SlideShare a Scribd company logo

10 things group policy preferences does better

G
Gol D Roger
Technology
1 of 14
Download to read offline
10 things Group Policy Preferences can do better than your current script! By Florian Frommherz September 5th, 2008
Table of Contents Overview.................................................................................................................................................. 3 Drive Mappings ....................................................................................................................................... 3 Energy options ......................................................................................................................................... 5 Folder Options ......................................................................................................................................... 5 Internet Explorer Settings ....................................................................................................................... 5 Setting local Administrator Passwords /Administering local users and groups ...................................... 6 Regional Options ..................................................................................................................................... 7 Creating Files and Folders on client machines ........................................................................................ 8 Creating Shortcuts on Clientmachines .................................................................................................... 9 Connection Printers ............................................................................................................................... 11 Creating Scheduled Tasks ...................................................................................................................... 12 Green and red lines under my options? ................................................................................................ 13
Overview Let’s be honest: some administrative tasks are a pain in the foot as they are either difficult to implement or require heavy scripting action. Some of them even require you to import some registry export files because there aren’t Group Policy settings or ADM templates for them around. To get around these issues, we can use Group Policy Preferences with 21 new Client Side Extensions that implement a heck of functionality we were missing until now. The perquisites and requirements can be found here: http://support.microsoft.com/kb/943729. You basically need to download and install the Client Side Extensions on all target machines. Additionally, you need a management station with Server 2008 installed (member server is sufficient) or a Vista SP1 machine with RSAT installed. To be clear: there’s no need to have your AD schema extended or a 2008 DC in place. This article is (hopefully) about what Group Policy Preferences can do and how they can help you minimize overall scripting in your environment. Drive Mappings One of the things every administrator under us certainly created once in his career is drive mappings. Drive mappings help users place their documents on the same server with the same drive letter all the time. We usually map drive using scripts, like bananasimportant documents and provide special drive letters to them so people can use them like their local drives. For a batch file, we could simply use NET USE U: “bananasimportant documents” /persistent:no to map the bananas server share “important documents” to U:. That’s pretty easy we can see – but what if we wanted to filter the sharing a little bit? What if we wanted to have a couple of shares connected and mapped based on certain criteria like the user’s group membership in a AD security group or the machine’s operating system? Scripting that wouldn’t be that easy. This is where Preferences can help. Under User ConfigurationPreferencesWindows SettingsDrive Maps we can find the corresponding Preference settings. Selecting “New” from the context menu, we can add a new drive mapping. You’ll notice that the UI to administer preferences is easy to understand. It sometimes is a 100% copy of the UI in Windows – it feels like you would configure some settings on the local machine. That’s another thing why Preferences rock.
Creating a drive mapping is boring the same way it is using a script. It gets interesting as soon as we try to implement the filter criteria based on which we want the share mapped. Preferences can do this with item-level targeting. The tab “Common” has a checkbox labeled “item-level targeting” and a button you can push. That opens up a sort of formula editor we can use to create a filter. Machines that are in the scope of your Group Policy with this Preference will use that filter to evaluate whether the settings herein gets applied or not. We choose “New Item” and create a filter just like we wanted it: based on security group membership and operating system of the client.
Power options Deploying power options with Group Policy isn’t an easy thing to do. There are a few things you can do, but they’re mostly not sufficient. So is the free tool “powercfg” you can use to script the machine to default to hibernation or sleep mode (see: http://technet.microsoft.com/en- us/library/cc748940.aspx). Again, we can use Preferences that come with a very common UI we all know: Computer ConfigurationPreferencesControl Panel SettingsPower Options lets you create Power options and Power scheme preferences. Notice that some settings have a green underline – that’s a special feature of Group Policy Preferences which is described in the very last section “Green and red lines under my options?”. For now it’s just important to know that settings we want to deploy need to be underlined green. Folder Options Making hidden folders visible? Making system files visible to users? Not as easy as you might think, if you’re not going to roll out a new profile that to all users that has this configured. You certainly don’t want to roll this out with a registry import script, do you? Another one for Preferences: Computer configurationPreferencesControl Panel SettingsFolder Options gives you the chance to configure Windows XP and Windows Vista folder options with just the same UI you’d use to configure the local folder options on your machine! All settings, checkboxes and options are there. If you know the pain to deploy this, you’ll love Preferences! Internet Explorer Settings Managing Internet Explorer is a little tricky. Not only the two modes “Internet Explorer Maintenance” and “Internet Explorer Preference” are difficult to understand, the application or non-application is a chapter of its own. Thinking of the underlying architecture, IE5 and IE6 settings are still managed
