Group Policy
Group Policy: Desktop Lockdown Part 1
Oct 22nd

I get a lot of questions about how to “lock down” workstations.
So, in the next series of tips, I’m going to give you some little strategic “base hits” for doing that.
Indeed, there’s not a “magic bullet” for true desktop lockdown. And, well, I also know SOME people tend to go “overboard” once they start tasting the sweet, sweet taste of “users not bothering them anymore.”
But, let’s (collectively) try not to go bananas as we implement some of these strategies. (What? People dealing with ‘Policy Control’ can sometimes go bananas once they start locking things down? Never!)
The Tip: Replacing your shell
So, in this first tip, I want to share a neat secret. Did you know you can “replace the shell”? It’s true. You don’t NEED to use Explorer as your shell. How about “Calc”?
Yep. Login, and… Calc. Or Solitaire. Or DogFoodMaker. That’s it. The only app running. Nothing else.
It’s possible.
Step 1: Choosing your shell
The policy is found under:
User | Policies | Administrative Templates | System | Custom User Interface
Enter in “c:\windows\system32\calc.exe” to try.
(I’m using hard coded paths, but you might want to use variables.)
Step 1A: A more useful shell
A more useful thing to do would be Internet Explorer, say, for cafeteria, library machines, and others.
Try entering in this (using quotes):
“C:\Program Files\Internet Explorer\iexplore.exe”
Step 2: Locking down your desktop a little bit
We want to make it so users cannot use Task Manager or lock the machine. Thankfully those options are located under:
User | Policies | Administrative Templates | System | CTL+ALT+DEL Options
You might also want to Turn off Windows hotkeys:
User | Administrative Templates | Windows Components | Windows Explorer | “Turn off Windows+X hotkeys”
Step 3: Lock down IE to your liking
There are a zillion options here. But some of my top favorites are
User | Administrative Templates | Windows Components | Internet Explorer | Browser Menus |
“File Menu: Disable open menu option”
and
“File menu: Disable closing the browser and Explorer windows”
Other areas to explore and control are the: Toolbars and Internet Control Panel sections.
Now, you’ve quickly taken a machine, and made it “IE only” and “pretty well locked down.”
It’s not perfect. Users could still get to, say, the command prompt by typing in
“c:\windows\system32\cmd.exe” into the browser window.
But you’re almost home now, and that’s a pretty good start. Do you have group policy tips, tricks and how to’s to share? Well then hit up the comments and make yourself heard!
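As an added example (not from the original post or GPanswers.com), here is a PowerShell audit script that checks whether the settings from Steps 1 through 3 actually landed on a workstation, by reading the registry values those user policies write. It also checks the “Prevent access to the command prompt” policy, which is the usual answer to the cmd.exe caveat above; the registry locations are the standard ones for these policies, and the script assumes it runs in the locked-down user’s session.

```powershell
# Added example, not from the original post: audit the user-side lockdown
# settings described above by reading the registry values those policies write.
# Run it in the locked-down user's session (policy values live under HKCU).
$Pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$IE  = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'

# Each entry: the policy name as shown in the editor, where it lands, and the value(s) that mean "enabled".
$Checks = @(
    @{ Name = 'Remove Task Manager';                    Path = "$Pol\System";   Value = 'DisableTaskMgr';         Expect = 1 }
    @{ Name = 'Remove Lock Computer';                   Path = "$Pol\System";   Value = 'DisableLockWorkstation'; Expect = 1 }
    @{ Name = 'Turn off Windows+X hotkeys';             Path = "$Pol\Explorer"; Value = 'NoWinKeys';              Expect = 1 }
    @{ Name = 'File menu: Disable open menu option';    Path = $IE;             Value = 'NoFileOpen';             Expect = 1 }
    @{ Name = 'File menu: Disable closing the browser'; Path = $IE;             Value = 'NoBrowserClose';         Expect = 1 }
    # Mitigation for the caveat above (cmd.exe reachable by typing its path into the browser):
    # 1 = disabled (scripts blocked too), 2 = disabled but scripts allowed.
    @{ Name = 'Prevent access to the command prompt';   Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD'; Expect = @(1, 2) }
)

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent (policy Not Configured or Disabled).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Step 1: Custom User Interface. Report the configured shell and whether Explorer is still in use.
$shell = Get-PolicyValue "$Pol\System" 'Shell'
if (-not $shell) {
    Write-Warning 'Custom User Interface is not set: users get the full Explorer shell.'
} elseif ($shell -match 'explorer\.exe') {
    Write-Warning "Custom User Interface points at Explorer ($shell); nothing is locked down."
} else {
    Write-Host "Shell replaced with: $shell"
}

# Steps 2 and 3: each policy either matches an expected value or is reported as a gap.
$report = foreach ($c in $Checks) {
    $actual = Get-PolicyValue $c.Path $c.Value
    [pscustomobject]@{
        Policy  = $c.Name
        Enabled = ($c.Expect -contains $actual)
        Actual  = if ($null -eq $actual) { '(not configured)' } else { $actual }
    }
}
$report | Format-Table -AutoSize
```

Anything listed with Enabled = False is a gap relative to the steps above; run the script again after a `gpupdate /force` to confirm the GPO actually reached the user.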
Written by Jeremy Moskowitz of GPanswers.com
DNS is LIFE. Group Policy Tip of the Week.
May 27th
“Why isn’t Group Policy Working on this client?”
“Did You Check the DNS Configuration of the Client?”
One of the most frequently encountered problems with Windows 2000 and above is that things just ‘stop working’ when DNS gets out of whack. Specifically, if you’re not seeing Group Policy apply to your client machines, make sure their DNS client is pointing to a Domain Controller or other authoritative source for the domain. If it’s pointing to the wrong place or not pointing anywhere, Group Policy will simply not be downloaded.
As a colleague of mine likes to say, ‘Healthy DNS equals a healthy Active Directory.’
Moreover, in the age of Windows 2003/2008 with its multiple forests with cross-forest trusts, Group Policy could be applying from just about anywhere and everywhere. It’s more important than ever to verify that all DNS server pointers are designed properly and working as they should. For instance, if clients cannot access their ‘home’ Domain Controllers while leveraging a cross-forest trust, they won’t get Group Policy.
Finally, to put a fine point on it, DNS leverages only the fully qualified name. It’s not enough to verify that you can resolve a computer named xppro1 as opposed to xppro1.corp.com. The first is actually the NetBIOS name and not the fully qualified domain name. The second is the fully qualified domain name. If you find yourself in a DNS resolution situation where resolving the NetBIOS name will work, but the fully qualified name will not work, then you have a DNS problem that needs to be addressed.
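As an added example (not part of the original tip), this PowerShell script checks the two things the tip calls out on a domain-joined client: that each DNS server the client is configured with can answer for the domain (it must return the domain controller SRV record), and that a computer’s fully qualified name resolves through DNS, not only its NetBIOS name. It uses the Resolve-DnsName and Get-DnsClientServerAddress cmdlets (Windows 8 / Server 2012 and later) and assumes the sample host name xppro1 from the tip, which you should swap for a real machine in your domain.

```powershell
# Added example, not from the original tip: verify the client's DNS configuration
# the way the tip recommends before blaming Group Policy.
param([string]$Domain = $env:USERDNSDOMAIN)

if (-not $Domain) { throw 'USERDNSDOMAIN is empty: log on with a domain account on a domain-joined machine.' }

# 1. Which DNS servers is the client actually using (IPv4, across all interfaces)?
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } |
           Select-Object -ExpandProperty ServerAddresses -Unique
"DNS servers configured on the client: $($servers -join ', ')"

# 2. Can each server hand out the domain controller locator record for our domain?
#    A server that cannot is not "a Domain Controller or other authoritative source",
#    and a client using it will not download Group Policy.
foreach ($srv in $servers) {
    try {
        $dc = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $srv -ErrorAction Stop |
              Where-Object { $_.Type -eq 'SRV' }
        "  $srv : OK, advertises DCs $($dc.NameTarget -join ', ')"
    } catch {
        Write-Warning "  $srv : cannot resolve the DC SRV record for $Domain ($($_.Exception.Message))"
    }
}

# 3. NetBIOS name vs. FQDN. Without -DnsOnly, Resolve-DnsName may fall back to
#    LLMNR/NetBIOS, so the short name can "work" while DNS itself is broken.
function Test-FqdnResolution([string]$ShortName, [string]$Domain) {
    $short = Resolve-DnsName -Name $ShortName -ErrorAction SilentlyContinue
    $fqdn  = Resolve-DnsName -Name "$ShortName.$Domain" -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Name          = $ShortName
        ShortResolves = [bool]$short
        FqdnResolves  = [bool]$fqdn
        DnsProblem    = ([bool]$short -and -not [bool]$fqdn)   # the tip's failure case
    }
}

# Sample host name taken from the tip; replace with a real computer in your domain.
Test-FqdnResolution -ShortName 'xppro1' -Domain $Domain | Format-Table -AutoSize
```

A row with DnsProblem = True is exactly the situation the tip describes: name resolution limps along on NetBIOS while the DNS records Group Policy depends on are missing.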
Another Awesome GP Post by Jeremy from GPAnswers.com
Top 5 reasons Admins FAIL at Group Policy.
Feb 10th
I have been thinking about why administrators sometimes report "issues" with their Group Policy system. As I thought about it, I decided to jot down some notes to share with you and your team and managers. The result was five reasons people fail with Group Policy, and I’m going to share them with you:
Reason #5: Not understanding how Windows 2000, Windows XP, Windows Vista, and Windows Server 2008 are all different.
You started out with Windows 2000, but do you know all of the ways that Group Policy applies differently to Windows XP? And what about Windows Vista and 2008? Can you be confident in explaining to the boss why settings don’t work exactly the same across these operating systems?
Reason #4: Not using Group Policy Power to its fullest.
Did you know there are 18 categories of settings and options you can perform in the box for Windows XP (and even more for Vista)? But what happens when you introduce the new Group Policy Preferences? You get another 21 new CATEGORIES. If you’re not up to speed here, you’re spinning your wheels, driving changes into your images when you should be doing it dynamically using Group Policy. Oh, and losing money each day you don’t implement these free new goodies.
Reason #3: Not knowing WHEN Group Policy applies.
This is a huge one. People throw their hands up in the air when it seems like Group Policy isn’t working. But I bet it’s working fine; you just need to understand WHEN Group Policy applies across different conditions and operating systems.
Reason #2: Not knowing how to find settings that do what you want.
How many policy settings are there? Hundreds? Thousands? Tens of thousands? Depends on who you ask and how you classify them. There are 2400 policy settings for Vista in one category (the Administrative Templates section), but what about the others? What process are you using to figure out which settings you should use for your environment?
And the number 1 Reason: Not everyone is speaking the same "language."
This is my favorite one, because it’s not even a technical one. It’s just human nature. We’re all too busy to figure out what our common "language" is going to be. If you’ve ever had a co-worker say to you, "Do me a favor and modify that Group Policy for me," you need to stop and ask yourself: "What is he talking about? The GPO itself? The settings contained within the GPO? Something else?" Having you AND your team be on the same page is simply priceless.
It’s that "Human Broadband Connection" you only get when everyone on your team is speaking a common language.
Thanks go to Jeremy from GPAnswers for this one!
What problems do you and your organization have with Group Policy? Who is using 2008 Policies? Let us know in the comments, kiddies!
Admin’s Arsenal: BareGrep
Nov 10th
Ok, here is the situation: you’ve got 1200 script files in a particular directory on your XP workstation, and you need to find any script that references “\\atl01\share” (cue Dennis Hopper voice). What do you do?!
Traditional convention is that you spend several hours opening each file in Notepad and doing a “find”, or you might be able to cut it down to an hour or so if you opened several dozen of the files at a time in Notepad++ and did “find in all files”, or you could take about half an hour and move the files over to a *NIX machine and use grep. I’ve got a better answer: BareGrep.exe from our friends at Bare Metal Software. BareGrep is basically a GUI version of the *NIX grep command for Windows machines, and it works wonderfully. Much like BareTail (which I reviewed here), BareGrep is fully portable, meaning you can run it from a USB drive!
Here is a short list of some of the features in BareGrep:
- Regular expression text search (that’s inside the files)
- Wildcard and regular expression file search
- Files to find or search can be specified with a regular expression
- Multiple files can also be specified with the mouse
- Recursive directory search
- Frequently used text search patterns may be saved, named and edited
- Searching while you type, to find results quicker
- Capturing groups (using bracket characters ‘(’ and ‘)’ in a regex) extract strings from files
- Tabular presentation of search results
- Export/copy of search results in many formats
- Search files of any size (> 2GB)
Not only will this utility do all that, but it is usable from the commandline as well! What more could you want? Wait, what? You want… more features? Well you’re in luck, as BareGrep comes in two forms, the Free version (what we’ve covered so far), and the Registered version ($25 at the time of this review), which offers all of the features of the free version, as well as:
- Selecting a search result line shows that line in context in the file
- Tabs display files recently viewed
- Tabs may be positioned on any side of the window and oriented horizontally or vertically
- Lines containing particular strings can be highlighted to help you notice important text
- Highlight colors are fully customizable
Now I can’t even begin to cover the colossal amount of time that this utility has saved me, but I can tell you that it is well worth the price of admission. BareGrep can be downloaded here.
How Group Policy is Like Punkin’ Chunkin’…
Nov 4th
Written by Jeremy Moskowitz of GPanswers.com
Sunday, I went and saw the most amazing thing ever. Since I used to live in Delaware, and now live in Philadelphia, I finally decided to go out and see it for myself.
That’s right: the world championships of Punkin’ Chunkin.
For the uninitiated, Punkin’ Chunkin is a competition to see who can launch a pumpkin the farthest. The basic categories are: Centrifugal, Air Cannon, Catapult and Trebuchet. 72 machines in all in this year’s competition. Yowsa!
I took some pictures, and got one amazing video of (what I think was) the most interesting device there. You can check out my pictures and the one video here:
https://moskowitzinc.infusionsoft.com/link/94db4cc00/249f00
You can see the official website here, including rules and other videos. Or get
“Flying Pumpkins — the Movie!”
http://www.punkinchunkin.com/main.htm
The winning shot this year went more than 3,000+ feet — into the wind!
If you can’t have a good time at Punkin’ Chunkin — you can’t have a good time anywhere. You should go. It’s weird. It’s fun. It’s hurling pumpkins using machines. It’s like Mythbusters Live — with real people and real pumpkins!
C’mon!!
And, as usual, while I’m not thinking about work, I end up thinking about work.
The history of this thing is neat: it started out innocently enough. A couple of farmers in a field and a little bragging rights as “payment.” In other words, they started small.
And so can you. I know lots of people who are basically afraid of GPOs. And for good reason. They can be dangerous if not used properly. Kind of like hurling 12 pound pumpkins from a trebuchet or an air cannon. Used well, they’re both lots of fun!
So, here’s some advice if you’re just getting started with Group Policy (so you don’t blow your network apart like a blown-up pumpkin):
(1) Use an offline test network: Don’t think that the Group Policy Object action you WANT to have happen is always GOING to happen. Make sure it works FIRST in a test lab before bringing that GPO over into production.
(2) Read the Explain text: The policy settings’ explain text is your best friend. In recent years, it’s become more and more accurate. So, read first, test second.
(3) Have others validate your work: Just because it “looks right to you” doesn’t mean the “goal” has been attained. Have others double-check your work to make sure what you’re doing is accurate.
(4) Start small; don’t go overboard: This is the biggie. When people catch “GPO fever” it’s common for people to “go a little crazy” and go a little overboard.
PS: If you blow up your pumpkin as it comes out of your machine, they call it “Making Pie.” Don’t be the guy (or gal) who makes pie out of your network.
Written by Jeremy Moskowitz of GPanswers.com
Our resident GP expert talks about everything BUT Group Policy!
Sep 26th
This week, I’m taking a break from Group Policy stuff.
If you think these tips of the week aren’t that useful when they’re not GP-related, then let me know, and maybe this will be the first and last issue like this.
But here goes. All about NOT GP stuff: