Using Group Policy for Configuration Control

You can use Group Policy to control many desktop settings and configuration options, such as:

  • Customizing logon and logoff processes

  • Customizing the desktop

  • Customizing many components of the operating system

The following sections discuss configuration options in each of these categories. These are representative examples and are not an exhaustive list. Remember, there are over 550 different Group Policy settings, and the best way to see all the different options is to study an installed version of Windows 2000. For more information about Group Policy settings, see "Group Policy" in the Microsoft® Windows® 2000 Server Resource Kit Distributed Systems Guide.

As you read through the remainder of this chapter, and subsequently work with Windows 2000, note the options that might be of use to your organization. Then, when your list is complete, you can begin to customize Group Policy objects to meet your needs. You should also include the complete list of options and Group Policy settings in your Client Configuration Plan.

Customizing the Logon and Logoff Processes

Windows 2000 provides numerous ways to customize logon and logoff processes. For example, you can specify that a diagnostics or virus program be run every time a user logs on or logs off.

Table 23.5 lists some logon and logoff options that might be useful to you.

Table 23.5 Sample Logon and Logoff Group Policy Options

| Policy | Description |
| --- | --- |
| Run legacy logon scripts hidden | By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run (it does not display logon scripts written for Windows 2000). Enabling this policy prevents logon scripts written for Windows NT 4.0 and earlier from displaying. |
| Add Logoff to the Start Menu | Adds the "Log Off <username>" item to the Start menu and prevents users from removing it. |
| Do not save settings at exit | Rolls back changes made to the desktop by users during their last session. |
| Do not display welcome screen at logon | Hides the Getting Started with Windows 2000 welcome screen that is displayed on Windows 2000 Professional each time the user logs on. |

Restricting Changes to the Desktop

Group Policy can assist you in preventing users from making potentially counter-productive changes to their computers. In addition, it can enable you to optimize the desktop for the particular tasks performed in your organization. Table 23.6 lists some policies that you can use to customize the desktop.

Note

Many organizations will want to create custom configurations of their Internet and intranet browser software. For more information about customizing and managing Internet Explorer 5, see the Microsoft® Internet Explorer Administration Kit (IEAK) link on the Web Resources page at https://windows.microsoft.com/windows2000/reskit/webresources. Windows 2000 includes a Group Policy snap-in to configure and manage Internet Explorer 5, called Internet Explorer Maintenance.

Table 23.6 Sample Custom Desktop Options

| Policy | Description |
| --- | --- |
| Prohibit user from changing My Documents path | Prevents users from changing the path to the My Documents folder. |
| Disable Control Panel | Disables all Control Panel programs. |
| Hide the Add a program from CD-ROM or floppy disk option | Removes the Add a program from CD-ROM or floppy disk option from the Add New Programs page. |
| Hide specified Control Panel programs | Hides specified Control Panel items and folders. |
| Prohibit changes to the Active Desktop | Allows you to enforce a standard desktop by preventing the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. |
| Active Desktop wallpaper | Specifies the desktop background wallpaper displayed on all users' desktops. |
| Century Interpretation for Year 2000 (System) | Specifies the last year for which two-digit years are interpreted as being in the 21st century. |
| Hide these specified drives in My Computer | Removes the icons representing the selected hard drives from My Computer, Windows Explorer, and My Network Places. Also, the drive letters representing the selected drives do not appear in the Open dialog box. |
| Desktop screen saver executable name | Specifies the screen saver used on the computer. |
| Disable the command prompt | Prevents users from running the interactive command prompt, Cmd.exe. This policy also determines whether batch files (.bat, .cmd) can run on the computer. |
| Disable registry editing tools | Disables the Windows registry editors, Regedt32.exe and Regedit.exe. |
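Several of the Table 23.6 restrictions are stored as per-user registry values, so you can confirm on a client that they were actually applied. The following PowerShell script is an added example and is not part of the Resource Kit text; it assumes PowerShell 3.0 or later, and the registry paths and value names are the ones commonly documented for these policies, which you should confirm against your own policy templates.

```powershell
# Added example (not from the Resource Kit): report whether four Table 23.6
# restrictions are set for the current user. The registry locations below are
# the commonly documented ones for these policies; treat them as assumptions
# and confirm them against your own .adm/.admx templates.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$cmd      = 'HKCU:\Software\Policies\Microsoft\Windows\System'

$checks = @(
    @{ Policy = 'Disable Control Panel';                      Key = $explorer; Name = 'NoControlPanel' }
    @{ Policy = 'Hide these specified drives in My Computer'; Key = $explorer; Name = 'NoDrives' }
    @{ Policy = 'Disable the command prompt';                 Key = $cmd;      Name = 'DisableCMD' }
    @{ Policy = 'Disable registry editing tools';             Key = $system;   Name = 'DisableRegistryTools' }
)

function ConvertFrom-NoDrivesMask([int]$Mask) {
    # NoDrives is a bitmask: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
    $letters = 0..25 | Where-Object { $Mask -band (1 -shl $_) } |
        ForEach-Object { [char](65 + $_) }
    return ($letters -join ', ')
}

function Get-PolicyState($Check) {
    # A missing key or value means the policy was never written for this user.
    $item  = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.($Check.Name) } else { $null }
    $detail = switch ($Check.Name) {
        'NoDrives'   { if ($value) { 'hidden: ' + (ConvertFrom-NoDrivesMask $value) } }
        'DisableCMD' {
            # 1 also blocks .bat/.cmd processing; 2 blocks only the interactive prompt.
            if ($value -eq 1) { 'Cmd.exe and batch files blocked' }
            elseif ($value -eq 2) { 'Cmd.exe blocked, batch files still run' }
        }
        default      { if ($value) { 'enforced' } }
    }
    [pscustomobject]@{
        Policy = $Check.Policy
        Value  = if ($null -eq $value) { '(not set)' } else { $value }
        State  = if ($detail) { $detail } else { 'not enforced' }
    }
}

$checks | ForEach-Object { Get-PolicyState $_ } | Format-Table -AutoSize
```

Run it in the target user's session, because the values live under that user's HKCU hive.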

Restricting Changes to the Start Menu

In your organization, you might want to have control over which Start menu features are enabled. Group Policy allows you to disable the options you do not want to make available, and to create an optimized Start menu that reflects the needs of your organization and its users. Table 23.7 illustrates a few examples.

Table 23.7 Representative Start Menu Options

Policy

Re

Disable and remove links to Windows Update

Remove Run command from Start Menu

Add Logoff to the Start Menu

Disable drag-and-drop shortcut menus on the Start menu

Do not use the search-based method when resolving shell shortcuts

Do not run specified Windows-based applications

Note

The Start menu that you customize and provide to users can be stored locally, or it can be stored on a network server.

Configuring Options for Remote Users

The growing number of users with portable computers in many organizations has made managing these remote computers a major administrative concern. The strategies in Table 23.8 can be useful in managing user data for remote access users.

Table 23.8 Portable and Remote Computer Options

| Strategy | Description |
| --- | --- |
| Limit the use of Group Policy | Group Policy cannot be turned off, even over slow links. (Be careful about applying excessively restrictive Group Policy settings or those that download lots of data to portable computers or users' home computers. Consider logon scripts and the default time-out of 600 seconds.) |
| Automatically detect slow network connections | Allows you to set threshold levels for what is considered a slow link. You can then define certain bandwidth-intensive activities that must not take place when slow links are encountered. |
| Specify network files and folders that are always available offline | Allows you to specify network files and folders that are always available for offline use. |
| Disable Make Available Offline | Prevents users from making certain files and folders available. |