Windows® Administration Resource Kit: Productivity Solutions for IT Professionals

Book description

Get the comprehensive, essential resource for improving Windows administrator productivity. This book delivers solutions to the common issues Windows administrators face every day. Unlike other administrator resources available that cover features and functionality of Windows Server and the Windows client operating system, this unique guide provides the tools that help you do more with less and make the most of your time. Based on a popular talk that author Dan Holme gives at conferences throughout the world, this book walks you through the process of selecting your tools, configuring your work environment, and incorporating scripts and third-party utilities into your administrative toolkit. You'll even learn how to customize and automate solutions to meet the needs of your unique Windows-based environment. Covering Windows Server 2003, Windows Server 2008, Windows XP, and Windows Vista™, this book helps you manage your environment from end to end. The companion CD includes a fully searchable eBook, tools, and other essential job resources.

Key Book Benefits

Brings together tools and practical advice providing solutions to a wide variety of administration problems

Provides comprehensive coverage focusing on manageability, security, provisioning, and role-based management

Delivers insights from a leading expert on Windows management and productivity

Features a CD with a fully searchable eBook, tools, and essential resources

Table of contents

  1. Windows® Administration Resource Kit: Productivity Solutions for IT Professionals
    1. Acknowledgments
    2. Introduction
      1. Document Conventions
        1. Reader Aids
        2. Command-Line Examples
      2. System Requirements
      3. Web-Based Content
      4. Find Additional Content Online
      5. Companion Media
      6. Using the Scripts
      7. Resource Kit Support Policy
    3. 1. Solution Collection 1: Role-Based Management
      1. Scenarios, Pain, and Solution
        1. The 80/20 rule
        2. Scripts and tools on the companion media
        3. Microsoft and third-party tools
        4. The Windows Administration Resource Kit online community
        5. Enough, already!
      2. 1-1: Enumerate a User's (or Computer's) Group Memberships
        1. Solution overview
        2. Introduction
        3. Active Directory Users and Computers
        4. DS commands
        5. Creating a batch script
        6. Enumerating group membership with VBScript
          1. Understanding ADObject_MemberOf_Enum.vbs
          2. Using ADObject_MemberOf_Enum.vbs
        7. Why VBScript?
        8. Next steps
        9. For more information
        10. Solution summary
      3. 1-2: Create a GUI Tool to Enumerate Group Memberships
        1. Solution overview
        2. Introduction
        3. HTML Applications
        4. Create an HTA
          1. Write the functional code first
          2. Creating a user interface: the HTML
          3. Creating a user interface: inputs
          4. Wiring up events
          5. Creating a user interface: output
          6. The final HTA
        5. For more information
        6. Solution summary
      4. 1-3: Extend Active Directory Users and Computers to Enumerate Group Memberships
        1. Solution overview
        2. Introduction
        3. Arguments and HTAs
          1. Using the MemberOf_Report.hta
        4. Integrating a custom HTA with an MMC snap-in using tasks
          1. Saving the HTA to an accessible location
          2. Creating a taskpad and shell task to launch the HTA
          3. Using the HTA
          4. Removing a task or taskpad
          5. For more information
        5. Integrating a custom HTA with an MMC snap-in using display specifiers
          1. Using AdminContextMenu.hta
          2. Removing a custom command
          3. Display specifiers, delegation, and the forest
          4. Managing changes to the context menu
          5. For more information
        6. Tasks or display specifiers
        7. Solution summary
      5. 1-4: Understand Role-Based Management
        1. Solution overview
        2. Introduction
        3. Role groups
          1. The problem with having only role groups
        4. Capability management groups
          1. The problem with having only capability management groups
        5. Role groups are nested into capability management groups
        6. Other nesting
        7. Data, business logic, and presentation
        8. Third-party tools
        9. Solution summary
      6. 1-5: Implement Role-Based Access Control
        1. Solution overview
        2. Introduction
        3. Role groups
          1. Group naming conventions
          2. Role groups summary
          3. Role groups in our RBAC scenario
        4. Capability management groups
          1. Group naming convention
          2. Capability management groups summary
          3. Capability management groups in our RBAC scenario
        5. Representing business requirements
        6. Implementing capabilities
        7. Automating and provisioning
        8. Solution summary
      7. 1-6: Reporting and Auditing RBAC and Role-Based Management
        1. Solution overview
        2. Introduction
        3. My Memberships
          1. Using My Memberships
          2. Understanding and customizing My Memberships
        4. Access Report
          1. Using Access Report
          2. Understanding and customizing Access Report
        5. Auditing internal compliance of your role-based access control
          1. Using Folder ACL Report.vbs
          2. Next steps for Folder ACL Report.vbs
        6. Solution summary
      8. 1-7: Getting to Role-Based Management
        1. Solution overview
        2. Introduction
        3. A review of role-based management
          1. Reliance on groups and group management
          2. "Scars" from group management days of yore
        4. Discussing and selling role-based management
          1. "Won't there be a lot of groups?"
