10 Ways to Manage Desktops with Group Policy

Group Policy, when properly planned and implemented, can be an indispensable tool for managing Windows desktop systems. But two obstacles prevent administrators from effectively using Group Policy. First is an incomplete understanding of what Group Policy is and how to apply it. Second is not being clear about what you want to accomplish with Group Policy. It's easy to be overwhelmed by Group Policy because of the large number of settings and the variety of ways you can apply those settings. Understanding Group Policy really isn't difficult, however. Once you have a feel for it you just need some ideas for putting it into action. With that in mind, let's walk through a basic course in Group Policy. Then, I'll show you 10 ways you can begin using Group Policy to manage the desktop systems in your environment.

Group Policy 101
Group Policy gives you central control over certain aspects of the behavior of the desktops in your Windows Server domain. The Microsoft Management Console (MMC) Group Policy snap-in contains extensions and seven main nodes. The nodes are the management entry point for each extension.

Administrative Templates. Administrative Templates are registry-based policies that you use to alter registry settings that control the behavior and appearance of the desktop, components, and applications. Five default Administrative Templates load with a new Group Policy Object (GPO): System.adm for the Windows Server 2003 family, Windows 2000, and Windows XP; Inetres.adm for Internet Explorer (IE) settings; Wmplayer.adm for Windows Media Player (WMP); Conf.adm for NetMeeting 3.01; and Wuau.adm for Windows Update.

Security Settings. The Security Settings node specifies local computer, domain, and network security settings.

Software Installation. The Software Installation node assigns and publishes software to users and assigns software to computers.

Scripts. The Scripts node can affect computer startup and shutdown and user logon and logoff. You can place any Windows Script Host (WSH)–supported language into a script object.

Remote Installation Services (RIS). The settings in this node control how the Remote Operating System Installation feature is presented to client computers.

Internet Explorer Maintenance. The Internet Explorer Maintenance node settings manage Internet Explorer (IE) and customize its behavior.

Folder Redirection. This node's settings redirect Windows special folders (i.e., My Documents, Application Data, Desktop, and Start Menu) to an alternate location on the network.

Administrators use Group Policy Editor (GPE) to configure policy information or settings, which are stored in a GPO. In turn, GPOs link to appropriate sites, domains, or organizational units (OUs) in Active Directory (AD) to determine the computers or users to which the settings in the GPO will apply. You apply most GPOs for managing desktop systems and users to an OU that contains either user or computer objects. You can also use Security Group and Windows Management Instrumentation (WMI) filtering to further narrow the scope of objects to which a given policy will be applied. The Learning Path for this article directs you to more detailed information about using Group Policy. Let's get started leveraging the power of Group Policy to manage your desktop systems.

1. Always Wait for Network at Startup and Logon
This setting affects the Group Policy engine and determines whether GPOs are applied synchronously or asynchronously. Win2K applies GPOs synchronously. XP Professional introduced a refined asynchronous processing mode to speed up both boot and login times. As a side effect, however, in XP Pro, Group Policy settings that take a specific action according to security group membership can take two or even three logons to become effective. The shortcomings to this approach are obvious, especially when you use Group Policy as part of your security strategy. You can, however, guarantee application of targeted policies in a single boot or login by enabling the Always wait for the network at computer startup and logon setting.

The Setting:
Computer Configuration\ Administrative Templates\ System\ Logon\ Always wait for the network at computer startup and logon

2. Automated OS Installation via RIS
What better way to leverage Group Policy than to start using it right away as you deploy client systems? RIS, which showed up initially in Win2K Server, is an optional component that lets administrators create automated installation images for Windows 2003, XP, and Win2K. You can deploy these images to clients and servers. You use the Remote Installation Services node of GPE to control the Choice Screen Options that Windows provides to RIS clients. From the Choice Options Properties screen you can configure the Automatic Setup, Custom Setup, Restart Setup, and Tools options for RIS.

The Setting:
User Configuration\ Windows Settings\ Remote Installation Services\ Choice Options

3. Startup, Shutdown, Logon, and Logoff Scripts
If you think logon scripts are old news for managing desktops and user environments, you're only partially correct. Group Policy gives you much more control over where and when scripts can be run. In addition to specifying the traditional logon script, which runs when a user logs on to the domain, you can specify a script to run when a user logs off the system. You can also specify individual scripts to run both when a computer starts up and when it shuts down. These four types of script triggers give you much more flexibility to perform tasks that just don't fit in the traditional logon script paradigm.

The Settings:
Computer Configuration \ Windows Settings \ Scripts (Startup/Shutdown)
User Configuration \ Windows Settings \ Scripts (Logon/Logoff)

4. Standardize OS "Look and Feel" Settings
You can use a combination of Group Policy settings to create and maintain a standard look and feel for your users' systems. Such standardization can be helpful in developing consistent and effective approaches to training and support. You can control a myriad of settings—too many to list here. The following locations and settings, however, will provide some guidance and food for thought.

