INTRO TO I.T.: 2014

HISTORY OF LINUX

HISTORY

In August 1991, a student form university of Helsinki in Finland began a post to the comp.os.minix, news group with word "Hello every body out there using minix, I am doing a free Operating System (Just a hobby, won't be big and professional like GNU) for 386 (486) at colons. Name Linus Torvalds."

The hobby he spoke of eventually become what we know today LINUX.

At that time UNIX and other operating systems were costly then PC hardware. While versions of UNIX have long been available for PC's. They never had the grace of power of operating available for mini computers, mainframes and today servers. This lack of accessing ultimately give birth to LINUX as a means to make a UNIX like operating system available on wide spread basis.

Today's Linus was developed with the assistance of programer's word wide; Linus Torvalds still retains control of evolving core of Linus operating system the Kernel ..0000000

In March 1992, version 1.0 of the Kernal was first official release of Linux.

MAIN FEATURE & ADVANTAGES OF LINUX

Multitasking Capability:
Full multitasking and 32-bit support. Linux, is a real multitasking system allowing multiple users to run many programs on the same system at once.
Multiuser Capability: Multiuser operating system several users to use the same computer to carry out their computing job. Can run programs, access files and print documents at the same time.
System Portability:
Linux has this outstanding feature that it is not written for specific hardware platforms. It can be ported to another system (installation) without the need to make any major changes.
System Security:
Several levels of security exits in Linux.

First level is system security is A login is simply the name that you supply to Linux to identify yourself to the operating system. Linux keeps track of which names are permitted to log in or access the system and only allows valid users to have access.

Another level of security is when it comes to accessing files. Three permission "Read, Write & Execute" can be assigned by the owner of the file to each of his files. All of these permissions can be individually either granted or denied to all the users of the system.
Third level of security allows users to encrypt data files on the disk so that even if someone manage to access then he can't make much sense of it.

Linux Application:

Text & Word Processing Application:
In addition to commercial word processing software's such as Word Perfect, Star Office, Applixware, Linux offers powerful tools for editing text files and processing text in an automated fashion.
Programing Languages:
There is a wide variety of programming and scripting languages & tools available for Linux.
Internal Tools:
In addition to supporting Well-Known software such as Netscape Communicator and Mosiac, Linux provide wide verity of internet software and full range of software needed to create internet services such as Web Server, Mail Server plus complete network support to connect to the internet via Local Network or Modem.
Databases:
Linux provide robust platform for running client server database application such as free database SQL and postgre available for Linux also commercial database such as Oracle, Sybase and Informix.

DOS & Windows Compatibility:
Linux can run DOS software with a high degree of stability and compatibility and offers several approaches to run Windows software, Wabi, Win3e, VM ware.
Linux is Free Software:
Linux kernel and most of the applications written for Linux are available for free on the Internet, often with no restriction on the copying and redistribution of the software.
Virtual Memory & Shared Libraries:
Linux can use a portion of your hard drive as virtual memory, expanding your total amount of available RAM. Linux also implements shared libraries, allowing programs that use standard subroutines to find the code for these subroutines in the libraries at runtime. This saves a large amount of space on your system.
Linux Support (almost) all of the Features of Commercial Versions of UNIX:
In fact, some of the features found in Linux may not be available on other proprietary UNIX system.
GNU Software support (Free Software's):
Linux supports a wide range of free software written by the GNU project, including utilities such as the GNU and C++ compiler, gawk, groff and so on. Many of the essential system utilities use by Linux are GNU software.
Built-in Support for Networking, Multitasking, & other features
X Windows System:
The X Windows convert text base Linux to graphics Operating System A complete version of the X Windows System, known as XFree86, is available for Linux. The X Windows System is a very powerful graphics interface, supporting many applications.

HARDWARE REQUIREMENT

You can run entire system from a single, hi8gh-density 5.25-inch floppy, but Hardware requirement depends upon Linux software & accessories selection.

Component Minimum Good Pe

Processor 386 Pentium 133

RAM 4 MB 32 - 64 MB

Hard Disk 150 MB IGB

Display VGA, Mouse, CD-Rom

Linux Tools & Applications:

The outermost layer of the Linux operating system is its tools and applications. These tools can be invoked from the command line itself and help perform the day-to-day as well as complex tasks of the system.

The Shell:

It is the command interpreter of the operating system. It accepts commands from users and analyses and interprets these commands.

The Linux Kernel:

It is the core of the system. It controls all the tasks, schedules all the processes and carries out all the crucial functions of the operating system. All operating systems have a kernel that contains thousands of routines to carry out the numerous tasks that the operating system has to handle. The major duties of the kernel are under:

To keep track of the programs that are executing
All processor time to each and also decide when one program stops and another starts.
It also handles exchange of information between computer and its terminals tape drives and printers.

Linux File System:

To store data in a computer system so that you can retrieve it at some time in the future, you place it in a file in the file system and give the file a filename so that you can reference it again later on. File are, stored on magnetic disk and hence continue to exit even if the computer is switched off and also set permission on it.
Linux distinguishes three types of files in its file system -
An ordinary file has no internal structure imposed on it by the system - it is simply a sequence of characters.
A directory file stores information about other files and directories. This enables Linux to organinse its file system into a hierarchy of files and directories.
The special files are the input/output devices attached to a particular computer system.

Important Directories in the Linux File System:

Most of the directories that hold Linux system files are "standard" some of the most important directories on your Linux system.

/
This is the root directory. It holds the actual Linux program, as well as sub-directories. Do not store your own files here.
/home
This directory holds users' home directories. After logging to the system this is PWD for a user.
/bin
This directory holds many of the basic Linux programs. Bin stands for binaries, files that are executable and that hold text only computers could understand.
/usr
This directory holds many other user-oriented directories. Like games, help files.
/dev
Linux treats everything as a file! The /dev directory holds devices. These are special files that serve as gateways to physical computer components. For instance, if you copy to /dev/fd0, you are actually sending data to the system's floppy disk. You terminal is one of the /dev/tty files. Partitions on the hared drive are of the form /dev/hd0. Even the system's memory is a device!
/usr/sbin
This directory holds system administration files. If you do an Is -1, you see that you must be the owner, root, to run these commands.
/sbin
This directory holds system files that are usually run automatically by the Linux system.
/etc
This directory and its sub-directories hold many of the Linux configuration files. These files are usually text and they can be edited to change the system's configuration.

File & Directories:

A file as a container of information. Once information is stored in a file, it will remain there until it is changed or the file is removed from the system.
A Linux allows filenames to be up to 256 characters long. These characters can be lower and upper cases letters, numbers and other characters, usually the dash(-), the underscore (_) and the dot (.).

Directory:

Whenever a new user is created in the Linux system to use Linux, a directory is created for that user which has a unique name. This directory is called the home directory. When you login successfully, Linux makes your home directory the current directory and you are then ready to begin your session. You can also make and remove sub-directories.

File Naming Rules:

A file name must be 1 to 255 characters long.
All characters are legal except (/) which is used for separating directory levels and files.
Spaces and tabs must be quoted if used as a part of file name. Avoid using following characters:
@ # $ ^ & * ? ( ) [ ] { } / \ ! ; ' " < >
All (.) at the beginning of a file name hides it from Is command.
Upper and lower case characters are interpreted differently. TMP is different from tmp.
Do not use following at beginning of file name:
+ - = _

Wildcards:

It matches any string with zero or more characters.
? It matches any single character.
[characters] It matches any one of the character enclosed in [ ] c1 - c2 will match characters c1 through c2.
[!characters] It matches any one of characters not enclosed in [ ]
Example using wildcards:

IS *.db
It displays all files ending with .db.
Is[0-9]*
It displays all files beginning with a numbers.
Is [!0-9]*
It displays all files not beginning with a number.
Is *.[bdfg]
It displays all files ending with characters b, d, f or g.
Is!(m*)
It displays all files not beginning with m.

THE SHEL

It is the command interpreter of the operating system. It accepts commands from users and analyses and interprets these commands. Most of the Linux commands are executable C programs. Shell interprets user commands and starts executing appropriate executable file. It then request kernel to carry out actual transfer of data which finally leads to output that is displayed of the screen of the terminal. Shell acts are mainly used with Linux:

Bourne Shell (sh):
This is one of the most widely used shells in the Linux world. It was developed by Steve Bourne of AT&T Bell Laboratories in the late 1970's. It is the primary Linux command interpreter and comes along with every Unix system. It introduced many shell concepts such as the ability to text program for success of failure status, allows for sophisticated scripting (Programing) but lack of features such as history list and command line editing. The prompt used by the Bourne shell in the Linux installation is shown by a ($) dollar sign.
C Shel (Csh):
The C shell was developed by Bill Joy at the University of California at Berkeley. The C shell is the default shell in the Berkeley version of Unix. It has a few principal advantages over the Bourne shell.

A history mechanism:
The C shell remembers the commands that the user types and allows him to recall them without having to retype them.
Aliasing:
The C shell permits you to call frequently used commands by your own formulated abbreviations. This is a type of "micro" facility that is available at the command line.
Arithmetic:
Arithmetic calculation and comparison, testing can be performed by the shell itself.

Korn Shel (Ksh):
Developed by David Korn at AT&T, this shell was designed to be much bigger than the Bourne shell and includes several features that make it more superior. It includes all the enhancement of C shell like command history and aliasing and offers a few more features itself which makes it more efficient than the Bourne shell.
Broune Again Shell (Bash):
It is the most common shell installed with Linux Distribution. It is based on Bourne Shell and provides additional feature set including command line editing, a history list and file name completion and allow to write sophisticated shell scripts using Bourne Shell like syntax.

WHAT IS DISTRIBUTION

Distribution is different sets of applications, utilities, tools and drivers modules are built on same versions Kernel (the heart of the Operating System), can include and can offer different installation and upgrade programs to ease management of the system.
As windows 98 or Window NT defines the complete set of windows utilities applications and drivers that Microsoft ship. There is no room for variation in any application, drivers or utility.
But Linux has opened the door to different flavors of Linux meet differed need. On the same Kernel version they allow3 to add are remove applications, drivers and utility and allow3 to redistribute their product. Hence each product are called Distribution.
Following are the different types of Distributions.

Red Hat:Red Hot Linux distribution from Red Hat Software (www.redhat.com) has emerged as the favorite Linux distribution for most users. Red Hat gained fame for its tools for installation and upgrading the operating system. It introduce GNOME Desktop some feature are Improve installation, improved Administration Tools like LinuxConfig, Xconfigurator, GNOME Desktop environment for X Windows, improved performance features like Symmetrical Multiprocessing and offer different RAID Techniques.
Slack Ware:
Before Red Hat Linux come to fame slack ware was the distribution to beet but still a popular distribution and found on (www.slakware.com) the distribution offers the full Range of expected utilities, tools, application, including X windows, development tools such as GNU computers Full Java Support and Java SDK for Linux. It can be downloaded Walnut Greek FTP site (ftp.cdram.com)
Debian:
Debian has no commercial organisation backing it. It is produced by a team of volunteers. Debian offer more than 1000 software packages and publicised their bugs on website (www.debian.org). It is offer free distribution redistribution right, available source code.
Caldera Open Linux:
This distribution can be downloaded at no cost from Caldera Website at (www.calerasystems.com). It include K desktop environment and non commercial Star office for Linux. Word Perfect 6 for Linux Netware support and license of DR-DOS for Dos compatibility.

INSTALLING LINUX (REDHAT)

Step by Step Guide to Installing Redhat

Screen 1:
If you have booted your system with the Redhat installation media or are installing by NFS you will see the Redhat welcome scree. Press enter for install in graphical mode.
Screen 2:
Press Next.
Screen 3:
For language select English.
Screen 4:
Keyboard type. Choose US International.
Screen 5:
Mous4e type. Select your mouse type here and if you are going to use this system as a desktop, enable the emulate 3 buttons check box.
Screen 6:
Installation type. Choose custom.
Screen 7:
Disk Partitioning. Choose Manually with Disk Drive.
Screen 8:
Disk setup. Delete all existing partitions (Warning: All Data currently on the disk is erased!) Depending on your needs, create new partitions. for simplicity, creating two partitions, one for use as swap which I make twice as large as the amount of physical RAM and one for all other data, called a root partition. Here's how;
Select new then enter the following into the pop-up box;
file system type swapsize (2x RAM) e.g. 64
then OK
then;
Select new
enter the following into the pop-up box;
Mount Point /
File system type EXT3
and click the Fill to maximum allowable size check box then click OK
You should now have two visible partitions, called /dev/hdal.1 and /dev/hda2 underneath the /dev/hda entry. One will be type EXT3 and one will be type swap.
At this stage will have finished configuring partitions. Click next to go to the next screen.
Screen 9:
Boot Loader. Grub is the preferred boot loader and the default options are suitable, so nothing needs to be changed here. Click Next.
Screen 10:
Network configuration. You will see a list of your network interfaces (such as eth0). Configure each one to suit your own physical network requirements.
here we don't use DHCP for wired machines so we select to configure manually and enter the IP information in the box provided.
Note that your wireless card probably has not been detected by this stage. Do not worry will shell configure it later.
Screen 11:
Firewall configuration. If you intend to run NoCat your entries here will be superseded by the NoCat configuration process. For the purpose of the initial configuration, select Medium security level and ETH0 as a trusted device. Allow Incoming ssh.
Screen 12:
Additional Language Support. Select Other language from the list and uncheck English (USA).
Screen 13:
Time Zone. Click on the map of Pakistan to set the time zone.
Screen 14:
Root password. This screen is where we set the password for the super-user. Create a root password that you will remember. Click OK then Next.
Screen 15:
Authentication Configuration. The default settings don't need to be changed. Click Next.
Screen 16:
Package selection. The packages you choose here will depend on what you want to do with you system, so the recommendations we make below are guidelines. Anything that you omit here but need later can be installed at a later stage. Here it is section by section.;

In Editors Emacs can be removed and vim-enhanced can be added.

In Graphical Internet evolution, gaim, Mozilla-mail, pane and xchat can be remove.

In Office/Productivity mrproject and open-office can be removed.

In Sound and Video any selected packages in this section can be removed.

In Graphics gimp, gimp-data-extras, gtkam, sane-frontends, xsane and xsane-gimp can be removed.

In Server Configuration Tools select all of the GUI configuration tools you require for the various services you intend to have on the box. You may find redhat-config-bind, redhat-config-httpd, redhat-config-network and redhat-config-services useful.

In Web Server select all that are applicable for you situation if you intend to use this system as a web server in addition to an Access Point. For use with NoCat you will need mod_perl and mod_ssl.

In Network Servers select all of the services you wish to run. For our Access Point we need ZEBRA and DHCP cipe, pxe, rsh-server, talk-server, telnet-server and ypserv can be removed.

In Administration Tools select all of the GUI config tools that you think you require. They are safe to install even if you don't end up using them.

In System Tools amanda, ethereal, etheral-gnome, nmap and nmap-front-end are useful and can be installed and we will use shapecfg in appendix C for configuring bandwidth management. Click next to being the actual RedHat installation. The install process will begin by formatting the new partitions and installing the various packages required for a functioning Linux system. The installation should take approximately 25 minutes. At the end of this process, configure the X display system for you hardware if required. It is a good idea to turn off Graphical login type at this point. You will be presented with the option to create a boot disk once the installe is complete. It is good idea to do so.

Tuning off Unnecessary Services

One last job remains; after you have logged into your system and are satisfied that it is working correctly, we'll turn off some of the plethora of services and Redhat has enabled. Some of these services we will enable later but in the mean time they are using system boots, both of which are inconvenient while we are building and testing our new system.
You can manually turn off services by re-naming files in the /ect/rc.d/ hierarchy, but Redhat has a menu driven system called simply setup that is easier use. Access it with this command;

[root@accesspoint root]# setup

A menu will come up. Scroll down to System Services and press enter to select it. You will see a list to services, those with an asterix are enabled. Disable the following services by highlighting the asterix and pressing the space bar.

anacron Scheduling daemon

apmd Power management daemon

atd Scheduling daemon

autofs Auto-mounting of remote file systems

cups Unix print daemon

gpm Console mouse support daemon

isdn iisdn

iptables Firewalling

kudzu Hardware maintenance daemon

netfs Remote file system mounter daemon

nfslock Network File System daemon

pcmcia PCMCIA monitor daemon

portmap RPC control daemon

rhnsd Redhat update daemon

Sendmail Mail server daemon

xinetd TCP/IP se4rvices supe-daemon

This leave us with only these services enabled; crond, keytable, network, random, rawdevices, sgi_fam, sshd, syslog & xfs which will make the system more responsive. Note that xfs, the X font server, can be disabled as well if you have no intention of running X.

Reboot & Test

You may like to reboot your system now to make sure that it comes back up OK. Reboot with this command;

[root@accesspoint root]# shutdown-r now

Once your system comes back up and you are satisfied that it is functioning nominally.

LINUX Files System Management

badblocks:
Used to search a disk or partition for badblocks.
efdisk:
Similar to fdisk but with nicer interface.
debugfs:
Allows direct access to filesystems data sturcture.
df:
Shows the disk free space on one4 or more filesystems.
dosfsck:
Check and repair MS-Dos filesystems.
du:
Shows how much disk space a directory and all its files contain.
dump:
Used to back up an ext2 filesystem. Complement is restore.
dumpe2fs:
Dump filesystem superblock and bolcks group information. Ex: dump32fs/dev/hda2.
e2fsck:
Check a Linux sound extended file system.
e2label:
Change the label on an ext2 file system.
exportfs:
Used to set up file system to export for nfs (network file sharing).
fdisk:
Used to fix or create partitions on a hard drive.
fdformat:
Formats a floppy disk.
fsck:
Used to add new blocks to a file system. Must not be run on a mounted file system.
hdparm:
Get set hard disk geometry parameters, cylinders, heads sectors.
mkfs:
Initialises a Linux file system. This is a front end that runs a separate program depending on the file system's type.
mke2fs:
Create a Linux second extended file system.
mkswap:
Sets up a Linux swap area on a device or file.
mount:
Used to mount a filesystem. Complement is amount.
rdev:
Query / set image root device, swap device, RAM disk size of video mode. What this does is code the device containing the root filesystem into the kernel image specified.
rdump:
Same as dump.
rmt:
Remove magtape protocol module.
restore:
Used to restore an ext2 filesystem.
setfdprm:
Set floppy drive parameters.
swapoff(8):
Used to deactivate a swap partition.
swapon(8):
Used to activate a swap partition.
sync:
Forces all unwritten blocks in the buffer cache to be written to disk.
tune2fs:
Adjust tunable filesystem parameters on second extended filesystem.
umount:
Unmounts a filesystem. Complement is mount.

Creating a User Account

When you first start your Red Hat Enterprise Linux system after installation, you were given the opportunity to create one or more user accounts using the Setup Agent. If you did not create at least one account (not including the root account) you should do so now. You should avoid working in the root account for daily tasks.

There are two ways to create new and/or additional user account: using the graphical User Manager application or from a shell prompt.

To create a user account graphically using the User Manager:

Select Applications (the main menu on the panel) => System Setting => Users & Groups from the panel. You can also start the User Manager by typing redhat-config-users at a shell prompt.
If you are not logged is as root, you will be prompted for your root password.
The window will appear. Click Add User.
In the Create New User dialog box, enter a username (this can be an abbreviation or nickname), the full name of the user for whom this account is being created and a password (which you will enter a second time for verification). The name of this user's home directory and the name of the login shell should appear by default. For most users, you can accept the defaults for the other configuration options. Refer to the Red Hat Enterprise Linux system Administration Guide for detail about additional options.
Click OK. The new user will appear in the user list, signaling that the user account creation is complete.

To create a use account from a shell prompt:

Open a shell prompt.
If you are not logged in as root, type the command su - and enter the rot password.
Type useradd followed by a space and the username for the new account you are creating at the command line (for example, useradd khan2015). Press [Enter]. Often, usernames are variations on the user's name, such as adkhan2015for Adnan Khan. User account name can be anything from the user's name, initials or birthplace to something more creative.
Type password followed by a space and the username again (for example, password adkhan2015).
At the new password: prompt enter a password for the new user and press [Enter].
At the retype new password: prompt, enter the same password to confirm your selection.

How To Add a New User in Redhat

To add a user and set up the directories you want that user to have, user the useradd command. By default, this will add a user and create a home directory for that user, which will be located in /home.
EXAMPLE: /usr/sbin/useradd yourname will create the user yourname, and make the directory /home/yourname.
EXAMPLE: /ur/bin/passwd yourname. You will be prompted twice for a password.
NOTE: If you wand useradd to create more default directories than just /home/newuser, you can add then to /etc/skel. Anything you add to this directory will be created when you add a new user.
EXAMPLE: mkdir/etc/skel/www will add a directory called www to the skel dir. Now whenever you run useradd to create a new user, it will also create a www direcrtory in the new users home directory.
There are also some options for useradd you can if you wish, such as changing where the users home directory will be or which skeleton directory to use.

INSTALLING WINDOWS 7 & WINDOWS SERVER 2008

When installing on a physical computer insert your Windows 7 DVD or CD media into your DVD drive and reboot your computer. If you;re asked to press a key to boot from DVD or CD, press any key. A black window will appear momentarily while DVD content is read.

Like in Windows Vista and Window Server 2008 and unlike previous versions of Windows. Windows 7 does not have noticeable text phase of the step process, and will boot directly into the Graphical User Interface (GUI) mode.

After a few moment you will see the first prompt:

Click "Next" unless you want to change some regional setting for the installation process.

Click on the "Install Now" button.

Next, accept the license terms and click on "Next".

Next, unless you''re upgrading an existing Windows installation. press the Custom (Advanced) Installation type button. Note that in this case, the Upgrade button is disabled because this specific installation if performed on a new computer without any previous operating system on it.

The next phase is to pick the installation partition. Since this computer has a new hard disk that hasn't been formatted before, you will only have the option to create a new partition to install Windows on, or create partitions on your hard disk, click Next to begin the installation. If you already have another existing partition with enough free space and want to install the Windows 7 on that partition to create a malti boot configuration, select the partition you want to use, and then click Next to begin the installation. If you want to create, extent, delete of format a partition, click Drive Option (Advance), click the option you want, and then follow the instructions. Since I don't need to perform any additional task I will just click on the "Next" button. The installation process will then create a partition on all the available disk space, and format it..

The step process will now begin to copy files from the installation DVD media to the hard disk.

The Computer will reboot, and the next thing you'll see is the prompt to set the user's and computer's name. By default, the computer name will be username-PC, where username is the username you have entered.

Click on "Next".

CREATE A NEW PARTITION ON A WINDOWS 7 HARD DISK

The Windows 7 Disk Management tool provides a simple interface for managing partitions and volumes.

Here's an easy way to create a new partition on your disk.

Open the Disk Management console by typing diskmgmt.mse at an elevated command prompt.
In Disk Management's Graphical view, right-click an unallocated or free area, and then click New Sample Volume. This starts the new New Simple Volume Wizard.
(Note: If you need to create unallocated space, see the Tip Easily Shrink a Volume a Windows 7 Disk for information on how to do this.)
Read the Welcome page and then click Next.
The Specify Volume Size page specifies the minimum and maximum size for the volume in megabytes and lets you size the volume within these limits. Size the partition in megabytes using the Simple Volume Size field and then click Next.
On the Assign Drive Letter or Path page, specify whether you want to assign a drive letter or path and then click Next. The available options are as follows: Assign the following Drive Letter Select an available drive letter in the selection list provided drive letter and Windows 7 selects the lowest available drive letter and excludes reserved drive letters as well as those assigned to local disks or network drives.
Mount in the following empty NTFS folder choose this option mount the partition in an empty NTFS folder. You must then type the path to an existing folder or click browse to search for or create a folder to use. Do not assign a Drive Letter or Drive Path choose this option if you want to create the partition without assigning a Drive Letter or Path. Letter, if you want the partition to be available for storage, you can assign a drive letter or path at that time.
Use the Format Partition to determine whether and how the valume should be formatted. If you want to format the volume, choose format this volume with the following setting, and then configure the following option:
File System sets the file system type as FAT, FAT32 or NTFS. NTFS is selected by default in most cases. If you create a file system as FAT or FAT 32, you can latter convert it to NTFS by using the Convert Utility. You can not, however, convert NTFS partition to FAT of FAT32.
Allocation Unit Size sets the Cluster size for the file system. This is the basic unit in which disk space is allocated. The default, is set dynamically prior to formatting. To override this feature, you can set the allocation unit size to a specific value. IF you use many small files, you might want to use a smaller cluster size, such as 512 or 1024 bytes. With these settings, small files use less disk space.
Volume Lable sets a text label for the partition. This lable is the partition's volume name and by default is set to New Volume. You can change the volume label at any time by right - clicking the volume in Windows Explorer, choosing properties, and typing a new volume in the label field provide on the general tab.
Perform a quick format tells Windows 7 to format to format without checking the partition for error. With large partitions, this option can save you a few minutes. However, it's usually better to check for errors, which enables Disk Management to mark had sectors on the disk and local them out.
Enable File and Folder Compression Turns on compression for the disk. Built-in compression is available only for NTFS. Under NTFS, compression is transparent users and compressed files can be accessed just like regular files. IF you select this option, files and directories on this drive are compressed automatically.
Click Next, confirm your option, and click Finish.

The Windows 7 Disk Management Toll Will Now Show the Space Configured As A New Partition:

How To Configure A New Hard Disk In Windows 7

In Windows 7 this is done with the Disk Management tool. The easiest way to load Disk Management is to press Windows-R type disk management's and hit enter.

Disk Management list all connected drives. This can be drives that already have a file system, drives that have not been initialised yet and optical drives such as CD and DVD drives.

The most important part of the following operation is to pick the right drive. The easiest way to fine the new drive in the drive listing is to find the drive with the right storage space. In his case, it was relatively easy as he bought a new 60 Gigabyte Solid State Drive.

The drive needs to be initialised; this is done by selecting it in the drive listing, right-clicking afterward and clicking Initialise Disk from the context menu.

