Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


April 2005

10 Ways to Manage Desktops with Group Policy

Get going with Group Policy today

7. Control Windows Update and Automatic Updates
Generally speaking, XP's Windows Update and Automatic Updates are great features. In a corporate environment, though, there are good reasons to control their availability and behavior. You can disable Automatic Updates and remove user access to Windows Update through Group Policy. Of course, you'll likely only do this if you have a centralized update distribution mechanism such as Software Update Services (SUS) or its soon-to-be-released successor Windows Update Services (WUS). Both SUS and WUS are controllable through Group Policy but might require an updated version of the Wuau.adm administrative template. The settings for the built-in update tools are user-specific. SUS and WUS settings are computer-based.

The Settings:
User Configuration\ Administrative Templates\ System\ Windows Automatic Updates
User Configuration\ Administrative Templates\ System\ Windows Update
Computer Configuration\ Administrative Templates\ Windows Components\ Windows Update
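
One way to check the dependency this section notes, as an added example rather than code from the article: the PowerShell below reads the update-policy registry values and flags a client whose built-in update path is switched off while no SUS/WUS server is configured. The function names and the constructed sample object are assumptions made for illustration; `WUServer`, `UseWUServer`, `NoAutoUpdate`, `AUOptions` and `DisableWindowsUpdateAccess` are the documented policy value names.

```powershell
# Added example: audit the update-policy registry values on one client.
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UpdatePolicy {
    # Snapshot of the computer-side (SUS/WUS) and user-side settings.
    [pscustomobject]@{
        WUServer      = Get-PolicyValue $wuKey 'WUServer'
        UseWUServer   = Get-PolicyValue "$wuKey\AU" 'UseWUServer'
        NoAutoUpdate  = Get-PolicyValue "$wuKey\AU" 'NoAutoUpdate'
        AUOptions     = Get-PolicyValue "$wuKey\AU" 'AUOptions'
        UserWUBlocked = Get-PolicyValue $userKey 'DisableWindowsUpdateAccess'
    }
}

function Test-UpdatePolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    # An internal server counts only when both values are present.
    $internal = ($Policy.UseWUServer -eq 1) -and [bool]$Policy.WUServer

    if ($Policy.UseWUServer -eq 1 -and -not $Policy.WUServer) {
        $findings += 'UseWUServer=1 but WUServer is empty: no usable update source'
    }
    if ($Policy.WUServer -and $Policy.UseWUServer -ne 1) {
        $findings += 'WUServer is set but UseWUServer is not 1: the server setting is ignored'
    }
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'NoAutoUpdate=1: the Automatic Updates client is off on this machine'
    }
    if ($Policy.UserWUBlocked -eq 1 -and -not $internal) {
        $findings += 'User access to Windows Update is removed and no internal server is configured'
    }
    if ($internal -and $Policy.NoAutoUpdate -ne 1 -and $Policy.AUOptions -in 2, 3) {
        $findings += "AUOptions=$($Policy.AUOptions): updates wait for a user to approve the download or install"
    }
    $findings   # empty when nothing is flagged
}

# Constructed sample: Automatic Updates disabled and user access removed,
# but the SUS/WUS settings were never applied to the machine.
$sample = [pscustomobject]@{
    WUServer = $null; UseWUServer = $null; NoAutoUpdate = 1
    AUOptions = $null; UserWUBlocked = 1
}
'--- constructed sample ---'; Test-UpdatePolicy $sample
'--- this machine ---';       Test-UpdatePolicy (Get-UpdatePolicy)
```

Run it in the session of the user being checked, because the user-side value is read from HKCU.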

8. Folder Redirection
Folder Redirection lets you redirect the path of special folders such as My Documents, Desktop, and Application Data to a network location. Storing these folders and their contents on a file server affords them the superior protection that server class hardware inherently provides and also makes the data available to users from multiple workstations. A separate but complementary technology is XP's Offline Files, which automatically makes files available offline when you redirect them from a special folder. For more information about implementing Folder Redirection, see "Using IntelliMirror to Manage User Data and Settings" (July 2003, InstantDoc ID 39193).

The Settings:
User Configuration\ Windows Settings\ Folder Redirection
User Configuration\ Network\ Offline Files

9. Standardize and Secure IE
IE is one of the most frequently used tools on many users' systems; unfortunately, it's also one of the most misused. In addition, IE presents an oft-exploited avenue for malware and other threats to security and privacy. Although there is no bulletproof solution to these risks when IE is so widely used, there are Group Policy settings to shore up security and better control how IE is used. IE subkeys under User Configuration and Computer Configuration in GPE let you customize settings and set restrictions on a per-user or per-computer basis (the majority of settings are beneath User Configuration). Customizations you can make include but aren't limited to:

  • Changing the appearance of the browser interface
  • Setting custom URLs for favorites, search page, and home page
  • Configuring the default programs for handling tasks such as email and newsgroup activities
  • Controlling security zones and content rating settings
  • Configuring connection settings for LAN and dial-up

You can also restrict user access to certain IE settings, menu items, and configuration pages to enforce consistency and bolster security. Take a minute to read the Explain tab for the settings you configure to avoid confusion about what will happen when you enable or disable a setting. XP SP2 dramatically expands the IE security options that Group Policy can control. The new features include MIME sniffing safety, zone elevation protection, ActiveX installation restrictions, file download restrictions, and Add-on management.

The Settings:
Computer Configuration\ Administrative Templates\ Windows Components\ Internet Explorer
User Configuration\ Administrative Templates\ Windows Components\ Internet Explorer

10. Software Installation Policy for Automated Application Deployments
Software installation and maintenance are part of Microsoft's IntelliMirror functionality, and you can control both with Group Policy. You can configure settings within GPE to assign or publish an application to users or computers. Software installation and maintenance functionality works with programs that use Windows Installer technology (i.e., .msi files). Of course, Microsoft applications such as Office use Windows Installer technology for their installation process, which means you can assign Office to a user or computer population and have it installed automatically. You can create custom installations using msi transforms and use security group filtering to target specific groups of users to which the custom installation will be applied. And in case you're wondering, you can also use software installation and maintenance functionality to deploy XP SP2. You can assign XP SP2's Update.msi only to machines; assigning to users isn't supported. For more information, see the Microsoft article "Best Practices for Using Update.msi to deploy Service Packs," http://www.support.microsoft.com/?kbid=278503.

The Settings:
User Configuration\ Software Installation
Computer Configuration\ Software Installation

Good Policy
Now you know that some policies are simple and others, such as Folder Redirection, require preparation and testing to implement. The best way to approach policy creation is from the perspective of solving a particular problem or providing a particular service. Determine the appropriate settings to accomplish the task at hand. Read the description under the Explain tab when viewing the properties for a setting within GPE to make sure you fully understand a setting's impact and behavior before you turn it on. And finally, make sure you fully test both the result of the settings in your GPO and your scope targeting method before putting a policy into production.



Reader Comments
Brian Styles of ScriptLogic also has some thoughts about Group Policy. He hopes to hear your thoughts and share more of his with this article.

Brian's comments:

Policy-based controls over desktop settings are a great starting point to standardize and streamline the user's environment. They employ the ability to make changes on multiple machines with a single administrative change. However, Group Policies are simply not enough for comprehensive desktop administration for two reasons:

(1) limited scope of administrative ability and

(2) limited granularity of distribution.

The scope of administration Group Policies master is limited to OS- and (some) application-specific settings. Third-party solutions are required to handle the multitude of other aspects that are required by the administrator to control the user's environment. Like the administrative scope, granularity of policy distribution is also extremely limited in that you have only users, groups, computers and OUs to use to differentiate policy deployment. OUs and object types are only a few of the long list of methods you can use to categorize and identify users.

It should come as no surprise to IT professionals that ScriptLogic would have an opinion on Group Policies given that ScriptLogic has made a business out of developing intuitive management solutions in the areas of desktop administration, Active Directory and Group Policy management. Now it's your turn to give us your feedback. Share with us your experiences of using Group Policies to manage Windows clients and feel free to post your questions. We'll be monitoring your feedback and posting replies.

- Brian Styles

acarheden March 29, 2005


I believe that GPOs (and DFS) are some of the most underutilized, most powerful options in AD.

I have recently begun using a product which has made GPOs significantly more powerful! PolicyMaker by DesktopStandard. I did look at some competing products which will go unnamed.

If you have not looked at this product you should, as it includes a BUNCH of functionality that by definition, should have been included in the GPOs. Outlook settings, Word settings, pushing out printers, mapping drives etc. It has absolutely blown me away. AND the per seat is not that much.

seriously check it out,
Bob

Osm3um April 06, 2005


Bob,

Thanks for the plug. Clearly Group Policy is the most widely utilized desktop management technology system – and the best feature of Active Directory. As far as I know the only scoping limitations are that machines must be Windows 2000 or later, and for central management they must be joined to AD. Everyone with an Active Directory network is already using Group Policy. Unfortunately some people miss out on the rich possibilities by focusing entirely on the extensions that are provided with Windows. That’s like complaining that IE can’t view a PDF file.

Group Policy is an extensible architecture by design. The 11 extensions that ship with Windows XP include security settings, software deployment and more. However, when we introduced the first product based on this specification, a whole new world of true Group Policy was opened up. Our PolicyMaker suite includes a total of 23 extensions (e.g. printers, drive maps, patching, local users and groups management, power options, least privilege security, Outlook profiles, and much more), and each supports the full specification – including GPMC integration, backup and restore, planning and logging modes, delegation, and more. There are no servers or services to install, it all works inside the existing architecture.

We implement a number of common features in our extensions, including drag-and-drop XML import/export, 25 categories of graphical per-setting filters (no limit to granularity), per-setting documentation, environment variable integration, extension-level delegation, and much more. Our customers find that Group Policy provides the ideal combination of flexibility, power, control, and operating system integration – a combination that cannot be found in scripting, script generators, or utility products.

This article is a great introduction, and for more information on Group Policy, extensions, architecture, third party products, etc., check out the following wiki site:

http://www.grouppolicy.org

For more information on PolicyMaker, see:

http://www.desktopstandard.com/policymaker

Eric Voskuil, CTO
DesktopStandard Corporation
MVP (Windows Server – Management)


Anonymous User April 07, 2005


Dude you're lame - this is an article comment section, not your opportunity for a personal shameless plug.

Anonymous User April 08, 2005


Whoever you are... You have a right to your opinion. However, given that the article appears to be sponsored by Brian's company, and that his "comments" were fed in by the editors, it was more than appropriate to point out that the deficiencies in Group Policy that he raises are either non-existent or properly addressed by third party *Group Policy* plug-ins. Apparently Bob felt the same way.

Eric

Anonymous User April 08, 2005


Eric,

None of our editorial articles are sponsored. We do talk to both Microsoft and other vendors regularly though. Both ScriptLogic (Brian’s company) and DesktopStandard have made markets for themselves by providing functionality above and beyond what Group Policy can do out of the box. Since customers are paying for both of these products (as well as others), I think that’s clearly an indication that some users want more from Group Policy.

That being said, our editorial purpose in posting the argument from Brian Styles is to start a discussion about Group Policy’s limitations. Your point about Group Policy extensions vs. ScriptLogic’s approach is a good one. Clearly, DesktopStandard solves many additional desktop management problems by extending Microsoft’s existing architecture. Brian obviously feels that Microsoft’s architecture isn’t flexible enough for his customers’ needs though.

So, I pose this question to both Brian and Eric: What are some specific examples of desktop management functionality that either can’t be done using Group Policy extensions or can be done easily with a Group Policy extension?


acarheden April 14, 2005


Adam,

Thanks for your thoughtful response. Having worked with IT Pro (and predecessors) for many years, this is the type of in-depth discussion I would expect readers to appreciate the most. Group Policy is an expansive and valuable topic, and it’s hard to get enough depth even in a feature article. Generating discussion on the topic of what’s missing is a great approach to this problem.

Please forgive me if I got the wrong impression regarding sponsorship of the article, but it’s easy to come to this conclusion given the contents of the “Interact” section at the top of the article (in both print and online versions). I assumed that was a paid position associated with the article – which of course was the cover story for the April print edition. My mistake.

I don’t know a lot about the SL product, but from what I understand it’s dependent on KiXtart scripting, not Group Policy. There are many ways to accomplish management tasks in a distributed network – scripting, script generators, various utility products and tools, infrastructure investments such as ZENworks, SMS, Tivoli, Altiris, etc. Some of these claim to have association with Group Policy. However to actually provide new Group Policy features requires implementing Microsoft’s extensive specification for Group Policy Extension, including Group Policy Object Editor extensions, Resultant Set of Policy snap-in extensions, GPMC integration, and Client Side Extensions. This is how the Microsoft extensions work.

It’s hard for me to come up with an example of desktop management functionality that cannot be managed easily using a Group Policy extension. Of course there is not a Group Policy extension to cover every conceivable management task, yet this is true of all management products. Should holes in native functionality be filled by non-Group Policy utilities if there are capable extensions available? That’s an individual decision, but one that should be made with an understanding of the options.

In fairness, Brian did state that third party products (presumably extensions) are required to fill the holes in Group Policy – but that’s by design. Reusing my own analogy, one wouldn’t argue that IE was “too limited” because Microsoft didn’t provide all of the plug-ins. Just the opposite is true. Group Policy is practically *unlimited* because it’s extensible and the extensibility model is supported. This isn’t true of most other desktop management systems.

Brian missed an opportunity to point out a legitimate limitation of Group Policy – it doesn’t support Windows NT 4 or Windows 9x desktops. As I understand SL predates Group Policy and supports these platforms. I assume he has a good product and I’m sure it can fill some of the holes left by native Group Policy even on current platforms. However, people looking for Group Policy solutions should be aware that there are in fact true Group Policy extensions that more than handle the issues raised.

Therefore, I guess I should answer the other part of your question, “What are some specific examples of desktop management functionality that … can be done easily with a Group Policy extension?” That’s a mighty long list, and this is already getting too long – so I’ll follow up a little later.

Regards,

Eric


Anonymous User April 14, 2005


Adam,

These are the extensions that are available when you install the PolicyMaker suite. Native (Microsoft) Group Policy extensions make up just 1/3 of these. The Administrative Templates extension includes hundreds of individual security and other operating system configuration parameters. Software Update provides Group Policy patch management using SUS/WUS data. Printers provides mapping of shared printers or connection of IP printers. The solutions possible with these extensions and the numerous policy types they include are innumerable.

* Environment Variables
* Local Users and Groups
* Application Security
* Device Restrictions
* Wireless
* Network Options
* Drive Maps
* Folder Redirection
* Administrative Templates
* Microsoft Disk Quota
* QoS Packet Scheduler
* Scripts
* Security
* Internet Explorer Branding
* EFS recovery
* Software Installation
* Software Update
* IP Security
* Folders
* Files
* Data Sources
* Ini Files
* Windows Services
* Folder Options
* Scheduled Tasks
* Registry
* Applications
* Printers
* Shortcuts
* Mail Profiles
* Internet Settings
* Start Menu Settings
* Regional Options
* Power Options

One of the strengths of Group Policy is its ability to target groups of settings in a GPO to users and/or computers by site, domain, and organizational unit. Additionally, GPOs can be filtered by security group and WMI filters. PolicyMaker extensions add to this flexibility by implementing per-setting targeting using a graphical drag and drop filter interface common to all extensions and settings. This allows administrators to create a much smaller number of GPOs and target contained settings more granularly. Filter classes include:

Anonymous User April 27, 2005


Hardware
* Dial-Up Connection
* Portable Computer
* Battery Present
* PCMCIA Present
* CPU Speed
* Disk Space
* RAM Available
* MAC Address Range

Identity
* IP Address Range
* AD/LDAP Query
* Domain/Workgroup
* Organizational Unit
* Site Membership
* Computer/DNS Name
* Security Group
* User Match

Software
* Operating System
* Service Pack
* Terminal Session
* System/User Language
* File match
* Registry Match
* Environment Variable

Other
* Filter Group
* Message Box
* MSI Packages
* Recur Every
* Run Once
* Time Range
* WMI Query

Additionally, Group Policy provides a rich delegation and hierarchical management model so that organizations can make the system support the way they do business. All in all Group Policy has practically unlimited potential and tremendous ROI. It’s well integrated, extensible, hugely scalable and by far the most widely deployed desktop management system for Active Directory networks.

Eric

Anonymous User April 27, 2005






 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement