Latest revision as of 15:28, 19 September 2013

Getting Started

To start the Group Policy Managment Console (GPMC)...

Start mmc.exe
Go to File | Add/Remove Snap-in...
Add the Group Policy Management
Browse to Group Policy Objects
Right-click and create a new GPO

Policy Application

Interval

By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance. Additionally...

Computer Configuration policies are refreshed at boot
User Configuration polices are refreshed at login

To change the interval for

Computers
- In Computer Configuration | Policies | Administrative Templates | System | Group Policy
- Update Group Policy refresh interval for computers
Users
- In User Configuration | Policies | Administrative Templates | System | Group Policy
- Update Group Policy refresh interval for users

Manual

To refresh polices on the current machine

gpupdate

To see the results of the last refresh (open the created HTML file)

gpresult /H GPreport.html

Filter by Security Group

To only apply to certain to groups

On the Scope tab, within the Security Filtering field
Remove the Authenticated Users groups
Add the appropriate groups

To prevent application to certain groups

On the Delegation tab, and click on the Advanced... tab
Add the appropriate group(s) and for Apply group policy check Deny

Policy vs Preference

Within both the User and Computer configuration sections of a GPO are two sub-sections, Policies and Preferences

Policies
- Are enforced on users and cannot be changed or overridden by them
Preferences
- Are applied, but can be changed by the user. However they will be applied when the policy refreshes, unless the Apply once and do not reapply is selected

Precedence

Policy's that get applied 1st (have a lower Precedence number when viewed in the Group Policy Inheritance tab of an OU) overrule any subsequent policies. Therefore any policy applied to an OU, will take precedence of an inherited rule from a parent OU.

Common Policy Paths

Auditing (Event) logging	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Local Polices \| Audit Policy
Default Local Admin	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Restricted Groups
Password	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Account Polices \| Password Policy
Power Options	Computer Configuration \| Preferences \| Control panel Settings \| Power Options \| Power Scheme
Proxy	User Configuration\| Policies \| Windows Settings \| Internet Explorer Maintenance \| Connection \| Proxy Settings
Remote Desktop	Computer Configuration \| Polices \| Administrative Templates \| Windows Components \| Remote Desktop Services \| Remote Desktop Session Host \| Connections
Screen Saver	User Configuration \| Polices \| Administrative Templates \| Control Panel \| Personalization \| Enable screen saver
Security Policy Options	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Local Polices \| Security Options
Windows Update	Computer Configuration \| Polices \| Administrative Templates \| Windows Components \| Windows Update

Group Policy Object (GPO) Examples

Default Local Administrator

To give a particular domain security group, local admin rights over machines affected by the GPO

Browse to Computer Configuration | Polices | Windows Settings | Security Settings | Restricted Groups
Select Add Group...
Locate the security group, and then add it to appropriate local group (eg BUILTIN\Administrators)

To ensure the local admin account is enabled with correct password...

Go to Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Security Options
Set Accounts: Administrator account status to Enabled
Go to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
Right-click over right hand pane and select New | Local User
In the User name field select Administrator (built-in)
Enter password, uncheck User must change password at next logon, check Password never expires

Branding

Logon Screen

The following steps allow a customised logon background, if you have multiple versions of background file at different sizes these can all be used. The files need to end up in %windir%\system32\oobe\info\backgrounds\ and must follow this naming convention...

backgroundDefault.jpg - Must exist - will be used if no proper fit file can be found
background1280x800.jpg - Optional, copy on as many different files as you have different size versions available, using the appropriate resolution in the filename

To set-up...

Put your background file(s) on a share that can be read by all
Configure a rule to copy the file(s) to the local machine
1. Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
  - EG Destination - %windir%\system32\oobe\info\backgrounds\background1680x1050.jpg
  - Suppress errors on individual file actions - Check
Configure a rule to update the registry
1. Computer Configuration | Preferences | Windows Settings | Registry
  - Hive - HKEY_LOCAL_MACHINE
  - Key Path - SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  - Value name - OEMBackground
  - Value - REG_DWORD 1

Note that if a previously customised logon screen exists on target computers, you will need to ensure that new files are copied over with the Action field set to Replace to ensure that they are overwritten, and also ensure that any files that aren't overwritten by the new background files are deleted. To delete, in Computer Configuration | Preferences | Windows Settings | Files, create a new entry with the following parameters

Action - Delete
EG Destination - %windir%\system32\oobe\info\backgrounds\background1024x768.jpg
Suppress errors on individual file actions - Check

