microsoft desktop optimization pack [vista]

7/28/2019 Microsoft Desktop Optimization Pack [Vista]

http://slidepdf.com/reader/full/microsoft-desktop-optimization-pack-vista 1/18

Technical Level: 100

How to Gain Control of your Desktop Environment

Microsoft Desktop Optimization Pack (MDOP) helps IT professionals improve control of theirdesktop environments. MDOP is a comprehensive set of tools that provides a way for ITprofessionals to move their organization’ s desktop strategy from a basic infrastructurematurity level to a dynamic maturity level. This document provides a basic technical

overview of the tools included in MDOP. A discussion on how each tool helps organizationsmove through the infrastructure optimization model is also provided so that IT professionalsand managers can better understand how MDOP can benefit the organization as a whole.

Using the Microsoft® DesktopOptimization Pack for SoftwareAssurance and the InfrastructureOptimization Model

To keep your users happy, yourInformation Technology (IT) infrastructure

must continuously adapt to support newapplications and capabilities. As yoursystems become more complicated, youspend more time and effort keepingsystems secure and under control. Withthe Microsoft Desktop Optimization Packfor Software Assurance, you can optimizeand better secure your core infrastructureby using integrated management and

security solutions that help you respondmore quickly to end user businessdemands and optimize the security of yoursystems.

What is Infrastructure Optimization?

The Infrastructure Optimization Modelgives you a way to categorize the maturityof your IT environment. You can use themodel to help develop a plan that usesMicrosoft tools to help you spend less timeand effort on systems management, asFigure 1 shows.



Figure1. Basic view of Infrastructure Optimization Model

Understanding the Benefits for ITProfessionals

You can use the InfrastructureOptimization Model to move from manualIT processes to dynamic processes. For ITprofessionals, this change can be bothinteresting and challenging. Think aboutall the tedious tasks that take a long timebecause they include detailedconfiguration steps and lengthy pausesbetween steps—for example, installingdesktop operating systems or deployingsoftware to a large group of users.

One of the pillars of InfrastructureOptimization is the automation of day-to-day IT jobs that take up your precioustime.

As a technical person, you might not beinterested in ―increased business agility.‖ But what about deploying a newapplication by the time you finish yourmorning espresso? How about installingthat new application that the marketingdepartment asked about—in one

afternoon? Without increasing the amountof time required, you have become moreresponsive to the marketing department.You have become more ―agile.‖

Infrastructure Optimization increases yourability to be responsive. Someone will askyou how to decrease application-deployment time, and you will be the onewith the ability to answer them, anddeliver the solution. The best part is thatyou can move away from repeating tasksand can focus on automating and

streamlining solutions. Instead of walkingfrom computer to computer to install asoftware package, you can be writingscripts or creating software packages thatconfigure themselves.

Communicating with BusinessDecision Makers

Communicating with your business-drivencounterparts can be equally important to

maximize your technical effectiveness.Infrastructure Optimization provides aframework for communicating with yourbusiness-focused colleagues.

Whereas you might focus on whether toimplement RAID 0 or RAID 5 storage,business users are likely thinking aboutwhether they have guaranteed access to aservice that is critical to their jobs. Youmay know how a particular technology canhelp achieve business goals; however, youmight not know how best to express thatunderstanding. Business users anddecisions makers may see IT as a costcenter, and require you to justify every

project before implementation. TheInfrastructure Optimization Model givesyou a way to link technical goals andbusiness goals. You can use the model tocommunicate the value of implementingthe technologies in MDOP.

The Microsoft Desktop OptimizationPack

MDOP is a collection of tools designed tohelp streamline all aspects of managing adesktop environment. You can use thefollowing MDOP tools to make your ITenvironment more dynamic:

Microsoft Application Virtualization(Formerly SoftGrid)

Microsoft Diagnostics and Recovery Toolset (DaRT)

Microsoft Asset Inventory Service(AIS)

Microsoft Advanced Group Policy Management (AGPM)

Microsoft System Center DesktopError Monitoring (DEM)

The remainder of this document will focuson each MDOP component, how each toolcan help you move your environmentforward through the InfrastructureOptimization continuum, and how to puteach tool’s business value into ―bigpicture‖ terms that your businesscolleagues will understand.



