|
Every system administrator needs to be
familiar with file and data management policies, which affect the amount
of data a user can store on systems, how offline files are used, and
whether the System Restore feature is enabled.
Configuring Disk Quota Policies
Policies that control disk quotas are applied at the system level.
You access these policies using the Administrative Templates policies
for Computer Configuration under System\Disk Quotas. The available
policies are summarized in Table 1.
Table 1. Disk Quota Policies
|
POLICY NAME |
DESCRIPTION |
|---|
|
Apply Policy To Removable Media |
Determines whether to extend quota policies to NTFS volumes on
removable media. If you do not enable this policy, quota limits apply
only to fixed media drives. | |
Enable Disk Quotas |
Turns disk quotas on or off for all NTFS volumes on the computer and prevents users from changing the setting. | |
Enforce Disk Quota Limit |
Specifies whether quota limits are enforced. If quotas are enforced,
users are denied disk space if they exceed the quota. This setting
overrides settings on the Quota tab for the NTFS volume. | |
Log Event When Quota Limit Exceeded |
Determines whether an event is logged when users reach their limit and prevents users from changing their logging options. | |
Log Event When Quota Warning Level Exceeded |
Determines whether an event is logged when users reach the warning level. | |
Specify Default Quota Limit And Warning Level |
Sets a default quota limit and warning level for all users. This
setting overrides other settings and affects only new users of a volume. |
Whenever you work with quota limits, you’ll want to use a standard
set of policies on all systems. Typically, you won’t need to enable all
the policies. Instead, you can selectively enable policies and then use
the standard NTFS features to control quotas on various volumes. If you
want to enable quota limits, use the following technique:
-
Access Group Policy for the system, site, domain, or OU you want to
work with. Next, access the Disk Quotas node using the Administrative
Templates policies for Computer Configuration under System\Disk Quotas. -
Double-tap or double-click Enable Disk Quotas. Select Enabled, and then tap or click OK. -
Double-tap or double-click Enforce Disk
Quota Limit. If you want to enforce disk quotas on all NTFS volumes
residing on this computer, select Enabled. Otherwise, select Disabled,
and then set specific limits on a per-volume basis. Tap or click OK. -
Double-tap or double-click Specify Default Quota Limit And Warning
Level. The Specify Default Quota Limit And Warning Level dialog box,
shown in Figure 1, appears. Select Enabled.
-
Scroll the Options scroll bar down. Under Default Quota Limit, set a
default limit that is applied to new users when they first write to the
quota-enabled volume. The limit does not apply to current users and does
not affect current limits. On a corporate network share, such as a
share used by all members of a team, a good limit is between 1 GB and 5
GB. Of course, this depends on the size of the data files users
routinely work with. Graphic designers and data engineers, for example,
might need much more disk space. -
Scroll the Options scroll bar down to set a warning limit as well. A
good warning limit is about 90 percent of the default quota limit,
meaning that if you set the default quota limit to 10 GB, you should set
the warning limit to 9 GB. Tap or click OK. -
Double-tap or double-click Log Event When Quota Limit Exceeded.
Select Enabled so that limit events are recorded in the application log.
Tap or click OK. -
Double-tap or double-click Log Event When Quota Warning Exceeded.
Select Enabled so that warning events are recorded in the application
log. Tap or click OK. -
Double-tap or double-click Apply Policy To Removable Media. Select
Disabled so that the quota limits apply only to fixed media volumes on
the computer. Tap or click OK.
Configuring System Restore Policies
System Restore is
designed to save the state of system volumes and enable users to restore
a system in the event of a problem. It is a helpful feature for the
average user, but it can use a tremendous amount of disk space. You can turn System Restore off for individual drives or for all drives on a computer.
In the Group Policy console, you’ll find the System
Restore policies under the Administrative Templates policies for
Computer Configuration under System\System Restore. Through System
Restore policies, you can override and disable management of this
feature. The following policies are available:
-
Turn Off System Restore
If you enable this policy, System Restore is turned off and can’t be
managed using the System utility or the System Restore Wizard. If you
disable this policy, System Restore is enforced and cannot be turned
off. -
Turn Off Configuration
If you enable this policy, you prevent configuration of the System
Restore feature. Users can’t access the Settings dialog box but can
still turn off System Restore. If you disable this policy, users can
access the Settings dialog box but can’t manipulate it, and they can
still turn off System Restore.
