Group Policy Central

Posts tagged ‘SOE’

Group Policy Setting of the Week 37 – Change Start Menu power button

This week's setting of the week is called “Change Start Menu power button”, which allows you to configure the Start Menu shutdown button in Windows 7 and Windows Server 2008 R2. You can find this setting under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar.

If you have set up your computers to support Hybrid Sleep then you should consider configuring this option to help ensure that your users select the “Sleep” option.

image

Before

image

After

image

Note: If you select the “Sleep” or “Hibernate” options and the computer does not support that power mode then the shutdown option will be used instead.

Group Policy Setting of the Week 36 – Turn off Windows Start-up Sound

This week's Group Policy setting of the week is one that most IT administrators will probably want to implement. For personal use the Windows logon sound is quite nice; however, when you have an office packed with computers it can sound like a symphony in the morning as everyone turns on their computer. This is a new policy setting for Windows Vista, but during the Beta it was not something that could be turned off. Luckily Microsoft heard loud and clear that this was an option they needed to add, and by the RTM they had added this option for end users and IT admins.

image

As I mentioned before this is a Windows Vista or greater setting which can be found under Computer Configuration > Policies > Administrative Templates > System > Logon.

How to use Group Policy to allow the users to choose any screensaver except (None)

During Kevin Sullivan's Group Policy session at TechEd 2010 in the USA this year, he mentioned an example of being able to configure Group Policy to allow users to select whatever screensaver they want except the one called “(None)” (see image below). While this method does not prevent users from selecting (None) from the screensaver options list, it will set it back to a screensaver of your choice when the user selects the (None) option.

image

The logic to implement this policy is to test if the SCRNSAVE.EXE registry value exists and, if it doesn’t, create the value with the screensaver that you want to enable.

Note: You can also use this tutorial as a guide for applying other Group Policy Preferences settings based on whether a registry key exists or not. A good example of where you might want to do this is to test whether a specific application registry key exists before you apply an application-specific registry setting. This helps you keep a cleaner configured SOE by not unnecessarily applying configuration settings.


Step 1. Edit a Group Policy Object (GPO) that is targeted to the user accounts you want to apply this policy to.

Step 2. Navigate to User Configuration > Preferences > Windows Settings > Registry then from the menu click on Action > New > Registry Item

image

Step 3. Select “Update” from the Action then type “Control Panel\Desktop” in the Key Path: text field then type “SCRNSAVE.EXE”  in the Value Name text field and “C:\Windows\System32\scrnsave.scr” in the Value data: text field.

image

Step 4. Click on the Common tab and then tick “Item-level targeting” and then click the “Targeting…” button.

image

Now we will target the screen saver to apply only when the “HKCU\Control Panel\Desktop\SCRNSAVE.EXE” registry value does NOT exist, as this means the screen saver has been configured to “(None)”.

Step 5. Click on “New Item” then the “Registry Match” option.

image

Step 6. Select the “Value exists” match type, then type “Control Panel\Desktop” in the key path field and then type “SCRNSAVE.EXE” in the value name field.

image

Step 7. Click back on the targeting setting in the top pane and press “F8” which changes the option to “does not exist” then click OK and OK.

image

This policy will now apply the blank screen saver on the next Group Policy refresh to all targeted users whenever they select “(None)”.

image

Below is a table that shows the screensaver set to “(None)” (Before column) and then, after a policy refresh, the screensaver configured as “Blank” (After column). The user has then selected the “Photos” screensaver (Custom column) and the policy is refreshed again; this time there is no change, as the screensaver is configured with a value, so it is not set back to “Blank”.

Before After Custom
image image image
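The same "create the value only if it does not exist" logic as a local PowerShell function, useful for checking how the targeting filter behaves before deploying the GPO. This is an added example, not part of the original post; the function name, the scratch key `HKCU:\Software\ScreensaverTargetingDemo` and the sample Photos screensaver path are assumptions made for the demonstration.

```powershell
# Added example: mirrors the GPP Registry item (Action = Update) together with
# the item-level targeting rule "value does not exist" from Steps 3-7.
function Set-ScreensaverIfNone {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The real target is 'HKCU:\Control Panel\Desktop'; overridable for testing.
        [string]$KeyPath  = 'HKCU:\Control Panel\Desktop',
        [string]$Fallback = 'C:\Windows\System32\scrnsave.scr'
    )
    $name    = 'SCRNSAVE.EXE'
    $current = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue

    if ($null -ne $current) {
        # Targeting filter is false: the user has chosen a screensaver, leave it alone.
        return New-Object PSObject -Property @{ Changed = $false; Screensaver = $current.$name }
    }
    # Targeting filter is true: "(None)" removed the value, so write the fallback.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$name", "Set to $Fallback")) {
        New-ItemProperty -Path $KeyPath -Name $name -Value $Fallback -PropertyType String | Out-Null
        return New-Object PSObject -Property @{ Changed = $true; Screensaver = $Fallback }
    }
    return New-Object PSObject -Property @{ Changed = $false; Screensaver = $null }
}

# Demonstration on a scratch key (constructed name) so the real profile is untouched.
$demo = 'HKCU:\Software\ScreensaverTargetingDemo'
New-Item -Path $demo -Force | Out-Null

# First "refresh": the value is missing, as it is after the user picks (None).
Set-ScreensaverIfNone -KeyPath $demo

# The user picks another screensaver (sample path), then a second "refresh" runs.
Set-ItemProperty -Path $demo -Name 'SCRNSAVE.EXE' -Value 'C:\Windows\System32\PhotoScreensaver.scr'
Set-ScreensaverIfNone -KeyPath $demo

Remove-Item -Path $demo -Recurse
```

Run it with `-WhatIf` and no `-KeyPath` to see whether the current user's profile would be changed without writing anything.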

How to use Group Policy to Allow or Block URLs

This is another article I have written that addresses the commonly asked question on the Group Policy forum as to how you can use Group Policy to block or allow users to specific web site URLs. It goes without saying that the most effective way to implement content filtering for the internet is to maintain a list of sites on your proxy server/firewall in your organisation. However, you might not have any proxy or firewall that can do this, and this method is also not effective when a user is connected to the internet outside the corporate network.

Luckily there is an option in the Internet Explorer Maintenance Group Policy section that allows you to configure an allow/never list of URLs for your users. If you are configuring this option I also suggest you check out one of my other articles, How to configure AppLocker Group Policy in Windows 7 to block third-party browsers, to prevent users from running non-IE browsers to get around this restriction, as this is an IE-only policy setting.

How to configure Internet Explorer to Allow and Block URLs

Step 1. Edit a Group Policy Object (GPO) that applies to the users you want to configure URL blocking.

Step 2. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security and then click on the “Security Zones and Content Ratings”

image

Step 3. Select “Import the current Content Ratings settings” and then click on the “Modify Settings” button

image

Step 4. Click on the “Approved Sites” tab

image

Step 5a (Black List). Type the name of the URL that you want to block in the “Allow this website” text field and then click “Never” then “OK”

image

Step 5b (White List). However, if you are trying to maintain a white list of URLs then type the name of the site you want to allow in the “Allow this website” text field and then click “Always” then “OK”

image

Note: You will probably want to add the internal domain name of your company’s AD to the Allow list as well to ensure users can access the intranet web sites. Also note that while wildcards are supported in the URLs, adding just the URL “*” does not work. While this would be very handy for configuring a white list, I will show you how to get around this restriction in further steps below.

Now we have to create a supervisor password that will be used for making any subsequent changes to the Allow/Never URL list. This password can also be used by the user (if they know it) to work around these URL restrictions. However, as this password is applied by policy it will be the same password for all users, so think about changing the password often.

Step 6. Type the same password in both the “Password” and “Confirm Password” fields and type a hint in the “hint” field. You could also type something like “To get this password please contact the help desk on 5555-5555”.

image

By default, when you enable the Content Advisor it will automatically block any web site that does not have a rating configured. Therefore you will want to turn this blanket restriction off in step 8 if all you are trying to do is block specific URLs in a black list configuration.

Step 8 (Black List). Tick “User can see websites that have no rating” then click “OK”

image

Note: For white list configuration leave the “User can see websites that have no rating” un-ticked so that all web sites will be blocked.

image

Step 9. Click OK

image

Done.

If you configured a black list then a user will be allowed to go to all web sites except the URL that you specifically blocked. When the user does hit a web site that is blocked they will be presented with a dialogue box explaining why they are not able to visit the web site and an option to visit the site only if they know the supervisor password.

image

If they click Cancel nothing will happen and if they press OK they will get presented with this dialogue box.

image

Below is another example message, which is presented when visiting a site without a rating when you have configured the policy not to load sites that do not have a rating. You will see this if you have configured a white list.

image

If you are using a white list configuration, a user will still be able to visit a site so long as it is ICRA3 rated and it does not report as having content that falls into any of the rating categories. Therefore this method is not 100% effective for a white list strategy, but if you do find your users visiting a site that is not specifically allowed then you can simply add it as a blocked URL.

Related Resources:

If you have played with this setting and are looking for a way to remove this setting from the group policy then see my posting How to remove imported Internet Explorer Group Policy Settings

You will also find that the computer you have made these URL restrictions on will now have the supervisor password set (I assume it’s something about how IEM GPMC interacts with the local computer), so to remove the IE supervisor password just delete the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings key and it will reset the Content Advisor settings back to defaults.
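The clean-up of the GPO editing workstation described above, scripted so that the Ratings key is exported before it is deleted. This is an added example, not from the original post; the function name and the backup file location are assumptions, and it must be run from an elevated prompt.

```powershell
# Added example: back up, then delete, the Content Advisor Ratings key on the
# workstation that was used to edit the GPO.
function Reset-ContentAdvisor {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Backup location is an assumption; choose any writable path.
        [string]$BackupFile = "$env:TEMP\Ratings-backup.reg"
    )
    $regPath = 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings'
    $psPath  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings'

    if (-not (Test-Path -Path $psPath)) {
        Write-Verbose 'Ratings key not present; nothing to reset.'
        return $false
    }
    if ($PSCmdlet.ShouldProcess($regPath, "Export to $BackupFile and delete")) {
        # Keep a copy so the settings can be restored later with "reg import".
        & reg.exe export $regPath $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw 'Backup failed; the Ratings key was left untouched.'
        }
        Remove-Item -Path $psPath -Recurse -Force
        return $true
    }
    return $false
}

# Dry run: reports what would be exported and deleted without changing anything.
Reset-ContentAdvisor -WhatIf
```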

Group Policy Setting of the Week 34 – Do not allow Windows Media Center to run

The setting of the week this week prevents users from running Windows Media Center on Vista or above versions. Unlike Windows XP, which had its own dedicated version of Media Center, Vista Enterprise and Ultimate editions and Windows 7 Business, Enterprise and Ultimate had inbuilt support for Windows Media Center. This setting would most likely be used in a corporate environment where they wanted to control the running of unproductive applications. This is either a user or computer based setting that can be found under Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Media Center, meaning you can either selectively apply it to users or to all the computers in your fleet.

image

When the setting is enabled the user will still see the shortcut to Windows Media Center however when the user tries to run the program they will be presented with the following dialogue box.

image