Desktop Background

Put your background file on a share that can be read by all
Configure a rule to copy the file to the local machine
- Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
  - EG Destination - C:\Backgrounds\MyCompany_1680x1050.jpg - note that you must specify the filename, even if its unchanged by the copy
Configure a rule to update the registry
1. User Configuration | Polices | Administrative Templates | Desktop | Desktop
2. Update the Desktop Wallpaper setting with the file path and set Wallpaper Style to Fill

Screen Saver

Put your screen saver executable on a share that can be read by all
- It must be a SCR file - if your screen saver is distributed/installed by an installer (.MSI or .EXE), look at the registry entry HKCU\Control Panel\Desktop\SCRNSAVE.EXE to find the .SCR file on a machine running the screen saver
Configure a rule to copy the file to the local machine
1. Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\CompanyScreenSaver.scr - update as required
  - EG Destination - %windir%\system32\CompanyScreenSaver.scr - note that you must specify the filename, even if its unchanged by the copy
Configure the following to enable the screensaver
1. In User Configuration | Polices | Administrative Templates | Control Panel | Personalization
2. Set Enable screen saver to Enabled
3. Set Screen Saver Timeout to the appropriate number of seconds, eg 900 for 15 mins
4. Set Password protect the screensaver to Enabled
  - Optional - forces user to login to exit the screensaver

Internet Explorer

Proxy

In order to configure proxy settings, browse to...

User Configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings

This will still let users change the settings, to prevent this...

Browse to User Configuration| Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel


Enable the Disable the Connections page setting

Favourites

In order to add pre-defined favourites to Internet Explorer...

Browse to  User Configuration| Policies | Windows Settings | Internet Explorer Maintenance | URLs 
Right-click over  Favorites and Links 
Favourites can be added to the Favorites section
Links (which appear in the Favorites bar above the webpage in IE, if viewable) can be added to the Links section
Don't check Delete existing Favorites and Links, if present unless you're sure users won't have their own links there already

Fonts

In order to deploy/install fonts to client machines you need to do two things...

Copy the font file(s) to C:\Windows\Fonts
Create a registry value to make the font available to the system (in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts)

This is very laborious if you need to deploy a large number of font files, but it does work.  Note that gpupdate /force doesn't always succeed in making the fonts available to Word etc, restart the client machine in question.
To set-up...

Install the font(s) onto an example machine 1st
This enables you to copy the registry keys required
Put the font file(s) on a share that can be read by all
Configure a rule to copy the file(s) to the local machine
 Computer Configuration | Preferences | Windows Settings | Files 
EG Source - \\file-svr\priv$\Branding\Fonts\LTYPO.TTF - update as required
EG Destination - %windir%\Fonts\LTYPO.TTF
Suppress errors on individual file actions - Check
Configure a rule to create the required registry values (using the registry on the example machine as a reference)
 Computer Configuration | Preferences | Windows Settings | Registry 
Hive - HKEY_LOCAL_MACHINE
Key Path - SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts
Value name - Example Font (TrueType) - update as required
Value - REG_SZ LTYPO.TTF - update as required

