Using GPOs to Configure and Tune Desktops


Ron Oglesby's presentation from Briforum Chicago 2011 on "Using GPOs to Configure and Tune Desktops"


  1. Using GPOs to Configure and Tune Desktops
     Living without Registry ‘Hacks’
     Ron Oglesby @RonOglesby
     NOT A UNIDESK COMMERCIAL
  2. Gabe asked about golf carts
     Copyright © 2010 Unidesk Corporation. All Rights Reserved. www.unidesk.com
  3. Agenda
     Why use GPOs?
     Policy Basics
     Policies Vs Preferences
     Desktop Configurations
     ADMs and ADMX/ADMLs
     Tools you can use as you venture into GPOs
  4. Why do we hack the registry
     Tune the OS
     Set defaults
     Hide things from users
     Others…
     But is a hack a policy?
     Policies can be used for more than just registry changes
  5. Why use GPOs and Not Reg hacks???
     Documentation….
     How to remove this spoiler?
     Without opening the trunk?
  6. What do GPOs TYPICALLY get used for?
     Windows Settings like folder redirection
     Hiding icons and Windows options
     Configuring browser settings
     Setting permissions? Sometimes
     Configuring Office or other app settings…
     Adding Users.. Occasionally.
  7. Login Times and the default profile????
  8. Common tasks in tuning the VDI image?
     Add and modify local security accounts (at times)
     Disable / reconfigure Services
     Tune the local OS parameters
     File System, desktop display, TCP parameters, etc, etc
     Tune the user profile (like Menu show delay)
     Configure applications (like IE)
     Sometimes even create folders and move items like tools into the image
  9. Policy Basics
     GPO Processing and Trigger events
     GPUPDATE /FORCE
  10. Policy Basics
      Computer Config vs User Config
  11. Policy Basics
      Policy Vs Preferences…..
  12. Policy Basics
      Preferences added in Win 2008
      Allow for SIMPLE config of numerous settings
      No Templates needed!
  13. Policy Templates
      Traditionally known as Policy ADMs (ADMX now)
      Set the options you see in the GPOs
      Often created by the App vendors or industrious System Engineers
  14. ADM files are TXT files
      CLASS xxx - User or Machine
      CATEGORY xxx - Major heading. “Windows Update”
      KEYNAME xxx “Software\Microsoft\Office\12.0\Outlook”
      POLICY xxx - name of Policy shown in GPO editor
      VALUENAME xxx - Registry entry we are changing
      END POLICY
      END CATEGORY
  15.
  16. ADM file Example
      CLASS MACHINE
      CATEGORY !!Reader
        POLICY !!Checkforupdatesatstart
          KEYNAME "Software\Adobe\Acrobat Reader\9.0\AVGeneral"
          EXPLAIN !!Checkforupdatesatstart_Help
          VALUENAME "bCheckForUpdatesAtStartup"
          VALUEON NUMERIC 1
          VALUEOFF NUMERIC 0
        END POLICY
      END CATEGORY
  17. ADM vs ADMX
      ADMX are the ‘new’ ADM
      XML based
      Policies/operative section of the policy are contained in ADMX
      ADML are language specific files
      Not stored in individual policies, can be stored in 1 central location in enterprise environments
      Will (by default) supersede existing ADM files (Inetres.adm, system.adm, etc) or can be created to supersede an existing ADM
  18. ADMX file sample comparison
      <categories>
        <category name="Reader" displayName="$(string.Reader)" />
      </categories>
      <policies>
        <policy name="Checkforupdatesatstart" class="Machine" displayName="$(string.Checkforupdatesatstart)" explainText="$(string.Checkforupdatesatstart_Help)" presentation="$(presentation.Checkforupdatesatstart)" key="Software\Adobe\Acrobat Reader\9.0\AVGeneral" valueName="bCheckForUpdatesAtStartup">
          <parentCategory ref="Reader" />
          <supportedOn ref="SUPPORTED_NotSpecified" />
          <enabledValue>
            <decimal value="1" />
          </enabledValue>
          <disabledValue>
            <decimal value="0" />
          </disabledValue>
        </policy>
      </policies>
      Group Policy Samples from Microsoft:
      http://www.microsoft.com/downloads/en/details.aspx?FamilyId=3D7975FF-1242-4C94-93D3-B3091067071A&displaylang=en
  19. ADM file Example
      CLASS MACHINE
      CATEGORY !!Reader
        POLICY !!Checkforupdatesatstart
          KEYNAME "Software\Adobe\Acrobat Reader\9.0\AVGeneral"
          EXPLAIN !!Checkforupdatesatstart_Help
          VALUENAME "bCheckForUpdatesAtStartup"
          VALUEON NUMERIC 1
          VALUEOFF NUMERIC 0
        END POLICY
      END CATEGORY
  20. Building your own?
      Start with ADM files if you haven’t already.
      Then convert them w/ the ADM to ADMX converter
      The hardest part is not building the text file….
      It’s finding the registry keys
  21. Ron’s rules for Policies Vs Preferences…
      When to use a policy
        Something that the user may have access to but I don’t want them to change
        IE security, connectivity, or application settings
      When to use a preference
        When I set a default setting that they may change
        IE default start page or default short cuts on the desktop
        When I want to change a registry setting that they do not have a GUI to change
        Default user screen saver, machine settings like NTFS last access time stamp, etc.
  22. Policy Preference Options
      Create
        Create the object (reg entry, drive mapping, etc, etc)
        Will do nothing if the entry/object already exists
      Replace
        Delete existing setting (if it exists) and create a new object
      Update
        Modification of an existing object
        Will create if it does not exist
      Delete
  23. Preference Common Settings
  24. Preference WARNINGS
      These are like defaults NOT Policies….
      These can tattoo the machine
      Newer policies do not tattoo.
      That was a benefit of getting away from some of the old school NT type policies
      Registry changes made via Preferences can leave a tattoo after removal of policy UNLESS you counter/remove the VM from having the policy apply.
      Other changes (Directories, User/group modifications or additions) also stick
      Preferences are basically like your image “HACK” but with management….
  25. So let’s look at how you can do this in a Policy
  26. Windows 7 Services Examples
      Desktop Window Manager Session manager
      Disk Defragmenter
      Diagnostic Policy Services
      IP helper (if no IPv6)
      Security Center
      Superfetch
      Themes Service (classic interface)
      Windows Defender
      Windows Search
      Windows Update
      http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf
  27. Demo
  28. Windows Settings Examples
      Recycle Bin – Do not move files to recycle bin
      Screen saver (XP disable .default screen saver, Win7 Blank)
      Disable System Restore
      UAC settings
      Windows Update disabled
      Tune the file system (last access time stamp, 8.3 file names, etc)
      Remove Tablet PC components (or disable services)
      Project VRC Phase III – www.projectvrc.nl
  29. Demo
  30. User Tuning?
      Focus on HKCU
      IE and other application settings
      Graphics/video settings
      Customer templates are out there and check out PolicyPak.com
  31. Demo
  32. Finding the Registry Entry
      GOOGLE http://lmgtfy.com/
      RegSnap/Registry Monitoring Tools
      Good old-fashioned digging and guessing!
      My Favorite: SysTracer http://www.blueproject.ro/systracer
  33. You didn’t convince me Ron!
      Windows Enabler
      http://www.bluemoonpcrepair.com/wp/?p=39
      http://www.wincert.net/tips/microsoft-windows/windows-7/2109-how-to-copy-a-user-profile-on-windows-7.html
      Pierre’s VUEM - VirtuAll User Environment Manager
      http://www.virtualdesktops.info/Products.aspx
      Login scripts, User configs, Printer configs, registry values, Port mapping, and File and folder operations.
  34. Where to start?
      GPAnswers.com http://www.gpanswers.com/resources/gp-tips-and-tricks.html
      PolicyPak.com http://policypak.com/
      Off 2007 Policy Templates
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en
      Off 2010 Policy Templates
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=64B837B6-0AA0-4C07-BC34-BEC3990A7956&displaylang=en
      Using GPOs to Customize XenApp
      http://support.citrix.com/proddocs/index.jsp?topic=/online-plugin-110-windows/ica-import-icaclient-template-v2.html
      IE 9 Preferences not working?
      http://blogs.technet.com/b/asiasupp/archive/2011/03/30/internet-explorer-9-ie9-group-policy-preferences-gpp.aspx
      XenApp Blog’s XenApp and XenDesktop Policies
      http://www.xenappblog.com/downloads/
  35. ADM/Xs and Policy references?
      Microsoft ADM to ADMX migrator?
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0F1EEC3D-10C4-4B5F-9625-97C2F731090C
      Group Policy Settings References from MS?
      http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb
      Group Policy ADMX Syntax Guide:
      http://technet.microsoft.com/en-us/library/cc753471(WS.10).aspx
      Group Policy Survival Guide
      http://technet.microsoft.com/en-us/library/cc754151(WS.10).aspx
      Managing with ADMX files
      http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx
  36. Q&A Open Discussion
      Ron Oglesby
      ron.unidesk.com
      Twitter: @ronoglesby
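
Added example (not part of the presentation): a small Python parser for the ADM layout shown on slides 14 to 19. It lists the registry value each policy writes and flags keys outside the managed policy roots (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies), the case where a template setting persists after the GPO is removed, as slide 24 describes for preferences. The sample template is constructed from the slides' Reader policy with path separators restored; the second policy and its ExampleVendor names are hypothetical.

```python
# Managed policy roots (relative to HKLM/HKCU); values elsewhere outlive the GPO.
MANAGED_ROOTS = ("software\\policies\\", "software\\microsoft\\windows\\currentversion\\policies\\")

# Constructed sample: the slides' Reader policy with path separators restored,
# plus a hypothetical policy (ExampleVendor names are made up) for contrast.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Reader
  POLICY !!Checkforupdatesatstart
    KEYNAME "Software\Adobe\Acrobat Reader\9.0\AVGeneral"
    EXPLAIN !!Checkforupdatesatstart_Help
    VALUENAME "bCheckForUpdatesAtStartup"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
  POLICY !!ExampleManaged
    KEYNAME "Software\Policies\ExampleVendor\ExampleApp"
    VALUENAME "bExampleSetting"
  END POLICY
END CATEGORY
'''

def parse_adm(text):
    """Return one dict per POLICY: class, name, key, value, tattoos."""
    policies, cls, cur, keys = [], None, None, [None]  # keys: KEYNAME per CATEGORY level
    for line in text.splitlines():
        word, _, arg = line.strip().partition(" ")
        word, arg = word.upper(), arg.strip().strip('"')
        if word == "CLASS":
            cls = arg.upper()
        elif word == "CATEGORY":
            keys.append(keys[-1])  # nested categories inherit the parent's KEYNAME
        elif word == "POLICY":
            cur = {"class": cls, "name": arg.lstrip("!"), "key": keys[-1], "value": None}
        elif word == "KEYNAME" and cur is None:
            keys[-1] = arg  # category-level key, used by policies that set none
        elif word in ("KEYNAME", "VALUENAME") and cur is not None:
            cur["key" if word == "KEYNAME" else "value"] = arg
        elif word == "END" and arg.upper() == "POLICY" and cur is not None:
            key = (cur["key"] or "").lower().rstrip("\\") + "\\"
            cur["tattoos"] = not key.startswith(MANAGED_ROOTS)
            policies.append(cur)
            cur = None
        elif word == "END" and arg.upper() == "CATEGORY" and len(keys) > 1:
            keys.pop()
    return policies

if __name__ == "__main__":
    print(*parse_adm(SAMPLE_ADM), sep="\n")
```

Policies reported with tattoos set to True need an explicit reverting setting (or a cleanup preference item) before the GPO is unlinked.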