with some code from the IEAK 4 engine which has come into years now. Not a really good base to build on. Group Policy Preferences can do it better: User ConfigurationControl Panel SettingsInternet Settings. Note that the colored underlining again needs to be green in order to have settings successfully applied by clients. For more on that, see the last paragraph. Setting local Administrator Passwords /Administering local users and groups There are numerous ways to edit the local administrator account and set a new password but – how good are they? One could think the easiest way to set a new password for “Administrator” is creating a computer startup script and change it using “NET USER Administrator …”. The downside here is that – with all scripting – they can be read by the Everyone principal or at least a authenticated users. Be careful with those scripts, as the password is provided in clear text there. You better use the Microsoft Script Encoder to “hide” the entire script from the user or use a tool that changes the local admin passwords from a central place by connection to each machine individually (like pspasswd: http://technet.microsoft.com/en-us/sysinternals/bb897543.aspx). Keep in mind that this requires that the machines are up and running when you run a tool like this. In our Preference case, we can use them to manage the local Administrator password. Of course the password gets saved somehow on the SYSVOL share too, but is secured by a 256bit AES encryption – so people can’t just read the clear text. That brings security in there. In Computer ConfigurationPreferencesControl Panel Settingslocal users and groups we can do that. Choosing “New” and “local User” from the context menu lets us proceed.
As shown in the picture, we can use the predefined “Administrator (built-in) to accomplish our goal. We can provide the new password and adjust the check boxes at the bottom just as we wish. Only make sure you don’t hit the “Account is disabled” checkbox or “Change password at next logon” box – as these might bit you back ;-) Remember adjusting local services that might run with “Administrator” credentials on the boxes and might fail to start if the password is changed. Regional Options Another topic that, until now always involved the creation of custom ADM templates and the creation of scripting, is “regional options”. If you missed setting the regional options settings in your images or set it wrong, you may get into trouble as different countries have different formatting- characters or different date and time formatting. User ConfigurationPreferencesControl Panel SettingsRegional Options
Look at the UI? Does it look familiar? Indeed it does! The whole UI of the “Regional Options” setting in the Control Panel got copied so that you can configure this preference setting as you would with a live machine in front of you. Keep in mind that, again, there are red/green lines under the settings. You should check the “Green and red lines under my options” section below. Creating Files and Folders on client machines User ConfigurationPreferencesWindows SettingsFiles and User ConfigurationPreferencesWindows SettingsFolder lets you create files and folders on the target machines and set the file attributes “archive”, “read only” and “hidden”. You can also use these Preferences to copy files and folders off a network share to the clients. You can also dictate that files that are already located on the target system will be replaced or deleted. You really don’t need a script for this anymore. No more copying font files and updated HOSTS files manually or using a script. No more scripting using “IF EXIST” to check whether a file already exists on a target system. You can even check with Preferences if the file in the right version and date is present on the client – remember item-level targeting!
Creating Shortcuts on client machines I hated creating shortcuts on users’ desktops. They were not easy to manage as you always had to script them. When it comes to altering a shortcut let’s say a shortcut to an intranet website that changed or an application on some app server moved. If you feel with me, the following Preference is for you: User ConfigurationPreferencesWindows SettingsShortcuts. You can create shortcuts at the following locations:
Did you notice? There really are “Quicklaunch”, “Send to” and “Explorer favorites” in the list. I welcome this as costumizing the Quick launch bar was sort of a pain since you had to toggle it on or off in the profile as it wasn’t possible in GP before. You still had to script the population of new items for the Quick Launch Bar by copying files into the appropriate folder. If you’re in a fun mood, you can also customize the icon people can see and click at the shortcut.
Connecting Printers If you deployed printers using a script or you used the pretty limited “Printer Deployment” feature in R2, you’ll surely find this a good solution: you can deploy your printers using Preferences now. They have a lot of features “Printer Deployment” lacks like central logging into the event log (built-in with preferences) and the option to set a printer as the “Default Printer”. If you’re still after the scripting solution, here’s some documentation about it: http://www.microsoft.com/windowsserver2003/techinfo/overview/printuidll.mspx. You can have shared printers, tcp/ip printers and local printers deployed. You see the “as default printer” option there? Really cool. Even there you can use item-level-targeting to filter the printer list down so that every user gets her favorite printer shared:
If you can script that in an average work day, send me an e-mail. If you can do that, you deserve deep honor and respect! Creating Scheduled Tasks That’s a classic in the newsgroups on Group Policy. Everytime the question “how can I schedule a task” comes up, I keep answering: “Create a script with at.exe or better yet schtasks.exe and create the task like that.” If you’re trying to create a task for a batch file execution, it can get a little frustrating – create a batch to create a task that executes a batch… hmm… sounds like a tough task if you look at the parameters schtasks has: http://support.microsoft.com/kb/814596 - at least it works. With preferences, we have a native way of doing that!
The tabs “Schedule” and “Properties” have other options for you to configure, like how often and when the task is scheduled to execute and whether it gets executed if the machine is on batteries. Green and red lines under my options? You surely noticed the red and green underlining in some of the UI elements in Group Policy Preference. This underlining is not a visual goodie but an indication for you as the administration whether the setting underlined is “active” and gets applied by the targets (the group policy targets, user and computer objects). Green underlining means the setting is active and will be applied by the targets. Red underlining means the setting is inactive and will therefore be ignored by the targets.
You can change the underlining and the application behind by using the function keys F5 through F8 to enable/disable the setting. F5 – activate all options F6 – activate currently selected setting F7 – disable currently selected setting F8 – disable all options This feature is currently not *that* well documented. You can however find information about this in the help files. I’m sure you’ll find an article on this very soon on TechNet or the Group Policy Team blog: http://blogs.technet.com/grouppolicy/ Note that the description above, “gets applied by the targets” is not 100% accurate. Clients don’t decide whether to apply the setting or not based on the underlining. Red underlined settings are just not exposed in the XML configuration file that the client reads while applying the settings. It’s therefore not configured at all. Conclusion For exactly $0 and a little bit of deployment work, you can have a load of new settings that you can roll out to clients – without scripting. Think about the feature Preferences already has and what powerful things you can do with item-level-targeting. Painful scripting can become passé.