It is now important to select the right disk from the menu important because there may be multiple disks that are not initilised. Disks can be unselected from the menu. It is usually sufficient to select the MBR partition style, unless the disk that needs to be initialised is larger than 2 Terabytes or is used on Titanium based computer.

The process takes a few seconds the most, and the status of the disk should change from Not Initialised to Online. The drive space on the other hand is still shown as unallocated. This is because no file system has been selected yet for the drive.

The drive can be formatted by right-clicking on the Unallocated space in Disk Management, and selecting New Simple Volume. There are other options but those are usually for more advanced uses.

The operating system will then walk the user through setting up the hard drive so that it can be accessed in Windows.

The first step is to select the volume size for the drive, which usually should be the maximum size available unless the drive should be partitioned. After that a drive letter can be selected for the new hard drive, so that it becomes accessible in Windows 7. In the last step, the file system can be selected. It is NTFS by default and it is usually not required to make any changes here. It may make sense however to change the volume label for better identification of the drive in Windows.

The following should not take long and the drive becomes available right after the operation ends.

DEVICES AND PRINTERS IN WINDOWS 7

The Devices and Printers fould displays devices connected externally to your computer, including devices connected wireless or over the network.

The Devices and Printers folder allows you to perform many tasks, which were depending on the device. Here are the main tasks you can do:

View all the external devices and printers connected to your computer.
Add a new device or printer to your computer.
Check to see if a specific device is connected and working properly.
Display detailed information about your devices, such as make, model, and manufacturer.
See what tasks you can do with a particular device.

CONFIGURING DISK AND DRIVES USING DISK MANAGEMENT

Your primary tool for working with your computer's disks is Disk Management. You will use Disk Management to partition disks, format disk volumes with file systems, and mount disk volumes. You can also use Disk Management to convert a disk from the basic disk type to the dynamic disk type and vice versa. However, while you can convert for a basic disk type to the dynamic disk type without losing data, you must remove disk volumes on a dynamic disk before you can convert the disk to the basic disk type.

Using an Administrator account, you can start and work with Disk Management by completing the following steps:

Right-click Computer on the Start Menu.
On the shortcut menu, choose Manage to start Computer Management.
In the left pane of the Computer Management Window, select Disk Management under storage..

Disk Management provides an over view of the storage devices configure within or attached to your computer. By default, Disk Management's main windows show the Volume list view in the upper panel and Graphical view in the lower panel. The third view available but not displayed is the Disk List view.

You can set the view for the top or bottom pane using option from the View menu. To change the top view, select View, choose Top, and then select the view you want to use. To change the bottom view select View, choose Bottom and then select the view you want to use.

Volume list view provides a detailed summary of internal drives and external devices with removable storage. Devices with removable media, such as CD-ROM, and DVD-ROM drives, are listed only if you've inserted a CD or DVD. The volume details provide the information.

MANAGING YOUR COMPUTER'S DISKS

You can set the view for the top or bottom pane using options from the View menu. To change the top view, select View, choose Top and select the view you want to use. To change the bottom view select View, Choose Bottom and then select the view you want to use.
Volume list view provides a detailed summary of internal drives and external devices with removable storage, Devices with removable media, such as CD-ROM and DVD-ROM drives are listed only if you have inserted a CD or DVD. The volume details provide the following information:

Volume

The drive letter or the volume name and drive letter, such as C: or Primary (C:)

Layout

The layout type of the volume, such as simple.

Type

The drive type, such as basic or dynamic

File System

The file system type, such as FAT or NTFS

Status

The status of the volume, as well as any relevant volume designation, such as Healthy (Active, Primary Partition).

Capacity

The amount of data the volume can store.

Free Space

The amount of the free space in MegaBytes (MB) or GigaBytes (GB).

% Free

The amount of free space as a percentage of total volume capacity.

Fault Tolerance

An indicator as to whether the volume uses fault tolerant features.

Overhead

The total additional disk space required because of the fault tolerant feature used (if applicable). The Graphical view provides a graphical overview of internal drives, external drives with removable storage, and devices with removable media. This is the view you use to partition, format and mount disks.

In the Graphical view, you can see the individual areas of allocated and unallocated space on internal disks and disks with removable storage. An allocated area of a disk has a volume. An unallocated area of a disk is free space that's not being used.

The summary information regarding disks and devices with removable storage includes the disk number, drive type, disk capacity and overall status. For each volume allocated on a disk you will see the volume name, drive letter, volume capacity, file system type and status as well.

Disk Volume Details

Although Disk Management can show only two view panes at a time, you can display the Disk List view in either the upper or the lower pane of the main window. This Disk List view provides summary information about physical drives. This information includes:

Disk

The disk designator and number, such as Disk 0 or CD-ROM 1.

Type

The drive or media type, such as basic, dynamic, removable, CD or DVD. Also displays the drive letter if one is assigned.

Capacity

The amount of data the drive, device or media can store.

Unallocated Space

The amount of space that has not been allocated (if any).

Status

The drive or device status, such as online, online (errors), no media or offline.

Device Type

The device interface type, such as Integrated Drive Electronics (IDE). Small Computer Interface (SCSI), USB, FireWire (1394).

Partition Style

The partition style of the disk or device. Windows 7 supports both Master Boot Record (MBR) and GUID Partition Table (GPT) partition styles. For the most part, the partition style used is determined by your computer's processor architecture and the type of device.

LIST OF DETAIL

when you are working with basic or dynamic disks, you should note the special designations assigned to drive sections. Drive sections can have one or more of the following designations.

Active

The drive section used for system cache and start-up. Some devices with removable storage may be listed as having the active partition such as when you use Ready Boost.

System

The drive section containing the boot manager files needed to load the operating system. A drive section with this designation can not be part of a striped or spanned volume.

Boot

The drive section containing the operation system and its related files.

Page File

A drive section containing a paging file used by the operating system.

Crush Dump

The drive section to which the computer attempts to write dump files in the event of a system crash.

Your computer has one active, one system, one boot and one crash dump drive section. The page file designation is the only drive designation you might see on multiple drive sections.

Depending on the disk type and status, you might also see the following designations:

At Risk

A drive section with this designation is at risk of failing, and probably also has an error status, such as Online (Errors).

Primary Partition

A drive section that is designated as a primary partition. Although this designation is usually displayed only for fixed disks, you may see this designation on devices with removable storage and on devices with removable media.

FILE AND FOLDER COMPRESSION IN WINDOWS 7

The document Library will be used for this demonstration.

Open the Documents Library.
Right Click on a blank area.
A pop-up menu appear.
Select New.
In the menu, click Compressed (zipped) folder.
A Blank Zipped folder appears in the Documents Library.

Tip!

Now you have created a compressed folder you can copy or move files into it. Each file is automatically compressed.

Compressing an Individual File

The Document Library will be used for this demonstration.

Open the Document Library.
Select the file you wish to compress.
Right click on selected file.
In the pop-up menu, select Sent to.
In the side menu, select Compressed (zipped) folder. The illustration below shows the sequence to follow.
The newly created compressed folder takes the name of the file you selected for compression.

Compressing a Folder

The Document Library will be used for this demonstration.

Open the Document Library.
Select the folder for compression.
Right click on the selected folder.
In the pop-up menu, select Send to.
In the side menu, select Compressed (zipped) folder.
The illustration below shows the sequence.
The compressed folder appears in the Document Library. with the original folder.

Int is more practical when compressing files to use the following technique.

Create a blank compressed (zipped) folder in the Documents Library.
Select a group of files you wish to compress.
Right click on the highlighted group and drag the selection onto the compressed folder.
Windows opens a pop-up menu asking whether you want to copy or move the files into the compressed folder.
If you choose Copy, the original files remain in the Documents Library.
If you choose Move, the files are transferred into the compressed folder.

Extracting a Zipped File from a Compressed Folder

Select the compressed folder and open it by double-clicking.
In the file list, choose the file to be unzipped.
Drag the file from the compressed folder to its new location.
When you release the mouse button, a pop-up menu offers three options - Copy, Move or Cancel.

Note: Choosing Copy leaves the compressed file back in the compressed folder. Choosing Move does as the name suggests

Extracting All Zipped Files

Right click on the Compressed (zipped) Folder.
In the pop-up menu, select Extract All.
Click the Browse button to choose a location.
Select a destination window opens
Select where you wish the files extract to.
Click the Make New Folder button.
Type in a name for the folder.
Click the OK button.
The new folder destination appears in the Extract Compressed (Zipped) Folder.
Click the Extract button.
Windows extracts the files and unzips them.
If you double-click on the Specials folder you created you will see the extracted files.

Note: When extracting, the files are unzipped and copies to the new destination while the originals, remain zipped in the Compressed (zipped) folder.

Checking the Contents of a Compressed Files Folder

Double-clicking on the Compressed folder.
The Compressed Folder, Important Files, opens. IF you use the Details view you will see more details about the compression.

How To Set Up VPN in Windows 7

VPN (Virtual Private Network) technology lets a computer using a public internet connection join a private network by way of a secure "tunnel"between that machine and the network. The most common case is a business allowing its employees to connect to its work network from home or from home or form the road.

There are two principal ways to configure VPN. The first and more-common scenario, called outgoing, is setting up a remote computer to call into the office network. The second scenario, called incoming, occurs on the network side, where a computer allows secure connections from other computers. Windows 7 comes preloaded with the Agile VPN client, which makes setting up either kind of connection relative easy.

Step by Step: Connecting to a VPN (Outgoing)

Step 1 Click the Start button. In the search bar, type VPN and then select Setup a virtual private network (VPN) connection.

Step 2 Enter the IP address or domain name of the server to which you want to connect. If you are connecting to a work network, you IT administrator can provide the best address.

Step 3 If you want to set up the connection, but not connect, select Don't connect now; otherwise, leave it blank and click Next.
Step 4 On this Next screen, you can either put in your username and password, or leave it blank. You will be prompted for it again on the actual connection. Click Connect.
Step 5 To connect, click on the Windows network logo on the lower-right part of your screen; then select Connect under VPN Connection.
Step 6 In the Connect VPN Connection box, enter the appropriate domain and your log-in credentials; then click Connect.
Step 7 If you can not connect, the problem could be due to the server configuration. (There are different types of VPN.) Check with your network administrator to see what kind is in use -- such as PPTP -- then, on the Connect VPN Connection screen, select Properties.
Step 8 Navigate to the Security tab and select the specific Type of VPN from the drop- down list. You may also have to unselecte Include Windows log on domain under the Options tab. Then click OK and Connect.

Step by Step: Building a VPN (Incoming)

Step 1 Click the Start button, and in the search bar type Network and Sharing.

Step 2 Click Change Adapter Settings in the left-hand menu.

Step 3 Click File and then New Incoming Connection.

Step 4 Select the users you should like to give access to and click Next.

Step 5 Click Through the Internet and select Next.

Step 6 Select the Internet Protocol you should like to use. (The default TCP/IPv4--the line highlighted in the screenshot below -- will work fine.)

Step 7 Finally, click Allow access' you have now set up an incoming VPN connection.

CONNECTING TO WIRELESS NETWORKS WITH WINDOWS 7

Wireless Network Configuration Methods

You can configure connections to wireless networks, known as wireless wireless profiles, for a computer running Windows 7 with the following methods:

Network Notification Area Icon
This is a method by which users connect to available wireless networks.
Set up a Connection or Network dialog box
This method by which users can manually create wireless networks profile.
Manage Wireless Networks dialog box
This is another method to manually configure wireless networks and specify their detailed setting.
Group Policy
Network administrators can use Group Policy settings in an Active Directory Domain Services (ADDS) environment to centrally configure and automatically deploy wireless network settings for domain member computers.
Command Line
Network administrators can use commands in the netsh wlan context of the Netsh.exe tool to manually configure wireless networks and their settings. There are Netsh commands to export an existing wireless profile to an XML file and then import the wireless profile settings stored in the XML file on another computer.

The following sections describe in detail how to connect to a wireless network using the Network notification area icon and the Setup a connection or network dialog box in Windows 7, how to manage your wireless networks, and how to connect to non-broadcasting wireless networks.

The Network Notification Area Icon

To connect to an available wireless network, click the Network icon in the notification area of your desktop. The resulting pane contains a list of detected wireless networks and, for domain-joined computers, the name of wireless networks configured through Group Policy.
From this pane you can connect to a listed wireless network by double-clicking it, clicking the network and then clicking Connect, or by right-clicking the network and clicking Connect.
To view information for a listed wireless network, place the mouse pointer over the network name. The information includes the wireless network's name, signal strength, security type, radio type (802.11b/g/n), and Service Set Identifier (SSID). To refresh the list of wireless network, click the up/down arrow icon in the upper right of the pane. To disconnect from a connected wireless network, right-click the network and then click Disconnect.
You can obtain status of a connected network and properties of a connected network or a network that has been configured through connected network or a network that has been configured through Group Policy through the wireless networks' context menu.
The properties dialog box of a wireless network is described later in this article.

Step up a Connection or Network Dialog Box:

You can access the Step up a connection or network dialog box in Windows 7, from the Set up a new connection or network link in the Network and sharing center.

