Group Policy Settings (Part 2)

by [Published on 29 Nov. 2012 / Last Updated on 29 Nov. 2012]

In this article I will try to give you some guidance to help you get around a GPO, as well as some additional resources you can use to make your administration of Group Policy easier.

If you would like to read the other parts in this article series please go to:

Group Policy Settings Part II: What Settings are Available

A single Group Policy Object (GPO) contains well over 6000 settings. So, it is important to understand what you have when you open one up to edit it. Obviously there is no way to give you a roadmap for 6000 settings, but there are some key areas that most administrators lean towards when making typical settings in a GPO. Here, I will try to give you some guidance to help you get around a GPO, as well as some additional resources you can use to make your administration of Group Policy easier.

Software Settings

The software settings are not the most impressive of the GPO settings, but there are some benefits of using a GPO to deploy software. The best advice I can give here is that if you don’t need to track the software installation for licensing or making sure it is installed (not key line of business application), then this is a great solution.

You can push out either MSI or EXE, but the only way you can push out an EXE is to wrap it in a ZAP file. There is a Software Settings section under both Computer and User Configuration.

Scripts

There are four types of scripts that you can configure using Group Policy. Two reside under the Computer Configuration section and two reside under the User Configuration section. The concepts of the scripts are that you can make configurations when the “object” being targeted starts and then ends.

Administrative Templates Settings

All of the Administrative Template Settings are Registry modifications. There are many settings in many sections. Some settings fall under both Computer and User, where others are only for one of the object types.

Control Panel

Add or Remove Programs (User Configuration only)

Display (User Configuration only)

Printers (User Configuration only)

Programs (User Configuration only)

Regional and Language Options

User Accounts (Computer Configuration only)

Desktop (User Configuration only)

Active Directory

Desktop

Network

Background Intelligent Transfer Services (BITS) (Computer Configuration only)

DNS Client (Computer Configuration only)

Link-Layer Topology Discovery (Computer Configuration only)

Microsoft Peer-to-Peer Networking Services (Computer Configuration only)

Network Connections

Offline Files

QoS Packet Scheduler (Computer Configuration only)

SNMP (Computer Configuration only

SSL Configuration Settings (Computer Configuration only)

Windows Connect Now

Printers (Computer Configuration only)

Shared Folders (User Configuration only)

Start Menu and Taskbar (User Configuration only)

System

Credentials Delegation (Computer Configuration only)

Ctrl+Alt+Del Options (U

Disk Quotas (Computer Configuration only)

Distributed COM (Computer Configuration only)

Driver Installation

Folder Redirection

Group Policy

Internet Communication Management

iSCSI (Computer Configuration only)

KDC (Computer Configuration only)

Kerberos (Computer Configuration only)

Locale Services

Logon

Net Logon (Computer Configuration only)

NTFS Filesystem (Computer Configuration only)Performance Control Panel

Power Management

Remote Assistance (Computer Configuration only)

Remote Procedure Call (Computer Configuration only)

Removable Storage Access

Scripts

Server Manager (Computer Configuration only)

Shutdown Options (Computer Configuration only)

System Restore (Computer Configuration only)

Troubleshooting and Diagnostics (Computer Configuration only)

Trusted Platform Module Services (Computer Configuration only)

User Profiles

Windows File Protection (Computer Configuration only)

Windows HotStart

Windows Time Service (Computer Configuration only)

Windows Components

Active Directory Federation Services (Computer Configuration only)

ActiveX Installer Service (Computer Configuration only)

Application Compatibility

Attachment Manager (U

AutoPlay Policies

Backup

BitLocker Drive Encryption (Computer Configuration only)

Credential User Interface (Computer Configuration only)

Desktop Window Manager

Digital Locker

Event Forwarding (Computer Configuration only)

Event Log Service (Computer Configuration only)

Event Viewer (Computer Configuration only)

Game Explorer (Computer Configuration only)

Imprt Video

Instant Search (Computer Configuration only)

Internet Explorer

Internet Information Services (Computer Configuration only)

Microsoft Management Console (U

NetMeeting

Network Access Protection (Computer Configuration only)

Network Projector

Network Sharing (U

Online Assistance (Computer Configuration only)

Parental Controls (Computer Configuration only)

Password Synchronization (Computer Configuration only)

Presentation Settings

RSS Feeds

Search Security Center (Computer Configuration only)

Server for NIS (Computer Configuration only)

Shutdown Options (Computer Configuration only)

Smart Card (Computer Configuration only)

Sound Recorder

Tablet PC

Task Scheduler

Terminal Services

Windows Calendar

Windows Color System

Windows Customer Experience Improvement Program (Computer Configuration only)

Windows Defender (Computer Configuration only)

Windows Error Reporting

Windows Explorer

Windows Installer

Windows Logon Options

Windows Mail

Windows Media Center

Windows Media Digital Rights Management (Computer Configuration only)

Windows Media Player

Windows Meeting Space

Windows Messenger

Windows Mobility Center

Windows Movie Maker

Windows PowerShell

Windows Remote Management (WinRM) (Computer Configuration only)

Windows Remote Shell (Computer Configuration only)

Windows Sidebar

Windows SideShow

Windows System Resource Manager (Computer Configuration only)

Windows Update

Security Settings

The key subnodes that you will find under the security settings node include Account Policies, User Rights Assignment, Restricted Groups, and Software Restriction Policies. You will notice that the Security Settings under the Computer Configuration section has many more settings compared to the User Configuration section. Security areas include:

Account Policies

Audit Policy

User Rights

Security Options

Event Logs

Restricted Groups

System Services

Registry

File System

Wired Network (IEEE 802.3)

Windows Firewall with Advanced Security

Wireless Network (IEEE 802.11)

Public Key Policies

Software Restriction Policies

Network Access Protection

IP Security Policies

Folder Redirection

Internet Explorer Maintenance

You will find a long list of security settings under the Computer Configuration|Policies|Windows Settings|Security Settings|Local Policies|Security Options node. These are excellent for locking down desktops and servers.

Preferences Settings

The Preferences section provides control over areas that the other Group Policy sections don’t cover well. Here you will find the ability to configure the “actual GUI interface” for the technology you are controlling, as well as configure Item-Level Targeting for any of the settings you control. (For more in Item-Level Targeting, refer to this article). Group Policy Preferences allow control over:

Applications

Drive Maps

Environment

Files

Folders

Ini Files

Registry

Network shares

Shortcuts

Data Sources

Devices

Folder Options

Internet Settings

Local Users and Groups

Network Options

Power Options

Printers

Regional Options

Scheduled Tasks

Services

Start Menu

Resources

With any technology as sophisticated and complex as Group Policy, you will need to test, research, discover, and try them for yourself. I find that when an administrator needs to solve a problem is when Group Policy really shines. The key is knowing where to go for answers and how to put the technology to work for you. I get about 10 questions a month on Group Policy solutions and encourage you to send me your questions and issues, as well as refer to the following references for guidance.

Summary

There are thousands of settings in a single GPO. Knowing what is available, where to find the setting, and how to look for your setting is important. This article gives you many angles for finding and knowing what is available in a GPO. If you still can’t find your setting, please don’t hesitate to contact me at derekm@braincore.net. BTW, you can also get my book on Group Policy at here.

If you would like to read the other parts in this article series please go to:

Advertisement

Featured Links