- Identify the requirements for a build-it-yourself software management framework
- Customize Software_Deploy.vbs to enable application deployment
- Manage change using group membership
- Deploy an application using a scheduled task
- Give users control over the timing of installation
- Solution summary
- 9-6: Automate Actions with SendKeys
- 10. Solution Collection 10: Implementing Change, Configuration, and Policies
- Scenarios, Pain, and Solution
- 10-1: Create a Change Control Workflow
- Solution overview
- Introduction
- Identify the need for change
- Translate the change to Group Policy settings
- Test the change in a lab environment
- Communicate the change to users
- Test the change in the production environment
- Migrate users and computers in the production environment to the scope of the change
- Implement more GPOs with fewer settings
- Establish a GPO naming convention
- Ensure a new GPO is not being applied while you are configuring its settings
- Back up a GPO prior to and after changing it
- Document the settings and the GPO
- Carefully implement the scope of a GPO
- Establish a change management workflow with service levels
- Understand the behavior of client-side Group Policy application
- Solution summary
- 10-2: Extend Role-Based Management to the Management of Change and Configuration
- 10-3: Implement Your Organization's Password and Account Lockout Policies
- Solution overview
- Introduction
- Determine the password policies that are appropriate for your organization
- Customize the default GPOs to align with your enterprise policies
- Implement your password, lockout, and Kerberos policies
- Implement fine-grained password policies to protect sensitive and privileged accounts
- Understand PSO precedence
- Solution summary
- 10-4: Implement Your Authentication and Active Directory Auditing Policies
- Solution overview
- Introduction
- Implement your auditing policies by modifying the Default Domain Controllers Policy GPO
- Consider auditing failure events
- Align auditing policies, corporate policies, and reality
- Audit changes to Active Directory objects
- View audit events in the Security log
- Leverage Directory Service Changes auditing
- Solution summary
- 10-5: Enforce Corporate Policies with Group Policy
- Solution overview
- Introduction
- Translate corporate policies to security and nonsecurity settings
- Create GPOs to configure settings derived from corporate policies
- Scope GPOs to the domain
- Enforce corporate security and configuration policies
- Proactively manage exemptions
- Provide a managed migration path to policy implementation
- Determine whether you need more than one GPO for corporate policy implementation
- Solution summary
- 10-6: Create a Delegated Group Policy Management Hierarchy
- 10-7: Testing, Piloting, Validating, and Migrating Policy Settings
- 10-8: No-Brainer Group Policy Tips
- Solution overview
- Introduction
- Deploy registry changes with templates or registry preferences
- Use loopback policy processing in merge mode
- Run GPUpdate on a remote system to push changes
- Delegate permissions to perform RSoP reporting
- Scope network-related settings using sites or shadow groups
- Avoid WMI filters and targeting when possible: Use shadow groups instead
- No-brainer Group Policy settings
- Index
Product information
- Title: Windows® Administration Resource Kit: Productivity Solutions for IT Professionals
- Author(s): Dan Holme
- Release date: February 2008
- Publisher(s): Microsoft Press
- ISBN: 9780735624313