Posts tagged ‘Windows 7’

Best Practice: Roaming Profiles and Folder Redirection (a.k.a. User State Virtualization)

Virtualization is currently a buzzword and it seems that Microsoft is falling over itself to brand as many products as possible with the “V” word (e.g. Hyper-V, App-V & Med-V). So “User State Virtualization” is the term that Microsoft now uses to describe what used to be called Roaming Profiles and/or Folder Redirection.

The idea is simple… a user can log on to any computer in an organisation and have all their personal files and settings apply to that computer as they were the last time they used a computer. This is really a win/win for users and IT Pros. For a user it is a big time saver, as they no longer need to waste time setting up their drives, printers and other personal settings when they have to use another computer. IT Pros also benefit: when there is an unexpected failure or loss of a computer, they don’t have to go through what could be a lengthy, costly, if not impossible, process of recovering the user’s data.

Now theoretically User State Virtualization can be done entirely with just a Roaming Profile; however, this quickly becomes impractical as users often store a LOT of data, which can make a user’s profile impossibly large. To get around this Microsoft uses folder redirection to essentially redirect parts of a user’s profile to a file share on a server, where it is centrally accessed whenever they log on to a computer.

Reference: Managing Roaming User Data Deployment Guide

Folder Redirection provides a way for administrators to divide user data from profile data. This division of user data decreases user logon times, and Windows downloads less data. Windows redirects the local folder to a central location, giving the user immediate access to their data when they save it, regardless of the computer they are using. This immediate access removes the need to update the user profile.

By redirecting these folders to a server they are only accessed when needed, and therefore very large files do not slow down the profile update process. The obvious disadvantage of doing this is that when a user cannot access the redirected folders (e.g. disconnected laptop users) they lose access to these files. However, this restriction is mitigated by ensuring that the user has a cached copy of these redirected folders.

Below I am going to go through a number of tips and tricks to make sure you get the most out of a User State Virtualization setup in your environment and to ensure that you don’t fall into some configuration traps.


Group Policy Hotfix Round Up

In the July 29 to August 12th hotfix release for Windows 6/7 there have been a number of Group Policy related hotfixes released. As far as I can tell none of these hotfixes are listed as being in Windows 7 Service Pack 1, which is currently in beta (see The complete list of Group Policy Hotfix’s in Windows 7/2008 R2 Service Pack 1), so if you are experiencing any of the issues these hotfixes address it will be some time before you will be able to deploy them as part of a service pack.

  • KB2250489 You cannot turn off the screen saver in the Windows Mobility Center when the "Prevent changing wallpaper" Group Policy setting is enabled on a computer that is running Windows Vista SP2
  • KB2261826 You cannot find a network drive in the "Browse For Folder" dialog box in the GPMC MMC snap-in on a computer that is running Windows Server 2008 or Windows Vista
  • KB2096902 Virtual machines in a VDI environment are not rolled back as expected if the disconnected Remote Desktop connections on the virtual machines are stopped by Group Policy
  • KB2254754 You experience a GPO report-generation issue in the GPMC window when you try to generate the report in a localized version of Windows 7 or of Windows Server 2008 R2
  • KB2258620 You cannot find the "Find Now," "Stop," and "Clear All" buttons in the GPMC snap-in on a computer that is running Windows 7 or Windows Server 2008 R2
  • KB2275315 You cannot read the GPO in the SYSVOL directory in Windows 7 or in Windows Server 2008 R2 if you enable the "Deny write" permission of the GPO
  • KB2284538 Apply once and do not reapply Group Policy setting is never applied after the first GPO deployment fails on a client computer that is running Windows 7 or Windows Server 2008 R2

Source: Jul. 29 – Aug. 12 Hot-Fix KB articles Weekly Release – Windows 6/7 – The Hot Blog – Site Home – TechNet Blogs

Group Policy Setting of the Week 38 – Remove pinned programs from the Taskbar

The setting of the week this week disables one of the features in Windows 7 that allows users to pin programs to the taskbar. This option will be handy if you are in an environment where you want to prevent users from customising the taskbar, such as a kiosk or library style computer. The setting can be found under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar and only applies to Windows 7.

Note: If you do apply this setting to your existing users all the existing pinned taskbar programs will be removed on the next logon.


