Posts Tagged ‘Server 2003’

Post-setup configuration

Posted: September 19, 2010 in Active Directory, Exchange Server, Server 2003, Server 2008, System Information
Tags: , , , ,
0


When the installations of both the internal Exchange organization and the Edge Transport

Server are finished, the “post setup” configuration can be started. As in Exchange Server 2007,

there are a couple of additions and changes in the configuration that have to be made to the

Exchange Server 2010 instance before mail can be sent or received from the Internet.

• Enter an Exchange Server 2010 license key.

• Enter accepted domains and setup email address policies.

• Configure a Send Connector to send e-mail to the Internet.

• Configure the Hub Transport Server to accept anonymous SMTP if an Edge Transport

Server is not used.

• Add a Certificate to the Client Access Server role.

• Configure the Client Access Server role.

Installing the Edge Transport Server role

Posted: July 20, 2010 in Active Directory, Exchange Server, Server 2003, Server 2008, System Information
Tags: , , ,
0


When all the prerequisite software for the Exchange Server 2010 Edge Transport Server role is

installed, you can move on to the Exchange server itself

1. Logon to the server with local administrator credentials, go to the installation media and

start the setup.exe installation program

2. Once all prerequisite software is installed correctly, the first two options are grayed out

and you can directly select “Install Exchange Server 2010”

3. On the Introduction Page click Next

4. Accept the License Agreement and click Next

5. Select whether or not you want to participate in the Error Reporting Feature and click

Next

6. On the Installation Type page select “Custom Installation” and click Next. If needed you

can select another directory where the Exchange software is installed

7. On the Server Role Selection page select the Edge Transport Server role. Notice that

when you select this role the other roles (Mailbox, Client Access & others) are grayed out

immediately. Click Next to continue.

8. The setup program will now perform a readiness to check to see if your server is capable

of running the Edge Transport Server role. When successfully completed click Install to

continue.

9. The Exchange binaries will now be copied to the local disk, the Management Tools will

be installed and the Edge Transport Server will be installed. This can take quite some

time to finish.

10. When finished you can continue configuring the Edge Transport Server using the

Exchange Management Console.

The Edge Transport Server is now installed, but not yet configured. It is possible to configure

everything, like the Accepted Domains, Send Connectors etc., manually using the Exchange

Management Console. An easier way is to use a synchronization process which synchronizes

information from the Hub Transport Server within the company’s Active Directory and

Exchange organization to the Edge Transport Server in the DMZ. This process is called the

Edge Transport Synchronization, or Edge sync.

Default Mailbox Management Configuration

Posted: June 9, 2010 in Exchange Server, Server 2003, System Information
Tags: ,
1

During setup Exchange features are easily configured through the use of the Configure Email and Internet Connection Wizard. The wizard configures the following settings by default.

  • Deleted Items RetentionSet to 30 days. Changes can be made as well by running the Backup Configuration Wizard. Here you can change the value or turn the value on or off.
  • Circular LoggingEnabled to save drive space. It is recommended that you use this configuration only if a backup solution has not been selected. Circular logging is disabled after the Backup Configuration Wizard has been run.
  • Idle User SessionsThe timeout interval is set to 10 minutes.
  • SMTP ConnectorThe connector is created and configured with any send/receive options you select for Internet email.
  • Default Recipient PolicyThe default policy is created and set to your domain name. It also applies the policy to all for SMTP email addresses.
  • The Microsoft Connector for POP3 MailboxesThe connector is installed. Through the CEICW or the POP3 Connector manager you can define POP3 mailboxes that are to be downloaded to Exchange mailboxes.
  • Maximum Number of Concurrent ConnectionsFor Message Delivery the maximum number of concurrent connections is set to 500.
  • Outbound ConnectionsLimited to 10.
  • Email Attachment TypesAttachment filtering can be utilized.
  • Mail ClientsClients assigned an address within the specified local IP range are allowed to relay mail through the SMTP virtual server.