Microsoft ApplicationVirtualization (Formerly SoftGrid)

Many IT pros are familiar with completeoperating system virtualization, in whichcomputer architecture is emulated

through software. Microsoft Application

Virtualization provides a virtualenvironment for each application,including a virtual registry, DLL files, COMobjects, fonts, services, .ini files, and soforth. Figure 2 illustrates howApplication Virtualization works.

Figure 2. Using SoftGrid Application Virtualization

The key aspect to notice is that eachvirtual application environment is isolatedfrom the others and from the operatingsystem. The operating system isunchanged by the applications and localand virtual applications can coexistwithout conflict on one operating systeminstance.

Microsoft Application VirtualizationComponents

Three components make up theApplication Virtualization solution (thelicensing for all components is included inthe purchase of MDOP):

Microsoft System Center Application Virtualization

Management Server: Functions asthe primary management interfacefor virtualized applications. You canconfigure application publishing and assignment as well as streamingdelivery.

Microsoft System Center Application VirtualizationStreaming Server: Functions as a

lightweight streaming delivery server, without a Microsoft SQLServer® or Active Directory®requirement. This server can work alone or in conjunction with the publishing capabilities of theManagement Server.

Microsoft ApplicationVirtualization Client: Acts as an



interface between the virtualized application and the operating system.Manages the virtual application cacheon the local system.

Microsoft ApplicationVirtualization Sequencer: Serves

as an application packager that prepares the application to bevirtualized.

Benefits of Microsoft ApplicationVirtualization

The application isolation that ApplicationVirtualization provides can help youoptimize application management in someexciting ways.

Running applications locally without

installing themNo elements of a virtual application areever installed on the operating system.Registry entries, services, and DLLs are allstored in the virtual environment.Consequently, the applications run as if they were installed and executed locally,without changing the local operatingsystem.

Executing Multiple Versions of thesame Application

Thanks to the way programs are isolatedfrom each other, you can run multipleversions of the same program on thesame desktop. For example, you can run acopy of Microsoft Office Access® 2000, oreven Access 97, on a computer that isrunning Office Access 2007. Because eachapplication essentially references its ownregistry and virtual file system, you don’thave to worry about the overwrittenregistry entries and files that typicallyoccur when installing a new version of an

application over an old version.

Streaming Application Deployment

Application Virtualization opens up a newway to deliver applications throughstreaming. This method works byseparating applications into two blocks of features. The first feature block streamsthe code bits needed to get the application

running. These bits are stored in a cachefile on the client. The second feature blockcontains the rest of the application’sfeatures. As a user executes variousfeatures in this block, the features areincrementally streamed in the

background. For laptop users or remoteusers who might not have the bandwidthto stream applications, you can takeadvantage of a pre-load feature thattransfers the entire virtual application.

Enable Roaming and Free Seating

You can use the Application VirtualizationManagement Server to configureapplications so that they are associatedwith Active Directory groups. Each time auser logs on to a system, the Application

Virtualization Client checks with theApplication Virtualization ManagementServer to determine which applicationsthe user is assigned. If the user doesn’thave access to an application on thesystem, he or she will not see theprogram icon or shortcut. If an allowedapplication for that user is not already inthe system’s cache, the system willreceive the application from theApplication Virtualization ManagementServer upon the user’s first attempt tolaunch that program.

Microsoft also offers the ApplicationVirtualization Streaming Server. Thislightweight version of the ManagementServer offers only streaming capabilities,but without the other infrastructurerequirements of the Management Server.This is intended to enable lowermaintenance branch servers where virtualapplications are replicated and availablefor local LAN access. When used inconjunction with the Management server,

virtual application configurations are nowcentrally controlled, but delivered over thelocal branch LAN.

Now you have an easy, central way todefine which applications users mayaccess, and a way to make sure that anyapplication bits that are not locally cachedcan be transferred transparently in the



background. You can replicate thisenvironment to a disaster recovery site.Such a site will consist of a ApplicationVirtualization Servers, the applicationsreplicated to the server’s content store,and systems preloaded with the

Application Virtualization Client. Userssimply log on to their computers, and theapplications they needed will beautomatically available.

For user environments that containmultiple types of users (e.g., customerservice agents, managers who moveamong multiple systems), you canconsistently give the right users access tothe right applications. Applicationcustomizations reside in files attached toroaming profiles. For example, if a user

has a Microsoft Office Word toolbar set up just the way the user likes it, thatconfiguration can follow the user fromsystem to system.

Standalone Mode: Deploy VirtualApplications with the Current ESDSystem or via Removable Media

Some customers already have anElectronic Software Distribution (ESD)system in place and would like toimmediately realize the benefits of

application virtualization while thestreaming infrastructure is designed andimplemented. With standalone mode, avirtual application may be deployed viathe existing ESD system using anautomatically created MSI as a controlpoint for importing and locally publishingthe shortcut. This allows forinteroperation with any ESD system thatunderstands MSIs. Since standalonemode does not require any additionalinfrastructure, the same virtual application

can be sent to a disconnected user in thefield via removable media, where it isadded through an MSI based wizard andready for use without communicating witha server.

Improve Application Support

As an IT professional, you know the painthat a misconfigured application can

cause. Troubleshooting the applicationsometimes takes longer than justreinstalling it. Then there are all thespecial instructions, .ini customizations,and special setup steps. What if you couldsimply reset the application to a known

good configuration? By using ApplicationVirtualization, you can do just that. Youcan tell the Application VirtualizationClient to remove the changes since theoriginal delivery of the application,returning the virtual application to aknown good state. The user simply closesout the application, and then re-opens itto find it working normally.

Significantly Reduce Application toApplication Regression Testing

Regression testing is one of thosenecessary evils of the applicationmanagement lifecycle. Every time youupdate the operating system or anapplication on a system, you must makesure that all other components on thecomputer continue to work as expected.This usually means that you must installupdated software, and then install all theother software packages that werepreviously installed, and then test thosepackages. This process can mean hours of work, and if one application causes an

issue, you must repeat the process afteryou apply a fix.

You can use Application Virtualization toexpedite this process significantly.Because each application is executed in itsown virtual environment, you don’t needto worry about one application updateaffecting other applications. Testingoperating system updates is as simple asinstalling the update, then streaming theapplications that were already configured.

If an application doesn’t work, it can beindividually fixed and tested. The fix forthat application will not affect any otherapplication, so you need to validate onlyone application.



Simplify and Accelerate Applicationand Operating System Migrations

Application Virtualization creates aseparation between the application andthe operating system. One of theadvantages of this separation is OSimages can be made much smaller. Youdon’t have to include as many applicationsin the base image. An image that containsfew applications is called a thin image.Thin images are great when deployingWindows® operating systems because athin image typically takes a lot less timeto deploy to a workstation. Applicationtesting is limited to making sure yourvirtualized applications run on the thinimage.

Microsoft Application Virtualization:The Big Picture

Microsoft Application Virtualization acts asan enabler for getting a new application inplace, quickly and without worrying aboutwhether the application will play nicelywith other programs. These advantages

translate into your ability to be moreresponsive to your organization’s needsfor deploying and supporting applications,enabling or automating new businessprocesses, and increasing productivity. Inthe Infrastructure Optimization Model,

Application Virtualization helps you moveto a Rationalized or Dynamic environment.When talking to a non-technical person,you can emphasize how ApplicationVirtualization can mean deploying a newapplication in days rather than in weeks ormonths.

Diagnostics and Recovery Toolset(DaRT)

Troubleshooting a faulty desktop is by farone of the most time-consuming jobs an

IT pro does. Often, replacing the offendingsystem is faster than trying to figure outwhat has gone wrong. However, replacinga piece of hardware is not always anoption. DaRT, shown in Figure 3, is acomprehensive set of programs that youcan use to quickly diagnose and restorecomputers to a working state.



Figure 3. The Diagnostics and Recovery Toolset (MSDaRT 6.0)

The Windows Recovery Environment (Windows RE)

The foundation of DaRT 6.0 is the

Windows Recovery Environment (WindowsRE). The venerable DOS disk used to bethe tool of choice when troubleshooting anuncooperative computer. Now, with thewide implementation of Microsoft WindowsNT® Kernel–based operating systems andthe standard use of the NTFS file systemin corporate environments, DOS disks areineffective. Most computers don’t evenhave floppy drives anymore! EnterWindows RE, which you can create byusing the Windows Automated InstallationKit (Windows AIK, available for download

from the Microsoft Web site). You canboot Windows RE over the network or byusing a bootable CD-ROM or a USB key.The Windows RE environment has somebasic diagnostic tools, which you can useto perform start-up repairs, systemrestores, and complete computer restores.