To manually create a wireless network profile, click manually connects to a wireless network, and then click Next.

On the Enter information for the wireless network you want to add page, configure the following.

Network Name: type the name of wireless network.
Security Type: Select the method used to authenticate a connection to the wireless network. The choices are the following;

No Authentication (Open): Open system authentication with no encryption.
WEP: Open system authentication with Wired Equivalent Privacy (WEP).
WPA2-Personal: Wi-Fi Protected Access 2 (WPA2) with a pre-shared key (also known as a pass phrase).
WPA - Personal: Wi-Fi protected Access (WPA) with a pre-shared key.
WPA2-Enterprise: WPA with IEEE 802.1X authentication.
802.1x: IEEE 802.1X authentication with WEP (also known as dynamic WEP)

The choices listed depend on the capabilities of your wireless network adapter that are reported to Windows. If an authentication type does not appear in the list, ensure that your wireless adapter supports the type and that you have installed the latest driver for your adapter that is compatible with Windows 7.

The Shared key authentication method is not listed. Microsoft Strongly discourages its use because it provides weak security for your wireless network. To configure shared key authentication, select No Authentication (Open) here and then select Shared from the Security tab in the properties of the Wireless network (described later in this article.).

Encryption Type: Select the method used to encrypt data send over the wireless network (described later in this article).

When you select the No Authentication (Open) security type, None is selected for you.
When you select WEP security type, WEP is selected for you.
When you select the 802.1x security type, WEP2-Enterprise, WPA-Personal, WPA-Enterprise security types, you can select AES or TKIP.

The encryption type choices listed depend on the capabilities of your wireless network adapter that it reports to windows.

Security Key:Type the WEP key (if you selected the WPA-Personal security type), or the WPA2 pre-shared key (if you selected the WPA2-Personal security type). For the WPA2-Enterprise. WPA-Enterprise and 802.1x security types, Windows 7 automatically determines the security key when performing 802.1 X-based authentications.
Hide Character: Specifies whether you want to view the value typed in Security Key.
Starts This Connection Automatically: Specifies whether Windows 7 will automatically connect to this wireless network. IF you clear this check-box, you must manually connect to the wireless network from the list of networks available for the Network notification area icon.
Connect Even If The Network is not Broadcasting: Specifies whether Windows should attempt to connect even if the wireless network is not broadcasting its name. This will cause Windows to send Probe Request frames to locate the wireless network. These Probe Request Frames can be used by malicious users to determine the mane of the non-broadcast network.

You can click Change Connection Settings to access the properties of the wireless network, as described letter in this article, or click Close.

The Manage Wireless Networks Dialog Box

You access the Manage Wireless Networks dialog box from the Manage Wireless Networks link in the Network and Sharing.

If the Manage Wireless Networks link is not present from the Network and Sharing Center, click the Change Adapter Setting link and ensure that your wireless network adapter is enabled on your laptop or notebook computer, appears in the Network Connections folder as a wireless connection and is enabled. If your wireless network adapter appears in the Network Connection folder as a wired connection, ensure that you have installed the latest driver that is compatible with Windows 7.
From the Manage Wireless Networks dialog box, you can add a new wireless network, remove a selected wireless network, obtain the properties of the wireless network adapter and choose the type of profile to assign to new wireless networks (applies to all users or the current user).
To manually add a wireless network, click Add to launch the Manually connect to a wireless network wizard, which allows you to create a wireless network profile for either an infrastructure or ad hoc wireless network.
To create a wireless profile for an infrastructure wireless network, click Manually Create a Network Profile. To create a wireless profile for an ad hoc wireless network, click Create an Ad Hoc Network.
To view or modify the properties of a wireless network in the list, double-click the name in the Manage Wireless Networks dialog box.
From the Connection tab, you can view the wireless network's name, SSID, network type (either Access Point for infrastructure mode networks or Computer-to-computer for ad hoc mod network), and availability. You can also configure the following.

Connect automatically when the network is in range.
Connect to a more preferred network if available.

Specifies whether Windows 7 will automatically disconnect from this wireless network if a more preferred wireless network comes within range.
Connect even if the network is not broadcasting its name (SSID).

The Copy this network profile to a USB flash drive link launches the Copy Network Settings wizard, which writes the wireless network profile settings to a USB flash drive. You can then use the flash drive to automate the wireless network profile configuration of other computer.

No Authentication (Open)
Shared
Shared key authentication. The Security tab is the only location, where you can configure shared key authentication because its use is highly discouraged.

WPA2-Personal
WPA-Personal
WPA2-Enterprise
WPA-Enterprise
802.1x

Based on the selected security type, you can configure either a network security key or specify and configure a network authentication method. If you specify WPA-Enterprise, WPA2-Enterprise, or 802.1x as your security type, you must configure the following.

Choose a network authentication method Select an extensible Authentication Protocol (EAP) method and click Settings to configure the EAP type as needed.
Remember my credentials for this connection each time I'm logged on Specifies that when the user logs off, the user credential data is not removed from the registry. If you clear the check box, the next user logs on, they will prompted for their credentials (such as username & password).

If you specify the use of WPA-Personal or WPA2-Personal as your security type or No Authentication (Open) or Shared as your security type with WEP as your encryption type, you must configure a network security key.

If you choose the WPA-Enterprise, WPA2-Enterprise or WPA2-Personal security types, you can also configure advanced settings.

On the 802.1x settings tab, you can specify the authentication mode (User or Computer authentication, Computer authentication, User Authentication or Guest Authentication), save a set credentials for user authentication and delete credentials for all users.

Single Sign-On (SSO) allows you to configure when 802.1X authentication occurs relative to the user logon and to integrate user logon and and 802.1X authentication credentials on the Windows logon screen.

In the Fast Roaming section, you can configure Pair wise Master Key (PMK) caching and pre-authentication option.

Note When you select the WPA-Enterprise security type, the Advance Settings dialog box does not contain the 802.11 settings tab/

The Enable Federal Information Processing Standard (FIPS) compliance for this network check box allows you to specify whether to perform AES encryption in a FIPS 140-2 certified mode. FIPS 140-2 as a U.S. government computer security standard that specifies design and implementation requirements for cryptographic modules. Windows 7 is FIPS 140-2 certified. When you enable FIPS-140-2 certified mode, Windows 7 performs the AES encryption in software, rather than relying on the wireless network adapter. This check box only appears when you select WPA2-Enterprise, WPA2-Personal as the authentication method on the Security tab.

Non-Broadcasting Wireless Networks

A non-broadcasting wireless network does not advertise its network name, also known as its SSID. A wireless access point of a non-broadcasting wireless network can be configured to send Beacon frames with an SSID set to NULL. A non-broadcasting wireless network is also known as hidden wireless network. You can configure wireless networks in Windows 7 as broadcast or non-broadcast. A computer running Windows 7 will attempt to connect to wireless networks in the preferred networks list order, regardless of whether they are broadcast or non-broadcast. Additionally, non- broadcast networks appear last in the list of available networks with the name Other Networks.

Configure Remote Desktop Access on Windows 7 System

Remote Desktop is not enable by default. You must specifically enable it to allow remote access to the workstation. When it is enabled, any member of the Administration group can connect to the workstation. Other users must be placed on a remote access, follow.

In Control Panel, click System And Security and then click System.
On the System page, click Remote Setting in the left pane. This open the System Properties dialog box to the Remote tab.
To disable Remote Desktop, select Don't Allow Connections to this Computer and then click OK. Skip the remaining steps.
To enable Remote Desktop, you have two option. You can:

Select Allow Connections from Computers Running Any Version of Remote Desktop to allow connection from any version of Windows.
Select Allow Connections Only from Computer Running Remote Desktop with Network Level Authentication to allow connections only from Windows 7 or later computers (and computers with secure network authentication).

Click Select Users. This displays the Remote Desktop Users dialog box.
To grant Remote Desktop access to a user, click Add. This opens the Select Users dialog box. In the Select Users dialog box. In the Select Users dialog box, click Locations to select the computer or domain in which the users you want to work with are located. Type the name of a user you want to work with in the Enter The Object Names To Select field and then click Check Name. If matches are found, select the account you want to use and then click OK. If no matches are found, update the name you entered and try searching again. Repeat this step as necessary, and then click OK.
To revoke remote access permissions for a user account, select the account and then click Remove.
Click OK twice when you have finished. Windows Firewall must be configured to allow inbound Remote Desktop exceptions. You can configured to allow inbound Remote Desktop exceptions. You can configure this on a per-computer basis in Windows Firewall for domain profile and the standard profile.

STEP BY STEP INSTALLATION OF WINDOWS SERVER 2008

To use Windows Server 2008 you need to meet the following hardware required.

Component Requirement

Processor:

Minimum:
1 GHz (x86 processor) or 1.4 GHz (x64 processor).
Recommended:
2 GHz or faster Note: An Intel Itanium 2 processor is required for Windows Server 2008 for Itanium-based System.

Memory:

Minimum:
512 MB RAM.
Recommended:
2 GB RAM or greater.
Maximum:
(32-bit system): 4 GB (Standard) or 64 GB (Enterprise and Datacenter)
Maximum (64-bit system):
32 GB (Standard) or 2 TB (Enterprise, Datacenter and Itanium-based System).

Available:

Minimum:
10 GB.
Recommended:
40 GB or greater

Disk Space:

Note:
Computers with more than 16 GB of RAM will require more disk space for paging, hibernation and dump files

Drive:

DVD-ROM:
DVD-ROM is required not CD-ROM.

Display:

VGA:
Super VGA (800 x 600) or higher-resolution monitor, LCD or LED.

Peripherals:

Keyboard Microsoft Mouse or Compatible pointer device.

FOLLOW THIS PROCEDURE TO INSTALL WINDOWS SERVER 2008:

Insert the appropriate Windows Server 2008 Installation Media into your DVD drive. IF you don't have an installation.
Reboot the computer.
When prompted for an installation language and other regional options, make your selection and press Next.
Next, press Install Now to begin the installation process.
Product activation is now also identical with that found in Windows Vista. Enter your Product ID in the next window, and if you want to automatically activate Windows the moment the installation finishes, click Next.
If you do not have the Product ID available right now, you can leave the box empty and click Next. You will need to provide the Product ID later, after the server installation is over. Press No.
Because you did not provide the correct ID, the installation process cannot determine what kind of Windows Server 2008 license you own and therefore you will be prompted to select you correct version in the next screen, assuming you are telling the truth and will provide the correct ID to approve you selection later on.
If you did provide the right Product ID, select the Full version of the right Windows version you are prompted and click Next.
Read and accept the license terms by clicking to select the check box and pressing Next.
In the "Which type of installation do you want?" window, click the only available option - Custom (Advanced).
In the "Where do you want to install Windows?", if you are installing the server on a regular IDE hard disk, click to select the first disk, usually Disk 0, click Next.
If you are installing on a hard disk that's connected to a SCSI controller, click Load Driver and insert the media provided by the controller's manufacturer.
If you must, you can also click Drive Option and manually create a partition on the destination hard disk.
The installation now begins, and you can go and have lunch. Copying the setup files from the DVD to the hard drive only takes about one minute. However, extracting and un-compressing the files takes a good deal longer. After 20 minute, the operating system is installed. The exact time it takes to install server core depends upon your hardware specification. Faster disks will perform much faster installs.. Windows Server 2008 takes up approximately 10 GB of hard drive space.
You remove it before going to lunch, as you will find the server hanged without the ability to boot (you can bypass this by configuring the server to boot from CD/DVD and then from the hard disk in the booting order on the server's BIOS).
Then the server reboots you will be prompted with the now Windows Server 2008 type of login screen. Press CTRL+ALT+DEL to log in.
Click on Other User.
The default Administrator is blank, so just type Administrator and press Enter.
You will be prompted to change the user's password. You have no choice but to press OK.
In the password changing dialog box, leave the default password blank and enter a new, complex, at-least-7-characters-long new password twice. A password like "topsecret" is not valid (it's not complex), but one lick "TOpSecreT" sure is Make sure you remember it.
Someone thought it would be cool to nag you once more, so now you will be prompted to accepted to accept the fact that the password had been changed. Press OK.
Finally, the desktop appears and that's it, you are logged on and can begin working. You will be greeted by an assistant for the initial server configuration, and after performing some initial configuration tasks, you will be able to start working.

ACTIVE DIRECTORY INSTALLATION ON WINDOWS SERVER 2008

To start the installation of active directory is to change the name of the computer to reflect the new status. To do that, log-in to the server and click on the Start button and Right-click on Computer and go to Properties, at the bottom under computer name, domain, and work-group setting, click on the Change Setting:

The System Property window will come up.

Click on the Change tab, and change the computer name to whatever you want.

Click on the OK button, Windows Server 2008 will now reboot.

INSTALLING ACTIVE DIRECTORY DOMAIN SERVICES

Now that we have renamed the computer to something that reflects the new role on Windows Server 2008, we will proceed with the installation of active directory. To install active directory domain services, go to Start and on Server Manager.

The server manager window will come up:

The Select Server Role window will come up:

Make sure the Active Directory Domain Services option is checked.