In addition to these settings, you should also be aware of the mailbox management process in Exchange and what it does for your mail server. By default, the mailbox management process is set to Never Run. However, the mailbox management process can perform some important tasks and should be enabled on the SBS server.

One of the most important tasks handled by the mailbox management process is the online defrag of the mail databases. Through the course of normal operation, mail data is added and removed from the mail database, and over time a large amount of unused space becomes scattered across the database. The online defrag process rearranges the storage within the database so that all the empty database records are moved to the end of the database file. You can also start the mailbox management process manually by right-clicking on the server object in Exchange System Manager and selecting Start Mailbox Management Process.

Types of Recovery from System Failures in Server 2003

Posted: May 23, 2010 in Active Directory, Server, Server 2003, System Information
Tags: ,
0

Here are some of the new features:

  • Automated System Recovery (ASR). This feature simplifies the restoration of the operating system partition.
  • Goodbye, Emergency Repair Disk. There is no more ERD in Windows Server 2003. The only repair options are the Recovery Console or ASR.
  • Emergency Management Services (EMS). If a server cannot be reached via the network, EMS provides an out-of-band connection to the server via a serial port.
  • Online Crash Analysis. The kernel-mode debugging utilities in Windows Server 2003 can now run on the same machine as the operating system they are monitoring. This permits running a variety of debugging chores at the console.
  • Volume Shadow. Locked files create problems for backup programs. Users get irate when you tell them that you can’t restore a file because it was locked during the backup while they were working from home. The Volume Shadow service takes a snapshot of a locked file so that the backup program can save the snapshot.
  • System Restore. This feature, only present on XP, periodically takes snapshots of the system configuration that you can use as checkpoints for rolling back the system to a previous configuration.
  • Online event tracking. If an application fails or otherwise causes a system error, the system collects information about the failure and sends that information to Microsoft, where it is compiled and analyzed for trends.
  • Shutdown Event Tracker. This “feature,” if you want to call it that, requires that you specify a reason each time you shut down a system. This reason is put in the Event log. If the system crashes, you must specify a reason when the system restarts.

How to View Personal Certificates via the Certificates Snap-In

Posted: May 23, 2010 in Active Directory, Server, Server 2003, Server 2008, System Information
Tags: , ,
0
  1. Open an empty MMC console using START | RUN | MMC.
  2. From the console menu, select CONSOLE | ADD/REMOVE SNAP-IN. The Add/Remove Snap-in window opens.
  3. Click Add. The Add Standalone Snap-in window opens.
  4. Double-click Certificates to load the snap-in. If you are logged on with an account that does not have administrator privileges, the only option is to load the your own personal certificates. Otherwise, you get additional choices of computer and service certificates.
  5. With the snap-in loaded, save the console with a descriptive name, such as Cert.msc. You may want to save it in \WINNT\System32 along with the rest of the console files so that another administrator can use it. The console does not point at your specific certificate. It loads the certificates of the user who launches the console.
  6. Expand the tree to CertificatesCurrent User | Personal | Certificates. Certificates issued to you are listed in the right pane. The Intended Purposes column lists the certificate’s function. If you have ever encrypted a file, you will have at least one EFS certificate. The domain Administrator account will have two certificates, one for EFS and one for File Recovery (FR).
  7. Double-click a certificate to view the contents.

You can use the Certificates snap-in to obtain new certificates. This is not generally necessary for EFS certificates because the EFS service obtains the certificate automatically when you encrypt a file. If you want to designate more Data Recovery Agents, though, you’ll need to obtain File Recovery (FR) certificates for them. You can request them using the Certificates snap-in.

EFS only issues one self-signed FR certificate. In a domain, it is issued to the domain Administrator account. For a local machine, it is issued to the first user who logs on to the machine following Setup. You’ll need a Certification Authority (CA) to issue any further FR certificates.

Types of File Encryption in Server 2003

Posted: May 23, 2010 in Security, Server, Server 2003, System Information
Tags: , ,
0


If you have evaluated EFS in Windows 2000 and found critical features missing, it’s worth taking a second look at EFS in Windows Server 2003 and XP. The changes include the following:

  • New and more cryptographically robust encryption methods. You can now choose between DESX encryption (used by Windows 2000) and 3DES (Triple-DES), an algorithm that complies with government standards for handling of non-classified documents.
  • Offline file encryption. This feature is one of the most significant improvements in Windows Server 2003 and XP. It enables users to use a highly convenient feature, offline file storage, while retaining the ability to protect their files with encryption.
  • Encrypted file transfer over WebDAV. The Web-based Distributed Authorizing and Versioning redirector uses HTTP rather than SMB. Encrypted files are transferred in their encrypted state rather than being decrypted prior to transport as happens with SMB. Also, servers can store encrypted files using WebDAV without compromising security with Kerberos delegations.
  • More flexible group policy control. EFS can now be disabled throughout a domain with a single click of the mouse in a group policy. This contrasts with Windows 2000, which requires removing and re-importing X.509 certificates to control encryption.
  • Shared encrypted files. Users with encrypted files can assign access to other users. This enhances the use of EFS in a workgroup. Only individual users can be given access, not groups. Additional users can only be selected by users who already have access.
  • Copy warnings. Explorer now warns users when they attempt to copy or move encrypted files to an unprotected location such as a Zip drive, floppy drive, or FAT partition. New switches in COPY and XCOPY permit overriding these protections, if necessary.
  • Visual cues. The Explorer shell now shows the names of encrypted files and folders in a different color, similar to the way compressed files are displayed in Windows 2000.
  • Improved command-line administration. The CIPHER command-line utility has been updated with several new features, including the ability to generate file recovery certificates, the ability to search for encrypted files on a volume, the ability to refresh certificates for all encrypted files on a volume, and the ability to wipe all unused disk space to remove temporary files. (The wipe feature was released in Windows 2000 SP3.)
  • Security improvements. Although not strictly an EFS improvement, the handling of the crypto Master key has been changed so that it is not updated when a local user password is changed by anyone other than the user. This eliminates a serious deficiency for standalone laptops and desktops. Now a hacker cannot use utilities to change a user’s password (or the Administrator password) on a standalone machine to gain access to encrypted files.

Not every change is a welcome one, however. In Windows 2000, files cannot be encrypted without the certificate of a Data Recovery Agent (DRA). This ensures that a user cannot encrypt files and then quit the company and leave you without a means of recovering the files. In Windows Server 2003 and XP, it is possible to encrypt files without a DRA. This “feature” has potentially serious consequences because users could encrypt their files and then lose the private key, thereby losing access to the files permanently.

Registry Keys Intended for Power Management

Posted: May 22, 2010 in Registry, Server 2003, Server 2008, System Information, Vista, Windows 7, Windows XP
Tags: , , , ,
2

In this section, we’ll discuss the registry keys that are used for power management. You may edit any of them using one of the registry editors.

Note Changing registry entries responsible for power management won’t have an immediate effect. Windows only reads settings from the registry when you log on, when you click OK in Control Panel, or when a Powerprof.dll function is called on to read the registry.

The registry keys used for power management are listed below.

