
10 Ways to Manage Desktops with Group Policy

Group Policy, when properly planned and implemented, can be an
indispensable tool for managing Windows desktop systems. But two obstacles
prevent administrators from effectively using Group Policy. First is an
incomplete understanding of what Group Policy is and how to apply it. Second
is not being clear about what you want to accomplish with Group Policy. It's
easy to be overwhelmed by Group Policy because of the large number of
settings and the variety of ways you can apply those settings. Understanding
Group Policy really isn't difficult, however. Once you have a feel for it you just
need some ideas for putting it into action. With that in mind, let's walk
through a basic course in Group Policy. Then, I'll show you 10 ways you can
begin using Group Policy to manage the desktop systems in your
environment.

Group Policy 101


Group Policy gives you central control over certain aspects of the behavior of
the desktops in your Windows Server domain. The Microsoft Management
Console (MMC) Group Policy snap-in contains extensions and seven main
nodes. The nodes are the management entry point for each extension.

Administrative Templates. Administrative Templates are registry-based
policies that you use to alter registry settings that control the behavior and
appearance of the desktop, components, and applications. Five default
Administrative Templates load with a new Group Policy Object (GPO):
System.adm for the Windows Server 2003 family, Windows 2000, and
Windows XP; Inetres.adm for Internet Explorer (IE) settings; Wmplayer.adm
for Windows Media Player (WMP); Conf.adm for NetMeeting 3.01; and
Wuau.adm for Windows Update.

Security Settings. The Security Settings node specifies local computer,
domain, and network security settings.

Software Installation. The Software Installation node assigns and publishes
software to users and assigns software to computers.

Scripts. The Scripts node can affect computer startup and shutdown and user
logon and logoff. You can place any Windows Script Host (WSH)-supported
language into a script object.

Remote Installation Services (RIS). The settings in this node control how the
Remote Operating System Installation feature is presented to client
computers.

Internet Explorer Maintenance. The Internet Explorer Maintenance node
settings manage Internet Explorer (IE) and customize its behavior.

Folder Redirection. This node's settings redirect Windows special folders (i.e.,
My Documents, Application Data, Desktop, and Start Menu) to an alternate
location on the network.

Administrators use Group Policy Editor (GPE) to configure policy information
or settings, which are stored in a GPO. In turn, GPOs link to appropriate sites,
domains, or organizational units (OUs) in Active Directory (AD) to determine
the computers or users to which the settings in the GPO will apply. You apply
most GPOs for managing desktop systems and users to an OU that contains
either user or computer objects. You can also use Security Group and
Windows Management Instrumentation (WMI) filtering to further narrow the
scope of objects to which a given policy will be applied. The Learning Path for
this article directs you to more detailed information about using Group Policy.
Let's get started leveraging the power of Group Policy to manage your
desktop systems.

1. Always Wait for Network at Startup and Logon


This setting affects the Group Policy engine and determines whether GPOs
are applied synchronously or asynchronously. Win2K applies GPOs
synchronously. XP Professional introduced asynchronous (fast logon)
processing to speed up both boot and logon times. As a side effect, however,
in XP Pro, Group Policy settings that depend on security group membership,
and settings that can only be processed in the foreground such as Folder
Redirection and Software Installation, can take two or even three logons to
become effective. The shortcomings of this approach are obvious, especially
when you use Group Policy as part of your security strategy. You can,
however, guarantee application of targeted policies in a single boot or logon
by enabling the Always wait for the network at computer startup and logon
setting.

The Setting:
Computer Configuration\ Administrative Templates\ System\ Logon\ Always
wait for the network at computer startup and logon
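The GPO lifecycle from Group Policy 101 (create a GPO, link it to an OU, narrow it with security-group filtering) together with the setting from item 1, as an added PowerShell example that uses the GroupPolicy module from RSAT; this is not code from the article. The domain, OU, group and GPO names are assumptions to be replaced with your own, and the Winlogon registry value is the one System.adm writes when this setting is enabled.

```powershell
# Added example (not from the article): build a desktop GPO with the GroupPolicy
# module, enable "Always wait for the network at computer startup and logon" in
# it, link it to a workstation OU and scope it with security-group filtering.
# Assumptions: domain contoso.com, OU "Workstations", group GP-DesktopBaseline.
Import-Module GroupPolicy

$GpoName = 'Desktop Baseline'
$OuDn    = 'OU=Workstations,DC=contoso,DC=com'
$Group   = 'CONTOSO\GP-DesktopBaseline'

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Baseline for managed desktops'
}

# 2. The setting is registry-based (Administrative Templates). Enabling it sets
#    SyncForegroundPolicy=1 under the Winlogon policy key, which makes the Group
#    Policy engine process foreground policy synchronously so group-targeted
#    settings apply on the first boot/logon instead of the second or third.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# 3. Link the GPO to the OU that holds the computer objects. This is a Computer
#    Configuration setting, so the link must cover computers, not users.
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null
}

# 4. Security filtering: drop the default Apply right for Authenticated Users and
#    grant it to a dedicated group. Caveat: a computer must still be able to read
#    the GPO to process it, so put the computer accounts in the group (or leave
#    Authenticated Users with GpoRead instead of None).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Verify what was written before the GPO reaches any client.
Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' |
    Select-Object ValueName, Type, Value
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission
```

Set-GPRegistryValue writes the registry policy straight into the GPO's registry.pol, which is what enabling the setting in GPE does, so the result shows up in GPE and in Get-GPOReport. Confirm on one workstation with gpupdate /force followed by gpresult /scope computer /v before widening the link or the group.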

2. Automated OS Installation via RIS


What better way to leverage Group Policy than to start using it right away as
you deploy client systems? RIS, which showed up initially in Win2K Server, is
an optional component that lets administrators create automated installation
images for Windows 2003, XP, and Win2K. You can deploy these images to
clients and servers. You use the Remote Installation Services node of GPE to
control the Choice Screen Options that Windows provides to RIS clients. From
the Choice Options Properties screen you can configure the Automatic Setup,
Custom Setup, Restart Setup, and Tools options for RIS.

The Setting:
User Configuration\ Windows Settings\ Remote Installation Services\ Choice
Options

3. Startup, Shutdown, Logon, and Logoff Scripts


If you think logon scripts are old news for managing desktops and user
environments, you're only partially correct. Group Policy gives you much
more control over where and when scripts can be run. In addition to
specifying the traditional logon script, which runs when a user logs on to the
domain, you can specify a script to run when a user logs off the system. You
can also specify individual scripts to run both when a computer starts up and
when it shuts down. These four types of script triggers give you much more
flexibility to perform tasks that just don't fit in the traditional logon script
paradigm.

The Settings:
Computer Configuration \ Windows Settings \ Scripts (Startup/Shutdown)

User Configuration \ Windows Settings \ Scripts (Logon/Logoff)

4. Standardize OS "Look and Feel" Settings


You can use a combination of Group Policy settings to create and maintain a
standard look and feel for your users' systems. Such standardization can be
helpful in developing consistent and effective approaches to training and
support. You can control a myriad of settings, too many to list here. The
following locations and settings, however, will provide some guidance and
food for thought.

The Settings:
User Configuration\ Administrative Templates\ Start Menu & Taskbar
\Remove Favorites menu from Start Menu
\Turn off personalized menus [in Windows 2003 and XP SP2]; \Disable
Personalized menus [in XP and Win2K Server]
\Prevent changes to Taskbar and Start Menu Settings [in Windows 2003 and
XP SP2]; \Disable changes to Taskbar and Start Menu Settings [in XP and
Win2K Server]

User Configuration\ Administrative Templates\ Windows Components\
Windows Explorer
\Turn on Classic Shell
\Remove the Folder Options menu item from the Tools menu
\Remove "Map Network Drive" and "Disconnect Network Drive"
\No "Entire Network" in My Network Places

User Configuration\ Administrative Templates\ Desktop


\Hide and disable all items on the desktop
\Hide My Network Places icon on desktop
\Remove the Desktop Cleanup Wizard

User Configuration\ Administrative Templates\ Control Panel\ Show only
specified Control Panel applets
User Configuration\ Administrative Templates\ Control Panel\ Add or Remove
Programs\ Hide Change or Remove Programs page

User Configuration\ Administrative Templates\ Control Panel\ Display\ Desktop
Themes
\Remove Theme option
\Load a specific visual style file or force Windows Classic

5. Configure Windows Firewall Settings for XP Systems


The vast majority of settings for controlling Windows Firewall became
available only with XP Service Pack 2 (SP2). But before we dive into those
settings, it's worth noting that you do have a modicum of control over how
XP's original Internet Connection Firewall behaves. You exercise this control
with the Prohibit use of Internet Connection Firewall on your DNS domain
network setting; you'll find it under Computer Configuration\ Administrative
Templates\ Network\ Network Connections.

In XP SP2, Windows Firewall is accompanied by an array of Group Policy
controllable features. The Group Policy options for Windows Firewall in XP SP2
let an administrator configure two different sets of firewall configurations,
known as profiles. The Domain profile applies when the client is connected to
the network on which the client's domain controllers are located; the
Standard profile applies when the client is connected through any other
network. You can create a more restrictive set of firewall options in the
Standard profile for when systems don't have the benefit of a corporate
firewall. You can also configure exceptions in the Domain profile that
facilitate connections from internal systems management tools. For these and
other XP SP2 settings, you need to implement the XP SP2 Administrative
Templates, as the Microsoft TechNet article "Deploying Windows XP Service
Pack 2 in Enterprise Environments" discusses
(http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/sp2entdp.mspx).

The Settings:
Computer Configuration\ Administrative Templates\ Network/Network
Connections\ Windows Firewall\ Domain Profile

Computer Configuration\ Administrative Templates\ Network/Network
Connections\ Windows Firewall\ Standard Profile
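The two-profile split described above, as an added PowerShell example (not code from the article) that writes both profiles into a GPO with the GroupPolicy module. The value names are the ones the SP2 firewall administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall; the GPO name and the management subnet are assumptions.

```powershell
# Added example (not from the article): configure XP SP2 Windows Firewall
# Domain and Standard profiles in a GPO. Domain profile: firewall on, exceptions
# allowed, remote administration reachable only from the management subnet.
# Standard profile: firewall on, no exceptions at all.
# Assumptions: GPO "Desktop Baseline" exists; management subnet 10.0.50.0/24.
Import-Module GroupPolicy

$GpoName  = 'Desktop Baseline'
$MgmtNet  = '10.0.50.0/255.255.255.0'   # firewall scope syntax: address/mask, or LocalSubnet
$FwPolicy = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Set-XpFirewallProfile {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DomainProfile', 'StandardProfile')]
        [string]$Profile,
        [bool]$AllowExceptions,
        [string]$RemoteAdminFrom        # empty = no remote-administration exception
    )
    $key = "$FwPolicy\$Profile"
    # "Protect all network connections": Enabled
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName EnableFirewall `
        -Type DWord -Value 1 | Out-Null
    # "Do not allow exceptions": 1 blocks all unsolicited inbound traffic and
    # overrides every exception list, which is what we want off the corporate LAN.
    $noExceptions = if ($AllowExceptions) { 0 } else { 1 }
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName DoNotAllowExceptions `
        -Type DWord -Value $noExceptions | Out-Null
    # "Prohibit notifications": users are not asked to unblock programs.
    Set-GPRegistryValue -Name $GpoName -Key $key -ValueName DisableNotifications `
        -Type DWord -Value 1 | Out-Null
    # "Allow inbound remote administration exception" (RPC/DCOM, TCP 135 and 445),
    # scoped to the given addresses rather than the whole world.
    $ra = "$key\RemoteAdminSettings"
    if ($RemoteAdminFrom) {
        Set-GPRegistryValue -Name $GpoName -Key $ra -ValueName Enabled `
            -Type DWord -Value 1 | Out-Null
        Set-GPRegistryValue -Name $GpoName -Key $ra -ValueName RemoteAddresses `
            -Type String -Value $RemoteAdminFrom | Out-Null
    } else {
        Set-GPRegistryValue -Name $GpoName -Key $ra -ValueName Enabled `
            -Type DWord -Value 0 | Out-Null
    }
}

# On the corporate network: manageable, but only from the management subnet.
Set-XpFirewallProfile -Profile DomainProfile -AllowExceptions $true -RemoteAdminFrom $MgmtNet

# Anywhere else (home, hotel, airport): shields up.
Set-XpFirewallProfile -Profile StandardProfile -AllowExceptions $false -RemoteAdminFrom ''

# Review what the client will receive, profile by profile.
foreach ($p in 'DomainProfile', 'StandardProfile') {
    "--- $p"
    Get-GPRegistryValue -Name $GpoName -Key "$FwPolicy\$p" |
        Select-Object ValueName, Value
}
```

The client picks the profile by network location determination: if it can reach a domain controller for its domain on the current connection it uses the Domain profile, otherwise the Standard profile. Test the Standard profile by taking a managed laptop off the corporate network; it is the profile that matters most and the one that is easiest to forget.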

6. Strengthen Desktop Security


Implementing secure desktop clients requires a multifaceted management
approach, and Group Policy can help ensure a consistent, stable foundation
on which to build your security strategy. Group Policy gives you the ability to
centrally manage and enforce a wide range of security settings and policies
related to desktop computers and their users. There are four general areas
you can focus your security efforts on: security settings, IP Security (IPSec)
policies, software restriction policies, and wireless network policies. Because
configuring these policies requires a thorough understanding of their possible
effects and plenty of testing before you implement them in a production
environment, I won't attempt to explain the details here. You can read more
about configuring these settings at
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/all/deployguide/en-us/dmebg_dsp_djor.asp.

You use security settings to configure security-related OS specifics such as
file and registry ACLs, audit policy, password policy, event logging, and
service startup modes. You can import a security template into a GPO, which
lets you organize security settings in a single, easily managed package.
Default templates are located in %systemroot%\Security\Templates and have
an .inf extension.

The Setting:
Computer Configuration\ Windows Settings\ Security Settings
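A security template of the kind the Security Settings node imports, with secedit used to analyze a machine against it before anything is applied; an added PowerShell example, not from the article. The values are illustrative baseline choices of mine, not settings the article prescribes, and the file locations under %TEMP% are assumptions.

```powershell
# Added example (not from the article): write a small security template in the
# .inf format used by the Security Settings node and %systemroot%\Security\Templates,
# then use secedit to report where the local machine differs from it.
# The values are illustrative baseline choices (assumption), not the article's,
# and must be reviewed and tested before use.
$Template = Join-Path $env:TEMP 'desktop-baseline.inf'
$Db       = Join-Path $env:TEMP 'desktop-baseline.sdb'
$Log      = Join-Path $env:TEMP 'desktop-baseline.log'

@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 10
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
[Registry Values]
; path=type,data   (type 4 = REG_DWORD, 1 = REG_SZ, 7 = REG_MULTI_SZ)
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
'@ | Set-Content -Path $Template -Encoding Unicode   # secedit expects a Unicode .inf

# Analyze: import the template into a fresh database and compare it with the
# machine's current configuration. Nothing is changed by this step.
Remove-Item $Db, $Log -ErrorAction SilentlyContinue
secedit /analyze /db $Db /cfg $Template /log $Log /quiet

# Settings that differ from the template are logged as "Mismatch"; review them
# before you configure anything.
Get-Content $Log | Select-String -Pattern 'Mismatch'

# Apply only once the analysis looks right. /areas SECURITYPOLICY limits the run
# to account policy, audit policy and security options (the sections above) and
# leaves file, registry and service ACLs untouched.
# secedit /configure /db $Db /cfg $Template /areas SECURITYPOLICY /log $Log /quiet
```

To put the same template into a GPO, right-click Security Settings in GPE and choose Import Policy, pointing at the .inf. One caveat that bites often: the [System Access] password and lockout values govern domain accounts only when they come from a GPO linked at the domain level; in a GPO linked to a workstation OU they apply to the local SAM accounts on those machines.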

IPSec is a relatively complicated security feature for filtering, authenticating,
and encrypting network traffic. To access an extensive list of resources for
learning more about IPSec, check out the Microsoft Windows Server 2003
IPSec Technology Center at
http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx.

The Setting:
Computer Configuration\ Windows Settings\ Security Settings\ IP Security
Policies on Active Directory

Software restriction policies are self-explanatory. They let you specify
applications that you want to allow or deny on a per-user or per-computer
basis.

The Settings:
Computer Configuration\ Windows Settings\ Security Settings\ Software
Restriction Policies

User Configuration\ Windows Settings\ Security Settings\ Software Restriction
Policies

Wireless network policies let you configure settings that control the behavior
of the Wireless Configuration Service in XP through the Wireless Network
Policies Extension in a Windows 2003 environment.

The Setting:
Computer Configuration\ Windows Settings\ Security Settings\ Wireless
Network (IEEE 802.11) Policies

7. Control Windows Update and Automatic Updates


Generally speaking, XP's Windows Update and Automatic Updates are great
features. In a corporate environment, though, there are good reasons to
control their availability and behavior. You can disable Automatic Updates and
remove user access to Windows Update through Group Policy. Of course,
you'll likely only do this if you have a centralized update distribution
mechanism such as Software Update Services (SUS) or its soon-to-be-released
successor Windows Update Services (WUS, which shipped as Windows Server
Update Services, WSUS). Both SUS and WUS are controllable through Group
Policy but might require an updated version of the Wuau.adm administrative
template. The settings for the built-in update tools are user-specific. SUS and
WUS settings are computer-based.

The Settings:
User Configuration\ Administrative Templates\ System\ Windows Automatic
Updates
User Configuration\ Administrative Templates\ System\ Windows Update
Computer Configuration\ Administrative Templates\ Windows Components\
Windows Update
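Pointing clients at an internal SUS/WSUS server and removing user access to the public Windows Update site, as an added PowerShell example (not code from the article). The registry values are the ones behind the Wuau.adm and Windows Update administrative template settings; the GPO name and the server URL are assumptions. The check function at the end exists for the caveat the text raises: turning Automatic Updates off without an internal update source leaves machines unpatched.

```powershell
# Added example (not from the article): Windows Update policy in a GPO plus a
# client-side sanity check. Assumptions: GPO "Desktop Baseline" exists and the
# update server is http://wsus.contoso.com (SUS and early WUS listened on
# port 80 by default; later WSUS versions default to 8530).
Import-Module GroupPolicy

$GpoName = 'Desktop Baseline'
$WuKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$Server  = 'http://wsus.contoso.com'

# Computer side: "Specify intranet Microsoft update service location".
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUServer       -Type String -Value $Server | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $WuKey -ValueName WUStatusServer -Type String -Value $Server | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName UseWUServer -Type DWord -Value 1 | Out-Null

# Computer side: "Configure Automatic Updates" enabled, option 4 = auto download
# and schedule the install, every day (0) at 03:00.
Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName NoAutoUpdate         -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName AUOptions            -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName ScheduledInstallDay  -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$WuKey\AU" -ValueName ScheduledInstallTime -Type DWord -Value 3 | Out-Null

# User side: "Remove access to use all Windows Update features" (HKCU keys land
# under User Configuration of the same GPO).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate' `
    -ValueName DisableWindowsUpdateAccess -Type DWord -Value 1 | Out-Null

# Client-side check: run on a workstation after gpupdate. Flags the dangerous
# combination of Automatic Updates disabled with no internal update source.
function Test-WindowsUpdatePolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $p  = Get-ItemProperty -Path $base        -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$base\AU"   -ErrorAction SilentlyContinue
    $usesServer = ($au.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($p.WUServer)
    $autoOff    = ($au.NoAutoUpdate -eq 1)
    $status = if ($usesServer -and -not $autoOff) { 'OK: internal update server, Automatic Updates on' }
              elseif ($autoOff -and -not $usesServer) { 'RISK: Automatic Updates off and no internal update source' }
              else { 'CHECK: public Windows Update in use' }
    [pscustomobject]@{
        UpdateServer  = $p.WUServer
        AutoUpdatesOn = -not $autoOff
        AUOptions     = $au.AUOptions
        Status        = $status
    }
}
Test-WindowsUpdatePolicy
```

Removing Windows Update access is a user setting, so the GPO must be linked where the user objects are (or loopback processing must be enabled) for it to take effect, while the server and scheduling values are computer settings; a GPO linked only to a computer OU will set one half and silently skip the other.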

8. Folder Redirection
Folder Redirection lets you redirect the path of special folders such as My
Documents, Desktop, and Application Data to a network location. Storing
these folders and their contents on a file server puts them on backed-up,
server-class storage and also makes the
data available to users from multiple workstations. A separate but
complementary technology is XP's Offline Files, which automatically makes
files available offline when you redirect them from a special folder. For more
information about implementing Folder Redirection, see "Using IntelliMirror to
Manage User Data and Settings" (July 2003, InstantDoc ID 39193).

The Settings:
User Configuration\ Windows Settings\ Folder Redirection
User Configuration\ Administrative Templates\ Network\ Offline Files

9. Standardize and Secure IE


IE is one of the most frequently used tools on many users' systems;
unfortunately, it's also one of the most misused. In addition, IE presents an
oft-exploited avenue for malware and other threats to security and privacy.
Although there is no bulletproof solution to these risks when IE is so widely
used, there are Group Policy settings to shore up security and better control
how IE is used. IE subkeys under User Configuration and Computer
Configuration in GPE let you customize settings and set restrictions on a
per-user or per-computer basis (the majority of settings are beneath User
Configuration). Customizations you can make include but aren't limited to:

Changing the appearance of the browser interface
Setting custom URLs for favorites, search page, and home page
Configuring the default programs for tasks such as email and newsgroups
Controlling security zones and content rating settings
Configuring connection settings for LAN and dial-up

You can also restrict user access to certain IE settings, menu items, and
configuration pages to enforce consistency and bolster security. Take a
minute to read the Explain tab for the settings you configure to avoid
confusion about what will happen when you enable or disable a setting. XP
SP2 dramatically expands the IE security options that Group Policy can
control. The new features include MIME sniffing safety, zone elevation
protection, ActiveX installation restrictions, file download restrictions, and
Add-on management.

The Settings:
Computer Configuration\ Administrative Templates\ Windows Components\
Internet Explorer
User Configuration\ Administrative Templates\ Windows Components\ Internet
Explorer

10. Software Installation Policy for Automated Application Deployments


Software installation and maintenance are part of Microsoft's IntelliMirror
functionality, and you can control both with Group Policy. You can configure
settings within GPE to assign or publish an application to users or computers.
Software installation and maintenance functionality works with programs that
use Windows Installer technology (i.e., .msi files). Of course, Microsoft
applications such as Office use Windows Installer technology for their
installation process, which means you can assign Office to a user or computer
population and have it installed automatically. You can create custom
installations using msi transforms and use security group filtering to target
specific groups of users to which the custom installation will be applied. And
in case you're wondering, you can also use software installation and
maintenance functionality to deploy XP SP2. You can assign XP SP2's
Update.msi only to machines; assigning to users isn't supported. For more
information, see the Microsoft article "Best Practices for Using Update.msi to
deploy Service Packs," http://www.support.microsoft.com/?kbid=278503.

The Settings:
User Configuration\ Software Installation
Computer Configuration\ Software Installation

Good Policy
Now you know that some policies are simple and others, such as Folder
Redirection, require preparation and testing to implement. The best way to
approach policy creation is from the perspective of solving a particular
problem or providing a particular service. Determine the appropriate settings
to accomplish the task at hand. Read the description under the Explain tab
when viewing the properties for a setting within GPE to make sure you fully
understand a setting's impact and behavior before you turn it on. And finally,
make sure you fully test both the result of the settings in your GPO as well as
your scope targeting method before putting a policy into production.

Discuss this Article


Anonymous User (not verified) on Apr 27, 2005
Hardware: Dial-Up Connection, Portable Computer, Battery Present,
PCMCIA Present, CPU Speed, Disk Space, RAM Available, MAC Address Range
Identity: IP Address Range, AD/LDAP Query, Domain/Workgroup,
Organizational Unit, Site Membership, Computer/DNS Name, Security Group,
User Match
Software: Operating System, Service Pack, Terminal Session, System/User
Language, File Match, Registry Match, Environment Variable
Other: Filter Group, Message Box, MSI Packages, Recur Every, Run Once,
Time Range, WMI Query
Additionally, Group Policy provides a rich delegation and hierarchical
management model so that organizations can make the system support the
way they do business. All in all Group Policy has practically unlimited
potential and tremendous ROI. It's well integrated, extensible, hugely
scalable and by far the most widely deployed desktop management system for
Active Directory networks. Eric


Anonymous User (not verified) on Apr 8, 2005
Dude you're lame - this is an article comment section, not your opportunity
for a personal shameless plug.


Anonymous User (not verified) on Apr 14, 2005
Adam, Thanks for your thoughtful response. Having worked with IT Pro (and
predecessors) for many years, this is the type of in-depth discussion I would
expect readers to appreciate the most. Group Policy is an expansive and
valuable topic, and it's hard to get enough depth even in a feature article.
Generating discussion on the topic of what's missing is a great approach to
this problem. Please forgive me if I got the wrong impression regarding
sponsorship of the article, but it's easy to come to this conclusion given the
contents of the Interact section at the top of the article (in both print and
online versions). I assumed that was a paid position associated with the
article, which of course was the cover story for the April print edition. My
mistake. I don't know a lot about the SL product, but from what I understand
it's dependent on KiXtart scripting, not Group Policy. There are many ways to
accomplish management tasks in a distributed network: scripting, script
generators, various utility products and tools, infrastructure investments such
as ZENworks, SMS, Tivoli, Altiris, etc. Some of these claim to have association
with Group Policy. However, to actually provide new Group Policy features
requires implementing Microsoft's extensive specification for Group Policy
Extension, including Group Policy Object Editor extensions, Resultant Set of
Policy snap-in extensions, GPMC integration, and Client Side Extensions. This
is how the Microsoft extensions work. It's hard for me to come up with an
example of desktop management functionality that cannot be managed
easily using a Group Policy extension. Of course there is not a Group Policy
extension to cover every conceivable management task, yet this is true of all
management products. Should holes in native functionality be filled by
non-Group Policy utilities if there are capable extensions available? That's an
individual decision, but one that should be made with an understanding of
the options. In fairness, Brian did state that third party products (presumably
extensions) are required to fill the holes in Group Policy, but that's by design.
Reusing my own analogy, one wouldn't argue that IE was too limited
because Microsoft didn't provide all of the plug-ins. Just the opposite is true.
Group Policy is practically *unlimited* because it's extensible and the
extensibility model is supported. This isn't true of most other desktop
management systems. Brian missed an opportunity to point out a legitimate
limitation of Group Policy: it doesn't support Windows NT 4 or Windows 9x
desktops. As I understand, SL predates Group Policy and supports these
platforms. I assume he has a good product and I'm sure it can fill some of the
holes left by native Group Policy even on current platforms. However, people
looking for Group Policy solutions should be aware that there are in fact true
Group Policy extensions that more than handle the issues raised. Therefore, I
guess I should answer the other part of your question, "What are some
specific examples of desktop management functionality that can be done
easily with a Group Policy extension?" That's a mighty long list, and this is
already getting too long so I'll follow up a little later. Regards, Eric


Adam (not verified) on Mar 29, 2005
Brian Styles of ScriptLogic also has some thoughts about Group Policy. He
hopes to hear your thoughts and share more of his with this article. Brian's
comments: Policy based control over desktop settings is a great starting
point to standardize and streamline the user's environment. It employs the
ability to make changes on multiple machines with a single administrative
change. However, Group Policies are simply not enough for comprehensive
desktop administration for two reasons: (1) limited scope of administrative
ability and (2) limited granularity of distribution. The scope of administration
Group Policies master is limited to OS- and (some) application-specific
settings. Third party solutions are required to handle the multitude of other
aspects that are required by the administrator to control the user's
environment. Like the administrative scope, granularity of policy distribution
is also extremely limited in that you have only users, groups, computers and
OUs to use to differentiate policy deployment. OUs and object types are only
a few of the long list of methods you can use to categorize and identify users.
It should come as no surprise to IT professionals that ScriptLogic would have
an opinion on Group Policies given that ScriptLogic has made a business out
of developing intuitive management solutions in the areas of desktop
administration, Active Directory and Group Policy management. Now it's your
turn to give us your feedback. Share with us your experiences of using Group
Policies to manage Windows clients and feel free to post your questions. We'll
be monitoring your feedback and posting replies. - Brian Styles


Anonymous User (not verified) on Apr 27, 2005
Adam, These are the extensions that are available when you install the
PolicyMaker suite. Native (Microsoft) Group Policy extensions make up just 1/3
of these. The Administrative Templates extension includes hundreds of
individual security and other operating system configuration parameters.
Software Update provides Group Policy patch management using SUS/WUS
data. Printers provides mapping of shared printers or connection of IP
printers. The solutions possible with these extensions and the numerous
policy types they include are innumerable. *Environment Variables *Local
Users and Groups *Application Security *Device Restrictions *Wireless
*Network Options *Drive Maps *Folder Redirection *Administrative Templates
*Microsoft Disk Quota *QoS Packet Scheduler *Scripts *Security *Internet
Explorer Branding *EFS recovery *Software Installation *Software Update *IP
Security *Folders *Files *Data Sources *Ini Files *Windows Services *Folder
Options *Scheduled Tasks *Registry *Applications *Printers *Shortcuts *Mail
Profiles *Internet Settings *Start Menu Settings *Regional Options *Power
Options One of the strengths of Group Policy is its ability to target groups of
settings in a GPO to users and/or computers by site, domain, and
organizational unit. Additionally, GPOs can be filtered by security group and
WMI filters. PolicyMaker extensions add to this flexibility by implementing
per-setting targeting using a graphical drag and drop filter interface common
to all extensions and settings. This allows administrators to create a much
smaller number of GPOs and target contained settings more granularly. Filter
classes include:


Anonymous User (not verified) on Apr 7, 2005
Bob, Thanks for the plug. Clearly Group Policy is the most widely utilized
desktop management technology system and the best feature of Active
Directory. As far as I know the only scoping limitations are that machines
must be Windows 2000 or later, and for central management they must be
joined to AD. Everyone with an Active Directory network is already using
Group Policy. Unfortunately some people miss out on the rich possibilities by
focusing entirely on the extensions that are provided with Windows. That's
like complaining that IE can't view a PDF file. Group Policy is an extensible
architecture by design. The 11 extensions that ship with Windows XP include
security settings, software deployment and more. However, when we
introduced the first product based on this specification, a whole new world of
true Group Policy was opened up. Our PolicyMaker suite includes a total of 23
extensions (e.g. printers, drive maps, patching, local users and groups
management, power options, least privilege security, Outlook profiles, and
much more), and each supports the full specification including GPMC
integration, backup and restore, planning and logging modes, delegation, and
more. There are no servers or services to install, it all works inside the
existing architecture. We implement a number of common features in our
extensions, including drag-and-drop XML import/export, 25 categories of
graphical per-setting filters (no limit to granularity), per-setting
documentation, environment variable integration, extension-level delegation,
and much more. Our customers find that Group Policy provides the ideal
combination of flexibility, power, control, and operating system integration,
a combination that cannot be found in scripting, script generators, or utility
products. This article is a great introduction, and for more information on
Group Policy, extensions, architecture, third party products, etc., check out
the following wiki site: http://www.grouppolicy.org For more information on
PolicyMaker, see: http://www.desktopstandard.com/policymaker Eric Voskuil,
CTO DesktopStandard Corporation MVP (Windows Server Management)
