Archive for the ‘Best Practice’ Category.

Best Practice: Using Group Policy to configure Desktop Wallpaper (“Background”)

Group Policy is of course one of the best ways to lock down and configure the Windows systems in your environment, and one of the most commonly configured settings in Group Policy is the Desktop Wallpaper (a.k.a. Background) image. Now most of you might say that all you need to do is set the Group Policy setting, however there are some common traps that you might fall into if you don’t use this setting correctly.

Method #1: Administrative Template “Desktop Wallpaper” Setting

The “Desktop Wallpaper” method is of course the most commonly used way of configuring the wallpaper on a computer, however as with all things Group Policy, using this setting comes with its own pros and cons.

Pros

  • Change is Restricted for the users
  • Works on all versions of Windows

Cons

  • Limited targeting, based only on the standard Group Policy Object scoping options (OU, Security Filter, Site, WMI & Domain)

This setting can be found under User Configuration > Administrative Templates > Desktop > Desktop and is straightforward to configure: all you have to do is specify the explicit local path or UNC path to the image you want displayed as the desktop wallpaper (see below).


Behind the scenes all this setting does is configure the REG_SZ “Wallpaper” and REG_SZ “WallpaperStyle” registry values under the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System key.

TIP #1: If you are running Windows 7/Server 2008 R2 pre-Service Pack 1 you will need to install hotfix http://support.microsoft.com/kb/977944 for this setting to work.

TIP #2: If you are configuring this setting I recommend that you use the “Fill” Wallpaper Style as this will work best with most screen resolutions (especially on Windows 7).

TIP #3: If you configure this setting you will need to wait for the user to log off the computer before the background is updated.

Method #2: Group Policy Preferences Registry Key Wallpaper Configuration

As I mentioned in Method #1, all the Administrative Template “Desktop Wallpaper” setting does is configure the REG_SZ “Wallpaper” value under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. Therefore you can also use the Group Policy Preferences Registry Extension to set the same value, which gives you some added benefits.

Pros

Cons

  • Must run Windows XP (or greater)
  • Must have the Group Policy Client Side Extensions installed.

To configure the Desktop Wallpaper the same way as the “Desktop Wallpaper” administrative template, simply create two registry items under User Configuration > Preferences > Windows Settings > Registry (see below). Depending on which registry key you configure for this setting, you can either have this as a restricted (a.k.a. locked) setting or an unrestricted setting that allows users to make their own changes.

Restricted: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper

Unrestricted: HKCU\Control Panel\Desktop\Wallpaper


Restricted: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle

Unrestricted: HKCU\Control Panel\Desktop\WallpaperStyle


Tip #4: If you don’t configure the “WallpaperStyle” registry value then users will still be able to choose their own Wallpaper Style.

If you chose the restricted registry keys to configure the wallpaper then ensure you also select the “Replace” action and that the “Remove this item when it is no longer applied” common option is selected (see below). If you don’t do this you will find that your users are not able to change their wallpaper even after the policy is removed, as the policy registry value will not be removed.



If you chose to use the unrestricted registry key values then also make sure you select the “Apply once and do not reapply” option. If you don’t do this the user’s wallpaper will be reset every time they log off their computer, as the value will be set back to the original during each policy refresh.


Configuring the Desktop Wallpaper Storage Location

Now that you know the many options for configuring the Desktop Wallpaper via Group Policy, the next thing you should consider is where the wallpaper is stored. As you can see in the screen shots of the administrative template Desktop Wallpaper setting, they use the example of a UNC path. But…


TIP #5: DON’T EVER USE A UNC PATH FOR A DESKTOP WALLPAPER… EVER!!

Simply put, using a UNC path puts a lot of stress on the network, as the file has to be downloaded every time the wallpaper is loaded. It also means that if the network path cannot be contacted when the user logs on, all they will get is a black background. This is particularly obvious when someone logs on with a laptop that is not connected to the LAN.

So the obvious question is: how do you make sure that the file the desktop wallpaper uses is always available and easily accessible? Use a script and copy the file to the local hard drive. Sure… but http://ihatelogonscripts.com, and the issue with using a script is that it will only run when the computer starts up or when the user logs on. Generally this would not be a problem, and if you are smart enough to use a copy program like robocopy or similar it won’t stress your LAN, as it will only copy the file once. But on the day that you change the desktop wallpaper, every computer and/or user will try to download the new wallpaper all at once.
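As an added example (my own code, not from the original post), the following PowerShell function reads both the restricted (policy) and unrestricted (user) registry locations described in Method #2 for the current user and reports which one is actually in effect, whether the WallpaperStyle lock from Tip #4 is present, and whether the effective path is a UNC path as warned against in Tip #5. The function name Get-WallpaperPolicyState and the WallpaperStyle number comments are my assumptions, not something the post states.

```powershell
# Added example, not from the original post: audit how the current user's
# wallpaper is really being set, using the registry locations the post describes.
function Get-WallpaperPolicyState {
    # Restricted location: written by the Admin Template or a "locked" GPP item
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    # Unrestricted location: what the user changes through Personalization
    $userKey   = 'HKCU:\Control Panel\Desktop'

    # Read one value, returning $null when the key or the value is missing
    function Read-Value([string]$Path, [string]$Name) {
        if (-not (Test-Path $Path)) { return $null }
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    $policyWallpaper = Read-Value $policyKey 'Wallpaper'
    $policyStyle     = Read-Value $policyKey 'WallpaperStyle'
    $userWallpaper   = Read-Value $userKey   'Wallpaper'
    $userStyle       = Read-Value $userKey   'WallpaperStyle'

    # A policy value overrides the user value, so report whichever wins
    if ($policyWallpaper) {
        $source    = 'Policy (restricted, user cannot change)'
        $effective = $policyWallpaper
    } else {
        $source    = 'User (unrestricted, user can change)'
        $effective = $userWallpaper
    }

    # Tip #4: without WallpaperStyle in the policy key the user picks the style.
    # Common Windows 7 values (assumption): 0=Center, 2=Stretch, 6=Fit, 10=Fill
    $styleLocked    = [bool]$policyStyle
    $effectiveStyle = if ($policyStyle) { $policyStyle } else { $userStyle }

    # Tip #5: a UNC path is fetched over the network at every logon and gives a
    # black background whenever the share is unreachable (laptop off the LAN)
    $isUnc     = ($null -ne $effective) -and ($effective -like '\\*')
    $reachable = if ($effective) { Test-Path -LiteralPath $effective } else { $false }

    New-Object PSObject -Property @{
        Source              = $source
        EffectiveWallpaper  = $effective
        EffectiveStyle      = $effectiveStyle
        StyleLockedByPolicy = $styleLocked
        IsUncPath           = $isUnc
        FileReachableNow    = $reachable
    }
}

Get-WallpaperPolicyState | Format-List
```

Run it in the user's own session (the HKCU hive belongs to whoever is logged on). An IsUncPath of True with FileReachableNow False is exactly the black-background case the post describes.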

The answer? Use the Group Policy Preferences File Extension and copy the file down to the local computer.

Using the Group Policy Preferences File Extension

Using the File Extension to copy the file to the local hard drive means the file is always available locally. The File Extension also has the advantage of being able to update the file during each Group Policy refresh. This way the computer gets the updated wallpaper without the user having to log off or reboot, and you avoid slamming the network in the morning when all the computers turn on.


TIP #6: Set up the file copy as a computer setting so that it will update the file even when there is no user logged on.

TIP #7: If you follow Tip #6 then you need to make sure that the desktop wallpaper file grants “Domain Computers” Read permission, so the local SYSTEM account has access to copy the file from the network.
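To check that a computer-side File preference set up as in Tips #6 and #7 can actually do its job, here is an added PowerShell example (mine, not the post's) that inspects the NTFS ACL of the source file for an Allow entry granting Read to Domain Computers and compares the SHA-256 of the source and the local copy. The function name Test-WallpaperDistribution, its parameter names and the sample paths are assumptions.

```powershell
# Added example, not from the original post: verify the two preconditions of a
# computer-side GPP File item that copies the wallpaper to the local disk.
function Test-WallpaperDistribution {
    param(
        [Parameter(Mandatory=$true)][string]$SourcePath,   # file on the share
        [Parameter(Mandatory=$true)][string]$LocalPath     # destination of the File item
    )

    # Tip #7: the computer-side preference runs as SYSTEM, which reaches the
    # share as the computer account, so the NTFS ACL must allow Domain Computers
    # to read. Get-Acl returns explicit and inherited entries together.
    $readMask = [System.Security.AccessControl.FileSystemRights]::Read
    $domainComputersCanRead = $false
    foreach ($ace in (Get-Acl -Path $SourcePath).Access) {
        if ($ace.IdentityReference.Value -like '*\Domain Computers' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $readMask) -eq $readMask)) {
            $domainComputersCanRead = $true
        }
    }

    # Compare content rather than timestamps, so a replaced wallpaper with the
    # same name and size is still reported as out of date on this computer.
    function Get-Sha256Hex([string]$Path) {
        $sha    = New-Object System.Security.Cryptography.SHA256Managed
        $stream = [System.IO.File]::OpenRead($Path)
        try     { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
        finally { $stream.Close() }
    }
    $localExists = Test-Path -LiteralPath $LocalPath
    $inSync = $false
    if ($localExists) {
        $inSync = (Get-Sha256Hex $SourcePath) -eq (Get-Sha256Hex $LocalPath)
    }

    New-Object PSObject -Property @{
        SourcePath             = $SourcePath
        DomainComputersCanRead = $domainComputersCanRead
        LocalCopyExists        = $localExists
        LocalCopyUpToDate      = $inSync
    }
}

# Sample paths are placeholders for this example
Test-WallpaperDistribution -SourcePath '\\FILESERVER\Wallpaper$\corp.jpg' `
                           -LocalPath  'C:\Windows\Web\Wallpaper\corp.jpg' | Format-List
```

Get-Acl only sees the NTFS permissions on the file; the share-level permissions are enforced separately by the file server and must also allow Read for the computer accounts. A result of LocalCopyUpToDate False right after you replace the image simply means the next Group Policy refresh has not run yet.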

So by now, hopefully, you know how to set the desktop wallpaper and how to ensure that the images you use for the wallpaper are always available, so that your users are always subjected to your corporate desktop wallpaper.

Best Practice: Group Policy for Microsoft Security Essentials 2.0

Microsoft has now released Microsoft Security Essentials 2.0 to the web, which has a number of new features over the previous version.

  • Windows Firewall integration – During setup, Microsoft Security Essentials will now ask if you would like to turn the Windows Firewall on or off.
  • Enhanced protection for web-based threats – Microsoft Security Essentials now integrates with Internet Explorer to provide protection against web-based threats.
  • New protection engine – The updated anti-malware engine offers enhanced detection and cleanup capabilities with better performance.
  • Network inspection system* – Protection against network-based exploits is now built in to Microsoft Security Essentials.

Therefore I have updated my previous post, Group Policy for Microsoft Security Essentials, to support configuring the newly added features.

If you want more general info about MSE v2 see: Security Garden: Microsoft Security Essentials 2.0 Released

If you want to download it visit  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e1605e70-9649-4a87-8532-33d813687a7f

Before I begin I should remind you that Microsoft only allows MSE to be used for free in small businesses with fewer than 10 seats (see here). But MSE does not natively support Group Policy, and having to configure even 10 copies of Microsoft Security Essentials (MSE) manually can be a pain. So the instructions below are simply a way to configure the registry keys of the application using the Group Policy Preferences Registry setting.

Tip: If the instructions below to create the registry keys seem like too much work, you will be glad to know that I have put a link at the bottom to an XML Group Policy Preferences Registry file. You can use this file to import all the registry settings I talk about below automatically.

How to use Group Policy Preferences Registry key setting.

Before we begin we first need to know how to create a Group Policy Preferences Registry setting, which we will use to control each of the registry keys we need to configure MSE. The following steps will need to be repeated for each registry key below.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Group Policy Management Editor

Step 3. In the Menu click on Action > New > Registry Item

New Registry Properties

Now that you know how to configure a registry key setting using Group Policy Preferences, you can create a new Registry Item for each registry key listed below.


Best Practice: How to show or hide Control Panel items in Windows 7 using Group Policy

One of the common lockdowns that administrators apply to Remote Desktop Services servers (a.k.a. Terminal Services, a.k.a. Citrix) is to remove all but the essential Control Panel items.

Prior to Windows 7 you had to specify the .cpl file name (e.g. timedate.cpl) of the Control Panel item you wanted to show or hide; however this has changed in Windows 7, and you now need to use the Canonical Name when hiding or showing specific items.

Below I will explain the new way of configuring Control Panel items for Windows 7 and show you the effect this has on the Control Panel.
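As an added example (mine, not from the post), the PowerShell below lists the Control Panel items registered on a Windows 7 computer together with their canonical names, and then reads the current user's "show only" and "hide" Control Panel policy lists to flag entries still written in the pre-Windows 7 .cpl file-name form. It assumes, as I know them to be, that Control Panel items are registered under the Explorer ControlPanel\NameSpace key, that each item's CLSID key carries its canonical name in the System.ApplicationName value, and that the two policies are stored as the RestrictCpl and DisallowCpl values and subkeys under the user's Policies\Explorer key; the function names are hypothetical.

```powershell
# Added example, not from the original post: map Control Panel items to the
# canonical names Windows 7 expects in the show/hide Group Policy settings.
function Get-ControlPanelCanonicalNames {
    $nsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace'
    Get-ChildItem -Path $nsKey | ForEach-Object {
        $clsid  = $_.PSChildName                       # e.g. {E2E7934B-...}
        $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $clsKey) {
            $props = Get-ItemProperty -Path $clsKey
            New-Object PSObject -Property @{
                CLSID         = $clsid
                DisplayName   = $props.'(default)'
                CanonicalName = $props.'System.ApplicationName'   # e.g. Microsoft.DateAndTime
            }
        }
    }
}

# RestrictCpl backs "Show only specified Control Panel items",
# DisallowCpl backs "Hide specified Control Panel items"; both keep their
# item list as numbered REG_SZ values under a subkey of the same name.
function Get-ControlPanelRestrictionPolicy {
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $known = @(Get-ControlPanelCanonicalNames |
               ForEach-Object { $_.CanonicalName } | Where-Object { $_ })

    foreach ($mode in 'RestrictCpl', 'DisallowCpl') {
        $enabled = $false
        $entries = @()
        if (Test-Path $policyKey) {
            $flag    = (Get-ItemProperty -Path $policyKey -Name $mode -ErrorAction SilentlyContinue).$mode
            $enabled = ($flag -eq 1)
            $listKey = Join-Path $policyKey $mode
            if (Test-Path $listKey) {
                $entries = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
                    Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
            }
        }
        foreach ($entry in $entries) {
            # The post's point: on Windows 7 the entry has to be a canonical name
            $status = if ($entry -like '*.cpl') { 'pre-Windows 7 .cpl file name' }
                      elseif ($known -contains $entry) { 'canonical name, registered here' }
                      else { 'canonical name not registered on this computer' }
            New-Object PSObject -Property @{
                Mode = $mode; Enabled = $enabled; Entry = $entry; Status = $status
            }
        }
    }
}

Get-ControlPanelCanonicalNames | Sort-Object CanonicalName | Format-Table -AutoSize
Get-ControlPanelRestrictionPolicy | Format-Table -AutoSize
```

The first table is the lookup you need when filling in the policy: copy the CanonicalName column, not the DisplayName. Run the second function as the user the policy applies to, since the lists live in HKCU.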


Best Practice: How to enable a disabled Local Administrator account offline in Windows 7 (even when using BitLocker)

Back in the days of Windows XP, IT administrators could disable the local Administrator account on domain-joined computers but still use the account if they rebooted the computer into Safe Mode (see How to access the computer after you disable the administrator account).

To log on to Windows by using the disabled local Administrator account, start Windows in Safe mode.

However this behaviour has changed since Windows Vista (and 7), and you are no longer able to log on to a computer’s local Administrator account if it is disabled (see Built-in Administrator Account Disabled).

On domain joined computers, the disabled built-in administrator account cannot logon in safe mode

This presents some challenges for IT administrators, as sometimes you still need the ability to log on to a computer using the local Administrator account. The most common scenario is when you need to troubleshoot domain account issues (e.g. re-join the computer to the domain) because the AD computer account has been reset or deleted, or the password has become out of sync and you get a workstation trust relationship error (see below).

The security database on the server does not have a computer account for this workstation trust relationship.

The problem is that the local Administrator account is now disabled, and due to the new behaviour of the account you can no longer log on with it using Safe Mode.

The built-in administrator account is disabled by default in Windows Vista on new installations.

This of course makes it almost impossible to move the computer into a workgroup so that it can then be re-added to the domain to fix the problem. It’s even more difficult if you have BitLocker encryption enabled on your local hard drive.

It is possible that you could log on with a user that has local administrator access using cached credentials; however this is limited to the last 10 people that logged on (increasable to 50 if you change the CachedLogonsCount registry key below).

CachedLogonsCount Registry Key

But even so, this would also mean you have to know the username and password of the account as they were when the user last logged on to the computer. This may be a bit hard to do, as they may have changed their password a number of times since they last logged on to that computer.

Unfortunately, it is also now much less likely that the normal local user of the computer has been given local admin rights, due to all the improvements in Windows 7 (e.g. UAC) that allow users to work with standard user permissions.

Now you might think the really obvious solution is to just enable the local Administrator account and set a password in advance using Group Policy Preferences (see below) so that you can use it when you need to; however doing this has a few security issues.

Group Policy Preferences - New Local User Properties

Enabling the local Administrator account means it can be used by anyone who knows the credentials, and they could then use the account to remotely access any workstation on the network (not good). It also means a normal user that knows the local admin credentials (we would like to think they don’t, but somehow they find out) could use them whenever they are presented with a UAC prompt asking for credentials. So it’s pretty much a back door that anyone can use to get around the fact that you spent all this time setting up their computers so they don’t require local administrator access…

So to get around these issues you could just set the password on a regular basis using Group Policy Preferences (see above image), however this also has a few problems. While setting the local Administrator password is easy to do, it is stored in SYSVOL as an encrypted string that is fairly easy to crack (see Passwords in Group Policy Preferences).

A password in a preference item is stored in SYSVOL ….. it is not stored as clear text in the XML source code of the preference item. However, the password is not secured.

To help mitigate this I have also written an article that explains a way to more securely apply the new password to all the computers (see How to use Group Policy Preferences to change account Passwords), but even if you did this on a regular basis you would still need to tell all the IT support staff the new password every time you change it, and thus people quickly learn the local admin account credentials all over again…

Note: All that being said, it is still a really good idea to set a password for the local Administrator account, as the default password is blank.
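The three facts this post says decide whether you can still get into a domain-joined Windows 7 computer are how many cached domain logons it keeps, whether the built-in Administrator is disabled, and whether the system drive is BitLocker protected. As an added example (my code, not the post's), the read-only PowerShell check below reports all three for the local computer. It assumes the standard CachedLogonsCount value under the Winlogon key, the Win32_UserAccount class for the RID 500 account, and the Win32_EncryptableVolume WMI class for BitLocker status; the function name and the assessment wording are mine.

```powershell
# Added example, not from the original post: a read-only readiness check for
# the recovery scenario the post describes. Run from an elevated session.
function Get-LocalAdminRecoveryReadiness {
    # How many domain users can still log on while no DC is reachable
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = '10' }   # Windows default when the value is absent

    # The built-in Administrator is always RID 500, even if it has been renamed
    $admin = Get-WmiObject -Class Win32_UserAccount `
                           -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
    $adminDisabled = if ($admin) { [bool]$admin.Disabled } else { $null }

    # BitLocker protection state of the system drive (0 = off, 1 = on)
    $bitlocker = 'Unknown'
    try {
        $vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume `
                             -Filter "DriveLetter='$env:SystemDrive'"
        if ($vol) {
            $bitlocker = switch ($vol.GetProtectionStatus().ProtectionStatus) {
                0 { 'Off' } 1 { 'On' } default { 'Unknown' }
            }
        }
    } catch { }

    # Summarise what the post's offline procedure would require on this machine
    $assessment = if ($adminDisabled -and $bitlocker -eq 'On') {
        'Offline enable of RID 500 needs the BitLocker recovery key plus the Administrator password'
    } elseif ($adminDisabled) {
        'System drive not protected: the SAM can be edited offline by anyone with physical access'
    } else {
        'Built-in Administrator is enabled: its password is a network-wide back door if it leaks'
    }

    New-Object PSObject -Property @{
        CachedLogonsCount     = [int]$cached
        AdministratorName     = if ($admin) { $admin.Name } else { $null }
        AdministratorDisabled = $adminDisabled
        SystemDriveBitLocker  = $bitlocker
        Assessment            = $assessment
    }
}

Get-LocalAdminRecoveryReadiness | Format-List
```

Collect this across a fleet before you need it: the post's Summary makes the point that the offline procedure is only as hard as the BitLocker recovery key and the local Administrator password make it, and this output tells you which computers are relying on which.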

The other solution you might think of is to boot the computer using a third-party tool that can reset and enable the local admin account (see http://www.bing.com/search?q=sethc.exe+%22windows+7%22+administrator+password&form=QBRE&qs=n&sk= ), however these tools don’t work if your local drive is encrypted with BitLocker, nor are they supported by Microsoft (see Microsoft policy about lost or forgotten passwords).

If you want help to break or to reset a password, you can locate and contact a third-party company for this help. You use such third-party products and services at your own risk.

So let’s assume you have a computer that is no longer properly connected to the domain and has a disabled local Administrator account. The computer’s local system drive is BitLocker encrypted and you don’t know the credentials of any other accounts that have previously logged on with local administrator permissions… What do you do?

Below I will show you how to enable the local Administrator account so that you can at least still log on as the local Administrator even if the account has been disabled…

How to enable a disabled local administrator account on a Windows 7 computer with BitLocker enabled

Before you begin you are going to need to know, at a minimum, the following information:

Step 1. Boot the computer using the Windows 7 Installation media

Step 2. When prompted to “Install now” click the “Repair your computer” option at the bottom left.

Windows 7 Install Windows Menu

Step 3 (optional). If your local computer hard drive is BitLocker encrypted you will now be prompted to type in the recovery key (see below); just follow the next couple of steps as appropriate for your situation.

Note: You may need to use the Recovery Key Identifier (e.g. A5103515) to find the correct recovery key in Active Directory.

Note 2: This step is only required if your local hard drive is encrypted using BitLocker drive encryption.

BitLocker Drive Encryption Recovery

Step 4. After you have entered the correct recovery key and unlocked the drive, select the installation of Windows 7 that you wish to gain access to (you will probably only have one option to select).

WinRE Select System Recovery Option

Note: Remember the drive letter in the Location column as you will need it later (it is almost certainly going to be “(D:) Local Disk”).

Step 5. From the System Recovery Options click on “Command Prompt”

WinRE System Recovery Options

Step 6. Now run “regedit” from the command prompt.

Regedit in WinRE

Step 7. Click on HKEY_USERS and then click File > Load Hive

Load Hive...

Step 8. Navigate to the D:\Windows\System32\Config folder, select the SAM file and click Open

Note: The drive letter you use in the path above is the same as the drive letter in the Location column in Step 4.

Loading SAM registry

Step 9. Now type “SAM_TEMP” (or any value) in the Key Name text field and click OK

Load Hive Name

Step 10. Expand SAM_TEMP\SAM\Domains\Account\Users\000001F4 and double click on the “F” key.

Local Administrator Account SAM registry

Step 11. Change the value “11” in the first column of row 0038 to “10” and click OK

Before (Account Disabled) and After (Account Enabled)


Step 12. Click back on “SAM_TEMP”, then choose File > Unload Hive and click Yes to confirm.

Unload Hive...

Step 13. Exit Regedit, close the Command Prompt and click Restart from the System Recovery Options menu

Done…
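Step 11 above edits one byte by hand. As an added example (my own, not from the post), the PowerShell below decodes that byte from the binary "F" value of a SAM user key so you can verify what a hive actually says, for instance when checking an offline SAM copied from a backup during an investigation. It relies on the SAM layout I know: a 16-bit account-control word at offset 0x38 in which 0x0001 means "account disabled" and 0x0010 means "normal user account", which is why the byte reads 11 for a disabled Administrator and 10 for an enabled one. The function name and the sample byte array are constructed for this example; the code only reads, it never writes.

```powershell
# Added example, not from the original post: decode the account-control flags
# in a SAM user "F" value (the field Step 11 edits). Read-only.
function Get-SamAccountControl {
    param([Parameter(Mandatory=$true)][byte[]]$FValue)

    if ($FValue.Length -lt 0x3A) {
        throw "F value is $($FValue.Length) bytes; the flags word at offset 0x38 is not present"
    }
    # Little-endian WORD at offset 0x38 (row 0038, first column in regedit)
    $flags = [BitConverter]::ToUInt16($FValue, 0x38)

    New-Object PSObject -Property @{
        RawFlags             = ('0x{0:X4}' -f $flags)
        Disabled             = [bool]($flags -band 0x0001)   # the bit Step 11 clears
        PasswordNotRequired  = [bool]($flags -band 0x0004)
        NormalAccount        = [bool]($flags -band 0x0010)
        PasswordNeverExpires = [bool]($flags -band 0x0200)
        LockedOut            = [bool]($flags -band 0x0400)
    }
}

# Constructed sample: an F value with only the flags word populated, showing a
# disabled normal account (0x0011) as it appears in the "Before" screenshot.
$sampleDisabled = New-Object byte[] 0x50
$sampleDisabled[0x38] = 0x11
Get-SamAccountControl -FValue $sampleDisabled | Format-List

# Against a hive loaded under HKEY_USERS as in Steps 7 to 9, but from a normal
# elevated Windows session (WinRE on Windows 7 does not ship PowerShell), the
# same decode for the built-in Administrator (RID 0x1F4) is:
#   $f = (Get-ItemProperty 'Registry::HKEY_USERS\SAM_TEMP\SAM\Domains\Account\Users\000001F4').F
#   Get-SamAccountControl -FValue $f
```

Expect Disabled True and NormalAccount True for the sample, which is the 0x0011 state; after the procedure the live value should decode with Disabled False, the same thing the "After" screenshot shows.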

Summary

You will now be able to log on as the local Administrator account by using the account name “.\administrator” and the password of the account (which you should already know). This will enable you to move the computer into a workgroup and then re-join the computer account to the domain, without having to resort to enabling a back door administrator account on all the computers in your environment…

Now you might be wondering what the point of the security in Windows 7 (i.e. BitLocker and the disabled local admin) is if it is so easy to circumvent; however you need to remember that for this process to work you still need to know the local Administrator password and, more importantly, the unique BitLocker recovery key… Obviously this makes it very important to have BitLocker drive encryption deployed, otherwise it is very easy to break into pretty much any computer if you have physical access.

the best network software security measures can be rendered useless if you fail to physically protect your systems

I know this is not strictly a Group Policy topic, however it is a very closely related topic and one I feel is still well worth knowing for any IT administrator so you can configure a more secure environment…

Other References

How to configure Group Policy to use Data Recovery Agents with “Bitlocker to Go” drives – Part 2
How to use Group Policy to save “BitLocker to Go” recovery keys in Active Directory – Part 1

Windows Seven Forums: How to Enable the Built-in Administrator Account from WinRE

Best Practice: How to use Group Policy Preferences to enable auto-logon

The article below shows you how to use Group Policy Preferences to set up the registry keys on a computer so that it automatically logs on when it is turned on. While doing this is potentially a huge security issue and not something I would generally recommend, IT staff might want to implement it on computers that are highly locked down and used for only a specific purpose.

How to set a registry key using Group Policy Preferences

Before we begin I will show you how to create the required registry keys using Group Policy Preferences. After this I will list the registry keys you need to use with the instructions below to configure automatic logon.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

WARNING: Make sure you have not applied this policy to any computers before you begin, as it will obviously log on automatically any computer that this policy is applied to.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry


Step 3. In the Menu click on Action > New > Registry Item


Now that you know how to configure a registry key setting using Group Policy Preferences, you can create a new Registry Item for each registry key listed below.
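Because the post itself calls auto-logon a potentially huge security issue, the natural companion is a check that finds where it has been turned on. As an added example (mine, not the post's; the post's own list of registry keys is not reproduced here), the PowerShell below reads the standard Winlogon auto-logon values that I know Windows uses (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword and AutoLogonCount) and reports whether the logon password sits in the registry in clear text, where any local user can read it. The function name and the finding wording are assumptions.

```powershell
# Added example, not from the original post: audit the local Winlogon auto-logon
# configuration and report the exposure it creates.
function Get-AutoLogonExposure {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $winlogon

    $enabled = ($p.AutoAdminLogon -eq '1')          # REG_SZ "1" switches auto-logon on
    $user    = $p.DefaultUserName
    $domain  = $p.DefaultDomainName
    $account = if ($domain) { "$domain\$user" } else { $user }

    # DefaultPassword is a plain REG_SZ; the Winlogon key grants Users read
    # access, so a value here is readable by anyone who can log on locally.
    $clearText = -not [string]::IsNullOrEmpty($p.DefaultPassword)

    # AutoLogonCount, when present, limits how many times the auto-logon fires
    $count = $p.AutoLogonCount

    $finding = if (-not $enabled) {
        'Auto-logon is off'
    } elseif ($clearText) {
        "Auto-logon is on for $account with a clear-text password readable by any local user"
    } else {
        "Auto-logon is on for $account; no DefaultPassword value (password may be held as an LSA secret)"
    }

    New-Object PSObject -Property @{
        AutoLogonEnabled            = $enabled
        Account                     = $account
        ClearTextPasswordInRegistry = $clearText
        AutoLogonCount              = $count
        Finding                     = $finding
    }
}

Get-AutoLogonExposure | Format-List
```

Run it on the kiosk-style computers the post has in mind and on a sample of ordinary workstations; a ClearTextPasswordInRegistry of True on a computer that is not physically locked down is the case the WARNING above is about.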