  • HKCU\AppEvents\EventLabels\LowBatteryAlarm – descriptive name of a low battery-power-alarm event
  • HKCU\AppEvents\EventLabels\CriticalBatteryAlarm – descriptive name of a critical battery-power-alarm event
  • HKCU\AppEvents\Schemes\Apps\PowerCfg\LowBatteryAlarm\.Current, HKCU\AppEvents\Schemes\Apps\PowerCfg\LowBatteryAlarm\.Default, HKCU\AppEvents\Schemes\Apps\PowerCfg\CriticalBatteryAlarm\.Current, HKCU\AppEvents\Schemes\Apps\PowerCfg\CriticalBatteryAlarm\.Default – filenames of the WAV files that will play as a low and critical power-alarm events
  • HKCU\Control Panel\PowerCfg\CurrentPowerPolicy – index of current user and machine power policy
  • HKCU\Control Panel\PowerCfg\GlobalPowerPolicy\Policies – the user global power policy (binary encoded data)
  • HKCU\Control Panel\PowerCfg\PowerPolicies\n\Name – name of power scheme n, where n = 0, 1, 2, etc.
  • HKCU\Control Panel\PowerCfg\PowerPolicies\n\Description – descriptive string for power scheme n, where n = 0, 1, 2, etc.
  • HKCU\Control Panel\PowerCfg\PowerPolicies\n\Policies – user power policy n, where n = 0, 1, 2, etc. (binary encoded data)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\LastID – index of the last power policy in the lists of user and machine power policies (for example, if there are six user power policies and six machine power policies in the registry, the value of this key is 5)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\DiskSpinDownMax – the maximum disk spin-down time that Control Panel will allow the user to set
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\DiskSpinDownMin – the minimum disk spin-down time that Control Panel will allow the user to set
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\GlobalPowerPolicy\Policies – the machine global power policy (binary encoded data)
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg\PowerPolicies\n\Policies – machine power policy n, where n = 0, 1, 2, etc. (binary encoded data)

Power Schemes Configuration in Registry

Posted: May 22, 2010 in Registry, Server 2003, System Information, Windows 7, Windows XP
Tags: , , , , ,
0


Power management configuration in Windows 2000, Windows XP, and Windows Server 2003 is based on the concept of power schemes. A power scheme is a group of preset power options that are passed to the Power Policy Manager component of the operating system to control the machine’s power-management behavior.

Each power scheme consists of a global power-policy structure and a power-policy structure.

  • Global power-policy structures contain preset power options that are global across all power schemes.
  • Non-global power-policy structures contain power options that are unique to a particular power scheme.

These power-policy structures are further divided into machine structures and user structures.

  • Values in machine structures are stored in the HKEY_LOCAL_MACHINE registry key, and none of these values are exposed in the user interface. For example, you can’t set any of these values using the Power Options applet in the Control Panel.
  • Values in user structures are stored in the HKEY_CURRENT_USER registry key and some of these values are displayed in the user interface. Some of these parameters can be set using the Power Options applet in Control Panel.

The data structures defining power management policy are listed below:

  • GLOBAL_POWER_POLICY – used to manage global power policies. This structure contains the data common to all power schemes. This structure is a container for a GLOBAL_USER_POWER_POLICY structure and a GLOBAL_MACHINE_POWER_POLICY structure, which contains elements that are read from and written to the registry.
  • GLOBAL_MACHINE_POWER_POLICY – this structure is a part of the GLOBAL_POWER_POLICY structure. It contains the data common to all power schemes and users. The elements in this structure are read from and written to the HKLM key in the registry.
  • GLOBAL_USER_POWER_POLICY – this structure is a part of the GLOBAL_POWER_POLICY structure. It contains the data common to all power schemes for the user. The elements in this structure are read from and written to the HKCU key in the registry.
  • POWER_POLICY – used to manage non-global power policies. This structure contains the data unique for all power schemes. This structure is a container for the USER_POWER_POLICY and MACHINE_POWER_POLICY structures that contain the elements to be read from and written to the registry. There is one POWER_POLICY structure for each power scheme on a machine.
  • MACHINE_POWER_POLICY – this structure is a part of the POWER_POLICY structure. It contains the data unique to each power scheme, but common to all users. The elements in this structure are read from and written to the HKLM key in the registry.
  • USER_POWER_POLICY – this structure is a part of the POWER_POLICY structure. It contains the data unique to each user and power scheme. The elements in this structure are read from and written to the HKCU key in the registry.

Group Policy Management in Windows Server 2003

Posted: April 25, 2010 in Active Directory, Exchange Server, Server, Server 2003, System Information
Tags: , , ,
3


Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. Through group policies you can

  • Create centrally managed directories for special folders, such as My Documents. This is covered in the section of this chapter entitled “Centrally Managing Special Folders.”
  • Control access to Windows components, system resources, network resources, Control Panel utilities, the desktop, and the Start menu. This is covered in the section of this chapter entitled “Using Administrative Templates to Set Policies.”
  • Define user and computer scripts to run at specified times. This is covered in the section of this chapter entitled “User and Computer Script Management.”
  • Configure policies for account lockout and passwords, auditing, user rights assignment, and security. This is covered in Part II of this book, “Microsoft Windows Server 2003 Directory Service Administration.”