Recommended

Windows tuning guide_for_vspace
Windows tuning guide_for_vspaceWindows tuning guide_for_vspace
Windows tuning guide_for_vspacekaduger
 
Readme
ReadmeReadme
ReadmeKarim MAZOUZ
 
Freshdesk integration with Capsule Crm
Freshdesk integration with Capsule CrmFreshdesk integration with Capsule Crm
Freshdesk integration with Capsule CrmFreshdesk Inc.
 
how to optimize games in windows 10
how to optimize games in windows 10how to optimize games in windows 10
how to optimize games in windows 10AmandaMandy
 
Readme cakewalk
Readme cakewalkReadme cakewalk
Readme cakewalkRoszalina Ina
 
Lexmark x1100 series
Lexmark x1100 series Lexmark x1100 series
Lexmark x1100 series Christian García
 
Windows 7 Tips Tricks Ppt Version
Windows 7 Tips Tricks Ppt VersionWindows 7 Tips Tricks Ppt Version
Windows 7 Tips Tricks Ppt Versionjohn weston
 
Jtag Help Desk manual 1.0
Jtag Help Desk manual 1.0Jtag Help Desk manual 1.0
Jtag Help Desk manual 1.0vasyaua2011
 

Recommended

Windows tuning guide_for_vspace
Windows tuning guide_for_vspaceWindows tuning guide_for_vspace
Windows tuning guide_for_vspacekaduger
 
Readme
ReadmeReadme
ReadmeKarim MAZOUZ
 
Freshdesk integration with Capsule Crm
Freshdesk integration with Capsule CrmFreshdesk integration with Capsule Crm
Freshdesk integration with Capsule CrmFreshdesk Inc.
 
how to optimize games in windows 10
how to optimize games in windows 10how to optimize games in windows 10
how to optimize games in windows 10AmandaMandy
 
Readme cakewalk
Readme cakewalkReadme cakewalk
Readme cakewalkRoszalina Ina
 
Lexmark x1100 series
Lexmark x1100 series Lexmark x1100 series
Lexmark x1100 series Christian García
 
