Recommended Features for Network Clients (Optional)

The following optional features are recommended for your preferred configuration. These features define how Windows 95 will be installed and administered in your organization.

Using System Policies

For centralized administration of client computers, you must enable system policies. System policies allow you to centrally edit and control individual user and computer configurations. For example, if you want to place a custom Start menu on user desktops or to limit access to Control Panel options, system policies make it easy to do this from a central location for a large number of users.

Enabling policies creates a single file that resides on the server, and thus does not involve physically touching the client computer. In general, the policy file can be modified on the server after Windows 95 is installed; however, some types of changes, such as adding group support or a nonstandard server path for product updates, require configuration on the client computer. For information on the types of restrictions available and for details on how to implement system policies, see Chapter 15, "User Profiles and System Policies."

Using User Profiles

With user profiles, users can use personalized desktop settings each time they log on to a computer. This is especially useful for multiple users sharing a single computer who want to customize their desktops and have those custom settings loaded at logon. Conversely, a single user can move between computers using the same profile if the administrator stores that profile on the server. An administrator can also take advantage of profiles to require that a mandatory desktop configuration be loaded each time a user logs on. The ability to change profile settings can be controlled by the administrator. For information on how to use user profiles, see Chapter 15, "User Profiles and System Policies."

User profiles are not needed when only one person uses the computer or when a custom desktop adds no value. Leaving user profiles disabled shortens the logon process slightly, because the system does not need to locate and load the profile.

Enabling Remote Administration

To remotely administer a computer's Registry, you must first enable this capability. This is done on the client computer by installing the network service called Microsoft Remote Registry service, enabling user-level security, and enabling the Remote Administration feature. Remote administration capabilities allow you to conduct a variety of tasks remotely over the network such as administering the file system, sharing or restricting directories, or querying and making changes to the Registry. If you plan to do any of these tasks, be sure to enable this feature during Windows 95 installation.

You should not enable remote administration if you don't need these services, because doing so causes unnecessary extra processes to run on the client computer and on the network. These extra remote services could then theoretically be used by individuals on the network, provided they knew the appropriate password, to access information on your client computers. However, Windows 95 comes with security capabilities to protect against unauthorized use of the Remote Registry service. For more information, see Chapter 16, "Remote Administration."

Using Setup Scripts for Windows 95 Setup

Setup scripts (which are batch files) allow you to predefine responses to prompts that appear during Windows 95 Setup. Setup scripts go hand-in-hand with push installations to completely automate the installation process. The choice to use a setup script is very straightforward. If you need to conduct a similar installation more than five times, you should use a setup script. Begin planning for setup scripts and push installations during this phase, as you are specifying the preferred client configuration. Make sure that you document each feature needed, so that you can automate the selection of these features. For more information, see Chapter 5, "Custom, Automated, and Push Installations."

Using Push Installations for Windows 95 Setup

You need to understand and plan in advance how the push installation process will work for a given computer. There are several alternatives for remotely initiating the installation, ranging from editing the client's login script to sending, by electronic mail, a link that contains a setup script. You will want to consider how to push the installation for each computer and make sure that the client computers are configured to support this process.

For organizations with 50 or more computers, being physically present to install each client computer is not a viable option because of the cost. In that case, you may need to turn to an administrative software solution such as Microsoft Systems Management Server. When using administrative software tools, additional client-side software may be needed. Be sure to include this software in the installation plan.

For more information about using push installations, see Chapter 5, "Custom, Automated, and Push Installations."

Using Peer Resource Sharing Services

The peer resource sharing capability in Windows 95 allows your client computers to share files and printers directly from a local personal computer, instead of from a central server. Peer resource sharing may reduce the traffic and disk space required on central servers, because you are leveraging the power of individual computers.

Security for peer resource sharing services may take the form of user-level security based on the user accounts on a Windows NT or NetWare network. Notice that a Microsoft Windows NT Client Access License is required if the computer will be connecting to servers running Windows NT Server. For information, see Chapter 8, "Windows 95 on Microsoft Networks," or contact your Microsoft reseller.

If you don't have servers to provide security validation or don't want to use user-level security, you can use share-level security, with each individual implementing security and a password scheme on the local computer. Share-level security is set on a directory-by-directory basis.

If you do not want to use peer resource sharing services and want to disable the capability on each client computer, you can do so by selecting the appropriate option in system policies.

Using User-Level Security

User-level security is based on user account lists stored on Windows NT or Novell NetWare servers. The user accounts specify which users have access rights on the network. Windows 95 passes on a user's request for access to the servers for validation. Pass-through user-level security protects shared network resources by requiring that a security provider authenticate a user's request to access resources.

User-level security is required for remote administration of the Registry and for network access to full user profiles. For information on implementing security in Windows 95, see Chapter 14, "Security."
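
The dependencies stated under "Enabling Remote Administration" and "Using User-Level Security" can be checked against a planned client configuration before rollout. The following is an added example, not part of the original documentation; the field names, finding codes, and sample plans are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ClientPlan:
    """Planned feature set for one client (hypothetical field names)."""
    name: str
    security: str = "share"              # "user" or "share"
    security_provider: str = ""          # Windows NT or NetWare server that validates users
    needs_remote_admin: bool = False     # does the admin team actually need it?
    remote_registry_service: bool = False
    remote_admin_enabled: bool = False
    network_user_profiles: bool = False  # full profiles reached over the network
    peer_sharing: bool = False

def review_plan(plan):
    """Return (code, message) findings for one plan, in a fixed rule order."""
    findings = []
    if plan.needs_remote_admin:
        # Remote Registry administration needs all three pieces on the client.
        if not plan.remote_registry_service:
            findings.append(("RA-SERVICE", "install Microsoft Remote Registry service"))
        if plan.security != "user":
            findings.append(("RA-SECURITY", "remote administration requires user-level security"))
        if not plan.remote_admin_enabled:
            findings.append(("RA-FEATURE", "enable the Remote Administration feature"))
    elif plan.remote_registry_service or plan.remote_admin_enabled:
        # Enabled without a stated need: extra services reachable from the network.
        findings.append(("RA-UNNEEDED", "remote administration planned but not needed"))
    if plan.network_user_profiles and plan.security != "user":
        findings.append(("PROFILE-SECURITY", "network profiles require user-level security"))
    if plan.security == "user" and not plan.security_provider:
        findings.append(("NO-PROVIDER", "user-level security needs a validating server"))
    if plan.peer_sharing and plan.security == "share":
        findings.append(("SHARE-LEVEL", "passwords are managed per directory on the client"))
    return findings

def codes(plan):
    """Finding codes only, for quick comparison across plans."""
    return [code for code, _ in review_plan(plan)]

# Constructed sample plans (not taken from any real deployment).
SAMPLE_PLANS = [
    ClientPlan("LAB-01", needs_remote_admin=True, remote_registry_service=True),
    ClientPlan("KIOSK-02", remote_registry_service=True, peer_sharing=True),
    ClientPlan("ADMIN-03", security="user", security_provider="NTSRV1",
               needs_remote_admin=True, remote_registry_service=True,
               remote_admin_enabled=True, network_user_profiles=True),
]

if __name__ == "__main__":
    for plan in SAMPLE_PLANS:
        print(plan.name, codes(plan) or "ok")
```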