Understanding Group Policies

You can think of a group policy as a set of rules that helps you manage users and computers. You can apply group policies to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory directory service.

To understand group policies, you need to know a bit about the structure of Active Directory. In Active Directory, logical groupings of domains are called sites and subgroups within a domain are called organizational units. Thus, your network could have sites called NewYorkMain, CaliforniaMain, and WashingtonMain. Within the WashingtonMain site, you could have domains called SeattleEast, SeattleWest, SeattleNorth, and SeattleSouth. Within the SeattleEast domain, you could have organizational units called Information Services (IS), Engineering, and Sales.

Group policies apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. You set policies for Windows NT 4.0 systems with the System Policy Editor (Poledit.exe). For Windows 95 and Windows 98, you need to use the System Policy Editor provided with Windows 95 or Windows 98, respectively, and then copy the policy file to the Sysvol share on a domain controller.

Group Policy settings are stored in a Group Policy Object (GPO). One way to think of a GPO is as a container for the policies you apply and their settings. You can apply multiple GPOs to a single site, domain, or organizational unit. Because policy is described using objects, many object-oriented concepts apply. If you know a bit about object-oriented programming, you might expect the concepts of parent-child relationships and inheritance to apply to GPOs—and you’d be right.

Through inheritance, a policy applied to a parent container is inherited by a child container. Essentially, this means that a policy setting applied to a parent object is passed down to a child object. For example, if you apply a policy setting in a domain, the setting is inherited by organizational units within the domain. In this case, the GPO for the domain is the parent object and the GPOs for the organizational units are the child objects.

The order of inheritance is as follows:

Site –> Domain –> Organizational Unit

This means that the group policy settings for a site are passed down to the domains within that site and the settings for a domain are passed down to the organizational units within that domain.

As you might expect, you can override inheritance. To do this, you specifically assign a policy setting for a child container that contradicts the policy setting for the parent. As long as overriding of the policy is allowed (that is, overriding isn’t blocked), the child’s policy setting will be applied appropriately. To learn more about overriding and blocking GPOs, see the section of this chapter entitled “Blocking, Overriding, and Disabling Policies.”

In What Order Are Multiple Policies Applied?

When multiple policies are in place, policies are applied in the following order:

  1. Windows NT 4.0 policies (Ntconfig.pol)
  2. Local group policies
  3. Site group policies
  4. Domain group policies
  5. Organizational unit group policies
  6. Child organizational unit group policies

If there are conflicts among the policy settings, the policy settings applied later have precedence and overwrite previously set policy settings. For example, organizational unit policies have precedence over domain group policies. As you might expect, there are exceptions to the precedence rule. These exceptions are discussed later in the section of this chapter entitled “Blocking, Overriding, and Disabling Policies.”

When Are Group Policies Applied?

As you’ll discover when you start working with group policies, policy settings are divided into two broad categories:

  • Those that apply to computers
  • Those that apply to users

Although computer policies are normally applied during system startup, user policies are normally applied during logon. The exact sequence of events is often important in troubleshooting system behavior. The events that take place during startup and logon are as follows:

  1. The network starts and then Windows Server 2003 applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
  2. Windows Server 2003 runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next one starts. Script execution isn’t displayed to the user unless specified.
  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows Server 2003 loads the user profile.
  4. Windows Server 2003 applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
  5. Windows Server 2003 runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window as in Windows NT 4.0.
  6. Windows Server 2003 displays the start shell interface configured in Group Policy.

By default, Group Policy is refreshed only when a user logs off or a computer is restarted. You can change this behavior by setting a Group Policy refresh interval as discussed in the section of this chapter entitled “Refreshing Group Policy.” To do this, open a command prompt and type gpupdate.

