
Managing Users with Policies

Group Policy enables administrators to define how the end-user experience and desktop are configured. With user-based group policies, end users can also be granted or denied access to certain Windows applications and features, and can even be prevented from reading or writing to removable media. Common user group policy configurations include, but are not limited to, the following:

  • Start menu configuration
  • Restricting Control Panel and display settings
  • Internet Explorer settings
  • Software restrictions
  • Microsoft Management Console restrictions
  • Screensaver settings
  • Mapping network drives
  • Installing printers
  • Creating desktop shortcuts
  • Application-specific configurations, including customizing Microsoft Office if the administrative templates are loaded and used in the policy
  • Network configuration settings
  • Folder redirection and offline file settings

Group policies that manage the user environment and desktop are used, for the most part, to configure the graphical user interface for the user and to impose security restrictions that increase the reliability of the computer systems in use. In less restrictive cases, application shortcuts can be added to the desktop and applets can be hidden from view in the Control Panel or Start menu; in more restrictive cases, they can be hidden and also blocked from execution. Many organizations want the end-user desktop to be very simple and to present only the applications relevant to the user's job. Although this is an extreme case, it can be achieved by configuring the settings located in the User Configuration\Policies\Administrative Templates\Start Menu and Taskbar Settings node. A more functional Start menu GPO extension can also be used to manage the configuration of the Start menu for Windows XP, Windows Vista, and Windows 7 by configuring the settings located in the User Configuration\Preferences\Control Panel Settings\Start Menu node.

Desktop security is also a very big concern for companies, now more than ever. One easy configuration organizations can use to better secure end-user desktops is to implement a password-locking screensaver. Automatic desktop locking with screensavers can be a very handy configuration, but sales and remote users should be granted extended computer idle time before a screensaver kicks in and locks the system in the middle of a sales presentation or a web-based meeting. Screensaver settings can be configured in the User Configuration\Policies\Administrative Templates\Control Panel\Personalization Settings node. To enable a password-protected screensaver with a blank screen screensaver that works on every version of Windows, the following four settings must be configured:

  • Enable Screen Saver: Enabled
  • Password Protect the Screen Saver: Enabled
  • Force Specific Screen Saver: Enabled, with the value "scrnsave.scr"
  • Screen Saver Time Out: Enabled, with the value "900" (seconds), so the screensaver starts after 15 minutes of inactivity
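As an added example (not from the original text), the following PowerShell script audits whether the four settings above are actually in effect for the logged-on user, which is a useful check after a GPO change or when a user reports that the lock is not kicking in. It assumes the standard registry location these Administrative Template settings write to, HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop, with the value names ScreenSaveActive, ScreenSaverIsSecure, SCRNSAVE.EXE and ScreenSaveTimeOut; the function name Test-ScreenSaverPolicy is the example's own.

```powershell
# Added example: audit the four screensaver policy settings for the current user.
# Assumption: the User Configuration Personalization settings write their values
# to this policy key (the standard location for user-side Administrative Templates).
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Expected values, mirroring the four GPO settings listed in the text.
$expected = @{
    'ScreenSaveActive'    = '1'             # Enable Screen Saver
    'ScreenSaverIsSecure' = '1'             # Password Protect the Screen Saver
    'SCRNSAVE.EXE'        = 'scrnsave.scr'  # Force Specific Screen Saver
    'ScreenSaveTimeOut'   = '900'           # Screen Saver Time Out, in seconds
}

function Test-ScreenSaverPolicy {
    param(
        [string]$Key = $policyKey,
        [hashtable]$Expected = $expected
    )

    $results = foreach ($name in $Expected.Keys) {
        $actual = $null
        if (Test-Path $Key) {
            # Read one value; a missing value yields $null rather than an error.
            $actual = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }

        $ok = $false
        if ($null -ne $actual) {
            if ($name -eq 'SCRNSAVE.EXE') {
                # The policy may store a full path; compare the file name only.
                $ok = ([IO.Path]::GetFileName([string]$actual) -ieq $Expected[$name])
            } else {
                $ok = ([string]$actual -eq $Expected[$name])
            }
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = $ok
        }
    }
    return $results
}

$report = Test-ScreenSaverPolicy
$report | Format-Table -AutoSize

if ($report.Compliant -contains $false) {
    Write-Warning 'One or more screensaver policy settings are missing or differ from the expected values.'
}
```

A value that is absent from the policy key means the GPO has not applied to this user (run gpresult /r or gpupdate /force and re-check), whereas a value that differs usually means another GPO with higher precedence is setting it. Note that the user's own, non-policy preferences live under HKCU\Control Panel\Desktop; when the policy values exist they take precedence, which is exactly why the audit reads the Policies key rather than the preference key.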

Another major pain point for companies is backing up end-user data, which, by default, is stored on the local drive of the computer the user logs on to. When users log on to multiple computers or Remote Desktop Services systems, administrators can configure roaming profiles and/or specific Remote Desktop Services profiles, which follow users between systems and are stored on server shares. This configuration is set on the user object itself and is not necessarily a Group Policy setting.

Remote Desktop Services profiles are great for Remote Desktop Services systems, but implementing roaming profiles for an entire company on every computer can introduce challenges because each time the user logs on to a system, the entire profile is copied to the local computer and when the user logs off, the profile is copied back to the server. The larger the profile gets, the longer it takes to copy the profile between the server shares and the computer system. On Remote Desktop Services systems, it is very easy for administrators to remotely log off and complete the copy of the profile back to the server share. However, for end-user workstations, when roaming profiles get large, many users do not wait for the profile copy to complete and manually shut down the system or unplug it from the network. This, of course, can cause profile corruption and, even worse, data loss. Group Policy settings can be used to mitigate these issues somewhat and restrict the data that is included in the roaming profile. To improve Remote Desktop Services profile and standard roaming profile performance, administrators can use Group Policy to redirect user folders to server shares using folder redirection.
