Managing Users with Policies
Group Policy enables administrators to define how the end-user experience and desktop will be configured. Also, with user-based group policies, end users can be granted or denied access to certain Windows applications and features and even can be limited from reading or writing to removable media. Common user group policy configurations include, but are not limited to, the following:
- Start menu configuration
- Restricting Control Panel and display settings
- Internet Explorer settings
- Software restrictions
- Microsoft Management Console restrictions
- Screensaver settings
- Mapping network drives
- Installing printers
- Creating desktop shortcuts
- Application-specific configurations, including customizing Microsoft Office if the administrative templates are loaded and used in the policy
- Network configuration settings
- Folder redirection and offline file settings
Managing the user environment and desktop with group policies, for the most part, can be used to configure the graphical user interface for the user and to impose security restrictions to increase the reliability of the computer systems in use. In some cases, application shortcuts can be added to the desktop and applets can be hidden from view in the Control Panel or Start menu, but in more restrictive cases, they can be hidden and restricted from execution. Many organizations would like the end-user desktop to be very simple and present the end users with only the necessary applications relevant to their job. Although this is an extreme case, it can be performed by configuring the settings located in the User Configuration\Policies\Administrative Templates\Start Menu and Taskbar Settings node. A more functional Start menu GPO extension can also be used to manage the configuration of the Start menu for Windows XP, Windows Vista, and Windows 7 by configuring settings located in the User Configuration\Preferences\Control Panel Settings\Start Menu node.
Desktop security is also a very big concern for companies, now more than ever. One easy configuration organizations can use to better secure end-user desktops is to implement a password-locking screensaver. Automatic desktop locking with screensavers can be a very handy configuration, but sales and remote users should be granted extended computer idle time before a screensaver kicks in and locks the system in the middle of a sales presentation or a web-based meeting. Screensaver settings can be configured in the User Configuration\Policies\Administrative Templates\Control Panel\Personalization Settings node. To enable a password-protected screensaver with a blank screen screensaver that works on every version of Windows, the following four settings must be configured:
- Enable Screen Saver-Enabled
- Password Protect the Screen Saver-Enabled
- Force Specific Screen Saver-Enabled "scrnsave.scr"
- Screen Saver Time Out-Enabled "900", to go to screensaver after 15 minutes of inactivity
Another of the biggest pain points for companies is being able to back up end-user data, which, by default, is stored on the local drive of the computer system the user logs on to. When users log on to multiple computers or Remote Desktop Services systems, administrators can configure users with roaming profiles and/or specific Remote Desktop Services profiles, which follow them between systems and are stored on server shares. This configuration is set on the actual user object and is not necessarily a Group Policy setting.
Remote Desktop Services profiles are great for Remote Desktop Services systems, but implementing roaming profiles for an entire company on every computer can introduce challenges because each time the user logs on to a system, the entire profile is copied to the local computer and when the user logs off, the profile is copied back to the server. The larger the profile gets, the longer it takes to copy the profile between the server shares and the computer system. On Remote Desktop Services systems, it is very easy for administrators to remotely log off and complete the copy of the profile back to the server share. However, for end-user workstations, when roaming profiles get large, many users do not wait for the profile copy to complete and manually shut down the system or unplug it from the network. This, of course, can cause profile corruption and, even worse, data loss. Group Policy settings can be used to mitigate these issues somewhat and restrict the data that is included in the roaming profile. To improve Remote Desktop Services profile and standard roaming profile performance, administrators can use Group Policy to redirect user folders to server shares using folder redirection.
In this tutorial:
- Group Policy Management for Network Client
- Windows Group Policies
- Domain Group Policies
- Group Policy Feature Set
- User Configuration Policy Node
- Planning Workgroup and Standalone Local Group Policy Configuration
- Planning Domain Group Policy Objects
- Domain GPOs
- Active Directory Site GPOs
- Managing Computers with Domain Policies
- Managing User Account Control Settings
- Creating a Software Restriction Policy
- Creating Application Control Policies (AppLocker)
- Deploying Printers Windows Server 2008
- Mapping Drives Using Preferences User Drive Maps Extension
- Configuring Basic Firewall Settings with Group Policy
- Configuring Windows Update Settings
- Configuring Power Options Using Domain Policies
- Managing Users with Policies
- Configuring Folder Redirection
- Removable Storage Access
- Managing Active Directory with Policies
- Configuring Restricted Groups for Domain Security Groups
- Extending Group Policy Functionality
- Synchronous Foreground Refresh
- GPO Modeling and GPO Results in the GPMC
- Managing Group Policy from Administrative or Remote Workstations