Group Policy Requirements and Version Compatibility

Group policies were introduced with Windows 2000 and apply only to systems running Windows 2000, Windows XP Professional, and Windows Server 2003. As you might expect, each new version of the Windows operating system has brought with it changes to Group Policy. Sometimes these changes have made older policies obsolete on newer versions of Windows. In this case, the policy only works on a specific version of the Windows operating system, such as only on Windows 2000.

Generally speaking, however, most policies are forward compatible. This means that policies introduced in Windows 2000 can, in most cases, be used on Windows 2000, Windows XP Professional, and Windows Server 2003. It also means that in most cases Windows XP Professional policies aren’t applicable to Windows 2000, and that policies introduced in Windows Server 2003 aren’t applicable to Windows 2000 or Windows XP Professional.

If a policy isn’t applicable to a particular version of the Windows operating system, you can’t enforce the policy on computers running those versions of the Windows operating system.

How will you know if a policy is supported on a particular version of Windows? Easy. The properties dialog box for each policy has a Supported On field in the Setting tab. This text-only field lists the policy’s compatibility with various versions of the Windows operating system. If you select the policy with the Extended display in the Group Policy Object Editor, you’ll also see a Requirements entry that lists compatibility.

You can also install new policies when you add a service pack, install Windows applications, or add Windows components. This means that you’ll see a wide range of compatibility entries.

Managing Local Group Policies

Each computer running Windows Server 2003 has one local group policy. You manage local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.
  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
  3. In MMC, click File, and then click Add/Remove Snap-In. This opens the Add/ Remove Snap-In dialog box.
  4. In the Standalone tab, click Add.
  5. In the Add Standalone Snap-In dialog box, click Group Policy Object Editor, and then click Add. This starts the Group Policy Wizard.
  6. Under Group Policy Object, Local Computer should be selected by default. If you want to edit the local policy on your computer, simply click Finish. To find the local policy on another computer, click Browse. After you find the policy you want to work with, click OK and then click Finish.
  7. Click Close and then click OK. You can now manage the local policy on the selected computer. For details, see the section of this chapter entitled “Working with Group Policies.”

Local group policies are stored in the %SystemRoot%\System32\GroupPolicy folder on each Windows Server 2003 computer. In this folder you’ll find the following subfolders:

  • Adm

Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Warning: You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console. By default, these files and folders are hidden. If you want to view hidden files and folders in Windows Explorer, select Folder Options from the Tools menu, click the View tab, choose Show Hidden Files And Folders, clear Hide Protected Operating System Files, and then click OK.

Creating and Editing Site, Domain, and Organizational Unit Policies

You create and edit site, domain, and organizational unit policies by completing the following steps:

  1. For sites, you start the Group Policy snap-in from the Active Directory Sites And Services console. Open the Active Directory Sites And Services console.
  2. For domains and organizational units, you start the Group Policy snap-in from the Active Directory Users And Computers console. Open the Active Directory Users And Computers console.
  3. In the appropriate console root, right-click the site, domain, or organizational unit on which you want to create or manage a group policy. Then select Properties on the shortcut menu. This opens a properties dialog box.
  4. In the properties dialog box, select the Group Policy tab. existing policies are listed in the Group Policy Object Links list.
  5. To create a new policy, click New. You can now configure the policy as explained in the section of this chapter entitled “Working with Group Policies.”
  6. To edit an existing policy, select the policy and then click Edit. You can now edit the policy as explained in the section of this chapter entitled “Working with Group Policies.”
  7. To change the priority of a policy, select the policy that you want to work with and then use the Up or Down button to change its position in the Group Policy Object Links list.

Site, domain, and organizational unit group policies are stored in the %SystemRoot%\ Sysvol\Domain\Policies folder on domain controllers. In this folder you’ll find one subfolder for each policy you’ve defined on the domain controller. The policy folder names are the policy’s Global Unique Identifier (GUID). The GUIDs can be found on the policy’s properties page in the General tab in the summary frame. Within these individual policy folders, you’ll find the following subfolders:

  • Adm

Stores administrative template files currently being used. These files end with the .adm file extension. The Adm folder is only on domain controllers.

