TechEd 2010–Australia / New Zealand

Group Policy Setting of the Week will be taking a break for the next 2 weeks as I will be speaking at TechEd Australia and New Zealand.

If you are lucky enough to be coming to either event then please come to one or both of my Group Policy sessions.

Australia

| Session | When |
| --- | --- |
| CLI303 – Unlock the Awesome Power of Group Policy Preferences in your environment | Wednesday August 25th 11:30am to 12:45pm |
| CLI306 – Desktop Security with Windows 7 Applocker, Bitlocker, Forefront End Point Protection | Wednesday August 25th 3:30pm to 4:45pm |

New Zealand

| Session | When |
| --- | --- |
| CLI303 – Unlock the Awesome Power of Group Policy Preferences in your environment | Monday August 30th 4:15pm to 5:15pm |
| CLI314 – Windows 7 AppLocker/Bitlocker: Configuration and Deployment in the Enterprise | Wednesday September 1st 1:45pm to 2:45pm |

I will also be randomly video interviewing people for their Windows 7 Deployment story… So if you have a story you want to share (or you just want to meet me) feel free to send me a message on Twitter http://www.twitter.com/alanburchill to catch up…

Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)

Virtualization is currently a buzzword and it seems that Microsoft is falling over itself to brand as many products as possible with the “V” word (e.g. Hyper-V, App-V & Med-V). So “User State Virtualization” is the term that Microsoft now uses to describe what used to be called Roaming Profiles and/or Folder Redirection.

The idea is simple… a user can log on to any computer in an organisation and have all their personal files and settings applied to that computer as they were the last time they used a computer. This is really a win/win for users and IT Pros. For a user it is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit: when there is an unexpected failure or loss of a computer, they don’t have to go through what could be a lengthy, costly, if not impossible, process of recovering the user’s data.

Now theoretically User State Virtualization can be done entirely with just a Roaming Profile, however this quickly becomes impractical as users often store a LOT of data, which can make a user’s profile impossibly large. To get around this Microsoft uses Folder Redirection to redirect parts of a user’s profile to a file share on a server, where it is centrally accessed whenever they log on to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only accessed when needed, and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However, this restriction is mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.

Continue reading ‘Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)’ »

Group Policy Setting of the Week 39 – Always use custom logon background

This week’s setting of the week allows you to use a custom logon background image in Windows 7. This setting is called “Always use custom logon background” and can be found under Computer Configuration > Policies > Administrative Templates > System > Logon.

Microsoft brought back the option to easily customise the logon background in Windows 7. This was previously possible in Windows XP, but it was removed with Windows Vista, which left people with some pretty messy workarounds.

Once you have enabled this option all you have to do is create the “%windir%\system32\oobe\info\backgrounds” folder and populate it with a backgroundDefault.jpg image. Your computer will then use that as the background image when logging on and off.

Note: Some sites will direct you to configure the OEMBackground or UseOEMBackground value under HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background, however this setting negates the need to set this key.

For more info on how to configure a custom background check out Windows 7 to officially support logon UI background customization

Group Policy Hotfix Round Up

In the July 29 to August 12 hotfix release for Windows 6/7 there have been a number of Group Policy related hotfixes released. As far as I can tell none of these hotfixes are listed as being in Windows 7 Service Pack 1, which is currently in beta (see The complete list of Group Policy Hotfix’s in Windows 7/2008 R2 Service Pack 1), so if you are experiencing any of the issues addressed by the hotfixes below it will be some time before you will be able to deploy the fixes as part of a service pack.

  • KB2250489 You cannot turn off the screen saver in the Windows Mobility Center when the "Prevent changing wallpaper" Group Policy setting is enabled on a computer that is running Windows Vista SP2
  • KB2261826 You cannot find a network drive in the "Browse For Folder" dialog box in the GPMC MMC snap-in on a computer that is running Windows Server 2008 or Windows Vista
  • KB2096902 Virtual machines in a VDI environment are not rolled back as expected if the disconnected Remote Desktop connections on the virtual machines are stopped by Group Policy
  • KB2254754 You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
  • KB2258620 You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
  • KB2275315 You cannot read the GPO in the SYSVOL directory in Windows 7 or in Windows Server 2008 R2 if you enable the "Deny write" permission of the GPO
  • KB2284538 Apply once and do not reapply Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2

Source: Jul. 29 – Aug. 12 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

AuTechHeads Coalface Tech Podcast

Last week I was a guest on the Australian IT Pro podcast called the “Coalface Tech Podcast” where I spoke on the topic of Group Policy. I was joined by regular team members, including Matt Marlor, Steve Molkentin, Simone Bennett and Nicholas Rayner, and we talked about pretty much all things Group Policy, including preferences and AGPM, and I even went into some of my Group Policy best practices.

You can listen to the podcast right now from AuTechHeads Coalface Tech Podcast or use this link with any good podcast reader: RSS to CoalFace Tech Podcast

Kudos to anyone who can tell me how many times I plug my web site…

How to use Group Policy to control Services

Services are programs that are configured to run in the background of a Windows computer whether or not a user is logged on. They are an essential part of Windows and are essential to the operation of any Windows computer. Without services a computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows services is a vital task for IT administrators.

Quite often disabling services on a computer is the best way to reduce the attack surface of a computer or to improve performance by turning off unused components of the OS. Conversely, it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in Windows by using Group Policy. Each way has its own advantages and disadvantages, but together they let you control pretty much any system service the way you want.

Continue reading ‘How to use Group Policy to control Services’ »

Group Policy Setting of the Week 38 – Remove pinned programs from the Taskbar

The setting of the week this week disables one of the features in Windows 7 that allows users to pin programs to the taskbar. This option will be handy if you are in an environment where you want to prevent users from customising the taskbar, such as a kiosk or library style computer. The setting can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar and only applies to Windows 7.

Note: If you do apply this setting to your existing users, all the existing pinned taskbar programs will be removed on the next logon.

Below are some screenshots of the UI with the setting enabled.

“Pin to Taskbar” is removed

image

“Pin this program to taskbar” is removed

image

All existing pinned programs will be removed.

image