Top 10 GPOs for Desktop Management (April 14, 2005)

**Please note:** Portions of this transcript have been edited for clarity.

Introduction

This chat was brought to you by Windows IT Pro Magazine

Jana Carter (Moderator):
Welcome to today's chat. We have a great chat for you.

Jana Carter (Moderator):
Today's topic is Top 10 GPOs for Desktop Management. We are pleased to have this chat sponsored by Windows IT Pro Magazine. Thanks and welcome to all readers of Windows IT Pro Magazine!

Jana Carter (Moderator):
We welcome you to submit questions throughout today's chat. To do so:
1. Type your question in the SEND box
2. Click the Submit a Question radio button
3. Click SEND

Jana Carter (Moderator):
We will do our best to answer as many questions as we can in the hour we have today.

Jana Carter (Moderator):
You will see the answers from our experts in this window, the Transcript Window.

Jana Carter (Moderator):
Welcome to our MVPs who could join us today.

Jana Carter (Moderator):
OK, with that, let's get started.

Jana Carter (Moderator):
My name is Jana Carter and I am a product manager at Microsoft. I manage our chat and blog platforms.

Ed Roth (Expert):
Hi my name is Ed Roth. I am a Contributing Editor for Windows IT Pro Magazine and a veteran of the Windows computing world. I currently manage a group of Network / Systems Admins and programmers for a local government organization.

Jana Carter (Moderator):
We will have another expert joining us shortly.

Jana Carter (Moderator):
Let's get started. We will begin to respond to your questions.

Start of Chat

Ed Roth (Expert):
Q:
Is there a GPO that sets the Display refresh rate?
A: I don't believe there is a native extension to do this. It might be a risky proposition unless you were certain that all of your video hardware was compatible with the refresh you wanted to specify. I wouldn't expect Microsoft to implement this type of setting because of that risk.

Ed Roth (Expert):
Q:
We are looking for better tools to define the password complexity option(s) in the GPO.
A: Do you mean you have tried using all of the native settings and they are inadequate? If so, what specifics are you trying to accomplish?

Ed Roth (Expert):
Q:
In attempting to apply group policies, I have noticed that some policies require IE6 in Windows XP Service Pack 2. In cases like this how do we apply the group policy to Win2K and XP SP1 machines?
A: The behavior of the client side policy processing is that it ignores any policies that do not apply to its particular OS or SP level. That means any settings that are designated for SP2 or later simply do not get applied.

Ed Roth (Expert):
Q:
Is there any particular place within the MS Web Site where additional GPOs can be downloaded from? I mean, without having to acquire vendor GPOs or without having to create them myself?
A: I think you might be referring to adm templates. You can check out https://www.microsoft.com/downloads/details.aspx?FamilyID=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en for the most recent adm files.

Ed Roth (Expert):
Q:
GPO Question: How can I secure some training lab PC's to prevent the users from installing software? I'd like to be able to lock down the PC's to secure them and prevent the users from changing settings, installing software & generally poking around.
A: I think the easiest way to accomplish a lockdown like that is to start with one of the scenarios in Microsoft's "Implementing Common Desktop Management Scenarios" https://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverwhitepapers/0ede57ad-7796-4b47-99fe-3d38702558a9.mspx . Pick the parts of a scenario that you like, then test and modify from there.

Ed Roth (Expert):
Q:
Looking for a way to define SUS server settings (Windows Update) by AD site.
A: Did you download and apply wuau.adm? It can be found in my previously mentioned adm download location.

Ed Roth (Expert):
Thanks all for your patience - Darren is still trying to get in ...

Ed Roth (Expert):
Q:
Is there a way to essentially "push" a group policy update to a client? Having to manually do this at a remote location is a pain.
A: Darren says he has a tool at www.gpoguy.com/tools.htm to accomplish this. Thanks, Darren.

Ed Roth (Expert):
Q:
Looking for a way to disable wireless products on laptops, even when they are no longer connected to the domain.
A: If they no longer connect to the domain I'm not sure you will be successful in getting any new policy settings out to them. Did I understand that correctly?

