Posts tagged ‘Basic’

How to enable and configure Group Policy setting in Windows RT

Along with the recent release of Windows 8 Microsoft also released Windows RT which is pretty much Windows 8 designed to operate on ARM based processors. For consumers the most obvious difference of this OS is the lack of ability to run legacy software. In enterprises however the biggest missing feature is that this OS is not joinable to a domain and thus cannot be configured using Group Policy.

HOWEVER… it is still possible, with a very minor configuration change, to enable a Windows RT device to be configured via Local Group Policy.

To begin with, you might remember my blog post What’s changed with the Group Policy Client Service in Windows 8, where I explain that the Group Policy service will shut down after a period of 10 minutes when not in use. Well, with Windows RT there are no Local Group Policy settings configured out of the box, so by default the Group Policy Client service is disabled. Therefore, before we configure the local group policy on a Windows RT device, we first need to enable the Group Policy Client service, which you can get to via the Computer Management option from the system menu (see image below).

Once you are in the Computer Management tool, navigate to the Services section and find the Group Policy Client service.

Note: As mentioned before, this service is disabled by default in Windows RT.

Now configure the Group Policy Client service startup type to be Automatic and then manually start the service.

Now that the service is started, you will be able to modify any Local Group Policy setting as per normal by running “MMC” from the Start menu and then loading the Local Computer Policy snap-in. As you can see in the image below, I have used the Local Policy to configure the Default Lock Screen image, as I mention in my previous blog post How to use Group Policy to change the Default Lock Screen image in Windows 8.

That is pretty much it… While it is still disappointing that these devices cannot be managed via Group Policy, at least you can still configure the policy settings on these devices when you just want to make some minor tweaks.

Side Note: This blog post was written completely on a Windows RT device. For those of you who are lamenting the fact that there is no Windows Live Writer for Windows RT, the blogging feature in Word 2013 is pretty much an exact replacement for this application (see image below).

How to block installing SharePoint Server 2010 using Group Policy

SharePoint 2010 is quickly becoming a very popular web platform for many organisations for collaborating and sharing information. In some medium to large organisations it is almost too popular, with many SharePoint server farms popping up all over the place as each department or business unit sees a need. As a quote from a Microsoft article says:

Because deployments of Microsoft SharePoint 2010 Products are managed at the farm level, a single SharePoint deployment has no information about other SharePoint deployments that might exist in the same enterprise.

Therefore Microsoft has provided a registry key you can create on your server to ensure that SharePoint will not install.

Key: HKLM\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint\
Value: DisableInstall (REG_DWORD)
Data: 00000001

Step 1. To deploy this key create a new GPO with the following Group Policy Preferences Registry Extension and link it at the domain in your organisation.


Then if anyone tries to install SharePoint 2010 on a server in your organisation they will get this message:

SharePoint installation is blocked in your organization. Please contact your network administrator for more details.

However, you may want to have SharePoint 2010 installed on your approved servers, so you will need a way for this setting to be removed for these approved servers.

Step 2. To do this, go to the Common tab and tick the “Remove this item when it is no longer applied” option. This way the registry key will be deleted for any server that is approved to have SharePoint 2010. Then tick “Item-level targeting” and click the “Targeting…” button. (This is why the Replace action is used in step 1.)


Step 3. Option #1 would be to target the setting to NOT apply if the server computer account is in the “SharePoint” server OU. This is obviously only practical if all your SharePoint servers are grouped together in one OU.


Step 3. Option #2 would be to target the setting to NOT apply if the server computer account is in the “SharePoint Servers” security group. This option is more suitable if you have servers spread out over your organisation.


Note: In both examples I have added a condition that this setting will only apply to server operating systems, which avoids the key being pushed to any of the workstations in the organisation.
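
A local audit of the block described above, as an added example that is not part of the original post: it reads the DisableInstall value from the article's key and compares it with what the item-level targeting should produce on this machine. The function names, the use of Win32_OperatingSystem.ProductType to stand in for the "server operating system" condition, and the `$approved` flag are assumptions.

```powershell
# Added example (not from the original post). Key and value name are the article's;
# function names and the $approved flag are hypothetical.
$KeyPath = 'HKLM:\Software\Policies\Microsoft\Shared Tools\Web Server Extensions\14.0\SharePoint'

function Get-SharePointInstallBlock {
    # Returns the DisableInstall data as an int, or $null when the key or value is absent.
    $prop = Get-ItemProperty -Path $KeyPath -Name 'DisableInstall' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.DisableInstall
}

function Test-SharePointInstallBlock {
    param(
        [Parameter(Mandatory)][bool]$IsServerOs,  # targeting condition: server operating system
        [Parameter(Mandatory)][bool]$IsApproved,  # targeting exclusion: approved OU or security group
        [AllowNull()]$Value                       # output of Get-SharePointInstallBlock
    )
    # Same logic as the item-level targeting: block servers unless they are approved.
    $expected = $IsServerOs -and -not $IsApproved
    $actual   = ($Value -eq 1)

    if ($expected -eq $actual) { $status = 'Compliant' }
    elseif ($expected)         { $status = 'MissingBlock' }
    else                       { $status = 'UnexpectedBlock' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Expected = $expected
        Actual   = $actual
        Status   = $status
    }
}

# Assumption: ProductType 1 = workstation, 2 = domain controller, 3 = member server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Assumption: the operator states whether this host is an approved SharePoint server.
$approved = $false

Test-SharePointInstallBlock -IsServerOs ($os.ProductType -ne 1) `
                            -IsApproved $approved `
                            -Value (Get-SharePointInstallBlock)
```

MissingBlock on a non-approved server means the GPO is not applying there; UnexpectedBlock on an approved server means the targeting exclusion or the “Remove this item when it is no longer applied” option has not yet taken effect.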

Now hopefully armed with this information you can control the sprawl of SharePoint in your organisation…

References: http://technet.microsoft.com/en-us/library/ff730261.aspx

How to use Group Policy to default Internet Explorer to desktop mode in Windows 8

In Windows 8 there are now two different versions of Internet Explorer 10 installed. One is a Metro-style version that does not support browser add-ons, to improve the performance and reliability of the touch version of the browser. The other, more traditional desktop version of Internet Explorer allows browser add-ons (x86 only) but its controls are not as touch friendly (for more info see http://blogs.msdn.com/b/b8/archive/2011/09/14/metro-style-browsing-and-plug-in-free-html5.aspx). However, if you are using Windows 8 on a traditional non-touch device you will pretty much always want to default to the IE desktop version, as there is no advantage to running the Metro version without a touch screen.

Along with the new browser there are of course new Internet Explorer 10 Group Policy Preferences settings, and one of these allows you to default the browser to always open in desktop mode. Below are the instructions you need to default the browser to Desktop Mode.

Step 1. Edit a Group Policy targeted to a user and open “User Configuration > Preferences > Control Panel Settings” then right click on “Internet Settings” and then click on “New” and “Internet Explorer 10 and 11”

Step 2. Click on the Programs tab and then choose “Always in Internet Explorer on the desktop” and tick “Open Internet Explorer tiles on the desktop”


Note: Not sure why it is called “Internet Explorer 10 and 11”, but this seems to suggest that the options of the two browser versions will be similar.

Note2: If you have an existing Metro tile pinned to your start screen you will need to re-create it, as it looks like the link for Metro IE is not the same as for Desktop IE.

Update: Microsoft has now released a blog post about this feature called Launch Options for Internet Explorer 10 on Windows 8

Group Policy FAQ #1: What are the Group Policy Preferences Prerequisites?

Even though Group Policy Preferences have been out for a number of years (since Windows Server 2008), they are still a relatively unknown feature of Group Policy. Therefore this is the first of a few articles I am going to be writing about some of the basic features of Group Policy Preferences. To start off with, I am going to cover a few FAQs on what you need to do to start using all the Group Policy Preferences goodness.

Do I need to extend the schema to use Group Policy Preferences?

NO. There are no schema extensions required to support Group Policy Preferences as they work by only creating a folder called “Preference” under the User and/or Computer folder in the SYSVOL.

What is the minimum version of domain mode or domain controllers I need to support Group Policy Preferences?

Unofficially, Windows 2000 Domain Mode with Windows 2000 DCs will work fine. However, officially it is whatever the minimum supported OS and domain mode of Active Directory is at the time.

What software do I need to install to use Group Policy Preference?

To make it easy the table below outlines what software you need to install to enable Group Policy Preferences on the client and to make changes to the

| Operating System | Client Side Extensions Required | Group Policy Management Console |
| --- | --- | --- |
| Windows XP | Yes (SP2 also requires XmlLite) | Not Supported |
| Windows Server 2003 | Yes (SP2 also requires XmlLite) | Not Supported |
| Windows Vista | Yes | Yes (via Remote Server Admin Tools) |
| Windows Server 2008 | Included | Yes |
| Windows 7 | Included | Yes (via Remote Server Admin Tools) |
| Windows Server 2008 R2 | Included | Yes |

How do I get the client side extensions?

Below is a list of links to the download page for the client side extensions for the versions of Windows that do not have them installed out of the box.

If you are still running Windows XP or Windows Server 2003 Service Pack 2 (OMG THAT IS SO BAD) then you will also need to install XmlLite to make preferences work.

How do I install the client side extensions?

You can install the client side extensions a number of ways in your environment:

Tip: If you want to do limited testing of Group Policy Preferences in your environment and you are still running Windows XP or Vista, then you can selectively roll out the extensions to just the computers you want to test on. This works because applying a preference setting to a computer that does not have the client side extensions installed has no effect.

Do I need to install the client side extensions for Windows Server 2008, Windows 7 or Windows Server 2008 R2?

No. It is part of the operating system.

Why can't I edit Group Policy Preferences from Windows XP or Windows Server 2003?

While the client side extensions for Group Policy Preferences are supported on Windows XP and Windows Server 2003, the version of Group Policy Management Console (GPMC) for XP/2003 has not been updated and therefore does not allow the editing of GPPs in any way, shape or form. This means you need at least one Windows Vista (yuck) or Windows Server 2008 server with Group Policy Management Console installed to edit Group Policy Preferences in your environment, even if every other server and workstation is running 2003 and XP.

How do I install the Group Policy Management Console?

GPMC is a component of the Remote Server Admin Tools for Windows 7 / Vista and is an optional feature that needs to be installed with Windows Server 2008 & R2. See my instructions for installing GPMC on Windows 7 and 2008 R2 at How to download and install the Group Policy Management Console (GPMC)

Summary

So if you are thinking about using Group Policy Preferences in your environment, don’t stress… It's a really simple process, and as soon as you have GPMC on one or two computers and the client side extensions installed on all the computers you want to apply preferences to, you are ready to go…

Best Practice: How to use Group Policy Preference enable auto-logon

The article below shows you how to use Group Policy Preferences to set up the registry keys on a computer so that it automatically logs on when it is turned on. While doing this is potentially a huge security issue and not something I would generally recommend, IT staff might want to implement it on computers that are highly locked down and used only for a specific purpose.

How to set a registry key using Group Policy Preferences

Before we begin I will show you how to create the required registry keys using Group Policy Preferences. After this I will list the registry keys you need to use with the instructions below to configure automatic logon.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied.

WARNING: Make sure you have not applied this policy to any computers before you begin, as this will obviously log on any computer that this policy is applied to automatically.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry


Step 3. In the Menu click on Action > New > Registry Item


Now you know how to configure a registry key setting using Group Policy Preferences you can create a new Registry Item for each registry key listed below.

Continue reading ‘Best Practice: How to use Group Policy Preference enable auto-logon’ »