@@ Line 1: / Line 1: @@
-== Getting Started ==
+= Getting Started =
+To start the Group Policy Managment Console (GPMC)...
 # Start <code>mmc.exe</code>
 # Go to '''File <nowiki>|</nowiki> Add/Remove Snap-in...'''
@@ Line 6: / Line 7: @@
 # Right-click and create a new GPO
-By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance.  Additionally, Computer Configuration policies are refreshed at boot, and User Configuration polices are refreshed at login.
+== Policy Application ==
+=== Interval ===
+By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance.  Additionally...
+* Computer Configuration policies are refreshed at boot
+* User Configuration polices are refreshed at login
+To change the interval for
+* Computers
+** In <code>Computer Configuration <nowiki>|</nowiki> Policies <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> System <nowiki>|</nowiki> Group Policy </code>
+** Update ''Group Policy refresh interval for computers''
+* Users
+** In <code>User Configuration <nowiki>|</nowiki> Policies <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> System <nowiki>|</nowiki> Group Policy </code>
+** Update ''Group Policy refresh interval for users''
+=== Manual ===
 To refresh polices on the current machine
 * <code> gpupdate </code>
@@ Line 13: / Line 27: @@
 * <code> gpresult /H GPreport.html </code>
+=== Filter by Security Group ===
+To only apply to certain to groups
+# On the '''Scope''' tab, within the '''Security Filtering''' field
+# Remove the ''Authenticated Users'' groups
+# Add the appropriate groups
+To prevent application to certain groups
+# On the '''Delegation''' tab, and click on the '''Advanced...''' tab
+# Add the appropriate group(s) and for '''Apply group policy''' check '''Deny'''
+== Policy vs Preference ==
+Within both the User and Computer configuration sections of a GPO are two sub-sections, Policies and Preferences
+* Policies
+** Are enforced on users and cannot be changed or overridden by them
+* Preferences
+** Are applied, but can be changed by the user. However they will be applied when the policy refreshes, unless the ''Apply once and do not reapply'' is selected
+== Precedence ==
+Policy's that get applied 1st (have a lower Precedence number when viewed in the ''Group Policy Inheritance'' tab of an OU) overrule any subsequent policies.  Therefore any policy applied to an OU, will take precedence of an inherited rule from a parent OU.
-== Common Policy Paths ==
+= Common Policy Paths =
 {|class="vwikitable"
 |-
@@ Line 32: / Line 66: @@
 | User Configuration<nowiki>|</nowiki> Policies <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Internet Explorer Maintenance <nowiki>|</nowiki> Connection <nowiki>|</nowiki> Proxy Settings
 |-
-! Screen Saver
+! Remote Desktop
+| Computer Configuration <nowiki>|</nowiki> Polices <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> Windows Components <nowiki>|</nowiki> Remote Desktop Services <nowiki>|</nowiki> Remote Desktop Session Host <nowiki>|</nowiki> Connections
+|-
+! [[#Screen_Saver|Screen Saver]]
 | User Configuration <nowiki>|</nowiki> Polices <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> Control Panel <nowiki>|</nowiki> Personalization <nowiki>|</nowiki> Enable screen saver
 |-
 ! Security Policy Options
 | Computer Configuration <nowiki>|</nowiki> Polices <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Security Settings <nowiki>|</nowiki> Local Polices <nowiki>|</nowiki> Security Options
+|-
+! Windows Update
+| Computer Configuration <nowiki>|</nowiki> Polices <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> Windows Components <nowiki>|</nowiki> Windows Update
 |}
-== Group Policy Object (GPO) Examples ==
+= Group Policy Object (GPO) Examples =
-=== Default Local Administrator ===
+== Default Local Administrator ==
 To give a particular domain security group, local admin rights over machines affected by the GPO
@@ Line 55: / Line 95: @@
 # Enter password, uncheck ''User must change password at next logon'', check ''Password never expires''
-=== Internet Explorer ===
+== Branding ==
-==== Proxy ====
+=== Logon Screen ===
+The following steps allow a customised logon background, if you have multiple versions of background file at different sizes these can all be used.  The files need to end up in <code>%windir%\system32\oobe\info\backgrounds\</code> and must follow this naming convention...
+* <code>backgroundDefault.jpg</code> - Must exist - will be used if no proper fit file can be found
+* <code>background1280x800.jpg</code> - Optional, copy on as many different files as you have different size versions available, using the appropriate resolution in the filename
+To set-up...
+# Put your background file(s) on a share that can be read by all
+# Configure a rule to copy the file(s) to the local machine
+## <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Files </code>
+##* EG ''Source'' - <code>\\file-svr\priv$\Branding\MyCompany_1680x1050.jpg</code> - update as required
+##* EG ''Destination'' - <code>%windir%\system32\oobe\info\backgrounds\background1680x1050.jpg</code>
+##* ''Suppress errors on individual file actions'' - '''Check'''
+# Configure a rule to update the registry
+## <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Registry </code>
+##* ''Hive'' - <code>HKEY_LOCAL_MACHINE</code>
+##* ''Key Path'' - <code>SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background</code>
+##* ''Value name'' - <code>OEMBackground</code>
+##* ''Value'' - <code>REG_DWORD 1</code>
+Note that if a previously customised logon screen exists on target computers, you will need to ensure that new files are copied over with the ''Action'' field set to '''Replace''' to ensure that they are overwritten, and also ensure that any files that aren't overwritten by the new background files are deleted.  To delete, in <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Files</code>, create a new entry with the following parameters
