Group Policy Central » Group Policy Preferences

Hotfix: Internet Explorer Group Policy Preferences do not apply to Internet Explorer 9

Alan Burchill — Tue, 18 Oct 2011 02:11:15 +0000

If you have have been using the some what simple hack I mentioned to make Group Policy Preference work with Internet Explorer 9 you will be relieved to know that Microsoft have now fixed an official hotfix to make this work.

You can get read the full Microsoft Kb article at http://support.microsoft.com/kb/2530309 .

However you should take special attention at the two notes:

This update does not re-write the version information for existing settings. Instead, you must define a new set of Internet Explorer settings in a new or existing Group Policy Object.

Meaning you will need to re-created the Group Policy Preference before the policy will apply to a computer running IE9.

This update does not create a new Internet Explorer 9 UI item. However, when define new Group Policy Preferences settings, and you select the Internet Explorer 8 option, this setting now applies both to Internet Explorer 8 and to Internet Explorer 9

This means that you will NOT see an Internet Explorer 9 option in the Internet Settings menu (see image below), however using the IE8 option will work with IE9.

If we take a closer look at the “InternetSettings.xml” after the hotfix has been applied shows the maximum version number is now set to “10.0.0.0” where previously this version was “9.0.0.0”. However you existing Internet Explorer Preferences will remain unaffected…

Thanks to Mark Feetham [MSFT] for leaving a comment on my previous blog post about this new hotfix.

Download it now from http://support.microsoft.com/kb/2530309

Screencast: How to use Group Policy Preferences to setup up Shortcuts

Alan Burchill — Fri, 29 Apr 2011 12:30:00 +0000

In this screencast I show you how to use the Group Policy Preferences Shortcuts Extension to deploy shortcuts to a users desktop. This video also demonstrates how you can configure the shortcut to only apply once for the users and how you can configure them to automatically be cleaned up when no longer required.

How to use Group Policy to change the Drive Letters position in Windows Explorer

Alan Burchill — Wed, 06 Apr 2011 01:41:50 +0000

I just read an article that showed you how to set this really cool registry key that allows you to change how the drive letter is displayed in Windows Explorer. As this hack is only a registry key I thought I would do a quick how to deploy this this feature using Group Policy Preferences Registry Extension.

Below is an example of the options you have to show the drive letters:

After (Default)	None

Mixed (Local After, Network Before)	Before

The registry key that you use to configure this option is called “ShowDriveLettersFirst” and it can be applied in either the user or the machine.

Note: According to this Microsoft KB Article KB330193 it will only work as a Machine setting in Windows Vista.

ShowDriveLettersFirst

Key (User): HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Key (Machine): HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Value: ShowDriveLettersFirst (REG_DWORD32)
Data: 0 (After)
Data: 1 (Mixed)
Data: 2 (None)
Data: 4 (Before)

Step 1. Edit a Group Policy Object that is targeted either to a user or a computer that you want to apply this setting.

Step 2. Create a New Registry Item using the above Registry details

Step 3. Click on the “Common” tab and tick “Remove” this item when it is no longer applied”. I would also put in a comment in the description field explaining the valid numbers and what they do for the setting so someone else looking at this policy know how to re-configure this option if needed.

Explanation: This will ensure the setting reverts to defaults if the computer no longer has this setting applied.

For more information on this registry key check out Microsoft KB330193

Source GHacks: Windows Explorer: Display Drive Letters Before Drive Names (via LifeHacker: Show Drive Letters Before The Drive Name In Windows Explorer )

How to enable Group Policy Preferences support for IE9

Alan Burchill — Wed, 30 Mar 2011 22:49:49 +0000

I have previously talked about the new Group Policy for IE9 ,however I mention that one of the issues was that there is currently no “official” support of Group Policy Preferences… Unfortunately there is still no “official” support but it is now possible if you do some really easy XML editing…

Mark Heitbrink (fellow Group Policy MVP) has published an article which explains why it does not work and explains briefly how to modify the XML file for Group Policy Preferences so it will apply setting to IE9.

Therefore taking Mark excellent information I have gone thought the process step by step below showing what I think is the easiest way to find and edit the XML file to enable GPP for IE9.

Step by Step enabling GPP for IE9

Step 1. Setup a IE8 Internet Explorer Extension setting that has the setting you want to apply to IE9. (e.g. Home Page)

Step 2. In the same Group Policy Object navigate to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double click on the Logon (or logoff) option. Then click on the “Show Files” button.

Step 3. Click on “Users” in the Address bar.

Step 4. Then click on the “Preferences” and then “InternetSettings” folder and then right click on the “InternetSettings” file and click on “Edit”.

Now we are looking at the XML that is used to apply the Group Policy Preferences settings. This is where we need to change the version number to support IE9.

Tip: Enable “Word Wrap” in notepad to see the text on multiple lines.

Step 5. Change “max=9.0.0.0” to “9.1.0.0” (see below)
Before:

After:

Step 6. Save the file and you are done.

Now you can have the goodness of Group Policy Preferences with IE9, however as the article also said this is NOT supported so please test carefully.

What is also nice about this change is that it will be persistence, so if you make subsequent changes to the same setting you do not need to edit the XML again however you will need to make this change each time you make a new GPP IE Policy setting.

Source: Internet Explorer 9(IE9) Group Policy Preferences (GPP) (Via GPOGuy )

Group Policy FAQ #2: How do you map a printer using Group Policy Preferences?

Alan Burchill — Mon, 17 Jan 2011 05:34:56 +0000

In this second of what I am sure are many FAQ posts, I am going to show you how you can use Group Policy Preferences to map printers in your organisation to help you do away with mapping printers via logon scrips.

Firstly this is only a brief introduction to printer mappings. If you want a more advanced tutorial on using Printer Preference then I recommend you take a look at my other post How to use Group Policy Preferences to dynamically map printers with Roaming Profiles.

Firstly you will need to check that you have already have got the Group Policy Preference Prerequisites installed and you also have the Group policy Management Console Installed on a management computer in your environment.

Now to map the printers all you need to do is go to the Printer Extension option of the Group Policy you want to apply the setting from (see below).

All you need to do now is put the UNC Path of the printer in the “Shared path:” text field and your done. No more batch files, vbscripts or KIX scripts to edit and maintain for mapping printers…. NICE!!!

Also remember that you can also target this setting using Preference Item-Level Targeting using the traditional Security Group Targeting or you can be a little more dynamic and use IP Address Range Targeting or Site Targeting.

Group Policy FAQ #1: What are the Group Policy Preferences Prerequisites?

Alan Burchill — Tue, 21 Dec 2010 13:00:00 +0000

Even though Group Policy Preference have been out for a number of years (since Windows Server 2008) it is still a relatively unknown feature of group policy. Therefore this is the first of a few articles I am going to be writing about some of the basic features of Group Policy Preferences. So to start off with I am going to cover a few FAQ on what you need to do start using all the Group Policy Preference goodness.