To configure System Restore policies, follow these steps:
-
Access Group Policy for the system, site, domain, or OU you want to
work with. Next, access the System Restore node using the Administrative
Templates policies for Computer Configuration under System\System
Restore. -
To enable or disable System Restore, double-tap or double-click Turn Off System Restore. Select either Enabled or Disabled, and then tap or click OK. -
To enable or disable configuration of System Restore, double-tap or double-click Turn Off Configuration. Select either Enabled or Disabled, and then tap or click OK.
Configuring Offline File Policies
Offline
file policies are set at both the computer and the user level, and
there are identically named policies at each level. If you work with
identically named policies at both levels, keep in mind that computer
policies override user policies and that these policies may be applied
at different times.
The primary policies you’ll want to use are summarized in Table 2.
As the table shows, most offline policies affect access,
synchronization, caching, and encryption. You’ll find Offline File
policies under Administrative Templates for Computer Configuration in
Network\Offline Files and under Administrative Templates policies for
User Configuration in Network\Offline Files.
Table 2. Offline File Policies
|
POLICY TYPE |
POLICY NAME |
DESCRIPTION |
|---|
|
Computer |
Allow Or Disallow Use Of The Offline Files Feature |
Forces enabling or disabling of the offline files feature and
prevents overriding by users. Enables administrative control of offline
file settings for a system. | |
Computer |
Configure Background Sync |
Controls when background synchronization occurs while on slow links.
Enabled: background synchronization occurs periodically to synchronize
files in shared folders between the client and server. Disabled: default
behavior for background synchronization is used. | |
Computer |
Configure Slow-Link Mode |
Controls how slow links are used. Enabled: slow-link values for each
shared folder used with offline files are configured. Disabled: offline
files will not use slow-link mode. | |
Computer |
Enable File Screens |
Controls the types of files that can be saved to offline folders.
Enabled: users cannot create files with screened extensions. Disabled:
users can create any type of file in offline folders. | |
Computer |
Enable File Synchronization On Costed Networks |
Controls whether background sync occurs on slow networks that could
incur extra data charges. Enabled: sync can occur when the user’s
network is roaming or near or over plan limit. Disabled: sync won’t run
in the background. | |
Computer |
Enable Transparent Caching |
Controls caching of network files over slow links. Enabled: optimizes
caching on the client to reduce the number of transmissions over slow
links. Disabled: transparent caching is not used. | |
Computer |
Encrypt The Offline Files Cache |
Determines whether offline files are encrypted to improve security. | |
Computer |
Files Not Cached |
Allows you to specify file extensions of file types that should not be cached. | |
Computer |
Limit Disk Space Used By Offline Files |
Limits the amount of disk space that can be used to store offline files. | |
Computer |
Turn On Economical Application Of Administratively Assigned Offline Files |
Determines how administratively assigned files and folders are synced
at logon. Enabled: only new files and folders are synced at logon.
Disabled: all files and folders are synced at logon. | |
Computer/User |
Remove “Make Available Offline” Command |
Prevents users from making files available offline. | |
Computer/Users |
Remove “Work Offline” Command |
Remove Work Offline option from File Explorer to prevent users from manually changing offline or online mode. | |
Computer/User |
Specify Administratively Assigned Offline Files |
Uses a Universal Naming Convention (UNC) path to specify files and folders that are always available offline. |
You can administratively control which files and folders are
available for offline use. Typically, you’ll want to do this on file
servers or other systems sharing resources on the network. You can use
several techniques to administratively control which resources are
available offline. Follow these steps to set offline file configuration
policies:
-
Access Group Policy for the system, site, domain, or OU you want to work with. Most offline
file policies can be configured for either computer or user policy
(with user policy having precedence by default) by using the Offline
Files node. You can access the policies for offline files using either
the Administrative Templates policies for Computer Configuration under
Network\Offline Files or the Administrative Templates policies for User
Configuration under Network\Offline Files, unless specifically noted
otherwise. -
To assign resources that are automatically available offline,
double-tap or double-click Specify Administratively Assigned Offline
Files. Select Enabled, and then tap or click Show. In the Show Contents
dialog box, specify resources according to their UNC path, such as
\\CorpServer23\Data. Figure 2
shows a list of resources that have been added to the Show Contents
dialog box. Tap or click OK until all open dialog boxes are closed.
