Posts tagged ‘Group Policy’

Video: TechEd 2010 NZ – #CLI309 Troubleshooting Group Policy #tenz

While I was at TechEd New Zealand 2010 I was asked to step into Jeremy Moskowitz's shoes at the last minute, as he had been quarantined in hospital with suspected swine flu. So with very little preparation I cobbled together a troubleshooting session based on his slide deck and a few of my own tips…


Source http://www.msteched.com/2010/NewZealand/CLI309

Luckily for him he was fine and was released from hospital that night, so he was still able to present his two other sessions on Wednesday…

Active Directory and Group Policy… Would you like to know more?

Ned Pyle from the Active Directory Service team has just done a super post on the Ask the Directory Services Team blog called Post-Graduate AD Studies. This is a collection of links to pretty much every AD/Group Policy related TechNet article known to man. It is definitely a post that you will want to bookmark as a reference for whenever you have any AD or Group Policy related problems or questions.

Below is a list of all the Group Policy related articles that are listed in the post:

Check out the whole article at: Post-Graduate AD Studies – Ask the Directory Services Team – Site Home – TechNet Blogs.

P.S. Can anyone pick where I got the inspiration for the title?

Best Practice: Group Policy Design Guidelines – Part 2

In my previous article, Best Practice: Active Directory Structure Guidelines – Part 1, I spoke about some of the guidelines I personally use when developing an Active Directory OU structure. In this next part I will discuss some guidelines I use when designing a Group Policy Object infrastructure.

Ideally you should make the Active Directory OU and GPO design decisions together to best ensure that you have the most efficient design possible. However, if you already have an OU structure designed, a lot of these guidelines can still be applied to most existing environments.

As in Part 1, these are simply guidelines that I use and should not be taken as hard and fast rules. I quite often find myself having to break these rules due to real world conflicts or just because one rule might conflict with another. If you do find yourself in a situation where you are not sure which path to take, try to choose the option that will result in the least administrative effort in the long term.

Continue reading ‘Best Practice: Group Policy Design Guidelines – Part 2’ »

Best Practice: Active Directory Structure Guidelines – Part 1

I have been doing Active Directory and Group Policy work for a while now and I have developed my own set of rules that I try to use wherever possible. So below I have written down all my rules in no particular order for you to go over and use for yourself. You may choose to use only some of these rules or you might want to use them all, depending on your circumstances. This is a two part series where I will first talk about designing your Active Directory Organisational Unit structure and then in part 2 (Best Practice: Group Policy Design Guidelines – Part 2) I will discuss some more ideas for applying Group Policy to the OU structure.

I want to be clear that these are only guidelines and not rules that need to be strictly adhered to. In almost all cases there are exceptions to these guidelines and you might even find yourself implementing them in a hybrid approach. I intend for this web page to be updated on a regular basis, as none of these rules are set in stone and things obviously change all the time.

Continue reading ‘Best Practice: Active Directory Structure Guidelines – Part 1’ »

How to use Group Policy to allow the users to choose any screensaver except (None)

During Kevin Sullivan's Group Policy session at TechEd 2010 in the USA this year he mentioned an example of being able to configure Group Policy to allow users to select whatever screensaver they want except the one called “(None)” (see image below). While this method does not prevent the users from selecting (None) from the screensaver options list, it will set it back to a screensaver of your choice when the user selects the (None) option.

image

The logic to implement this policy is to test whether the SCRNSAVE.EXE registry value exists and, if it doesn’t, create it with the screensaver that you want to enable.

Note: You can also use this tutorial as a guide for applying other Group Policy Preferences settings based on whether a registry key exists or not. A good example of where you might want to do this is to test whether a specific application registry key exists before you apply an application specific registry setting. This helps you keep a cleaner configured SOE by not unnecessarily applying configuration settings.


Step 1. Edit a Group Policy Object (GPO) that is targeted to the user accounts you want to apply this policy to.

Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry then from the menu click on Action > New > Registry Item

image

Step 3. Select “Update” from the Action field, then type “Control Panel\Desktop” in the Key Path: text field, “SCRNSAVE.EXE” in the Value Name text field and “C:\Windows\System32\scrnsave.scr” in the Value data: text field.

image

Step 4. Click on the Common tab and then tick “Item-level targeting” and then click the “Targeting…” button.

image

Now we will target the screen saver setting so it applies only when the “HKCU\Control Panel\Desktop\SCRNSAVE.EXE” registry value does NOT exist, as this means the screen saver has been configured to “(None)”.

Step 5. Click on “New Item” then the “Registry Match” option.

image

Step 6. Select the “Value exists” Match type, then type “Control Panel\Desktop” in the key path field and “SCRNSAVE.EXE” in the value name field.

image

Step 7. Click back on the targeting setting in the top pane and press “F8” which changes the option to “does not exist” then click OK and OK.

image

This policy will now apply the blank screen saver on the next Group Policy refresh to all targeted users whenever they select “(None)”.

image

Below is a table that shows the screensaver set to “(None)” (Before column) and then, after a policy refresh, the screensaver configured as “Blank” (After column). The user has then selected the “Photos” screensaver (Custom column) and the policy is refreshed again; this time there is no change, because the screensaver is configured with a value and so it is not set back to “Blank”.

Before After Custom
image image image
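To predict what the next refresh will do for the logged-on user, the targeting test from Steps 5 to 7 can be reproduced in PowerShell. This is an added example, not part of the original post; the function name `Test-ScreenSaverTargeting` and its `-Apply` switch are hypothetical, while the key path, value name and value data are the ones entered in Step 3.

```powershell
# Added example (not from the original post). Key path, value name and value
# data are the ones entered in Step 3; the function name is hypothetical.
$KeyPath   = 'HKCU:\Control Panel\Desktop'
$ValueName = 'SCRNSAVE.EXE'
$Fallback  = 'C:\Windows\System32\scrnsave.scr'

function Test-ScreenSaverTargeting {
    param([switch]$Apply)

    # Same test as the Registry Match item: does the value exist at all?
    $item   = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $exists = ($null -ne $item)
    $data   = if ($exists) { $item.$ValueName } else { $null }

    # Steps 6-7: "Value exists" negated with F8, so the item fires only
    # when the value is missing, i.e. the user picked (None).
    $wouldApply = -not $exists

    if ($wouldApply -and $Apply) {
        # What the "Update" action does on refresh: create the value.
        Set-ItemProperty -Path $KeyPath -Name $ValueName -Value $Fallback
        $data = $Fallback
    }

    New-Object PSObject -Property @{
        ValueExists      = $exists
        CurrentData      = $data
        PolicyWouldApply = $wouldApply
        # Present-but-empty still counts as "exists", so targeting skips it.
        EmptyButPresent  = ($exists -and [string]::IsNullOrEmpty($data))
    }
}

# Report only; add -Apply to write the fallback the way the GPO would.
Test-ScreenSaverTargeting | Format-List
```

Run it in the user's own session, since HKCU resolves to the account running the script. `PolicyWouldApply` should read True in the Before state from the table above and False in the After and Custom states.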

The complete list of Group Policy Hotfixes in Windows 7/2008 R2 Service Pack 1

The beta of Windows 7/Server 2008 R2 Service Pack 1 has now been released to the public for testing. For your benefit I have gone through the complete list of hotfixes and listed out all the Group Policy specific ones. If you just want the service pack right now you can download it here: http://technet.microsoft.com/en-us/evalcenter/ff183870.aspx

I have highlighted the two hotfixes that stand out in my mind as the most annoying Group Policy bugs in Windows 7 RTM.

I have also posted an installation screenshot walkthrough on my other blog here: http://www.smartergeek.info/2010/07/install-screenshots-windows-7-service-pack-1-beta/

Hotfix Description Link to support article
After Internet Explorer Maintenance Group Policy settings are configured in a domain, a 20-second delay occurs when you log on to the domain from a client computer that has Internet Explorer 7 or Internet Explorer 8 installed http://support.microsoft.com/kb/941158
FIX: You cannot import or paste some group policies across domains by using the “Group Policy Management” MMC snap-in http://support.microsoft.com/kb/969867
SceCli 1202 events are logged every time Computer Group Policy settings are refreshed on a computer that is running Windows Server 2008 R2 or Windows 7 http://support.microsoft.com/kb/974639
Roaming user profile cache is not deleted from a Windows Server 2003-based computer if Group Policy preferences and Internet Explorer Maintenance Group Policy settings are used http://support.microsoft.com/kb/975619
LDAP filters in the Group Policy preference settings do not take effect on a computer that is running Windows Server 2008 R2 or Windows 7 http://support.microsoft.com/kb/976398
FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings http://support.microsoft.com/kb/976399
A Group Policy Immediate Task preference item does not run on a client computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/977353
The SceCli 1202 events are logged when some Group Policy settings are refreshed in Windows Server 2008 R2 and in Windows 7 http://support.microsoft.com/kb/977695
The “Desktop Wallpaper” Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2 http://support.microsoft.com/kb/977944
Logoff process stops responding after you create a logoff Group Policy script on a client computer that is running Windows Vista or Windows Server 2008 http://support.microsoft.com/kb/978489
The Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings http://support.microsoft.com/kb/978837
Error message when you view or modify the migrated Group Policy objects in Windows Server 2008 R2: “Attribute cannot be empty” http://support.microsoft.com/kb/979039
After you apply a WMI filter, the GPO does not take effect on a client computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/979383
Some Group Policy preferences are not applied successfully on computers that are running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/979731
The “Allow the printing of background colors and images” Group Policy setting does not take effect on a computer that has Internet Explorer 8 installed http://support.microsoft.com/kb/980077
The “Load a specific theme” Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/980628
The “Configure new tab page default behavior” Group Policy setting does not work on a computer that is running Windows 7 or Windows Server 2008 R2 and that has Internet Explorer 8 installed http://support.microsoft.com/kb/980959
The Group Policy preference settings for the “Terminal Session” item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2 http://support.microsoft.com/kb/981054
You can still unpin a program from the taskbar unexpectedly when you enable the “Do not allow pinning programs to the Taskbar” Group Policy on a computer that is running Windows 7 or Windows Server 2008 R2 http://support.microsoft.com/kb/981177
You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2 http://support.microsoft.com/kb/981265
Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies” http://support.microsoft.com/kb/981750
You cannot open an HTML GPO report that is created by the German version of Windows Server 2008 R2 or of Windows 7 http://support.microsoft.com/kb/981877

Group Policy Setting of the Week 34 – Do not allow Windows Media Center to run

The setting of the week this week prevents users from running Windows Media Center on Vista or later versions. Unlike Windows XP, which had its own dedicated version of Media Center, Vista Enterprise and Ultimate editions and Windows 7 Business, Enterprise and Ultimate had inbuilt support for Windows Media Center. This setting would most likely be used in a corporate environment that wants to control the running of unproductive applications. This is either a user or computer based setting that can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Media Center, meaning you can apply it selectively to users or to all the computers in your fleet.

image

When the setting is enabled the user will still see the shortcut to Windows Media Center however when the user tries to run the program they will be presented with the following dialogue box.

image