

    August 27

    Chapters 20-22 SBS2K3 Unleashed Review

    Hello again everyone. I have not had an Internet connection since Thursday night. Thanks Comcast/Time Warner. Great start! Anyway, if you read the title, you know this review will cover 3 chapters, 20-22. These chapters cover Group Policy, Managing Workstations through Group Policy and Security patches and hotfixes. I'm glad to be doing these three chapters together because they really flow well together. You may ask how security patches and hotfixes flow with group policy. That is a very good question. Please continue reading to discover that answer.

    Chapter 20 covers Group Policy as I said above. This chapter is 29 pages long. It is a fairly long chapter in this book. It starts with a nice overview of group policy, what it is and how it can be used by the administrator. A table on page 480 sets the stage. Group policy can help you assign scripts, redirect folders, manage applications and modify registry settings.

    Next, group policy is broken down into its elements. Software settings, Windows settings and administrative templates are covered. Next, group policy ordering is discussed. How is GP applied? Local settings, Site settings, Domain settings and finally, Organizational settings are applied in that order. Therefore, when policies contradict each other, a later policy overwrites an earlier one. The exception to this is enforced policies.
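The ordering rule above as a small Python model, added here as an illustration (it is not code from the book or from Windows). It goes one step beyond the paragraph by also ordering enforced policies among themselves, where the one linked higher up wins; the policy names and settings are made up, "ou" stands for the Organizational level, and features such as Block Inheritance are not modeled.

```python
from dataclasses import dataclass

# Processing order from the review: Local, Site, Domain, Organizational.
ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}


@dataclass
class GPO:
    name: str             # constructed sample name
    level: str            # one of the ORDER keys
    settings: dict
    enforced: bool = False


def effective_settings(gpos):
    """Return {setting: (value, winning GPO name)} for one machine."""
    for g in gpos:
        if g.level not in ORDER:
            raise ValueError(f"unknown level {g.level!r} on {g.name}")
        if g.enforced and g.level == "local":
            raise ValueError("the local policy cannot be enforced")
    ordered = sorted(gpos, key=lambda g: ORDER[g.level])  # stable sort
    result = {}
    # Pass 1: normal GPOs in processing order; a later write replaces an earlier one.
    for g in ordered:
        if not g.enforced:
            result.update({k: (v, g.name) for k, v in g.settings.items()})
    # Pass 2: enforced GPOs in reverse order, so the one linked highest up
    # writes last and nothing below it can override it.
    for g in reversed(ordered):
        if g.enforced:
            result.update({k: (v, g.name) for k, v in g.settings.items()})
    return result


# Constructed sample policies; every name and setting here is hypothetical.
SAMPLE = [
    GPO("Local", "local", {"ScreenSaverTimeout": 1800, "FirewallEnabled": False}),
    GPO("Site-Default", "site", {"ScreenSaverTimeout": 1200}),
    GPO("Domain-Firewall", "domain", {"FirewallEnabled": True}, enforced=True),
    GPO("Domain-Desktop", "domain", {"ScreenSaverTimeout": 900, "HideControlPanel": False}),
    GPO("OU-Lab", "ou", {"FirewallEnabled": False, "ScreenSaverTimeout": 600}),
    GPO("OU-Kiosk", "ou", {"HideControlPanel": True, "FirewallEnabled": False}, enforced=True),
]

if __name__ == "__main__":
    for setting, (value, winner) in sorted(effective_settings(SAMPLE).items()):
        print(f"{setting:20} = {value!s:6} (from {winner})")
```

In the sample, the non-enforced OU policy wins the screen saver setting because it is applied last, while the enforced domain firewall setting survives both the OU policy and the enforced OU kiosk policy below it.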

    The next major topic is the GPMC, or the Group Policy Management Console. Most of you know that Windows is full of consoles. Navigating and viewing policies kick off this section. Several screenshots show the GPMC to help you in the discussion. GP details show who created the policy, owns it, modified it, as well as other information. GP settings will show you the policies that are set up on your system for easy review. GP delegation shows the permissions for various security groups.

    The chapter next turns to GP modeling and results. Here is where the true power of GP can be tested and viewed before you destroy your network! :-> That is, you can set up policies and determine their effects on your network before you apply them. If they do not do what you need, tweak them before deploying. You are shown how to set up the modeling report in a step-by-step fashion. Creating the report follows. Again, a step-by-step method is used for your benefit.

    The next section covers 8 pages. It is Default SBS Group Policy Objects. It is all the details of GP objects. It begins with the Windows Firewall and gives you all the policy elements and their respective settings. This continues with the Internet Connection Firewall, client computers, remote assistance, lockout policy, domain password policy, default domain policies, auditing policies and default domain controllers policy. The preceding sections will show you just how in-depth a subject GP is. Books have been written on this subject. Therefore, this chapter will not make you a GP guru, but it will help you to master the policies you need for SBS.

    The next section covers creating/modifying GP Objects. It runs the gamut from planning to testing the GPO to modeling it as in a previous section. Finally, the chapter concludes with troubleshooting GP and GP disaster recovery. What is GP DR? In a word, backup.

    Chapter 21

    Chapter 21 is called Managing Workstations Through Group Policy. Chapter 20 was concerned with GP for the SBS server. This chapter brings it down to the workstation level. This is where the work-saving part comes in. Are you tired of visiting 5, 10, 25, 50 workstations to keep them up to date with applications, patches, antivirus, scripts, other applications, etc. ad nauseam? If so, GP is here to make your life easier.

    The chapter starts with a discussion on why to manage workstations. See what I wrote in the previous paragraph to find out some of the answer. Next, we turn to folder redirection and offline files. Most of you know that redirecting documents to the server is a no-brainer wizard and it works very well. This can help you to make easy backups of all your users' documents. Offline files can keep a copy of the documents on a laptop. When the laptop is not connected to the server, the user can still use the documents and update them, and once back in the office, the documents can be synched and updated. There are plenty of GPs that can be set for offline policy. See page 515 for all of them.

    Managing workstation access is our next topic. You can easily set logon restrictions for your users. Want to prohibit logons for certain hours? Easily done with a GP. Locking down users to protect your server and protect your users from themselves is up next. Pages 517-520 show what policies are enabled and disabled for just about every setting you can imagine, from the Control Panel to IE and numerous other settings.

    There are also many other GP uses. For instance, Office has a kit that has 11 different policies that you can use to control Office behavior and control what you want your users to see and use. As always, our chapter ends with some good troubleshooting tips.

    Chapter 22

    Our final review today is Chapter 22, which covers security patches and hotfixes. Earlier I told you that this chapter flows well with the GP topic. I also said I would answer that here. Here is the answer. WSUS. You can establish WSUS on your server and then you can deploy these patches to your workstations and even your server at your convenience. Therefore, you can ensure that your machines are patched in a timely and safe manner using WSUS and GP. There are some issues, however. The laptop that is not connected and the workstation that is powered down will not get updated. What can you do? In a word, reschedule. You can reschedule these machines so they are patched. You can also train your users, when patches are released, to ensure the machine stays on for the night of the event.

    This chapter starts off with the story about the moth in the vacuum tube. Debugging started back in the '40s and continues to this day. The makeup of a patch and how you are notified are discussed. What kind of patch do you have? Page 529 lays it out for you. Patch testing and risk analysis are discussed and some good resources are listed to keep one up to date on this topic. The chapter has a strong thread that weaves throughout. That thread is, do not guarantee patching. That is, every patch is not tested against every possible scenario. Therefore, your client may have some third-party application or utility that breaks when a patch is applied. If you guarantee this will not happen, you will soon be in hot water.

    Resources for patches are up next. Again, several good resources are listed to help you. WSUS and automatic updates are given as resources to obtain your patches. Office patches can be obtained the same way from the same site, so you don't have to worry about patching them from the Office Update site separately. The MBSA is discussed on pp. 538-539. It can show you what patches you are missing. Another tool called Shavlik HFNetChk Pro is discussed. It is not free, but it can patch many things on your server and workstations, and it even includes patching for some third-party applications.

    WSUS comes next in a large section. It covers installing WSUS, synchronizing, setting up GP on the server, and the approval process. As always, troubleshooting brings it all to a close. Five KB articles are listed to help one troubleshoot update issues.

    I hope you enjoyed these three reviews and learned something. Next, we move into premium technologies. The book only has two chapters left. They are 23: ISA2K4 Basics and 24: ISA2K4 Advanced Administration. These chapters are 22 and 20 pages long respectively. I will try to review them in separate posts. After I complete these two, I plan to go through and make a list of all the resource links in every chapter as a separate blog post. That should be useful for every one of you out there. Please come back so we can finish this book. Once I complete this one, I think I may move on to one of Harry's books and review it in this space. I can't wait to get your feedback. Take care and I'll see you in a few days.
