Group Policy Central

Archive for February 2010

Best Practice: How to use Group Policy to configure home page settings – Part 1

One of the most common settings that Group Policy is used for is to configure browser home page settings. There are a number of ways this can be done; in Part 1 I am going to go through changing the home page setting using a native Group Policy setting.

In Part 2 I will explain how to configure the home page setting using Group Policy Preferences, and in Part 3 I will explain how to configure home page settings using the Windows Settings > Internet Explorer Maintenance option.

The advantage of using a native Group Policy setting is that it does not require the deployment of the Group Policy Preference client-side extensions, and the setting is enforced so the user cannot change it, even temporarily.

Primary Home Page

This option allows the admin to configure a single home page for the user, without the ability for the user to add any other secondary home pages if they are using IE7 or IE8. This setting will also work if the user has IE5 or above installed.

Step 1. Edit a GPO that targets the users you want to apply the home page setting to.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.

Step 3. If you want to configure a single home page for your users and/or you are using IE5 or IE6, edit the “Disable changing home page settings” setting.

Step 4. Select “Enabled” and then type the URL you want as the home page in the “Home Page” text field.

Now the user's browser will be hard-coded to use only http://www.bing.com as the home page, and the UI to change this will be disabled.

Multiple Tabs

This option allows the admin to specify the user's secondary home pages while still allowing them to configure the default home page.

Note 1: This policy setting will not work with IE7, which does support secondary home pages.

Note 2: This policy setting will not work if you also have “Disable changing home page settings” enabled.

Step 1. Edit a GPO that targets the users you want to apply the home page setting to.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer.

Step 3. If you want to configure a single home page for your users and/or you are using IE5 or IE6, edit the “Disable changing secondary home page settings” setting.

Step 4. Select “Enabled” and click on “Show…”.

Step 5. Click in the text field next to the * and type the URL you want to add as a secondary home page. You can repeat this for as many secondary home pages as you want.

The user will now have http://www.yahoo.com and http://www.microsoft.com load as their secondary home pages, and they will be able to change their default primary home page by using the “Add or Change Home Page…” option (see image below).

However, they will not be able to add or change the secondary home pages, which means that the “Add this webpage to your home page tabs” option (see image below) will NOT work.

This also means the UI under “Internet Options” for changing the “Home Page” will be disabled.

I really like the secondary home page option as it allows users to customise their home page settings while still ensuring they load the corporate home page each time they open their browser.
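
As an added example (not part of the original post), the following PowerShell script reports the Internet Explorer home page values that the two policies above write for the current user, so you can confirm on a workstation what the GPO actually delivered and spot the conflict described in Note 2. The registry paths and value names (Start Page, Secondary Start Pages, HomePage under the Control Panel key) are assumed from the IE administrative templates rather than taken from the post; verify them against your own ADMX files or by exporting the key after a gpupdate. The script only reads the registry.

```powershell
# Added example: audit the IE home page policy values for the current user.
# Paths and value names are assumptions from the IE ADMX templates (not from
# the original post); confirm against your templates before relying on them.
$policyMain  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Main'
$policyPanel = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when either the key or the value does not exist.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-IEHomePagePolicy {
    # "Disable changing home page settings" writes the URL as Start Page and
    # sets HomePage = 1 under Control Panel to lock the UI (assumed names).
    $startPage  = Get-PolicyValue $policyMain  'Start Page'
    $homeLocked = Get-PolicyValue $policyPanel 'HomePage'
    # "Disable changing secondary home page settings" writes a REG_MULTI_SZ
    # list of URLs as Secondary Start Pages (assumed name).
    $secondary  = Get-PolicyValue $policyMain  'Secondary Start Pages'
    if ($null -eq $secondary) { $secondary = @() }

    $result = New-Object PSObject -Property @{
        PrimaryHomePage    = $startPage
        PrimaryLocked      = ($homeLocked -eq 1)
        SecondaryHomePages = @($secondary)
        # Note 2 above: the secondary setting is ignored when the primary
        # setting is also enabled, so flag that combination for the admin.
        Conflict           = ($null -ne $startPage -and @($secondary).Count -gt 0)
    }
    return $result
}

Get-IEHomePagePolicy | Format-List
```

Run it in the user's session after `gpupdate /force`; a `Conflict` of `True` means both policies were delivered and, per Note 2, the secondary home pages will not take effect.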

Group Policy Setting of the Week 15 – Add the Administrator security group to roaming users profiles

This week I have decided to choose “Add the Administrator security group to roaming users profiles” as the setting of the week. This setting can be found under “Computer Configuration > Policies > Administrative Templates > System > User Profiles” and applies to Windows XP / 2003 or later.

This setting adds the Administrators group to the ACL of the user's roaming profile folder on the server when it is first created. This greatly helps your user administrators, as they don't need to perform complicated take-ownership and permission changes when they need to access a user's profile to do something like a file restore or profile move.

In my experience, unless the privacy of users' personal files on your company's file server needs to be guaranteed, this option is normally enabled.

BUT!!!! Be very sure that you enable this option as soon as possible, as this setting does NOT apply retrospectively to existing user profiles: it only adds the Administrators group to the profile when the roaming profile is created on the server for the first time.

Best Practice: How to use Group Policy to disable USB drives on Windows XP

In my previous article “How to use Group Policy to make USB drives read only on Windows XP” I showed you how you could configure Windows XP to prevent users from writing to USB block-level devices. However, for some organisations just making drives read-only is not enough; I have heard stories of them having to resort to using hot glue guns to prevent people from using USB storage devices.

Update: I just found this article that explains how to use native Group Policy to disable your USB drives. Microsoft Support: HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers

Thankfully there is also a registry key in Windows XP that allows you to block the use of USB storage devices. There are two ways to prevent USB storage devices, so you may want to implement either or both methods in your organisation. The first method blocks USB storage devices on computers that have already had them installed, and the second prevents any new USB storage devices from installing.

How to block existing USB Storage Devices

To implement this, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Preferences > Windows Settings > Registry. Then click Action > New > Registry Item, type SYSTEM\CurrentControlSet\Services\UsbStor into the Key Path field, type Start into the Value Name field and 4 into the Value Data field, and click OK.

Key: HKLM\SYSTEM\CurrentControlSet\Services\UsbStor
Value: Start
Data: 4 (hex) = Disabled
Data: 3 (hex) = Enabled

If you want to prevent the installation of USB storage devices, then we use Group Policy to set the security on the driver files to prevent them from installing.

How to block new USB Storage Devices

This time, edit a Group Policy Object that is applied to all the workstations in your organisation and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > File System. Then click the “Action” menu and then “Add File”. Navigate to C:\Windows\Inf, select “Usbstor.inf” and press “OK”. Now click on “Users” in the security tab, tick the “Deny” “Full Control” box, then click OK.

Note: Alternatively you could add just the name of the user or group you want to prevent from using USB storage devices.

Click “Yes” to the security warning.

Then click OK.

Note: Remember that deny permissions take precedence, so inherited permissions will not have any effect, and since we are applying the permission directly to a file we don't need to worry about inheritance from this object.

Now repeat the steps above, this time selecting “C:\Windows\Inf\Usbstor.pnf”.

You should see something like the images below in your group policy.

Now, either way, when a user plugs a USB storage device into a computer, the OS will be prevented from seeing the device, thus preventing the user from reading and writing to removable media.
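
As an added example (not part of the original post), this PowerShell script verifies on a workstation that both controls above have landed: the UsbStor Start value from the first method, and the Deny Full Control entry for Users on Usbstor.inf and Usbstor.pnf from the second. It only reads the registry and file ACLs; the expected values (Start = 4, a Deny ACE for BUILTIN\Users) are the ones the steps above configure, and the file locations are assumed to be under %SystemRoot%\Inf as in the steps.

```powershell
# Added example: check that the two USB storage controls from the post are in
# place on this machine. Read-only; expected values come from the steps above.
function Test-UsbStorBlocked {
    # Method 1: the UsbStor service start value (4 = Disabled, 3 = Enabled).
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
    $start = $null
    if (Test-Path -Path $key) {
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    }
    if ($null -eq $start) {
        $serviceState = 'UsbStor key or Start value missing (driver never installed?)'
    } elseif ($start -eq 4) {
        $serviceState = 'Disabled: existing USB storage devices are blocked'
    } elseif ($start -eq 3) {
        $serviceState = 'Enabled (manual start): existing USB storage devices still work'
    } else {
        $serviceState = "Unexpected Start value $start"
    }

    # Method 2: Deny Full Control for Users on the driver setup files so new
    # devices cannot install. Paths assumed to be %SystemRoot%\Inf as above.
    $fileChecks = @()
    foreach ($name in 'usbstor.inf', 'usbstor.pnf') {
        $path = Join-Path $env:SystemRoot "Inf\$name"
        if (-not (Test-Path -Path $path)) {
            $fileChecks += "$name : not present"
            continue
        }
        $acl  = Get-Acl -Path $path
        $deny = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.FileSystemRights -eq 'FullControl'
        }
        if ($deny) {
            $fileChecks += "$name : Deny Full Control for Users present"
        } else {
            $fileChecks += "$name : no Deny ACE for Users (new devices can still install)"
        }
    }

    New-Object PSObject -Property @{
        UsbStorStart = $start
        UsbStorState = $serviceState
        DriverFiles  = $fileChecks
    }
}

Test-UsbStorBlocked | Format-List
```

Run it after `gpupdate /force` on a workstation in the GPO's scope; if you used the note above and targeted a specific group instead of Users, change the `IdentityReference.Value` comparison to that account name.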

See the Microsoft article about this option at http://support.microsoft.com/kb/823732 (HOWTO: Use Group Policy to disable USB, CD-ROM, Floppy Disk and LS-120 drivers).

How to use Group Policy to Enable/Disable the Outlook 2010 Social Connector (a.k.a. People Pane)

There is an awesome new feature coming in Outlook 2010 called the Outlook Social Connector (a.k.a. People Pane) that allows you to view all the recent relevant status updates and emails from a person. This feature also enables third parties (e.g. Facebook, Twitter & LinkedIn) to make connectors so that the view can contain information from a variety of sources.

Users can turn this option on and off fairly easily via the “People Pane” option under the “View” tab in the Outlook Ribbon.

However, some (out of touch) IT organisations might not want this feature enabled in their organisation, and so there is a registry kill switch that can be controlled via Group Policy to enable/disable this option.

Key: HKCU\Software\Microsoft\Office\Outlook\SocialConnector
Value: RunOSC (REG_DWORD)
Data: 0 = Disabled
Data: 1 = Enabled

To control this option, edit a Group Policy Object that is applied to all the users in your organisation and navigate to User Configuration > Preferences > Windows Settings > Registry. Then click Action > New > Registry Item, type Software\Microsoft\Office\Outlook\SocialConnector into the Key Path field, type RunOSC into the Value Name field and 1 into the Value Data field, and click OK.

Alternatively you can click on the file image below to download the XML Group Policy Preference file with this setting already configured. Once you have downloaded the file, just drag it into the Group Policy Preference Registry section and it will automatically create the setting.

Once this setting is applied you can see that the “People Pane” option is no longer visible in the “View” tab.

Note: This also fixes the issue of the People Pane not showing for some users who installed the Office 2010 Beta.

Group Policy Setting of the Week 14 – Prevent access to registry editing tools

This week's setting is another oldie but a goodie that is commonly used to lock down SOEs so that users cannot use the registry editor. It is called “Prevent access to registry editing tools”, which is a user setting found under User Configuration > Policies > Administrative Templates > System, and will work on all platforms since Windows 2000.

The effect is pretty simple… It stops users from running regedit.exe so they can't make registry changes to their computer or profile. This will also work even if a user takes a copy of the regedit.exe command and renames it to something else.

If you select “No” for “Disable regedit from running silently?”, this will allow users to apply registry keys via a preconfigured .REG file using the “regedit.exe /s” silent switch, so make sure you select “Yes” unless you need this back door for something like a logon script.