Do I need to extend the schema to use Group Policy Preferences?

NO. There are no schema extensions required to support Group Policy Preferences as they work by only creating a folder called “Preference” under the User and/or Computer folder in the SYSVOL.

What are the minimum version of domain mode or domain controllers I need to support Group Policy Preferences?

Unofficially Windows 2000 Domain Mode with Windows 2000 DC’s will work fine. However officially it is what ever the minimum support OS and domain mode of Active Directory is at the time.

What software do I need to install to use Group Policy Preference?

To make it easy the table below outlines what software you need to install to enabled group policy preference on the client and to make changes to the

Operating System	Client Side Extensions Required	Group Policy Management Console
Windows XP	Yes (SP2 also requires XmlLite)	Not Supported
Windows Server 2003	Yes (SP2 also required XmLite)	Not Supported
Windows Vista	Yes	Yes (via Remote Server Admin Tools)
Windows Server 2008	Included	Yes
Windows 7	Included	Yes (via Remote Server Admins Tools)
Windows Server 2008 R2	Included	Yes

How do I get the client side extensions?

Below is a list of links to the download page for the client side extensions for the versions of Windows that do not have it install out of the box.

If you are still running Windows XP or Windows Server 2003 Service Pack 2 (OMG THAT IS SO BAD) then you will also need to install the XmlLite to make preference work.

Windows XP http://www.microsoft.com/downloads/details.aspx?FamilyId=D7B5DC81-AD14-4DE2-8AD5-8C4A9AAB5992
Windows XP x64 http://www.microsoft.com/downloads/details.aspx?FamilyId=C7CB26E9-68F1-4F80-B231-79D044431E8E
Windows Server 2003 http://www.microsoft.com/downloads/details.aspx?FamilyId=611D1FDE-C8D0-4D80-96DA-B5B20F7BA159
Windows Server 2003 x64 http://www.microsoft.com/downloads/details.aspx?FamilyId=406777E6-79DA-4414-A329-22A435A95D9D

How do I install the client side extensions?

You can install the client side extensions a number of ways in your environment:

Logon Scripts – See GPAnswers – Scripting GPPE Installations
via WSUS
via SCCM
Slip Stream into image

Tip: If you want to do limited testing of Group Policy Preference in your environment and you are still running Windows XP or Vista then you can selectively just rollout the extensions to the computer you want to do testing. This is because there will be no affect in applying a preferences setting to a computer that does not have the client side extensions installed.

Do I need to install the client side extensions for Windows Server 2008, Windows 7 or Windows Server 2008 R2?

No. It is part of the operating system.

Why cant I edit Group Policy Preference from Windows XP or Windows Server 2003?

While the client side extensions for Group Policy Preferences are supported on Windows XP and Windows Server 2003 the version of Group Policy Management Console (GPMC) for XP/2003 has not been updated and therefore does not allow the editing of GPP’s in any way shape or form. This therefore means you need at minimum at least 1 Windows Vista (yuck) or Windows Server 2008 server with Group Policy Management Console installed to edit Group Policy Preferences in your environment even if every other server and workstation is running 2003 and XP.

How do I install the Group Policy Management Console?

GPMC is a component of the Remote Server Admin Tools for Windows 7 / Vista and is an optional feature that needs to be installed with Windows Server 2008 & R2. See my instructions for installing GPMC on Windows 7 and 2008 R2 at How to download and install the Group Policy Management Console (GPMC)

Summary

So if you are thinking about using Group Policy Preference in your environment don’t stress… Its a really simple process and as soon as you have GPMC on one or two computers and the client side extensions install on all the computers you want to apply preference to then you ready to go…

Hotfix: Group Policy Preference Hotfix Rollup (Vista / 2008)

Alan Burchill — Tue, 26 Oct 2010 22:59:12 +0000

A new Windows Vista / 2008 Group Policy Preference client side extension hotfix rollup has been released. Below I have listed the details of the hotfix including a complete list of all issues it resolved.

KB977983 – Group Policy preferences client-side extension hotfix rollup for Windows Vista and Windows Server 2008

New Issues Resolved

You cannot create a GPP folder when the target path is a Distributed File System (DFS) path.
Item-Level Targeting for the security group does not recognize nested groups for computer objects.
When you configure Item-Level Targeting for GPP to match a registry value, the match fails.
The GPP data source name (DSN) requires a password if a username is specified in the DSN connection information. After you apply this hotfix rollup, you can use a blank password in the DSN connection information.
You experience a significant delay when you log on to an Active Directory site that has a read-only domain controller (RODC). This issue occurs when you implement Item-Level Filtering for Lightweight Directory Access Protocol (LDAP) by using GPP.
GPP cannot be deployed on a printer when the printer owner is not specified as "System" or "Administrators."
When you configure Item-Level Targeting for GPP with Terminal Services, Item-Level Targeting fails.
A memory leak occurs in the GPP client every time that Item-Level Targeting is processed.

Previous KB974266 Issues Resolved

The Windows Event Log service crashes when the regional options preferences are set to English (United Kingdom).
If the regional options preference is set to English (United Kingdom) or to anything other than United States, it cannot be applied. The regional options preference setting still shows United States.
- Note A non-administrator user cannot log on to a domain from a computer that is running Windows Vista SP2, if the user’s locale information is set by using a Group Policy preference and set the regional options preference as English (United Kingdom).
If you create or update a virtual private network (VPN) connection by using a Group Policy object, the connection does not bind to IP Version 4 (TCP/IPv4) or IP Version 6 (TCP/IPv6).
A Lightweight Directory Access Protocol (LDAP) query that is used by item level targeting uses an incorrect base distinguish name.
Group Policy Service (GPSVC) stops responding during the GPSVC shutdown process if third-party printer drivers are installed by Group Policy Preferences.
The %GPTPATH% variable is not resolved correctly when Group Policy Preferences are processed.
Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
973772 (http://support.microsoft.com/kb/973772/ ) Group Policy Preferences stops responding when you try to configure the printer item for printers that use third-party drivers on a Windows Vista or Windows Server 2008-based computer

Source http://blogs.technet.com/b/askds/

Best Practice: How to use Group Policy Preference enable auto-logon

Alan Burchill — Tue, 05 Oct 2010 14:30:00 +0000

The below article shows you how to use Group Policy Preference to setup the registry keys on a computer so that it automatically logs onto when its turned on. While doing this is potentially huge security issue and not something I would generally recommend IT staff might want to implement on computers that are highly locked down and used for only a specific propose.

How to set a registry key using Group Policy Preferences

Before we begin I will show you how create the required registry keys using group policy preference. After this I will list the registry keys you need to use with the instruction below to configure automatic logon.

Step 1. Edit a Group Policy Object that is applied to the computers you want this setting applied.

