Group Policy Center

Windows has a cool feature that allows you to tell if your computer has Internet connectivity when you are connected to a network (see image below). This feature is called Network Connectivity Status Indicator (NCSI) it uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resoles to 131.107.255.255

Windows 7

However if you find this error message really annoying there is now a Windows 7 group policy will turn it off. This is a machine setting so edit a Group Policy Object that is applied to all the workstations you want to turn this message off. Then navigate to Computer Configuration > Policies > Administrative Templates > Network Connections and enabled the “Do not show the “local access only” network icon” policy setting.

TADA… Now you will no longer see the exclamation icon on the network icon.

For more information on how NCSI works and this Windows 7 policy see http://technet.microsoft.com/en-us/library/ee126135(WS.10).aspx

Windows Vista

Unfortunately Windows Vista does not have the same Group Policy however there is a registry key that can be applied using Group Policy Preferences that has the same affect.

Key: HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
Value: EnableActiveProbing
Data: 1 (REG_DWORD) = Enabled
Data: 0 = Disabled

Step 1. Edit a Group Policy Object that is applied to all the workstation you want this Browser Ballot disabled.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and create a “New Registry Item”

Step 3. Type “SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet” in the Key Path then type “EnableActiveProbing” in the Value name, then select REG_DWORD as the value type “0” in the value data and then click “OK”.

For more information on how NCSI works and this Windows Vista policy see http://technet.microsoft.com/en-us/library/cc766017(WS.10).aspx

Another one…? yes… Another roaming profiles group policy for this weeks setting of the week. But this is a really super cool policy I found while reading the “What’s New in Folder Redirection and User Profiles” (via @stealthpuppy ) document that Microsoft recently published. This document mainly goes through the new features with folder redirections in Windows 7 however it also mentions the new group policy/feature called “Background upload of a roaming users profile’s registry file while user is logged on”.

This setting can be found under Computer Configuration > Administrative Templates > System > User Profiles and is specific to Windows 7 or Windows Server 2008 R2.

This policy setting would be very useful as a way to ensure that at least part of a users profile is save to the network if they are they type that never like to log off their computer at night.

There are a few points about this policy which I have summarised below:

• Only synchronises the users registry profile (ntuser.dat) so things like desktop icons and favourites wont sync. (This is what folder redirection is for any way).
• There are two modes of scheduling the update
• Run at set interval – Between 1 hour and 720 hours (30 days).
• Run at specified time of day – useful if you only want to run this at 3am so that it only applies to users who stay logged on over night.
• The schedule will run randomly any time up to an hour after it is supposed to run so to not load the file server with a large number of concurrent requests.
• If you choose one method of scheduling then it will ignore the set value of the other schedule.

I also have a very strong suspicion that this setting is only compatible if you have Windows 2008 (or later) as the file server so that it can handle the copying of the locked file (ntuser.dat). Please ping me if you can confirm this.

Group Policy Preferences have been out for about 3 years now and so there have been a number web posts about what they are and how they are implemented. So I have created a list of links to other articles that from the Group Policy Team Blog and ohter places that help explain what Preference are and how you can use them in your environemtn.

Third Party Links

• MSServerAdmin: The One Reason You Should Use Group Policy Preferences – Printers
• GPO Guy: Group Policy Preferences Overview
• RDP Files: Group Policy Preferences aka GPPs

Microsoft Links

• Microsoft Support: Information about new Group Policy preferences in Windows Server 2008
• TechNet: Group Policy Preferences: Getting Started
• TechNet: Configure, Target, and Comment Preference Items
• TechNet: Preference Item-Level Targeting
• TechNet: Windows Settings
• TechNet: Control Panel Settings
• TechNet: Configure Common Options
• TechNet: Enable and Disable Settings
• TechNet: Variable in Preferences Items
• Group Policy Team Blog: GP Policy vs. Preference vs. GP preferences
• Group Policy Team Blog: Environment Variables in GP Preferences
• Group Policy Team Blog: Troubleshooting: Quick Fixes
• Group Policy Team Blog: GP Preferences Will Reduce Logon Scripts : Mapping Drives
• Group Policy Team Blog: Check a setting in all GPO’s continued (scripts, firewall, GP Preferences and more)
• Group Policy Team Blog: Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences
• Group Policy Team Blog: How do I migrate PolicyMaker Items to Group Policy Preference Items?
• Group Policy Team Blog: Passwords in Group Policy Preferences (updated)
• Group Policy Team Blog: Red / Green Underlining continued: Using Preferences to set IE settings like preference, or like policy