        5. The road to role-based management
          1. Analyze your environment
          2. Define your naming convention and processes
          3. Encourage or mandate discipline
          4. Create a transition plan
        6. Token size
          1. Increase MaxTokenSize
          2. Consider implementing groups as global (or universal) instead of domain local
          3. Clean up your sIDHistory attributes
        7. Solution summary
    4. 2. Solution Collection 2: Managing Files, Folders, and Shares
      1. Scenarios, Pain, and Solution
      2. 2-1: Work Effectively with the ACL Editor User Interfaces
        1. Solution overview
        2. Introduction
        3. The ACL editor
          1. The Security tab of the Properties dialog box
          2. The Permissions tab of the Advanced Security Settings dialog box
          3. The Permission Entry dialog box
        4. Evaluating effective permissions
        5. Solution summary
      3. 2-2: Manage Folder Structure
        1. Solution overview
        2. Introduction
        3. Create a folder structure that is wide rather than deep
          1. A quick review of inheritance fundamentals
          2. Managing inheritance
          3. The impact of inheritance on folder hierarchy
        4. Use DFS namespaces to present shared folders in a logical hierarchy
        5. Solution summary
      4. 2-3: Manage Access to Root Data Folders
        1. Solution overview
        2. Introduction
        3. Create one or more consistent root data folders on each file server
        4. Use Group Policy to manage and enforce ACLs on root data folders
        5. Solution summary
      5. 2-4: Delegate the Management of Shared Folders
        1. Solution overview
        2. Introduction
        3. Dedicate servers that perform a file server role
        4. Manage the delegation of administration of shared folders
        5. Solution summary
      6. 2-5: Determine Which Folders Should Be Shared
        1. Solution overview
        2. Introduction
        3. Determine which folders should be shared
          1. Presentation of information to users
          2. Management of SMB settings
        4. Solution summary
      7. 2-6: Implement Folder Access Permissions Based on Required Capabilities
        1. Solution overview
        2. Introduction
        3. Implement a Read capability
        4. Implement a Browse To capability
        5. Implement an Edit capability
        6. Implement a Contribute capability
        7. Implement a Drop capability
        8. Implementing a Support capability
        9. Create scripts to apply permissions consistently
        10. Manage folder access capabilities using role-based access control
        11. Solution summary
      8. 2-7: Understand Shared Folder Permissions (SMB Permissions)
        1. Solution overview
        2. Introduction
        3. Scripting SMB permissions on local and remote systems
        4. Solution summary
      9. 2-8: Script the Creation of an SMB Share
        1. Solution overview
        2. Introduction
        3. Using Share_Create.vbs
        4. Customizing Share_Create.vbs
        5. Understanding Share_Create.vbs
        6. Solution summary
      10. 2-9: Provision the Creation of a Shared Folder
        1. Solution overview
        2. Introduction
        3. Using Folder_Provision.hta
        4. Basic customization of Folder_Provision.hta
          1. Customizing the behavior of option defaults
          2. Customizing the list of servers
        5. Understanding the code behind Folder_Provision.hta and advanced customization
          1. Application display
          2. Form controls
          3. Folder provisioning
        6. Solution summary
      11. 2-10: Avoid the ACL Inheritance Propagation Danger of File and Folder Movement
        1. Solution overview
        2. Introduction
        3. See the bug-like feature in action
        4. What in the world is going on?
        5. Solving the problem
        6. Change the culture, change the configuration
        7. Solution summary
      12. 2-11: Preventing Users from Changing Permissions on Their Own Files
        1. Solution overview
        2. Introduction
        3. What about object lockout?
        4. Solution summary
      13. 2-12: Prevent Users from Seeing What They Cannot Access
        1. Solution overview
        2. Introduction
        3. One perspective: Don't worry about it
        4. A second perspective: Manage your folders
        5. A third perspective and a solution: Access-based Enumeration
        6. Solution summary
      14. 2-13: Determine Who Has a File Open
        1. Solution overview
        2. Introduction
        3. Using FileServer_OpenFile.vbs
        4. Understanding FileServer_OpenFile.vbs
        5. Solution summary
      15. 2-14: Send Messages to Users
        1. Solution overview
        2. Introduction
        3. Using Message_Notification.vbs
        4. Understanding Message_Notification.vbs
        5. Using PSExec to execute a script on a remote machine
        6. Listing the open sessions on a server
        7. Using and customizing FileServer_NotifyConnectedUsers.vbs
        8. Solution summary
      16. 2-15: Distribute Files Across Servers
        1. Solution overview
        2. Introduction
        3. Using Robocopy to distribute files
        4. Using DFS Replication to distribute files
        5. Solution summary
      17. 2-16: Use Quotas to Manage Storage
        1. Solution overview
        2. Introduction
        3. What's new in quota management
        4. Quota templates
        5. Apply a quota to a folder
        6. Solution summary
      18. 2-17: Reduce Help Desk Calls to Recover Deleted or Overwritten Files
        1. Solution overview
        2. Introduction
        3. Enabling shadow copies
        4. Understanding and configuring shadow copies
        5. Accessing previous versions
        6. Solution summary
      19. 2-18: Create an Effective, Delegated DFS Namespace
        1. Solution overview
        2. Introduction
        3. Creating DFS namespaces
        4. Delegating DFS namespaces
        5. Linking DFS namespaces
        6. Presenting DFS namespaces to users
        7. Solution summary
    5. 3. Solution Collection 3: Managing User Data and Settings
      1. Scenarios, Pain, and Solution
      2. 3-1: Define Requirements for a User Data and Settings Framework
        1. Solution overview
        2. Introduction
        3. Understand the business requirements definition exercise
        4. Define the high-level business requirements
          1. Availability and mobility
          2. Resiliency
          3. Security
        5. Determine key design decision that is derived from high-level business requirements
          1. User data and settings must be stored on the network
        6. Define requirements derived from key design decisions
          1. Security: The UDS framework will comply with the enterprise information security and information technology policies regarding network storage of files.
          2. Mobility: Users who work while disconnected (for example, laptop users) will be able to access their files using the same namespace, whether they are connected or disconnected.
