Group Policy (Active Directory)

From vwiki
Revision as of 14:36, 7 August 2013 by Sstrutt (talk | contribs) (→‎Logon Screen: Added note)
Jump to navigation Jump to search

Getting Started

To start the Group Policy Managment Console (GPMC)...

  1. Start mmc.exe
  2. Go to File | Add/Remove Snap-in...
  3. Add the Group Policy Management
  4. Browse to Group Policy Objects
  5. Right-click and create a new GPO

Policy Application

Interval

By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance. Additionally...

  • Computer Configuration policies are refreshed at boot
  • User Configuration polices are refreshed at login

To change the interval for

  • Computers
    • In Computer Configuration | Policies | Administrative Templates | System | Group Policy
    • Update Group Policy refresh interval for computers
  • Users
    • In User Configuration | Policies | Administrative Templates | System | Group Policy
    • Update Group Policy refresh interval for users

Manual

To refresh polices on the current machine

  • gpupdate

To see the results of the last refresh (open the created HTML file)

  • gpresult /H GPreport.html

Common Policy Paths

Auditing (Event) logging Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Audit Policy
Default Local Admin Computer Configuration | Polices | Windows Settings | Security Settings | Restricted Groups
Password Computer Configuration | Polices | Windows Settings | Security Settings | Account Polices | Password Policy
Power Options Computer Configuration | Preferences | Control panel Settings | Power Options | Power Scheme
Proxy User Configuration| Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings
Screen Saver User Configuration | Polices | Administrative Templates | Control Panel | Personalization | Enable screen saver
Security Policy Options Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Security Options

Group Policy Object (GPO) Examples

Default Local Administrator

To give a particular domain security group, local admin rights over machines affected by the GPO

  1. Browse to Computer Configuration | Polices | Windows Settings | Security Settings | Restricted Groups
  2. Select Add Group...
  3. Locate the security group, and then add it to appropriate local group (eg BUILTIN\Administrators)

To ensure the local admin account is enabled with correct password...

  1. Go to Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Security Options
  2. Set Accounts: Administrator account status to Enabled
  3. Go to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
  4. Right-click over right hand pane and select New | Local User
  5. In the User name field select Administrator (built-in)
  6. Enter password, uncheck User must change password at next logon, check Password never expires

Branding

Logon Screen

The following steps allow a customised logon background, if you have multiple versions of background file at different sizes these can all be used. The files need to end up in %windir%\system32\oobe\info\backgrounds\ and must follow this naming convention...

  • backgroundDefault.jpg - Must exist - will be used if no proper fit file can be found
  • background1280x800.jpg - Optional, copy on as many different files as you have different size versions available, using the appropriate resolution in the filename

To set-up...

  1. Put your background file(s) on a share that can be read by all
  2. Configure a rule to copy the file(s) to the local machine
    1. Computer Configuration | Preferences | Windows Settings | Files
      • EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
      • EG Destination - %windir%\system32\oobe\info\backgrounds\background1680x1050.jpg
      • Suppress errors on individual file actions - Check
  3. Configure a rule to update the registry
    1. Computer Configuration | Preferences | Windows Settings | Registry
      • Hive - HKEY_LOCAL_MACHINE
      • Key Path - SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
      • Value name - OEMBackground
      • Value - REG_DWORD 1

Note that if a previously customised logon screen exists on target computers, you will need to ensure that new files are copied over with the Action field set to Replace to ensure that they are overwritten, and also ensure that any files that aren't overwritten by the new background files are deleted. To delete, in Computer Configuration | Preferences | Windows Settings | Files, create a new entry with the following parameters

  • Action - Delete
  • EG Destination - %windir%\system32\oobe\info\backgrounds\background1024x768.jpg
  • Suppress errors on individual file actions - Check

Desktop Background

  1. Put your background file on a share that can be read by all
  2. Configure a rule to copy the file to the local machine
    1. Computer Configuration | Preferences | Windows Settings | Files
      • EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
      • EG Destination - C:\Backgrounds\MyCompany_1680x1050.jpg - note that you must specify the filename, even if its unchanged by the copy
  3. Configure a rule to update the registry
    1. User Configuration | Polices | Administrative Templates | Desktop | Desktop
    2. Update the Desktop Wallpaper setting with the file path and set Wallpaper Style to Fill

Screen Saver

  1. Put your screen saver executable on a share that can be read by all
    • It must be a SCR file - if your screen saver is distributed/installed by an installer (.MSI or .EXE), look at the registry entry HKCU\Control Panel\Desktop\SCRNSAVE.EXE to find the .SCR file on a machine running the screen saver
  2. Configure a rule to copy the file to the local machine
    1. Computer Configuration | Preferences | Windows Settings | Files
      • EG Source - \\file-svr\priv$\Branding\CompanyScreenSaver.scr - update as required
      • EG Destination - %windir%\system32\CompanyScreenSaver.scr - note that you must specify the filename, even if its unchanged by the copy
  3. Configure the following to enable the screensaver
    1. In User Configuration | Polices | Administrative Templates | Control Panel | Personalization
    2. Set Enable screen saver to Enabled
    3. Set Screen Saver Timeout to the appropriate number of seconds, eg 900 for 15 mins
    4. Set Password protect the screensaver to Enabled
      • Optional - forces user to login to exit the screensaver

Internet Explorer

Proxy

In order to configure proxy settings, browse to...

  • User Configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings

This will still let users change the settings, to prevent this...

  1. Browse to User Configuration| Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel
  2. Enable the Disable the Connections page setting

Favourites

In order to add pre-defined favourites to Internet Explorer...

  1. Browse to User Configuration| Policies | Windows Settings | Internet Explorer Maintenance | URLs
  2. Right-click over Favorites and Links
    • Favourites can be added to the Favorites section
    • Links (which appear in the Favorites bar above the webpage in IE, if viewable) can be added to the Links section
    • Don't check Delete existing Favorites and Links, if present unless you're sure users won't have their own links there already
Retrieved from ‘http://vwiki.co.uk/index.php?title=Group_Policy_(Active_Directory)&oldid=2361