Windows 7 Tips Tricks Ppt Version
Windows 7 Tips Tricks Ppt VersionWindows 7 Tips Tricks Ppt Version
Windows 7 Tips Tricks Ppt Versionjohn weston
 
Jtag Help Desk manual 1.0
Jtag Help Desk manual 1.0Jtag Help Desk manual 1.0
Jtag Help Desk manual 1.0vasyaua2011
 
windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2Gol D Roger
 
Sxsw interactive (1)
Sxsw interactive (1)Sxsw interactive (1)
Sxsw interactive (1)pmillegan
 
Sxsw interactive
Sxsw interactiveSxsw interactive
Sxsw interactivepmillegan
 
Ethics and professionalism in the workplace1
Ethics and professionalism in the workplace1Ethics and professionalism in the workplace1
Ethics and professionalism in the workplace1youngd1
 
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01Paquito Nabayra
 
Kabihasnanggreek 130820000903-phpapp02
Kabihasnanggreek 130820000903-phpapp02Kabihasnanggreek 130820000903-phpapp02
Kabihasnanggreek 130820000903-phpapp02Paquito Nabayra
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Gol D Roger
 
Group policy preferences
Group policy preferencesGroup policy preferences
Group policy preferencesRob Dunn
 
Using GPOs to Configure and Tune Desktops
Using GPOs to Configure and Tune DesktopsUsing GPOs to Configure and Tune Desktops
Using GPOs to Configure and Tune DesktopsUnidesk Corporation
 
Ascential DataStage Director Guide
Ascential DataStage Director GuideAscential DataStage Director Guide
Ascential DataStage Director GuideEmily Smith
 
John
JohnJohn
JohnLindsey Rivera
 
Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)Inductive Automation
 
Getting started with power map preview september refresh
Getting started with power map preview september refreshGetting started with power map preview september refresh
Getting started with power map preview september refreshMing Gu
 
Improving Your Admin Image
Improving Your Admin ImageImproving Your Admin Image
Improving Your Admin Imageelisemoss
 
Mangento
MangentoMangento
MangentoRavi Mehrotra
 
Introduction to Mangento
Introduction to Mangento Introduction to Mangento
Introduction to Mangento Ravi Mehrotra
 
Users guide
Users guideUsers guide
Users guideHorlarthunji Azeez
 
En clipboard app quick_reference_guide
En clipboard app quick_reference_guideEn clipboard app quick_reference_guide
En clipboard app quick_reference_guideshivamagarwal223
 
Computer application
Computer applicationComputer application
Computer applicationSudamRaut2
 
Synergis University 2014 - Inventor Performance Optimization
Synergis University 2014 - Inventor Performance OptimizationSynergis University 2014 - Inventor Performance Optimization
Synergis University 2014 - Inventor Performance OptimizationSynergis Engineering Design Solutions
 
Useful Group Policy Concepts
Useful Group Policy ConceptsUseful Group Policy Concepts
Useful Group Policy ConceptsRob Dunn
 
Creating templates
Creating templatesCreating templates
Creating templatesSyAM Software
 

More Related Content

Viewers also liked

windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2Gol D Roger
 
Sxsw interactive (1)
Sxsw interactive (1)Sxsw interactive (1)
Sxsw interactive (1)pmillegan
 
Sxsw interactive
Sxsw interactiveSxsw interactive
Sxsw interactivepmillegan
 
Ethics and professionalism in the workplace1
Ethics and professionalism in the workplace1Ethics and professionalism in the workplace1
Ethics and professionalism in the workplace1youngd1
 
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01Paquito Nabayra
 
Kabihasnanggreek 130820000903-phpapp02
Kabihasnanggreek 130820000903-phpapp02Kabihasnanggreek 130820000903-phpapp02
Kabihasnanggreek 130820000903-phpapp02Paquito Nabayra
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Gol D Roger
 

Viewers also liked (7)

windows server 2012 R2
windows server 2012 R2windows server 2012 R2
windows server 2012 R2
 
Sxsw interactive (1)
Sxsw interactive (1)Sxsw interactive (1)
Sxsw interactive (1)
 
Sxsw interactive
Sxsw interactiveSxsw interactive
Sxsw interactive
 
Ethics and professionalism in the workplace1
Ethics and professionalism in the workplace1Ethics and professionalism in the workplace1
Ethics and professionalism in the workplace1
 
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
Ap9 2ndquarter-kabihasnangminoanatmycenaean-130703070717-phpapp01
 
Kabihasnanggreek 130820000903-phpapp02
Kabihasnanggreek 130820000903-phpapp02Kabihasnanggreek 130820000903-phpapp02
Kabihasnanggreek 130820000903-phpapp02
 
Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...Windows logon password – get windows logon password using wdigest in memory d...
Windows logon password – get windows logon password using wdigest in memory d...
 