          3. Availability: Performance shall be sufficient to meet business requirements.
        7. Solution summary
      3. 3-2: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part I)
        1. Solution overview
        2. Introduction
        3. Understand UDS options
          1. Data and settings
          2. Windows user data and settings stores
          3. Network and local stores
          4. Primary data stores
          5. Synchronization of data stores
          6. Presentation (or namespace)
          7. Network and DFS Namespaces
        4. Align user data and settings options with requirements and scenarios
        5. Validate the outcome for desktop, roaming, relocated, and traveling users
        6. Solution summary
      4. 3-3: Create, Secure, Manage, and Provision Server-Side User Data Stores
        1. Solution overview
        2. Introduction
        3. Create the user data store root folder
          1. Apply least privilege permissions for the user data store root folder
          2. Provision the permissions of a user data store root folder with UDS_DataRoot_ACL.bat
        4. Align physical namespace with management requirements such as quotas
          1. Manage quotas collectively for the Desktop and Documents folders
          2. Create quota templates that give you wiggle room
          3. Autoapply quota templates
          4. Do not configure quotas for roaming profile stores
          5. Understand the problem with placement of profiles and other data stores
          6. Solution #1: Separate physical namespaces for different classes of data stores
          7. Solution #2: Manage individual data stores rather than data store classes
          8. My recommendation
        5. Provision the creation of data stores
          1. Use the UDS_UserFolders_Provision.vbs script
        6. Configure file screens
        7. Solution summary
      5. 3-4: Create the SMB and DFS Namespaces for User Data Stores
        1. Solution overview
        2. Introduction
        3. Create the SMB namespace for user data and settings stores
          1. Understand the undesirable interaction between roaming profiles and offline files
          2. Design an SMB namespace that avoids the cached copy of the roaming profile problem
          3. Provision the creation of SMB shares for a user data store root
          4. Understand how a separate SMB namespace for profiles can prevent the cached copy of the roaming profile problem
        4. Design the logical view of user data and settings stores with DFS Namespaces
          1. Create a fully enumerated DFS namespace for user data and settings stores (DFS Design Option 1)
          2. Create a DFS namespace that redirects to each SMB namespace for the user data store root share (DFS Design Option 2)
          3. Compare DFS design options
        5. Build a DFS namespace to support thousands of users
        6. Understand the impact of data movement and namespace changes
        7. Consider the impact of %username% changes
        8. Build an abstract DFS namespace for user data and settings (no site-based namespace, preferably no human names)
        9. Automate and provision the creation of user data stores and DFS namespaces
          1. Customize UDS_UserFolders_Provision_DFS.vbs
        10. Solution summary
      6. 3-5: Design and Implement Folder Redirection
        1. Solution overview
        2. Introduction
        3. Understand the role of folder redirection
          1. What are the key benefits of folder redirection?
          2. What's new in Windows Vista folder redirection?
          3. What is the downside of folder redirection?
        4. Configure folder redirection policies
        5. Configure folder redirection targets
          1. Basic – Redirect everyone's folder to the same location
          2. Follow the Documents folder
          3. Advanced—Specify locations for various user groups
          4. Not Configured
        6. Configure folder redirection settings
          1. Grant the user exclusive rights to [folder]
          2. Move the contents of [folder] to the new location
          3. Policy removal settings
        7. Support redirection for users on both Windows XP and Windows Vista
          1. Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems
          2. Side effects of the "Also apply to Windows XP" policy
          3. Pictures, Music, and Videos redirection policies
        8. Redirect without Group Policy: Favorites, Music, Pictures, and Videos
          1. Quirks and bugs
          2. Advantages of redirection with the registry
          3. Disadvantages of redirection with the registry
          4. Recommendation
          5. Get rid of the My Music and My Pictures subfolders
          6. Give users a way to browse to the folders
        9. Achieve a unified redirected folder environment for Windows XP and Windows Vista
          1. Provision the creation of all user data stores
          2. Configure folder redirection for Windows XP Favorites, Pictures, Music, and Videos using Group Policy
        10. Solution summary
      7. 3-6: Configure Offline Files
        1. Solution overview
        2. Introduction
        3. Understand the cache
        4. Understand caching
        5. Understand synchronization
        6. Understand offline mode
        7. Leverage offline files for the UDS framework
          1. Allow redirected folders to be automatically made available offline
          2. Recognize that folders redirected using the registry are not automatically cached
          3. Administratively assign ("push") specific files or folders to be available offline
          4. Plan for a long initial synchronization when large folders are made available offline
          5. Recognize that when folders are made available offline, they are synchronized to every machine to which the user logs on
          6. Determine that you don't want redirected folders to be automatically made available offline for every machine
          7. Identify where you do want redirected folders to be available offline
          8. Manage offline files to that specification
          9. Disable offline files on all systems other than user laptops
          10. Disable the automatic caching of redirected folders for systems other than laptops
          11. Throw in the towel: Manually cache redirected folders
          12. Prevent Windows XP from synchronizing all files at logoff
          13. Eliminate unnecessary error messages from blocked file types
          14. Provide Windows XP users a way to force themselves offline
          15. Manage offline files notifications
          16. Remember cached files when sources are moved
        8. Put offline files to use
          1. Design thoroughly
          2. Communicate and train effectively
          3. Remember that the Offline Files feature is not for all files
        9. Solution summary
      8. 3-7: Design and Implement Roaming Profiles
        1. Solution overview
        2. Introduction
        3. Analyze the structure of the Windows Vista user profile
        4. Review the components that create the user profile
          1. Default user profile
          2. Shell folders
          3. Roaming profile synchronization
          4. Public profile
          5. Profile generation, summarized
        5. Configure the folders that will not roam
        6. Configure roaming profiles
        7. Recognize the "V2" of Windows Vista roaming profiles