Ed Roth (Expert):
Q:
How does the Firewall policy work? In that I mean when the computer is connected to the domain the firewall is turned off; when it is not connected it is turned on. What verification is the machine doing to determine if the machine is on the network?
A: Windows Network Location Awareness determines which (domain or local) firewall policy is applied.

Ed Roth (Expert):
Q:
I have had issues trying to delegate a GPO for certain users. I set the users in the GPO Management console under Security Filtering.
A: I need more detail to help with this question. Are you adding the user accounts to the dialog that says "settings apply to these users"?

Darren (Expert):
Q:
For the XP firewall GPO, can you define how GPO determines when to use the Domain Profile and when it uses the Standard Profile? How does this change when the client PC is connected through VPN?
A: The process Windows uses to determine this is fixed. Essentially Windows looks at the DNS suffix of the connection that last successfully processed the Group Policy and compares that to the DNS suffix of the current connection. If they are the same, then a domain profile is assumed and applied. If they are different (e.g. the connection is dialing in over an external ISP) then the standard profile is applied. Unfortunately VPN connection suffixes are ignored so a standard profile is generally assumed in this case.

Darren (Expert):
Q:
I would like to apply GPO on "Computers" default OU in AD 2003, but going to Properties for this Container does not give the option for Group Policy. I had to create another OU, named "Client Computers" to get "Group Policy" option.
A: The "Computers" container is not an OU. So to apply a policy to computers in this container you need to link that GPO to the domain.

Darren (Expert):
Q:
Does a laptop that's not connected to the network continue to be bound by group policy? If so, for some duration, or continually?
A: Yes, it does and it will be so indefinitely until something undoes the policy during the next successful policy refresh.

Darren (Expert):
Q:
Is or will MBSA be integrated with GP?
A: Currently there is no integration between MBSA and GP. Since MBSA is an assessment tool, I don't see an obvious integration point.

Darren (Expert):
Q:
Is there an easy way to implement per-machine settings on a per-user basis (or vice versa) without using WMI (e.g. in a Win2K domain)?
A: You can enable computer loopback policy to drive a particular user policy for a particular machine. There is no easy way to do the inverse.

Darren (Expert):
Q:
Jana, I'd like to use the software installation GPO to deploy Office 2003. How do I set up the GPO to check to see if Office 2003 already exists on the workstation, and if so, ignore that particular workstation?
A: If you have XP and Server 2003, you can create a WMI filter to check for the presence of Office using the Win32_Product class, if I remember correctly. However, without that, Office 2003 won't install on a machine that already has it installed if the MSI product code of the version already installed on the machine is the same as the MSI package that is being deployed via GP.

Ed Roth (Expert):
Q:
Is there a GPO I can leverage to block access to the Application log?
A: This will depend on the level of access you provide to users. If they are sufficiently locked down you can try this one: Computer Configuration\Windows Settings\Security Settings\Event Log\Prevent local guests group from accessing application log

Darren (Expert):
Q:
Is there real benefit to be had by setting the Always Wait for Network at Startup and Logon GPO for XP Clients?
A: The benefit of enabling this policy is that it prevents delayed application of folder redirection and software installation policy. When this policy is not enabled, XP is in Fast logon optimization mode and these two policy areas can often take 2 or more user logons to go into effect. Frankly I don't see a lot of benefit in not enabling this.

Darren (Expert):
Q:
GPO Question: How can I secure some training lab PC's to prevent the users from installing software? I'd like to be able to lock down the PC's to secure them and prevent the users from changing settings, installing software & generally poking around.
A: Easiest way to do this is simply not make the users Administrators or Power Users on those workstations. It's very hard, if the user is an administrator on the box, to truly lock it down. There are too many points of entry for policy to adequately handle.

Ed Roth (Expert):
Q:
What are the best resources to use for GPO deployment for Windows XP SP2, like IE settings and firewall?
A: This has some good detail: https://www.microsoft.com/technet/prodtechnol/winxppro/maintain/mangxpsp2/mngintro.mspx

Darren (Expert):
Q:
What is the difference between the domain controller security policy, domain security policy and local security settings?
A: The DC Policy GPO is linked to the DC OU and applies only to DCs. The Default Domain Policy GPO is linked to the domain and is the default place to set domain account policy (e.g. password length, minimum age, etc.). You can only set account policy at a GPO linked to the domain, in fact, so the Default Domain Policy is the obvious place to do this. The local Security settings refers to the effective security settings on a local machine, which could be a combination of GPOs and the local GPO.

