Bret Madsen
Purdue University
System Administrator

Approx. 2300 computers
Over 120 lab locations and 300 teaching lecterns
Over 300 application packages
Updates to machines nightly
Logout-to-login time under 5 minutes
Revert any changes between users (Deep Freeze)
Space for user data and customizations
Unique identifiable logins for tracking purposes

Computer Configuration
  Policies
    Windows Settings
      Security Settings/System Services
        [Remote Registry] = startup mode: automatic
        Note: by default the service is disabled

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Local Policies/User Rights Assignment
        [Allow log on through Terminal Services] = group
        [Allow log on locally] = group
      Security Settings/Local Policies/Restricted Groups
        [BUILTIN\Remote Desktop Users] = group
    Administrative Templates
      Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
        [Allow users to connect remotely using Remote Desktop Services] = enabled
      Windows Components/Windows Installer
        [Allow admin to install from Remote Desktop Services session] = enabled

Computer Configuration
  Policies
    Administrative Templates
      Windows Components/Windows Remote Management/WinRM Service
        [Allow automatic configuration of listeners] = management IP addresses
      Windows Components/Windows Remote Shell
        [Allow Remote Shell Access] = enabled

[Allow automatic configuration of listeners] = management IP addresses
  If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
  If you disable or do not configure this policy setting, the WinRM service does not automatically listen on the network and you must manually create listeners on every computer.
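As an added example (not from the slides), a PowerShell audit of the remote-management state these policies should leave on a lab machine, plus a check for inbound RDP firewall rules that are not scoped to the sys-admin management machines the firewall slide later calls for. Registry value names are assumed to be the ones the matching ADMX templates write under HKLM\SOFTWARE\Policies; the NetSecurity cmdlets need Windows 8/Server 2012 or later.

```powershell
# Added example, not from the slides. Read a policy-backed registry value,
# returning $null when the key or value is absent (policy not applied).
function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function New-AuditRow($Setting, $Value, $Expected, $OK) {
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Expected = $Expected; OK = [bool]$OK }
}

# Value names below are assumed to be those the Remote Desktop, WinRM and Windows
# Remote Shell ADMX templates write; confirm them against your template version.
function Get-LabRemoteMgmtAudit {
    $ts    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $winrm = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
    $svc   = Get-CimInstance Win32_Service -Filter "Name='RemoteRegistry'"
    $deny  = Get-PolicyValue $ts    'fDenyTSConnections'
    $auto  = Get-PolicyValue $winrm 'AllowAutoConfig'
    $ipv4  = Get-PolicyValue $winrm 'IPv4Filter'
    $winrs = Get-PolicyValue "$winrm\WinRS" 'AllowRemoteShellAccess'

    New-AuditRow 'Remote Registry startup mode' $svc.StartMode 'Auto' ($svc.StartMode -eq 'Auto')
    New-AuditRow 'RDP allowed (fDenyTSConnections)' $deny 0 ($deny -eq 0)
    New-AuditRow 'WinRM auto-config listeners' $auto 1 ($auto -eq 1)
    # '*' accepts WinRM connections from any address; the slides scope this to management IPs
    New-AuditRow 'WinRM IPv4 listener filter' $ipv4 'management IPs, not *' ($ipv4 -and $ipv4 -ne '*')
    New-AuditRow 'Remote Shell access' $winrs 1 ($winrs -eq 1)
}

# Enabled inbound allow rules that expose TCP 3389 to Any remote address. The
# built-in "Remote Desktop" rules look like this; the slides instead scope RDP to
# the sys-admin management machines, so anything listed here needs a RemoteAddress scope.
function Get-UnscopedRdpRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $port.Protocol -eq 'TCP' -and
                ($port.LocalPort -contains '3389' -or $port.LocalPort -contains 'Any') -and
                ($addr.RemoteAddress -contains 'Any')
        } | Select-Object DisplayName, Profile
}

Get-LabRemoteMgmtAudit | Format-Table -AutoSize
Get-UnscopedRdpRules
```

Run it in an elevated session on an imaged lab machine after a gpupdate; any row with OK = False or any rule listed by Get-UnscopedRdpRules is a deviation from the slides' intended state.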
Computer Configuration
  Policies
    Administrative Templates
      Windows Components/Windows Update
        [Allow non-administrators to receive update notifications] = disabled
        [Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box] = enabled
        [Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box] = enabled
        [Specify intranet Microsoft update service location] = intranet server

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Local Policies/Security Options/Devices
        [Allowed to format and eject removable media] = group
    Administrative Templates
      System/Device Installation
        [Do not send a Windows error report when a generic driver is installed on a device] = enabled
        [Prevent Windows from sending an error report when a device driver requests additional software during installation] = enabled
      System/Device Installation/Device Installation Restrictions
        [Allow installation of devices that match any of these device IDs] = *
        [Allow installation of devices using drivers for these device classes] = *
        [Prevent installation of removable devices] = disabled
      System/Driver Installation
        [Allow non-administrators to install drivers for these device setup classes] = enabled

[Allow installation of devices that match any of these device IDs] = *
  If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation.

[Allow installation of devices using drivers for these device classes] = *
  If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation.
[Allow non-administrators to install drivers for these device setup classes] = *
  If you enable this setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.

User Configuration
  Policies
    Administrative Templates
      System/Driver Installation
        [Code signing for device drivers] = When Windows detects a driver file without a digital signature: ignore

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Local Policies/Security Options/Interactive Logon
        [Do not display last user name] = enabled
        [Do not require CTRL+ALT+DEL] = disabled
        [Number of previous logons to cache] = 0 logons
    Administrative Templates
      System/Logon
        [Always use custom logon background] = enabled (stored at %SystemRoot%\System32\oobe\info\backgrounds\backgroundDefault.jpg)
        [Assign a default domain for logon] = name of domain
        [Hide entry points for Fast User Switching] = enabled
        [Turn off Windows Startup Sound] = enabled

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Local Policies/Security Options/User Account Control
        [Detect application installations and prompt for elevation] = disabled

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Windows Firewall with Advanced Security
        Domain (Private and Public also) Profile Settings
        Inbound Rules: RDP - Sys Admin management machines

Domain (Private and Public also) Profile Settings
  Domain: Applies when a computer is connected to a network that contains an Active Directory domain controller in which the computer's domain account resides.
  Private: Applies when a computer is connected to a network in which the computer's domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. A network is assigned the private type by a local administrator.
  Public: Applies when a computer is connected to a domain through a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment. By default, newly discovered networks are assigned the public type.
  Computers running Windows Server 2008 and Windows Vista support only a single profile at a time. If the computer is connected to more than one network, the most restrictive profile is applied to all network adapters.

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Local Policies/Security Options/Devices
        [Prevent users from installing print drivers] = disabled
    Administrative Templates
      Printers
        [Execute print drivers in isolated processes] = enabled
        [Override print driver execution compatibility setting reported by print driver] = disabled
        [Point and Print Restrictions] = disabled

[Execute print drivers in isolated processes] = enabled
  This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail. If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. If you disable this policy setting, the print spooler will execute print drivers in the print spooler process. This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.

[Override print driver execution compatibility setting reported by print driver] = disabled
  This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver.
  This enables executing print drivers in an isolated process, even if the driver does not report compatibility.

[Point and Print Restrictions] = disabled
  This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.

Computer Configuration
  Policies
    Administrative Templates
      System/Folder Redirection
        [Use localized subfolder names when redirecting Start Menu and My Documents] = enabled
      System/User Profiles
        [Do not check for user ownership of Roaming Profile Folders] = enabled
        [Set roaming profile path for all users logging onto this computer] = path without .v2 (appended automatically)

[Use localized subfolder names when redirecting Start Menu and My Documents] = enabled
  This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.
  Note: This policy is valid only on Windows Vista and Windows 7 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment.

[Do not check for user ownership of Roaming Profile Folders] = enabled
  If you enable this setting, Windows will not check the permissions for the folder in the case where the folder exists.
  If you disable or do not configure this setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Windows will NOT copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user’s cached profile will be used, or a temporary profile issued if no cached profile exists.

[Set roaming profile path for all users logging onto this computer] = path without .v2 (appended automatically)
  To use this setting, type the path to the network share in the form \\Computername\Sharename\. It is recommended to add %USERNAME% to the path to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile.

User Configuration
  Policies
    Windows Settings/Folder Redirection
      [AppData], [Contacts], [Desktop], [Documents], [Downloads], [Favorites], [Links], [Music], [Pictures], [Start Menu], [Videos]
      Notes:
        New ability to target different groups within one policy
        If using a non-Windows file share, there may be issues. We use a Sun file server, and if the folders weren’t pre-created the redirect would not work.
Computer Configuration
  Policies
    Administrative Templates
      Windows Components/Internet Explorer
        [Disable changing proxy settings] = enabled
        [Disable Periodic Check for Internet Explorer software updates] = enabled
        [Pop-up allow list] = list of sites (such as WebCT)
        [Prevent participation in the Customer Experience Improvement Program] = enabled
        [Prevent performance of First Run Customize settings] = enabled
        [Customize settings] = Go directly to home page
      Windows Components/Internet Explorer/Compatibility View
        [Use Policy List of Internet Explorer 7 sites] = list of sites (such as WebCT)

User Configuration
  Policies
    Administrative Templates
      Windows Components/Internet Explorer
        [Pop-up allow list] = list of sites (such as WebCT)
        [Prevent participation in the Customer Experience Improvement Program] = enabled
        [Prevent performance of First Run Customize settings] = enabled
        [Customize settings] = Go directly to home page

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Local Policies/Security Options/Shutdown
        [Clear virtual memory pagefile] = disabled
    Administrative Templates
      System/Disk NV Cache
        [Turn Off Boot and Resume Optimizations] = enabled
      System/System Restore
        [Turn off Configuration] = enabled
        [Turn off System Restore] = enabled

[Clear virtual memory pagefile] = disabled
  Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.
[Turn Off Boot and Resume Optimizations] = enabled
  If you enable this policy setting, the system does not use the nonvolatile (NV) cache to optimize boot and resume. If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cache during shutdown and hibernate respectively. This might cause a slight increase in the time taken for shutdown and hibernate.

User Configuration
  Policies
    Windows Settings/Scripts
      [Logoff] = c:\windows\system32\shutdown.exe -r -t 00

Computer Configuration
  Policies
    Windows Settings
      Security Settings/Event Log
        [Retention method for application log] = as needed
        [Retention method for security log] = as needed
        [Retention method for system log] = as needed
    Administrative Templates
      Windows Components/Event Log Service
        Application (Security, Setup, and System also)
          [Log File Path] = drive location
          [Backup log automatically when full] = enabled
          [Retain old events] = enabled

Computer Configuration
  Preferences
    Windows Settings
      Environment Variables, Files, Folders, Ini Files, Registry, Network Shares, Shortcuts
      Note: preferences stay on the machine once applied, even if the policy is removed

User Configuration
  Preferences
    Windows Settings
      [Drive Maps], [Environment], [Files], [Folders], [Ini Files], [Registry], [Shortcuts]
      Notes:
        Preferences stay on the machine once applied, even if the policy is removed
        We use this to verify the folders for folder redirection are present, map an alternative home drive, and set a registry key to disable printing balloon popups
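The roaming-profile note (set the appropriate security on each user's folder) and the two folder-redirection notes (folders had to be pre-created on the Sun file server; preferences are used to verify they are present) come down to the same preparation step. As an added example that is not part of the slides, this pre-creates one user's redirected folders on the share with an ACL limited to that user, the lab admins and SYSTEM, and reports which folders are still missing. \\labfs\redir, PURDUE\Lab-Admins and PURDUE\bmadsen are placeholder names.

```powershell
# Added example (not from the slides). Placeholder names: \\labfs\redir is the
# redirection share, PURDUE\Lab-Admins the admin group that keeps access.
$Share    = '\\labfs\redir'
$AdminGrp = 'PURDUE\Lab-Admins'
$Folders  = 'AppData','Contacts','Desktop','Documents','Downloads','Favorites',
            'Links','Music','Pictures','Start Menu','Videos'

# Per-user root: <share>\<samAccountName>, mirroring %USERNAME% in the profile path
function Get-UserRoot([string]$User) {
    Join-Path $Share (($User -split '\\')[-1])
}

# Folders from the redirection list that do not exist yet for this user
function Test-RedirectedFolders([string]$User) {
    $root = Get-UserRoot $User
    @($Folders | Where-Object { -not (Test-Path (Join-Path $root $_)) })
}

function Initialize-RedirectedFolders {
    param([Parameter(Mandatory)][string]$User)   # DOMAIN\user
    $root = Get-UserRoot $User
    if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }

    # Break inheritance from the share root and grant only the user, the admin
    # group and SYSTEM; no other lab user can read this user's redirected data.
    $acl = Get-Acl -Path $root
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($principal in @($User, $AdminGrp, 'NT AUTHORITY\SYSTEM')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
            $principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $root -AclObject $acl

    # Create whatever the redirection policy expects and was not there yet
    $missing = Test-RedirectedFolders $User
    foreach ($f in $missing) {
        New-Item -ItemType Directory -Path (Join-Path $root $f) | Out-Null
    }
    [pscustomobject]@{ User = $User; Root = $root; Created = $missing
                       StillMissing = Test-RedirectedFolders $User }
}

Initialize-RedirectedFolders -User 'PURDUE\bmadsen' | Format-List
```

Test-RedirectedFolders on its own is the check the preferences slide describes: an empty result means every redirected folder already exists for that user.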