Similar to 10 things group policy preferences does better

Group policy preferences
Group policy preferencesGroup policy preferences
Group policy preferencesRob Dunn
 
Using GPOs to Configure and Tune Desktops
Using GPOs to Configure and Tune DesktopsUsing GPOs to Configure and Tune Desktops
Using GPOs to Configure and Tune DesktopsUnidesk Corporation
 
Ascential DataStage Director Guide
Ascential DataStage Director GuideAscential DataStage Director Guide
Ascential DataStage Director GuideEmily Smith
 
Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)Inductive Automation
 
Getting started with power map preview september refresh
Getting started with power map preview september refreshGetting started with power map preview september refresh
Getting started with power map preview september refreshMing Gu
 
Improving Your Admin Image
Improving Your Admin ImageImproving Your Admin Image
Improving Your Admin Imageelisemoss
 
Introduction to Mangento
Introduction to Mangento Introduction to Mangento
Introduction to Mangento Ravi Mehrotra
 
En clipboard app quick_reference_guide
En clipboard app quick_reference_guideEn clipboard app quick_reference_guide
En clipboard app quick_reference_guideshivamagarwal223
 
Computer application
Computer applicationComputer application
Computer applicationSudamRaut2
 
Useful Group Policy Concepts
Useful Group Policy ConceptsUseful Group Policy Concepts
Useful Group Policy ConceptsRob Dunn
 
W2 k3 ad_integration-how_to
W2 k3 ad_integration-how_toW2 k3 ad_integration-how_to
W2 k3 ad_integration-how_toMeka SriHari
 
Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)
Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)
Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)Intergen
 

Similar to 10 things group policy preferences does better (20)

Group policy preferences
Group policy preferencesGroup policy preferences
Group policy preferences
 
Using GPOs to Configure and Tune Desktops
Using GPOs to Configure and Tune DesktopsUsing GPOs to Configure and Tune Desktops
Using GPOs to Configure and Tune Desktops
 
Ascential DataStage Director Guide
Ascential DataStage Director GuideAscential DataStage Director Guide
Ascential DataStage Director Guide
 
John
JohnJohn
John
 
Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)Common Project Mistakes (And How to Avoid Them)
Common Project Mistakes (And How to Avoid Them)
 
Getting started with power map preview september refresh
Getting started with power map preview september refreshGetting started with power map preview september refresh
Getting started with power map preview september refresh
 
Improving Your Admin Image
Improving Your Admin ImageImproving Your Admin Image
Improving Your Admin Image
 
Mangento
MangentoMangento
Mangento
 
Introduction to Mangento
Introduction to Mangento Introduction to Mangento
Introduction to Mangento
 
Users guide
Users guideUsers guide
Users guide
 
En clipboard app quick_reference_guide
En clipboard app quick_reference_guideEn clipboard app quick_reference_guide
En clipboard app quick_reference_guide
 
Computer application
Computer applicationComputer application
Computer application
 
Synergis University 2014 - Inventor Performance Optimization
Synergis University 2014 - Inventor Performance OptimizationSynergis University 2014 - Inventor Performance Optimization
Synergis University 2014 - Inventor Performance Optimization
 
Useful Group Policy Concepts
Useful Group Policy ConceptsUseful Group Policy Concepts
Useful Group Policy Concepts
 
Creating templates
Creating templatesCreating templates
Creating templates
 
Data link mamut_magento
Data link mamut_magentoData link mamut_magento
Data link mamut_magento
 
W2 k3 ad_integration-how_to
W2 k3 ad_integration-how_toW2 k3 ad_integration-how_to
W2 k3 ad_integration-how_to
 
Mke15
Mke15Mke15
Mke15
 
Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)
Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)
Windows Accelerate IT Pro Bootcamp: Platform Delivery (Module 2 of 8)
 
Tutorial
TutorialTutorial
Tutorial
 

More from Gol D Roger

Seizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceSeizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceGol D Roger
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsGol D Roger
 
Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Gol D Roger
 
8 0-os file-system management
8 0-os file-system management8 0-os file-system management
8 0-os file-system managementGol D Roger
 
8 1-os file system implementation
8 1-os file system implementation8 1-os file system implementation
8 1-os file system implementationGol D Roger
 
Desktop Forensics: Windows
Desktop Forensics: WindowsDesktop Forensics: Windows
Desktop Forensics: WindowsGol D Roger
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security Gol D Roger
 
IT Passport Examination.
IT Passport Examination.IT Passport Examination.
IT Passport Examination.Gol D Roger
 
Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Gol D Roger
 
Users guide-to-winfe
Users guide-to-winfeUsers guide-to-winfe
Users guide-to-winfeGol D Roger
 

More from Gol D Roger (12)

Seizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret ServiceSeizing Electronic Evidence & Best Practices – Secret Service
Seizing Electronic Evidence & Best Practices – Secret Service
 
Forensic artifacts in modern linux systems
Forensic artifacts in modern linux systemsForensic artifacts in modern linux systems
Forensic artifacts in modern linux systems
 
Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02Cybercrimeandforensic 120828021931-phpapp02
Cybercrimeandforensic 120828021931-phpapp02
 
8 0-os file-system management
8 0-os file-system management8 0-os file-system management
8 0-os file-system management
 
8 1-os file system implementation
8 1-os file system implementation8 1-os file system implementation
8 1-os file system implementation
 
Deep Web
Deep WebDeep Web
Deep Web
 
Desktop Forensics: Windows
Desktop Forensics: WindowsDesktop Forensics: Windows
Desktop Forensics: Windows
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
HTTPs Strict Transport Security
HTTPs Strict Transport Security HTTPs Strict Transport Security
HTTPs Strict Transport Security
 
IT Passport Examination.
IT Passport Examination.IT Passport Examination.
IT Passport Examination.
 
Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2Basic configuration fortigate v4.0 mr2
Basic configuration fortigate v4.0 mr2
 
Users guide-to-winfe
Users guide-to-winfeUsers guide-to-winfe
Users guide-to-winfe
 