Darren (Expert):
Q:
Can we discuss best practice for Windows XP firewall and GPOs to control it, particularly allowing ports for applications?
A: My preference is to keep it simple. The default Firewall setup, when enabled, allows very little through. If you have to manage many exceptions, it can become error prone and difficult over time. Unfortunately, if you find that you have to manage many exceptions, it's best to keep a separate list of those exceptions, since there's no easy way, within the GPO, to edit the list once it's added.

Ed Roth (Expert):
Q:
We would like to use special characters in our passwords.
A: You can set this at Computer Configuration\Windows Settings\Account Policies\Password Policy\Password must meet complexity requirements

Darren (Expert):
Q:
Is there a way to set the time zone setting in a GPO?
A: No, unfortunately not natively within GP. Changing timezones is a fairly complex set of registry changes. I think there is a reskit tool to do this however so you might be able to do it within a GP-based startup script.

Darren (Expert):
Q:
Are there any GPOs that let you add sites to the SP2 pop-up blocker?
A: Yes, under User Configuration|Administrative Templates|Windows Components|Internet Explorer|Popup Allow List

Ed Roth (Expert):
Q:
Is there a way to essentially "push" a group policy update to a client? Having to manually do this at a remote location is a pain.
A: Darren is the man with the tool - check out https://www.gpoguy.com/Tools.htm

Darren (Expert):
Q:
What are best practices for keeping GPO processing at a minimum at logon, time-wise?
A: Certain types of policy, such as file system and registry security, are very intensive. Avoid doing time-intensive stuff within GP. There are a number of things that you get for free from the GP infrastructure that optimize processing. For example, GPs that have not changed since they were last processed do not get run during every foreground or background refresh. Of course, keep the number of GPOs being processed slim, don't use a ton of security group filters, WMI filters take time to process, etc.

Ed Roth (Expert):
Q:
Can we use Folder Redirection for Favorites?
A: Unfortunately, no. There are some third-party tools that can help; you might want to check out PolicyMaker from Desktop Standards.

Darren (Expert):
Q:
I need to push an application using Software Installation in a domain security policy, but the only option is MSI packages. Is there a way around this?
A: Not really. Software Installation supports per-user publishing of applications only through something called a zap file, which is a text file wrapper around a setup.exe. But it's very limited. Your best bet is to try and use something like WinInstall LE to re-package your setup as an .msi.

Darren (Expert):
Q:
How often does it check to see if it is still connected to the domain? What if the laptop is suspended and removed from the domain and taken offsite before being brought back up? Will it then check to see if it is on the domain and if not turn on the FW?
A: If you're referring to how Windows knows whether to apply the domain or standard firewall profiles, then the answer is--both policies are delivered to the machine during GP processing. Whenever the network connection state changes, a test is done to determine if the machine is still connected to the domain. If not, then the standard profile is made active.

Darren (Expert):
Q:
The "Don't run specified Windows applications" isn't additive in 2000 -- that is, if you specify this in multiple places in your policy tree, only one wins -- any chance that this has changed in 2003 so that the multiple lists get added together?
A: No, unfortunately it has not changed.

Darren (Expert):
Q:
Other than creating another user account, is there a way to stop the GPO from running when a user remotely logs in via VPN over an internet connection vs. when the user logs in to his system locally?
A: Not really. You could do a site-based GPO that attempts to undo other GP settings but the problem is that site-based GPs are low in the processing hierarchy and thus can be overwritten themselves.

Darren (Expert):
Q:
Does AD2003 have generic functionality so that we can set policies for registry keys w/o tattooing the reg, or do we need to be using addons such as AutoProf's stuff...
A: The rules around tattooing haven't changed. Any entries that are made in the 4 reg keys (2 under HKLM and 2 under HKCU) will not tattoo. Any other settings will tattoo.