  • Machine

Stores computer scripts in the Script folder and registry-based policy information for HKEY_LOCAL_MACHINE (HKLM) in the Registry.pol file.

  • User

Stores user scripts in the Script folder and registry-based policy information for HKEY_CURRENT_USER (HKCU) in the Registry.pol file.

Blocking, Overriding, and Disabling Policies

You can block policy inheritance at the site, domain, and organizational unit level. This means that you could block policies that would otherwise be applied. At the site and domain level, you can also enforce policies that would otherwise be contradicted or blocked. This gives top-level administrators the ability to enforce policies and prevent them from being blocked. Another available option is to disable policies. You can disable a policy partially or entirely without deleting its definition.

You configure these policy options by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the “Creating and Editing Site, Domain, and Organizational Unit Policies” section earlier in this chapter.
  2. Select Block Policy Inheritance to prevent the inheritance of higher-level policies (unless those policies have the No Override option set).
  3. Use the No Override option to prevent lower-level policies from blocking the policy settings. Select or clear the No Override option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.
  4. Use the Disabled option to prevent the policy from being used. Select or clear the Disabled option by double-clicking in the appropriate column to the right of the group policy entry. A check mark indicates the option is selected.
Disabling an Unused Part of Group Policy

Another way to disable a policy is to disable an unused part of the GPO. When you do this, you block the Computer Configuration or User Configuration settings, or both, and don’t allow them to be applied. By disabling part of a policy that isn’t used, the application of GPOs and security will be faster.

You can enable or disable configuration settings in Group Policy by following these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the “Creating and Editing Site, Domain, and Organizational Unit Policies” section earlier in this chapter.
  2. Click Properties in the Global Policy tab, and then select or clear Disable Computer Configuration Settings and Disable User Configuration Settings.

Caution

Any settings of the blocked node aren’t applied and are essentially lost. To get these settings back, you’ll have to clear the Disable … Settings options.

Applying an Existing Policy to a New Location

Any group policy that you’ve created can be associated with another computer, unit, domain, or site. By associating the policy with another object, you can use the policy settings without having to recreate them.

You apply an existing policy to a new location by completing the following steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with.
  2. In the Group Policy tab, click Add. As shown in Figure 4-2, this opens the Add A Group Policy Object Link dialog box.
  3. Use the tabs and fields provided to find the group policy you want to apply to the current location. When you find the policy, click OK.
Deleting a Group Policy

You can disable or delete group policies that you don’t use. To disable a policy, double-click in the Disabled column to the right of the group policy entry. A check mark indicates that the option is selected. To delete a policy, follow these steps:

  1. Access the Group Policy tab for the site, domain, or organizational unit you want to work with as specified in Steps 1–4 of the section of this chapter entitled “Creating and Editing Site, Domain, and Organizational Unit Policies.”
  2. Select the policy you want to delete and then click Delete.
  3. If the policy is linked, you have the option of deleting the link without affecting other containers that use the policy. To do this, in the Delete dialog box select Remove The Link From The List.
  4. If the policy is linked, you can also delete the link and the related policy object, which permanently deletes the policy. To do this, select Remove The Link And Delete The Group Policy Object Permanently.
Refreshing Group Policy

When you make changes to Group Policy, those changes are immediate. However, they aren’t propagated automatically. Client computers request policy when

  • The computer starts
  • A user logs on
  • An application or user requests a refresh
  • A refresh interval is set for Group Policy and the interval has elapsed

As you learned previously in this chapter, you can request that a policy be refreshed on a local computer using the Gpupdate command-line utility. Simply type gpupdate at the command prompt. You can also refresh a policy by setting a specific refresh interval, which thereby periodically forces a refresh. Either way, however, the refresh is only a background refresh and some policies might not be updated. The only way to ensure that all user policies are updated is to have the user log off. The only way to ensure that all computer policies are updated is to restart the computer.