WARNING: Make sure you have not applied this policy to any computers before you begin as this will obviously logon any computer that this policy is applied to automatically.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry

Step 3. In the Menu click on Action > New > Registry Item

Now you know how to configure a registry key setting using Group Policy Preferences you can create a new Registry Item for each registry key listed below.

How to configure Windows to automatically logon

Now we need to create the below registry keys to enable the automatic logon process.

Note: You will need to substitute you own specific values for all the text in italic below.

Enable AutoLogon

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: AutoAdminLogon (REG_SZ)
Data: 1 (Enabled)

Default Domain Name

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: DefaultDomainName (REG_SZ)
Data: DOMAINNAME

Default User Name

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: DefaultUserName (REG_SZ)
Data: USERNAME

Default Password

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: DefaultPassword (REG_SZ)
Data: PASSWORD

You should now have 4 registry keys configured as the image below.

Warning: Be sure to also block the regedit tool on the user that logos onto this computer as anyone logged on the computer will be able to see the account password stored in the registry as clear text (see below).

Now when ever this computer is turned on it will start up and logon automatically with the credentials that you specified in the policy (see below).

TechEd 2010 AU – Unlock the Awesome Power of Group Policy Preferences in your environment

Alan Burchill — Mon, 20 Sep 2010 10:49:26 +0000

The video of my Australian TechEd Group Policy Preferences session is now online and its in h264 so you will should be able to play it back you iPad, iPhone or any other HTML5 browser without the need for a plugin.

Description: This demo-heavy session illustrates how to use new features in Group Policy to do things that will make you and your management happy: compare settings across all domains, reduce complexity of your Group Policy environment, manage power for Windows 7 clients, and use GP Preferences to reduce logon scripts…

http://ecn.channel9.msdn.com/o9/2010/Australia/mp4/cli303.mp4

Fixing Active Directory Time Sync Issues

Alan Burchill — Mon, 13 Sep 2010 08:00:00 +0000

You might think that AD time sync in your organisation is something that just works out of the box but Sander Berkouwer has just done a post about what you need to do to setup time sync for Windows Server 2008 & R2. Apparently the default time sync server for Windows Server 2003 (time.windows.com) no long works so you need to make sure that you DC are configured with a valid time source.

Check out the whole article here The things that are better left unspoken : Active Directory Time Sync (broken by default)

Tip: One of the steps in the article is to configure the time server using the “w32tim” command on your PDC emulator. You can do this via Group Policy Preferences using the scheduled task option and then use Item-Level Targeting to only apply the command to the computer name of your PDC Emulator. By scheduling this command on a regular basis you can ensure that the time zone list of the server gets refreshed to the proper values periodically.

Jeremy Moskowitz (Group Policy MVP) interview by Matt Hester

Alan Burchill — Thu, 08 Jul 2010 03:19:50 +0000

Jeremy Moskowitz (fellow Group Policy MVP) has just appeared in an interview with Matt Hester on Bytes by TechNet web site.

They covered how IT Professionals start with Windows 7 and Windows Server 2008 R2, why they need to know about Group Policy and what is new with Group Policy in Windows 7. Jeremy also highlighted some tips for his IT Pro peers related to some components of Group Policy including the Central Store.

Check out the video below:

This video should work with Silverlight or HTML5 video supported browsers.

Out Now: TechEd Group Policy Session Video’s

Alan Burchill — Wed, 30 Jun 2010 08:00:00 +0000

This year Microsoft are now making available for everyone the videos screen cast from the TechEd USA conference on the TechEd web site. So if you attended TechEd USA this year but didn’t get to see all the sessions or if you just missed out on going all together you can now check out all the session at http://www.msteched.com

For your convince I have embedded the Group Policy specific video’s below.

How to Save Money, Time, and Headaches with Group Policy in Windows 7 / Windows Server 2008 R2

MDOP: Advanced Group Policy Management 4.0

AppLocker: Your Solution for True Application Smackdown

Updated: How to make Adobe Reader more secure using Group Policy

Alan Burchill — Fri, 04 Jun 2010 05:00:00 +0000

Update: This article is a re-publish of a post I have previously posted. This time I have updated the “Configuring Automatic Update for Adobe Reader” section below with now an officially documented and more reliable method. I have also added a section called “Locking down the Automatic Update option for Adobe Reader” which shows you how to prevent users from changing Adobe Reader update options once they are configured.

Recently there have been a number of critical security issues that have been associated with Adobe Reader (see below).

New: To see a complete list of current updates for Adobe Reader (all current versions) on Windows go to http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

This has has left IT administrators with a bit of a nightmare as to how to keep Reader secure as Adobe don’t have the wonderful tools such as Group Policy and Windows Update, WSUS and SCCM to manage their patch rollout deployment.

One thing you might notice about the many of the vulnerabilities in Adobe products is that they are frequently JavaScript issues. Surprisingly the recommend action from Adobe to mitigate this security issues is to simply turn off JavaScript (which is enabled by default) in Adobe Reader. Seeing how rarely the JavaScript option is actually used in Adobe Reader I recommend that you just configure this option to be permanently turned off (see image 1).

Image 1. Adobe Reader JavaScript option

Disabling JavaScript

Now there is no way to disable the user interface you can disable the user interface using third-party tools (see http://www.policypak.com/support-and-sharing/video-tutorials) to prevent users to re-enabling this option. However some users might need to open PDF’s with JavaScript content so leaving the UI enabled would allow them to re-enable the option when needed. The good thing about configuring this registry key via Group Policy Preferences is that it would automatically turn the option off in the background at the next policy update leaving JavaScript only enabled for a few hours. NICE!

To do disable this option edit a Group Policy Object (GPO) that is targeted to the users accounts. Once you have opened the GPO in the Group Policy Management Editor go to User Configuration > Preferences > Windows Settings > Registry then go to Action > All Tasks > Add and configured a New Registry setting (as per image below).

Image 2. Disable JavaScript registry key

The key to update is:

Key: HKCU\Software\Adobe\Acrobat Reader\9.0\JSPrefs
Value: bEnableJS (REG_DWORD)
Data: 0 (zero)

Note: If you don’t want this option to be turned off once a users has re-enabled it then tick the “Apply once and do not reapply” option in the “Common” tab (see image 3) as this will only change this registry key once making it more a default setting rather then an enforced one.

Image 3. Apply one and do not reapply

Updated: Configuring Automatic Update for Adobe Reader

Adobe has also added a “Automatically install updates” feature (see image 4) with the release of Adobe Reader 9.2.0. however as of the time of writing this document the new version of Adobe Reader 9.3.0 is out and for some reason it is not automatically updating. So maybe there is a little more work to go here for Adobe.

Thanks to Ryan Steel for pointing out that Adobe have now published a document ( http://kb2.adobe.com/cps/837/cpsid_83709/attachments/Acrobat_Reader_Updater.pdf ) that documents the registry key for enabling the “Automatically install updates” option.