Windows RE also provides a memorydiagnostic tool and gives you access to acommand prompt. DaRT provides apowerful set of tools which can be run

alongside the basic tools that Windows REprovides.

DaRT Components

The tools in the DaRT toolset fall intothree categories: administrative,networking, and system. You can use theadministrative tools to perform commontasks in an offline environment. Thisoption is great when you are analyzing theimpacts of spyware or a root kit. You canuse the networking tools to connect the

computer to the network so that you candownload patches or access systembackups stored on network shares. Youcan use the system tools to analyzesystem issues and to perform repairs.

Table 1. Tools in the Diagnostics and Recovery Toolset

Crash Analyzer Crash Analyzer is one of the most interestingand useful tools in DaRT. In the past, with acomputer that had experienced a Windows

stop error or created a Windows Memorydump file, you were forced to ask MicrosoftProduct Support Services (PSS) to analyzethe DMP file to figure out what was going on.Now, you have a tool that can isolate theissue in many cases. Crash Analyzer canparse a DMP file, pinpoint which part of theoperating system is having problems, and(most importantly) recommend how toalleviate the problem. The tool takes just afew minutes to generate its report.

Standalone System Sweeper A Microsoft antimalware engine is integrated

into DaRT in the form of the StandaloneSystem Sweeper. You can use this tool toperform an offline scan of the computer. Thisis particularly effective in getting rid of persistent spyware that can detect andbypass online removal attempts, andmalware that tries to avoid detection byusing root kits.



TCP/IP Config You can use the TCP/IP Config tool toconfigure TCP/IP settings in the ERDcommander environment. You can use thistool to connect to network shares and tospecify network drives to access data.

Disk Wipe When you dispose of corporate assets thathave contained sensitive corporate data orprivate customer data, cleaning the harddrives are of the utmost importance. DiskWipe supports US Department of Defense5220.22-M 4-pass data wiping standards.

SFC Scan SFC Scan checks Windows system files forcorruption or errors and repairs the files inthe event of a problem.

Locksmith You can use Locksmith to reset local accountpasswords on a computer. This tool is usefulif you forget the local administrator

password on a workgroup computer orserver.

Disk Commander Disk Commander can recover lost bootpartitions. This tool is similar to WindowsVista® Startup Repair but offers the addedability to search for and regain access to lostor corrupted disk partitions.

Hotfix Uninstall You can use Hotfix Uninstall to perform anoffline uninstall of a software update thathas caused the computer not to start up.

ERD Registry Editor You can use ERD Registry Editor to edit the

Windows registry offline.

Computer Management Computer Management provides most of thefeatures you’re used to seeing in theMicrosoft Management Console (MMC)Computer Management console. Thesefeatures include offline access to the EventViewer logs and Disk Management. You alsoget a tool to modify the programs that startup automatically when Windows boots orwhen a user logs on to the desktop.

Explorer Similar to Windows Explorer, lets you browse

files graphically, move files around, or copythem copy to a USB drive or an externalHard Disk Drive.

Solution Wizard The Solution Wizard asks you questions andhelps you pick the right tool to use.



Emergency Repair Disk (ERDCommander)

When you combine the Windows REenvironment with the DaRT tools, you getthe Emergency Repair Disk Commander.ERD Commander is your new recoveryboot disk! This tool can boot from a USBkey or a CD. You can also use it over thenetwork, as a boot image from a WindowsDeployment Services. ERD Commandercan follow you anywhere the network cango.

The ERD Commander environment canmount USB drives. This capability can beuseful when you need to access acomplete system backup stored on anexternal hard drive. It’s also very useful

when you want to get files off a systemand move them to a new PC. In the eventthat the hard drive has been encryptedusing BitLocker™ drive encryption, theERD Commander provides an opportunityto enter the recovery key so that you canaccess the hard disk.