Recently uploaded

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

10 things group policy preferences does better

  • 1. 10 things Group Policy Preferences can do better than your current script! By Florian Frommherz September 5th, 2008
  • 2. Table of Contents Overview.................................................................................................................................................. 3 Drive Mappings ....................................................................................................................................... 3 Energy options ......................................................................................................................................... 5 Folder Options ......................................................................................................................................... 5 Internet Explorer Settings ....................................................................................................................... 5 Setting local Administrator Passwords /Administering local users and groups ...................................... 6 Regional Options ..................................................................................................................................... 7 Creating Files and Folders on client machines ........................................................................................ 8 Creating Shortcuts on Clientmachines .................................................................................................... 9 Connection Printers ............................................................................................................................... 11 Creating Scheduled Tasks ...................................................................................................................... 12 Green and red lines under my options? ................................................................................................ 13
  • 3. Overview Let’s be honest: some administrative tasks are a pain in the foot as they are either difficult to implement or require heavy scripting action. Some of them even require you to import some registry export files because there aren’t Group Policy settings or ADM templates for them around. To get around these issues, we can use Group Policy Preferences with 21 new Client Side Extensions that implement a heck of functionality we were missing until now. The perquisites and requirements can be found here: http://support.microsoft.com/kb/943729. You basically need to download and install the Client Side Extensions on all target machines. Additionally, you need a management station with Server 2008 installed (member server is sufficient) or a Vista SP1 machine with RSAT installed. To be clear: there’s no need to have your AD schema extended or a 2008 DC in place. This article is (hopefully) about what Group Policy Preferences can do and how they can help you minimize overall scripting in your environment. Drive Mappings One of the things every administrator under us certainly created once in his career is drive mappings. Drive mappings help users place their documents on the same server with the same drive letter all the time. We usually map drive using scripts, like bananasimportant documents and provide special drive letters to them so people can use them like their local drives. For a batch file, we could simply use NET USE U: “bananasimportant documents” /persistent:no to map the bananas server share “important documents” to U:. That’s pretty easy we can see – but what if we wanted to filter the sharing a little bit? What if we wanted to have a couple of shares connected and mapped based on certain criteria like the user’s group membership in a AD security group or the machine’s operating system? Scripting that wouldn’t be that easy. This is where Preferences can help. Under User ConfigurationPreferencesWindows SettingsDrive Maps we can find the corresponding Preference settings. Selecting “New” from the context menu, we can add a new drive mapping. You’ll notice that the UI to administer preferences is easy to understand. It sometimes is a 100% copy of the UI in Windows – it feels like you would configure some settings on the local machine. That’s another thing why Preferences rock.
  • 4. Creating a drive mapping is boring the same way it is using a script. It gets interesting as soon as we try to implement the filter criteria based on which we want the share mapped. Preferences can do this with item-level targeting. The tab “Common” has a checkbox labeled “item-level targeting” and a button you can push. That opens up a sort of formula editor we can use to create a filter. Machines that are in the scope of your Group Policy with this Preference will use that filter to evaluate whether the settings herein gets applied or not. We choose “New Item” and create a filter just like we wanted it: based on security group membership and operating system of the client.
  • 5. Power options Deploying power options with Group Policy isn’t an easy thing to do. There are a few things you can do, but they’re mostly not sufficient. So is the free tool “powercfg” you can use to script the machine to default to hibernation or sleep mode (see: http://technet.microsoft.com/en- us/library/cc748940.aspx). Again, we can use Preferences that come with a very common UI we all know: Computer ConfigurationPreferencesControl Panel SettingsPower Options lets you create Power options and Power scheme preferences. Notice that some settings have a green underline – that’s a special feature of Group Policy Preferences which is described in the very last section “Green and red lines under my options?”. For now it’s just important to know that settings we want to deploy need to be underlined green. Folder Options Making hidden folders visible? Making system files visible to users? Not as easy as you might think, if you’re not going to roll out a new profile that to all users that has this configured. You certainly don’t want to roll this out with a registry import script, do you? Another one for Preferences: Computer configurationPreferencesControl Panel SettingsFolder Options gives you the chance to configure Windows XP and Windows Vista folder options with just the same UI you’d use to configure the local folder options on your machine! All settings, checkboxes and options are there. If you know the pain to deploy this, you’ll love Preferences! Internet Explorer Settings Managing Internet Explorer is a little tricky. Not only the two modes “Internet Explorer Maintenance” and “Internet Explorer Preference” are difficult to understand, the application or non-application is a chapter of its own. Thinking of the underlying architecture, IE5 and IE6 settings are still managed