Image 4. Adobe Reader Updater Preferences

Image 5. Adobe Reader Updater System Tray Notification

The key to configure automatic update is:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe ARM\1.0\ARM
Value: iCheck (REG_DWORD)
Data: 0 (Manual)
2 (Semi-Automatic)
3 (Automatic)

Below is an example of how you would configure this registry key using Group Policy Preferences. Be sure that this key is targeted to the computer object as it is a local machine setting.

Image 6. Group Policy Preferences Updater Registry Key

As Adobe digitally sign their program this means their (not-so) quarterly security update should automatically update the program without prompting normal users for a UAC elevation prompt (ref http://kb2.adobe.com/cps/838/cpsid_83813.html).

Note: Ryan did pointed out that this automatic update without a UAC prompt might not necessarily be work as expected so you will need to test this automatic update facility for your environment.

Having the program digitally signed also means that you can easily prevent any older version of the program from running using AppLocker with Windows 7. If you want to see some instruction on how to do this check out my other blog post How to configure AppLocker Group Policy in Windows 7 to block third-party browsers.

New: Locking down the Automatic Update option for Adobe Reader

Another registry key that is document in this article show the key that locks down the user interface for the Adobe Reader update option. This is very handy as if you configured Adobe Updater to Automatic then locking down the UI will make it a LOT harder for users to turn this option off.

The key to lock down Adobe Updater is:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Polices\Adobe\{product}\{version}\FeatureLockdown
Value: bUpdater (REG_DWORD)
Data: 0 (Locked Down)

Note: The patch listed in the Adobe documentation for this option is wrong therefore I have added “Polices” to the key above to correct for this error.

Also note the above example has {product} and {version} which you should substitute the value “Acrobat Reader” and “9.0” (see image 7 below). You would obviously have to change the version number to match the version of Adobe Reader you have deployed in your environment.

Image 8. Group Policy Preferences lockdown updater Registry Key

Once this key is applied to your computers you will now see that the “Check for Updates” under the help menu and the “Updater” section under preferences have now been removed (see images below).

Image 9. “Check for Update” removed from help menu

Image 10. “Updater” removed from Preferences

While most IT professional don’t like having to install Adobe Reader in their environment at least this will certainly go a long way to making it as secure as possible. It would certainly seem that McAfee labs predictions have come true (“Adobe product exploitation will likely surpass that of Microsoft Office applications in 2010.”) as Steve Gibson (founder of the Gibson Research Corporation) mentioned on his latest Security Now podcast that Adobe are now looking at changing to a monthly security patching cycle as they are continuity having to release emergency out of cycles patches any way.

Good Luck!!!

How to use Group Policy to remove the Adobe Reader desktop shortcut

Alan Burchill — Wed, 10 Mar 2010 08:00:00 +0000

One of the most annoying things about Adobe Reader is that it is in need for constant updating to newer version due to security issues. While this is true for most software packages whenever you install an Adobe Reader update it also restores the desktop icon even if it has already been deleted. (Annoying!!!).

Note: for more information on using Group Policy to secure Adobe Reader see my previous article Permanent Link to How to make Adobe Reader more secure using Group Policy

So below I go through how to use one of the new Group Policy Preferences options is called “Shortcuts” to remove the icon when ever it is re-instated (see below). While in this example I use (pick on) Adobe Reader it can also be used as a guide for removing any other shortcut that you so desire.

Step 1. Edit a GPO that targets the computers that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Windows Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Shortcut”

Step 4. Change the Action to “Delete” then select “All Users Desktop” and then type “Adobe Reader 9” in the name field.

Now wait time you install an Adobe Reader update all you have to do is wait for the next group policy refresh and the shortcut will be gone… (Yes).

How to use Group Policy to remove the Network Connectivity Status Indicator message in your network icon

Alan Burchill — Mon, 08 Mar 2010 16:00:00 +0000

Windows has a cool feature that allows you to tell if your computer has Internet connectivity when you are connected to a network (see image below). This feature is called Network Connectivity Status Indicator (NCSI) it uses a combination of DNS and/or HTTP look ups to tell if you are connected to the Internet. The way does this is either via a HTTP request for http://www.msftncsi.com/ncsi.txt or a DNS look up for dns.msftncsi.com that resoles to 131.107.255.255

Windows 7

However if you find this error message really annoying there is now a Windows 7 group policy will turn it off. This is a machine setting so edit a Group Policy Object that is applied to all the workstations you want to turn this message off. Then navigate to Computer Configuration > Policies > Administrative Templates > Network Connections and enabled the “Do not show the “local access only” network icon” policy setting.

TADA… Now you will no longer see the exclamation icon on the network icon.

For more information on how NCSI works and this Windows 7 policy see http://technet.microsoft.com/en-us/library/ee126135(WS.10).aspx

Windows Vista

Unfortunately Windows Vista does not have the same Group Policy however there is a registry key that can be applied using Group Policy Preferences that has the same affect.

Key: HKLM\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet
Value: EnableActiveProbing
Data: 1 (REG_DWORD) = Enabled
Data: 0 = Disabled

Step 1. Edit a Group Policy Object that is applied to all the workstation you want this Browser Ballot disabled.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and create a “New Registry Item”

Step 3. Type “SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet” in the Key Path then type “EnableActiveProbing” in the Value name, then select REG_DWORD as the value type “0” in the value data and then click “OK”.

For more information on how NCSI works and this Windows Vista policy see http://technet.microsoft.com/en-us/library/cc766017(WS.10).aspx

What are Group Policy Preferences

Alan Burchill — Sun, 07 Mar 2010 09:50:43 +0000

Group Policy Preferences have been out for about 3 years now and so there have been a number web posts about what they are and how they are implemented. So I have created a list of links to other articles that from the Group Policy Team Blog and ohter places that help explain what Preference are and how you can use them in your environemtn.

Third Party Links

Microsoft Links

My take…

Group Policy Preferences are a heap of new Group Policy settings that were released with Windows Server 2008 that allows IT administrators to pretty much do anything they want to configured computers in an corporate environmnet. Preferences only require a Windows 2000 Active Directory and they need to be manageded from a minumum of Windows Vista/2008 however they can be applied to Windows XP Service Pack 2 (or greater) workstations.

You can see all the articles on this site about Group Policy Preferences at http://www.grouppolicy.biz/tag/group-policy-preferences/

Best Practice: How to use Group Policy to configure home page settings – Part 2

Alan Burchill — Thu, 04 Mar 2010 09:00:00 +0000

In part 2 of how to use Group Policy to configure a users home page I will be show you how to use Group Policy Preferences to configure a users home page. There really isn’t a right way you can set the users home pages setting it is really up to your requirements and how much control you want to have.

The advantage of using Group Policy Preferences is that it allows you to specify a default home page but still allow users to change it if they want.

Now there are three dialogue Internet Explorer setting that can be used to configured home pages in Group Policy Preferences.