With the setting enabled, the UI changes as follows:

  • “Pin to Taskbar” is removed
  • “Pin this program to taskbar” is removed
  • All existing pinned programs will be removed.

Group Policy Setting of the Week 37 – Change Start Menu power button

This week’s setting of the week is called “Change Start Menu power button”, which allows you to configure the Start Menu shutdown button in Windows 7 and Windows Server 2008 R2. You can find this setting under User Configuration > Policies > Administrative Templates > Start Menu and Taskbar.

If you have set up your computer to support Hybrid-Sleep then you should consider configuring this option to help ensure that your users select the “sleep” option.

[Screenshots: the Start Menu power button before and after the setting is applied]

Note: If you select the “Sleep” or “Hibernate” options and the computer does not support that power mode then the option of shutdown will be used instead.

Book Review: Least Privilege Security for Windows 7, Vista and XP

I was recently approached to do a book review on “Least Privilege Security for Windows 7, Vista and XP” by Russell Smith, published by Packt Publishing. This book is a comprehensive guide showing how to configure your Windows environment so that your users can operate without administrator permissions. While most administrators realise that giving administrator access to end users is really poor practice and can lead to many security issues, it is quite often a permission that some users require to do their job for whatever reason.

It’s good to see that this book is quite comprehensive in the number of areas of technology it covers, as I firmly believe that you really need to take a multi-pronged approach when it comes to security. Here is a list of just some of the technologies that this book talks about to achieve Least Privilege Security:

  • Program Compatibility Wizard
  • Applications Compatibility Wizard
  • User Account Control
  • Group Policy Software Deployment
  • Internet Explorer Add-on Management
  • Troubleshooting Remote Users
  • Configuring Windows Firewall
  • Software Restrictions Policies and AppLocker
  • Microsoft Deployment Toolkit
  • CD Burning
  • ActiveX Controls
  • Changing system time and time zones
  • Power Management
  • Managing networks
  • Standard Users Analyzer
  • Applications Compatibility Toolkit
  • Logon Scripts
  • Remote Desktop Services
  • App-V
  • Med-V

In quite a lot of chapters Russell goes into detailed step-by-step instructions explaining how to use the above technologies. But what I really like is that he also takes the time to talk about how to approach the cultural and political challenges in implementing this security model, as this is normally the hardest part of achieving a secure environment.

Configuring security is something that organisations rarely spend much time thinking about and even more rarely do anything about. Having this book in your library will at least give you the knowledge that is required to start to configure your Windows system to be more secure. I would definitely recommend this book as a reference to anyone in an organisation who is responsible for designing and/or making changes to their Windows environment.

As a special offer Packt Publishing are also letting people download a preview chapter of this book: Chapter No. 3 – Solving Least Privilege Problems with the Application Compatibility Toolkit

Packt Publishing have also announced a discount for purchases of two or more books, so you could use this offer to get a discount when you buy another book from their catalogue (see new-discounts-launched-purchases-multiple-books for details).

You can purchase the paper and/or PDF (for convenient iPad reading) version of this book right now from: Least Privilege Security for Windows 7, Vista and XP by Russell Smith

The complete list of Group Policy Hotfix’s in Windows 7/2008 R2 Service Pack 1

The beta of Windows 7/Server 2008 R2 Service Pack 1 has now been released to the public for testing. For your benefit I have parsed through the complete list of hotfixes and I have listed all the Group Policy specific ones. If you just want the service pack right now you can download it here: http://technet.microsoft.com/en-us/evalcenter/ff183870.aspx

I have highlighted the two hotfixes that stand out in my mind as the most annoying bugs with Group Policy in Windows 7 RTM.