+* ''Action'' - '''Delete'''
+* EG ''Destination'' - <code>%windir%\system32\oobe\info\backgrounds\background1024x768.jpg</code>
+* ''Suppress errors on individual file actions'' - '''Check'''
+=== Desktop Background ===
+# Put your background file on a share that can be read by all
+# Configure a rule to copy the file to the local machine
+#* <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Files </code>
+#** EG ''Source'' - <code>\\file-svr\priv$\Branding\MyCompany_1680x1050.jpg</code> - update as required
+#** EG ''Destination'' - <code>C:\Backgrounds\MyCompany_1680x1050.jpg</code> - note that you must specify the filename, even if its unchanged by the copy
+# Configure a rule to update the registry
+## <code> User Configuration <nowiki>|</nowiki> Polices <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> Desktop <nowiki>|</nowiki> Desktop</code>
+## Update the ''Desktop Wallpaper'' setting with the file path and set ''Wallpaper Style'' to '''Fill'''
+=== Screen Saver ===
+# Put your screen saver executable on a share that can be read by all
+#* It must be a SCR file - if your screen saver is distributed/installed by an installer (.MSI or .EXE), look at the registry entry <code>HKCU\Control Panel\Desktop\SCRNSAVE.EXE</code> to find the .SCR file on a machine running the screen saver
+# Configure a rule to copy the file to the local machine
+## <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Files </code>
+##* EG ''Source'' - <code>\\file-svr\priv$\Branding\CompanyScreenSaver.scr</code> - update as required
+##* EG ''Destination'' - <code>%windir%\system32\CompanyScreenSaver.scr</code> - note that you must specify the filename, even if its unchanged by the copy
+# Configure the following to enable the screensaver
+## In <code> User Configuration <nowiki>|</nowiki> Polices <nowiki>|</nowiki> Administrative Templates <nowiki>|</nowiki> Control Panel <nowiki>|</nowiki> Personalization</code>
+## Set ''Enable screen saver'' to '''Enabled'''
+## Set ''Screen Saver Timeout'' to the appropriate number of seconds, eg <code>900</code> for 15 mins
+## Set ''Password protect the screensaver'' to ''Enabled''
+##* Optional - forces user to login to exit the screensaver
+== Internet Explorer ==
+=== Proxy ===
 In order to configure proxy settings, browse to...
 * <code>User Configuration <nowiki>|</nowiki> Policies <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Internet Explorer Maintenance <nowiki>|</nowiki> Connection <nowiki>|</nowiki> Proxy Settings</code>
@@ Line 64: / Line 153: @@
 # '''Enable''' the <code>Disable the Connections page</code> setting
-==== Favourites ====
+=== Favourites ===
 In order to add pre-defined favourites to Internet Explorer...
 # Browse to <code> User Configuration<nowiki>|</nowiki> Policies <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Internet Explorer Maintenance <nowiki>|</nowiki> URLs </code>
@@ Line 71: / Line 160: @@
 #* Links (which appear in the Favorites bar above the webpage in IE, if viewable) can be added to the '''Links''' section
 #* Don't check ''Delete existing Favorites and Links, if present'' unless you're sure users won't have their own links there already
+== Fonts ==
+In order to deploy/install fonts to client machines you need to do two things...
+# Copy the font file(s) to <code>C:\Windows\Fonts</code>
+# Create a registry value to make the font available to the system (in <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts</code>)
+This is very laborious if you need to deploy a large number of font files, but it does work.  Note that <code>gpupdate /force</code> doesn't always succeed in making the fonts available to Word etc, restart the client machine in question.
+To set-up...
+# Install the font(s) onto an example machine 1st
+#* This enables you to copy the registry keys required
+# Put the font file(s) on a share that can be read by all
+# Configure a rule to copy the file(s) to the local machine
+#* <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Files </code>
+#** EG Source - <code>\\file-svr\priv$\Branding\Fonts\LTYPO.TTF</code> - update as required
+#** EG Destination - <code>%windir%\Fonts\LTYPO.TTF</code>
+#** Suppress errors on individual file actions - Check
+# Configure a rule to create the required registry values (using the registry on the example machine as a reference)
+#* <code> Computer Configuration <nowiki>|</nowiki> Preferences <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Registry </code>
+#** ''Hive'' - <code>HKEY_LOCAL_MACHINE</code>
+#** ''Key Path'' - <code>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts</code>
+#** ''Value name'' - <code>Example Font (TrueType)</code> - update as required
+#** ''Value'' - <code>REG_SZ LTYPO.TTF</code> - update as required
 [[Category:Microsoft]]
 [[Category:Windows]]
 [[Category:Active Directory]]

Group Policy (Active Directory): Difference between revisions

Latest revision as of 15:28, 19 September 2013

Contents

Getting Started

Policy Application

Interval

Manual

Filter by Security Group

Policy vs Preference

Precedence

Common Policy Paths

Group Policy Object (GPO) Examples

Default Local Administrator

Branding

Logon Screen

Desktop Background

Screen Saver

Internet Explorer

Proxy

Favourites

Fonts

Navigation menu

Group Policy (Active Directory): Difference between revisions

Latest revision as of 15:28, 19 September 2013

Getting Started

Policy Application

Interval

Manual

Filter by Security Group

Policy vs Preference

Precedence

Common Policy Paths

Group Policy Object (GPO) Examples

Default Local Administrator

Branding

Logon Screen

Desktop Background

Screen Saver

Internet Explorer

Proxy

Favourites

Fonts

Navigation menu

Search