Group Policy, when properly planned and implemented, can be an indispensable tool for managing Windows desktop systems. But two obstacles prevent administrators from effectively using Group Policy. First is an incomplete understanding of what Group Policy is and how to apply it. Second is not being clear about what you want to accomplish with Group Policy. It's easy to be overwhelmed by Group Policy because of the large number of settings and the variety of ways you can apply those settings. Understanding Group Policy really isn't difficult, however. Once you have a feel for it you just need some ideas for putting it into action. With that in mind, let's walk through a basic course in Group Policy. Then, I'll show you 10 ways you can begin using Group Policy to manage the desktop systems in your environment.
Group Policy 101
Group Policy gives you central control over certain aspects of the behavior of the desktops in your Windows Server domain. The Microsoft Management Console (MMC) Group Policy snap-in contains extensions and seven main nodes. The nodes are the management entry point for each extension.
Administrative Templates. Administrative Templates are registry-based policies that you use to alter registry settings that control the behavior and appearance of the desktop, components, and applications. Five default Administrative Templates load with a new Group Policy Object (GPO): System.adm for the Windows Server 2003 family, Windows 2000, and Windows XP; Inetres.adm for Internet Explorer (IE) settings; Wmplayer.adm for Windows Media Player (WMP); Conf.adm for NetMeeting 3.01; and Wuau.adm for Windows Update.
Security Settings. The Security Settings node specifies local computer, domain, and network security settings.
Software Installation. The Software Installation node assigns and publishes software to users and assigns software to computers.
Scripts. The Scripts node can affect computer startup and shutdown and user logon and logoff. You can place any Windows Script Host (WSH)–supported language into a script object.
Remote Installation Services (RIS). The settings in this node control how the Remote Operating System Installation feature is presented to client computers.
Internet Explorer Maintenance. The Internet Explorer Maintenance node settings manage Internet Explorer (IE) and customize its behavior.
Folder Redirection. This node's settings redirect Windows special folders (i.e., My Documents, Application Data, Desktop, and Start Menu) to an alternate location on the network.
Administrators use Group Policy Editor (GPE) to configure policy information or settings, which are stored in a GPO. In turn, GPOs link to appropriate sites, domains, or organizational units (OUs) in Active Directory (AD) to determine the computers or users to which the settings in the GPO will apply. You apply most GPOs for managing desktop systems and users to an OU that contains either user or computer objects. You can also use Security Group and Windows Management Instrumentation (WMI) filtering to further narrow the scope of objects to which a given policy will be applied. The Learning Path for this article directs you to more detailed information about using Group Policy. Let's get started leveraging the power of Group Policy to manage your desktop systems.
1. Always Wait for Network at Startup and Logon
This setting affects the Group Policy engine and determines whether GPOs are applied synchronously or asynchronously. Win2K applies GPOs synchronously. XP Professional introduced a refined asynchronous processing mode to speed up both boot and login times. As a side effect, however, in XP Pro, Group Policy settings that take a specific action according to security group membership can take two or even three logons to become effective. The shortcomings to this approach are obvious, especially when you use Group Policy as part of your security strategy. You can, however, guarantee application of targeted policies in a single boot or login by enabling the Always wait for the network at computer startup and logon setting.
The Setting:
Computer Configuration\ Administrative Templates\ System\ Logon\ Always wait for the network at computer startup and logon
2. Automated OS Installation via RIS
What better way to leverage Group Policy than to start using it right away as you deploy client systems? RIS, which showed up initially in Win2K Server, is an optional component that lets administrators create automated installation images for Windows 2003, XP, and Win2K. You can deploy these images to clients and servers. You use the Remote Installation Services node of GPE to control the Choice Screen Options that Windows provides to RIS clients. From the Choice Options Properties screen you can configure the Automatic Setup, Custom Setup, Restart Setup, and Tools options for RIS.
The Setting:
User Configuration\ Windows Settings\ Remote Installation Services\ Choice Options
3. Startup, Shutdown, Logon, and Logoff Scripts
If you think logon scripts are old news for managing desktops and user environments, you're only partially correct. Group Policy gives you much more control over where and when scripts can be run. In addition to specifying the traditional logon script, which runs when a user logs on to the domain, you can specify a script to run when a user logs off the system. You can also specify individual scripts to run both when a computer starts up and when it shuts down. These four types of script triggers give you much more flexibility to perform tasks that just don't fit in the traditional logon script paradigm.
