Posts tagged ‘SOE’

Group Policy Setting of the Week 32 – Prevent changing mouse pointers

The Group Policy setting of the week this week is a new policy setting for Windows 7/2008 R2. The setting is called “Prevent changing mouse pointers” and can be found under User Configuration > Policies > Administrative Templates > Control Panel > Personalization. It is handy if you want to tightly control the user environment, such as on public access computers in a library or a common shared computer.


Below you can see how the “pointers” tab is removed when the policy is enabled.

Images: Not Configured/Disabled vs. Enabled

Be careful when you apply this setting, however, as it will lock the user into whatever mouse pointer scheme they had active at the time the policy is applied.

P.S. I jumped #30 and #31 because I recently discovered that I had two other setting of the week posts with the same number. So as not to rename all the other settings of the week, I have decided to just correct the numbering from this article going forward.

Group Policy Setting of the Week 26b – Do not allow Windows Messenger to be Run

(Wow… I have been doing this for 6 months now… how time flies… )

This week’s setting of the week is another old one, however it is very important for any environment that is still running a Windows XP SOE. The “Do not allow Windows Messenger to be run” setting will prevent any user from running the Windows Messenger that comes out of the box with Windows XP. Now, the Windows Messenger 4.6 that comes with Windows XP is no longer supported, but disabling the program should help avoid any confusion for users that also have Windows Live Messenger installed.

This is a user setting that can be found under User Configuration > Policies > Administrative Templates > Windows Components > Windows Messenger. While it does say it applies to Windows XP, this is in reality only a Windows XP setting, as there is no Windows Messenger in Windows Vista or above.


While most organisations already have this program removed from the SOE (see image below), this is a good safety net setting for anyone who has joined their non-SOE version of messenger to the domain.

image

Now, to be clear, this will only prevent the user from running Windows Messenger and not the likes of Windows Live Messenger or other third-party messenger programs.


This setting will not remove Messenger from the computer but when the user clicks on the Windows Messenger link.

image

Group Policy Setting of the Week 19 – Set roaming profile path for all users logging onto this computer

Back to another profile setting this week, and this one can save any organisation using Windows Vista or greater a lot of time if you manually provision your accounts. The setting is called “Set roaming profile path for all users logging onto this computer” and it configures the user’s roaming profile path, which is normally configured on a per-account basis in Active Directory Users and Computers (see below). Being able to apply this setting via Group Policy means it is one more user attribute that you no longer need to configure on the user’s account. This of course makes provisioning user accounts just that little bit simpler, which should save time and reduce the possibility of human error.

image

This setting can be found under Computer Configuration > Policies > Administrative Templates > System > User Profiles, but as it’s a computer-based setting you need to be careful how you apply it. Applying this setting to laptops could be undesirable, as they may try to log on from a remote location with a slow WAN link to the profile server. So if you do apply this to laptops you might want to configure it to point to a DFS namespace path or a DNS alias (if you have subnet masking filtering enabled), which can help point them to a faster, more local path. This of course means it would be really useful to have an OU structure that separates your laptops from your desktop computers.


But I would definitely recommend using this setting if you are using Windows Vista or Windows 7 in your SOE.

Group Policy setting(s) of the Week 12 – Prevent changing desktop background & Desktop Wallpaper

This week’s setting of the week is a double header. Both settings are really simple, but they are so commonly used that they really have to be mentioned.

The first setting is found under User Configuration > Policies > Administrative Templates > Control Panel > Personalization > Prevent changing desktop background. As the name suggests, this setting prevents users from changing the background image via the Display Settings control panel application, however it does not prevent users from right-clicking on an image and setting it as a background image.


Recommendation: Enabled

If you really want to stop users from changing the background image then you also need to configure the “Desktop Wallpaper” setting to specify a background image. It can be found under User Configuration > Policies > Administrative Templates > Desktop > Desktop (yes, Desktop is there twice).


Recommendation: Enabled (specify path to background image)

These settings should be configured by anyone wanting to implement a standard desktop background image on their SOE computers. However, be warned: if you are going to implement this setting then expect to cop a lot of flack from your users complaining they can’t set their background image to their favourite family photo or, even worse, their cat.

Best Practice: How to schedule a delayed start logon script with Group Policy

Logon Scripts!!! I hear you yelling at me about why I am doing a tutorial about logon scripts when Group Policy Preferences is supposed to allow me to stop using my logon scripts. Well, in a utopian world there would be no logon scripts to maintain, however there are still some situations where you might have to execute a program at logon. One example I recently saw on the Group Policy Forums was a person who wanted a way to delay the launching of the browser so as to not add additional delay to the user’s logon on what was already a slow computer. This is somewhat similar to the Delay Start option for services that was introduced in Windows 7.

Prerequisites: This is a Windows Vista+ configuration as Windows XP has a more limited scheduling engine. If you really want to do this on Windows XP (sucks to be you) you could run the script with some third-party delay/timeout tool in it and just have it run from the user’s “Startup” start menu folder…


Step 1. In a Group Policy Object (GPO) that is targeted at all the users (or most of them) that you want the delayed start program/action to run for, go to “User Configuration” > “Preferences” > “Scheduled Task” then go to “Action” > “New” > “Scheduled Task (Windows Vista and later)”. Then type the display name of the script in the “Name” field (see image 1) and click on the “Triggers” tab.

Note: In this example we are just going to be running a command prompt so the Name is “CMD.exe”.

Image 1: Scheduled Task Properties


Step 2. On the “Triggers” tab click the “New” button. Change the “Begin the task” drop-down option to “At log on” and then tick “Delay task for:” and configure the delay from the drop-down menu (see image 2). Then click “OK”.

Note: Unfortunately this option does not seem to be user configurable so for the use of a logon script “30 seconds” and “1 minute” are the only practical options.

Image 2: New Trigger


Step 3. You should now have the trigger configured for your event that looks like the image below (see image 3). Now click on the “Actions” tab.

Image 3: Configured Trigger


Step 4. In the “Actions” tab click on the “New” button and then configure the action you want to take. Again, in this example we are just going to be running a command prompt, so set the “Action” to “Start a program” (see image 4).

Note: You can also use this option to send an e-mail or even display a pop-up message to the users. Very handy if you used to use the “net send” program in Windows XP before Service Pack 2 as it was disabled due to security issues.

Image 4: New Action

Step 5. Set the “Program/Script” to run to “C:\Windows\system32\cmd.exe” then click “OK” (see image 5).

Image 5: New Action

Step 6. Click “OK” (see image 6)

Image 6: Actions Tab


Now you are done. The task is scheduled and it will be pushed out to all your users at the next Group Policy refresh (see image 7).

Note: If you don’t want this to apply to all your user accounts you can also use Group Policy Preferences targeting options to refine the targeting.

Image 7: Scheduled Tasks


Below is the view of the scheduled task as configured on the computer (see images 8, 9 & 10).

Note: The settings tabs are greyed out because they are being controlled by Group Policy.

Image 8: Scheduled Tasks General Tab


Image 9: Scheduled Tasks Triggers Tab


Image 10: Scheduled Tasks Actions Tab
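
To confirm on a client that the delivered task matches what the steps above configure (an “At log on” trigger with a delay and a “Start a program” action), the following added example, which is not part of the original post, parses a Task Scheduler XML export and reports any deviation. The function name `Test-DelayedLogonTask`, its parameters and the sample XML are assumptions constructed for illustration, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original post). $sampleXml is constructed; on a
# client, use: (schtasks /query /tn "CMD.exe" /xml | Out-String)
$sampleXml = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Delay>PT30S</Delay>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\system32\cmd.exe</Command>
    </Exec>
  </Actions>
</Task>
'@

# Hypothetical helper: compares a task definition with the expected values.
function Test-DelayedLogonTask {
    param(
        [Parameter(Mandatory)][string]$TaskXml,
        [Parameter(Mandatory)][string]$ExpectedCommand,
        [Parameter(Mandatory)][TimeSpan]$ExpectedDelay
    )
    $doc = [xml]$TaskXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    $findings = @()

    $triggers = @($doc.SelectNodes('/t:Task/t:Triggers/t:LogonTrigger', $ns))
    if ($triggers.Count -eq 0) { $findings += 'no logon trigger' }
    foreach ($trg in $triggers) {
        # Delay is an ISO 8601 duration such as PT30S; a missing element means no delay.
        $node  = $trg.SelectSingleNode('t:Delay', $ns)
        $delay = if ($node) { [System.Xml.XmlConvert]::ToTimeSpan($node.InnerText) } else { [TimeSpan]::Zero }
        if ($delay -ne $ExpectedDelay) { $findings += "logon delay is $delay, expected $ExpectedDelay" }
    }

    $commands = @($doc.SelectNodes('/t:Task/t:Actions/t:Exec/t:Command', $ns) | ForEach-Object { $_.InnerText })
    if ($commands.Count -eq 0) { $findings += 'no program action' }
    foreach ($cmd in $commands) {
        # -ne on strings is case-insensitive, which suits Windows paths.
        if ($cmd -ne $ExpectedCommand) { $findings += "unexpected program: $cmd" }
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

Test-DelayedLogonTask -TaskXml $sampleXml -ExpectedCommand 'C:\Windows\system32\cmd.exe' `
    -ExpectedDelay ([TimeSpan]::FromSeconds(30))
```

A task whose program or delay differs from what the GPO specifies shows up in `Findings`, which makes the same check useful for spotting a logon task that was changed or added outside Group Policy.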