Internet Explorer 8	Internet Explorer 7	Internet Explorer 5 and 6

However as you can see the IE7 and IE8 screens are exactly the same so I will only go thought it using IE8 and the IE5/6 screenshots. If you do want to configure the IE8 setting remember that you will need to use the Internet Explorer 7 screen option instead however all the steps and affects are the same.

Internet Explorer 5 & 6

Internet Explorer 5 & 6 does not support tabbed browsing so this makes it a lot simpler to setup as all you can specify a default home page. Also remember that the Group Policy Preferences Client Side Extensions are are not installed on Windows XP by default so you will need to make sure they are installed before these settings will work.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Internet Explore 5 and 6”

Step 4. Press “F6”

Explanation: Pressing “F6” enables the individual settings for configuration. Notice this changes the red dotted line to a solid green line which means that only the “Home:” settings is enabled to be applied as a policy.

Step 5. Now type your home page URL in the “Home” text box and click “OK”

Your done.

Now as this is a preference this will not prevent you users from changing the home page however it will be reset at the next group policy refresh.

Internet Explorer 7 & 8

Internet Explorer 7 & 8 supports multiple tabs so you need can either configure a single default home page or a default home page with multiple secondary home page.

Step 1. Edit a GPO that targets the users that you want to apply the home page setting.

Step 2. Navigate to User Configuration > Preferences > Control Panel Settings > Internet Settings

Step 3. Click on the “Action” menu and click on “New” and then click on “Internet Explore 8” (or “Internet Explorer 7”)

Step 4. Press “F6”

Step 5. Now add the URL (or URL’s) for the pages you want to be displayed and click “OK”.

Note: If you only specify one home page then the user will be able to change the home page however it will reset after the next policy refresh.

Again… your done.

As you can see below your browser is configured with two default home pages.

Note: Native Group Policies always take precedence over Group Policy Preferences so if you have you home pages configured using a native Group Policy (see Part 1) then this settings will be overridden.

How to use Group Policy to disable the EU Browser Choice

Alan Burchill — Tue, 02 Mar 2010 05:30:31 +0000

In case you had not already heard Microsoft have had to release an update for all European users to prompt display a ballot screen about what version of browser they want to use (see below). This is one of the actions Microsoft had to do to comply with the EU anti-trust case.

Microsoft have released article KB2019411 explaining how IT administrators can disable a Browser Choice screen for their users using a simple registry key.

Key: HKLM\Software\BrowserChoice
Value: Enable
Data: 1 (REG_DWORD) = Enabled
Data: 0 = Disabled

Now of course you can deploy registry key using Group Policy Preferences which will make it much easier for IT administrators disable this screen.

Step 1. Edit a Group Policy Object that is applied to all the workstation you want this Browser Ballot disabled.

Step 2. Navigate to Computer Configuration > Preferences > Windows Settings > Registry and create a “New Registry Item”

Step 3. Type “Software\BrowserChoice” in the Key Path then type “Enable” in the Value name, then select REG_DWORD as the value type “0” in the value data and then click “OK”.

If all that is to much hassle to do all that below is a link to the Group Policy Preference XML file you can just copy into the policy.

Links:

More information on the Brower Choice http://support.microsoft.com/kb/976002
More information on the Disable registry key http://support.microsoft.com/kb/2019411
Also check out Aaron Parkers blog here for more information http://blog.stealthpuppy.com/windows/disable-the-browser-choice-screen

Group Policy Setting of the Week 13 – Files

Alan Burchill — Mon, 08 Feb 2010 04:44:34 +0000

This week I have selected the Group Policy preference “Files” setting which can be found under either Users or Computers > Preferences > Windows Settings > Files. I commonly see the file update option used where a licence file or a single .exe application needs to be updated on all the computers in an organisation. Here a central copy of the file(s) is stored on a central server and when then central version is updated all the computers will receive the new version of the file at the next policy update. Much better than a logon script!!!!

You also have to ensure that the destination folder in the Create, Replate and Update options already exists as it will not automatically create the folder if it doesn’t exist. If you do need to create the folder for the destination then use the “Folders” option. Also make sure that if you are copying the file(s) to a location that its under the correct context (e.g. User context for files into their local profile and Computer context if it is being copied into the program files folder).

This option is a Create Replace Update and Delete (CRUD) enabled setting so the behaviour is a little different depending on your action. All these options support wild cards so you can use it to copy (or delete) multiple files.

Create

This option will copy a file from a location (like a network share) to another location (like on the local computer) only if the destination file does not already exist.

Replace

Again, this option will copy a file from a location (like a network share) to another location (like on the local computer) but this option will delete and overwrite the destination if it already exists.

Update

This one is very similar to Replace however it only changes the individual attributes that changes. If the file does not already exist then it does the same as the Create option.

Delete

As the name suggests it will delete what ever file you specify in the “Delete file(s):” field. Remember this also include wild cards so you can use “C:\Path\*.*”

How to use Group Policy to fix Adobe Reader PDF Preview in Windows 64bit

Alan Burchill — Fri, 05 Feb 2010 11:42:59 +0000

Leo Davidson recently posted a fix for Adobe Reader integration on 64bit Windows. His fix resolves the thumbnail and file preview feature when you install Adobe Reader (which is still only available in 32bit) in 64bit Windows which Adobe have not seemed to work out for over 3 years now. On his site he has tool that you can download to manually apply the PDF fix. The file preview is just a simple registry key change so I have added some more instruction showing how to makes these changes using Group Policy Preferences.

Update: Thanks to the feedback from Leo Davidson I have updated the instructions to only “Update” the value if it already exists.

Update2: Reduced the complexity to check for a 64bit OS.

Preview View

Method 1: File Preview Fix – Step by Step – Hard

Note: Before you do method 1 be sure to check out the much easier method 2

Step 1. Open Group Policy Management Console

Step 2. Edit a machine based Group Policy Object (GPO)

Step 3. Go to Computer Configuration > Preferences > Windows Settings > Registry

Step 4. Click on the “Actions Menu” > “New” > “Registry Item” then select the HKEY_LOCAL_MACHINE Hive type SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193} in the “Key Path” then type AppID in the Value Name field and {534A1E02-D58F-44f0-B58B-36CBED287C7C} in the “Value Data” field.

Now we are going to filter the Group Policy Preference setting so that we only apply the registry key fix to 64bit Operating Systems.

Step 5. Click on the “Common” Tab then tick “Item-level targeting” and click the “Targeting” button.