ERD Commander provides acomprehensive toolset that helps ITprofessionals to recover desktops frommany different scenarios, such as when aPC is infected with malware or has

experienced corrupted drivers.

Benefits of DaRT

Works Offline: Access critical system information and data without booting up the workstation’s local operating system. This is very useful if you need to work on workstationsthat you suspect might be infected with malware. You can get access tothe operating system’s key configuration data in a user friendly,

easy to use environment. Recovers data: Provides automated

tools that help you to recover hard disk information, files, and WindowsRestore points. The tools are straight forward, and guide you through thesteps to recover information on thecomputer.

Recovers machine without wipeand reload of the OS: Oftenrecovering a machine with DaRT cantake much less time than reloadingthe operating system. With theadvanced diagnostic tools such as the

Crash Analyzer Wizard and theSolution Wizard, finding the problemson a workstation can be done morequickly. You spend less timetroubleshooting and get the solutionyou need applied quickly.

Reduces help desk time and cost: Help desk technicians now have acomplete set of tools that help themto quickly determine problems. Thisreduces the time it takes them to fix workstations, and lets them use their time more efficiently.

Provides Offline MalwareRemoval: DaRT 6.0 now includes anoffline Malware removal tool. This isextremely useful if the workstationbecomes infected with persistent malware that is able to re-infect thecomputer when it boots up, malwarethat defies removal attempts, or root kits. With the offline scanner, themalware is removed and does not have a chance to re-install itself.Malware definitions can be

downloaded when the ERDCommander disk is created and canbe updated over the internet or by using a USB drive. This helps insurethat the latest threats can beremoved from workstations.

Platform support

DaRT is available in two versions. DaRT6.0 supports Windows Vista and theWindows Server® 2008 operatingsystems. The Standalone System Sweeper

component of DaRT 6.0 will also supportWindows XP. DaRT 5.0 supports Windows2000, Windows XP, and Windows Server2003. Both versions will be available inthe MDOP package.

DaRT: The Big Picture

You can use the DaRT tools to diagnosecritical infrastructure problems quickly.



With advanced diagnostic tools thatautomate many complexities of thetroubleshooting process, you can begin toturn troubleshooting into a well-documented process. This capability helpsyou move from a Basic level to a Standard

level of environment maturity in theInfrastructure Optimization Model. Whenyou talk to your business colleagues,explain how the DaRT can reduce the timeit takes to diagnose, and possibly to fix, acrashed computer.

Asset Inventory Service (AIS)

Knowing what is going on in yourenvironment is crucial. Every job in anorganization may require a desktop, andyou need to know what is or will be

installed on those desktops. You also needto make sure that all systems are in

compliance with the organization’slicensed software. Many an organizationhas been caught off guard when itdiscovered that software licensed for asmall group of users has found its wayonto many more computers. To help avoid

these unpleasant surprises, you can useinventory software to monitor thesoftware being installed in theenvironments.

Asset Inventory Service (AIS) is a hosted,Web-based service that collectsinformation and provides reports aboutthe software being used in yourenvironment. AIS works by deploying anagent to the computers that you want toinventory. The agent then securely reportsthe software inventory to the AIS

database (Figure 4).

Figure 4. The Asset Inventory Service is managed using a web based console

How AIS Works

AIS works by deploying a preconfiguredclient to target systems. The client can beconfigured by the administrator for theinterval of data collection desired. Theclient can be downloaded and installedmanually but usually will be deployed by

using an automated method, such as aGroup Policy Object (GPO) softwareinstallation policy or electronic distributionsoftware.

Getting and deploying the AIS client is astraight forward task. You need to validate



your MDOP purchase agreement andactivate AIS on the ―services‖ section of the MVLS site (Figure 5), which thenprovides you access to the AIS site. Fromthere, you can download the agent andthen deploy it through any preferred

method of deployment. You will only haveto do that once because after initialinstallation the agent will maintain itself through the service (update, upgrade,remove). Once the agent has beendeployed, it will make the first scan andsend that information back intelligently,with as little overhead as possible,minimizing any load on both the computerand the network. Depending on the size of your organization, you could see resultswithin minutes after deployment.Depending on the size of your

organization, you could have full reportsavailable to you only a short time afterdeployment. You can view that datathrough the various reports, allowing youto get insight into your organization’ssoftware by publisher, by software title,

by computer, by group (sites) or bycategory. (This category information ispart of the added value of Asset InventoryService and provides great insight toenable better business decisions.) AIS willalso rationalize the information, findingthe proper names of the software titlesand assuring that the same informationwill not appear multiple times in yourreports (this sometimes happens ininventory reports due to minimaldifferences in the metadata, like multipleinterpretations of the publisher name).

