Posts tagged ‘Advanced’

How to use Group Policy to turn off the Backup Notification in the Windows 7 Actions Center

UPDATE: Since I published this article Microsoft has published a new MSDN article showing a simple registry key that turns off this backup notification. Therefore please go to the article “How to use Group Policy to turn off Backup Notification in the Windows 7 Action Center – The Easier Way” for the best way to turn off this notification.

One of the new features in Windows 7 is the Action Center, which is now your one stop shop for all system notifications to the user. One of the alerts you get by default, out of the box, with Windows 7 is the “Set Up Backup” maintenance notice.

For home PCs it is really important that this message is displayed, as the data on the hard drive is usually the only copy. However, in a networked environment users should be configured with roaming profiles, folder redirection and a home drive to ensure all their personal data is stored safely on a file server. You therefore don't really need to remind them to back up their PCs, so you probably don't want them getting messages asking them to configure backups.

The Action Center icon can be removed entirely from the notification area using the native “Remove the Action Center icon” Group Policy setting.

However, this is a bit extreme, as you may still want the Action Center for other notifications such as Windows Update or out-of-date anti-virus definitions. The problem is that there is no native Group Policy setting to enable or disable individual notifications such as the backup notification.

That's OK… thanks to the power of Group Policy Preferences, and some help from the people on the Microsoft support forums, I have figured out a way to control this via Group Policy.

Normally I step you through the process of creating the Group Policy Preference item manually and then sometimes provide the XML file preconfigured with the settings. In this case, however, the value is a long binary string that would be very hard to type out manually, so I am just providing the preconfigured XML file. As it is an XML file, feel free to open it in Notepad and inspect it before you apply it to your own systems.

Step 1. Edit a Group Policy Object (GPO) that is targeted at the users for whom you want to disable the backup notification.

Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry

Step 3. Download the file below and then drag (or copy/paste) it into the pane on the right.

You are now pretty much done; the two preference items should appear in the Registry pane.

The user should no longer get any backup notifications in the Action Center or from the notification icon.

Note: The user will need to log off and on again for it to take effect.

(Sorry… no fix for the virus protection notification, as you really do need to install some sort of AV software.)

More Information

The first item in the list disables the Backup Notification in the Action Center and the second one enables it. Notice, however, that the second one is greyed out, as it is disabled by default. Both items are also configured to “Apply once and do not reapply”, as this may be something you want to enable or disable manually on some computers. I have also put a description on each item to keep track of what it does.

If you want to re-enable the Backup Notification for all your users, highlight the enabled item (the one that disables the notification) and click “Disabled” in the toolbar.

Then highlight the original disabled item (the one that enables the notification) and click “Enabled” in the toolbar.

The two items will then have swapped states, with only the enable-notification item active.

Registry Key Details

In case you were wondering, here are the partial details of the registry value that controls the backup notification. The data is WAY too long to fit on this page, so it has been truncated (a lot).

Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
Value: CheckSetting
Type: REG_BINARY
Data (Disabled): 01000000D08C9DDF0115D1118C7A00C04….  (way too long to fit in here)
Data (Enabled): 23004100430042006C006F0062000000000…. (way too long to fit in here)

The leading bytes of the disabled value (01000000 followed by D08C9DDF0115D1118C7A00C0…) are the version field and provider GUID that begin every DPAPI-protected blob, which is why this is not something you can hand-type into a preference item. The enabled value is UTF-16LE text; its first characters read “#ACBlob”.
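
As an added example (not part of the original post or its XML file), here is a PowerShell function that reads this value back for the current user, so you can confirm the preference item has applied after the user logs off and on. The DPAPI header constant and the “#ACBlob” prefix are facts about the two data formats, not values taken from the post's XML file; the check GUID is the one shown above.

```powershell
# Added example, not from the original post: read back the Action Center check value that
# the preference item in this post writes, so you can confirm it has applied after the user
# logs off and on. Run it in that user's session, because the value lives under HKCU.

# Every DPAPI-protected blob starts with a version field (1) followed by the DPAPI provider GUID.
$DpapiHeaderHex  = '01000000D08C9DDF0115D1118C7A00C04FC297EB'
# "#ACBlob" in UTF-16LE, the start of the "enabled" value shown in the post.
$AcBlobPrefixHex = '23004100430042006C006F006200'

function Get-ActionCenterCheckSetting {
    param(
        # The backup check from the post; other Action Center checks sit under the same key with their own GUIDs.
        [string]$CheckId = '{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100'
    )
    $keyPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\$CheckId"
    $result  = [ordered]@{ CheckId = $CheckId; State = 'NotConfigured (Windows default)'; Kind = $null; Bytes = 0; HexPrefix = $null }

    if (Test-Path $keyPath) {
        $key = Get-Item -Path $keyPath
        if ($key.GetValueNames() -contains 'CheckSetting') {
            $raw = $key.GetValue('CheckSetting')
            $hex = if ($raw -is [byte[]]) { -join ($raw | ForEach-Object { $_.ToString('X2') }) } else { [string]$raw }
            $result.Kind      = $key.GetValueKind('CheckSetting')
            $result.Bytes     = if ($raw -is [byte[]]) { $raw.Length } else { 0 }
            $result.HexPrefix = $hex.Substring(0, [Math]::Min(40, $hex.Length))
            # Classify the value the way the post's two preference items write it.
            $result.State = if     ($hex.StartsWith($DpapiHeaderHex))  { 'Disabled (DPAPI-protected blob)' }
                            elseif ($hex.StartsWith($AcBlobPrefixHex)) { 'Enabled (#ACBlob text)' }
                            else                                       { 'Unrecognised' }
        }
    }
    [pscustomobject]$result
}

Get-ActionCenterCheckSetting
```

If the function reports NotConfigured after the user has logged back on, the Group Policy Preference item has not applied to that user (check the GPO scope and `gpresult /h`); an Unrecognised state usually means the value was edited by something other than the two items described above.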

How to use Group Policy to disable the EU Browser Choice

In case you had not already heard, Microsoft has had to release an update for all European users that displays a ballot screen asking which browser they want to use. This is one of the actions Microsoft had to take to comply with the EU anti-trust case.

Microsoft has released article KB2019411 explaining how IT administrators can disable the Browser Choice screen for their users using a simple registry key.

Key: HKLM\Software\BrowserChoice
Value: Enable
Type: REG_DWORD
Data: 1 = Enabled
Data: 0 = Disabled

You can of course deploy this registry key using Group Policy Preferences, which makes it much easier for IT administrators to disable this screen.

Step 1. Edit a Group Policy Object that is applied to all the workstations on which you want the Browser Ballot disabled.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and create a “New Registry Item”

Step 3. Select HKEY_LOCAL_MACHINE as the Hive, type “Software\BrowserChoice” in the Key Path, type “Enable” in the Value name, select REG_DWORD as the Value type, type “0” in the Value data and then click “OK”.

If all that is too much hassle, below is a link to the Group Policy Preference XML file that you can just copy into the policy.
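
As an added example (not from the original post or KB2019411), the same value set and checked from PowerShell, which is useful for machines the GPO does not reach or to confirm the preference item has applied. The computer names in the report call are placeholders.

```powershell
# Added example, not from the original post or KB2019411: set and verify the Browser Choice
# value from PowerShell. Writing HKLM needs an elevated prompt.

function Get-BrowserChoiceState {
    # 'Disabled' means the ballot screen is suppressed. A missing key or value means Windows is
    # at its default and the screen will still appear, so that case is reported separately rather
    # than being mistaken for a deliberate "Enabled" setting.
    $item = Get-ItemProperty -Path 'HKLM:\Software\BrowserChoice' -Name Enable -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.Enable -eq 0) { 'Disabled' } else { 'Enabled' }
}

function Disable-BrowserChoice {
    $keyPath = 'HKLM:\Software\BrowserChoice'
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # REG_DWORD 0 = disabled, the same value the GPP Registry item in the post sets
    Set-ItemProperty -Path $keyPath -Name Enable -Value 0 -Type DWord
    Get-BrowserChoiceState
}

function Get-BrowserChoiceReport {
    # Check a set of workstations remotely (requires PowerShell remoting to be enabled).
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-BrowserChoiceState} |
        ForEach-Object { [pscustomobject]@{ Computer = $_.PSComputerName; BrowserChoice = [string]$_ } }
}

Disable-BrowserChoice
Get-BrowserChoiceReport -ComputerName 'PC01', 'PC02'   # placeholder names
```

Run the report after the next Group Policy refresh; any computer still showing NotConfigured is outside the GPO's scope or has not applied the preference yet.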

Links:

How to install and use Advanced Group Policy Management (a.k.a AGPM) v4

Advanced Group Policy Management (AGPM) allows an organisation to implement change control and versioning for its Active Directory Group Policies. Without it, multiple people can edit a Group Policy Object (GPO) with their changes going live the instant the change is made; with AGPM, any change to a GPO needs to be checked in, deployed and then approved before it ever makes it to production. This product effectively sits between Active Directory (AD) and the Group Policy administrators, so that they never need to modify a GPO directly. To prevent AGPM being circumvented, a proper implementation should also remove edit/modify permissions on all GPOs from everyone except the AGPM service account and the built-in domain Administrator account.
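
As an added example (not from the original post or the AGPM step-by-step guide), here is a PowerShell check for that last point: it lists every GPO on which someone other than the AGPM service account, and the accounts you deliberately keep, still holds edit rights and so could change policy outside the AGPM check-in/approve flow. The account names in $AllowedEditors are placeholders.

```powershell
# Added example, not from the original post or the AGPM guide: find GPOs where principals
# outside the allowed list still hold edit rights and could bypass AGPM change control.
# Needs the GroupPolicy module (GPMC / RSAT). The names in $AllowedEditors are placeholders;
# substitute your AGPM service account and break-glass admin. SYSTEM keeps its rights because
# Group Policy itself depends on them.
Import-Module GroupPolicy -ErrorAction Stop

function Get-GpoEditBypass {
    param(
        [string[]]$AllowedEditors = @('CONTOSO\svc-agpm', 'CONTOSO\Administrator', 'NT AUTHORITY\SYSTEM'),
        [string]$Domain = $env:USERDNSDOMAIN
    )
    # Either of these lets the trustee change settings directly in the live GPO.
    $editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All -Domain $Domain) {
            if ($editRights -notcontains $ace.Permission.ToString()) { continue }
            $trustee = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
            if ($AllowedEditors -contains $trustee) { continue }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $trustee
                Permission = $ace.Permission
                Inherited  = $ace.Inherited
            }
        }
    }
}

# Report first; only after reviewing the list reduce a trustee to read-only, for example:
#   Set-GPPermission -Name '<GPO name>' -TargetName '<trustee>' -TargetType Group -PermissionLevel GpoRead -Replace
Get-GpoEditBypass | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Expect Domain Admins and Enterprise Admins to show up on every GPO on a default installation; that is exactly the list of principals whose direct edit rights a full AGPM deployment removes, so run this periodically rather than once.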

This guide is loosely based on the steps in the AGPM_40_Step-by-Step_Guide.pdf that comes with the AGPM v4 installation files; however, this version is better (of course) because I have added images for most of the steps along the way.

Scenario. In this example an administrator installs the AGPM Server and Client. The user Alan is then delegated Full Control and the user John is given only Reviewer/Editor access. John creates a new controlled GPO, makes a change to it and requests that it be deployed for use in production. Alan then reviews the GPO and approves the change. Finally, Alan takes control of (“manages”) an existing unmanaged GPO.

Stage 1. Installing the AGPM Client

It is best to install the Microsoft Advanced Group Policy Management Client on any computer in your organisation that has the Group Policy Management Console (GPMC) installed.

Step 1. Start the Advanced Group Policy Management – Client install.

Step 2. At the Welcome dialog box, click Next.

Step 3. Tick I accept the license terms and click Next.

Step 4. Confirm the install path and click Next.

Step 5. Type the IP address or DNS name of the AGPM server (and the port it will listen on) and click Next.

Step 6. Leave all the languages selected and click Next.

Step 7. Click Install.

Step 7a. Optional – Click on the Details button to see the components that will be installed.

Step 8. Wait for the installation to complete, then click Finish to exit the Setup Wizard.

Stage 2. Installing the AGPM Server

Step 1. Start the Advanced Group Policy Management – Server install.

Step 2. Click Next.

Step 3. Tick I accept the license terms and then click Next.

Step 4. Confirm the Application Path and click Next.

Step 5. Confirm the Archive Path and click Next.

Step 6. Enter the AGPM Service Account details. This account needs full access to all the GPOs you want to manage using AGPM. Click Next.

Step 7. Enter the Archive Owner account (e.g. Contoso\Alan). This account is the first Full Control administrator in AGPM and is used to delegate permissions to other users. Click Next.

Step 8. Confirm the Port (this needs to be the same as the port entered in Step 5 of the client install) and click Next.

Step 9. Leave all the languages selected and click Next.

Step 10. Click Install.

Step 10a. Optional – Click on the Details button to see the components that will be installed.

Step 11. Wait for the installation to complete, then click Finish.

Stage 3. Configure the AGPM client via Group Policy to connect to the AGPM server automatically. In this example I modify the Default Domain Policy so that it applies to all servers and workstations.

Step 1. Edit the Default Domain Policy using the Group Policy Management Editor (GPME) and navigate to User Configuration > Policies > Administrative Templates > Windows Components > AGPM, then edit “AGPM: Specify default AGPM Server (all domains)”.

Step 2. Tick Enabled and then type the name or IP address of the AGPM Server followed by :port number in the text field, then click OK.

(Hopefully this is the last unmanaged GPO change you ever make.)

Stage 4. Delegate permission to John so that he can review and edit GPOs.

Step 1. Open GPMC on a computer on which you have installed the AGPM client.

Step 2. Navigate to and click on the Change Control node, then the Domain Delegation tab, then click Add.

Step 3. Select the user John, select Editor from the Role field, then click OK.

John now has Reviewer/Editor access to AGPM (that was easy!).

Stage 5. Creating a New Controlled GPO

Now you are going to log on as John and create a fresh new controlled GPO, then have it approved by Alan.

Step 1. Log on as John to a computer that has GPMC and the AGPM client.

Step 2. Open GPMC, right click on Change Control and then click on New Controlled GPO…

Step 3. Fill in the submission fields so that an email is sent to the AGPM administrator to review the New Controlled GPO request, then click Submit.

Step 4. Click Close.

Note: In this example I don't have a mail server configured, so sending the email failed.

Step 5. Click on the Pending tab. You can now see the pending request waiting for approval.

Now we will approve the New Controlled GPO request.

Step 6. Log on as Alan to a computer that has GPMC and the AGPM client.

Step 7. Open GPMC, click on Change Control, click on the Pending tab, then right click on the pending request and click Approve…

Step 8. Add a comment before you confirm the approval, then click Yes.

Step 9. Wait for the approval to complete and then click Close.

Note: It is at this stage that Alan can manually link the GPO to the Organisational Unit (OU).

Stage 6. Making changes to a GPO

Now John will check out and edit a GPO from the archive, and Alan will approve the GPO once John has finished his changes.

Step 1. Log on as John to a computer that has GPMC and the AGPM client.

Step 2. Open GPMC, click on Change Control and then the Controlled tab, then right click on the GPO you want to edit and click the Check Out… option.

Step 3. Enter a comment that describes the change you are about to make, then click OK.

Step 4. Click Close.

Step 5. Go back to the GPO in the Controlled tab, right click on it and click Edit.

Step 6. Edit the GPO in the Group Policy Management Editor with the changes you want to make. When you are finished, just close the GPME.

Step 7. Right click on the GPO and then click on Check In…

Step 8. Enter a description of the change that you want associated with the check-in, then click OK.

Step 9. Click Close.

Step 10. Right click on the GPO and click Deploy…

Step 11. Fill out the comment field describing the change for the person who is to review it, then click Submit.

Note: this is a good spot to put in your own Change Reference Number.

Step 12. Click Close.

Step 13. Now, logged on as Alan, open the GPMC, open the Pending tab, right click on the GPO and then click on History.

Step 14. Here you can review the modifications and the check-in/check-out history of the GPO.

Step 15. You can also right click on the GPO, go to Differences and then click on HTML Report.

Note: This gives you an HTML report highlighting all the changes that have been made to the GPO. This way you can easily review just the settings that have changed if it is a GPO with numerous settings configured. Highlighted sections show the options that have changed.

Step 16. Once you are satisfied with the change, right click on the GPO and click Approve…

Step 17. Again, add a comment to be associated with the approval and then click Yes.

Step 18. Click Close.

Stage 7. Converting Uncontrolled GPOs to Controlled

Step 1. Log on as Alan to a computer that has GPMC and the AGPM client.

Step 2. Open GPMC, click on Change Control and then the Uncontrolled tab, then right click on the GPO you want to “Control” and click on Control…

Step 3. Add an initial comment for the GPO, then click OK.

This Group Policy is now controlled.

Hopefully this has given you enough of an introduction to AGPM to get it installed and start performing basic changes and approvals to GPO settings…

How to use Group Policy Preferences to dynamically map printers with Roaming Profiles

One of the great new features of Group Policy Preferences is the ability to map printers based on a variety of criteria such as group membership, AD site or even IP address range, to name a few. This allows for some powerful scenarios, such as mapping all the printers physically near a user based on the computer's IP address. Note: This assumes that the networking team allocates the same subnets to computers that are near each other (e.g. a building or floor), but I have found this is often the case.

One of the problems that occurs when you map printers with Group Policy Preferences is that if a user has a roaming profile and logs on to a computer located in another area, they will also still have all their old printers from the previous area. Users might not really notice these printer mappings building up over time, but they can soon amass a large number of mappings that make their logon slow.

Question: So how do you map all the printers in one location but not have them follow you to another location if you are using a roaming profile?

Answer: A two-step solution, which I go through below. There is also an optional third step that addresses the problem of maintaining the default printer mapping once a user gets back to their normal location.

Step 1. The first part is just to create a simple printer mapping that maps the printer, targeted by the IP address of the user's current computer.

Figure 1. Create New Shared Printer

Figure 2 shows the printer “\\server\printer1” being mapped for users who log on to a computer in the 10.1.1.0/24 subnet. It is important to note that we are talking about the IP address range of the computer on which you want to map the printer, not the IP address range of the print server or the printer's own NIC.

Figure 2. Target setting so the printer is only mapped for computers between 10.1.1.0 and 10.1.1.255

Figure 3. Resulting printer mapping

Step 2. The second step is to delete the printer mapping if the IP address of the computer does not fall within the range in which you want the printer mapped. To do this we start by copying the existing printer mapping we made in step 1. This avoids making typos in either the printer queue name or the IP addresses.

Figure 4. Copying the existing printer mapping made in step 1.

Figure 5. Paste the setting into an unused part of the pane.

Figure 6. Both printer mapping entries.

Now we change the action and the targeting on the second printer mapping so that it removes the printer when the user logs on to a computer in another area.

Figure 7. Open the properties of the second printer.

Figure 8. Change the Action to “Delete”.

Figure 9. Go back to the targeting and change it to an “Is Not” between “10.1.1.0” and “10.1.1.255”.

Figure 10. New target rule.

Figure 11. Two printer entries to map and then clean up the printer queues for a user based on their location.

Step 3. Maintaining Default Printer Mappings

You have now configured dynamic printer mapping based on the user's location. However, this solution does have one problem, or at least annoyance: users normally like to set a default printer. If a user logs on to a workstation in another location and then returns to their normal desk, their default printer will have been reset, because the printer was removed. To get around this we add another rule to the targeting on the Delete printer item so that it does NOT delete the printer if it is configured as the default printer. To do this we check the registry location where the default printer is saved and test whether the printer we are about to delete is the default printer.

So go back to the targeting options for the Delete printer action and add another test that checks whether the printer is the default printer.

Figure 12. Add a new item of type “Registry Match”.

Figure 13. Configured Registry Match setting.

Change the Match Type to “Match value data” and the Value data match type to “Substring match”, as the value we are looking for also contains other information (the driver and port) that we don't care about. Make sure the Hive is set to “HKEY_CURRENT_USER” and the Key Path is set to “Software\Microsoft\Windows NT\CurrentVersion\Windows”. The Value name “Device” is where the default printer is saved in the registry. We then set the Substring to “\\server\printer1”, the UNC path to the printer queue. Note: The substring value has to be exactly the same as the value set in the Path of the printer mapping. Also be aware that a substring match on “\\server\printer1” also matches a queue named “\\server\printer10”, so name your queues (or choose your substring) with that in mind.

There, now you know how to use Group Policy Preferences to map and remove network printers for users based on their physical location, avoiding the build-up of mappings if your users have roaming profiles, while still preserving their default printer.
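
The decision logic the three preference items above implement, written out as PowerShell so it can be tested against constructed inputs before you touch the GPO. This is an added example, not the author's code and not anything Group Policy itself runs. The printer path and the 10.1.1.0 to 10.1.1.255 range are the post's; the Device strings in the dry run are made up.

```powershell
# Added example, not from the original post: the three decisions the preference items make
# (map when in range, delete when out of range, keep when it is the default printer) as
# functions you can dry-run. Sample Device values below are constructed for this example.

function ConvertTo-IPv4UInt32 {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network byte order -> little-endian for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    # Same semantics as the "IP Address Range" targeting item: inclusive at both ends.
    param([string]$Address, [string]$Start, [string]$End)
    $a = ConvertTo-IPv4UInt32 $Address
    ($a -ge (ConvertTo-IPv4UInt32 $Start)) -and ($a -le (ConvertTo-IPv4UInt32 $End))
}

function Get-DefaultPrinterPath {
    # The Device value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows is
    # "<printer>,<driver>,<port>"; only the first field is the queue the Registry Match looks at.
    param([string]$DeviceValue)
    if (-not $DeviceValue) {
        $DeviceValue = (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' -Name Device -ErrorAction SilentlyContinue).Device
    }
    if ($DeviceValue) { ($DeviceValue -split ',')[0].Trim() }
}

function Resolve-PrinterAction {
    param(
        [string]$PrinterPath,     # UNC queue, e.g. \\server\printer1
        [string]$ClientAddress,   # IP of the computer the user is logging on to (not the print server)
        [string]$RangeStart,
        [string]$RangeEnd,
        [string]$DeviceValue      # contents of the Device registry value (blank = read the live one)
    )
    if (Test-IPv4InRange -Address $ClientAddress -Start $RangeStart -End $RangeEnd) {
        return 'Update'           # item 1: map the printer
    }
    # Item 2 (Delete, IP "Is Not" in range) with the step 3 exception. An exact comparison is used
    # instead of the post's substring match so that \\server\printer10 is not mistaken for \\server\printer1.
    $default = Get-DefaultPrinterPath -DeviceValue $DeviceValue
    if ($default -and ($default -ieq $PrinterPath)) { return 'Keep (default printer)' }
    'Delete'
}

# Dry run with constructed inputs.
$mapping = @{ PrinterPath = '\\server\printer1'; RangeStart = '10.1.1.0'; RangeEnd = '10.1.1.255' }
Resolve-PrinterAction @mapping -ClientAddress '10.1.1.57' -DeviceValue '\\server\printer1,winspool,Ne02:'
Resolve-PrinterAction @mapping -ClientAddress '10.1.2.57' -DeviceValue '\\server\printer1,winspool,Ne02:'
Resolve-PrinterAction @mapping -ClientAddress '10.1.2.57' -DeviceValue '\\server\printer10,winspool,Ne03:'
```

The three calls correspond to a user at their normal desk, a user visiting another floor whose default printer is printer1 (kept), and a visiting user whose default is a different queue (printer1 is deleted). Calling `Resolve-PrinterAction` without `-DeviceValue` evaluates the logged-on user's real default printer.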

Best Practice: How to use Group Policy Preferences to Secure Local Administrator Groups

One problem I see all the time is IT administrators never being able to control who is a local administrator on any particular computer. The problem is that when you give someone local admin access to a computer (because they legitimately need it) you can't stop them giving admin access to someone else on the same computer. When this happens it is also almost impossible to discover, as you have to query every computer to see who is in the local Administrators group and then figure out which accounts should be members. One solution is of course to follow Microsoft best practice and not give your users local admin access to their PC or server; in a utopian environment this would be possible, but we all live in the real world where managers have admin access to their PCs and developers are allowed to install any software they want. So how do you give a user full admin access to a computer but stop them adding more people to the local Administrators group? Use Group Policy Preferences, of course.

But first a bit of history… Since Group Policy was first introduced with Windows 2000 there has been a setting called “Restricted Groups” which allows you to control the membership of a group. This option has two modes: “Members”, which I also call “Iron Fist” mode, and “Members Of”, which is much gentler. “Members” removes any groups or users that are not explicitly specified, while “Members Of” just adds the specified group without removing any existing members. “Members” was really good at cleaning up rogue members of the local Administrators group, but it was also hard to set up, as you needed a new Group Policy every time you wanted a different list of members in a local group. “Members Of” was a lot easier to maintain, as you could layer multiple Group Policies on top of each other, but this normally resulted in just adding another layer of groups to the pile already in the local Administrators group. The other problem was that “Members” would override “Members Of”, so there was really no way of mixing the two modes.

BUT… Group Policy Preferences can use variables, which enables you to be extremely granular in controlling your local Administrators group while still having “Iron Fist” control. Muuhhaaaahahahahah!!!

How do I setup a restricted local administrator group?

The following steps need to be applied in a GPO that is applied to the computer objects whose local Administrators group you want to control. Note: You must make sure you don't have any other Group Policy “Restricted Groups” settings applied to these computers, as they will always override the Group Policy Preferences settings.

Step 1. Open the Group Policy Management Console and edit the Group Policy that is applied to the scope of computers you want to control.

Step 2. Go to Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups (see Image 1).

Image 1. Local Users and Groups

Step 3. Now click on Actions > New > Local Group

Step 4. Now select “Administrators (built-in)” from the Group name drop-down. This entry always selects the built-in Administrators group (by its well-known SID rather than its name), even if you have renamed the group to obfuscate it.

Step 5. Tick both “Delete all member users” and “Delete all member groups”. These two options automatically remove any users or groups that are not explicitly added to the group. You only need to do this on item number 1 in the list of settings, as it is processed first; the items after it add their members on top.

Step 6. Now you need to make sure you add back the Domain Admins group and the local Administrator account so that you don't totally lock yourself out of the computer. To do this click the “Add…” button to bring up the “Local Group Member” dialogue box (see Image 2).

Image 2. Local Group Member

Step 7. Type “BUILTIN\Administrator” in the Name field and click OK (see Image 3).

Image 3. Local Administrator account added to the local Administrators group

Step 8. You should also add “DOMAINNAME\Domain Admins”, as it is good practice to have Domain Admins as a member of the local Administrators group on all computers in the domain (joining the domain puts it there by default). To do this we are going to use the DomainName variable. Click “Add…” again, click in the “Name:” text field and then press F3. This brings up the “Select Variable” dialogue box (see Image 4). Click on “DomainName”, press “Select”, finish the name off with “\Domain Admins” and click “OK”. (Alternatively you could type %DomainName%\Domain Admins in the Name field and just press OK.)

Image 4. Selecting the DomainName Variable

You should now see the following, which restricts the local Administrators group to only the Domain Admins group and the local Administrator account.

Image 5. Basic local Administrators group setting

So what, you ask? I can do this already with the “Restricted Groups” Group Policy setting. Well, only having the local Administrator and Domain Admins in the local Administrators group is not much use unless you are willing to give everyone the local admin password, or give them all Domain Admins privileges (like that ever happens), whenever they need admin access. Again, this is where Group Policy Preferences can help.

 

How to add individuals to a single computer?

Now we are going to go through how to add a uniquely named domain group to the local Administrators group without having to set up multiple Group Policy Objects. This scenario is very helpful if you want to grant a single user or group local administrator access on one computer but still ensure that no other users or groups can be added without being explicitly approved. In the steps below the computer name is DESKTOP01 and the domain name is CONTOSO; we want to add the group “CONTOSO\DESKTOP01 Administrators” to the local Administrators group, but we also want the same to happen on DESKTOP02, DESKTOP03 and so on, each with its own uniquely named group based on the computer name.

Update: Having a unique group for each computer lets you easily grant a single user permission to a single computer, as there is a one-to-one mapping of domain groups to local Administrators groups.

Step 9. Now go back and repeat steps 3, 4 and 6 (this time leave the two “Delete all…” options from step 5 unticked) until you get to the Local Group Member dialogue box again (see Image 6).

Note: This creates a second local Administrators group item in the list to work around an issue.

Image 6. Add Local Group Member

Step 10. Type “%DomainName%\%ComputerName% Administrators” in the Name text field and click “OK” (see Image 7).

Image 7. Configuration to automatically add a uniquely named group to the local Administrators group

This will now automatically add a domain group called “DOMAINNAME\COMPUTERNAME Administrators” to the local Administrators group on each computer to which the policy is applied, and your Group Policy should look like Image 8.

Image 8. Two local Administrators group settings

Update: There are two separate local administrator group setting in the policy, the first one is the setting you see in image 5 and second one is the setting you can see in image 7.

However, the “CONTOSO\DESKTOP01 Administrators” group will only be added to the local Administrators group on DESKTOP01 if that group already exists in Active Directory. Therefore you do not need to create the group until the need arises to add an individual user or group to just that computer.

Update: This policy will not create the group “DOMAINNAME\COMPUTERNAME Administrators” in your Active Directory, and you don't have to create it unless you want to use it to grant permission to the computer. Once you have created the group you can add a single user to it… or multiple user accounts and groups. The other advantage of this domain group is that it is the only place where you can grant admin access to the computer without it being automatically removed, so it makes auditing who is a local administrator on a workstation much easier, as you only have to audit the domain groups. This means you can even report on who has access to the computer when the computer isn't connected to the domain.

This group policy setting combined with the other setting made earlier (see Image 5.) will mean that the local administrator group on the computer DESKTOP01 in the CONTOSO domain will have the following members automatically added to the group:

  • CONTOSO\Domain Admins
  • DESKTOP01\Administrator
  • CONTOSO\DESKTOP01 Administrators

But ANY other users or groups will be automatically removed at the next Group Policy refresh. This does mean there is a small window of opportunity for someone to slip an unauthorised account into the local Administrators group, but it will be removed at the next policy update.

Side Note: I have found that users almost never complain that they cant add un-authorised user to the local admin account on computer. Go figure…  :)

AWESOME!!!! I hear you say… but wait, there is more…

 

How do I add additional broader groups to the local administrators group?

Now that you are able to granularly add a single user or group to the local Administrators group on a computer, you might run into problems if you have more than about 1000 computers, due to AD token bloat issues (an administrator who is a member of one group per computer ends up with a very large Kerberos token). To get around this we can set up some more broadly applied administrator groups that give admin access to only a subset of computers, such as all workstations or only the SQL servers in your organisation.

Workstations Admin Groups

To apply a Workstation Administrators group to the local Administrators group on all workstations, make sure you have a Group Policy targeted only at your workstations. This is normally pretty easy, as most companies isolate their workstation computer accounts in one (or a select few) Organisational Units.

Step 11. Go back and repeat steps 6 and 7, but this time type “%DomainName%\Workstation Administrators” in the Name field. This adds the additional group “CONTOSO\Workstation Administrators” to the local Administrators group on all the workstations in your domain, which lets you easily give all the desktop administrators in your organisation access to all the workstations without having to give them the local admin password or Domain Admins privileges.

Server Role Admin Groups

It gets a little trickier when you want to grant access to a server based on its role, as servers are sometimes configured for multiple roles. So in these steps we are going to automatically add a domain group called “CONTOSO\SQL Server Administrators” to all the servers that have SQL Server installed. This is very handy for making sure SQL service accounts or database administrators have admin access to all the servers that have Microsoft SQL Server installed. You can make multiple versions of these admin groups for other roles (e.g. Exchange, SCCM, ISA); you just need to know the best way to target the setting.

Step 12. First make sure you are editing a Group Policy that is applied to all the servers in your organisation.

Step 13. Repeat steps 9 and 10, then open the properties of the new item, but this time type “%DomainName%\SQL Server Administrators” in the Name field.

Step 14. Click on the “Common” tab, tick “Item-level targeting” and click the “Targeting…” button.

Step 15. Click on “New Item” in the menu bar, select the “File Match” option and configure it to check whether a sub-folder called “Microsoft SQL Server” exists in the Program Files folder (see Image 9). This is normally true for any server that has Microsoft SQL Server installed, so the SQL Server Administrators group is applied automatically to any server where it is found.

Note: In this example we test that the “Microsoft SQL Server” folder exists, but we could also make a rule that tests for the existence of a particular file or registry key. On 64-bit Windows a 32-bit edition of SQL Server installs under “Program Files (x86)”, so add a second File Match (with “Or” item logic) for that folder if you have any.

Image 9. Testing to see if Microsoft SQL Server is installed.

Now any computer that has SQL Server, MSDE or SQL Express installed will get the group “CONTOSO\SQL Server Administrators” automatically added to the local Administrators group.

The nice thing about this is that if SQL Server is installed on a server at some point in the future, the SQL Server Administrators group will be added automatically at the next Group Policy refresh without you having to do a thing.
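
As an added example (not from the original post), here is a PowerShell audit that enumerates a computer's local Administrators group and compares it with the membership these settings enforce, including the Workstation Administrators and SQL Server Administrators role groups from the last two sections. It is the “query every computer” check from the introduction, made repeatable. The group names follow the post's naming convention and the sample membership is constructed.

```powershell
# Added example, not from the original post: audit a computer's local Administrators group
# against the membership the preference items in this post enforce. Group names follow the
# post's convention; the role groups are expected only when the post's targeting conditions hold.
# ADSI is used so it also works on Windows 7 (Get-LocalGroupMember needs PowerShell 5.1).

function Get-LocalAdministratorMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # WinNT://CONTOSO/Domain Admins -> CONTOSO\Domain Admins
        # WinNT://CONTOSO/DESKTOP01/Administrator -> DESKTOP01\Administrator
        $parts = ($adsPath -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { "$($parts[-2])\$($parts[-1])" } else { $parts[-1] }   # single part = unresolved SID
    }
}

function Get-ExpectedLocalAdministrators {
    param(
        [string]$Domain       = $env:USERDOMAIN,
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$IsWorkstation,                       # computers in the workstation GPO scope
        [string[]]$ProgramFilesRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $expected = @(
        "$Domain\Domain Admins",
        "$ComputerName\Administrator",
        "$Domain\$ComputerName Administrators"        # per-computer group, only present once created in AD
    )
    if ($IsWorkstation) { $expected += "$Domain\Workstation Administrators" }
    # Same condition as the post's File Match targeting: a "Microsoft SQL Server" folder under Program Files.
    $sqlFolder = $ProgramFilesRoots | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'Microsoft SQL Server' } | Where-Object { Test-Path $_ }
    if ($sqlFolder) { $expected += "$Domain\SQL Server Administrators" }
    $expected
}

function Compare-LocalAdministrators {
    # Unauthorised is the finding: anything the preference items would remove at the next refresh.
    # Missing is informational: the per-computer group is only added if it exists in AD.
    param([string[]]$Actual, [string[]]$Expected)
    [pscustomobject]@{
        Unauthorised = @($Actual   | Where-Object { $Expected -notcontains $_ })   # -notcontains is case-insensitive
        Missing      = @($Expected | Where-Object { $Actual   -notcontains $_ })
    }
}

# Constructed sample: a drifted DESKTOP01 where someone added a local account to the group.
$sampleActual   = 'CONTOSO\Domain Admins', 'DESKTOP01\Administrator', 'CONTOSO\DESKTOP01 Administrators', 'DESKTOP01\bob'
$sampleExpected = Get-ExpectedLocalAdministrators -Domain CONTOSO -ComputerName DESKTOP01 -IsWorkstation -ProgramFilesRoots @()
Compare-LocalAdministrators -Actual $sampleActual -Expected $sampleExpected

# Live check of this computer:
Compare-LocalAdministrators -Actual (Get-LocalAdministratorMembers) -Expected (Get-ExpectedLocalAdministrators)
```

In the constructed sample the only unauthorised member is DESKTOP01\bob; CONTOSO\Workstation Administrators shows as missing because the sample computer is treated as a workstation. Run the live check before the next Group Policy refresh if you want to see what the preference items are about to remove, or afterwards to confirm they did.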

Finally, now that you have tight control of the local Administrators groups on all the computers in your domain, it is important to monitor and secure the domain groups that are being added to the local Administrators groups, as they now control who has admin access to all your computers. But I will save how to do that for another blog post…