        8. Unify the experience of Windows XP and Windows Vista users
        9. Work through the FOLKLORE of roaming profiles
        10. Identify the benefit of roaming profiles
        11. Manage the Application Data (AppData\Roaming) folder
        12. Solution summary
      9. 3-8: Manage User Data That Should Not Be Stored on Servers
        1. Solution overview
        2. Introduction
        3. Identify the types of data you want to manage as local only
        4. Design a local-only data folder structure
          1. Media folders as local only
          2. Nonmedia personal files
        5. Implement local-only file folders
        6. Ensure that applications will find relocated media folders
        7. Redirect Windows XP media folders that you are treating as local only
        8. Provide a way for users to find relocated folders
        9. Communicate to users and train them regarding local-only data
        10. Solution summary
      10. 3-9: Manage User Data That Should Be Accessed Locally
        1. Solution overview
        2. Introduction
        3. Determine the name for a local files folder
        4. Option 1: Use a roaming profile folder
        5. Option 2: Leverage offline files (Windows Vista only)
        6. Option 3: Create a local folder that is backed up to a network store
          1. Create the local folder
          2. Exclude the folder from roaming
          3. Determine a backup or synchronization strategy and tools
          4. Create visible navigation and access points in the user interface
        7. Solution summary
      11. 3-10: Back Up Local Data Stores for Availability, Mobility, and Resiliency
        1. Solution overview
        2. Introduction
        3. Define the goals of a synchronization solution
        4. Utilize Robocopy as a backup engine
        5. Leverage Folder_Synch.vbs as a wrapper for Robocopy
        6. Deploy Folder_Synch.vbs and Robocopy
        7. Determine how and when to run Folder_Synch.vbs for each local store
        8. Launch Folder_Synch.vbs manually
        9. Enable users to right-click a folder and back it up using a shell command
        10. Compare manual options for Folder_Synch.vbs
        11. Run Folder_Synch.vbs automatically
        12. Run Folder_Synch.vbs as a scheduled task
        13. Run Folder_Synch.vbs as a logon, logoff, startup, or shutdown script
        14. Log and monitor synchronization
        15. Solution summary
      12. 3-11: Design UDS Components That Align Requirements and Scenarios with Features and Technologies (Part II)
        1. Solution overview
        2. Introduction
        3. Recognize the crux of the challenge
        4. Identify the desired classes of data stores
        5. Analyze and classify your user data stores and data
          1. Phase I: Analyze how to manage your user data stores
          2. Phase II: Classify data
        6. Solution summary
    6. 4. Solution Collection 4: Implementing Document Management and Collaboration with SharePoint
      1. Scenarios, Pain, and Solution
      2. 4-1: Create and Configure a Document Library
        1. Solution overview
        2. Introduction
        3. Create a site
        4. Create a document library
        5. Configure document library settings
        6. Configure the document library title
        7. Enable or disable folders within the document library
        8. Change the default template for the library
        9. Configure security for a document library
          1. Manage permissions for a document library, folder, or document
          2. Assign permissions to SharePoint or Active Directory groups
        10. Solution summary
      3. 4-2: Manage Document Metadata Using Library and Site Columns
        1. Solution overview
        2. Introduction
        3. Create a column
        4. Work with custom columns from Microsoft Office clients
          1. Create a new document from the document library with Office clients
          2. Save a document to a library with custom columns from Microsoft Office clients
        5. Work with document properties from the SharePoint Web interface
          1. Upload a document with custom columns
          2. View document properties
          3. Use SharePoint's edit menu
          4. Edit document properties
        6. Modify or delete library columns
        7. Reorder columns
        8. Manage site columns
        9. Create site columns
        10. Use a site column in a list or library
        11. Modify and delete site columns
        12. Solution summary
      4. 4-3: Implement Managed Content Types
        1. Solution overview
        2. Introduction
        3. Create a content type
        4. Add one or more content types to a list or library
        5. Understand child site and list content types
        6. Protect a content type by making it read-only
        7. Do not change default SharePoint content types
        8. Solution summary
      5. 4-4: Configure Multiple Templates for a Document Library
        1. Solution overview
        2. Introduction
        3. Create a central library for templates
        4. Configure a content type for a template
        5. Configure a library to support the content types
        6. Solution summary
      6. 4-5: Add, Save, and Upload Documents to a Document Library
        1. Solution overview
        2. Introduction
        3. Create a new document with the New command
        4. Upload documents with the Upload commands
          1. Upload one document
          2. Upload multiple documents
          3. Upload specific content types
        5. Add documents to document libraries with Windows Explorer
        6. Save to a document library from a SharePoint-compatible application
        7. E-mail–enable a document library
        8. Solution summary
      7. 4-6: Create Shortcuts to Document Libraries for End Users
        1. Solution overview
        2. Introduction
        3. Create Network Places (Windows XP)
        4. Create Network Locations (Vista)
        5. Solution summary
      8. 4-7: Quarantine and Manage Uploads to a Document Library with Multiple Content Types
        1. Solution overview
        2. Introduction
        3. Solution summary
      9. 4-8: Work with Documents in a Document Library
        1. Solution overview
        2. Introduction
        3. View a document in a document library
        4. Edit a document in a document library
        5. Open a document with Office 2007 clients installed
        6. Solution summary
      10. 4-9: Monitor Changes to Libraries or Documents with Alerts and RSS
        1. Solution overview
        2. Introduction
        3. Subscribe to e-mail alerts for a library or document
        4. Monitor library activity using RSS
        5. Solution summary
      11. 4-10: Control Document Editing with Check Out
        1. Solution overview
        2. Introduction
        3. Require document checkout
        4. Check out a document
          1. Using the document library
          2. Using Office applications
        5. Understand the user experience while a document is checked out
        6. Manage document check in
          1. Save changes to a checked-out document
          2. Check in the document
          3. Check in the document but keep it checked out
          4. Check in without saving changes
          5. Discard check out
        7. Solution summary
      12. 4-11: Implement and Maintain Document Version History
        1. Solution overview
        2. Introduction
        3. Configure version history