The Settings:
User Configuration\ Administrative Templates\ Start Menu & Taskbar
\Remove Favorites menu from Start Menu
\Turn off personalized menus [in Windows 2003 and XP SP2]; \Disable Personalized menus [in XP and Win2K Server]
\Prevent changes to Taskbar and Start Menu Settings [in Windows 2003 and XP 2P2]; \Disable changes to Taskbar and Start Menu Settings [in XP and Win2K Server]

User Configuration\ Administrative Templates\ Windows Components\ Windows Explorer
\Turn on Classic Shell
\Remove the Folder Options menu item from the Tools menu
\Remove "Map Network Drive" and "Disconnect Network Drive"
\No "Entire Network" in My Network Places

User Configuration\ Administrative Templates\ Desktop
\Hide and disable all items on the desktop
\Hide My Network Places icon on desktop
\Remove the Desktop Cleanup Wizard

User Configuration\ Administrative Templates\ Control Panel\ Show only specified Control Panel applets
User Configuration\ Administrative Templates\ Control Panel\ Add or Remove Programs\ Hide Change or Remove Programs page

User Configuration\ Administrative Templates\ Control Panel\ Display\ Desktop Themes
\Remove Theme option
\ Load a specific visual style file or force Windows Classic

5. Configure Windows Firewall Settings for XP Systems
The vast majority of settings for controlling Windows Firewall were only recently made available in XP Service Pack 2 (SP2). But before we dive into those settings, it's worth noting that you do have a modicum of control over how XP's original Internet Connection Firewall behaves. You exercise this control by using the Prohibit use of Internet Connection Firewall setting on your DNS domain network; you'll find the setting under Computer Configuration\ Administrative Templates\ Network\ Network Connections.

In XP SP2, Windows Firewall is accompanied by an array of Group Policy–controllable features. The Group Policy options for Windows Firewall in XP SP2 let an administrator configure two different sets of firewall configurations, known as profiles. You use the Domain profile when the client is connected to the network on which the client's domain controllers are located. You use the Standard profile when the client is connected through an alternate network. You can create a more restrictive set of firewall options in the Standard profile for when systems don't have the benefit of a corporate firewall. You can also configure exceptions in the Domain profile that facilitate connections from internal systems management tools. For these and other XP SP2 settings, you need to implement XP SP2 Administrative Templates, as the Microsoft TechNet article "Deploying Windows XP Service Pack 2 in Enterprise Environments" discusses (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/sp2entdp.mspx).

The Settings:
Computer Configuration\ Administrative Templates\ Network/Network Connections\ Windows Firewall\ Domain Profile

Computer Configuration\ Administrative Templates\ Network/Network Connections\ Windows Firewall\ Standard Profile

6. Strengthen Desktop Security
Implementing secure desktop clients requires a multifaceted management approach, and Group Policy can help ensure a consistent, stable foundation on which to build your security strategy. Group Policy gives you the ability to centrally manage and enforce a wide range of security settings and policies related to desktop computers and their users. There are four general areas you can focus your security efforts on: security settings, IP Security (IPSec) policies, software restriction policies, and wireless network policies. Because configuring these policies requires a thorough understanding of their possible effects and plenty of testing before you implement them in a production environment, I won't attempt to explain the details here. You can read more about configuring these settings at http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/
documentation/windowsserv/2003/all/deployguide/enus/dmebg_dsp_djor.asp.

You use security settings to configure security-related OS specifics such as file and registry ACLs, audit policy, password policy, event logging, and service startup modes. You can import a security template into a GPO, which lets you organize security settings in a single, easily managed package. Default templates are located in %systemroot%\Security\Templates and have an .inf extension.

The Setting:
Computer Configuration\ Windows Settings\ Security Settings

IPSec is a relatively complicated security feature for filtering, authenticating, and encrypting network traffic. To access an extensive list of resources for learning more about IPSec, check out the Microsoft Windows Server 2003 IPSec Technology Center at http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx.

The Setting:
Computer Configuration\ Windows Settings\ Security Settings\ IP Security Policies on Active Directory

Software restriction policies are self-explanatory. They let you specify applications that you want to allow or deny on a per-user or per-computer basis.

The Settings:
Computer Configuration\ Windows Settings\ Security Settings\ Software Restriction Policies

User Configuration\ Windows Settings\ Security Settings\ Software Restriction Policies

Wireless network policies let you configure settings that control the behavior of the Wireless Configuration Service in XP through the Wireless Network Policies Extension in a Windows 2003 environment.

The Setting:
Computer Configuration\ Windows Settings\ Security Settings\ Wireless Network (IEEE 802.11) Policies

   Previous  [1]  2  Next