Group Policy (Active Directory)
Getting Started
To start the Group Policy Management Console (GPMC)...
- Start mmc.exe
- Go to File | Add/Remove Snap-in...
- Add the Group Policy Management snap-in
- Browse to Group Policy Objects
- Right-click and create a new GPO
Policy Application
Interval
By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance. Additionally...
- Computer Configuration policies are refreshed at boot
- User Configuration policies are refreshed at login
To change the interval for...
- Computers - in Computer Configuration | Policies | Administrative Templates | System | Group Policy, update Group Policy refresh interval for computers
- Users - in User Configuration | Policies | Administrative Templates | System | Group Policy, update Group Policy refresh interval for users
Manual
To refresh policies on the current machine
gpupdate
To see the results of the last refresh (open the created HTML file)
gpresult /H GPreport.html
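As an added example (not part of the original page), the same check done from PowerShell: refresh, export the resultant set of policy as XML with gpresult /X, and list which GPOs were applied or denied, so a refresh can be verified without opening the HTML report. Element names are those of the gpresult XML report; the report path is an arbitrary choice, and the computer scope is only present when run elevated.

```powershell
# Added example, not from the original page: force a refresh, export the
# resultant set of policy as XML and list applied versus denied GPOs.
# Run elevated to include the ComputerResults scope.
$report = Join-Path $env:TEMP 'GPreport.xml'   # arbitrary output path

gpupdate /force | Out-Null
gpresult /X $report /F | Out-Null              # /F overwrites an existing file

[xml]$rsop = Get-Content -Path $report -Raw

foreach ($scope in 'ComputerResults', 'UserResults') {
    $node = $rsop.Rsop.$scope
    if (-not $node) { continue }               # scope missing when not elevated
    Write-Host "== $scope =="
    foreach ($gpo in $node.GPO) {
        # A GPO counts as applied only if it is enabled, valid, and the
        # security/WMI filters allowed it for this computer or user.
        $applied = ($gpo.Enabled -eq 'true') -and
                   ($gpo.IsValid -eq 'true') -and
                   ($gpo.FilterAllowed -eq 'true') -and
                   ($gpo.AccessDenied -ne 'true')
        $status = if ($applied) { 'applied' } else { 'denied ' }
        $links  = @($gpo.Link.SOMPath) -join ', '
        Write-Host ('{0}  {1,-40} linked at {2}' -f $status, $gpo.Name, $links)
    }
}
```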
Common Policy Paths
Setting | Path
---|---
Auditing (Event) logging | Computer Configuration \| Policies \| Windows Settings \| Security Settings \| Local Policies \| Audit Policy
Default Local Admin | Computer Configuration \| Policies \| Windows Settings \| Security Settings \| Restricted Groups
Password | Computer Configuration \| Policies \| Windows Settings \| Security Settings \| Account Policies \| Password Policy
Power Options | Computer Configuration \| Preferences \| Control Panel Settings \| Power Options \| Power Scheme
Proxy | User Configuration \| Policies \| Windows Settings \| Internet Explorer Maintenance \| Connection \| Proxy Settings
Screen Saver | User Configuration \| Policies \| Administrative Templates \| Control Panel \| Personalization \| Enable screen saver
Security Policy Options | Computer Configuration \| Policies \| Windows Settings \| Security Settings \| Local Policies \| Security Options
Group Policy Object (GPO) Examples
Default Local Administrator
To give a particular domain security group local admin rights over machines affected by the GPO...
- Browse to Computer Configuration | Policies | Windows Settings | Security Settings | Restricted Groups
- Select Add Group...
- Locate the security group, and then add it to the appropriate local group (eg BUILTIN\Administrators)
To ensure the local admin account is enabled with the correct password...
- Go to Computer Configuration | Policies | Windows Settings | Security Settings | Local Policies | Security Options
- Set Accounts: Administrator account status to Enabled
- Go to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
- Right-click over the right hand pane and select New | Local User
- In the User name field select Administrator (built-in)
- Enter the password, uncheck User must change password at next logon, check Password never expires
Note that a password entered in a Preferences item is stored in the GPO's XML in SYSVOL (the cpassword attribute) in a reversibly encrypted form readable by every domain user; Microsoft removed this option in MS14-025, and LAPS is the supported way to manage the local Administrator password.
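As an added example (not part of the original page), a check run on a client that the Restricted Groups and Security Options settings above actually took effect. 'MYDOMAIN\Workstation Admins' is an assumed placeholder for the domain group added via Restricted Groups.

```powershell
# Added example, not from the original page: verify local Administrators
# membership and the built-in Administrator account state on this machine.
# 'MYDOMAIN\Workstation Admins' is a placeholder; replace with the real group.
$expectedMembers = @(
    'MYDOMAIN\Workstation Admins',    # group added through Restricted Groups
    'MYDOMAIN\Domain Admins'          # present on domain-joined machines by default
)

# 1. Local Administrators membership versus what the GPO is meant to enforce.
#    Adding the group via "This group is a member of" keeps existing members,
#    so anything beyond the expected list (and the built-in account) needs review.
$actual  = Get-LocalGroupMember -Group 'Administrators' |
           Select-Object -ExpandProperty Name
$missing = $expectedMembers | Where-Object { $_ -notin $actual }
$extra   = $actual | Where-Object {
    ($_ -notin $expectedMembers) -and ($_ -notmatch '\\Administrator$')
}

# 2. Built-in Administrator (RID 500) enabled with a non-expiring password,
#    as set by "Accounts: Administrator account status" and the Local User item.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    MissingAdmins        = $missing -join ', '
    UnexpectedAdmins     = $extra -join ', '
    BuiltinAdminName     = $builtin.Name
    BuiltinAdminEnabled  = $builtin.Enabled
    PasswordNeverExpires = ($null -eq $builtin.PasswordExpires)
} | Format-List
```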
Branding
Logon Screen
The following steps allow a customised logon background; if you have multiple versions of the background file at different sizes these can all be used. The files need to end up in %windir%\system32\oobe\info\backgrounds\ and must follow this naming convention...
- backgroundDefault.jpg - must exist; will be used if no properly fitting file can be found
- background1280x800.jpg - optional; copy on as many different files as you have different size versions available, using the appropriate resolution in the filename
To set-up...
- Put your background file(s) on a share that can be read by all
- Configure a rule to copy the file(s) to the local machine in Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
  - EG Destination - %windir%\system32\oobe\info\backgrounds\background1680x1050.jpg
  - Suppress errors on individual file actions - Check
- Configure a rule to update the registry in Computer Configuration | Preferences | Windows Settings | Registry
  - Hive - HKEY_LOCAL_MACHINE
  - Key Path - SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  - Value name - OEMBackground
  - Value - REG_DWORD 1
Note that if a previously customised logon screen exists on target computers, you will need to delete any files that aren't overwritten by the new background files. So in Computer Configuration | Preferences | Windows Settings | Files, create a new entry with the following parameters
- Action - Delete
- EG Destination - %windir%\system32\oobe\info\backgrounds\background1024x768.jpg
- Suppress errors on individual file actions - Check
Desktop Background
- Put your background file on a share that can be read by all
- Configure a rule to copy the file to the local machine in Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
  - EG Destination - C:\Backgrounds\MyCompany_1680x1050.jpg - note that you must specify the filename, even if it's unchanged by the copy
- Configure a rule to update the registry in User Configuration | Policies | Administrative Templates | Desktop | Desktop
  - Update the Desktop Wallpaper setting with the file path and set Wallpaper Style to Fill
Screen Saver
- Put your screen saver executable on a share that can be read by all
  - It must be a SCR file - if your screen saver is distributed/installed by an installer (.MSI or .EXE), look at the registry entry HKCU\Control Panel\Desktop\SCRNSAVE.EXE to find the .SCR file on a machine running the screen saver
- Configure a rule to copy the file to the local machine in Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\CompanyScreenSaver.scr - update as required
  - EG Destination - %windir%\system32\CompanyScreenSaver.scr - note that you must specify the filename, even if it's unchanged by the copy
- Configure the following to enable the screensaver in User Configuration | Policies | Administrative Templates | Control Panel | Personalization
  - Set Enable screen saver to Enabled
  - Set Screen Saver Timeout to the appropriate number of seconds, eg 900 for 15 mins
  - Set Password protect the screensaver to Enabled - optional; forces the user to login to exit the screensaver
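As an added example (not part of the original page), a client-side check covering both the logon background and the screen saver sections above: it confirms the OEMBackground value, the presence and naming of the background files, and the screen saver policy values that the Personalization settings write. Registry paths and value names are those the page configures; the 256 KB limit is the documented maximum Windows accepts for OEM logon background images.

```powershell
# Added example, not from the original page: verify branding settings applied
# to this machine and the current user. Run after a gpupdate as that user.
$issues = @()

# Logon screen: OEMBackground flag and the background image files
$bgKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background'
$oem = (Get-ItemProperty -Path $bgKey -Name OEMBackground -ErrorAction SilentlyContinue).OEMBackground
if ($oem -ne 1) { $issues += "OEMBackground is '$oem', expected REG_DWORD 1" }

$bgDir = Join-Path $env:windir 'system32\oobe\info\backgrounds'
if (-not (Test-Path (Join-Path $bgDir 'backgroundDefault.jpg'))) {
    $issues += 'backgroundDefault.jpg is missing (required fallback file)'
}
Get-ChildItem -Path $bgDir -Filter '*.jpg' -ErrorAction SilentlyContinue | ForEach-Object {
    # Files outside the naming convention are silently ignored by LogonUI
    if ($_.Name -notmatch '^background(Default|\d+x\d+)\.jpg$') {
        $issues += "$($_.Name) does not follow the backgroundWxH.jpg convention"
    }
    # Images over 256 KB are not displayed; the default logon screen is shown instead
    if ($_.Length -gt 256KB) {
        $issues += "$($_.Name) is $([math]::Round($_.Length / 1KB)) KB, over the 256 KB limit"
    }
}

# Screen saver: the Personalization policies write REG_SZ values to the
# per-user policy key once the user GPO has applied.
$ssKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss = Get-ItemProperty -Path $ssKey -ErrorAction SilentlyContinue
$expected = @{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '900' }
foreach ($name in $expected.Keys) {
    if ($ss.$name -ne $expected[$name]) {
        $issues += "$name is '$($ss.$name)', expected $($expected[$name])"
    }
}
# Only set if a specific screen saver is forced by policy; verify the .scr exists
if ($ss.'SCRNSAVE.EXE' -and -not (Test-Path $ss.'SCRNSAVE.EXE')) {
    $issues += "SCRNSAVE.EXE points to missing file $($ss.'SCRNSAVE.EXE')"
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'Branding settings OK' }
```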
Internet Explorer
Proxy
In order to configure proxy settings, browse to...
User Configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings
This will still let users change the settings; to prevent this...
- Browse to User Configuration | Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel
- Enable the Disable the Connections page setting
Favourites
In order to add pre-defined favourites to Internet Explorer...
- Browse to User Configuration | Policies | Windows Settings | Internet Explorer Maintenance | URLs
- Right-click over Favorites and Links
  - Favourites can be added to the Favorites section
  - Links (which appear in the Favorites bar above the webpage in IE, if viewable) can be added to the Links section
  - Don't check Delete existing Favorites and Links, if present, unless you're sure users won't have their own links there already