Figure 5. AIS is enabled by a multistep process



How Privacy is Protected

One of the primary concerns at Microsoftis ensuring that the data in the AISdatabase is highly protected and thatinformation in the database is correct.We do this by separating the computernames and organization names from thedesktop data that is collected.

Application statistics are gathered byMicrosoft for the purpose of making surethat this information is correct andprivate. Any information collected isanonymous, and is in no way connected toa user’s or organization’s name.

All servers that host AIS and relatedequipment are stored in a highly secure

data center, with multiple redundanciesbuilt into the infrastructure.

All data is transferred to and from AIS bymeans of a highly secure method.Communications between a client, AIS,and the Web-based management interfaceare always encrypted.

These standards are routinely reviewedand attested to by a leading independentprivacy firm.

Benefits of Asset Inventory Service

Asset Inventory Service is a hostedsolution and therefore is accessible fromvirtually anywhere in the world. It is alsoeasy to provide access to the reporting toother managers in your organization, evenif they are not technical. Effectivelymanaging your software-asset inventory isvital to ensuring compliance andoptimizing IT budgets. AIS can help you toidentify applications and installations thatcontradict your corporate policies and can

report down to the computer name levelto help with recovery and troubleshooting.You can also use AIS to analyze thesoftware to forecast organizational needs.

Easy to deploy: Due to its nature asa hosted service, AIS is very easy todeploy. After downloading the 1.5MBmsi-file from the web service, you

can use your preferred method todeploy it. You don’t need to set up/maintain a large infrastructure.You can also easily provide access toother managers in your organization,even if those managers are non-

technical, like your finance officer, procurement manager, et cetera. All they need is a Windows Live ID.

Rapid results: Results will come inwithin minutes after deployment and you will quickly see the full resultsthrough the available reports. Thereis even a way to request immediateupdated information from thesystem, upon which all inventory data will be updated within 24 hours.

Low investment: AIS is available asone of five components of MDOP. Apart from the proper licenses, youdon’t have to make any other investment to be able to start usingthe service. All servers and databases are maintained by Microsoft as part of your license.

Remote users / telecommuters:Many mobile users do not typically connect to the company network very often, but they do connect tothe internet and that is enough toassure that their inventory

information is included. As you know,an inventory isn’t worth a lot if it’snot complete.

Branch office scenarios: Many organizations already have someform of inventory management, but they don’t include their branch officesbecause they don’t want to gothrough the trouble of setting it upthere. Now, with AIS, you cancomplete your inventory by havingthem send their inventory up to theservice. Similarly, fast expanding

companies are using AIS to get aquick way of inventorying thesoftware in their newly acquired infrastructure.

Rich categorization &intelligence: AIS will rationalize theinformation, finding the proper names of the software titles and assuring that same-type-information



will not appear multiple times in your reports. These reports will allow youto get insight into your organization’ssoftware by publisher, by softwaretitle, by computer, by group (sites)or even by category. This category

information is part of the added valueof Asset Inventory Service and provides great insight to make better business decisions.

Ongoing value: As soon asMicrosoft adds new features, they will immediately become available. Also,future features can become availablequickly as beta options.

Easy export: Many organizationsalready have inventory management in place. In order to integrate withthose other systems, AIS allows youto export the information intodifferent file formats.

Asset Inventory Service: The BigPicture

When you know what software is in yourenvironment, you can make betterdecisions about current and future needs.This ability means that you can providerelevant information to business decisionmakers who want to support yourcompany’s growth. AIS helps you move to

the Rationalized IT maturity level byproviding up-to-date and insightfulreports, thus keeping you informed aboutyour environment.