Step 6. Click the “New Item” then click “Registry Match” chose the “Key exists” match Type and then change the Hive to “HKEY_LOCAL_MACHINE” then type “Software\Wow6432Node” in the “Key path”

Step 7. Click the “New Item” then click “Registry Match” again change the “Match Type” is “Value Exists” change the “Hive” to “HKEY_LOCAL_MACHINE” and the “Key Path” to “SOFTWARE\Classes\CLSID\{DC6EFB56-9CFA-464D-8880-44885D7DC193}” set the “Values Name” to “AppID” change the Value Type to “REG_SZ” and then click “OK” then “OK”

Step 8. Right click the registry entry you just made and click on “Copy”

Step 9. Then right click in the blank area and click “Paste”

Step 10. Click “Yes” to the Confirm Import

Step 11. Double click on the new registry entry and insert the text “Wow6432Node\” between “Software\” and “CLSID” then click “OK”

Step 12. Click on the “the registry key HKLM\SOFTWARE\Wow6432Node exist” and then press delete

Step 13. Click on the Registry Match item and again insert the text “Wow6432Node\” between “Software\” and “CLSID” in the “Key Path” then click “OK” then “OK”

Note: You don’t need all the OS matches as the “Wow6432Node” key will only exist on 64bit versions of Windows.

It should now look like this…

You should now have fixed the Adobe File Preview issues to all the computer which you have applied this GPO.

Method 2: File Preview Fix – Import Settings – Easy

Step 1. Download this preconfigured XML Group Policy configuration that I have already made for you (HERE)

Step 2. Open Group Policy Management Console

Step 3. Edit a machine based Group Policy Object (GPO)

Step 4. Go to Computer Configuration > Preferences > Windows Settings > Registry and copy the file you downloaded in step 1. into and paste it into the blank area

Step 5. Click Yes to confirm the import and you are done.

The registry settings are now setup the same as method 1… except this way was SO much easier.

Thumbnail Preview

The second fix that Leo’s tool does it fix the thumbnail live preview option by implementing a custom written thumbnail bridge. Still working on a group policy preference to fix this so I will post again when I get this working.

A big thanks to Leo Davidson so be sure to visit his web site and make a donation if you find this fix useful…

How to use Group Policy Preferences to dynamically map printers with Roaming Profiles

Alan Burchill — Wed, 27 Jan 2010 21:00:00 +0000

One of the great new feature with Group Policy Preferences is the ability to map printers based on a various number of criteria such as group membership, AD Site or even IP Address range to name a few. This allows for some powerful senarios such as being able to map all the printers physically near a user based on the computers IP address. Note: This assumes that the networking team allocates the same subnets to certain computers near each other (e.g. a building or floor) but I have found this is often the case.

One of the problems that occur when you map printers with Group Policy Preferences is that if the user has a roaming profile configured and they then logon to a computer that is located in another area they will have all also have their old printers from the previous area. Now user might not really notice these printer mapping building up over time but they can soon amass a large number of mappings that makes their computer run slow to logon.

Question? So how do you map all the printers in one location but not have them follow you to another location if you are using a roaming profile?

Answer? Is a two step solution which I will go through below. There is also an optional third step that address the problem maintaining default printer mappings once a user gets back to their normal location.

Step 1. The first part is just to create a simple printer mapping that maps the printer targeted by the IP address of the users current computer.

Figure1. Create New Shared Printer

The images belo shows the printer “\\server\printer1” being mapped for the users that logon to a computer that is in the 10.1.1.0/24 subnet. It is important to note that we are talking about the IP address range of the computer that you want to map the printer not the IP address range of the printer server or the printer NIC itself.

Figure 2. Target setting to only be mapped for computers between 10.1.1.0 to 10.1.1.255

Figure 3. Resulting printer mapping

Step 2. The second step is to delete the printer mapping if the IP address of the printer does not fall within the IP address range that you want the printer to be mapped. To do this we start by copying the existing printer mapping that we made in step 1. This avoids making any typo’s in either the printer queue name of the IP addresses.

Figure 4. Copying the existing printer mapping made in step 1.

Figure 5. Paste the setting into an unused part of the pane

Figure 6. Both printer mapping entries

Now we make the changes to the action on the second printer mapping targeting so that it will remove the printer mapping when the user logs onto a computer in another area.

Figure 7. Open the properties of the second printer

Figure 8. Change the Action to “Delete”

Figure 9. Go back to the targeting and change it to an “Is Not” between “10.1.1.0” and “10.1.1.255”

Figure 10. New target rule

Figure 11. Two printer entries to map and then clean up the printer queues for a user based on their location.

Step 3. Maintaining Default Printer Mappings

You have now configured dynamic printer mapping for your user based on location of the user. However this solution does have one problem/annoyance, user normally like to set a default printer. If a user was to logon to a workstation in another location then return to their normal desk their default printer will have been reset as it will have been removed. To get around this problem we have to add another rult to the targeting on the Delete printer option so it does NOT delete if the printer is configured as the default printer. To do this we check the registry location that the default printer is saved and test to see if the printer we are deleting is the default printer.

So go back to the targeting option for the Delete printer action and add another test that will check to see if the printer is the default printer.

Figure 12. Add a new Item of type “Registry Match”

Figure 13. Configured Registry Match Setting

Change the Match Type to “Match value data” and the Value data match type to “Substring match” as the value we are looking for will contain other information as well that we don’t care about. Make sure the Hive is set to “HKEY_CURRENT_USER” and the Key Path is set to “Software\Microsoft\Windows NT\CurrentVersion\Windows”. The Value name “Device” is where in the registry the default printer information is saved. We then set the Substring to “\\server\printer1” which is the UNC path to the printer queue. Note: The substring value has to be exactly the same as the value set in the Path for the printer mapping.

There, now you know how to use Group Policy Preferences to map and remove network for users based on their physical location while avoiding the build up of mapping if your user have roaming profiles while still preserving their default printer.

Best Practice: How to schedule a delayed start logon script with Group Policy

Alan Burchill — Fri, 22 Jan 2010 01:15:39 +0000

Logon Scripts!!! I hear you yelling at me about why I am doing a tutorial about logon scripts when Group Policy Preferences is supposed to allow me to stop using my logon scripts. Well in a utopian world there would be no logon scripts to maintain however there are still some situations that you might have to execute a program at logon. One example I recently saw on the Group Policy Forums was a person who wanted a way to delay the launching of the browser so as to not add additional delay to the users logon to what was already a slow computer. Somewhat similar to the Delay Start option for services that was introduced in Windows 7.

Prerequisites: This is a Windows Vista+ configuration as Windows XP has a more limited scheduling engine. If you really want to do this via Windows XP (sucks to be you) you could run the script with some delay/timeout third party tool in it and just have it run from the users “Startup” start menu folder…

Step 1. In a Group Policy Object (GPO) that you have targeted at all the users (or most of them) that you want the delayed start program/action to run on go to “Users Configuration” > “Preferences” > “Scheduled Task” then go “Action” > “New” > “Scheduled Task (Windows Vista and later)”. Then type the display name of the script in the “Name” field (see image 1) and click on the “Triggers” tab.

Note: In this example we are just going to be running a command prompt so the Name is “CMD.exe”.

Image 1: Scheduled Task Properties

Step 2. On the Triggers tab click the “New” button”. Change the “Begin the task” drop down option to “At log on” and then tick “Delay task for:” and configure the delay from the pop down menu (see image 2). Then click “OK”

Note: Unfortunately this option does not seem to be user configurable so for the use of a logon script “30 seconds” and “1 minute” are the only practical options.