Click on Next after checking the option.

Active directory domain services (AD DS) is something new on Windows Server 2008. On the following window you can read a small introduction about it. Click next when you finish reading.

You will be asked to confirm the installation of domain services:

Click on Install to start the installation.

You should receive the Installation Results window after the installation completes

Note: This only installs Active Directory domain services, it does not make Windows Server 2008 a domain controller, for that we will need to run the DCPROMO wizard.

INSTALLING ACTIVE DIRECTORY DOMAIN CONTROLLER

After Active Directory Domain Services have been installed, you should return to the Server Role Interface, click on Active Directory Domain Service:

One the window that pops up, you will see a summary message that reads, "This server is not yet running as a domain controller: RunActive Directory Domain Services Installation Wizard (depromo.exe)

Click on the blue link.

By clicking on the blue link, the depromo.exe wizard should come up.

Make sure "Use advanced mode installation" option is checked and click Next.

Read the provided information on the next screen, that explains some new features on Windows Server 2008 domain services that might affect older Windows operating system and non Microsoft SMB clients on an existing domain.

Click Next after you read the warning.

One the next window choose your deployment configuration.

Because this is my first domain controller, I will choose the "Create a new domain in a new forest" option.

Click on Next.

Choose the mane for your forest root domain on next window appear, click Next after choosing your fully qualified Domain Name:

The wizard will check if that forest name is already in used: after a few second, the wizard will ask you to enter the NetBIOS name: the default NetBIOS name should be fine. Click on the Next, and choose the Forest Functional Level:

I will choose Windows Server 2003 as my functional level. Choosing Windows Server 2008 functional level does not provide any new features over the Windows 2003 forest function level. However, it ensures that any new domain created in the forest will automatically operate at the Windows Server 2008 domain functional level, which does provide unique features, click on Next.

If DNS is not installed on your system, choose the DNS Server option, and click on Next.

If your server does have static IP address assigned on the server, you might get the warning: as you can see, having dynamic assigned IP address is not recommended, use static IP addresses for servers whenever is possible choose your option and click Next.

If you get the warning then click on OK button. Choose the location of the AD database on the screen: Leave the default settings and click on Next.

Enter your the password for your Restore Mode Administrator on the screen. Click Next after entering the password, you should get the Summary page, and click Next.

damn it!! I got an error saying I need to install DNS manually..

This is the first time I let the dpromo.exe to configure DNS for me, and I kind of was expecting for this error, that will be the subject of the need article.

Click OK on the error for now, after a while, you should get the completion Windows, click on Finish.

You will need to reboot the computer, go ahead and restart the computer and if you need to install DNS do so after the reboot.

INSTALL A DNS SERVER IN WINDOWS SERVER 2008

INSTALLATION

You can install a DNs server from the Control Panel or when promoting a member server to a domain controller (DC).

During the promotion, if''a DNS server is not found, you will have the option if installing it.

To install a DNS server from the Control Panel, follow these steps:

From the Start menu, select + Control Panel + Administrative Tools + Server Manager.
Expand and click Roles.
Choose Add Roles and follow the wizard by selecting the DNS role.
Click Install DNS in Windows Server 2008

DNS Console & Configuration

After installing DNS, you can find the DNS console from Start + All Programs + Administrative Tools + DNS. Windows 2008 provides a wizard to help configure DNS.

When configuring you DNS server, you must be familiar with following concepts:

Forward look-up zone
Reverse look-up zone
Zone types

A forward lookup zone is simply a way to resolve host names to IP addresses. A reverse look-up zone allows a DNS server to discover the DNS name of the host. Basically, it is the exact opposite of a forward look-up zone. A reverse look-up zone is not required, but it is easy to configure and will allow for you Windows Server 2008 Server to have full DNS functionality.

When selecting a DNS zone type, you have the following options. Active Directory (AD) Integrated, Standard Primary and Standard Secondary. AD Integrated stores the database information in AD and allows for secure updates to the database file. This option will appear only if AD is configured. If it is configured and you select this option, AD will store and replicate you zone file.

A standard Primary zone stores the database in a text file. This text file can be shared with other DNS servers that store their information in a text file. Finally, a Standard Secondary zone simply creates a copy or the existing database from another DNS server. This is primarily used for load balancing.

To open the DNS server configuration tool:

Select DNs from the Administrative tools folder to open the DNS console.
Highlight your computer name and choose Action + Configure a DNS Server' to launch the Configure DNS Server Wizard.
Click Next and choose to configure the following: forward look-up zone, forward and reverse look-up zone, root hints only.
Click Next and then click Yes to create a forward look-up zone.
Select the appropriate radio button to install the desired Zone Type.
Click Next and type the name of the zone you are creating.
Click Next and then click Yes to create a reverse lookup zine.
Repeat Step 5.
Choose whether you want an IPv4 or IPv6 Reverse Look-up Zone.
Click Next and enter the information to identify the reverse lookup zone.
You can choose to create a new file or use an existing DNS file.
On the Dynamic Update window, specify how DNS accepts secure, nonsecure, or no dynamic updates.
If you need to apply a DNS forwarder, you can apply it on the Forwarder window.
Click Finish.

MANAGING DNS RECORDS

You have now installed and configured you first DNS server and you are ready to add records to the zone(s) you created. There are various types of DNS records available. Many of them you will never various types of DNS records available. Many of them you will never use. We will be looking at these commonly used DNS records:

Start of Authority (SOA)
Name Servers
Host (A)
Pointer (PTR)
Canonical Name (CNAME) or Alias
Mail Exchange (MX)

START OF AUTHORITY (SOA) RECORD

The Start of Authority (SOA) resource record is always first in any standard zone. The Start of Authority (SOA) tab allows you to make any adjustments necessary. You can change the primary server that holds the SOA record, and you can change the person responsible for managing the SOA. Finally, one of the most important features of Windows 2000 is that you can change your DNS server configuration without deleting your zones and having to re-create the wheel

NAME SERVERS

Name Servers specify all name servers for a particular domain. You set up all primary and secondary name servers through this records.

To create a Name Server, follow these steps:

Select DNS from the Administrative Tools folder to open the DNS console.
Expend the Forward Look-up Zone.
Right - click on the appropriate domain and choose Properties.
Select the Name Server tab and click Add.
Enter the appropriate FQDN Server name and IP address of the DNS server you want to add.

HOST (A) RECORDS

A Host (A) record maps a host name to an IP address. These records helps you easily identify another server in a forward look-up zone. Host records improve query performance in multiple-zone environments, and you can also create a Point (PTR) record at the same time. A PTR record resolves an IP address to a host name.

To create a Host record:

Select DNS from the Administrative Tools folder to open the DNS console.
Expand the Forward Look-up Zone and click on the folder representing your domain.
From the Action menu, select New Host.
Enter the Name and IP Address of the host you are creating.
Select the Create Associated Pointer (PTR) Record check box Otherwise, you can creat it later.
Click the Add Host button.

POINTER (PTR) RECORDS

A Pointer (PTR) record creates the appropriate entry in the reverse look-up zone for reverse queries. You have the option of creating a PTR record when creating a Host record. If you did not choose to create your PTR record at that time, you can do it at any point.

To create a PTR record:

Select DNS from the Administrative Tools folder to open the DNS console.
Choose the reverse look-up zone where you want your PTR record created.
From the Action menu, select New Pointer.
Enter the Host IP Number and Host Name.
Click OK.

CANONICAL NAME (CNAME) OR ALIAS RECORDS

A Canonical Name (CNAME) or Alias record allows an DNS server to have multiple names for a single host. For example, and Alias record can have several records that point to a single server in your environment. This is a common approach if you have both your Web server and your mail server running on the same machine.

To create a DNS Alias:

Select DNS from the Administrative Tools folder to open the DNS console.
Expand the Forward Look-up Zone and highlight the folder representing your domain.
From the Action menu, select New Alias.
Enter your Alias Name.
Enter the fully qualified domain name. (FQDN).
Click OK.

MAIL EXCHANGE (MX) RECORDS

Mail Exchange records help you identify mail servers within a zone in your DNS database. With this feature, you can prioritize which mail servers will receive the highest priority. Creating MX record with help you keep track of the location all of your mail servers.

To create a Mail Exchange (MX) record:

Select DNS from the Administrative Tools folder to open the DNS console.
Expand the Forward Look-up Zone and highlight the folder representing your domain.
From the Action menu, select New Mail Ex-changer.
Enter the Host or Domain.
Enter the Mail Server and Mail Server Priority.
Click OK.

OTHER NEW RECORDS

You can create many other types of records. For a complete description, choose Action + Other New Record from the DNS console. Select the record of your choice and view the description.

TROUBLESHOOTING DNS SERVERS

When troubleshooting DNS servers, the nslookup utility will become your best friend. This utility is easy to use and very versatile. It's command-line utility that is included within Windows 2008. With nslookup, you can perform query testing of your DNS server. This information is useful in troubleshooting name resolution problems and debugging other server-related problems. You can access nslookup right from the DNS console.

To get ready to manage user accounts in Windows SBS 2008, familiarise yourself with the following terms and definitions. These key terms are associated with managing user accounts in Windows SBS 2008.

WINDOWS SBS CONSOLE

Use the Windows SBS Console to accomplish network administration tasks and to manage the computers and devices on your network.

USER ROLES

Standardise common user properties (such as group memberships, Window (R) SharePoint(R) Service site groups disk quotas, and company address information for new user accounts) with these user account templates. Creating a user account that is based on a user role reduces the need to manually enter account properties. By7 default, Windows SBS 2008 includes three user roles; Standard User, Network Administrator and Standard User with administration links.

PASSWORD POLICIES

Use this set of rules to help you enhance the security of you Windows SBS 2008 network. Setting password policies forces the network users to employ strong passwords. In Windows SBS 2008, these password polices are configured by default during installation.

REMOTE WEB WORKPLACE

Enables users to access important features of Windows SBS 2008 when they are away from the office. By using the Remote Web Workplace, users can check e-mail and calendars, connect to their computers at work, use shared applications and access the company's internal Web site. Users can access all of these features by using a Web browser from any Internet-enabled computer (such as a home computer, Internet kiosk, or laptop) and navigating to the external address of the computer running Windows SBS 2008.

INTERNAL WEB SITE

Enable domain users to share information (such as documents, photographs and upcoming events) from a central location. Windows SBS 2008 provides a pre-configured internal Web sit (an intranet) that is based on Windows SharePoint Services. This Web site is available from within the company network at http://companyweb/.

SECURITY GROUP

Enables you to control access to files, folders, and application data. For example, if you have a shared printer on your network that you want only certain users to access, create a security group for the printer.

DISTRIBUTION GROUP

Enables you to send e-mail messages to a specific group of people. For example, if you want to send network reports to certain users, create a distribution group that consists of those user accounts.

This document includes topics that can help you understand, configure, and manage your user accounts in Windows SBS 2008. This information is presented in the following sections:

IMPLEMENT STRONG PASSWORDS

Password policies are a set of rules that can enhance the security of you Windows SBS 2008 network. Using strong password provides an additional layer of defense against an un-authorised user gaining access to your network.

To help implement strong passwords, password polices are enabled by default in Windows SBS 20008 during installation. You can ensure that users implement strong passwords by enforcing password policies in your network.

The password policies in Windows SBS 2008 include the following:

MINIMUM LENGTH

Enable this policy to determine the least number of characters that a password can contain. Setting a minimum length helps protect your network by preventing users from having short or blank passwords. The default is eight characters.

COMPLEXITY

Enable this policy to determine whether passwords must contain different types of characters. If this policy is enabled, passwords cannot contain all or part of a user's account name, and it must contain characters from three of the following four categories:

English uppercase characters ( A through Z)
English lowercase characters (a through z)
Numerals (0 through 9)
Non-alphanumeric characters (such as !, $. #, %)

MAXIMUM AGE

Enable this policy to determine the period of time (in days) that a password can be used before the system requires that the user change it. the default is 180 days.

EDUCATE USERS

After implementing strong password policies, educate users about strong and weak passwords. Ask users to treat their password as they would private information, such as credit card personal identification number (PIN).

Following are typical guidelines for creating a strong password. When implemented, they provide protection for your local network.

A password should not include any of the following.

All or part of the user's account name.
User's name or e-mail alias.
Name of the user's child, parent, spouse / partner or friend.
Any word found in a dictionary.
Old password that is reused by appending numbers.
User's birth date.
User's phone number.
User's Social Security Number or other identification number.
Any easily obtained personal information (for example, a city of birth).

A strong password consists of the following:
At least eight characters.
Characters from three of the following four categories.:

Uppercase letters (A through Z).
Lowercase letters (a through z).
Numbers (0 through 9),
Non-alphanumeric character (for example) !, $, #, %).

CREATING A NEW COMPUTER ACCOUNT

To create a new computing account using the Windows interface

To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
In the console tree, right-click Computers.

Where?

Active Directory Users and Computer \ domain \ computers

Or

Right click the folder in which you want to add the Computer.

Point to New, and then click Computer.
Type the computer name.

