Agenda Why use GPOs? Policy Basics Policies Vs Preferences Desktop Configurations ADMs and ADMX/ADMLs Tools you can use as venture into GPOs
Why do we hack the registry Tune the OS Set defaults Hide things from users Others… But is a hack a policy? Policies can be used for more than just registry changes
Why use GPOs and Not Reg hacks??? Documentation…. How do to remove this spoiler? Without opening the trunk?
What do GPOs TYPICALLY get used for? Windows Settings like folder redirection Hiding icons and Windows options Configuring browser settings Setting permissions? Sometimes Configuring Office or other app settings… Adding Users.. Occasionally.
Policy Templates Traditionally known as Policy ADMs (ADMX now) Set the options you see in the GPOs Often created by the App vendors or industrious System Engineers
ADM files are TXT files CLASS xxx - User or Machine CATEGORY xxx - Major heading. “Windows Update” KEYNAME xxx “SoftwareMicrosoftOffice12.0Oulook” Policy xxx - name of Policy shown in GPO editor VALUENAME xxx - Registry entry we are changing END POLICY END CATEGORY
Building your own? Start with ADM files if you haven’t already. Then convert them w/ the ADM to ADMX converter The hardest part is not building the text file…. Its finding the registry keys
Ron’s rules for Policies Vs Preferences… When to use a policy Something that the usermay have access to but I don’t want them to change IE security, connectivity, or application settings When to use a preference When I set a default setting that they may change IE default start page or default short cuts on the desktop When I want to change a registry setting that they do not have a GUI to change Default user screen saver, machine settings like NTFS last access time stamp, etc.
Policy Preference Options Create Create the object (reg entry, drive mapping, etc, etc) Will do nothing if the entry/object already exists Replace Delete existing setting (if exist) and create a new object Update Modification of an existing object Will create if it does not exist Delete
Preference WARNINGS These are like defaults NOT Policies…. These can tattoo the machine Newer policies do not tattoo. That was a benefit of getting away from some of the old school NT type policies Registry changes made via Preferences can leave a tattoo after removal of policy UNLESS you counter/remove the VM from having the policy apply. Other changes (Directories, User/group modifications or additions) also stick Preferences are basically like your image “HACK” but with management….
Windows 7 Services Examples Desktop Window Manager Session manager Disk Defragmenter Diagnostic Policy Services IP helper (if no IPv6) Security Center Superfetch Themes Service (classic interface) Windows Defender Windows Search Windows Update http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf
Where to start? GPAnswers.com http://www.gpanswers.com/resources/gp-tips-and-tricks.html PolicyPak.com http://policypak.com/ Off 2007 Policy Templates http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en Off 2010 Policy Templates http://www.microsoft.com/downloads/en/details.aspx?FamilyID=64B837B6-0AA0-4C07-BC34-BEC3990A7956&displaylang=en Using GPOs to Customize XenApp http://support.citrix.com/proddocs/index.jsp?topic=/online-plugin-110-windows/ica-import-icaclient-template-v2.html IE 9 Preferences not working? http://blogs.technet.com/b/asiasupp/archive/2011/03/30/internet-explorer-9-ie9-group-policy-preferences-gpp.aspx XenApp Blog’s XenApp and XenDesktop Policies http://www.xenappblog.com/downloads/
ADM/Xs and Policy references? Microsoft ADM to AMDX migrator? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0F1EEC3D-10C4-4B5F-9625-97C2F731090C Group Policy Settings References from MS? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb Group Policy ADMX Syntax Guide: http://technet.microsoft.com/en-us/library/cc753471(WS.10).aspx Group Policy Survival Guide http://technet.microsoft.com/en-us/library/cc754151(WS.10).aspx Managing with ADMX files http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx
Q&AOpen Discussion Ron Oglesby ron.unidesk.com Twitter: @ronoglesby