Image 2: New Trigger

Step 3. You should now have the trigger configured for your event that looks like the image below (see image 3). Now click on the “Actions” tab.

Image 3: Configured Trigger

Step 3. In the “Actions” tab click on the “New” button and then configure the action you want to take. Again in this example we are just going to be running a command prompt so configure the “Action” to “Start a program” (see image 4).

Note: You can also use this option to send and e-mail or even display a pop-up message to the users. Very handy if you used to use the “net send” program in Windows XP before Service Pack 2 as it was disabled due to security issues.

Image 4: New Action

Step 4. Configure the “Program/Script” to run to “C:\Windows\system32\cmd.exe” then click “OK” (see image 5).

Image 5: New Action

Step 5. Click “OK” (see image 6)

Image 6: Actions Tab

Now you are done. The task is scheduled and it will be pushed out to all your users at the new Group Policy refresh. (see image 7).

Note: If you don’t want this to apply to all your user accounts you can also use Group Policy Preferences targeting options to refine the targeting.

Image 7: Scheduled Tasks

Below is the view of the scheduled task as configured on the computer (see image 8,9 & 10).

Note: The settings tab are greyed out because it is being controlled by Group Policy.

Image 8: Scheduled Tasks General Tab

Image 9: Scheduled Tasks Triggers Tab

Image 10: Scheduled Tasks Actions Tab

Best Practice: How to use Group Policy Preferences to Secure Local Administrator Groups

Alan Burchill — Wed, 20 Jan 2010 15:00:00 +0000

One problem I see all the time is IT administrator never being able to control who is a local administrator of any particular computer. The problem is that when you give someone local admin access to a computer (because they legitimately need it) you cant stop them from giving admin access to someone else on the same computer. When this does happen it is also its almost impossible to discover as you have to run a query every computer to see who is in the local admin group and then figure out which account should be a member. Once solution to this is of course following Microsoft best practice and not give your users local admin access to their PC or Server and in an utopian environment this would be possible but we all live in the real world where managers have admin access to their PC’s and developers are allowed to install any software they want. So how do you give a users full admin access to a computer but stop them from adding more people to the local admin group on a computer? Use Group Policy Preference of course.

But first a bit of History… Since Group Polices were first introduced with Windows 2000 there was an setting called “Restricted Groups” which allows you to control the membership of a group. This option had two modes one called “Members” option which I also call the “Iron Fist” mode and the other “Members Of” option which is much gentler. The “Members” option removes any groups or users that are not explicitly specified and the “Members Of” option just adds a specific group which out removing any existing groups. The “Members” option was really good at cleaning up those rogue members of the local admin group but its was also really hard to setup as you had to have a new group policy every time you wanted a different list of members in local group on a computer. The “Members Of” option was a lot easier to maintain as you could layer multiple group policies on top of each other but this normally resulted in just adding another layer of group to the pile of groups that were already in the local administrators group. The other problem was the “Members” option would override the “Members Of” option so there was really no way of mixing the two modes.

BUT… Group Policy Preferences can use Variables which enabled you to be very extremely granular in controlling you local admin group while still having “Iron Fist” control. Muuhhaaaahahahahah!!!

How do I setup a restricted local administrator group?

The following steps will need to be applied to a GPO that is applied to the computer objects you want to control the local administrator groups. Note: You must make sure you don’t have any other Group Policy “Restricted Groups” settings applied to your computers as they will always override the group policy preferences settings.

Step 1. Open the Group Policy Management Consol and edit the group policy that is applied to the scope of computers that you want to control.

Step 2. Go to the Computer Configuration > Preferences > Control Panel Settings > Local User and Groups option (see Image 1.).

Image 1. Local User and Group

Step 3. Now click on Actions > New > Local Group

Step 4. Now you will be need to select “Administrators (built-in)” from the group name as this always selects the built-in administrators group even if you have renamed it to obfuscate the name of the admin account.

Step 5. Tick both “Delete all member users” and “Delete all member groups”. These two options will automatically remove any users or groups that are not explicitly being added to the group. You only need to do this on item number 1 in the list of settings as that setting will be processed last.

Step 6. Now you will need to make sure you have added back in the Domain Admin’s and Local Administrator groups so that you don’t totally lock yourself out of the computer. To do this click the “Add…” button to bring up the “Local Group Member” dialogue box (see Image 2)

Image 2. Local Group Member

Step 7. Now type “BuiltIn\Administrator” in the Name field and click OK (see Image 3.)

Note: The image below is wrong… it should be “BUILTIN\Administrator”

Image 3. Local Administrators group added to the local administrators group

Step 8. You should also add “DOMAINNAME\Domain Admins” as it is a good practice to have the DA account as a member of the local admin group on all computers in the domain. To do this we are going to use the DomainName variables. Click “Add…” again and now click in the “Name:” text field and then press F3. This will now bring up the “Select Variable” dialogue box (See Image 4.). Click on the “DomainName” field and press “Select” and then “OK”. (alternatively you could type %DomainName% in the name field and just press OK.)

Note: The image below is also wrong… The bottom image should be “BUILTIN\Administrator”

Image 4. Selecting the DomainName Variable

You should now see the following which will restrict the local administrator group to only have the Domain Admins and the local administrator.

Note: The image below is wrong. It should be “BUILTIN\Administrator”

Image 5. Basic local administration group setting

So what you as? I can do this already with the “Restricted Groups” Group Policy setting. Well only having the local Administrator and Domain Admin’s in the local admin group is not not much use unless you are willing to give everyone the local admin password or give them all Domain Admin’s privileges (Like that ever happens) when ever they needed admin access. Well again this is where Group Policy Preferences can help.

How to add individuals to a single computer?

Now we are going to go thorough how to add a uniquely named domain group to the local administrators group without having to set up multiple group policies objects. This scenario is very helpful if you want to grant a single user or group local administrators access on computer but still ensure that no other users or groups can be added without explicitly being approved. In the steps below the computer name is DESKTOP01 and the domain name is CONTOSO, we want to add the group “CONTOSO\DESKTOP01 Administrators” to the local administrator group but we also want the same to happen on DESKTOP02, DESKTOP03 and so on, each with their own uniquely named group based on the computer name.

Update: Having a unique group for each computer allows you to easily grant permission to for a single users to a single computer as there is a one to one mapping of domain groups to local administrator groups.

Step 9. Now go back and repeat steps 3 to 6 until you get to the Local Group Member dialogue box again (see Image 6.).

Note: This creates a second local administrator group entry in the list to work around an issue.

Image 6. Add Local Group Member

Step 10. Type “%DomainName%\%ComputerName% Administrators” in the Name text field and click “OK” (Image 7.)

