Module 5: Using Group Policy to Manage User Environments

Contents
Overview
Introduction to Managing User Environments
Using Administrative Templates
Lab A: Using Administrative Templates to Assign Registry-Based Policies
Using Scripts
Lab B: Assigning Script Policies to Users and Computers
Best Practices
Review


Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any

Lead Product Manager: Sandy Alto
Group Product Manager: Robert Stewart


Introduction
This module provides students with the knowledge and skills to manage user
environments by using Group Policy. Students will learn to manage user
environments by configuring the administrative template settings in Group
Policy. Students will also learn how to use Group Policy to run scripts at
designated times.
In the two hands-on labs in this module, students will have a chance to
configure, apply, and test the settings in Group Policy. In the first lab, students
will configure settings in both of the Administrative Templates extensions in
Group Policy, and then test the settings that they configured. In the second lab,
students will implement the running of logon and logoff scripts by using the
Scripts extension in Group Policy.
Materials and Preparation
This section provides you with the materials and preparation needed to teach
this module.
Materials
To teach this module, you need the following materials:
• Microsoft® PowerPoint® file 1558a_05.ppt

Preparation
To prepare for this module, you should:
• Read all the materials for this module.
• Complete the labs.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and

Use the following strategy to present this module:
• Introduction to Managing User Environments
In this topic, you will introduce managing user environments by configuring
the Administrative Templates and Scripts Group Policy extensions.
Emphasize that configuring user environments by using Group Policy
allows you to immediately apply the environments to users or computers by
adding the user or computer to the organizational unit (OU) affected by the
settings. Briefly mention the task for managing user environments.
• Using Administrative Templates
In this topic, you will explain how to use administrative template settings to
manage user environments. First, present administrative templates.
Emphasize that although they are registry-based settings, they do not
permanently change the registry. Then present how computers apply Group
Policy registry settings. Use the animated slide. Emphasize that settings and
values are located in the Registry.pol file. Next, present information on the
loopback Group Policy settings. Show students the loopback settings in
Administrative Templates.
Next, present the different types of settings in Administrative Templates.
Then present the type of settings to use if an administrator wants to
lock down user environments. Emphasize that this is only an example and
not a recommendation. Finally, present information on implementing
administrative template settings while demonstrating the process.
• Lab A: Using Administrative Templates to Assign Registry-Based Policies
Prepare students for the lab in which they will configure administrative
template settings for users and computers and then test the configuration.
Make sure that students run the command file for the lab and tell them that
they will have to initiate replications between their domain controllers and
their partner’s domain controllers. After students have completed the lab,
ask them if they have any questions.
• Using Scripts

Setup Requirement 1
The labs in this module require a regular user account for the student. To
prepare student computers to meet this requirement, create the user
account manually.
Setup Requirement 2
The labs in this module require the Log on locally right for domain controllers
to be assigned to the Everyone group. To prepare student computers to meet
this requirement, perform one of the following actions:
• Run C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05.cmd.
• Assign the right manually.

Setup Requirement 3
The labs in this module require that a shortcut for Active Directory Domains
and Trusts, Active Directory Users and Computers, and Active Directory Sites
and Services exists on the desktop of the regular user account. To prepare
student computers to meet this requirement, perform one of the
following actions:
• Log on to the domain by using the regular user account and run
  C:\MOC\Win1558a\Labfiles\Lab05\Setup\Lab05.cmd.
• Create the shortcuts manually and place them in
  C:\Winnt\Profiles\All Users\Desktop.


Setup Requirement 4
The labs in this module require the following OUs and users in the student’s
domain. A number (1 or 2) assigned by you is to be substituted for the
variable x in the labs. One student in each pair uses number 1, the other student
uses number 2.


You can run
C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab05rm.cmd to remove most
configuration changes introduced during the labs in the module. Remove the
Log on locally right from the Everyone group manually. Manually delete the
GPOs created by students.


Overview
• Introduction to Managing User Environments
• Using Administrative Templates
• Using Scripts
• Best Practices

To manage user environments effectively, you need to ensure that users have
access to the resources that they require to do their jobs, and only those
resources. Microsoft® Windows® 2000 allows you to reduce the complexity of
user environments and remove the possibility of users corrupting their
environments or spending time on unnecessary applications, software, or files.
This can lower your total cost of ownership (TCO) by ensuring that users are
always able to perform their job responsibilities and are not distracted by
unnecessary software or configuration options.
By using the Administrative Templates and Script extensions in Group Policy,
you can set up the environments for multiple users once, and then rely on
Windows 2000 to continually implement and apply the settings that you specify
to computers and users.

a New User or Computer
• Perform the Tasks to Manage User Environments
• Control What Users Can Do in Their User Environments
• Provide Users with Only the Resources That They Need to Do Their Jobs
• Use Group Policy Settings to Manage User Environments
[Slide diagram labels: Administrative Templates (Registry-Based) Settings; Scripts Settings; Control User Environments]

Managing user environments means controlling what users can do when logged
on to the network. You do this by controlling their desktops, network
connections, and user interfaces. You want to ensure that users have what
they need to perform their jobs, but you do not want to give them the ability
to accidentally corrupt their environments by incorrectly configuring
the environments.
The types of Group Policy settings that you typically use to manage user
environments are administrative template settings (registry-based settings) and
script settings. You configure these settings in Group Policy in the
Administrative Templates and Script extensions.
If you have used Group Policy to set up user environments for an Active
Directory directory service container, such as an organizational unit (OU), any

environments with Group Policy. Do not go into too much detail, because this is an introductory topic.

Remind students that they can set up Group Policy once, and then Windows 2000 will continually enforce it.

Key Points
If Group Policy settings that control user environments are set up for an OU, when an administrator adds a new user or computer to that OU, the Group Policy settings immediately apply. This means that the user environment is immediately set up for that user or computer.

Administrators can use Group Policy to provide users with what they need to do their jobs while curtailing user actions that could accidentally corrupt the user environments.

• Settings for Locking Down User Environments
• Implementing Administrative Template Settings

Administrative template settings are a multitude of registry-based Group Policy
settings that you can use to control user environments. These settings apply to
both computers and user accounts and allow you to lock down user
environments. Locking down user environments prevents users from changing
desktop configurations, using certain applications, and making changes to
system files.
Slide Objective
To introduce administrative template settings.
Lead-in
Administrative template settings provide you with the capability of managing user environments.
Make sure that students know what it means to lock down user environments.

What Are Administrative Template Settings?
• Administrative Template Settings Modify Registry Settings That Control User Environments
• Settings Modify Registry Settings in the Registry Hives
  • HKEY_LOCAL_MACHINE for computer settings
  • HKEY_CURRENT_USER for user settings

\Software\Microsoft\Windows\CurrentVersion\Policies. When settings reside
in these locations, Windows 2000 enforces them without removing the local
default-registry settings.
Windows 2000 applies both the Group Policy and the default registry settings to
users and computers. If there are conflicts, the Group Policy settings prevail. If
you delete the Group Policy object (GPO) containing the settings, or unlink it
from a container, the settings are removed from the registry hive the next time
that Group Policy is refreshed, and the local default-registry settings apply.
Slide Objective
To explain what administrative template settings are and where they reside.
Lead-in
Group Policy administrative template settings are registry-based settings that you can use to manage user environments.
Make sure that students remember what a registry hive is.
Key Points
Administrative template settings modify the settings stored in the two registry hives. The hives are HKEY_LOCAL_MACHINE for computer settings, and HKEY_CURRENT_USER

[Slide diagram labels: Registry.pol; HKCU; HKLM]
1. Client computer starts, user logs on, and the domain controller provides a list of GPOs
2. Client computer connects to Sysvol and locates the Registry.pol files
3. Client computer writes to the registry hives (HKLM and HKCU)
applying administrative template settings.
Lead-in
Now let us look at the process in which Group Policy registry settings are applied.
The slide for this topic is animated. Display a new step on the slide as you talk about it.
Delivery Tip
Open Windows Explorer and show students the Registry.pol files in the path provided in the Note in the student text.
Key Points
The administrative template settings that Windows 2000 applies are stored in the Registry.pol file in the GPT on domain controllers.

The values for the registry settings are contained in the Registry.pol file.
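
An added example, not part of the original courseware: a small Python parser for the Registry.pol files described above, for auditing which registry values a GPO writes and whether any fall outside the policy branches. The record layout (a PReg signature, version 1, then [key;value;type;size;data] records in UTF-16LE) follows Microsoft's published registry policy file format rather than anything on this page; the sample records and the Software\Policies branch are assumptions.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
# Policy branches. The first is named on this page; Software\Policies is an
# assumption added from Windows policy conventions, not from the page text.
POLICY_BRANCHES = ("software\\microsoft\\windows\\currentversion\\policies",
                   "software\\policies")

def _w(text):
    return text.encode("utf-16-le")  # string encoding used in Registry.pol

def build_entry(key, value, reg_type, data):
    """Serialize one [key;value;type;size;data] record (for sample input)."""
    return (_w("[") + _w(key + "\0") + _w(";") + _w(value + "\0") + _w(";")
            + struct.pack("<I", reg_type) + _w(";")
            + struct.pack("<I", len(data)) + _w(";") + data + _w("]"))

def _expect(blob, pos, char):
    if blob[pos:pos + 2] != _w(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2

def _read_wstr(blob, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        if end + 2 > len(blob):
            raise ValueError("unterminated string")
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def _read_u32(blob, pos):
    if pos + 4 > len(blob):
        raise ValueError("truncated DWORD field")
    return struct.unpack_from("<I", blob, pos)[0], pos + 4

def parse_registry_pol(blob):
    """Return (key, value_name, type, data) tuples from Registry.pol bytes."""
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("missing PReg signature or unsupported version")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        value, pos = _read_wstr(blob, _expect(blob, pos, ";"))
        reg_type, pos = _read_u32(blob, _expect(blob, pos, ";"))
        size, pos = _read_u32(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        if pos + size > len(blob):
            raise ValueError("data length runs past end of file")
        raw, pos = blob[pos:pos + size], _expect(blob, pos + size, "]")
        if reg_type == REG_DWORD and size == 4:
            data = struct.unpack("<I", raw)[0]
        elif reg_type == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\0")
        else:
            data = raw  # other types are returned as raw bytes
        entries.append((key, value, reg_type, data))
    return entries

def outside_policy_branches(entries):
    """Entries whose key is not under one of the policy branches."""
    return [e for e in entries if not any(
        (e[0].lower() + "\\").startswith(b + "\\") for b in POLICY_BRANCHES)]

# Constructed sample: two records, not taken from any real GPO.
SAMPLE = (b"PReg" + struct.pack("<I", 1) + build_entry(
    "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
    "NoNetHood", REG_DWORD, struct.pack("<I", 1)) + build_entry(
    "Software\\ExampleVendor\\App", "Server", REG_SZ, _w("files.example.test\0")))

if __name__ == "__main__":
    parsed = parse_registry_pol(SAMPLE)
    print(parsed, outside_policy_branches(parsed), sep="\n")
```

Entries reported by `outside_policy_branches` are the ones to review, because the clean-up on GPO removal that this module describes is tied to the policy branches.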



The loopback setting is a Group Policy setting that causes administrative
template user settings in a GPO to apply to the computers affected by that GPO.
These user settings then apply to all users that log on to the computer and
replace the user settings applied directly to the users. Because the settings for
the computer are applied last, they take precedence.
Loopback is most useful for computers that are dedicated to specific tasks or
that have special software installed on them (for example, computers that are set
up to create compact discs). The desktop environment of these computers
should not be changed.
To enable loopback, perform the following steps:
1. Open Group Policy, and then expand Computer
Configuration\Administrative Templates\System\Group Policy.
2. Double-click User Group Policy loopback processing mode.
3. In the Properties dialog box for the settings, make sure that the User Group
Policy loopback processing mode check box is selected and has a white
background, and then select one of the following modes:
   • Replace. This mode replaces the user settings that are typically applied
     to users logging on to the computer.
   • Merge. This mode combines the user settings applied to the computer
     and the user settings applied to the user. If there is a conflict, the user
     settings applied to the computer prevail.
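
The two loopback modes, modelled as an added Python example (not part of the original courseware): GPOs are applied in order and a later GPO overwrites an earlier one, so the result shows which GPO wins each user setting and what loopback changed. The GPO names and the two "Sample setting" names are constructed for illustration.

```python
def effective_user_settings(user_gpos, computer_gpos, loopback=None):
    """Resolve the user settings in force for one logon.

    user_gpos and computer_gpos are lists of (gpo_name, user_settings)
    in the order the GPOs are applied. loopback is None for normal
    processing, or "merge" / "replace". Returns {setting: (state, gpo_name)}.
    """
    if loopback is None:
        order = list(user_gpos)
    elif loopback == "replace":
        order = list(computer_gpos)  # the user's own GPOs are not applied
    elif loopback == "merge":
        order = list(user_gpos) + list(computer_gpos)  # computer's GPOs last
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")
    effective = {}
    for gpo_name, settings in order:
        for setting, state in settings.items():
            effective[setting] = (state, gpo_name)  # later GPO overwrites
    return effective


def changed_by_loopback(user_gpos, computer_gpos, mode):
    """Settings whose outcome differs from normal processing, for review."""
    normal = effective_user_settings(user_gpos, computer_gpos)
    looped = effective_user_settings(user_gpos, computer_gpos, mode)
    return {s: (normal.get(s), looped.get(s))
            for s in sorted(set(normal) | set(looped))
            if normal.get(s) != looped.get(s)}


# Constructed sample: one GPO linked to the user's OU, one to the computer's.
HIDE = "Hide My Network Places icon on desktop"       # setting named on this page
RUN = "Sample setting: remove Run from Start menu"    # hypothetical name
PANEL = "Sample setting: disable Control Panel"       # hypothetical name
USER_GPOS = [("Sales Policy", {HIDE: "Disabled", RUN: "Enabled"})]
COMPUTER_GPOS = [("Kiosk Policy", {HIDE: "Enabled", PANEL: "Enabled"})]

if __name__ == "__main__":
    for mode in (None, "merge", "replace"):
        print(mode, effective_user_settings(USER_GPOS, COMPUTER_GPOS, mode))
    print(changed_by_loopback(USER_GPOS, COMPUTER_GPOS, "replace"))
```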

Slide Objective
To explain what loopback is and when to use it.
Lead-in
Windows 2000 allows you to alter the typical method in which Group Policy settings
[Slide table; column label: Applies to]
Windows Components: The parts of Windows 2000 and its tools and components to which users can gain access, including MMC
System: Logon and logoff, Group Policy, disk quotas, and loopback policy
Network: The properties of network connections and dial-in connections
Printers: Printer settings that can force printers to be published in Active Directory and disable Web-based printing
Start Menu &

| Setting type | Controls | Applies to |
| --- | --- | --- |
| Windows Components | The parts of Windows 2000 and its tools and components to which users can gain access. This includes controlling user access to MMC. | Computers and users |
| System | Logon and logoff procedures (including the ability of a user to log off from a kiosk computer). System settings also allow you to manage Group Policy (including when refresh occurs), enable disk quotas, and implement loopback policy. | Computers and users |
| Network | The properties of network connections and dial-in connections (including shared network access). | Computers and users |
| Printers | Printer settings that can force printers to be automatically published in Active Directory and can disable Web-based printing. | Computers (for these printer settings only) |

Slide Objective
To explain the different types of administrative


(continued)

| Setting type | Controls | Applies to |
| --- | --- | --- |
| Start Menu & Taskbar | What users can gain access to from the Start menu. For example, by removing the Run command, users are prevented from running applications for which there is no icon or shortcut. You can also make the Start menu read-only and disable the user’s ability to make changes. | Users |
| Desktop | The Active Desktop. You can control users’ ability to gain access to the network and the Internet by hiding the appropriate desktop icons and controlling what they can do with their My Documents folder. | Users |
| Control Panel | Several applications in Control Panel. This includes restricting the use of Add/Remove Programs, Display, and Printers. | Users |

Windows 2000 provides you with the ability to add additional templates
to Administrative Templates in Group Policy if the preconfigured templates do
not provide you with the settings that you require. For more information about
adding additional templates, see module 7, “Configuring Administrative
Locking Down User Desktops
The following table provides the setting types that contain settings to configure
when locking down user desktops, as well as examples of the possible effects of
these kinds of configurations.
| Setting type | Lockdown examples |
| --- | --- |
| Windows Components | Shortcut menus do not appear when users right-click the desktop or items in Windows Explorer. Users cannot make changes to their desktops, including customizing Microsoft Active Desktop or creating shortcuts in Windows Explorer. |
| Desktop | Users cannot save certain changes made to their desktops when they log off. For example, changes to icons, windows, and the taskbar are not saved. |
| Start Menu & Taskbar | Control Panel is removed from the Start menu. Users cannot start Control Panel or run any Control Panel applications, including changing their displays or adding and removing programs. The Taskbar & Start Menu option is removed from Settings on the Start menu. Users cannot open the Properties dialog box for Taskbar or configure their Start menus or taskbars. |

Slide Objective
To provide examples of using administrative

multitude of settings.

Locking Down User Access to Resources
The following table provides the setting types that contain settings to configure
when locking down user access to resources, as well as examples of the
possible effects of these kinds of configurations.
| Setting type | Lockdown examples |
| --- | --- |
| Windows Components | Users cannot use the Search option or the Windows Explorer File menu to locate and access network resources. They cannot map network drives or disconnect or modify preconfigured network drives. Users can only view predefined resources in My Network Places. |
| Desktop | Users cannot use Active Desktop or see My Network Places or My Computer on their desktops. |
| Start Menu & Taskbar | Users cannot see the Search option and do not have access to the Windows Update icon from the Start menu. Users only see predetermined icons. Users cannot use Run to gain access to network resources. |

Locking Down User Access to Administrative Tools and Applications
The following table provides the setting types that contain settings to configure
when locking down user access to administrative tools and applications, as well

[Slide labels: Hide My Network Places icon on desktop; Policy; Explain; Disabled; Not configured (default)]
• Selecting One of the Three States Configures a Setting
• Configuring the Same Setting Differently for Different GPOs Can Cause Conflicts

Implement administrative template settings by configuring the settings in the
Administrative Templates extension in Group Policy.
In most instances, you configure a setting by selecting one of three states for the
setting. You select the state on the Policy tab of the Properties dialog box for
the Group Policy setting.
The following list provides descriptions of the three states:
• Enabled. Windows 2000 applies the setting if the box on the Policy tab
  is selected. Windows 2000 adds the change to the appropriate
  Registry.pol file.
• Disabled. Windows 2000 prevents the setting from being applied if the box

Group Policy\User Configuration\Administrative Templates\Desktop.
Key Points
The not configured state makes no change to the Registry.pol file.

Conflicts can arise from configuring the same settings differently in different GPOs. When these conflicts arise, the last setting applied prevails, unless Group Policy inheritance is modified.

To gain access to the Policy tab for an administrative template setting, perform
the following steps:
1. Right-click the appropriate Active Directory container (site, domain, or
OU), and then click Properties.
2. On the Group Policy tab, create or select an existing GPO, and then
click Edit.
3. In Group Policy, expand Computer Settings or User Settings, and then
expand Administrative Templates until you locate the setting that you
want to modify (for example, User Configuration\Administrative
Templates\Desktop).
4. In the details pane of Group Policy, double-click the Group Policy setting
that you want to modify.

domain name) with a password of password and run
C:\MOC\Win1558A\Labfiles\Lab05\Setup\Lab5.cmd. This command file:
• Assigns the Log on locally right for domain controllers to the Everyone
  group, if this right was not already assigned.
• Creates shortcuts on your desktop to Active Directory Users and
  Computers, Active Directory Sites and Services, and Active Directory
  Domains and Trusts.
Slide Objective
To introduce the lab.
Lead-in
In this lab, you will configure and apply registry-based Group Policy settings by using Administrative Templates.
Explain the lab objectives.

Ensure that students run the .cmd file before starting the lab.

• Creates the following organizational units (OUs) in your domain.

| This OU | In this organizational unit |
| --- | --- |
| East | Domain Controllers |
| West | Domain Controllers |
| Salesx | Top Level OU in the domain |
| Telemarketing | Salesx |
| Retail | Salesx |

computer to the West OU if your assigned number is 1, or the East OU if your assigned
number is 2. After moving your computer, you will replicate Active Directory
directory service changes to the other domain controller in your domain.

Task and Detail

1. Move your computer to the East or West child OU of the Domain Controllers OU.
   a) Log on as (where domain is your domain name) with a password of password.
   b) Start Active Directory Users and Computers, expand your domain, and then click Domain Controllers.
   c) In the details pane, right-click your computer, and then click Move.
   d) In the Move dialog box, expand your domain, expand Domain Controllers, click West if your assigned number is 1, or East if your assigned number is 2, and then click OK.
   e) Quit Active Directory Users and Computers.
2. Replicate Active Directory changes to other domain controllers.
   a) Start Windows Explorer, expand the C:\MOC\Win1558a\Labfiles folder, and then double-click Replicate.


c) In the details pane, right-click West if your assigned number is 1,
or East if your assigned number is 2, and then click Properties.
d) On the Group Policy tab, click New, type West Policy if your
assigned number is 1, or East Policy if your assigned number is 2,
and then press ENTER.
2. Edit the administrative template settings for the new GPO to:
   • Enable disk quotas.
   • Prevent disk quota limits from being enforced.
   • Prevent users from running the New Task wizard.

a) Select the new policy, and then click Edit.
b) In the Group Policy console tree, expand Computer
Configuration, and then expand Administrative Templates.
c) In the console tree, expand System, click Disk Quotas, and then,
in the details pane, double-click Enable disk quotas.
d) In the Properties dialog box for Enable disk quotas, on the
Policy tab, select the Enable disk quotas check box.
e) Click OK.
f) In the details pane, double-click Enforce disk quota limit, and in
the Properties dialog box for Enforce disk quota limit, click the
Enforce disk quota check box twice to clear it.
g) Click OK.
h) In the console tree, expand Windows Components, click Task
Scheduler, and then, in the details pane, double-click Disable
New Task Creation.