Advanced Group PolicyManagement (AGPM)

Group Policy has become one of the mostwidely used tools for managing user andserver environments and for enforcingcorporate policies through technology. Asorganizations become more geographicallydispersed, you end up with an increasinggroup of administrators that can makechanges to group policies. Even in a single

site, Group Policy management can betricky when the site has more than onedomain or enterprise administrator. Manyadministrators find it undesirable to makechanges in a production environment tobegin with, and they go to great lengths in

order to prevent that, for example bycreating costly laboratory environments totest the changes they would like to make.This is where AGPM comes in handy.

How AGPM Works

Advanced Group Policy Management takesan organization’s Group Policy objects(GPO) and copies them in an offline (e.g.not in the production environment), flatfile structure (Figure 6).

Through an elegant plug-in into thefamiliar Group Policy ManagementConsole, you get a user interface to theoffline GPOs. From there, you can decidewhat (online) GPOs you want to managethrough AGPM, manage the securitysettings, even organize your templatesand access your deleted GPOs forundelete purposes. The AGPM client (theinterface) can be running on either thesame machine that the AGPM server runson, or any other server or client that hasaccess to the AGPM server.

Now, you can lock a GPO for editing,check out and edit a GPO through thefamiliar GPO editor, compare GPOs, or just report on one GPO and check it backin. You can also request deployment, uponwhich the AGPM administrator will getnotified to approve or reject the GPOchanges.

On top of that, AGPM records a history of the changes in each GPO, which will allow

you to audit GPOs (who has changedthem), or it will allow you to re-deploy anolder version of a GPO, effectively rollingback a GPO that was deployed in error.



Figure 6. Group Policy Administrators manage the group policy object on the AGPM Server, not directly

in the Active Directory

Benefits of Advanced Group Policy Management

AGPM offers a comprehensive solution tothe challenges of Group Policymanagement. AGPM provides a service

that sits between administrators and thedomain controller. This service providesseveral enhancements to Group Policymanagement:

Change Control: One of the moreexciting AGPM features is the changecontrol mechanism. This featureallows you to check out the GPOs youare working on to prevent othersfrom inadvertently making changesat the same time. AGPM trackschanges and who made the changes,

creating a comprehensive history of modifications for each GPO.

Delegation and Approval: You candelegate GPOs to specific groups and implement workflow processes that include an approval or notificationmechanism before GPO changes canbe published into production.

Offline Editing: You can use offlineediting to modify a copy of a GPOoffline, out of the productionenvironment. This mechanism can prevent accidental changes to theGPO.

Rollback: Administrators can quickly roll back a modified GPO to a previous version. AGPM also providesan undelete feature to recover GPOsthat are accidentally erased.

Reporting: AGPM provides detailed differencing reports for GPOs,allowing you to quickly ascertainwhat changes have been made.

AGPM: The Big Picture

AGPM provides a flexible solution to

manage Group Policy in complexenvironments. By implementing thistechnology, you can better respond toyour organization’s requests to implementnew or modified policies. AGPM can helpbridge the departmental policies in manyorganizations that prevent the desktopgroup administrators from managing thedesktops through Group Policy when



server GPOs are managed by the servergroup administrators. This technologyhelps you move from a Standardizedenvironment to a Rationalizedenvironment. AGPM can reduce thepossibility of errors in the environment,

thus increasing your ability to enforcebusiness policies in a timely manner.

System Center Desktop Error

Monitoring (DEM)

You can use System Center DEM to collectdata about any errors that users areexperiencing on their systems. You canuse that information to provide proactivesupport and solutions.

How DEM Works

DEM capability is already built into everyWindows 2000, XP, and Windows Vistacomputer. You most often see it as thatlittle window that pops up and lets theuser know that something has gonewrong. Often, this dialog box will promptthe user to send Microsoft some dataabout the problem.

You can use Group Policy to configureDEM to send this data to a central server.The data is aggregated on that server.

You can then analyze the data todetermine whether any users are havingproblems. Often, you’ll be able to use thedata to proactively address problemsbefore users call in to complain.

You can also submit reports to Microsoft.If the cause of the error has already beendiscovered and Microsoft has adocumented resolution, it will send theURL to the DEM administrator. The URLmay contain a link to an update ordirections to update a particular

application. This information can mean thedifference between spending your timetroubleshooting the problem or deliveringa quick solution to the user.

