Posts tagged ‘Basic’

Group Policy Setting of the Week 34 – Do not allow Windows Media Center to run

The setting of the week this week prevents users from running Windows Media Center on Vista or later versions. Unlike Windows XP, which had its own dedicated version of Media Center, Vista Enterprise and Ultimate editions and Windows 7 Business, Enterprise and Ultimate had inbuilt support for Windows Media Center. This setting would most likely be used in a corporate environment that wants to control the running of unproductive applications. This is either a user or computer based setting that can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Media Center, meaning you can either selectively apply it to users or to all the computers in your fleet.

image

When the setting is enabled the user will still see the shortcut to Windows Media Center; however, when the user tries to run the program they will be presented with the following dialogue box.

image

How to use Group Policy to enable the “Search Companion” as the default search in Windows XP

Windows Desktop Search 4.0 is a fantastic local search engine for Windows XP that allows users to quickly search all their local files and network file servers. It is also a requirement for anyone who wants to use the instant search feature in Outlook 2007, as Outlook uses this search engine to index your inbox.

However, as you can see, the user interface for the search is much different, and by default it will not perform non-indexed searches of network file shares without setting up a search location. The problem is that for some users this is a lot to get used to, and they quite often go back to using the “Search Companion” (see circled in red).

image

So there is a registry key you can configure if you want to make the “Search Companion” the default search provider for Windows XP but you don’t want to remove Windows Desktop Search because of all the goodness it gives you in Outlook 2007.

Search Companion Registry Key Details

Key: HKCU\Software\Microsoft\Windows Desktop Search\DS
Value: ShowStartSearchBand (REG_DWORD)
Data: 0 (zero)

How to enable Search Companion

Step 1. Edit a Group Policy Object that is targeted to the users that you want to enable the search companion option.
Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry
Step 3. In the menu click on Action > New > Registry Item
Step 4. Setup the following for your new registry item

 image

Once the policy is applied to your users, the search command from Explorer or from the Start menu will launch the “Search Companion” by default.
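The same registry preference item can be created and checked from PowerShell. This is an added example, not part of the original post; it assumes the GroupPolicy module (RSAT/GPMC) is installed, the GPO name is supplied by the caller, and the `Update` action is an assumption because the screenshot for Step 4 is not available.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

$key   = 'HKCU\Software\Microsoft\Windows Desktop Search\DS'   # key from the post
$value = 'ShowStartSearchBand'                                  # value name from the post

function Set-SearchCompanionDefault {
    param([Parameter(Mandatory)] [string] $GpoName)   # hypothetical: name of your existing GPO
    # Steps 2-4: a User Configuration > Preferences > Registry item, REG_DWORD = 0.
    # -Action Update is an assumption; the post's screenshot of the item is not available.
    Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
        -Key $key -ValueName $value -Type DWord -Value 0 | Out-Null
    # Read the preference item back from the GPO to confirm what was stored.
    Get-GPPrefRegistryValue -Name $GpoName -Context User -Key $key -ValueName $value
}

function Test-SearchCompanionApplied {
    # Run as a targeted user on a client after a policy refresh (gpupdate /target:user).
    $path = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows Desktop Search\DS'
    $item = Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$value -eq 0)
}
```

`Test-SearchCompanionApplied` returns `$true` only when the value exists in the user's hive and is 0, which separates "GPO edited" from "setting actually delivered".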

image

Source: http://jamielesouef.com/microsoft/change-windows-desktop-search-to-search-companion/

Group Policy Setting of the Week 28 – Maximum wait time for Group Policy scripts

This week's Group Policy setting should be used in environments where you still use a logon script. While I implore you to stop using logon scripts (see http://www.ihatelogonscripts.com ) they are still out there for a majority of customers and as such still need to be properly managed. This setting is called “Maximum wait time for Group Policy scripts” but it can also be referred to as a “dead man’s switch” which will kill any logon script if it ever locks up <sarcasm> which of course NEVER happens </sarcasm>. This setting can be found under Computer Configuration > Policies > Administrative Templates > System > Scripts.

image

The default value for this option is 600 seconds (10 minutes) but I recommend that you configure this to something more reasonable, between 60 seconds (1 minute) and 180 seconds (3 minutes), depending on your environment.

For more information on this option check out http://technet.microsoft.com/en-us/library/cc780635(WS.10).aspx

Group Policy Setting of the Week 27 – Turn off numerical sorting in Windows Explorer

In this week's setting I look at a new Windows 7 setting that reverts the sort order of files and folders back to the way Windows 2000 (and earlier) sorted them. This policy setting is called “Turn off numerical sorting in Windows Explorer” and can be found under User Configuration > Policies > Administrative Templates > Windows Components > Windows Explorer.

image

As you can see from the “Numerical Sorting” example below the folder list will sort based on the numerical value of the folder name. This means that a single digit number will be ordered higher than a two or more digit number when sorting alphabetically.

Numerical Sorting (Setting Disabled or Not Configured)

image

If you take a look at the Literal Sorting example you can see that the number “10” is in position 2 because the sorting is treating the number as literal text. You can get around this sorting problem by padding with zeros; however, you need to add enough zeros to match the number of digits in the largest number.

Literal Sorting (Setting Enabled)

Literal Sorting with padded Zeros (Setting Enabled)

image image

 

While it is unlikely that you will need to turn this on for all users in your organisation, it is possible that you have some folders on your file server that have been created in such a way that the new view method would cause a problem. Obviously in this case you would need to consider carefully whether you just need to turn this on for selected users.

Best Practice: How to apply a Group Policy Object to individual users or computer

Last week I showed you how to exclude an individual user from having a Group Policy Object (GPO) applied, and this time I will show you how to properly apply a GPO to an individual user or computer. As I previously mentioned, it is always best to use security groups with GPO filtering even if you are only going to apply it to a single user or computer. This avoids ever having to go back and modify the GPO security filtering if you need to add more objects to the policy in the future.

Note: Before I start I should point out that a common mistake here is to remove “Authenticated Users” directly from the Security Filtering section on the Group Policy Object.

DON’T DO THIS!!!

image

You should never do this, however, as it can cause “Inaccessible” (see image below) error messages on Group Policy Objects in the Group Policy Management Console for anyone who is not a Domain Administrator. This happens because you have removed the ability for the user to read the contents of the GPO, but don’t worry, this does not mean the policy will be applied to that user.

image

Step 1. Select the Group Policy Object in the Group Policy Management Console (GPMC), click on the “Delegation” tab and then click on the “Advanced” button.

image

Step 2. Select the “Authenticated Users” security group and then scroll down to the “Apply Group Policy” permission and un-tick the “Allow” security setting.

Note: The “Allow” permission for “Read” still needs to remain ticked, as this prevents the Inaccessible message mentioned above.

image

Step 3. Now click on the “Add” button and select the group (recommended) that you want this policy to apply to. Then select the group (e.g. “Accounting Users”), scroll the permission list down to the “Apply group policy” option and tick the “Allow” permission.

image

This Group Policy will now only apply to users or computers that are members of the Accounting Users security group. However, you still need to remember that the user and/or computer still needs to be located under the scope of the Group Policy Object for this policy to be applied.
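Steps 2 and 3 can also be scripted, together with a check for GPOs where “Authenticated Users” was removed outright (the mistake warned about above). This is an added example, not part of the original post; it assumes the GroupPolicy module (RSAT/GPMC) and rights to edit GPO security, and the GPO name passed in is hypothetical.

```powershell
# Added example (not from the original post). Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

function Set-GpoGroupFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,    # hypothetical: name of your existing GPO
        [Parameter(Mandatory)] [string] $GroupName   # e.g. 'Accounting Users' as in the post
    )
    # Step 2: remove "Apply Group Policy" from Authenticated Users but keep Read.
    # -Replace is required because GpoApply is a higher level than GpoRead.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    # Step 3: grant Read + Apply Group Policy to the security group.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Return the resulting delegation list for review.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Find-GpoMissingAuthUsersRead {
    # Report GPOs with no entry for Authenticated Users (well-known SID S-1-5-11),
    # i.e. the ones that show as "Inaccessible" to non-administrators in GPMC.
    foreach ($gpo in (Get-GPO -All)) {
        $entry = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
        if (-not $entry) {
            [pscustomobject]@{
                Gpo   = $gpo.DisplayName
                Id    = $gpo.Id
                Issue = 'Authenticated Users has no Read permission'
            }
        }
    }
}
```

Run `Find-GpoMissingAuthUsersRead` from an account that can read every GPO (for example a Domain Administrator), otherwise the GPOs you are looking for will not be enumerated.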