I have also posted an installation screenshot walkthrough on my other blog here: http://www.smartergeek.info/2010/07/install-screenshots-windows-7-service-pack-1-beta/

| Hotfix Description | Link to support article |
| --- | --- |
| After Internet Explorer Maintenance Group Policy settings are configured in a domain, a 20-second delay occurs when you log on to the domain from a client computer that has Internet Explorer 7 or Internet Explorer 8 installed | http://support.microsoft.com/kb/941158 |
| FIX: You cannot import or paste some group policies across domains by using the “Group Policy Management” MMC snap-in | http://support.microsoft.com/kb/969867 |
| SceCli 1202 events are logged every time Computer Group Policy settings are refreshed on a computer that is running Windows Server 2008 R2 or Windows 7 | http://support.microsoft.com/kb/974639 |
| Roaming user profile cache is not deleted from a Windows Server 2003-based computer if Group Policy preferences and Internet Explorer Maintenance Group Policy settings are used | http://support.microsoft.com/kb/975619 |
| LDAP filters in the Group Policy preference settings do not take effect on a computer that is running Windows Server 2008 R2 or Windows 7 | http://support.microsoft.com/kb/976398 |
| FIX: You cannot apply Group Policy settings on a computer that is running Windows 7 or Windows Server 2008 R2 when security group filters are used in Group Policy preference settings | http://support.microsoft.com/kb/976399 |
| A Group Policy Immediate Task preference item does not run on a client computer that is running Windows 7 or Windows Server 2008 R2 | http://support.microsoft.com/kb/977353 |
| The SceCli 1202 events are logged when some Group Policy settings are refreshed in Windows Server 2008 R2 and in Windows 7 | http://support.microsoft.com/kb/977695 |
| The “Desktop Wallpaper” Group Policy setting is not applied in Windows 7 or in Windows Server 2008 R2 | http://support.microsoft.com/kb/977944 |
| Logoff process stops responding after you create a logoff Group Policy script on a client computer that is running Windows Vista or Windows Server 2008 | http://support.microsoft.com/kb/978489 |
| The Group Policy Management Editor window crashes when you apply some changes for NRPT policy settings | http://support.microsoft.com/kb/978837 |
| Error message when you view or modify the migrated Group Policy objects in Windows Server 2008 R2: “Attribute cannot be empty” | http://support.microsoft.com/kb/979039 |
| After you apply a WMI filter, the GPO does not take effect on a client computer that is running Windows 7 or Windows Server 2008 R2 | http://support.microsoft.com/kb/979383 |
| Some Group Policy preferences are not applied successfully on computers that are running Windows 7 or Windows Server 2008 R2 | http://support.microsoft.com/kb/979731 |
| The “Allow the printing of background colors and images” Group Policy setting does not take effect on a computer that has Internet Explorer 8 installed | http://support.microsoft.com/kb/980077 |
| The “Load a specific theme” Group Policy setting is not applied correctly on a computer that is running Windows 7 or Windows Server 2008 R2 | http://support.microsoft.com/kb/980628 |
| The “Configure new tab page default behavior” Group Policy setting does not work on a computer that is running Windows 7 or Windows Server 2008 R2 and that has Internet Explorer 8 installed | http://support.microsoft.com/kb/980959 |
| The Group Policy preference settings for the “Terminal Session” item-level targeting item are not applied in Windows 7 or in Windows Server 2008 R2 | http://support.microsoft.com/kb/981054 |
| You can still unpin a program from the taskbar unexpectedly when you enable the “Do not allow pinning programs to the Taskbar” Group Policy on a computer that is running Windows 7 or Windows Server 2008 R2 | http://support.microsoft.com/kb/981177 |
| You cannot create a software installation Group Policy setting on a read-only domain controller in Windows Server 2008 R2 | http://support.microsoft.com/kb/981265 |
| Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies” | http://support.microsoft.com/kb/981750 |
| You cannot open an HTML GPO report that is created by the German version of Windows Server 2008 R2 or of Windows 7 | http://support.microsoft.com/kb/981877 |

Group Policy Setting of the Week 32 – Prevent changing mouse pointers

The group policy setting for the week this week is a new policy setting for Windows 7/2008 R2. This setting is called “Prevent changing mouse pointers” and can be found under User Configuration > Policies > Administrative Templates > Control Panel > Personalization. This setting is handy if you want to tightly control the user environment such as public access computers in a library or a common shared computer.


The “Pointers” tab is present when the policy is Not Configured or Disabled, and is removed when the policy is Enabled.

Be careful when you apply this setting, however, as it will lock the user into whatever mouse pointer scheme they had active at the time the policy is applied.

P.S. I jumped #30 and #31 because I recently discovered that I had two other setting of the week posts with the same number. So as not to rename all the other settings of the week, I have decided to just correct the numbering from this article going forward.