My take…

Group Policy Preferences are a heap of new Group Policy settings that were released with Windows Server 2008 that allows IT administrators to pretty much do anything they want to configured computers in an corporate environmnet. Preferences only require a Windows 2000 Active Directory and they need to be manageded from a minumum of Windows Vista/2008 however they can be applied to Windows XP Service Pack 2 (or greater) workstations.

You can see all the articles on this site about Group Policy Preferences at http://www.grouppolicy.biz/tag/group-policy-preferences/

Just stumbled across this Microsoft KB that seem like a fairly common problem that may affect anyone who tries to apply a desktop wallpaper to a Windows 7 computer via Group Policy.

Description:

In an Active Directory domain network environment, you apply a "Desktop Wallpaper" Group Policy setting to the domain users. However, the setting is not applied to domain users who log on to client computers that are running Windows 7 or Windows Server 2008 R2.

This issue varies if the following conditions are true:

• If the domain user logs on the domain after you deploy the "Desktop Wallpaper" Group Policy setting, the desktop background changes to black.

• Note The color of the desktop background varies, depending on the color scheme that you set.

• If the domain user logs on the domain before you apply the "Desktop Wallpaper" Group Policy setting, the desktop background does not change.

Additionally, in the Personalization window of the client computer, the desktop background is displayed as being changed to the setting that you applied.

For more info and links to the hotfix go to The "Desktop Wallpaper" Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2

In part 2 of how to use Group Policy to configure a users home page I will be show you how to use Group Policy Preferences to configure a users home page. There really isn’t a right way you can set the users home pages setting it is really up to your requirements and how much control you want to have.

The advantage of using Group Policy Preferences is that it allows you to specify a default home page but still allow users to change it if they want.

Now there are three dialogue Internet Explorer setting that can be used to configured home pages in Group Policy Preferences.

However as you can see the IE7 and IE8 screens are exactly the same so I will only go thought it using IE8 and the IE5/6 screenshots. If you do want to configure the IE8 setting remember that you will need to use the Internet Explorer 7 screen option instead however all the steps and affects are the same.

Internet Explorer 5 & 6

Internet Explorer 5 & 6 does not support tabbed browsing so this makes it a lot simpler to setup as all you can specify a default home page. Also remember that the Group Policy Preferences Client Side Extensions are are not installed on Windows XP by default so you will need to make sure they are installed before these settings will work.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Internet Explore 5 and 6”

Step 4. Press “F6”

Explanation: Pressing “F6” enables the individual settings for configuration. Notice this changes the red dotted line to a solid green line which means that only the “Home:” settings is enabled to be applied as a policy.

Step 5. Now type your home page URL in the “Home” text box and click “OK”

Your done.

Now as this is a preference this will not prevent you users from changing the home page however it will be reset at the next group policy refresh.

Internet Explorer 7 & 8

Internet Explorer 7 & 8 supports multiple tabs so you need can either configure a single default home page or a default home page with multiple secondary home page.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Internet Explore 8” (or “Internet Explorer 7”)

Step 4. Press “F6”

Step 5. Now add the URL (or URL’s) for the pages you want to be displayed and click “OK”.

Note: If you only specify one home page then the user will be able to change the home page however it will reset after the next policy refresh.

Again… your done.

As you can see below your browser is configured with two default home pages.

Note: Native Group Policies always take precedence over Group Policy Preferences so if you have you home pages configured using a native Group Policy (see Part 1) then this settings will be overridden.