Archive for March 2010

Tweet now for more Windows 7 Libraries Group Policies @gpteam

One thing sadly lacking in Windows 7 is any Group Policy setting that an IT administrator can use to configure the Libraries feature. Well, an article on the Bink.nu web site has started a wish list of new features to be included with Service Pack 1, and one of them is the ability to configure libraries via Group Policy.

I would have loved to add the departmental share to the documents library for my users from a policy instead of fixing this by hand on each system.

I totally agree that this would be very useful in a corporate environment, similar to how great it is to be able to configure folder redirection. If you also think that this should be added in either the next service pack or an out-of-band update, then send your feedback to the Group Policy team by re-tweeting this article with @gpteam in the tweet.

Source: Bink.nu | Is Windows 7 RTM so good that SP1 needs no real improvements? – Bink.nu

Group Policy Setting of the Week 19 – Set roaming profile path for all users logging onto this computer

Back to another profile setting this week, and this one can save any organisation using Windows Vista or greater a lot of time if you manually provision your accounts. The setting is called “Set roaming profile path for all users logging onto this computer” and it configures the user's roaming profile path, which is normally configured on a per-account basis in Active Directory Users and Computers (see below). Being able to apply this setting via Group Policy means it is one more user attribute that you no longer need to configure on the user's account. This of course makes provisioning user accounts just that little bit simpler, which should save time and reduce the possibility of human error.

image

This setting can be found under Computer Configuration > Policies > Administrative Templates > System > User Profiles, but as it's a computer-based setting you need to be careful how you apply it. Applying this setting to laptops could be undesirable, as they may log on at a remote location with a slow WAN link to the profile server. So if you do apply this to laptops you might want to configure it to point to a DFS namespace path or a DNS alias (if you have subnet masking filtering enabled), which can help point them to a faster, more local path. This of course means it would be really useful to have an OU structure that separates your laptops from your desktop computers.

image

But I would definitely recommend using this setting if you are using Windows Vista or Windows 7 in your SOE.

Hotfix: “Configure new tab page default behavior” does not work

Microsoft have just released a hotfix (KB980959) to fix the problem with the “Configure new tab page default behavior” Group Policy setting not working for Internet Explorer 8. Apparently Inetres.admx had the wrong path configured: it is set to “Software\Policies\Microsoft\Internet Explorer\Main” where it should be set to “Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabbedPageShow”. If you want to see the setting for yourself, just look for the text “NewTabAction” in the Inetres.admx file.

image

For details on getting the hotfix, see the full article “The “Configure new tab page default behavior” Group Policy setting does not work on a computer that is running Windows 7 or Windows Server 2008 R2 and that has Internet Explorer 8 installed” here http://support.microsoft.com/?kbid=980959

Group Policy Setting of the Week 18 – Allow file download (Internet Explorer)

This week's setting is one that you would use in an environment where you want a very high level of security (e.g. kiosk computers). The “Allow file download” option is used to prevent the downloading of files via Internet Explorer. This setting does not prevent the browser from downloading files such as images to display in the browser page, but it does prevent users from downloading files when they click on a file download link. This could also be useful if you want to help limit the attack vector of users being tricked into downloading and running malicious files from the internet, which could help mitigate some zero-day attacks.

Note: This does not prevent users from running Firefox or Chrome to get around this restriction (although they would have difficulty in downloading them); therefore you may also want to consider deploying AppLocker or Software Restriction Policies to prevent those apps from running.

To enable this restriction you first need to “Enable” the policy and then set the Allow file downloads option to “Disable”. This setting can be found under Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone. This setting can also be configured for the other zones under the Security Page section; however, the Internet Zone is what most web sites are classified as and therefore will have the largest effect.

image

When this policy is applied to a user and the user clicks on a hyperlink to a file to download they will then receive this dialogue box.

image

If you have enabled this setting and want to let users download files from particular web sites, you could add the site URL to the Trusted Sites zone list. I have previously blogged how to do this here http://www.grouppolicy.biz/2010/03/how-to-use-group-policy-to-configure-internet-explorer-security-zone-sites/

P.S. Sorry I am a day late with this one… have been a bit busy lately. But don’t worry, I will make sure that I always have time to do a setting of the week post each week.

Best Practice: How to use Group Policy to configure Internet Explorer security zone sites

As you know, Group Policy Preferences are these fantastic new settings that allow IT administrators to perform any configuration they want for a group of users using Group Policy… well, almost. In this tutorial I will show you how to configure one of the few settings that is not controlled by preferences but can be configured using a native Group Policy setting.



The Internet Explorer site zone assignment is one of the few settings you specifically can’t configure using preferences; as you can see (image below), the user interface for this option has been disabled.

image

There is a native Group Policy setting, called “Site to Zone Assignment List”, that allows you to control the Internet Explorer site zone list; I will go through how to use it below.

Step 1. Edit the Group Policy Object that is targeted to the users you wish this setting to be applied to.

Step 2. Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double click on the “Site to Zone Assignment List” and check the “Enable” option then click on the “Show..” button.

image

Step 3. Now type the URL in the “Value name” field with the >* on the far left and then type the zone number (see table below) you want to assign to that site.

image



Internet Explorer Group Policy Zone Number Mapping

Zone Number    Zone Name
1              Intranet Zone
2              Trusted Sites zone
3              Internet zone
4              Restricted Sites zone

As soon as you start typing the URL a new line will appear for the next URL.

image

Step 4. Once you have finished adding the URLs and site zone numbers, click OK.

image

Tip: If you want to delete a row click on the button on the far left to select the row you want to delete (see image below) and then press the “Delete” key.

image

(sites in above list are example only)

The Internet Explorer site zone list will now be populated with the zones you configured above and, as you can see in the images below, the Internet Explorer status bar now shows the correct zone based on the URL in the address bar.

image

image

image

image
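
One way to review a planned Site to Zone Assignment List before typing it in at Step 3, and to read back what a client actually received. This is an added example, not part of the original post; the function name, the review rules, the sample sites and the registry location of the applied policy are assumptions introduced here.

```powershell
# Added example, not from the original post. Zone numbers come from the table
# above; the review rules and sample entries are constructed for illustration.
$ZoneNames = @{ 1 = 'Intranet Zone'; 2 = 'Trusted Sites zone'; 3 = 'Internet zone'; 4 = 'Restricted Sites zone' }

function Test-SiteToZoneEntry {
    param(
        [Parameter(Mandatory)][string]$Site,   # text typed into "Value name"
        [Parameter(Mandatory)][string]$Zone    # zone number typed next to it
    )
    $issues = @()
    $number = 0
    $validZone = [int]::TryParse($Zone.Trim(), [ref]$number) -and $ZoneNames.ContainsKey($number)
    if (-not $validZone) { $issues += "zone '$Zone' is not a number from 1 to 4" }
    if ($Site -ne $Site.Trim()) { $issues += 'site has leading or trailing spaces' }

    # Zones 1 and 2 relax restrictions (for example a download block applied
    # only to the Internet zone), so entries placed there get extra checks.
    if ($validZone -and $number -le 2) {
        $clean = $Site.Trim()
        if ($clean -match '^http://') { $issues += 'plain http:// site in a relaxed zone' }
        $hostPart = ($clean -replace '^[a-z*]+://', '') -replace '[/:].*$', ''
        if ($hostPart -match '^\*(\.[^.]+)?$') { $issues += "wildcard '$hostPart' matches every site or a whole top-level domain" }
    }
    [pscustomobject]@{
        Site   = $Site
        Zone   = if ($validZone) { $ZoneNames[$number] } else { 'invalid' }
        Issues = $issues -join '; '
    }
}

# Constructed sample list, as it would be typed into the "Show.." dialog.
$planned = [ordered]@{
    'https://portal.example.com' = '2'
    '*.example.com'              = '1'
    'http://files.example.net'   = '2'
    '*.com'                      = '2'
    'https://ads.example.org'    = '5'
}
$results = @(foreach ($e in $planned.GetEnumerator()) { Test-SiteToZoneEntry -Site $e.Key -Zone $e.Value })

# Assumption (not stated in the post): the user policy writes the list to this
# key, with the site as the value name and the zone number as its data.
$key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
if (Test-Path $key) {
    $applied = Get-Item $key
    $results += @(foreach ($name in $applied.Property) { Test-SiteToZoneEntry -Site $name -Zone ([string]$applied.GetValue($name)) })
}
$results | Format-Table -AutoSize -Wrap
```

With the sample list, the last three entries are reported with issues; on a machine where the policy has applied, its entries are appended to the same table.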