Revision as of 09:27, 7 August 2013

Getting Started

Start mmc.exe
Go to File | Add/Remove Snap-in...
Add the Group Policy Management
Browse to Group Policy Objects
Right-click and create a new GPO

By default group policies are refreshed by client machines every 90 mins, with a random offset of up to 30 mins in order to load balance. Additionally, Computer Configuration policies are refreshed at boot, and User Configuration polices are refreshed at login.

To refresh polices on the current machine

gpupdate

To see the results of the last refresh (open the created HTML file)

gpresult /H GPreport.html

Common Policy Paths

Auditing (Event) logging	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Local Polices \| Audit Policy
Default Local Admin	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Restricted Groups
Password	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Account Polices \| Password Policy
Power Options	Computer Configuration \| Preferences \| Control panel Settings \| Power Options \| Power Scheme
Proxy	User Configuration\| Policies \| Windows Settings \| Internet Explorer Maintenance \| Connection \| Proxy Settings
Screen Saver	User Configuration \| Polices \| Administrative Templates \| Control Panel \| Personalization \| Enable screen saver
Security Policy Options	Computer Configuration \| Polices \| Windows Settings \| Security Settings \| Local Polices \| Security Options

Group Policy Object (GPO) Examples

Default Local Administrator

To give a particular domain security group, local admin rights over machines affected by the GPO

Browse to Computer Configuration | Polices | Windows Settings | Security Settings | Restricted Groups
Select Add Group...
Locate the security group, and then add it to appropriate local group (eg BUILTIN\Administrators)

To ensure the local admin account is enabled with correct password...

Go to Computer Configuration | Polices | Windows Settings | Security Settings | Local Polices | Security Options
Set Accounts: Administrator account status to Enabled
Go to Computer Configuration | Preferences | Control Panel Settings | Local Users and Groups
Right-click over right hand pane and select New | Local User
In the User name field select Administrator (built-in)
Enter password, uncheck User must change password at next logon, check Password never expires

Branding

Logon Screen

The following steps allow a customised logon background, if you have multiple versions of background at different sizes these can all be used. The files need to end up in %windir%\system32\oobe\info\backgrounds\ and must follow this naming convention

backgroundDefault.jpg - Must exist
background1280x800.jpg - Optional, copy on as many different files as you have different size versions available

Put your background file(s) on a share that can be read by all
Configure a rule to copy the file(s) to the local machine
1. Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
  - EG Destination - %windir%\system32\oobe\info\backgrounds\background1680x1050.jpg
Configure a rule to update the registry
1. Computer Configuration | Preferences | Windows Settings | Registry
  - Hive - HKEY_LOCAL_MACHINE
  - Key Path - SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
  - Value name - OEMBackground
  - Value - REG_DWORD 1

Desktop Background

Put your background file on a share that can be read by all
Configure a rule to copy the file to the local machine
1. Computer Configuration | Preferences | Windows Settings | Files
  - EG Source - \\file-svr\priv$\Branding\MyCompany_1680x1050.jpg - update as required
  - EG Destination - C:\Backgrounds\MyCompany_1680x1050.jpg - note that you must specify the filename, even if its unchanged by the copy
Configure a rule to update the registry
1. User Configuration | Polices | Administrative Templates | Desktop | Desktop
2. Update the Desktop Wallpaper setting with the file path and set Wallpaper Style to Fill

Internet Explorer

Proxy

In order to configure proxy settings, browse to...

User Configuration | Policies | Windows Settings | Internet Explorer Maintenance | Connection | Proxy Settings

This will still let users change the settings, to prevent this...

Browse to User Configuration| Policies | Administrative Templates | Windows Components | Internet Explorer | Internet Control Panel


Enable the Disable the Connections page setting

Favourites

In order to add pre-defined favourites to Internet Explorer...

Browse to  User Configuration| Policies | Windows Settings | Internet Explorer Maintenance | URLs 
Right-click over  Favorites and Links 
Favourites can be added to the Favorites section
Links (which appear in the Favorites bar above the webpage in IE, if viewable) can be added to the Links section
Don't check Delete existing Favorites and Links, if present unless you're sure users won't have their own links there already

@@ Line 1: / Line 1: @@
-== Getting Started ==
+= Getting Started =
 # Start <code>mmc.exe</code>
 # Go to '''File <nowiki>|</nowiki> Add/Remove Snap-in...'''
@@ Line 14: / Line 14: @@
-== Common Policy Paths ==
+= Common Policy Paths =
 {|class="vwikitable"
 |-
@@ Line 39: / Line 39: @@
 |}
-== Group Policy Object (GPO) Examples ==
+= Group Policy Object (GPO) Examples =
-=== Default Local Administrator ===
+== Default Local Administrator ==
 To give a particular domain security group, local admin rights over machines affected by the GPO
@@ Line 55: / Line 55: @@
 # Enter password, uncheck ''User must change password at next logon'', check ''Password never expires''
-=== Branding ===
+== Branding ==
-==== Logon Screen ====
+=== Logon Screen ===
 The following steps allow a customised logon background, if you have multiple versions of background at different sizes these can all be used.  The files need to end up in <code>%windir%\system32\oobe\info\backgrounds\</code> and must follow this naming convention
 * <code>backgroundDefault.jpg</code> - Must exist
@@ Line 73: / Line 73: @@
 ##* ''Value'' - <code>REG_DWORD 1</code>
-==== Desktop Background ====
+=== Desktop Background ===
 # Put your background file on a share that can be read by all
 # Configure a rule to copy the file to the local machine
@@ Line 83: / Line 83: @@
 ## Update the ''Desktop Wallpaper'' setting with the file path and set ''Wallpaper Style'' to '''Fill'''
-=== Internet Explorer ===
+== Internet Explorer ==
-==== Proxy ====
+=== Proxy ===
 In order to configure proxy settings, browse to...
 * <code>User Configuration <nowiki>|</nowiki> Policies <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Internet Explorer Maintenance <nowiki>|</nowiki> Connection <nowiki>|</nowiki> Proxy Settings</code>
@@ Line 92: / Line 92: @@
 # '''Enable''' the <code>Disable the Connections page</code> setting
-==== Favourites ====
+=== Favourites ===
 In order to add pre-defined favourites to Internet Explorer...
 # Browse to <code> User Configuration<nowiki>|</nowiki> Policies <nowiki>|</nowiki> Windows Settings <nowiki>|</nowiki> Internet Explorer Maintenance <nowiki>|</nowiki> URLs </code>

Difference between revisions of "Group Policy (Active Directory)"

Revision as of 09:27, 7 August 2013

Contents

Getting Started

Common Policy Paths

Group Policy Object (GPO) Examples

Default Local Administrator

Branding

Logon Screen

Desktop Background

Internet Explorer

Proxy

Favourites

Navigation menu

Difference between revisions of "Group Policy (Active Directory)"

Revision as of 09:27, 7 August 2013

Getting Started

Common Policy Paths

Group Policy Object (GPO) Examples

Default Local Administrator

Branding

Logon Screen

Desktop Background

Internet Explorer

Proxy

Favourites

Navigation menu

Search