Managing Win7 with Group Policy

Bret Madsen
Purdue University
System Administrator

Approx. 2300 computers
Over 120 lab locations and 300 Teaching lecterns
Over 300 application packages
Updates to machines nightly
Logout to login time under 5 minutes
Revert any changes between users (Deep Freeze)
Space for user data and customizations
Unique identifiable logins for tracking purposes

Computer Configuration

Policies
 Windows Settings
 Security Settings/System Services
 [Remote Registry] = startup mode: automatic
 Note: by default the service is disabled

Computer Configuration

Policies
 Windows Settings
 Security Settings/Local Policies/User Rights Assignment
 [Allow Log on through Terminal Services] = group
 [Allow log on locally] = group
 Security Settings/Local Policies/Restricted Groups
 [BUILTIN\Remote Desktop Users] = group
 Administrative Templates
 Windows Components/Remote Desktop Services/Remote
Desktop Session Host/Connections
 [Allow users to connect remotely using Remote Desktop
Services] = enabled
 Windows Components/Windows Installer
 [Allow admin to install from Remote Desktop Services
session] = enabled

Computer Configuration

Policies
 Administrative Templates
 Windows Components/Windows Remote
Management/WinRM Service
 [Allow automatic configuration of listeners] =
management IP addresses
 Windows Components/Windows Remote Shell
 [Allow Remote Shell Access] = enabled

[Allow automatic configuration of listeners]
= management IP addresses


If you enable this policy setting, the WinRM
service automatically listens on the network for
requests on the HTTP transport over the default
HTTP port.
If you disable or do not configure this policy
setting, then the WinRM service does not
automatically listen on the network and you
must manually create listeners on every
computer.
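One check worth running on a lab machine after this policy applies: the listener filter is matched against the computer's own addresses, so it decides which local addresses get an HTTP listener; it is not an allow-list of management clients, and a filter of `*` binds every address. The script below is an added example (not from the deck) that reads the registry values the policy writes, compares the IPv4 filter with the range you expect, and then lists the listeners the service really has. Assumed: the WinRM ADMX registry path and value names AllowAutoConfig, IPv4Filter and IPv6Filter; the management range is a constructed placeholder.

```powershell
# Added example, not from the slide deck: audit the WinRM listener policy on the
# local host and show what the service is really bound to.
# Assumed: policy stored under the WinRM ADMX registry path below with the value
# names AllowAutoConfig, IPv4Filter and IPv6Filter.
# $expectedIPv4Filter is a constructed placeholder for the management range.

$policyKey          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$expectedIPv4Filter = '192.0.2.10-192.0.2.20'   # constructed placeholder

function Get-WinRmListenerPolicy {
    if (-not (Test-Path $policyKey)) {
        return New-Object PSObject -Property @{
            Configured = $false; AllowAutoConfig = $null; IPv4Filter = $null; IPv6Filter = $null }
    }
    $p = Get-ItemProperty -Path $policyKey
    New-Object PSObject -Property @{
        Configured      = $true
        AllowAutoConfig = $p.AllowAutoConfig   # 1 when the policy is enabled
        IPv4Filter      = $p.IPv4Filter        # '*' or ranges such as 10.0.0.1-10.0.0.20
        IPv6Filter      = $p.IPv6Filter
    }
}

function Test-WinRmListenerPolicy {
    param($Policy, [string]$ExpectedIPv4Filter)
    if (-not $Policy.Configured) {
        return @('Policy key absent: no automatic listener; each host needs a manually created one.')
    }
    $findings = @()
    if ($Policy.AllowAutoConfig -ne 1) {
        $findings += 'AllowAutoConfig is not 1: automatic listener configuration is off.'
    }
    # The filter is matched against the computer's OWN addresses: it picks which
    # local addresses get a listener and is not an allow-list of client hosts.
    # '*' binds every local address; client reachability then rests on the firewall.
    if ($Policy.IPv4Filter -eq '*') { $findings += 'IPv4Filter is "*": listener bound on all IPv4 addresses.' }
    if ($Policy.IPv6Filter -eq '*') { $findings += 'IPv6Filter is "*": listener bound on all IPv6 addresses.' }
    if ($ExpectedIPv4Filter -and ($Policy.IPv4Filter -ne $ExpectedIPv4Filter)) {
        $findings += "IPv4Filter is '$($Policy.IPv4Filter)'; expected '$ExpectedIPv4Filter'."
    }
    return $findings
}

$policy = Get-WinRmListenerPolicy
$policy | Format-List Configured, AllowAutoConfig, IPv4Filter, IPv6Filter
$findings = @(Test-WinRmListenerPolicy -Policy $policy -ExpectedIPv4Filter $expectedIPv4Filter)
if ($findings.Count -eq 0) { 'Listener policy matches expectations.' } else { $findings }

# Effective state, independent of policy (requires the WinRM service to be running).
& winrm enumerate winrm/config/listener
```

Pair this with the inbound firewall rule that limits WinRM (TCP 5985) to the sys admin management machines, the same way the deck scopes RDP; the listener filter alone does not restrict who may connect.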

Computer Configuration

Policies
 Administrative Templates
 Windows Components/Windows Update
 [Allow non-administrators to receive update
notifications] = disabled
 [Do not adjust default option to ‘Install Updates and
Shut Down’ in Shut Down Windows dialog box] =
enabled
 [Do not display ‘Install Updates and Shut Down’
option in Shut Down Windows dialog box] = enabled
 [Specify intranet Microsoft update service location] =
intranet server

Computer Configuration

Policies
 Windows Settings
 Security Settings/Local Policies/Security Options/Devices
 [Allowed to format and eject removable media] = group
 Administrative Templates
 System/Device Installation
 [Do not send a Windows error report when a generic driver is
installed on a device] = enabled
 [Prevent Windows from sending an error report when a device
driver requests additional software during installation] = enabled
 System/Device Installation/Device Installation Restrictions
 [Allow installation of devices that match any of these device IDs] = *
 [Allow installation of devices using drivers for these device classes] = *
 [Prevent installation of removable devices] = disabled
 System/Driver Installation
 [Allow non-administrators to install drivers for these device setup
classes] = enabled

[Allow installation of devices that match any of these device
IDs] = *


[Allow installation of devices using drivers for these device
classes] = *


If you enable this policy setting, Windows is allowed to install or
update any device whose Plug and Play hardware ID or compatible
ID appears in the list you create, unless another policy setting
specifically prevents that installation.

If you enable this policy setting, Windows is allowed to install or
update device drivers whose device setup class GUIDs appear in the
list you create, unless another policy setting specifically prevents
installation.
[Allow non-administrators to install drivers for these device
setup classes] = *

If you enable this setting, members of the Users group may install
new drivers for the specified device setup classes. The drivers must
be signed according to Windows Driver Signing Policy, or be signed
by publishers already in the TrustedPublisher store.
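The practitioner's caveat with these three settings is that the Allow lists only matter when some Prevent policy is also in force (Allow overrides Prevent), and a `*` entry such as the deck uses is meant to match everything, so any Prevent setting on the same host stops biting. The script below is an added example (not from the deck) that reads the Device Installation Restrictions and non-admin driver installation policies and reports exactly what they permit. Assumed: the registry paths and value names written by the DeviceInstallation and DeviceSetup ADMX files, and that list entries are stored as values named 1, 2, 3 ... under a subkey.

```powershell
# Added example, not from the slide deck: report what the Device Installation
# Restrictions and non-admin driver installation policies actually permit.
# Assumed: registry paths/value names as written by the DeviceInstallation and
# DeviceSetup ADMX files; list entries stored as values named 1, 2, 3 ...

$restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$driverPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverInstall\Restrictions'

function Get-PolicyList {
    # A policy list is a subkey whose values are named 1, 2, 3 ... (assumed layout)
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' } |
        Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) })
}

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
}

function Test-DeviceInstallPolicy {
    $allowIds      = Get-PolicyList "$restrictions\AllowDeviceIDs"
    $allowClasses  = Get-PolicyList "$restrictions\AllowDeviceClasses"
    $denyIds       = Get-PolicyList "$restrictions\DenyDeviceIDs"
    $denyClasses   = Get-PolicyList "$restrictions\DenyDeviceClasses"
    $userClasses   = Get-PolicyList "$driverPolicy\AllowUserDeviceClasses"
    $denyRemovable = Get-PolicyDword $restrictions 'DenyRemovableDevices'
    $denyUnspec    = Get-PolicyDword $restrictions 'DenyUnspecified'

    $findings = @()
    $anyDeny = ($denyRemovable -eq 1) -or ($denyUnspec -eq 1) -or
               ($denyIds.Count -gt 0) -or ($denyClasses.Count -gt 0)
    if (-not $anyDeny) {
        $findings += 'No Prevent policy is set, so the Allow lists change nothing: every device installs anyway.'
    }
    # Allow lists override Prevent lists. A "*" entry, as used on the slide, is meant
    # to match everything, which makes any Prevent policy on this host ineffective.
    if ($allowIds -contains '*')     { $findings += 'AllowDeviceIDs contains "*".' }
    if ($allowClasses -contains '*') { $findings += 'AllowDeviceClasses contains "*".' }
    if ($userClasses -contains '*')  { $findings += 'Non-admins may install drivers for every setup class; only the signature requirement remains.' }
    if ($denyRemovable -ne 1)        { $findings += 'Removable devices are not prevented (DenyRemovableDevices is not 1).' }

    New-Object PSObject -Property @{
        AllowedDeviceIDs      = $allowIds
        AllowedSetupClasses   = $allowClasses
        DeniedDeviceIDs       = $denyIds
        DeniedSetupClasses    = $denyClasses
        NonAdminDriverClasses = $userClasses
        RemovableDenied       = ($denyRemovable -eq 1)
        UnspecifiedDenied     = ($denyUnspec -eq 1)
        Findings              = $findings
    }
}

Test-DeviceInstallPolicy | Format-List
```

Run it on one lab machine after `gpupdate /force` to confirm that the wildcard really is the only thing the policy expresses; if you ever add a Prevent list (for example for removable storage), the Findings field tells you immediately that the `*` Allow entries would override it.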

User Configuration

Policies
 Administrative Templates
 System/Driver Installation
 [Code signing for device drivers] = When Windows
detects a driver file without a digital signature:
ignore

Computer Configuration

Policies
 Windows Settings
 Security Settings/Local Policies/Security Options/Interactive
Logon
 [Do not display last user name] = enabled
 [Do not require CTRL+ALT+DEL] = disabled
 [Number of previous logons to cache] = 0 logons
 Administrative Templates
 System/Logon
 [Always use custom logon background] = enabled (stored at
%systemRoot%\System32\oobe\info\backgrounds\backgrounddefault.jpg)
 [Assign a default domain for logon] = name of domain
 [Hide entry points for Fast User Switching] = enabled
 [Turn off Windows Startup Sound] = enabled

Computer Configuration

Policies
 Windows Settings
 Security Settings/Local Policies/Security Options/User
Account Control
 [Detect application installations and prompt for
elevation] = disabled

Computer Configuration

Policies
 Windows Settings
 Security Settings/Windows Firewall with Advanced
Security
 Domain (Private and Public also) Profile Settings
 Inbound Rules
 RDP
 Sys Admin management machines

Domain (Private and Public also) Profile Settings

Domain
 Applies when a computer is connected to a network that contains an
Active Directory domain controller in which the computer's domain account
resides.

Private
 Applies when a computer is connected to a network in which the computer's
domain account does not reside, such as a home network. The private profile
settings should be more restrictive than the domain profile settings. A network
is assigned the private type by a local administrator.

Public
 Applies when a computer is connected to a domain through a public network,
such as one available in airports and coffee shops. The public profile settings
should be the most restrictive because the computer is connected to a public
network where the security cannot be as tightly controlled as it is in an IT
environment. By default, newly discovered networks are assigned the public
type.

Computers running Windows Server 2008 and Windows Vista support only a
single profile at a time. If the computer is connected to more than one
network, the most restrictive profile is applied to all network adapters.
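The inbound RDP rule scoped to the sys admin management machines, as an added example (not from the deck) written for a single Windows 7 host with netsh so it can be tested before the same rule goes into the GPO. It also checks that the built-in "Remote Desktop (TCP-In)" rule, which accepts RDP from any address, is not enabled alongside it, because Windows Firewall allow rules are additive and a permissive rule cancels the scope of a strict one. The management host addresses are constructed placeholders, and the `Enabled:` match assumes English netsh output.

```powershell
# Added example, not from the slide deck: the scoped RDP rule from the slide,
# created on one host with netsh for testing, plus a check that the built-in
# any-source RDP rule is not also enabled. Management addresses are placeholders.

$managementHosts = '192.0.2.10,192.0.2.11'             # constructed placeholders
$ruleName        = 'RDP from sysadmin management hosts'

function Set-ScopedRdpRule {
    param([string]$Name, [string]$RemoteIps)
    # Delete first so re-running the script does not stack duplicate rules.
    & netsh advfirewall firewall delete rule name="$Name" | Out-Null
    # Inbound TCP/3389 only from the listed sources, in every profile so the
    # restriction holds even if the adapter is classified as Private or Public.
    & netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=TCP localport=3389 remoteip=$RemoteIps profile=domain,private,public
}

function Test-BuiltinRdpRuleEnabled {
    # "Remote Desktop (TCP-In)" admits RDP from any address. Enabled next to the
    # scoped rule, it makes the scope meaningless. Assumes English netsh output.
    $out = & netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)" 2>$null
    return (@($out | Where-Object { $_ -match '^Enabled:\s+Yes' }).Count -gt 0)
}

Set-ScopedRdpRule -Name $ruleName -RemoteIps $managementHosts
& netsh advfirewall firewall show rule name="$ruleName"
if (Test-BuiltinRdpRuleEnabled) {
    'WARNING: built-in "Remote Desktop (TCP-In)" is enabled and admits RDP from any source.'
}
```

Once the rule is deployed through Group Policy, the same `show rule` command on a lab machine confirms the merged result, and the warning check is the one to keep in a periodic audit.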

Computer Configuration

Policies
 Windows Settings
 Security Settings/Local Policies/Security
Options/Devices
 [Prevent users from installing print drivers] = disabled
 Administrative Templates
 Printers
 [Execute print drivers in isolated processes] =
enabled
 [Override print driver execution compatibility setting
reported by print driver] = disabled
 [Point and Print Restrictions] = disabled

[Execute print drivers in isolated processes] = enabled




[Override print driver execution compatibility setting reported by print driver] =
disabled


This policy setting determines whether the print spooler will execute print drivers in an
isolated or separate process. When print drivers are loaded in an isolated process (or
isolated processes), a print driver failure will not cause the print spooler service to fail.
If you enable or do not configure this policy setting, the print spooler will execute print
drivers in an isolated process by default. If you disable this policy setting, the print
spooler will execute print drivers in the print spooler process.
This policy setting applies only to print drivers loaded by the print spooler. Print drivers
loaded by applications are not affected.

This policy setting determines whether the print spooler will override the Driver Isolation
compatibility reported by the print driver. This enables executing print drivers in an
isolated process, even if the driver does not report compatibility.
[Point and Print Restrictions] = disabled



This policy setting controls the client Point and Print behavior, including the security
prompts for Windows Vista computers. The policy setting applies only to non-Print
Administrator clients, and only to computers that are members of a domain.
Windows Vista computers will not show a warning or an elevated command prompt when
users create a printer connection to any server using Point and Print.
Windows Vista computers will not show a warning or an elevated command prompt when
an existing printer connection driver needs to be updated.
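Taken together, [Prevent users from installing print drivers] = disabled and [Point and Print Restrictions] = disabled mean a non-admin user can connect to any print server and have its driver installed with no warning or elevation prompt; that is the trade the deck makes for lab convenience. The script below is an added example (not from the deck) that reports the Point and Print and driver installation state of a host in those terms. Assumed: the PointAndPrint registry key and value names written by the Printing ADMX (Restricted, NoWarningNoElevationOnInstall, UpdatePromptSettings, TrustedServers, ServerList) and the AddPrinterDrivers value written by the Security Options template.

```powershell
# Added example, not from the slide deck: report what the Point and Print and
# print-driver installation settings on this host allow a non-admin user to do.
# Assumed: registry locations/value names as written by the Printing ADMX
# (PointAndPrint key) and the Security Options template (AddPrinterDrivers).

$pnpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name }
}

function Get-PointAndPrintState {
    $restricted    = Get-RegValue $pnpKey 'Restricted'                     # 1 = enabled, 0 = disabled
    $installPrompt = Get-RegValue $pnpKey 'NoWarningNoElevationOnInstall'  # 1 = no warning/elevation on new connection
    $updatePrompt  = Get-RegValue $pnpKey 'UpdatePromptSettings'           # 2 = no warning/elevation on driver update
    $trustedOnly   = Get-RegValue $pnpKey 'TrustedServers'                 # 1 = only servers in ServerList
    $serverList    = Get-RegValue $pnpKey 'ServerList'
    $addDrivers    = Get-RegValue $lanmanKey 'AddPrinterDrivers'           # 1 = "Prevent users from installing print drivers"

    $findings = @()
    if ($restricted -eq 0) {
        # The state the slide configures.
        $findings += 'Point and Print Restrictions disabled: non-admins connect to any print server with no warning or elevation prompt.'
    } elseif ($restricted -eq 1) {
        if ($trustedOnly -ne 1)   { $findings += 'Enabled, but not limited to a server list: any server is acceptable.' }
        if ($installPrompt -eq 1) { $findings += 'Enabled, but new connections install drivers without warning or elevation.' }
        if ($updatePrompt -eq 2)  { $findings += 'Enabled, but driver updates install without warning or elevation.' }
    } else {
        $findings += 'Not configured: Windows default Point and Print behaviour applies.'
    }
    if ($addDrivers -ne 1) {
        $findings += 'Users may install print drivers (AddPrinterDrivers is not 1).'
    }

    New-Object PSObject -Property @{
        PointAndPrintRestricted  = $restricted
        TrustedServersOnly       = $trustedOnly
        ServerList               = $serverList
        InstallPromptSetting     = $installPrompt
        UpdatePromptSetting      = $updatePrompt
        PreventUserDriverInstall = ($addDrivers -eq 1)
        Findings                 = $findings
    }
}

Get-PointAndPrintState | Format-List
```

Where the lab machines only ever print to a known set of campus servers, the same policy can be enabled with TrustedServers and a ServerList instead of disabled outright; the users still get prompt-free installs from those servers, and the Findings field above goes quiet.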

Computer Configuration

Policies
 Administrative Templates
 System/Folder Redirection
 [Use localized subfolder names when redirecting Start
Menu and My Documents] = enabled
 System/User Profiles
 [Do not check for user ownership of Roaming Profile
Folders] = enabled
 [Set roaming profile path for all users logging onto
this computer] = path without .v2 (appended
automatically)

[Use localized subfolder names when redirecting Start Menu and My Documents]
= enabled



[Do not check for user ownership of Roaming Profile Folders] = enabled



This policy setting allows the administrator to define whether Folder Redirection should
use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos
subfolders when redirecting the parent Start Menu and legacy My Documents folder
respectively.
Note: This policy is valid only on Windows Vista and Windows 7 when it processes a
legacy redirection policy already deployed for these folders in your existing localized
environment.

If you enable this setting, Windows will not check the permissions for the folder in the
case where the folder exists.
If you disable or do not configure this setting AND the roaming profile folder exists AND
the user or administrators group are not the owner of the folder, Windows will NOT copy
files to or from the roaming folder. The user will be shown an error message and an
entry will be written to the event log. The user’s cached profile will be used, or a
temporary profile issued if no cached profile exists.
[Set roaming profile path for all users logging onto this computer] = path
without .v2 (appended automatically)

To use this setting, type the path to the network share in the form
\\Computername\Sharename\. It is recommended to add %USERNAME% to the path to
give each user an individual profile folder. If not specified, all users logging onto this
computer will use the same roaming profile folder as specified by this policy. You need
to ensure that you have set the appropriate security on the folder to allow all users to
access the profile.

User Configuration

Policies
 Windows Settings/Folder Redirection
 [AppData], [Contacts], [Desktop], [Documents],
[Downloads], [Favorites], [Links], [Music], [Pictures],
[Start Menu], [Videos]

Notes:
New ability to target different groups within one
policy
 If using a non-Windows file share, there may be
issues. We use a Sun file server, and if the folders
weren’t pre-created the redirect would not work.

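The roaming profile text above asks you to "set the appropriate security on the folder", and the redirection note says the folders had to exist before redirection would work on the Sun share. The script below is an added example (not from the deck) that does both in one pass: it pre-creates each user's folder tree on the share and applies a least-privilege ACL (the user, SYSTEM and Administrators only, inheritance from the share root cut) with the user set as owner, which is the ownership the profile check looks for. The share path, domain and user names are constructed placeholders.

```powershell
# Added example, not from the slide deck: pre-create each user's profile /
# redirected-folder tree on the share with a least-privilege ACL and the user as
# owner, before first logon. Share path, domain and user names are placeholders.

$shareRoot  = '\\fileserver\profiles$'   # constructed placeholder
$domain     = 'EXAMPLE'                  # constructed placeholder
$users      = @('alice', 'bob')          # constructed placeholders
$subFolders = @('Desktop', 'Documents', 'Downloads', 'Favorites', 'Music', 'Pictures', 'Videos')

function New-UserFolderAcl {
    param([string]$Account)
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    # Break inheritance so rights granted on the share root do not flow into user folders.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($id in @($Account, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Owner = the user, which is what the roaming profile ownership check accepts.
    # Assigning another principal as owner needs SeRestorePrivilege (an elevated admin has it).
    $acl.SetOwner((New-Object System.Security.Principal.NTAccount($Account)))
    return $acl
}

function New-RedirectedUserFolders {
    param([string]$Root, [string]$Domain, [string[]]$UserNames, [string[]]$SubFolders)
    foreach ($u in $UserNames) {
        $account  = "$Domain\$u"
        $userRoot = Join-Path $Root $u
        foreach ($path in @($userRoot) + ($SubFolders | ForEach-Object { Join-Path $userRoot $_ })) {
            if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
        }
        # Apply the ACL at the user root; the inherit flags carry it to the subfolders.
        Set-Acl -Path $userRoot -AclObject (New-UserFolderAcl -Account $account)
        New-Object PSObject -Property @{ User = $account; Path = $userRoot }
    }
}

New-RedirectedUserFolders -Root $shareRoot -Domain $domain -UserNames $users -SubFolders $subFolders |
    Format-Table -AutoSize
```

Because each folder ends up owned by its user, this approach also works with [Do not check for user ownership of Roaming Profile Folders] left disabled, if you would rather keep that check; the deck enables it, which is the other way to make pre-created folders acceptable. On a non-Windows server the owner and ACL semantics depend on its CIFS implementation, so verify the result with Get-Acl on one folder before rolling out.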

Computer Configuration

Policies
 Administrative Templates
 Windows Components/Internet Explorer
 [Disable changing proxy settings] = enabled
 [Disable Periodic Check for Internet Explorer software
updates] = enabled
 [Pop-up allow list] = list of sites (such as WebCT)
 [Prevent participation in the Customer Experience
Improvement Program] = enabled
 [Prevent performance of First Run Customize settings] =
enabled
 [Customize settings] = Go directly to home page
 Windows Components/Internet Explorer/Compatibility View
 [Use Policy List of Internet Explorer 7 sites] = list of sites
(such as WebCT)

User Configuration

Policies
 Administrative Templates
 Windows Components/Internet Explorer
 [Pop-up allow list] = list of sites (such as WebCT)
 [Prevent participation in the Customer Experience
Improvement Program] = enabled
 [Prevent performance of First Run Customize
settings] = enabled
 [Customize settings] = Go directly to home page

Computer Configuration

Policies
 Windows Settings
 Security Settings/Local Policies/Security
Options/Shutdown
 [Clear virtual memory pagefile] = disabled
 Administrative Templates
 System/Disk NV Cache
 [Turn Off Boot and Resume Optimizations] = enabled
 System/System Restore
 [Turn off Configuration] = enabled
 [Turn off System Restore] = enabled

[Clear virtual memory pagefile] = disabled


Virtual memory support uses a system pagefile to swap pages of
memory to disk when they are not used. On a running system, this
pagefile is opened exclusively by the operating system, and it is
well protected. However, systems that are configured to allow
booting to other operating systems might have to make sure that
the system pagefile is wiped clean when this system shuts down.
This ensures that sensitive information from process memory that
might go into the pagefile is not available to an unauthorized user
who manages to directly access the pagefile.
[Turn Off Boot and Resume Optimizations] = enabled

If you enable this policy setting, the system does not use the nonvolatile (NV) cache to optimize boot and resume. If you disable this
policy setting, the system uses the NV cache to achieve faster boot
and resume. The system determines the data that will be stored in
the NV cache to optimize boot and resume. The required data is
stored in the NV cache during shutdown and hibernate respectively.
This might cause a slight increase in the time taken for shutdown
and hibernate.

User Configuration

Policies
 Windows Settings/Scripts
 [Logoff] = c:\windows\system32\shutdown.exe -r -t 00

Computer Configuration

Policies
 Windows Settings
 Security Settings/Event Log
 [Retention method for application log] = as needed
 [Retention method for security log] = as needed
 [Retention method for system log] = as needed
 Administrative Templates
 Windows Components/Event Log Service
 Application (Security, Setup, and System also)
 [Log File Path] = drive location
 [Backup log automatically when full] = enabled
 [Retain old events] = enabled
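Two things are easy to get wrong with this slide's log settings: [Backup log automatically when full] only takes effect when [Retain old events] is also enabled, and a custom [Log File Path] moves the Security log to a directory whose ACL you now own. The script below is an added example (not from the deck) that compares the Event Log Service policy on a host with the live log configuration and lists any principal beyond SYSTEM, Administrators and the EventLog service that can reach the log directory. Assumed: the policy values File, AutoBackupLogFiles, Retention and MaxSize under the registry path shown, with the names the Event Log Service ADMX writes; Get-WinEvent is available in the PowerShell that ships with Windows 7.

```powershell
# Added example, not from the slide deck: compare Event Log Service policy with
# the live log configuration and check who can access the log directory.
# Assumed: policy values File, AutoBackupLogFiles, Retention, MaxSize under the
# path below (names as written by the Event Log Service ADMX).

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog'
$logNames   = @('Application', 'Security', 'Setup', 'System')
# Principals expected on log files; anything else is reported.
$expectedReaders = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\EventLog')

function Get-EventLogState {
    foreach ($name in $logNames) {
        $key  = Join-Path $policyRoot $name
        $pol  = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        $live = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        $liveFile = if ($live) { [Environment]::ExpandEnvironmentVariables($live.LogFilePath) }

        $findings = @()
        if ($pol -and ($pol.AutoBackupLogFiles -eq 1) -and ($pol.Retention -ne 1)) {
            # Documented dependency: backup-when-full does nothing unless old events are retained.
            $findings += 'AutoBackupLogFiles set without Retention=1: the backup setting has no effect.'
        }
        if ($live -and ($live.LogMode -eq 'Circular')) {
            $findings += 'Live LogMode is Circular: oldest events are overwritten, not archived.'
        }
        if ($liveFile -and (Test-Path $liveFile)) {
            $dir   = Split-Path -Parent $liveFile
            $extra = (Get-Acl -Path $dir).Access |
                Where-Object { $expectedReaders -notcontains $_.IdentityReference.Value } |
                ForEach-Object { $_.IdentityReference.Value }
            if ($extra) { $findings += "Log directory also grants access to: $($extra -join ', ')" }
        }

        New-Object PSObject -Property @{
            Log          = $name
            PolicyFile   = if ($pol) { $pol.File }
            PolicyBackup = if ($pol) { $pol.AutoBackupLogFiles }
            PolicyRetain = if ($pol) { $pol.Retention }
            LiveFile     = $liveFile
            LiveMaxMB    = if ($live) { [math]::Round($live.MaximumSizeInBytes / 1MB, 1) }
            LiveMode     = if ($live) { $live.LogMode }
            Findings     = $findings
        }
    }
}

Get-EventLogState | Format-List
```

If the relocated drive is also where Deep Freeze keeps thawed space or user data, the ACL check is the line to watch: the Security log and its archived copies should never be readable by the lab accounts that sit down at the machine.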

Computer Configuration

Preferences
 Windows Settings
 Environment Variables
 Files
 Folders
 Ini Files
 Registry
 Network Shares
 Shortcuts

Note: preferences stay on the machine
once applied even if policy is removed

User Configuration

Preferences
 Windows Settings
 [Drive Maps], [Environment], [Files], [Folders], [Ini
Files], [Registry], [Shortcuts]

Notes:


Preferences stay on the machine once applied
even if policy is removed
We use this to verify the folders for folder
redirection are present, map an alternative
home drive, and set a registry key to disable
printing balloon popups