“What group policy settings should I configure?”

220px-RubberbandballHaving been a Group Policy MVP for a while and a contributor to the Microsoft Group Policy forums for even longer I still see a lot of people asking “I am new to Group Policy. What settings should I configure?”. My answer to these people is now pretty much unconditionally “nothing”. That’s right… Nothing…. Of course that is not the answer you are probably expecting a Group Policy MVP to give so let me explain…

I certainly remember a time (long ago) where I sat down with a specific customer and went through all the Group Policy settings to setup a configuration for them to apply at their work. Now this was a small manufacturing shop with only hand full of staff and the guy who owned wanted to “lock down” his computer to make sure his staff could not “muck up” his computers. Mind you this was back in the day of Windows 2000 Group Policy was the fantastic new technology and the idea of being able to configure the look and feel of Windows was rather novel to say the least. However I have since seen many organisation that have upgrade from Windows XP that had many policy setting that were configured just “because” that it sounded like a good idea at the time. Another example, was a place I worked for had the option to prevent application taskbar grouping (see below) to be disabled in Windows XP. It was decided from the “powers that be” that this option should be turned off as it was better to not confuse the user with this new Windows XP UI feature.


But more on this one later…

These are just some of the examples that I have personally experienced as to how Group Policy settings used to be configured for pretty much no other reason that just arbitrarily “because it is there”.

Jump forward to today where this thinking of configuring policy settings for the sake of it is now very much out of vogue and for good reason. The Microsoft blog post Sticking with Well-Known and Proven Solutions has a really good example of why just configuring settings because it sounds good is a bad idea. As the example in it shows not only can just configuring test setting lead to a complicated environment it can downright cause massive headaches when troubleshooting issues with your computers. This post also reflects some of the sentiment that I have spoken about at my TechEd session where I say if you are moving from XP to Windows 7 (or 8) now is an ideal opportunity to reset everything that is done in your environment and start again fresh…

My analogy to this is if you are upgrading your computer now is the time to take the knife to the Rubber Band Ball and cut away all the layers of settings and customisations that have been building up in your environment. Design a clean fresh environment for your users that completely mirrors the experience that they have out of the box with almost any Windows PC they buy at a retail shop (minus the crap ware). Not only does this create an environment that is simpler and easier to manage for the IT staff it gives your users the feeling of freedom. Allowing the users to customise their desktops such as wallpaper, task bar colour as they see fit is actually makes them feel less physiologically in control of their PC, where in reality all they have is freedom in their own profile. What this means is that users can now be give full access to customise their own computer but still not enough access to for them to affect the overall configuration of the computer it self. Of course users can still stuff up their own profiles however when this happens most time all the IT admin needs to do is a simple profile reset. While this is not the most convenient thing to have happen to the users it is certainly a lot rarer in Windows 7 environment and when combined with folder redirection can be a very quick and painless process for the user..

Keeping the user interface free of group policy restrictions and default profile customisations also means that it is more likely that your users will pickup the new OS more quickly as it looks and feels the same as their computer they have probably got running at home. This is certainly true of Windows 7 deployment today as a lot of people also have Windows 7 at home now it has been over 3 years since its release. This will also become more true of Windows 8 deployment into the future as people get used to the new Windows 8 not from their work computer but by them upgrading their home computers over the next few years.

That all being said there is always an exception to the rule and in this case I would say that security baseline templates in the Security Compliance Manager tool from Microsoft should still be applied to your environment. This free tool actually contains a number of security baseline templates that are recommended to be applied to your environment. But Microsoft has already done  a lot of the time consuming effort in finding a reasonable set of security configurations to apply to most environments with minimal impact. That being said you should always test carefully when applying these template to your environment. However the added advantage of this tools is that for every setting they have listed it also comes with the vulnerability, potential impact and countermeasure (see example below) , giving you at least additional information for when it comes to troubleshooting said baseline templates in your environment.


It is also interesting to note that “Windows 8 User Security Compliance” template only has a total of 6 configured user setting (4 of which are screen saver specific) as opposed to the 310 computer setting (most of which are configured) in the “Windows 8 Computer Security Compliance” template. This just shows that when it comes to implementing a security lock down for your users there is not much that needs to be done outside of not giving them administrator access of their own computer…

Oh… and getting back to that taskbar application group feature…. after a while I remember people asking me casually why their computer at work did not have the application grouping feature of their home computers. After even more time there was a change of the “powers that be” and it was decided that the task bar grouping option would be turn back on. Some people still it was a BIG MISTAKE the found it quite offensive that people wanted to undo decisions that they had made many years ago. But, the change went ahead and the policy to restrict the application grouping the task bar was removed and none of the users were any the wiser that their UI was change back to a more standard configuration even thought they all now had the feature enabled.

So… In summary if you are new to Group Policy or you are looking at getting off Windows XP to Windows 7 then take the resist the urge to just configure policy setting “because”. You user will find it easier to pick up the new OS as it will have a more familiar look and feed and you will also find that your next upgrade of your computers (to what ever the latest version of Windows is at the time) will be a whole lot easier as you won’t have to cut apart that Rubber Band Ball configuration of your environment again.

Author: Alan Burchill

Microsoft MVP (Group Policy)

14 thoughts on ““What group policy settings should I configure?”

Leave a Reply