Image 7. Configuration to automatically unique group to local administrators group

Now this will now automatically add a domain group called “DOMAINNAME\COMPUTERNAME Administrators” to the local administrators group on the computer to which the policy is applied and your group policy should look like Image 8.

Image 8. Two local administrator group settings

Update: There are two separate local administrator group setting in the policy, the first one is the setting you see in image 5 and second one is the setting you can see in image 7.

However the “CONTOSO\DESKTOP01 Administrators” group will only be added to the local administrators group on the computer DESKTOP01 if that group is already exists. Therefore you do not need to create the group until the need arises to add an individual user or group to just a single computer.

Update: This policy will not create the group in your Active Directory called “DOMAINNAME\COMPUTERNAME Administrators” and you don’t have to create it unless you want to use it to grant permission to the computer. Once you have created the group you can then add a single user to the domain group… or multiple user accounts and groups. The other advantage of having this domain group is that it is the only place where you can grant admin access to the computer without it being automatically removed there fore it makes auditing who is a local administrator on a workstation much easier as you only have to audit the domain groups. This means that you can even report on who has access to the computer when the computer isn’t even connected to the domain.

This group policy setting combined with the other setting made earlier (see Image 5.) will mean that the local administrator group on the computer DESKTOP01 in the CONTOSO domain will have the following members automatically added to the group:

CONTOSO\Domain Admins
DESKTOP01\Administrator
CONTOSO\DESKTOP01 Administrators

But ANY other users or groups will be automatically removed after the next group policy refresh. This does mean there is a slight window of opportunity for someone to slip in an un-authorised account into the local administrators group but they will get removed at the next policy update.

Side Note: I have found that users almost never complain that they cant add un-authorised user to the local admin account on computer. Go figure…

AWSOME!!!! I hear you say… but wait there is more…

How do I add additional broader groups to the local administrators group?

Now that you are able to granuarlly add a single user or group to the local administrators group on a computer you might run into problems id you have more than a 1000 computers due to AD Token Bloat Issues . So to get around this we can setup some more broadly applied administrator groups to the computer that will give admin access to only a subset of computers such as all workstations or only the SQL Servers in your organisation.

Workstations Admin Groups

To apply a Workstation administrators group to the local administrators group on all workstations make sure you have a group policy only targeted to your workstations. This is normally pretty easy as most companies isolate their workstations computer accounts to one (or a select) number of Organisational Unit.

Step 11. Go back and repeat steps 6 and 7 but this time add the group “%DomainName%”\Workstations Administrators” in the name field. This will added the additional group “CONTOSO\Workstation Administrators” to the local admin group on all the workstations in your domain which will allow you to easily add all the Desktop Administrators in your organisation access to all the workstations without having to give them the local admin password or domain admin’s privileges.

Server Role Admin Groups

It gets a little tricker when you want to grant access to a server based on its role as server are sometime configured for multiple roles. So in these steps we are going to automatically added a domain group called “CONTOSO\SQL Server Administrators” to all the servers you have that have SQL Server installed on them. This will be very handy to making sure SQL service accounts or database administrators have admin access to all the servers that have Microsoft SQL Server installed. You can however make multiple version of these admin group for other roles (e.g. Exchange,SCCM,ISA) you just need to know what the best way to target the setting.

Step 12. First make sure you are editing a group policy that is applied to all your servers in your organisation.

Step 13. Repeat Step 9 and 10 and then we open the properties of the new policy setting and specify the group but this time we type “%DomainName%\SQL Server Administrators” in the name field.

Step 14. Click on the “Common” tab and then tick “Item Level Targeting” and click the “Targeting…” button.

Step 15. Click on the “New Item” in the menu bar and select the option you want to use to target all the SQL servers in your organisation and select the “File Match” option to look in the Program Files folder and see if a sub-folder exists called “Microsoft SQL Servers” (See Image 8). This is normally true for any server that has Microsoft SQL Server installed and so it will then automatically apply the SQL Server Admin group to that server if it was installed.

Note: In this example we tested that the “Microsoft SQL Server” folder exists but we could also make rule to test for the existence of a particular file or registry key.

Image 8. Testing to see if Microsoft SQL Server is installed.

Now any computer that SQL Server, MSDE or SQL Express installed will get the group “CONTOSO\SQL Server Administrators” automatically added to the local admin group.

This nice thing about this is that if SQL is installed on the server at some point in the future the SQL Admin group will be added automatically at the next group policy refresh without you having to do a thing.

Finally.. now you have tight control of the local administrator groups on all the computers in your domain it is now important to monitor and secure the domain groups that are being added to the local administrator groups as they now control who has admin access to all your computers. But I will save how to do that for another blog post…

Automate Group Policy Preferences printer-management using Windows PowerShell

Alan Burchill — Mon, 18 Jan 2010 22:20:35 +0000

Jan Egil’s has just written a good blog post explaining how to use Power Shell with Group Policy Preferences to easily setup multiple printer connections. If you have ever had to make printer connections with Group Policy Preferences you will know that it is a real easy to copy a printer connection. However it is a real pain to then modify the printer path and targeting… again… and again… and again… and again… Definitely worth a read if you use Group Policy Preferences to manage your printer connection in your organisation.

Check out the article at Automate Group Policy Preferences printer-management using Windows PowerShell « Jan Egil`s Admin-Blog

How to mitigate KB979352 (a.k.a. “Google China”) security vulnerability using Group Policy

Alan Burchill — Fri, 15 Jan 2010 05:07:03 +0000

Microsoft have been getting a lot of press (here , here and here) about security vulnerability KB979352 in Internet Explorer that was used by Chinese Hackers to breach Google’s security and gain access to anti-china protestors email accounts and other private data. As a result Microsoft have now released a security advisory for IT professional listing multiple ways to mitigate this security issue before they release a patch (which they are rushing to get out).

One of the ways listed to mitigate this issue on IE6 (other than not running IE6) is to configure Active Scripting to either be disabled or set to prompt. Now this is pretty easy for one user to change this setting manually but for large organisation (like Google) performing this workaround on the many thousand’s of computers would be very time consuming.

So to make this change in Group Policy open the Group Policy Object (GPO) that is targeted on your user accounts and navigate to User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and then under the “Local Intranet” and “Internet” configured the “Allow Active Scripting” option to “Disable” or “Prompt” (see image below).

Now if you do configure this option it is likely that some legitimate sites on the locally and on the Internet may break so workaround that issue you can explicitly add them to “Trusted Sites” zone. To do this again open the Users GPO and navigate to the Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and then open the “Site to Zone Assignment List ” setting and click “Enabled” then click the “Show” button.

Then type the full URL in the “Value Name” field and a “2” in the “Value” field for each site you want to run the Active Scripts.

Now according to Microsoft your browser should be configured to mitigate this security vulnerability.

For more information about the security vulnerability see the Microsoft Advisory at http://www.microsoft.com/technet/security/advisory/979352.mspx.

Disclaimer: I do not accept any liability what so ever for the information in this article. Please use this information at your own risk.