        4. Manage the creation of major and minor versions
        5. Manage document versions
        6. Compare document versions
        7. Solution summary
      13. 4-12: Implement Content Approval
        1. Solution overview
        2. Introduction
        3. Configure content approval
        4. Understand the interaction of content approval, versioning, and checkout
        5. Solution summary
      14. 4-13: Implement a Three-State Workflow
        1. Solution overview
        2. Introduction
        3. Configure the choice field for the state
        4. Configure the three-state workflow
        5. Launch and manage workflows
        6. Solution summary
      15. 4-14: Organize and Manage Documents with Folders and Views
        1. Solution overview
        2. Introduction
        3. Use folders to scope document management
        4. Use views to scope the presentation and management of documents
        5. Solution summary
      16. 4-15: Configure WSS Indexing of PDF Files
        1. Solution overview
        2. Introduction
        3. Disable search within a library
        4. Enable indexing of PDFs
          1. Install the PDF iFilter
          2. Rebuild the index
        5. Assign an icon to unrecognized file types
        6. Solution summary
      17. 4-16: Work with SharePoint Files Offline
        1. Solution overview
        2. Introduction
        3. Download a copy of a file
        4. Provide offline access to files using the local cache
        5. Use Outlook 2007 to take libraries and lists offline
        6. Other options for offline use of SharePoint document libraries
        7. Solution summary
    7. 5. Solution Collection 5: Active Directory Delegation and Administrative Lock Down
      1. Scenarios, Pain, and Solution
      2. 5-1: Explore the Components and Tools of Active Directory Delegation
        1. Solution overview
        2. Introduction
        3. Use Active Directory object ACLs and ACL editor interfaces
        4. Manage access control entries on Active Directory objects
        5. Adhere to the golden rules of delegation
          1. Configure permissions on OUs, not on individual objects
          2. Assign permissions to groups, not users
          3. Manage delegation with Allow permissions and inheritance
          4. Document your delegation
        6. Apply permissions with a friend: The Delegation Of Control Wizard
        7. Manage the presentation of your delegation
        8. Solution summary
      3. 5-2: Customize the Delegation Of Control Wizard
        1. Solution overview
        2. Introduction
        3. Locate and understand Delegwiz.inf
        4. Customize Delegwiz.inf
        5. Use Microsoft's super-duper Delegwiz.inf
        6. Solution summary
      4. 5-3: Customize the Permissions Listed in the ACL Editor Interfaces
        1. Solution overview
        2. Introduction
        3. Recognize that some permissions are hidden
        4. Modify Dssec.dat
        5. Ensure the visibility of permissions that you are delegating
        6. Solution summary
      5. 5-4: Evaluate, Report, and Revoke Active Directory Permissions
        1. Solution overview
        2. Introduction
        3. Use Dsacls to report Active Directory permissions
        4. Use ACLDiag to report Active Directory permissions
        5. Use ADFind to report Active Directory permissions
        6. Use DSRevoke to report Active Directory permissions
        7. Evaluate permissions assigned to a specific user or group
        8. Revoke Active Directory permissions with DSRevoke
        9. Revoke Active Directory permissions with Dsacls
        10. Reset permissions to Schema defaults
        11. Solution summary
      6. 5-5: Assign and Revoke Permissions with Dsacls
        1. Solution overview
        2. Introduction
        3. Identify the basic syntax of Dsacls
        4. Delegate permissions to manage computer objects
        5. Grant permissions to manage other common object classes
        6. Use Dsacls to delegate other common tasks
          1. Unlock user accounts
          2. Force users to change passwords at the next logon
          3. Reset user passwords
          4. Disable user accounts
          5. Change the logon names for a user account
          6. Change user properties
          7. Delegate with property sets
          8. Manage group membership
          9. Join computers to the domain
          10. Prestage a computer account
          11. Disable and enable computer accounts
          12. Rename computers
          13. Reset computer accounts
          14. Manage group properties
          15. Link GPOs to an OU
          16. Run resultant set of policy reports
          17. Delegate the ability to move objects
          18. Delegate the ability to delegate
          19. Tightly control the delegation of OUs
        7. Solution summary
      7. 5-6: Define Your Administrative Model
        1. Solution overview
        2. Introduction
        3. Define the tasks that are performed
        4. Define the distinct scopes of each task
        5. Bundle tasks within a scope
        6. Identify the roles that currently perform task bundles
        7. Solution summary
      8. 5-7: Role-Based Management of Active Directory Delegation
        1. Solution overview
        2. Introduction
        3. Identify the pain points of an unmanaged delegation model
        4. Create capability management groups to manage delegation
        5. Assign permissions to capability management groups
        6. Delegate control by adding roles to capability management groups
        7. Create granular capability management groups
        8. Report permissions in a role-based delegation
          1. Use Delegation_Report.hta
        9. Solution summary
      9. 5-8: Scripting the Delegation of Active Directory
        1. Solution overview
        2. Introduction
        3. Recognize the need for scripted delegation
        4. Script delegation with Dsacls
        5. Solution summary
      10. 5-9: Delegating Administration and Support of Computers
        1. Solution overview
        2. Introduction
        3. Define scopes of computers
        4. Create capability management groups to represent administrative scopes
        5. Implement the delegation of local administration
        6. Manage the scope of delegation
        7. Get the Domain Admins group out of the local Administrators groups
        8. Solution summary
      11. 5-10: Empty as Many of the Built-in Groups as Possible
        1. Solution overview
        2. Introduction
        3. Delegate control to custom groups
        4. Identify protected groups
        5. Don't bother trying to un-delegate the built-in groups
        6. Solution summary
    8. 6. Solution Collection 6: Improving the Management and Administration of Computers
      1. Scenarios, Pain, and Solution
      2. 6-1: Implement Best Practices for Managing Computers in Active Directory
        1. Solution overview
        2. Introduction
        3. Establish naming standards for computers
        4. Identify requirements for joining a computer to the domain
        5. Design Active Directory to delegate the management of computer objects
        6. Delegate permissions to create computers in the domain
        7. Create a computer object in Active Directory
        8. Delegate permissions to join computers using existing computer objects
        9. Join a computer to the domain
        10. Ensure correct logon after joining the domain
        11. Solution summary