ADDITIONAL CONSIDERATIONS

To perform this procedure, you must be member of the Account Operators group, Domain Admins group, or Enterprise Admins group in Active Directory Domain Services (AD DS), or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
Another way to open Active Directory Users and Computers to click Start, click Run, and then type dsa.msc.
By default, members of the Account Operators group can create computer accounts in the Computers container and in new organisational units (OUs).
By default, Authenticated Users in a domain are assigned the Add workstation to a domain user right, and they can create up to 10 computer accounts in the domain.
There are two additional ways to give a user or group permission to add a computer to domain:

Use a Group Policy object to assign the Add Computer User permission.
On the OU, assign the user or group to Create Computer Objects permission.

You can also perform the task in this procedure by using the Active Directory module for Windows Power Shell. To open Active Directory module, click Start, click Administrative Tools, and then click Active Directory Module for Windows Power Shell. For more information see Create a New Computer Account.

To open a command prompt, click Start, click Run, type cmd, and then click OK.
Type the ABOVE command, and then press ENTER.

HOW TO SET GROUP POLICY IN WINDOWS SERVER 2008

I need to apply group policy to several computers in a Windows Server 2008 domain. After running gpmc.msc, we can see Default Domain Policy and Default Domain Controller Policy.

Default Domain Policy is linked to the domain object and affects all users and computer in the domain (including computers that are domain controllers) through policy inheritance.

Default Domain Controllers Policy is linked to the Domain Controllers OU. This policy generally affects only domain controllers are kept in the Domain Controllers OU.

GROUP POLICY AND THE ACTIVE DIRECTORY

In Window Server 2008, administrators use Group Policy to enhance and control users' desktops. To simplify the process, administrators can create a specific desktop configuration that is applied to groups of users and computers. The Windows Server 2008 Active Directory service enables Group Policy. The policy information is stored in Group Policy Objects (GPOs), which are linked to selected Active Directory containers: sites, domains, and organisational units (OUs).

A GPO can be used to filter objects based on security group membership, which allows administrators to manage computers and users in either a centralised or a de-centralised manner. To do this, administrators can use filtering based on security groups to define the scope of Group Policy management, so that Group policy can be applied centrally at the domain level, or in a decentralised manner at the OU level, and can then be filtered again by security groups. Administrator can use security groups in Group Policy to:

Filter the scope of a GPO. This defines which groups of users and computers a GPOI affects.
Delegate control of a GPO. There are two aspects to managing and delegating Group Policy: managing the group policy links and managing who can create and edit GPOs.

Administrators use the Group Policy Microsoft Management Console (MMC) snap-in to manage policy settings. Group Policy includes various features for managing these policy setting. In addition, third parties can extend Group Policy to host other policy settings. The data generated by Group Policy is stored in a Group Policy Object (GPO), which is replicated in all domain controllers within a single domain.

The Group Policy snap-in includes several MMC snap-in extensions, which constitute the main nodes in the Group Policy snap-in. The extensions are as follows:

Administrative Templates:
These include registry-based Group Policy, which you use to mandate registry setting that govern the behavior and appearance of the desktop, include the operating system components and application.
Security Setting:
You use the Security Settings extension to set security options for computers and users within the scope of a Group Policy Object. You can define local computer, domain and network security setting.
Software Installation:
You can use the Software Installation snap-in to centrally manage software in your orgainsation. You can assign and publish software to users and assign software to computers.
Scripts:
You can use scripts to automate computer start-up and short-down and user log-on and log-off. You can use any language supported by Windows Script Host. These include the Microsoft Visual Basic development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS-style batch files (.bat and .cmd).
Remote Installation Services:
You use Remote Installation Services (RIS) to control the behavior of the Remote Operating System Installation feature as displayed to client computers.
Internet Explorer Maintenance:
You use Internet Explorer Maintenance to manage and customise Microsoft Internet Explorer on Windows Server 2008-based computers.
Folder Redirection:
You use Folder Redirection to redirect Windows Server 2008 special folders from their default user profile location to an alternate location on the network. These special folders include My Documents, Application Data, Desktop and the Start menu.

HIERARCHY OF GROUP AND THE ACTIVE DIRECTORY

Group Policy objects are linked to site, domain, and OU containers in the Active Directory. The default order of precedence follows the hierarchical nature of the Active Directory: sites are first, then domains, and then each OU. A GPO can be associated with more than one Active Directory container or multiple containers can be linked to a single GPO.

PREREQUISITES & INITIAL CONFIGURATION

Prerequisites

This Software Installation and Maintenance document is based on Step-by Step to a Common Infrastructure for Window Server 2008 Server Deployment.

Before using this guide, you need to build the common infrastructure as described in the document above. This infrastructure specifies a particular hardware and software configuration. If you are not using the common infrastructure, you must take this into account when using the guide.

GROUP POLICY SCENARIOS

Note that this document does not describe all of the possible Group Policy scenarios. Please use this instruction set to begin to understand how Group Policy works and begin to think about how your organisation might use Group Policy to reduce its TCO. Other Windows Server 2008 features, including Security Settings and Software Installation and Maintenance, are built on Group Policy. To learn how to use Group Policy in those specific scenarios, refer to the white papers and Windows Server 2008 Server online help on Windows Server 2008 Security and Software Installation and Maintenance, which are available on the Windows Server 2008 Web site.

IMPORTANT NOTES

The Example Company, organisation, products, people, and events depicted in this guide are fictitious. No association with any real company, organisation, product, person or event is intended or should be inferred.

This common infrastructure is designed for use on a private network. This fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or Internet.

The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2008 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring an Active Directory service for any organisation - for such information see the Active Directory documentation.

Group Policy Snap-in Configuration

Group policy is tied to the Active Directory service. The Group Policy snap-in extends the Active Directory management tools using the Microsoft Management Console (MMC) snap-in extension mechanism.

Active Directory snap-ins the set the scope of management for Group Policy. The most common way to access Group Policy is by using the Active Directory User and Computers snap-in, for setting the scope of management to domain and organisational units (OUs). You can also use the Active Directory Sites and Services snap-in to set the scope of management to a site. These two tools can be accessed from the Administrative Tools program group; the Group Policy snap-in extension is enabled in both tools. Alternatively, you can create a custom MMC console, as described in the next section.

CONFIGURING A CUSTOM CONSOLE

The examples in this document use the custom MMC console that you can create by following the procedure in this section. You need to create this custom console before attempting the remaining procedures in this document.

Note: If you want more experience building MMC consoles, run through the procedures outlined in "Step-by-Step Guide to Microsoft Management Console."

TO CONFIGURE A CUSTOM CONSOLE

Log on to the HQ-RES-DC-01 domain controller server as an administrator.
Click Start, click Run, type MMC, and then click OK.
On the Console menu, click Add / Remove Snap-in.
In the Add / Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, in the Available standalone snap-ins list box, click Active directory users and computers, and then click Add.
Double-click Active directory sites and services snap-in from the Available Standalone snap-ins list box.
In the Available Standalone snap-ins list box, double-click Group Policy.
In the Select Group Policy object dialog box, Local computer is selected under Group Policy Object. Click Finish to edit the local Group Policy object, click Close in the Add standalone snap-in dialog box.
In the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure that the Add all extensions check box is checked for each primary extension added to the MMC console (these are checked by default). Click OK.

TO SAVE CONSOLE CHANGES

In the MMC Console, on the Console menu, click Save.
In the Save As dialog box, in the File name text box, type GPWalkthrough, and then click Save.

ACCESSING GROUP POLICY

You can use the appropriate Active Directory tools to access Group Policy while focused on any site, domain or OU;

To open Group Policy from Active Directory Sites and Services

In the GPWalkthrough MMC console, in the console tree, click the + next to Active Directory Site and Services.
In the Console tree, right-click the site for which to access Group Policy.
Click Properties, and click Group Policy.

To open Group Policy from Active Directory User and Computers

In the console tree in the GPWalkthrough MMC console, click the + next to Active Directory Users and Computers.
In the console tree, right-click either the reskit domain or the OU for which to access Group Policy.
Click Properties, and click Group Policy.

To access Group Policy scoped to a specific computer (or the local computer), you must load the Group Policy snap-in into the MMC console namespace targeted at the specific computer (or local computer). There are two major reasons for these differences:

Sites, domains and OUs can have multiple GPOs linked to them; these GPOs require an intermediate property page to manage them.
A GPO for a specific computer is stored on that computer and not in the Active Directory.

TO SCOPE GROUP POLICY FOR A DOMAIN OR OU

Click Start, point to Programs, click Administrative Tools, and click GPWalkthrough to open the MMC console you created earlier.
Click the + next to Active Directory Users and Computers to expand the tree.
Click the + next to reskit.com to expand the tree.
Right-click either the domain ( reskit.com) or an OU, and click Properties.
Click the Group Policy tab.

This displays a property page where the GPOs associated with the selected Active Directory container can be managed. You use this property page to add, edit, delete (or remove), and disable GPOs; to specify No Override options; and to change the order of the associated GPOs. Selecting Edit starts the Group Policy snap-in. More information on using the Group Policy snap-in can be found later in this document.

Note:

The Computers and Users containers are not organisational units; therefore, you cannot apply Group Policy directly to them. Users or computers in these containers receive policies from GPOs scoped to the domain and site object only. The domain controller container is a OU, and Group Policy can be applied directly to it.

SCOPING LOCAL OR REMOTE COMPUTERS

To access Group Policy for a local or a remote computer, you add the Group Policy snap-in to the MMC console, and focus it on a remote of computer. To access Group Policy for the local computer, use the GPWalkthrough console created earlier in this document and choose the Local Computer Policy node. You can add other computers to the console namespace by adding another Group Policy snap-in to the GPWalkthrough console, and click the Browse button when the Select Group Policy object dialog box is displayed.

Note:

Some of the Group Policy extensions are not loaded when Group Policy is run against a local GPO.

CREATING A GROUP POLICY OBJECT

The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in turn associated with selected Active Directory objects, such as sites, domains, or organisational units (OUs).

TO CREATE A GROUP POLICY OBJECT (GPO)

Open the GPWalkthrough MMC console.
click the + next to Active Directory Users and computer, and click the reskit.com domain.
Click the + next to Accounts to expand the tree.
Right-click Headquarters, and select Properties from the context menu.
In the Headquarters Properties page, click the Group Policy tab.
Click New, and type HQ Policy.
The Headquarter Properties page appear.

At this point you could add another GPO for the Headquarters OU, giving each one that you create a meaningful name, or you could edit the HQ Policy GPO, which starts the Group Policy snap-in for that GPO. All Group Policy functionality is derived from the snap-in extensions. In this exercise, all of these extensions are enabled. It is possible--using standard MMC methods--to restrict the extension snap-ins that are loaded for any given snap-in. For information on this capability, see the Windows Server 2008 Server Online Help for Microsoft Management Console.

There is also a Group Policy that you can use to restrict the use of MMC snap-in extensions. To access this policy, navigate to the System\Group Policy node under Administrative Templates. Use the Explain tab to learn more about the use of these policies.

If you have more than one GPO associated with an Active Directory folder, verify the GPO order; a GPO that is higher in the list has the highest precedence. Note that GPOs higher in the list are processed last (this is what gives them a higher precedence). GPOs in the list are objects; they have context menus that you use to view the properties of each GPO. You can use the context menus to obtain and modify general information about GPO. This information includes Discretionary Access Control Lists (DACLs, which are covered in the Security Group Filtering section this document), and lists the other site domain, or OUs to which this GPO is linked.
Click Close.

MANAGING GROUP POLICY

To manage Group Policy, you need to access the context menu of a site, domain or OU, select Properties, and then select the Group Policy tab. This displays the Group Policy Properties page. Please note the following:

This page displays any GPOs that have been associated with the currently selected site, domain or OU. The links are object; they have a context menu that you can access by right-clicking the object. (Right-clicking the white space displays a context menu for creating a new link, adding a link, or refreshing the list).
This page also shows an ordered GPO list, with the highest priority GPO at the top of the list. You can change the list order by selecting a GPO and then using the UP or Down buttons.
To associate (link) a new GPO, click the Add button.
To edit an existing GPO in the list, select the GPO and click the Edit button, or just double-click the GPO. This starts the Group Policy snap-in , which is how the GPO is modified. This is described in more detail later in this document.
To permanently delete a GPO from the list, select it from the list and click the Delete button. Then, when prompted, select Remove the link and delete the Group Policy object permanently. Be careful when deleting an object, because the GPO may be associated with another site, domain, or OU. If you want to remove a GPO from the list, select the GPO from the links list, click Delete, and then when prompted, select Remove the link from the list.
To determine what other sites, domain or OUs are associated with a given GPO, right-click the GPO, select Properties from the context menu, and then click the Links tab in the GPO Properties page.
The No override check column the marks the selected GPO as one whose policies cannot be overridden by another GPO.

Note:

You can enable the No Override property on more than precedence over all other GPOs not marked. Of those GPOs marked as No override, the GPO with the highest priority will be applied after all the other similarly marked GPOs.