Microsoft is very careful about theinformation that is collected. Informationsent through DEM is used only to gatherstatistics on Windows application issues

and to trace the issues that are causingcrashes. As an administrator, you candefine exactly what information is sent toMicrosoft.

Figure 7. Group policy setting to modify DEM

reporting options

Benefits of the DEM Solution

The DEM solution can:

Accelerate desktop management and IT responsiveness: Be proactive about user management.By leveraging the data that DEM provides you can better manageissues before they become major problems. You also increase theresponsiveness of the helpdesk by helping them to see trends beforethey start to impact business productivity.

Improve desktop stability & end-user productivity : Being proactivewith DEM helps you to insure a moreconsistent level of workstationstability in the your corporate IT environment. Problems are less likely to reach a point where the end-user is unable to perform their job.



Faster resolution for help desk :By leveraging Microsoft`s onlinesolutions repository, you can morequickly discover solutions to problems detected in your environment. This reduces the time it

takes to implement a solution in your environment and leverages theknowledge of thousands of administrators worldwide.

Lower helpdesk call volume and support costs: By being proactiveand monitoring what is happening inyour workstation environment, youcan fix problems before they becomesupport calls and help desk tickets.Your help desk technicians can focus

on more productive tasks, and youreduce the time and effort associated with troubleshooting.

DEM: The Big Picture

DEM gives you tools to act proactively andto gain a better understanding of theenvironments in which users are working.This is a great example of moving to aRationalized maturity level and thebeginning stages of a Dynamic maturitylevel. Business users will appreciate thatDEM is all about fixing issues before theybecome crises. Many application problemscan be solved in an almost automatedfashion and with limited user intervention.



Using Windows Vista and MDOP to Become Dynamic

With MDOP, several exciting tools are available to help you move your organization anddesktop environment forward through the Infrastructure Optimization Model. Rememberthat your ultimate goal when considering desktop optimization is to reduce the pain andrepetitive aspects of managing desktops. Achieving this goal lets you focus on other tasks,providing additional value to your organization. In summary, the key benefits of MDOP canbe broken down into several key areas:

Enhanced Application Management User Productivity IT Responsiveness Asset Management Help desk responsiveness and cost reduction

For more information on this, and other topics around Windows Vista adoption, see:

Springboard Series: The On-Ramp for IT Pros

(http://www.microsoft.com/technet/springboard)



The information contained in this document represents the

current view of Microsoft Corporation on the issues discussed as

of the date of publication. Because Microsoft must respond to

changing market conditions, this document should not be

interpreted to be a commitment on the part of Microsoft, and

Microsoft cannot guarantee the accuracy of any information

presented. This document is for informational purposes only.

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN

THIS DOCUMENT.

Microsoft Corporation may have patents or pending patent

applications, trademarks, copyrights, or other intellectual

property rights covering subject matter in this document. The

furnishing of this document does not provide the reader any

license to the patents, trademarks, copyrights, or other

intellectual property rights except as expressly provided in any

written license agreement from Microsoft Corporation.

Microsoft does not make any representation or warranty

regarding specifications in this document or any product or item

developed based on this document. Microsoft disclaims all

express and implied warranties, including but not limited to the

implied warranties or merchantability, fitness for a particular

purpose, and freedom from infringement. Without limiting the

generality of the foregoing, Microsoft does not make any

warranty of any kind that any item developed based on these

specifications, or any portion of a specification, will not infringe

any copyright, patent, trade secret, or other intellectual property

right of any person or entity in any country. It is your

responsibility to seek licenses for such intellectual property rights

where appropriate. Microsoft shall not be liable for any damages

arising out of or in connection with the use of these specifications,

including liability for lost profit, business interruption, or a nyother damages whatsoever. Some states do not allow the

exclusion or limitation of liability or consequential or incidental

damages; the above limitation may not apply to you.

Microsoft, Access, Active Directory, BitLocker, SQL Server,

Windows, the Windows logo, Windows NT, Windows Server, and

Windows Vista are either trademarks or registered trademarks in

the United States and/or other countries.

© 2008 Microsoft Corporation. All rights reserved.

microsoft desktop optimization pack [vista]

Documents