To set a refresh interval in Group Policy, follow these steps:

  1. Access the Group Policy console for the site, domain, or organizational unit you want to work with as specified in the section of this chapter entitled “Creating and Editing Site, Domain, and Organizational Unit Policies.”
  2. Access the Group Policy node by expanding Computer Configuration\ Administrative Templates\System\Group Policy.
  3. In the details pane, double-click Group Policy Refresh Interval For Computers. This policy controls the background refresh rate for computer policies.
  4. In the Setting tab, Select Enabled. You can now set the refresh interval for computer policies using the options provided. With the default settings, Group Policy is updated every 90 minutes with a random offset of 0 to 30 minutes. The offset makes it less likely that multiple computers will request updates at the same time. Click OK.
  5. Access User Configuration\Administrative Templates\System\Group Policy.
  6. In the details pane, double-click Group Policy Refresh Interval For Users. This policy controls the background refresh rate for computer policies.
  7. In the Setting tab, select Enabled. You can now set the refresh interval for user policies using the options provided. Click OK when finished.
  8. When applying a refresh, network traffic is generated. During the update, the local computer might be less responsive than normal, which might affect the user’s work.

Note

The refresh interval for computers doesn’t apply to domain controllers. If you want domain controllers to regularly refresh a policy, access Computer Configuration\Administrative Templates\System\Group Policy and then double-click Group Policy Refresh Interval For Domain Controllers. You can now set the refresh interval.

Exchange Public Folders

Posted: April 25, 2010 in Active Directory, Exchange Server, Server, Server 2003, System Information
Tags: , , ,
0


Exchange Server supports public folders. Public folders are for common access to messages and files. Files

can be dragged from file−access interfaces, such as Explorer in Windows 98, NT 4, 2000, and 2003, and can

be dropped into public folders.

You can set up sorting rules for a public folder so that items in the folder are organized by a range of

attributes, such as the name of the sender or the creator of the item, or the date that the item arrived or was

placed in the folder. Items in a public folder can be sorted by conversation threads. You can also put

applications built on existing products such as Word or Excel or with Exchange or Outlook Forms Designer,

client or server scripting, or the Exchange API set into public folders. You can use public folders to replace

many of the maddening paper−based processes that abound in every organization.

For easy access to items in a public folder, you can use a folder link. You can send a link to a folder in a

message. When someone goes to the folder and double−clicks a file you put in the folder, the file opens.

Everyone who receives the message works with the same linked attachment, so everyone reads and can

modify the same file. As with document routing, applications such as Microsoft Word can keep track of each

person’s changes to and comments on file contents. Of course, your users will have to learn to live with the

fact that only one person can edit an application file at a time. Most modern end−user applications warn the

user that someone else is using the file and allow the user to open a read−only copy of the file, which, of

course, can’t be edited. Third−party applications offer tighter document checkout control (see the Appendix,

‘Cool Third−Party Applications for Exchange Server and Outlook Clients’).

If all this isn’t already enough, Exchange is very much Internet aware. With Exchange Server 2003, you can

publish all or selected public folders on the Internet, where they become accessible with a simple Internet

browser. You can limit Internet access to public folders only to users who have access under Windows Server

2003’s security system, or you can open public folders to anyone on the Internet. Just think about it:

Internet−enabled public folders let you put information on the Internet without the fuss and bother of website

design and development. Any item can be placed on the Internet by simply adding a message or other object

to a public folder.

Before we leave public folder applications, I want to mention one more option: Exchange Server 2003 enables

you to bring any or all of those Usenet Internet newsgroups to your public folder environment. With their

Outlook clients, users then can read and reply to newsgroup items just as though they were using a standard

newsgroup reader application. Exchange Server comes with all the tools that you need to do this. All you need

is an Internet connection, access to a host computer that can provide you with a feed of newsgroup messages,

and a set of rules about which groups to exclude. Remember, this is where the infamous alt.sex newsgroups

live. But you don’t have to use public newsgroups. Rather, you can create your own private newsgroups for

internal communications.

Older Entries
Newer Entries