The Disabled check box simply disables (deactivates) the GPO without removint it from the list. To remove a GPO from the list, select the GPO from the links list, click Delete, and then select Remove the link from the list in the Delete dialog box.
It is also possible to disable only the User or Computer portion of the GPO. To do this, right-click the GPO, click Properties, click either Disable computer configuration settings or Disable user configuration settings, and then click OK. These options are available on the GPO Properties page, on the General tab.
The Block policy inheritance check box has effect of negating all GPOs that exist higher in the hierarchy. However, it cannot block any GPOs that are enforced by using No override check box; those GPOs are always applied.

Note:

Policy settings contained within the local GPO that is not specifically overridden by domain-based policy setting are also always applied. Block Policy Inheritance at any level will not remove local policy.

EDITING A GROUP POLICY OBJECT

You can use the custom console to edit a GPO. You will need to log on to the HQ-RES-DC-01 server as an Administrator, if you have not already done so.

To edit a Group Policy Object (GPO)

Click Start, point to Programs, click Administrative Tools, and the select GPWalkthrough.
Click the + next to Active Directory Users and Computers, click the reskit.com domain, and then click the Account OU.
Right-click Headquarters, select Properties, and then click the Group Policy tab. HQ Policy in the Group Policy object links list box should be highlighted.
Double click the HQ policy GPO (or click Edit).

This open the Group Policy snap-in focused on a GPO named HQ Policy, which is linked to the OU named Headquarters.

EDITING OR BROWSING A GROUP POLICY OBJECT

The Add a Group Policy Object Link dialog box shows GPOs currently associated with domains, OUs, sites, or all GPOs without regard to their current association (links). The Add a Group Policy Object Link dialog box is shown.

Add a Group Policy Object Links

GPOs are stored in each domain. The Look in drop-down box allows you to select a different domain to view.
In the Domain/OUs tab, the list box displays the sub-OUs and GPOs for the currently selected domain or OU. To navigate the hierarchy, double-click a sub-OU or use the Up one level toolbar button.
To add a GPO to the currently selected domain or OU, either double-click the object, or select it and click OK.
Alternatively, you can create a new GPO by clicking the All tab, right-clicking in the open space, and selecting New on the context menu, or by using the Create New GPO toolbar button. The Create New GPO toolbar button is only active in the All tab. To create a new GPO and link it to a particular site, domain, or OU, use the New button on the Group Policy Property page.

Note:It is possible to create two more GPOs with the same name. This is by design and is because the GPOs are actually stored as GUIDs and the name shown is a friendly name stored in the Active Directory.
In the Sites tab, all GPOs associated with the selected sites are displayed. Use the drop-down list to select another site. There is no hierarchy of sites.
The All tab shows a flat list of all GPOs that are stored in the selected domain. This is useful when you want to select a GPO that you know by name, rather than where it is currently associated. This is also the only place to create a GPO that does not have a link to a site, domain, or OU.
To create an unlinked GPO, access the Add a Group Policy Link dialog boxfrom any site, domain or OU. Click the All tab, select the toolbar button or right-click the white space, and select New. Name the new GPO, and the click Enter, and then click Cancel---do not click OK. Clicking OK links the new GPO to the current site, domain, or OU. Clicking Cancel creates an un-linked GPO.

REGISTRY-BASED POLICY

The user interface for registry-based policy is controlled by using Administrative Template (.adm) files. These files describe the user interface that is displayed in the Administrative Templates node of the Group Policy snap-in. These files are format-compatible with the .adm files used by the System Policy Editor tool (poledit.exe) in Microsoft Windows NT 4.0. With Windows Server 2008, the available options have been expanded.

Note:

Although it is possible to add any . adm file to the namespace, if you use an .adm file from a previous version of Windows, the registry keys are unlike to have an effect on Windows Server 2008, or actually set preference setting and mark the registry with these settings; that is, the registry setting persist.

By default, only those policy settings defined in the loaded .adm files that exist in the approved Group Policy trees are displayed; these settings are referred to as true policy.This means that the .adm file that set registry keys outside of the Group Policy trees; such items are referred to as Group Policy preferences. The approved Group Policies.

\Software\Policies

\Software\Microsoft\\Windows\CurrentVersion\Policies

A Group Policy called Enforce Show Policies Only is available in User Configuration\Administrative Templates, under the System\Group Policy nodes. If you set this policy to Enabled, the Show policy only command is turned on and administrators cannot not turn it off, and the Group Policy snap-in displays only only true policies. IF you set this policy to Disabled or Not Configured, the Show policies only command is turned on by default; however, youu can view preferences by turning off the Show policies only command. To view preferences, you must turn off the Show Policies only command, which you access by selecting the Administrative Templates node (under either User Configuration or Computer Configuration nodes), and then clicking the View menu on the Group Policy console and clearing the Show policy only check box. Note that it is not possible for the selected stat for this policy to persist; that is there is no preference for this policy using.

In Group Policy, preferences are indicated by a red icon to distinguish them from true policies, which are indicated by a blue icon.

Use of non-policies within the Group Policy infrastructure is strongly discouraged because of the persistent registry settings behavior mentioned previously. To set registry policies on Windows NT 4.0, and Windows 95 and Windows 98 clients, use the Windows.NT 4.0 System Policy Editor tool, Poledit.exe.

By default the System.adm, Inetres.adm, and Conf.adm files are loaded and present this namespace as shown.

ADDING ADMINISTRATIVE TEMPLATES

The .adm files include the settings:

System.adm; Operating system setting.
Inetres.adm; Internet Explorer restrictions
Conf.adm; NetMeeting settings

ADDING ADMINISTRATIVE TEMPLATES

The .adm files consists of a hierarchy of categories and subcategories that together define how options are organised in the Group Policy user interface.

TO ADD ADMINISTRATIVE TEMPLATES (.adm files)

In the Group Policy console double-click Active Directory Users and Computers, select the domain or OU for which you want to set policy, click Properties and then click Group Policy.
In the Group Policy properties page, select the Group Policy Object you want to edit from the Group Policy Object Links list, and click Edit to open the Group Policy snap-in.
In the Group Policy console, click the plus sign (+) next to either User Configuration or Computer Configuration. The .adm file defines which of these locations the policy is displayed in, so it does not matter which node you choose.
Right-click Administrative Templates, and select currently active templates files for this Active Directory container.
Click Add. This shows a list of the available .adm files in the %systemroot%\inf directory of the computer where Group Policy is being run. You can choose an .adm file is copied into the GPO.

To Set Registry-Based Setting Using Administrative Templates

In the GPWalkthrough console, double-click Active Directory Users and Computers, double-click the reskit.com domain, double-click Accounts. right-click the Headquarter OU, and then click Properties.
In the Headquarter Properties dialog box, click Group Policy.
Double-click the HQ PolicyGPO from the Group Policy Object Links list to edit the HQ Policy GPO.
In the Group Policy console, under the User Configuration mode, click the plus sign (+) next to Administrative Templetes.
Click Start Menu & Taskbar. Note that the details pane shows all the policies as Not configured.
In the details pane, double-click the Remove Run Menu From the Start Menu policy.
In the Remove Run menu from Start Menu dialog box, click Enable.
Note:
The Previous Policy and Next Policy buttons in the dialog box. You can use these buttons to navigate the details pane to set the state of other policies. You can also leave the dialog box open and click another policy in the details pane of the Group Policy snap-in. After the details pane has the focus, you can use the Up & Down arrow keys on the keyboard and press Enter to quickly browse through the settings (or Explain tabs) for each policy in the selected node.
Click OK. Note the change in state in the Setting column, in the details pane. This change is immediate; it has been saved to the GPO. If you are in a replicated domain controller (DC) environment, this action sets a flag that triggers a replication cycle.

If you log on to a workstation in the reskit.com domain with a user from the Headquarters OU, you will note that the Run menu has been removed.

At this point, you may want to experiment with the other available policies. Look at the text in the Explain tab for information about each policy.

SCRIPTS

You can set up scrits to run when users log on or log off, or when the system starts up or shuts down. All scripts are Windows Script Host (WSH)-enabled. As such, they may include Java Scripts or VB Scripts, as well as .bat and .cmd files. Links to more information on the Windows Script Host are located in the More Information section at the end of this document.

Setting Up a Logon Script

Use this procedure to add a script that runs when a user logs on.
Note:
This procedure uses the Welcome2000.js script described in Appendis A of this document, which includes instructions for creating and saving the script file. Before performing the procedure for setting up logon scripts, you need to create the Welcome2000.js script file and copy it to the HQ-RES-DC-01 domain controller.

To Set Up Logon Scripts

In the GPWalkthrough console, double-click Active Directory Users and Computers, right-click the reskit.com domain, click Properties, and then click Group Policy.
In the Group Policy properties page, select the Default Domain Policy GPO from the Group Policy Objects links list, and click Edit to open the Group Policy snap-in.
In the Group Policy snap-in, under User Configuration, click the + next to Windows Settings and then click the Scripts (Logon/Logoff) node.

In the details pane, double click Logo

The Logon Properties dialog box displays the list of scripts that run when affected users log on. This is an ordered list, with the script that is to run first appearing at the top of the list. You can change the order by selecting a script and then using the Up or Down buttons.
To add a new script to the list, click the Add button. This displays the Add a Script dialog box. Browsing from this dialog allows you to specify the name of an existing script located in the current GPO or to browse to another location and select it for use in this GPO. The script file must be accessible to the user at logon or it does not run. Scripts in the current GPO are automatically availble to the user. You can create a new script by right-clicking the empty space and selecting New, the selecting a new file.
Note:
If the View Folder Option for this folder are set to Hide file extensions for known file types, the file may habe an unwanted extension that prevents it from being run.
To edit the name or the parameters of an existing script in the list, select it and click the Edit button. This button does not allow the script itself to be edited. That can be done through the Show Files buttons
To remove a script from the list, select it and click Remove.
The Show Files button displays an Explorer view of the scripts for the GPO. This allows quick access to these files or to the place to copy support files to if the script files require them. If you change a script file name from this location, you must also use the Edit button to change the file name or the script cannot execute.

Click on the Start menu, click Programs, click Accessories, click Windows Explorer, navigate to the Welcome2000.js file (use Apendix A to create the file), and then right click the file and select Copy.
Close Windows Explorer.
In the Logon Properties dialog box, click the Show Files button, and paste the Welcome2000.js script into thed default file location.
Close the Logon Window.
Click the Add button in the Logon Properties dialog box.
In the Add a Script dialog box, click Browse, then in the Browse dialog boxk, double-click the Welcome2000.js file.
Click Open.
In the Add a Script dialog box, click Ok (no script parameters are needed), and then click Ok again.

You can then logon to cl;ient workstation that has a user in the Headquarters OU, and verify that the script is run when the user logs on.

Setting Up a Logoff or Computer Startup or Shutdown Script

You can use the same procedure outlined in the preceding section to setup scripts that run when a user logs off or when a computer start up or is shut down. For logoff scripts, you would select Logoff in step 4.

Other Script Considerations

By default, Group Policy scripts that run is a command Window (such as .bat or .cmd files) run hidden, and legacy scripts (those defined in the user object are by default visible as they are processed (as was the case for Windows NT 4.0), although there is a Group Policy that allows this visibility to be changed. The policy for users is called Run logon scripts visible or Run logoff script visible, and is accessed in the User Configuration\Administrative Templates node, under System\Logon/Logoff. For example, the policy is Run startup scripts visible and can be accessed in the Computer Configuration\Administrative Templates node, under System\Logon.

Security Group Filtering

You can refine the effect of any GPO by modifying the computer or user membership in a security group. To do this, you use the Security tab to set Discretionary Access Control Lists (DACLs) for the properties of a GPO. DACLs are used for performance reasons, the details of which are contained in the Group Policy technical paper referenced earlier in this document. This feature allows for tremendous flexibility in designing and deploying GPOs and the policies they contain.
By default, all GPOs affect all users and machines that are contained in the linked site, domain, or OU. By using DACLs, the effect of any GPO can be modified to exclude or include the members of any security group.
You can modify a DACL using the standard Windows Server 2008 Security tab, which is accessede from the Properties page of any GPO.

To access a GPO Properties page from the Group Policy Properties page of a Domain or OU

In the GPWalkthrough console double-click Active Directory Users and Computers, double-click the reskit.com domain, double-click Accounts, right-click the Headquarters OU,and the click Properties.
In the Headquarters Properties dialog, click Group Policy.
Right-click the HQ Policy GPO from the Object links list and select Properties from the context menu.
in the Properties page, click the Security tab. This displays the standard Security properties page.
You will see security groups and users based on the Common Infrastructure. For more information, see the Windows Server 2008 step-by-step guide, A Common Infrastructure for Change and Configuration Management. Make sure that you have completed the appropriate steps in that document before continuing.
In the Security property page, click Add.
In the Select Users, Computers and Groups dialog box, select the Management group from the list, click Add, and click OK to close the dialog.
In the Security tab of the HQ Policy Properties page, select the Management group and view the permissions. By default, only the Read Access Control Entry (ACE) is set to Allow for the Management Group donot have this GPO applied to them unless they are also members of another groiup (by default, there are also Authenticated Users) that has the Apply Group Policy ACE selected.
At this point, everyo0ne in the Authenticated USers group has this GPO applied, regardless of having added the Management group to the list.
Configure the GPO so that it applies to the members of the Management group only. Select Allow for the Apply Group Policy ACE for the Management group and then remove the Allow Group Policy ACE from the Authenticated Users group.
By changing the ACEs that are applied to different groups, administrators can customise how a GPO affects the users or computers that are subject to the GPO. Write access is required for modifications to be made; Read and Allow Group Policy ACEs are required for a policy to affect a group (for the policy to apply to the group).
Use the Deny ACE with caution. A Deny ACE setting for any group has precedence aver any Allow ACE given to a user or computer because of membership in another group. Details of this interaction may be found in the Windows Server 2008 Server online Help by searching on Security Group.