Caution
You should carefully consider which resources are automatically made
available offline. The more resources you assign through this technique,
the more network traffic is generated to maintain offline file caches.
-
To prevent users from making files and folders available offline,
double-tap or double-click Remove “Make Available Offline” Command.
Select Enabled, and then tap or click OK. Once this policy is enforced,
users are unable to specify files for use offline. -
To restrict the types of files that can be created in offline
folders, double-tap or double-click Enable File Screens. Select Enabled.
In the Extensions box, enter a semicolon-separated list of file
extensions to exclude, and then tap or click OK. Be sure to precede each
file extension with an asterisk and a period, such as *.vbs or *.js. Once this policy is enforced, users are unable to create files with the specified extensions in offline folders. -
For Windows 8 and later, you may want to double-tap or double-click Remove “Work Offline”
Command, and then select Enabled. Once you select this option, users
cannot manually change whether Offline Files is in online or offline
mode. They can, however, continue to use Offline Files as appropriate.
In Windows Vista and later, offline files are synchronized
automatically, with background synchronization used whenever a computer
is connected to a slow network. For Windows 8 and later, a slow network
is any network with a latency of more than 35 milliseconds. Otherwise, a
slow link generally is any network with a latency of more than 80
milliseconds.
You can prevent a computer running Windows Vista and later from entering the slow-link mode and using background synchronization by disabling the Configure Slow-Link Mode policy. If you enable the Configure Slow-Link Mode policy, you can specify slow-link triggers based on network throughput and latency.
To modify the way slow links work, follow these steps:
-
Access Group Policy for the system, site, domain, or OU you want to
work with. Next, access the Offline Files node using the Administrative
Templates policies for Computer Configuration under Network\Offline
Files. -
To modify the triggers for slow links, double-tap or double-click
Configure Slow-Link Mode. Select Enabled, and then tap or click Show. In
the Show Contents dialog box, you use Value Name to specify resources
to manage and Value to specify throughput and latency settings. Keep the
following in mind:
-
In Value Name, you can specify values for individual servers according to their UNC path. For example, enter \\corpserver172\* to control slow-link triggers for all shares on CorpServer172, or \\corpserver85\data\* for all files and folders on the Data share for CorpServer85. -
In Value Name, you can specify values for all servers affected by the current policy by entering a value of *. -
In Value, you can specify a throughput trigger in bits per second, a
latency trigger in milliseconds or a combined throughput and latency
trigger. For example, enter Throughput=1024 to apply slow-link mode when network throughput is less than 1,024 bits per second, enter Latency=60 to apply slow-link mode when network latency is greater than 60 milliseconds, or enter Throughput=1024, Latency=60 to define both triggers.
Figure 3
shows a list of resources that have been added to the Show Contents
dialog box. Tap or click OK until all open dialog boxes are closed.
Caution
You should carefully consider which resources are automatically made
available offline. The more resources you assign through this technique,
the more network traffic is generated to maintain offline file caches.
-
By default, Windows syncs in the background while operating in slow-link mode. This sync occurs approximately every six hours. To fine-tune background syncing, double-tap or double-click Configure
Background Sync. Select Enabled, configure settings as appropriate, and
then tap or click OK. When configuring background sync, keep the
following in mind:
-
Sync Interval and Sync Variance are used together to define the
refresh interval. By default, the Sync Interval is 360 minutes with up
to a 60-minute Sync Variance to avoid overloading the network and
servers with numerous client requests at the same time. -
Use Maximum Allowed Time Without A Sync to help ensure all network
folders are refreshed periodically. The value is set in minutes. Thus,
if you wanted to ensure network folders were refreshed at least once a
day, you’d enter a value of 1440. -
Use Block out Start Time and Block out Duration to prohibit refresh
during specific times of the day. Block Start Time is set using 24-hour
clock time, and Block Duration is set in minutes. Thus, if you wanted to
ensure network folders weren’t refreshed from 2 P.M. to 6 P.M. daily,
you’d enter a start time of 1400 and a duration of 240.
-
With Windows 8 and later, you can use Enable
File Synchronization On Costed Networks to control whether background
sync is allowed on cellular and other networks that may charge fees when
roaming or near or over data plan usage. By default, syncing on costed
networks is disabled. To enable syncing on costed networks, double-tap
or double-click Enable File Synchronization On Costed Networks, select Enabled, and then tap or click OK.
|