The Settings:
Computer Configuration \ Windows Settings \ Scripts (Startup/Shutdown)
User Configuration \ Windows Settings \ Scripts (Logon/Logoff)
4. Standardize OS "Look and Feel" Settings
You can use a combination of Group Policy settings to create and maintain a standard look and feel for your users' systems. Such standardization can be helpful in developing consistent and effective approaches to training and support. You can control a myriad of settings—too many to list here. The following locations and settings, however, will provide some guidance and food for thought.
The Settings:
User Configuration\ Administrative Templates\ Start Menu & Taskbar
\Remove Favorites menu from Start Menu
\Turn off personalized menus \[in Windows 2003 and XP SP2\]; \Disable Personalized menus \[in XP and Win2K Server\]
\Prevent changes to Taskbar and Start Menu Settings \[in Windows 2003 and XP 2P2\]; \Disable changes to Taskbar and Start Menu Settings \[in XP and Win2K Server\]
User Configuration\ Administrative Templates\ Windows Components\ Windows Explorer
\Turn on Classic Shell
\Remove the Folder Options menu item from the Tools menu
\Remove "Map Network Drive" and "Disconnect Network Drive"
\No "Entire Network" in My Network Places
User Configuration\ Administrative Templates\ Desktop
\Hide and disable all items on the desktop
\Hide My Network Places icon on desktop
\Remove the Desktop Cleanup Wizard
User Configuration\ Administrative Templates\ Control Panel\ Show only specified Control Panel applets
User Configuration\ Administrative Templates\ Control Panel\ Add or Remove Programs\ Hide Change or Remove Programs page
User Configuration\ Administrative Templates\ Control Panel\ Display\ Desktop Themes
\Remove Theme option
\ Load a specific visual style file or force Windows Classic
5. Configure Windows Firewall Settings for XP Systems
The vast majority of settings for controlling Windows Firewall were only recently made available in XP Service Pack 2 (SP2). But before we dive into those settings, it's worth noting that you do have a modicum of control over how XP's original Internet Connection Firewall behaves. You exercise this control by using the Prohibit use of Internet Connection Firewall setting on your DNS domain network; you'll find the setting under Computer Configuration\ Administrative Templates\ Network\ Network Connections.
In XP SP2, Windows Firewall is accompanied by an array of Group Policy–controllable features. The Group Policy options for Windows Firewall in XP SP2 let an administrator configure two different sets of firewall configurations, known as profiles. You use the Domain profile when the client is connected to the network on which the client's domain controllers are located. You use the Standard profile when the client is connected through an alternate network. You can create a more restrictive set of firewall options in the Standard profile for when systems don't have the benefit of a corporate firewall. You can also configure exceptions in the Domain profile that facilitate connections from internal systems management tools. For these and other XP SP2 settings, you need to implement XP SP2 Administrative Templates, as the Microsoft TechNet article "Deploying Windows XP Service Pack 2 in Enterprise Environments" discusses (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/sp2entdp.mspx).
The Settings:
Computer Configuration\ Administrative Templates\ Network/Network Connections\ Windows Firewall\ Domain Profile
Computer Configuration\ Administrative Templates\ Network/Network Connections\ Windows Firewall\ Standard Profile
6. Strengthen Desktop Security
Implementing secure desktop clients requires a multifaceted management approach, and Group Policy can help ensure a consistent, stable foundation on which to build your security strategy. Group Policy gives you the ability to centrally manage and enforce a wide range of security settings and policies related to desktop computers and their users. There are four general areas you can focus your security efforts on: security settings, IP Security (IPSec) policies, software restriction policies, and wireless network policies. Because configuring these policies requires a thorough understanding of their possible effects and plenty of testing before you implement them in a production environment, I won't attempt to explain the details here. You can read more about configuring these settings at http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/
documentation/windowsserv/2003/all/deployguide/enus/dmebg_dsp_djor.asp.
You use security settings to configure security-related OS specifics such as file and registry ACLs, audit policy, password policy, event logging, and service startup modes. You can import a security template into a GPO, which lets you organize security settings in a single, easily managed package. Default templates are located in %systemroot%\Security\Templates and have an .inf extension.
The Setting:
Computer Configuration\ Windows Settings\ Security Settings
IPSec is a relatively complicated security feature for filtering, authenticating, and encrypting network traffic. To access an extensive list of resources for learning more about IPSec, check out the Microsoft Windows Server 2003 IPSec Technology Center at http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx.
The Setting:
Computer Configuration\ Windows Settings\ Security Settings\ IP Security Policies on Active Directory
Software restriction policies are self-explanatory. They let you specify applications that you want to allow or deny on a per-user or per-computer basis.