Note:
You can use these same types of security options with the Logon scripts you set up in the preceding section. You can set a script to run only for members of a particular group or for everyone except the members of a specific group.

Security group filtering has two functions: the first is to modify which group is affected by a particular GPO and the second is to delegate which group of administrators can modify the contents of the GPO by restricting Full Control to a limited set of administrators (by a group). This is recommended because it limits the chance of multiple administrators making changes at any one time.

Blocking Inheritance and No Override

The Block Inheritance and No Override features allow you to have control over the default inheritance rules. In this procedure, you set up a GPO in the Accounts OU, which applies by default to the users (and computers) in the Headquarters, Production and Marketing OUs.

You then establish another GPO in the Account OU and set it as No Override. These settings apply to the children OUs, even if you set up a contrary setting in a GPO scoped to that OU.

You then use the Block Inheritance feature to prevent Group policies set in a parent site, domain or OU (in this case, the Accounts OU) from being applied to the Production OU.

A description of how disable portions of a GPO to improve performance is also included.

Setting Up the Environment

You must first set up the environment for the procedures in this section.

To Set Up the GPO Environment

Open the saved MMC GP console GPWalkthrough and the open the Active Directory User and Computer node.
Double-click the reskit.com domain and then double-click the Account OU.
Right-click the Account OU and select Properties from the context menu and click the Group Policy tab.
Click New to create a new GPO called Default User Policies.
Click New to create a new GPO called Enforced User Policies.
Select the Enforced Users Policies GPO and click the Up button to move it to the top of the list. The Enforced User Policies GPO should have the highest precedence. Note that this step only serves to demonstrate the functionality of the Up button; an enforced GPO always takes precedence over those that are not enforced.
Select the No Override setting for the Enforced User Policies GPO by double-clicking the No Override column or using the Options button.
Double-click the Enforced User Policies GPO to start the Group Policy snap-in.
In the Group Policy snap-in, under User Configuration, click Administrative Templates, click System and then click Logon/Logoff.
In the details pane, double-click the Disable Task Manager policy, click Enabled in Disable Task Manager dialog box and the click OK. For information on the policy, click the Explain tab.
Click the Close button to exit the Group Policy snap-in.
In the Accounts Properties dialog box, on the Group Policy tab, double-click the Default User Policy GPO from the Group Policy Object link list.
In the Group Policy snap-in, in the User Configuration node, under Administrative Templates, click the Desktop node, click the Active Desktop folder, and then double click the Disable Active Desktop policy on the details pane.
Click Enable, click OK and click Close.
In the Accounts Properties dialog box, click Close.

You can now log on to a client workstation an any user in any of the OUs under the Accounts OU. Note that you cannot run the Task Manager--the tab is unavailable from both CTRL+SHIFT+ESC and CTRL+ALT+DEL. In addition, the Active Desktop cannot be enabled. When you right-click on Desktop and select Properties, you will that the Web tab is missing.

Ad an extra step, you can reverse the setting of the Disable Task Manager policy in a GPO that is linked to any of the child OUs of the Accounts OU (Headquarter, production, Marketing). To do this change the radio button for that policy.

Note: Doing this has no effect file the Enforced User Policies GPO is enabled in the Accounts OU.

Disabling Portions of a GPO

Because these GPOs are used solely for user configuration, the computer portion of GPO can be turned off. Doing so reduces the c omputer startup timed, because the Computer GPOs do not have to be evaluated to determine if any policies exit. In this procedure, no computers are effected by these GPOs. Therefore, disabling a portion of the GPO has no immediate benefit. However, since these GPOs could later be linked to a different OU that may include computers, you may want to disable the computer side of these GPOs.

To Disable the Computer Portion of a GPO

Open the saved MMC console GPWalkthrough and then double-click the Active Directory User and Computer node.
Double-click the reskit.com domain.
Right-click the Account OU select Properties from the context menu and click Group Policy tab.
In the Accounts Properties dialog box, click the Group Policy tab, right-click the Enforced User Policy GPO and select Properties.
In the Enforced User Policies Properties dialog box, select the General tab and then select the Disable computer Configuration Setting check box. In the Confirm Disable dialog box click Yes.
Note that the General properties page includes two check boxes for disabling a portion of the GPO.
Repeat steps 4 & 5 for the Default User Policies GPO.

Blocking Inheritance

You can block interitance so that one GPO does not inherit policy from another GPO in the hierarchy. After you block inheritance, only those settings in the Enforced User Policies affect the Users in this OU. This is simpler than reversing each individual policy in a GPO scoped at this OU.

To Block Inheritance of Group Policy for the Production OU

Open the saved MMC console GPWalkthrough and then double-click the Active Directory User and Computer node.
Double-click the reskit.com domain and then double-click the Accounts OU.
Right-click the Production OU, select Properties from the context menu and then click the Group Policy tab.
Select the Block Policy Inheritance check box and click OK.

To verify that inherited settings are now blocked, you can logon as any user in the Production OU. Notice that the Web tab is present in the Display setting properties page. Also, note that the task manager is still disabled, as it was set to No Override in the parent OU.

Linking a GPO to Multiple Sites, Domain and OUs

This section demonstrates how you can link a GPO to more than one container (site, domain or OU) in the ACtive Directory. Depending on the exact OU configuration, you can use other methods to achieve similar Group Police effects; for example, you can see security group filtering or you can block inheritance. In some cases, however, those methods do not have the desired affects. Whenever you need to explicity stat which sites, domains, or OUs need the same set of policies, use the method outlined below:

To Link a GPO to Multiple Sites, Domain and OUs

Open the saved MMC console GPWalkthrough and then double-click the Active Directory User and Computer node.
Double-click the reskit.com domain, and double-click the Account OU.
Right-click the Headquarter OU, select Properties from the context menu and then click the Group Policy tab.
In the Headquarters Properties dialog box, on the Group Policy tab, click New to create a new GPO named Linked Policies.
Select the Linked Policies GPO and click the Edit button.
In the Group Policy snap-in, in the User Configuration node, under Administrative Templates node, click Control Panel, and then click Display.
On the details pane, click the Disable Changing Wallpaper policy and the click Enabled in the Disable Changing dialog box and click OK.
Click Close to exit the Group Policy snap-in.
In the Headquarters Properties page, click Close.

Next you will link the Linked Policies GPO to another OU.

In the GPWalkthrough console, double-click the Active Directory User and Computers node, double-click the reskit.com domain and then double click the Accounts OU.
Righ-click the Production OU, click Properties on the context menu and then click the Group Policy tab on the Production Properties dialog box.
Click the Add button or right-click the blank area of the Group Policy Object Links list and select Add on the contxt menu.
In the Add a Group Policy Object Link dialog box, click the down arrow on the Look in box, and select the Accounts.reskt.com OU.
Double-click the Headquarter.Account.reskit.com OU from the Domain, OUs and linked Group Policy Objects list.
Click the Linked Policies GPO amd then click OK.

You have now linked a single GPO to two OUs. Changes mad to the GPO in the either location result in a change for both OUs. You can test this by changing some policies in the Linked Policies GPO, and then logging onto a client in each of the affecte OUs, Headquarters and Production.

Loopback Processing

This session demonstrates how to use the loopback processing policy to enable a different set of user type Group Policies based on the Computer being logged onto. This policy is useful when you need to have user type policies applied to users of specific computer. There are two methods for doing this. One allows for the policies applied to the user to be processed, but to also apply user policies based on the computer that the user has logged onto. The second method does not apply the user's settings based on where the user object it, but only processed the policies based on the computer's list of GPOs. Details on this method can be found in the Group Policy white paper referred to earlier.

To Use the Loopback Processing Policy

In the GPWalkthrough console, double-click the Active Directory User and Computer node, double-click the reskit.com domain and then double-click the Resources OU.
Right-click the Desktop OU, click Properties on the context menu and then click the Group Policy tab on the Desktop Properties dialog box.
Click New to create a new GPO named Loopback Policy.
Select the Loopback PoliciesGPO and click Edit.
In the Group Policy snp-in, under the Computer Configuration node, click Administrative Templates, click System, and then Click Group Policy.
In the details pane, double-click the User Group Policy loopback processing mode policy.
Click Enable in the User Group Policy loopban processing mode dialog box, select Replace in the Mode drop-down box and then click OK to exit the property page.

Next, you will set several User Configuration policies by using the Next Policy navigation buttons in the dialog box.

In the Group Policy snap-in, under the User Configuration mode, click Administrative Templates and click Strat Menu & Taskbar.
In the details pane, double-click the Remove user's folders from the Start mune policy, and then click Enabled in the Remove user's folder form the Start menu dialog box.
Click Apply to apply the policy, and click the Next policy button to go on to the next policy. Disable and remove links to Windows update.
In the Disable and Romove Links to Windows Update dialog box, click Enable, click Apply, and then click the Next Policy button.
In each of the following policies' dialog boxes, set the state of the policies as Indicated on the list below.

Policy Setting

Remove common program groups from Start Menu Enabled
Remove Documents from Start Menu Enabled
Disable programs on Settings Menu Enabled
Remove Network & Dial-up Connections from Start Menu Enabled
Remove Favorites Menu from Start Menu Enabled
Remove Search Menu from Start Menu Enabled
Remove the Help Menu from Start Menu Enabled
Remove Run Menu from Start Menu Enabled
Add Logoff on the Start Menu Enabled
Disable Logoffon the Start Menu Not Configured
Disable and remove the Shut Down Commond Not Configured
Disable drag-and-drop context menus on the Start Menu Enableed
Disable changes to Taskbar and Start Menu Setting Enabled
Disable Context menus for the taskbar Enabled
Donot keep history of recently opened documents Enabled
Clear history of recently opened documentsw on exit Enabled

Click OK when you have set the last policy from the list in step 5.
In the Group Policy console tree, navigate to the Desktops node under User Configuration\Administration Templates, and set the following policies to Enable.

Policy Setting

Hide Remove My Document from Start Menu Enabled
Hide My Network Places icon on desktop Enabled
Hide Internet Explorer icon on desktop Enabled
Prohibit user from changing My Documents path Enabled
Disable adding, dragging, dropping and closing the taskbar's toolbars Enabled
Disable adjusting desktop toolbars Enabled
Don't save settings at exit Enabled

Click OK when you have set the last policy from the list in step 7.
In the Group Policy console tree, navigate to the Active Desktop node under User Configuration\Administrative Templates\Desktop, set the Disable Active Desktop policy to Enabled, and then click OK.
In the Group Policy console tree, navigate to the Control Panel node under User Configuration\Administrative Templates, click the Add/Remove Programs nod, double-click the Disable Add/Remove Programs policy, set it to Enabled, and then click OK.
In the Group Policy console tree, navigate to the Control Panel node under User Configuration\Administrative Templates, cllick the Display node, double-click the Disable display in control panel policy, set it to Enabled, and then click OK.
In the Group Policy snap-in, click Close.
In the Desktops Properties dialog box, click Close.

At this point, all users who log on to computers in the Desktops OS have no policies that would normally be applied to them; instead, they have the user policies set in the Loopback Policies GPO. You may want to use the procedures outlined in the section on Security Group Filtering to restrict this behavior to specific groups of computers, or you may want to move some computers to another OU.

For the following example, a security group callec No Loopback is created. To do this, use the Active Directory Users & Computers snap-in, click the Group container, click New, and create this global security group.

In this example, computers that are in the No-Loopback security group are excluded from this loopback policy, if the following steps are taken:

In the GPWalkthrough console, double-click Active Directory User & Computers, double-click risket.com,m double-click Resources, right-click Desktop and then select Properties.
In the Desktop Properties dialog box, click Group Policy, right click the Loopback Policy GPO, and then select Properties.
In the Loopback Policies Properties page, click Security, and select Allow for the Apply Group Policy ACE for the Authenticated User group.
Add the No Loopback group to the Name list. To do this, click Add, select the No Loopback group, and click OK.
Select Deny for the Apply Group Policy ACE for the No Loopback group, and click OK.
Click OK in the Loopback Policies Properties page.
Click Close in the Desktop Properties dialog box.
In the GPWalkthrough console, click Save on the Console menu.

Other Group Policy Secnarios

Now that yoiu familiar with the methodologies for administrating Group Policy, you may want to set up some security policies, perform some software installation and maintenance, and redirect some user folder--such as the My Documents folder. These topics are covered in detail in the following step-by-step guides, available on the Windows Server 2008 Server Web site.

Deploying Security Policies
Software Installation and Maintenance
User Data and Settings Management