
Managing Win7 with Group Policy

Managing Win7 with Group Policy. Bret Madsen, Purdue University System Administrator. Purdue Windows Labs: approx. 2300 computers, over 120 lab locations and 300 teaching lecterns, over 300 application packages, updates to machines nightly, logout to login time under 5 minutes.


Presentation Transcript


  1. Managing Win7 with Group Policy
     Bret Madsen, Purdue University System Administrator

  2. Purdue Windows Labs
     • Approx. 2300 computers
     • Over 120 lab locations and 300 teaching lecterns
     • Over 300 application packages
     • Updates to machines nightly
     • Logout to login time under 5 minutes
     • Revert any changes between users (Deep Freeze)
     • Space for user data and customizations
     • Unique identifiable logins for tracking purposes

  3. Remote Registry
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/System Services
       • [Remote Registry] = startup mode: automatic
       • Note: by default the service is disabled

  4. Remote Desktop
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Local Policies/User Rights Assignment
       • [Allow log on through Terminal Services] = group
       • [Allow log on locally] = group
     • Security Settings/Local Policies/Restricted Groups
       • [BUILTIN\Remote Desktop Users] = group
     • Administrative Templates
     • Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
       • [Allow users to connect remotely using Remote Desktop Services] = enabled
     • Windows Components/Windows Installer
       • [Allow admin to install from Remote Desktop Services session] = enabled

  5. Remote Management 1/2
     • Computer Configuration
     • Policies
     • Administrative Templates
     • Windows Components/Windows Remote Management/WinRM Service
       • [Allow automatic configuration of listeners] = management IP addresses
     • Windows Components/Windows Remote Shell
       • [Allow Remote Shell Access] = enabled

  6. Remote Management 2/2
     • [Allow automatic configuration of listeners] = management IP addresses
       • If you enable this policy setting, the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP port.
       • If you disable or do not configure this policy setting, the WinRM service does not automatically listen on the network and you must manually create listeners on every computer.
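An added audit script (example code, not from the deck) that reads back the Remote Registry, WinRM and Remote Shell settings of slides 3, 5 and 6 on a Win7 host and reports drift; it assumes the policy-backed registry paths named in the code and a constructed expected address range.

```powershell
# Added example, not from the deck: audit the Remote Registry, WinRM and
# Remote Shell settings of slides 3, 5 and 6 on the local Win7 host.
# Assumed: the policy-backed registry locations below; run from an elevated prompt.
$WinRmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
$WinRsPolicy = "$WinRmPolicy\WinRS"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means "not configured" (key or value absent).
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-RemoteManagementPolicy {
    # Constructed sample: the address range the lab admins expect WinRM to listen on.
    param([string[]]$ExpectedListenRanges = @('10.10.0.0-10.10.255.255'))
    $findings = @()

    # Slide 3: Remote Registry must start automatically (the default is Disabled).
    $svc = Get-WmiObject Win32_Service -Filter "Name='RemoteRegistry'"
    if (-not $svc -or $svc.StartMode -ne 'Auto') {
        $findings += "RemoteRegistry start mode is '$($svc.StartMode)', expected 'Auto'"
    }

    # Slides 5-6: listener auto-configuration. IPv4Filter names the host's OWN
    # addresses the service binds to ('*' = all interfaces); it does not limit
    # which clients may connect. Scoping the source is the firewall rule's job (slide 13).
    $auto     = Get-PolicyValue $WinRmPolicy 'AllowAutoConfig'
    $filter   = Get-PolicyValue $WinRmPolicy 'IPv4Filter'
    $expected = $ExpectedListenRanges -join ','
    if ($auto -ne 1) { $findings += 'WinRM listener auto-configuration is not enabled' }
    elseif ($filter -eq '*') { $findings += 'IPv4Filter is "*": WinRM listens on every interface' }
    elseif ($filter -ne $expected) { $findings += "IPv4Filter is '$filter', expected '$expected'" }

    # Slide 5: Remote Shell access enabled.
    if ((Get-PolicyValue $WinRsPolicy 'AllowRemoteShellAccess') -ne 1) {
        $findings += 'Remote Shell access is not enabled by policy'
    }

    # Did a listener actually get created? (The WSMan: drive needs the WinRM service running.)
    $listener = Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    if (-not $listener) { $findings += 'No WinRM listener is registered on this host' }

    if ($findings.Count -eq 0) { 'Remote management policy matches the expected state' }
    else { $findings }
}

Test-RemoteManagementPolicy
```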

  7. Windows Updates
     • Computer Configuration
     • Policies
     • Administrative Templates
     • Windows Components/Windows Update
       • [Allow non-administrators to receive update notifications] = disabled
       • [Do not adjust default option to ‘Install Updates and Shut Down’ in Shut Down Windows dialog box] = enabled
       • [Do not display ‘Install Updates and Shut Down’ option in Shut Down Windows dialog box] = enabled
       • [Specify intranet Microsoft update service location] = intranet server

  8. External Devices 1/3
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Local Policies/Security Options/Devices
       • [Allowed to format and eject removable media] = group
     • Administrative Templates
     • System/Device Installation
       • [Do not send a Windows error report when a generic driver is installed on a device] = enabled
       • [Prevent Windows from sending an error report when a device driver requests additional software during installation] = enabled
     • System/Device Installation/Device Installation Restrictions
       • [Allow installation of devices that match any of these device IDs] = *
       • [Allow installation of devices using drivers for these device classes] = *
       • [Prevent installation of removable devices] = disabled
     • System/Driver Installation
       • [Allow non-administrators to install drivers for these device setup classes] = enabled

  9. External Devices 2/3
     • [Allow installation of devices that match any of these device IDs] = *
       • If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation.
     • [Allow installation of devices using drivers for these device classes] = *
       • If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation.
     • [Allow non-administrators to install drivers for these device setup classes] = *
       • If you enable this setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.

  10. External Devices 3/3
     • User Configuration
     • Policies
     • Administrative Templates
     • System/Driver Installation
       • [Code signing for device drivers] = When Windows detects a driver file without a digital signature: ignore
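An added script (example code, not from the deck) that decodes what the Device Installation Restrictions and driver-signing settings of slides 8 to 10 look like once applied, so an admin can see what the wildcard allow lists and the "ignore" signing choice actually permit; it assumes the policy-backed registry paths named in the code.

```powershell
# Added example, not from the deck: read back the Device Installation Restrictions
# and driver-signing settings of slides 8-10 from the registry and summarise them.
# Assumed: the policy-backed registry locations named below.
$Restrictions  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
$DriverSigning = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'

function Get-PolicyValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RestrictionList([string]$SubKey) {
    # Allow/deny lists are stored one entry per numbered value (1, 2, 3 ...)
    # under a subkey of the Restrictions key.
    $key = Get-Item -Path "$Restrictions\$SubKey" -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

function Test-DeviceInstallPolicy {
    $report = @()
    foreach ($list in 'AllowDeviceIDs', 'AllowDeviceClasses') {
        $entries = @(Get-RestrictionList $list)
        $enabled = Get-PolicyValue $Restrictions $list           # 1 = policy enabled
        $state = if ($enabled -ne 1) { 'not configured' }
                 elseif ($entries -contains '*') { "contains '*' (slide 8's catch-all), $($entries.Count) entries" }
                 else { "$($entries.Count) explicit entries: $($entries -join '; ')" }
        $report += "$list : $state"
    }
    # Slide 8: [Prevent installation of removable devices] = disabled -> value 0 or absent.
    $denyRemovable = Get-PolicyValue $Restrictions 'DenyRemovableDevices'
    $report += "DenyRemovableDevices : $(if ($denyRemovable -eq 1) { 'enabled' } else { 'disabled or not configured' })"

    # Slide 10 (per-user policy): 0 = ignore, 1 = warn, 2 = block unsigned drivers.
    $b = Get-PolicyValue $DriverSigning 'BehaviorOnFailedVerify'
    $label = if ($b -eq 0) { 'ignore' } elseif ($b -eq 1) { 'warn' } elseif ($b -eq 2) { 'block' } else { 'not configured' }
    $report += "Unsigned driver behaviour (current user) : $label"
    $report
}

Test-DeviceInstallPolicy
```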

  11. Logon
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Local Policies/Security Options/Interactive Logon
       • [Do not display last user name] = enabled
       • [Do not require CTRL+ALT+DEL] = disabled
       • [Number of previous logons to cache] = 0 logons
     • Administrative Templates
     • System/Logon
       • [Always use custom logon background] = enabled (stored at %systemRoot%\System32\oobe\info\backgrounds\backgrounddefault.jpg)
       • [Assign a default domain for logon] = name of domain
       • [Hide entry points for Fast User Switching] = enabled
       • [Turn off Windows Startup Sound] = enabled

  12. UAC
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Local Policies/Security Options/User Account Control
       • [Detect application installations and prompt for elevation] = disabled

  13. Firewall 1/2
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Windows Firewall with Advanced Security
     • Domain (Private and Public also) Profile Settings
     • Inbound Rules
       • RDP
       • Sys Admin management machines

  14. Firewall 2/2
     • Domain (Private and Public also) Profile Settings
     • Domain
       • Applies when a computer is connected to a network that contains an Active Directory domain controller in which the computer's domain account resides.
     • Private
       • Applies when a computer is connected to a network in which the computer's domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. A network is assigned the private type by a local administrator.
     • Public
       • Applies when a computer is connected to a domain through a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment. By default, newly discovered networks are assigned the public type.
     • Computers running Windows Server 2008 and Windows Vista support only a single profile at a time. If the computer is connected to more than one network, the most restrictive profile is applied to all network adapters.
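The two inbound rules of slide 13 as netsh advfirewall commands, which Win7 supports, added here as example code (not the deck's own). The rules are scoped to the Domain profile and to a constructed list of sysadmin management addresses; rule names, addresses and the WinRM port (5985, Win7's default HTTP port) are assumptions.

```powershell
# Added example, not from the deck: create the slide 13 inbound rules (RDP and
# management access) scoped to the Domain profile and to the management hosts.
# Names, addresses and the WinRM port are assumptions; run from an elevated prompt.
function Add-LabManagementRules {
    param([string[]]$ManagementHosts = @('10.10.1.10', '10.10.1.11'))   # constructed sample
    $remote = $ManagementHosts -join ','
    $rules = @(
        @{ Name = 'Lab-RDP-SysAdmin';   Port = 3389 },   # Remote Desktop (slides 4 and 13)
        @{ Name = 'Lab-WinRM-SysAdmin'; Port = 5985 }    # WinRM HTTP listener (slide 6)
    )
    foreach ($r in $rules) {
        # Remove any older copy so re-running the script does not stack duplicate rules.
        netsh advfirewall firewall delete rule name=$($r.Name) | Out-Null
        # Allow only from the management hosts, only while on the domain network.
        netsh advfirewall firewall add rule name=$($r.Name) dir=in action=allow `
            protocol=TCP localport=$($r.Port) remoteip=$remote profile=domain | Out-Null
    }
    # Show what actually landed so the RemoteIP scope can be checked by eye.
    foreach ($r in $rules) { netsh advfirewall firewall show rule name=$($r.Name) }
}

Add-LabManagementRules
```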

  15. Printing 1/2
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Local Policies/Security Options/Devices
       • [Prevent users from installing print drivers] = disabled
     • Administrative Templates
     • Printers
       • [Execute print drivers in isolated processes] = enabled
       • [Override print driver execution compatibility setting reported by print driver] = disabled
       • [Point and Print Restrictions] = disabled

  16. Printing 2/2
     • [Execute print drivers in isolated processes] = enabled
       • This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler service to fail.
       • If you enable or do not configure this policy setting, the print spooler will execute print drivers in an isolated process by default. If you disable this policy setting, the print spooler will execute print drivers in the print spooler process.
       • This policy setting applies only to print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.
     • [Override print driver execution compatibility setting reported by print driver] = disabled
       • This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does not report compatibility.
     • [Point and Print Restrictions] = disabled
       • This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
       • Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
       • Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.

  17. Roaming and Redirection 1/4
     • Computer Configuration
     • Policies
     • Administrative Templates
     • System/Folder Redirection
       • [Use localized subfolder names when redirecting Start Menu and My Documents] = enabled
     • System/User Profiles
       • [Do not check for user ownership of Roaming Profile Folders] = enabled
       • [Set roaming profile path for all users logging onto this computer] = path without .v2 (appended automatically)

  18. Roaming and Redirection 2/4
     • [Use localized subfolder names when redirecting Start Menu and My Documents] = enabled
       • This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Menu and legacy My Documents folder respectively.
       • Note: This policy is valid only on Windows Vista and Windows 7 when it processes a legacy redirection policy already deployed for these folders in your existing localized environment.
     • [Do not check for user ownership of Roaming Profile Folders] = enabled
       • If you enable this setting, Windows will not check the permissions for the folder in the case where the folder exists.
       • If you disable or do not configure this setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder, Windows will NOT copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user’s cached profile will be used, or a temporary profile issued if no cached profile exists.
     • [Set roaming profile path for all users logging onto this computer] = path without .v2 (appended automatically)
       • To use this setting, type the path to the network share in the form \\Computername\Sharename\. It is recommended to add %USERNAME% to the path to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile.

  19. Roaming and Redirection 3/4
     • User Configuration
     • Policies
     • Windows Settings/Folder Redirection
       • [AppData], [Contacts], [Desktop], [Documents], [Downloads], [Favorites], [Links], [Music], [Pictures], [Start Menu], [Videos]
     • Notes:
       • New ability to target different groups within one policy
       • If using a non-Windows file share, there may be issues. We use a Sun file server, and if the folders weren’t pre-created the redirect would not work.
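An added provisioning script (example code, not the deck's) for the pre-creation problem noted on slide 19: it creates the slide 19 redirected folder set and the slide 17 roaming profile folder (with the .v2 suffix Win7 appends) for each user, and locks each user's tree to that user plus Administrators and SYSTEM. Share paths and user names are constructed samples; the ACL step assumes an NTFS-style share and can be skipped with -NoAcl on a file server that does not honour Windows ACLs.

```powershell
# Added example, not from the deck: pre-create redirected folders (slide 19) and the
# roaming profile folder (slide 17) per user, so redirection works on a file server
# that cannot create them on first logon. Paths and user names are constructed samples.
$RedirectedFolders = 'AppData', 'Contacts', 'Desktop', 'Documents', 'Downloads',
                     'Favorites', 'Links', 'Music', 'Pictures', 'Start Menu', 'Videos'

function New-UserRedirectionFolders {
    param(
        [Parameter(Mandatory=$true)][string]$RedirectRoot,   # e.g. \\fs01\redirect$ (sample)
        [Parameter(Mandatory=$true)][string]$ProfileRoot,    # e.g. \\fs01\profiles$ (sample)
        [Parameter(Mandatory=$true)][string[]]$UserName,
        [string]$Domain = $env:USERDOMAIN,
        [switch]$NoAcl                                       # skip ACLs on non-NTFS shares
    )
    foreach ($user in $UserName) {
        # Win7 appends .v2 to the profile path itself (slide 17), so the share
        # must already contain <user>.v2, not <user>.
        $paths = @("$ProfileRoot\${user}.v2")
        $paths += $RedirectedFolders | ForEach-Object { "$RedirectRoot\$user\$_" }

        foreach ($p in $paths) {
            if (-not (Test-Path -LiteralPath $p)) {
                New-Item -ItemType Directory -Path $p | Out-Null
            }
        }
        if ($NoAcl) { continue }

        # Give the user Full Control on their own tree and cut inheritance, so one
        # lab user's redirected folders are not readable by the next user of the PC.
        foreach ($top in "$ProfileRoot\${user}.v2", "$RedirectRoot\$user") {
            $acl = Get-Acl -Path $top
            $acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs
            foreach ($identity in "$Domain\$user", 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
                $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
                $acl.AddAccessRule($rule)
            }
            Set-Acl -Path $top -AclObject $acl
        }
    }
}

# Usage with constructed names:
# New-UserRedirectionFolders -RedirectRoot '\\fs01\redirect$' -ProfileRoot '\\fs01\profiles$' -UserName 'lab1234'
```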

  20. Roaming and Redirection 4/4

  21. Internet Explorer 1/2
     • Computer Configuration
     • Policies
     • Administrative Templates
     • Windows Components/Internet Explorer
       • [Disable changing proxy settings] = enabled
       • [Disable Periodic Check for Internet Explorer software updates] = enabled
       • [Pop-up allow list] = list of sites (such as WebCT)
       • [Prevent participation in the Customer Experience Improvement Program] = enabled
       • [Prevent performance of First Run Customize settings] = enabled
       • [Customize settings] = Go directly to home page
     • Windows Components/Internet Explorer/Compatibility View
       • [Use Policy List of Internet Explorer 7 sites] = list of sites (such as WebCT)

  22. Internet Explorer 2/2
     • User Configuration
     • Policies
     • Administrative Templates
     • Windows Components/Internet Explorer
       • [Pop-up allow list] = list of sites (such as WebCT)
       • [Prevent participation in the Customer Experience Improvement Program] = enabled
       • [Prevent performance of First Run Customize settings] = enabled
       • [Customize settings] = Go directly to home page

  23. Restart 1/3
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Local Policies/Security Options/Shutdown
       • [Clear virtual memory pagefile] = disabled
     • Administrative Templates
     • System/Disk NV Cache
       • [Turn Off Boot and Resume Optimizations] = enabled
     • System/System Restore
       • [Turn off Configuration] = enabled
       • [Turn off System Restore] = enabled

  24. Restart 2/3
     • [Clear virtual memory pagefile] = disabled
       • Virtual memory support uses a system pagefile to swap pages of memory to disk when they are not used. On a running system, this pagefile is opened exclusively by the operating system, and it is well protected. However, systems that are configured to allow booting to other operating systems might have to make sure that the system pagefile is wiped clean when this system shuts down. This ensures that sensitive information from process memory that might go into the pagefile is not available to an unauthorized user who manages to directly access the pagefile.
     • [Turn Off Boot and Resume Optimizations] = enabled
       • If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume. The system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cache during shutdown and hibernate respectively. This might cause a slight increase in the time taken for shutdown and hibernate.

  25. Restart 3/3
     • User Configuration
     • Policies
     • Windows Settings/Scripts
       • [Logoff] = c:\windows\system32\shutdown.exe -r -t 00

  26. Event Log
     • Computer Configuration
     • Policies
     • Windows Settings
     • Security Settings/Event Log
       • [Retention method for application log] = as needed
       • [Retention method for security log] = as needed
       • [Retention method for system log] = as needed
     • Administrative Templates
     • Windows Components/Event Log Service
     • Application (Security, Setup, and System also)
       • [Log File Path] = drive location
       • [Backup log automatically when full] = enabled
       • [Retain old events] = enabled

  27. Group Policy Preferences 1/4
     • Computer Configuration
     • Preferences
     • Windows Settings
       • Environment Variables
       • Files
       • Folders
       • Ini Files
       • Registry
       • Network Shares
       • Shortcuts
     • Note: preferences stay on the machine once applied even if the policy is removed

  28. Group Policy Preferences 2/4
     • User Configuration
     • Preferences
     • Windows Settings
       • [Drive Maps], [Environment], [Files], [Folders], [Ini Files], [Registry], [Shortcuts]
     • Notes:
       • Preferences stay on the machine once applied even if the policy is removed
       • We use this to verify the folders for folder redirection are present, map an alternative home drive, and set a registry key to disable printing balloon popups

  29. Group Policy Preferences 3/4

  30. Group Policy Preferences 4/4

  31. QUESTIONS???
     Managing Win7 with Group Policy
     Bret Madsen, Purdue University System Administrator