      3. 6-2: Control the Addition of Unmanaged Computers to the Domain
        1. Solution overview
        2. Introduction
        3. Configure the default computer container
          1. Restrict the quota that allows any user to join computers to the domain
        4. Solution summary
      4. 6-3: Provision Computers
        1. Solution overview
        2. Introduction
        3. Use Computer_JoinDomain.hta
        4. Provision computer accounts with Computer_JoinDomain.hta
        5. Create an account and join the domain with Computer_JoinDomain.hta
        6. Understand Computer_JoinDomain.hta
        7. Distribute Computer_JoinDomain.hta
        8. Solution summary
      5. 6-4: Manage Computer Roles and Capabilities
        1. Solution overview
        2. Introduction
        3. Automate the management of desktop and laptop groups
          1. Determine how to identify desktops and laptops
          2. Decide how to monitor Active Directory for the addition of new computer objects
          3. Update the membership of the Desktops and Laptops groups
          4. Customize and use Computer_DesktopsLaptops.vbs
        4. Deploy software with computer groups
        5. Identify and manage other computer roles and capabilities
        6. Solution summary
      6. 6-5: Reset and Reassign Computers
        1. Solution overview
        2. Introduction
        3. Rejoin a domain without destroying a computer's group memberships
        4. Replace a computer correctly by resetting and renaming the computer object
          1. Use Computer_Rename.hta
        5. Replace a computer by copying group memberships and attributes
        6. Solution summary
      7. 6-6: Establish the Relationship Between Users and Their Computers with Built-in Properties
        1. Solution overview
        2. Introduction
        3. Use the managedBy attribute to track asset assignment of a computer to a single user or group
        4. Use the manager attribute to track asset assignment of computers to a user
        5. Solution summary
      8. 6-7: Track Computer-to-User Assignments by Extending the Schema
        1. Solution overview
        2. Introduction
        3. Understand the impact of extending the schema
        4. Plan the ComputerAssignedTo attribute and ComputerInfo object class
        5. Obtain an OID
        6. Register the Active Directory schema snap-in
        7. Make sure you have permission to change the schema
        8. Connect to the schema master
        9. Create the ComputerAssignedTo attribute
        10. Create the ComputerInfo object class
        11. Associate the ComputerInfo object class with the Computer object class
        12. Give the ComputerAssignedTo attribute a friendly display name
        13. Allow the changes to replicate
        14. Delegate permission to modify the attribute
        15. Integrate the Computer_AssignTo.hta tool with Active Directory Users and Computers
        16. Customize Computer_AssignTo.hta
        17. Create a task for computer assignment
          1. Add computer assignments to the context menu
        18. Add other attributes to computer objects
        19. Solution summary
      9. 6-8: Establish Self-Reporting of Computer Information
        1. Solution overview
        2. Introduction
        3. Determine the information you wish you had
        4. Decide where you want the information to appear
        5. Report computer information with Computer_InfoToDescription.vbs
        6. Understand Computer_InfoToDescription.vbs
        7. Expose the report attributes in the Active Directory Users and Computers snap-in
        8. Delegate permissions for computer information reporting
        9. Automate computer information reporting with startup and logon scripts or scheduled tasks
        10. Take it to the next level
        11. Solution summary
      10. 6-9: Integrate Computer Support Tools into Active Directory Users and Computers
        1. Solution overview
        2. Introduction
        3. Add a "Connect with Remote Desktop" command
        4. Add an "Open Command Prompt" command
        5. Execute any command remotely on any system
        6. Use Remote_Command.hta to create specific command tasks for remote administration
        7. Solution summary
    9. 7. Solution Collection 7: Extending User Attributes and Management Tools
      1. Scenarios, Pain, and Solution
      2. 7-1: Best Practices for User Names
        1. Solution overview
        2. Introduction
        3. Establish best practice standards for user object name attributes
          1. Do not configure common name (cn) attributes as LastName, FirstName
          2. Add the Last Name column to your view to sort and find by last name
          3. Add the Last Name column to views of saved queries
          4. Change Display Name to LastName, FirstName
          5. Alternately use LastName FirstName as a common name without a comma
          6. Clean up sins of the past
        4. Implement manageable user logon names
          1. Assign unique and memorable user principal names
          2. Assign pre–Windows 2000 logon names that are manageable
          3. Use User_Rename.vbs to rename user objects
        5. Prepare to add the second "John Doe" to your Active Directory
        6. Solution summary
      3. 7-2: Using Saved Queries to Administer Active Directory Objects
        1. Solution overview
        2. Introduction
        3. Create a custom console that shows all domain users
        4. Control the scope of a saved query
        5. Build saved queries that target specific objects
        6. Understand LDAP query syntax
        7. Identify some useful LDAP queries
        8. Transfer saved queries between consoles and administrators
        9. Leverage saved queries for most types of administration
        10. Solution summary
      4. 7-3: Create MMC Consoles for Down-Level Administrators
        1. Solution overview
        2. Introduction
        3. Create a console with saved queries
        4. Create a taskpad with tasks for each delegated ability
        5. Add productive tools and scripts to the taskpads
        6. Add procedures and documentation to the console
        7. Create an administrative home page within the console
        8. Add each taskpad to the MMC favorites
        9. Create navigation tasks
        10. Save the console in User mode
        11. Lock down the console view
        12. Distribute the console
        13. Solution summary
      5. 7-4: Extending the Attributes of User Objects
        1. Solution overview
        2. Introduction
        3. Leverage unused and unexposed attributes of user objects
          1. Discover unused attributes
          2. Evaluate unused attributes
        4. Extend the schema with custom attributes and object classes
          1. Create an attribute that exposes the computers assigned to a user
        5. Create an attribute that exposes the computer to which a user is logged on
        6. Create an attribute that supports users' software requests
        7. Solution summary
      6. 7-5: Creating Administrative Tools to Manage Unused and Custom Attributes
        1. Solution overview
        2. Introduction
        3. Display and edit the value of an unexposed attribute
          1. Latch on to an object
          2. Display an attribute of an object
          3. Make a script more flexible using variables
          4. Enable a script to use arguments
          5. Handle errors
          6. Edit an unexposed or custom attribute
