Group Policy Central

Posts tagged ‘Basic’

Group Policy FAQ #1: What are the Group Policy Preferences Prerequisites?

Even though Group Policy Preferences have been out for a number of years (since Windows Server 2008), they are still a relatively unknown feature of Group Policy. Therefore this is the first of a few articles I am going to be writing about some of the basic features of Group Policy Preferences. So to start off with I am going to cover a few FAQs on what you need to do to start using all the Group Policy Preferences goodness.

Do I need to extend the schema to use Group Policy Preferences?

NO. There are no schema extensions required to support Group Policy Preferences, as they work only by creating a folder called “Preference” under the User and/or Computer folder in the SYSVOL.

What is the minimum version of domain mode or domain controllers I need to support Group Policy Preferences?

Unofficially, Windows 2000 Domain Mode with Windows 2000 DCs will work fine. However, officially it is whatever the minimum supported OS and domain mode of Active Directory is at the time.

What software do I need to install to use Group Policy Preferences?

To make it easy the table below outlines what software you need to install to enable Group Policy Preferences on the client and to make changes to the

| Operating System | Client Side Extensions Required | Group Policy Management Console |
|---|---|---|
| Windows XP | Yes (SP2 also requires XmlLite) | Not Supported |
| Windows Server 2003 | Yes (SP2 also requires XmlLite) | Not Supported |
| Windows Vista | Yes | Yes (via Remote Server Admin Tools) |
| Windows Server 2008 | Included | Yes |
| Windows 7 | Included | Yes (via Remote Server Admin Tools) |
| Windows Server 2008 R2 | Included | Yes |

How do I get the client side extensions?

Below is a list of links to the download page for the client side extensions for the versions of Windows that do not have them installed out of the box.

If you are still running Windows XP or Windows Server 2003 Service Pack 2 (OMG THAT IS SO BAD) then you will also need to install XmlLite to make preferences work.

How do I install the client side extensions?

You can install the client side extensions a number of ways in your environment:

Tip: If you want to do limited testing of Group Policy Preferences in your environment and you are still running Windows XP or Vista, then you can selectively roll out the extensions to just the computers you want to test with. This is because there will be no effect in applying a preference setting to a computer that does not have the client side extensions installed.

Do I need to install the client side extensions for Windows Server 2008, Windows 7 or Windows Server 2008 R2?

No. It is part of the operating system.

Why can't I edit Group Policy Preferences from Windows XP or Windows Server 2003?

While the client side extensions for Group Policy Preferences are supported on Windows XP and Windows Server 2003, the version of Group Policy Management Console (GPMC) for XP/2003 has not been updated and therefore does not allow the editing of GPPs in any way, shape or form. This means you need at least 1 Windows Vista (yuck) or Windows Server 2008 server with Group Policy Management Console installed to edit Group Policy Preferences in your environment, even if every other server and workstation is running 2003 and XP.

How do I install the Group Policy Management Console?

GPMC is a component of the Remote Server Admin Tools for Windows 7 / Vista and is an optional feature that needs to be installed with Windows Server 2008 & R2. See my instructions for installing GPMC on Windows 7 and 2008 R2 at How to download and install the Group Policy Management Console (GPMC)

Summary

So if you are thinking about using Group Policy Preferences in your environment don’t stress… It's a really simple process, and as soon as you have GPMC on one or two computers and the client side extensions installed on all the computers you want to apply preferences to, then you are ready to go…

Best Practice: How to use Group Policy Preference enable auto-logon

The article below shows you how to use Group Policy Preferences to set up the registry keys on a computer so that it automatically logs on when it's turned on. While doing this is a potentially huge security issue and not something I would generally recommend, IT staff might want to implement it on computers that are highly locked down and used only for a specific purpose.

How to set a registry key using Group Policy Preferences

Before we begin I will show you how to create the required registry keys using Group Policy Preferences. After this I will list the registry keys you need to use with the instructions below to configure automatic logon.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied to.

WARNING: Make sure you have not applied this policy to any computers before you begin, as this will obviously log on any computer that this policy is applied to automatically.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry


Step 3. In the Menu click on Action > New > Registry Item


Now that you know how to configure a registry key setting using Group Policy Preferences you can create a new Registry Item for each registry key listed below.

Continue reading ‘Best Practice: How to use Group Policy Preference enable auto-logon’ »
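Because auto-logon is the security issue the post warns about, here is an added example (not code from the original article) of an audit that finds Registry preference items which set the Winlogon auto-logon values. The value names are the standard Windows auto-logon values rather than a list taken from this page, the Registry.xml sample is constructed, and `Find-GppAutoLogon` is a hypothetical helper name.

```powershell
# Added example. $sampleXml is CONSTRUCTED; real preference items are stored in
# ...\Policies\{GPO-GUID}\Machine\Preferences\Registry\Registry.xml under SYSVOL.
$sampleXml = @'
<RegistrySettings>
  <Registry name="AutoAdminLogon">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="AutoAdminLogon" type="REG_SZ" value="1"/>
  </Registry>
  <Collection name="Kiosk">
    <Registry name="DefaultUserName">
      <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="DefaultUserName" type="REG_SZ" value="kiosk-example"/>
    </Registry>
    <Registry name="DefaultPassword">
      <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" name="DefaultPassword" type="REG_SZ" value="EXAMPLE-NOT-A-REAL-SECRET"/>
    </Registry>
  </Collection>
  <Registry name="ScreenSaveActive">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Control Panel\Desktop" name="ScreenSaveActive" type="REG_SZ" value="1"/>
  </Registry>
</RegistrySettings>
'@

function Find-GppAutoLogon {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][xml]$Xml,
        [string]$Source = '(inline sample)'
    )
    $watched = 'AutoAdminLogon', 'DefaultUserName', 'DefaultDomainName', 'DefaultPassword'
    # '//Registry' also matches items nested inside <Collection> folders.
    foreach ($p in $Xml.SelectNodes('//Registry/Properties')) {
        $name = $p.GetAttribute('name')
        if ($p.GetAttribute('key') -notlike '*\Windows NT\CurrentVersion\Winlogon') { continue }
        if ($watched -notcontains $name) { continue }
        $isSecret = $name -eq 'DefaultPassword'
        [pscustomobject]@{
            Source   = $Source
            Value    = $name
            Action   = $p.GetAttribute('action')   # action code as stored in the XML
            # Report that a password is present without echoing it into logs.
            Data     = if ($isSecret) { '<redacted>' } else { $p.GetAttribute('value') }
            Severity = if ($isSecret) { 'High' } else { 'Review' }
        }
    }
}

Find-GppAutoLogon -Xml ([xml]$sampleXml) | Format-Table -AutoSize
```

To audit a domain, load each Registry.xml found under the SYSVOL Policies folder and pass it to the function with `-Source` set to the file path. A `DefaultPassword` finding matters because the item is stored as readable text in SYSVOL, which domain members can read.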

Best Practice: How to use Group Policy to control Services

Services are programs that are configured to run in the background of a Windows computer whether or not a user is logged on. They are an essential part of Windows and are essential to the operation of any Windows computer. Without services a computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows Services is a vital task for IT administrators.

Quite often disabling services on a computer is the best way to reduce the attack surface of a computer or to improve performance by turning off unused components of the OS. Conversely, it is also very important to have the ability to turn on services to enable certain functionality or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in Windows by using Group Policy. Each way has its own advantages and disadvantages, but together you can pretty much control any system service the way you want.

Continue reading ‘Best Practice: How to use Group Policy to control Services’ »

Group Policy Setting of the Week 36 – Turn off Windows Start-up Sound

This week's Group Policy setting of the week is one that most IT administrators will probably want to implement. Now for personal use the Windows logon sound is quite nice, however when you have an office packed with computers it can sound like a symphony in the morning as everyone turns on their computer. This is a new policy setting for Windows Vista, but during the Beta it was not something that could be turned off. Luckily Microsoft heard loud and clear that this was an option they needed to add, and by the RTM they had added this option for end users and IT admins.


As I mentioned before this is a Windows Vista or greater setting which can be found under Computer Configuration > Policies > Administrative Templates > System > Logon.

Group Policy Setting of the Week 35 – Display information about previous logons during user logon

This week's setting is one that has just been mentioned in the AD Blogs Friday mail sack and until today was a setting/feature of Windows Vista/7 that I didn’t know existed. This setting displays information about previous logons during a user logon and is very similar to the last logon screen I see when logging onto an online banking web site. This setting can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options and must be applied to workstations AND domain controllers for it to work. The only downside of this setting is that you need to be in 2008 native mode for it to work, so this might exclude some organisations for now.

WARNING: Be sure that you apply this setting to your domain controllers first otherwise they will not be able to log on.


Below is the message a user will see after logging on successfully when the previous logon was also successful.

In this example we see the message when someone logs on successfully where the 5 previous logon events had failed. Obviously this logon count number (see highlighted below) would raise a really big red flag for a user, especially if you are sure that you were not the one who logged on incorrectly.


For more information check out:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

http://technet.microsoft.com/en-us/library/dd446680(WS.10).aspx