MDOP 系列之二: Microsoft 進階群組原則管理 加速部署與管理桌上型電腦 簡志偉 大型企業業務暨經銷事業群 台灣微軟

提昇企業桌上型電腦管理能力 動態資料串流軟體作為中央管理服務 將軟體清單轉換成商務智慧 可加速桌上型電腦修復的強大工具 Microsoft Desktop Optimization 可加速部署與提升管理能力 動態資料串流軟體作為中央管理服務 Microsoft SoftGrid Application Virtualization* 將軟體清單轉換成商務智慧 Microsoft Asset Inventory Service 可加速桌上型電腦修復的強大工具 Microsoft Diagnostics and Recovery Toolset 經由變更管理增強群組原則 Microsoft Advanced Group Policy Management 主動管理應用程式與作業系統失敗 System Center Desktop Error Monitoring *終端機服務的 SoftGrid Application Virtualization CAL 已發行，且與 MDOP 分開銷售 2 2

Microsoft Management Summit 2007 March 26-30, 2007 | San Diego, CA 1/3/2019 3:49 AM 簡介 2006年10月從 Desktop Standard 取得 在群組原則的延伸投資 GPOVault – Advanced Group Policy Management (AGPM, 進階群組原則管理) 群組原則的變更管理 建立在 Group Policy Management Console (GPMC) 的基礎上 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft 進階群組原則管理 (AGPM) 經由變更管理增強群組原則 提供有效率的群組原則變更管理 以角色為基礎的系統管理與範本 有彈性的委派模組 版本、歷程及復原 運用精細的系統管理控制權加強管理 降低失敗擴散的風險 PC 管理能力 診斷與支援工程師

Microsoft 進階群組原則管理 (AGPM) 案例研究 – Forsyth County 建立與管理群組原則，將整個企業的桌上型電腦組態保持在最新狀態 挑戰： 以即時、有效率及安全的方式管理 1,650 部 PC 上的群組原則 結果： 輕鬆且安全地建置群組原則物件 視需要復原群組原則變更，而不再需要等待 PC 汰換 可在最短的停機情況下，滿足即時群組原則建立需求 順暢且自動化的群組原則變更管理

Microsoft 進階群組原則管理 (AGPM) MMC 延伸到 GPMC 針對群組原則架構提供完整的異動管理 以角色為基礎的委派 離線編輯 Check-out/Check-in 透過歷史紀錄追蹤改變 部署流程 Roll-back and Roll-forward

Microsoft Management Summit 2007 March 26-30, 2007 | San Diego, CA 1/3/2019 3:49 AM AGPM 架構 Copy of GPO 1 Copy of GPO 2 GPO 1 GPO 2 AGPM 伺服器元件 AGPM 伺服器端 網域控制站 AGPM 管理元件 AGPM 用戶端 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

安裝進階群組原則管理伺服器 安裝伺服器元件: gpovents.msi 應該安裝在網域伺服器上 安裝特別注意 建立一個負責與 AD 溝通的 AGPM 服務帳戶 License 檔案 建立一個擁有 AGPM 完整權限的管理員

安裝進階群組原則管理用戶端 安裝用戶端元件: gpoventc.msi 必須與 GPMC 一起安裝在電腦上 可以透過群組原則安裝 Windows Vista Windows Server 2003 可以透過群組原則安裝

進階管理群組原則物件的檔案紀錄 GPO 更新紀錄 時間標籤 GPO 狀態 擁有者 設定與差異報告 復原舊的 GPO 套用新的 GPO

檔案紀錄位址 檔案位置標籤 必須指定主機名稱 (FQDN 或 IP 位址) 為每一個用戶端設定執行AGPM 可以透過 AGPM 的 ADM 檔案進行管理

進階群組原則管理 SMTP 設定 設定使用者接收委派管理的 email 建立新的 GPOs 發佈或更新 GPOs 其他委派任務

進階群組原則管理委派 樹系層級委派 網域層級委派 GPO 層級委派角色 完全控制 批准者 (Approver) 編輯者 (Editor) 檢閱者 (Reviewer)

設定與AGPM伺服器連結 設定email通知 委派管理 demo 設定與AGPM伺服器連結 設定email通知 委派管理 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Management Summit 2007 March 26-30, 2007 | San Diego, CA 1/3/2019 3:49 AM 工作流程 Check-out 編輯 檢閱 Check in 請求部署 批准/拒絕 Check-out/Check-in 提出請求 建立 GPOs 部署 GPOs 刪除已部署的 GPOs 請求會被送到事先定義的批准者 範本 支援 GPO 建立 允與比較 GPOs 版本之間的差異 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

控制 GPOs Uncontrolled GPOs 只用在實際環境上

demo 管理 Uncontrolled GPOs © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

建立與使用範本 建立新 GPOs 設定的基準 建立範本 從範本建立 GPO 滑鼠右鍵建立 GPO 滑鼠右鍵點擊 Change Control 選擇 “New Controlled GPO”

編輯 Controlled GPOs 必須“check-out” GPO 進行編輯 Controlled GPOs 使用 GPOE 來編輯 當 GPO 被更新, 就要“checked-in”

demo 建立/編輯 GPOs © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Management Summit 2007 March 26-30, 2007 | San Diego, CA 1/3/2019 3:49 AM 報告 報告比較在歷史紀錄內的不同時間點 Report 比較不同的 GPOs Report 比較範本 設定報告 顯示設定 差異性報告 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

demo 差異性報告 © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

從 AGPM 部署 GPO 具有編輯權限的使用者可以選擇 “Deploy” 寄送 email 給批准者 (會在 SMTP 設定中被提到) 將 GPO 放入 “Pending” 模式 被授權的使用者可以針對 ”Pending” GPO 選擇 ”Deploy” 或 “Reject” Full Control (完全控制) – 這個角色具有權力部署 “Approver” (批准者) – 這個腳色具有權力部署

透過 AGPM 刪除 GPO 從檔案紀錄管理刪除 ‘un-controls’ GPO 一旦被放在回收桶 破壞 回復

demo 部署/刪除 GPOs © 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

資源 Microsoft Desktop Optimization Pack for Software Assurance 的網站: http://www.microsoft.com/taiwan/windows/products/windowsvista/buyorupgrade/optimizeddesktop.mspx 可用資源 取得Microsoft 進階群組原則管理規格書:

Q & A

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Microsoft makes no warranties, express or implied, in this summary. © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only and is subject to change. Microsoft makes no warranties, express or implied, in this summary.