          7. Save the new value
        4. Use the Object_Attribute.vbs script to display or edit any single-valued attribute
        5. Use Object_Attribute.hta to view or edit single-valued or multivalued attributes
        6. Solution summary
      7. 7-6: Moving Users and Other Objects
        1. Solution overview
        2. Introduction
        3. Understand the permissions required to move an object in Active Directory
        4. Recognize the denial-of-service exposure
        5. Carefully restrict the delegation to move (delete) objects
        6. Delegate highly sensitive tasks such as object deletion to tertiary administrative credentials
        7. Proxy the task of moving objects
        8. Solution summary
      8. 7-7: Provisioning the Creation of Users
        1. Solution overview
        2. Introduction
        3. Examine a user-provisioning script
          1. Structure the script in subroutines and functions
          2. Declare important configuration variables in the global scope
          3. Identify arguments passed to the script
          4. Apply business logic to derive additional attributes
          5. Validate the attributes prior to making changes
          6. Execute the task
          7. Provision object creation and management
        4. Create graphical provisioning tools
        5. Solution summary
    10. 8. Solution Collection 8: Reimagining the Administration of Groups and Membership
      1. Scenarios, Pain, and Solution
      2. 8-1: Best Practices for Creating Group Objects
        1. Solution overview
        2. Introduction
        3. Create groups that document their purpose
          1. Establish and adhere to a strict naming convention
          2. Summarize the purpose of the group in its description
          3. Detail the purpose of the group in its notes
          4. Protect groups from accidental deletion
        4. Consider the group type: security vs. distribution
          1. Remember group membership limitations
          2. Convert security groups to distribution groups
          3. Reduce token and PAC size
        5. Consider group scope: global, domain local, and universal
        6. Solution summary
      3. 8-2: Delegate Management of Group Membership
        1. Solution overview
        2. Introduction
        3. Examine the member and memberOf attributes
        4. Delegate permission to write the member attribute
          1. Create a capability management group
          2. Delegate using the Advanced Security Settings dialog box
          3. Delegate using the Dsacls command
          4. Delegate membership management for individual groups
          5. Delegate individual group management with the Managed By tab
          6. Bridge the tool gap
        5. Solution summary
      4. 8-3: Create Subscription Groups
        1. Solution overview
        2. Introduction
        3. Examine scenarios suited to the use of subscription groups
        4. Delegate the Add/Remove Self As Member validated write
        5. Provide tools with which to subscribe or unsubscribe
        6. Solution summary
      5. 8-4: Create an HTA for Subscription Groups
        1. Solution overview
        2. Introduction
        3. Use Group_Subscription.hta
        4. Understand Group_Subscription.hta
        5. Take away lessons in the value of group standards
        6. Solution summary
      6. 8-5: Create Shadow Groups
        1. Solution overview
        2. Introduction
        3. Shadow groups and fine-grained password and account lockout policies
        4. Understand the elements of a shadow group framework
        5. Define the group membership query
        6. Define the base scopes of the query
        7. Develop a script to manage the group's member attribute based on the query, while minimizing the impact on replication
          1. Examine the Group_Shadow.vbs script
        8. Execute the script on a regular interval
        9. Trigger the script based on changes to an OU
        10. Solution summary
      7. 8-6: Provide Friendly Tools for Group Management
        1. Solution overview
        2. Introduction
        3. Enumerate memberOf and member
        4. Report direct, indirect, and primary group memberships
        5. List a user's membership by group type
        6. Display all members of a group
        7. Add or remove group members with Group_ChangeMember.hta
        8. Give users control over the groups they manage
        9. Identify notes and next steps for group management tools
        10. Solution summary
      8. 8-7: Proxy Administrative Tasks to Enforce Rules and Logging
        1. Solution overview
        2. Introduction
        3. Understand proxying
          1. Identify the security concerns
        4. Explore the components of the Proxy Framework
          1. Understand the model of the Proxy Framework
          2. Create Active Directory objects required to support the Proxy Framework
          3. Create the shared folders required by the Proxy Framework
          4. Create scripts that perform tasks
          5. Add the Access database
          6. Establish the proxy service
          7. Submit task request files with custom administrative tools
          8. Implement business logic and rules
        5. Imagine what proxying can do for you
        6. Delegate group management to users with increased confidence and security
    11. 9. Solution Collection 9: Improving the Deployment and Management of Applications and Configuration
      1. Scenarios, Pain, and Solution
      2. 9-1: Providing Software Distribution Points
        1. Solution overview
        2. Introduction
        3. Rationalize your software folder namespace
        4. Manage access to software distribution folders
        5. Share the Software folder, and abstract its location with a DFS namespace
        6. Replicate software distribution folders to remote sites and branch offices
        7. Create a place for your own tools and scripts
        8. Solution summary
      3. 9-2: New Approaches to Software Packaging
        1. Solution overview
        2. Introduction
        3. Determine how to automate the installation of an application
        4. Identify the success codes produced by application installation
        5. Use Software_Setup.vbs to install almost any application
        6. Separate the configuration from the application installation
        7. Install the current version of an application
        8. Solution summary
      4. 9-3: Software Management with Group Policy
        1. Solution overview
        2. Introduction
        3. Prepare an application for deployment with GPSI
        4. Configure a GPO to deploy an application
        5. Scope the deployment of an application using application groups
        6. Filter the software deployment GPO with the application group
        7. Link the GPO as high as necessary to support its scope
        8. When to use GPSI
        9. GPSI and Microsoft Office 2007
        10. Take it to the next level
        11. Solution summary
      5. 9-4: Deploy Files and Configuration Using Group Policy Preferences
        1. Solution overview
        2. Introduction
        3. Deploy files with Group Policy Files preferences
        4. Push registry changes using Registry preferences
          1. Add a registry value
          2. Delete a registry value and optimize logon time
        5. Solution summary
      6. 9-5: A Build-It-Yourself Software Management Infrastructure
        1. Solution overview
        2. Introduction