The Settings:
Computer Configuration\ Windows Settings\ Security Settings\ Software Restriction Policies
User Configuration\ Windows Settings\ Security Settings\ Software Restriction Policies
Wireless network policies let you configure settings that control the behavior of the Wireless Configuration Service in XP through the Wireless Network Policies Extension in a Windows 2003 environment.
The Setting:
Computer Configuration\ Windows Settings\ Security Settings\ Wireless Network (IEEE 802.11) Policies
7. Control Windows Update and Automatic Updates
Generally speaking, XP's Windows Update and Automatic Updates are great features. In a corporate environment, though, there are good reasons to control their availability and behavior. You can disable Automatic Updates and remove user access to Windows Update through Group Policy. Of course, you'll likely only do this if you have a centralized update distribution mechanism such as Software Update Services (SUS) or its soon-to-be-released successor Windows Update Services (WUS). Both SUS and WUS are controllable through Group Policy but might require an updated version of the Wuau.adm administrative template. The settings for the built-in update tools are user-specific. SUS and WUS settings are computer-based.
The Settings:
User Configuration\ Administrative Templates\ System\ Windows Automatic Updates
User Configuration\ Administrative Templates\ System\ Windows Update
Computer Configuration\ Administrative Templates\ Windows Components\ Windows Update
8. Folder Redirection
Folder Redirection lets you redirect the path of special folders such as My Documents, Desktop, and Application Data to a network location. Storing these folders and their contents on a file server affords them the superior protection that server class hardware inherently provides and also makes the data available to users from multiple workstations. A separate but complementary technology is XP's Offline Files, which automatically makes files available offline when you redirect them from a special folder. For more information about implementing Folder Redirection, see "Using IntelliMirror to Manage User Data and Settings" (July 2003, InstantDoc ID 39193).
The Settings:
User Configuration\ Windows Settings\ Folder Redirection
User Configuration\ Network\ Offline Files
9. Standardize and Secure IE
IE is one of the most frequently used tools on many users' systems; unfortunately, it's also one of the most misused. In addition, IE presents an oft-exploited avenue for malware and other threats to security and privacy. Although there is no bulletproof solution to these risks when IE is so widely used, there are Group Policy settings to shore up security and better control how IE is used. IE subkeys under User Configuration and Computer Configuration in GPE let you customize settings and set restrictions on a per-user or per-computer basis (the majority of settings are beneath User Configuration). Customizations you can make include but aren't limited to:
- Changing the appearance of the browser interface
- Setting custom URLs for favorites, search page, and home page
- Configuring default program for handling tasks such as email and newsgroup activities
- Controlling security zones and content rating settings
- Configuring connection settings for LAN and dial-up
You can also restrict user access to certain IE settings, menu items, and configuration pages to enforce consistency and bolster security. Take a minute to read the Explain tab for the settings you configure to avoid confusion about what will happen when you enable or disable a setting. XP SP2 dramatically expands the IE security options that Group Policy can control. The new features include MIME sniffing safety, zone elevation protection, ActiveX installation restrictions, file download restrictions, and Add-on management.
The Settings:
Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer
User Configuration\ Administrative Templates\ Windows Components\ Internet Explorer
10. Software Installation Policy for Automated Application Deployments
Software installation and maintenance are part of Microsoft's IntelliMirror functionality, and you can control both with Group Policy. You can configure settings within GPE to assign or publish an application to users or computers. Software installation and maintenance functionality works with programs that use Windows Installer technology (i.e., .msi files). Of course, Microsoft applications such as Office use Windows Installer technology for their installation process, which means you can assign Office to a user or computer population and have it installed automatically. You can create custom installations using msi transforms and use security group filtering to target specific groups of users to which the custom installation will be applied. And in case you're wondering, you can also use software installation and maintenance functionality to deploy XP SP2. You can assign XP SP2's Update.msi only to machines; assigning to users isn't supported. For more information, see the Microsoft article "Best Practices for Using Update.msi to deploy Service Packs," http://www.support.microsoft.com/?kbid=278503.
The Settings:
User Configuration\ Software Installation
Computer Configuration\ Software Installation
Good Policy
Now you know that some policies are simple and others, such as Folder Redirection, require preparation and testing to implement. The best way to approach policy creation is from the perspective of solving a particular problem or providing a particular service. Determine the appropriate settings to accomplish the task at hand. Read the description under the Explain tab when viewing the properties for a setting within GPE to make sure you fully understand a setting's impact and behavior before you turn it on. And finally, make sure you fully test both the result of the settings in your GPO as well as your scope targeting method before putting a policy into production.