Archive for May 2010

KB978098 Focus: Large “Folder Redirection” issue

Microsoft recently released KB978098, which explains an issue with folder redirection when using the Advanced folder redirection setting (see image below). The advanced setting of this policy is used when you want to redirect users to different locations based on security group membership. This is very helpful if you have a large number of users in the same site and you don’t want to store all their redirected folders in the same location, similar to how Exchange administrators distribute users amongst multiple mailbox databases.

image

Issue:

This issue is not with the size of the data in the redirected folder (as the name might suggest) but with the number of security groups you have used in the policy. The good news is that the number of groups you need to have configured before this becomes an issue is A LOT, so this is likely only going to affect large organisations.

The number of groups you can configure before this issue occurs depends on the OS on which you edit the policy.

Windows Vista or Later = 670 (approx) Security Groups

Windows Server 2003 = 230 (approx) Security Groups

Problem

The problem occurs when the fdeploy(?).ini file under the Policies\GUID\User\Documents & Settings folder in the SYSVOL exceeds 32,767 characters due to the large number of GUIDs listed in the file (see below).

image
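One way to check for this condition before it bites, as an added example that is not part of the KB or the original post: the function below reports the character count of each Folder Redirection .ini file against the 32,767 limit. The `fdeploy*.ini` wildcard, the function name `Get-FdeployIniSize`, the `WarnPercent` threshold and the demo data are assumptions.

```powershell
# Added example; not taken from KB978098 or the original post.
# Assumptions: the file matches fdeploy*.ini and sits under
# <GPO GUID>\User\Documents & Settings, as the text describes.
$LimitChars = 32767   # threshold quoted in the post

function Get-FdeployIniSize {
    param(
        [Parameter(Mandatory)] [string] $PoliciesPath,  # folder that holds the GPO GUID folders
        [int] $WarnPercent = 80                         # hypothetical early-warning level
    )
    Get-ChildItem -LiteralPath $PoliciesPath -Directory | ForEach-Object {
        $gpo = $_.Name
        $dir = Join-Path $_.FullName 'User\Documents & Settings'
        if (-not (Test-Path -LiteralPath $dir)) { return }   # GPO has no folder redirection
        Get-ChildItem -LiteralPath $dir -Filter 'fdeploy*.ini' -File | ForEach-Object {
            # ReadAllText honours the BOM, so Length counts characters, not bytes
            $chars = [System.IO.File]::ReadAllText($_.FullName).Length
            $pct = [math]::Round(100 * $chars / $LimitChars, 1)
            if ($chars -gt $LimitChars) { $status = 'OVER LIMIT' }
            elseif ($pct -ge $WarnPercent) { $status = 'WARN' }
            else { $status = 'OK' }
            [pscustomobject]@{
                Gpo = $gpo; File = $_.Name; Characters = $chars
                PercentOfLimit = $pct; Status = $status
            }
        }
    }
}

# Constructed demo: a fake Policies tree in TEMP holding one oversized file.
# The filler is NOT real fdeploy content; it only pads the file past the limit.
$root = Join-Path $env:TEMP 'fdeploy-demo\Policies'
$gpoDir = Join-Path $root '{00000000-0000-0000-0000-000000000001}\User\Documents & Settings'
New-Item -ItemType Directory -Path $gpoDir -Force | Out-Null
$filler = ('{00000000-0000-0000-0000-000000000000}' + "`r`n") * 900   # 36,000 characters
[System.IO.File]::WriteAllText((Join-Path $gpoDir 'fdeploy1.ini'), $filler,
                               [System.Text.Encoding]::Unicode)
Get-FdeployIniSize -PoliciesPath $root | Format-Table -AutoSize
```

Against a real domain, pass the SYSVOL Policies folder as `-PoliciesPath`; the scan only reads files.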

Workaround

Option 1: The workaround in the KB is to split the Group Policy Object up so that each policy has fewer groups/redirected folders.

Option 2: If you have only edited the policy in Windows XP / 2003 then you can open the Group Policy Object with Windows Vista (or greater) as it will be “converted to a newer … .ini file format” that “lets you redirect more folders”.

Disclaimer

This information is to be used at your own risk. Make sure you read the KB yourself and test any changes thoroughly before making them in your environment.

Source: Errors when you have a large "Folder Redirection" policy settings file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2

Group Policy Setting of the Week 26 – Do not automatically make redirected folders available offline

This week’s setting is called “Do not automatically make redirected folders available offline” and can be found under User Configuration > Policies > Administrative Templates > System > Folder Redirection. It works with Windows XP or later. As the name suggests, this prevents any user’s redirected folders from being automatically made available for offline use, which is enabled by default.

image

This setting is particularly useful to configure on computers that are used by multiple users, as it eliminates the build-up of multiple offline file caches on the hard drive. This is particularly important on Windows XP, as all offline files try to synchronise even if the user does not have access to the files, which causes file sync errors. The option also improves logon performance, as it does not attempt a full offline sync of the cache when the user logs on for the first time.

Group Policy Setting of the Week 25 – Remove the Action Center icon

The setting of the week is called “Remove the Action Center icon” and, as the name says, it is used to remove the Action Center icon (a.k.a. Flag) from the system tray (see below).

image

You might want to enable this setting if you are in a corporate environment and you centrally manage Backups, Firewall and Updates using other programs. However, disabling this means that your users will not receive any alerts if there is something critically wrong with their computer, so please use this option only after careful consideration.

If you decide that you don’t want to completely disable the Action Center and only want to disable certain alerts, then check out my other post How to use Group Policy to turn off the Backup Notification in the Windows 7 Actions Center

image 

This is a user setting and can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar. It is, of course, only for Windows 7 and Windows Server 2008 R2.

Best Practice: How to use Group Policy to configure home page settings – Part 3

I know a lot of people have asked for this third and final instalment on how to use Group Policy to manage home page settings, and so I have finally been able to find some time to finish this series of posts.

Just to recap, in Part 1 I showed you how to configure home page settings using the native Administrative Templates policy, and in Part 2 I showed you how to do this using Group Policy Preferences.

In this post I will show you how to configure Internet Explorer home page settings using the Internet Explorer Maintenance (IEM) group policy setting option. The IEM policy setting has been in Group Policy since the very beginning and is now a deprecated setting, as you can tell from the various other methods of configuring home pages outlined in Part 1 and Part 2. So if you are configuring this as a new setting, definitely look at using the native Administrative Template or Group Policy Preferences first.

However the one advantage of using IEM is “Preferences Mode”…… Huh… I hear you… Well this is the OTHER Group Policy Preference (see below) and this option only applies to Internet Explorer Maintenance settings. The advantage of the Preferences Mode settings is that once the home page is configured the user will be able to change the home page to their own “Preference”.

(Now this might seem alright, however you need to wait till the end to find out why this is really cool…)

image

To configure the home page, edit a Group Policy Object (GPO) that is targeted at the users you want to configure. Then navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > URLs and double-click on “Important URL”.

image

Now simply tick “Customize Home page URL” and type the URL you want configured as the home page in the “Home page URL:” text box.

image

Now the user’s home page will be set to the URL you configured above.

image

Now this is the SUPER COOL thing about this setting… If you have enabled Preferences Mode and you configured the “Disabled changing Secondary Home Pages setting” that I talked about in Part 1, your users will be able to change the Primary Home Page but you can still force the URL of any of the secondary home page tabs (see image below, where the user has changed the Primary home page to Yahoo but the Google Secondary page remains). AWESOME!

image

Note: If you already have a setting configured in IEM then you will first need to “Reset Browser Settings” before you can enable “Preferences Mode”, which you can do by following these instructions: How to remove imported Internet Explorer Group Policy Settings

For more information on Preference Mode see http://support.microsoft.com/kb/274846

For more information on Internet Explorer Maintenance settings see http://technet.microsoft.com/en-us/library/cc728150(WS.10).aspx

Group Policy Setting of the Week 24 – Remove Properties from the Computer icon context menu

Sorry that this week’s setting of the week was a little late; however, as you can see, I have been a little busy.

This week’s setting is called “Remove Properties from the Computer icon context menu” and can be found under User Configuration > Policies > Administrative Templates > Desktop. This setting might seem a little mundane compared to some other settings; however, it could be very useful if you are in an environment where many of your users have admin access to their computers. Enabling this setting makes it much more difficult for users to remove their computer from the domain, which they might want to do because of those pesky restrictive group policies. ;)

Note: If you do enable this option, be sure not to apply it to specific IT staff so that they can still manage the computer account. You could do this by using the Deny “Apply Group Policy” permission in the Advanced security settings of the policy.

image

Setting Enabled on Windows 7

image

Setting Enabled on Windows XP

image

Note that this does not prevent users from removing the computer from the domain, as all you are doing is disabling the System Properties dialogue box that has the Computer Name tab (see image below) where domain membership is normally configured. While just disabling the UI is not 100% effective, it should at least stop most users from changing this setting.

image

In case you were wondering, a user with admin access to their computer could still install either the Windows XP Support tools or the Remote Server Admin Tools (RSAT) to use the NETDOM JOIN and NETDOM REMOVE commands to change the computer domain membership.