Ed Roth (Expert):
Q:
Ed Roth, is your Windows IT Pro article "Manage Desktops with Group Policy" publicly available?
A: Unfortunately I think it's currently locked down to subscribers.

Darren (Expert):
Q:
How about AD policies to manage wireless adapters -- specifically, 802.1x, PEAP, cert. settings?
A: Wireless Network policy in W2003 provides this. You can set preferred networks and then specify their auth. settings.

Darren (Expert):
Q:
Looking for a way to disable USB ports for items like micro-drives, but still be able to use USB mice and the occasional license dongle and scanner.
A: Can't do this through native policy; however, third-party policy extension products are starting to crop up to do this.

Darren (Expert):
Q:
Is there a way to apply user settings (wallpaper, screensaver) to a computer OU? I have conference and training room PCs that should have a distinct look even when someone logs on with a roaming profile.
A: Yes, by enabling loopback policy on the computers, you can override the user policy of anyone that logs into those computers.

Ed Roth (Expert):
Q:
Looking for a way to disable USB ports for items like micro-drives, but still be able to use USB mice and the occasional license dongle and scanner.
A: There doesn't appear to be anything specifically for USB port lockdown, but there are some removable media policies that may help you accomplish what you are after. Refer to the spreadsheet listing of settings I gave earlier.

Darren (Expert):
Q:
Is there a way via GPO to allow a non-administrative user to install a local printer?
A: No, not natively via GP.

Darren (Expert):
For those of you interested, I have written a new GP book, with William Stanek and Derek Melber, that will be part of the upcoming Server 2003 Resource Kit. It is due out in early May. More info at https://www.microsoft.com/mspress/books/8763.asp or check Amazon.

Darren (Expert):
Q:
Our #1 problem is that programs get installed on GPO 'locked down' PCs. Users are NOT local administrators. Can the GPO be modified such that installing applications is disabled?
A: It's very hard to completely lock this down. I presume they are able to do this because some apps can install anywhere and don't need to write to the registry. If you can isolate directories where this typically happens, you can use file permissions and software restriction policy path rules to prevent code from being saved or running.

Ed Roth (Expert):
Q:
A recent audit requirement mandates that we enable logging for access attempts, critical faults and system resets which would then be forwarded to a collection server. Can GPO do this?
A: You can probably implement what your auditors are after with the settings found in Computer Configuration\Windows Settings\Local Policies\Audit Policy. You'll need to apply them to an appropriate container depending on the scope of the systems your auditors want to audit.

Darren (Expert):
Q:
A recent audit requirement mandates that we enable logging for access attempts, critical faults and system resets which would then be forwarded to a collection server. Can GPO do this?
A: It depends upon what you are enabling auditing on. You can use file system or registry security policy to change the SACL of a file or registry key. But if you are needing to set SACLs on AD objects, you can't do that via GP.

Darren (Expert):
Q:
What is the best way to restrict viewing of the AD structure to only specific users? The normal security restricts normal users from modifying anything but they can still view AD. I want to prevent them from viewing also.
A: No real way to do this. You can use GP Administrative Templates policy to prevent particular users from being able to load, for example, the AD Users and Computers MMC snap-in, but that is the best you can do.

Darren (Expert):
Q:
Can you specify certain users a GPO applies to?
A: Yes, by using security group filtering to preclude or include users or computers.

Ed Roth (Expert):
Q:
#3: Logon scripts: What is the right way to implement logon scripts? It seems there are several articles on the subject but I have not been able to make any of them work.
A: I'm not sure there is a right way - it depends on what you are wanting to accomplish. You need to configure the scripts to target either users or computers as defined by your needs and also decide whether you want the script to happen sooner (logon or startup) or later (logoff or shutdown).

Jana Carter (Moderator):
Windows IT Pro Magazine will be hosting another chat on May 4 on The Security Event Log: The Unofficial Guide.

Jana Carter (Moderator):
Thanks for coming today! We are going to sign off now.

Jana Carter (Moderator):
Yes, you can find transcripts here: https://www.microsoft.com/technet/community/chats/trans/default.mspx