  • 6. with some code from the IEAK 4 engine which has come into years now. Not a really good base to build on. Group Policy Preferences can do it better: User ConfigurationControl Panel SettingsInternet Settings. Note that the colored underlining again needs to be green in order to have settings successfully applied by clients. For more on that, see the last paragraph. Setting local Administrator Passwords /Administering local users and groups There are numerous ways to edit the local administrator account and set a new password but – how good are they? One could think the easiest way to set a new password for “Administrator” is creating a computer startup script and change it using “NET USER Administrator …”. The downside here is that – with all scripting – they can be read by the Everyone principal or at least a authenticated users. Be careful with those scripts, as the password is provided in clear text there. You better use the Microsoft Script Encoder to “hide” the entire script from the user or use a tool that changes the local admin passwords from a central place by connection to each machine individually (like pspasswd: http://technet.microsoft.com/en-us/sysinternals/bb897543.aspx). Keep in mind that this requires that the machines are up and running when you run a tool like this. In our Preference case, we can use them to manage the local Administrator password. Of course the password gets saved somehow on the SYSVOL share too, but is secured by a 256bit AES encryption – so people can’t just read the clear text. That brings security in there. In Computer ConfigurationPreferencesControl Panel Settingslocal users and groups we can do that. Choosing “New” and “local User” from the context menu lets us proceed.
  • 7. As shown in the picture, we can use the predefined “Administrator (built-in) to accomplish our goal. We can provide the new password and adjust the check boxes at the bottom just as we wish. Only make sure you don’t hit the “Account is disabled” checkbox or “Change password at next logon” box – as these might bit you back ;-) Remember adjusting local services that might run with “Administrator” credentials on the boxes and might fail to start if the password is changed. Regional Options Another topic that, until now always involved the creation of custom ADM templates and the creation of scripting, is “regional options”. If you missed setting the regional options settings in your images or set it wrong, you may get into trouble as different countries have different formatting- characters or different date and time formatting. User ConfigurationPreferencesControl Panel SettingsRegional Options
  • 8. Look at the UI? Does it look familiar? Indeed it does! The whole UI of the “Regional Options” setting in the Control Panel got copied so that you can configure this preference setting as you would with a live machine in front of you. Keep in mind that, again, there are red/green lines under the settings. You should check the “Green and red lines under my options” section below. Creating Files and Folders on client machines User ConfigurationPreferencesWindows SettingsFiles and User ConfigurationPreferencesWindows SettingsFolder lets you create files and folders on the target machines and set the file attributes “archive”, “read only” and “hidden”. You can also use these Preferences to copy files and folders off a network share to the clients. You can also dictate that files that are already located on the target system will be replaced or deleted. You really don’t need a script for this anymore. No more copying font files and updated HOSTS files manually or using a script. No more scripting using “IF EXIST” to check whether a file already exists on a target system. You can even check with Preferences if the file in the right version and date is present on the client – remember item-level targeting!
  • 9. Creating Shortcuts on client machines I hated creating shortcuts on users’ desktops. They were not easy to manage as you always had to script them. When it comes to altering a shortcut let’s say a shortcut to an intranet website that changed or an application on some app server moved. If you feel with me, the following Preference is for you: User ConfigurationPreferencesWindows SettingsShortcuts. You can create shortcuts at the following locations:
  • 10. Did you notice? There really are “Quicklaunch”, “Send to” and “Explorer favorites” in the list. I welcome this as costumizing the Quick launch bar was sort of a pain since you had to toggle it on or off in the profile as it wasn’t possible in GP before. You still had to script the population of new items for the Quick Launch Bar by copying files into the appropriate folder. If you’re in a fun mood, you can also customize the icon people can see and click at the shortcut.
  • 11. Connecting Printers If you deployed printers using a script or you used the pretty limited “Printer Deployment” feature in R2, you’ll surely find this a good solution: you can deploy your printers using Preferences now. They have a lot of features “Printer Deployment” lacks like central logging into the event log (built-in with preferences) and the option to set a printer as the “Default Printer”. If you’re still after the scripting solution, here’s some documentation about it: http://www.microsoft.com/windowsserver2003/techinfo/overview/printuidll.mspx. You can have shared printers, tcp/ip printers and local printers deployed. You see the “as default printer” option there? Really cool. Even there you can use item-level-targeting to filter the printer list down so that every user gets her favorite printer shared:
  • 12. If you can script that in an average work day, send me an e-mail. If you can do that, you deserve deep honor and respect! Creating Scheduled Tasks That’s a classic in the newsgroups on Group Policy. Everytime the question “how can I schedule a task” comes up, I keep answering: “Create a script with at.exe or better yet schtasks.exe and create the task like that.” If you’re trying to create a task for a batch file execution, it can get a little frustrating – create a batch to create a task that executes a batch… hmm… sounds like a tough task if you look at the parameters schtasks has: http://support.microsoft.com/kb/814596 - at least it works. With preferences, we have a native way of doing that!
  • 13. The tabs “Schedule” and “Properties” have other options for you to configure, like how often and when the task is scheduled to execute and whether it gets executed if the machine is on batteries. Green and red lines under my options? You surely noticed the red and green underlining in some of the UI elements in Group Policy Preference. This underlining is not a visual goodie but an indication for you as the administration whether the setting underlined is “active” and gets applied by the targets (the group policy targets, user and computer objects). Green underlining means the setting is active and will be applied by the targets. Red underlining means the setting is inactive and will therefore be ignored by the targets.
  • 14. You can change the underlining and the application behind by using the function keys F5 through F8 to enable/disable the setting. F5 – activate all options F6 – activate currently selected setting F7 – disable currently selected setting F8 – disable all options This feature is currently not *that* well documented. You can however find information about this in the help files. I’m sure you’ll find an article on this very soon on TechNet or the Group Policy Team blog: http://blogs.technet.com/grouppolicy/ Note that the description above, “gets applied by the targets” is not 100% accurate. Clients don’t decide whether to apply the setting or not based on the underlining. Red underlined settings are just not exposed in the XML configuration file that the client reads while applying the settings. It’s therefore not configured at all. Conclusion For exactly $0 and a little bit of deployment work, you can have a load of new settings that you can roll out to clients – without scripting. Think about the feature Preferences already has and what powerful things you can do with item-level-targeting. Painful scripting can become passé.