        3. Identify the challenges of deploying applications such as Microsoft Office 2007
        4. Prepare a software distribution folder for Microsoft Office 2007
        5. Create a setup customization file
        6. Launch an unattended installation of Office 2007
        7. Identify the requirements for a build-it-yourself software management framework
        8. Customize Software_Deploy.vbs to enable application deployment
          1. Execute a command
          2. Interpret the results of the command
          3. Log the results to a central database
          4. Enable debug mode
          5. Implement Software_Deploy.vbs as a startup script
        9. Manage change using group membership
          1. Scope a Group Policy object to apply to a security group
          2. Implement fine-grained control over change
          3. Link the GPO
        10. Deploy an application using a scheduled task
        11. Give users control over the timing of installation
          1. Enable users to add their computer to the staging group
          2. Deploy an application using a scheduled task
        12. Solution summary
      7. 9-6: Automate Actions with SendKeys
        1. Solution overview
        2. Introduction
        3. Use SendKeys to automate an action sequence
        4. Understand and customize Config_QuickLaunch_Toggle.vbs
        5. Set the default folder view to Details for all folders
        6. Automate with AutoIt
        7. Solution summary
    12. 10. Solution Collection 10: Implementing Change, Configuration, and Policies
      1. Scenarios, Pain, and Solution
      2. 10-1: Create a Change Control Workflow
        1. Solution overview
        2. Introduction
        3. Identify the need for change
        4. Translate the change to Group Policy settings
        5. Test the change in a lab environment
        6. Communicate the change to users
        7. Test the change in the production environment
        8. Migrate users and computers in the production environment to the scope of the change
        9. Implement more GPOs with fewer settings
        10. Establish a GPO naming convention
        11. Ensure a new GPO is not being applied while you are configuring its settings
        12. Back up a GPO prior to and after changing it
        13. Document the settings and the GPO
        14. Carefully implement the scope of a GPO
        15. Establish a change management workflow with service levels
        16. Understand the behavior of client-side Group Policy application
          1. GPOs are not downloaded unless they have been changed
          2. GPOs are not reapplied unless they have been changed
          3. GPOs apply even if a system is disconnected from the network
          4. Background refresh does not fully implement all policy changes
        17. Solution summary
      3. 10-2: Extend Role-Based Management to the Management of Change and Configuration
        1. Solution overview
        2. Introduction
        3. Scope GPOs to security groups
          1. Create a security group with which to filter the GPO
          2. Scope a GPO to apply only to a specific security group
          3. Scope a GPO to exempt a specific security group
        4. Manage exemptions from an entire GPO
        5. Manage exemptions from some settings of a GPO
        6. Link group-filtered GPOs high in the structure
        7. Maximize group management techniques to control GPO scoping
          1. Avoid using Block Inheritance to exempt objects from the scope of GPOs
        8. Solution summary
      4. 10-3: Implement Your Organization's Password and Account Lockout Policies
        1. Solution overview
        2. Introduction
        3. Determine the password policies that are appropriate for your organization
          1. Password policy: Longer passwords are a must
          2. Lockout policies expose a denial-of-service possibility
          3. Kerberos policy settings should be modified only with a deep understanding of Kerberos authentication
        4. Customize the default GPOs to align with your enterprise policies
        5. Implement your password, lockout, and Kerberos policies
        6. Implement fine-grained password policies to protect sensitive and privileged accounts
          1. Create Password Settings objects for each exception policy
          2. Scope each PSO to the groups or users to whom the policies should apply
        7. Understand PSO precedence
          1. Use a unique precedence value for each PSO
          2. View resultant PSO for a user or group
          3. Delegate the management of password policy application
          4. Make it all so much easier
        8. Solution summary
      5. 10-4: Implement Your Authentication and Active Directory Auditing Policies
        1. Solution overview
        2. Introduction
        3. Implement your auditing policies by modifying the Default Domain Controllers Policy GPO
        4. Consider auditing failure events
        5. Align auditing policies, corporate policies, and reality
        6. Audit changes to Active Directory objects
        7. View audit events in the Security log
        8. Leverage Directory Service Changes auditing
          1. Audit changes to the membership of Domain Admins
        9. Solution summary
      6. 10-5: Enforce Corporate Policies with Group Policy
        1. Solution overview
        2. Introduction
        3. Translate corporate policies to security and nonsecurity settings
        4. Create GPOs to configure settings derived from corporate policies
        5. Scope GPOs to the domain
        6. Enforce corporate security and configuration policies
        7. Proactively manage exemptions
        8. Provide a managed migration path to policy implementation
        9. Determine whether you need more than one GPO for corporate policy implementation
        10. Solution summary
      7. 10-6: Create a Delegated Group Policy Management Hierarchy
        1. Solution overview
        2. Introduction
        3. Delegate permissions to link existing GPOs to an OU
        4. Delegate the ability to manage an existing GPO
        5. Delegate permission to create GPOs
          1. Provide a baseline GPO for new GPOs
        6. Understand the business and technical concerns of Group Policy delegation
        7. Solution summary
      8. 10-7: Testing, Piloting, Validating, and Migrating Policy Settings
        1. Solution overview
        2. Introduction
        3. Create an effective scope of management for a pilot test
        4. Prepare for and model the effects of the pilot test
        5. Create a rollback mechanism
        6. Implement the pilot test
        7. Migrate objects to the scope of the new GPO
        8. Solution summary
      9. 10-8: No-Brainer Group Policy Tips
        1. Solution overview
        2. Introduction
        3. Deploy registry changes with templates or registry preferences
        4. Use loopback policy processing in merge mode
        5. Run GPUpdate on a remote system to push changes
        6. Delegate permissions to perform RSoP reporting
        7. Scope network-related settings using sites or shadow groups
        8. Avoid WMI filters and targeting when possible: Use shadow groups instead
        9. No-brainer Group Policy settings
    13. Index

Product information

  • Title: Windows® Administration Resource Kit: Productivity Solutions for IT Professionals
  • Author(s):
  • Release date: February 2008
  • Publisher(s): Microsoft Press
  • ISBN: 9780735624313