Category: Microsoft Group Policy Object

Group Policy Object – Disable Windows PowerShell

You may use a Microsoft Active Directory (AD) Group Policy Object (GPO) to restrict access to Windows PowerShell. Below you will find the settings for this configuration.

Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules

Right click Additional Rules and select New Path Rule…. In the New Path Rule dialog box, enter C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe for the Path:, and select Disallowed for the Security level:, then click OK.
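The path rule above names one executable, so it is worth checking which PowerShell hosts a machine's Disallowed rules actually cover. The following audit is an added example, not part of the original post; the registry location of machine-level Software Restriction Policy rules and the list of host executables are assumptions not stated above, and wildcard or registry-path rules are not evaluated.

```powershell
# Added example. Assumption: machine-level SRP rules live under this policy key,
# with Disallowed path rules in subkey 0\Paths and the rule path in ItemData.
$disallowedKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'

# Assumption: the PowerShell host executables worth checking on a 64-bit system.
$psHosts = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($exe in 'powershell.exe', 'powershell_ise.exe') {
        Join-Path $env:windir "$dir\WindowsPowerShell\v1.0\$exe"
    }
}

function Get-SrpDisallowedPath {
    # Returns one object per Disallowed path rule, or nothing if no rules exist.
    if (-not (Test-Path $disallowedKey)) { return }
    Get-ChildItem $disallowedKey | ForEach-Object {
        $rule = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ RuleId = $_.PSChildName; Path = $rule.ItemData }
    }
}

function Test-SrpCoverage {
    param([string[]]$Executable, [object[]]$Rule)
    foreach ($exe in $Executable) {
        # A path rule covers the exact file or any file below a listed folder.
        $match = $Rule | Where-Object { $_.Path } | Where-Object {
            $p = [Environment]::ExpandEnvironmentVariables($_.Path).TrimEnd('\')
            $exe -ieq $p -or $exe.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1
        [pscustomobject]@{
            Executable = $exe
            Present    = Test-Path $exe
            Disallowed = [bool]$match
            RuleId     = $match.RuleId
        }
    }
}

Test-SrpCoverage -Executable $psHosts -Rule (Get-SrpDisallowedPath) |
    Format-Table -AutoSize
```

Run it from a session where PowerShell is still permitted, for example on a test machine before the GPO is linked broadly. Any row with Present true and Disallowed false is a host the policy does not block.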

 


Group Policy Object – Disable Server Manager

You may create a Group Policy Object (GPO) to prevent access to the Microsoft Windows Server 2012 R2 Server Manager as well as prevent it from opening automatically after login. Below you will find the settings for this configuration.

Computer Configuration > Policies > Administrative Templates > System > Server Manager > Do not display Server Manager automatically at logon

User Configuration > Policies > Administrative Templates > System > Don’t run specified Windows applications


Group Policy Object – Hide Drives in My Computer

You may use the following setting to configure a Group Policy Object (GPO) in Microsoft Windows Server 2012 R2 that will allow you to restrict access to local drives in My Computer.

User Configuration > Policies > Administrative Templates > Windows Components > File Explorer > Hide these specified drives in My Computer


Microsoft Group Policy Object – Disable Default Domain Policy Password Policy

You may use the following method to disable the Password Policy settings in the Default Domain Policy. I do not recommend this for a production network, which should use a password policy, but it may be used in a home lab.

GPO Path: Computer Configuration/Policies/Windows Settings/Security Settings/Account Policies/Password Policy

GPO Settings: Enforce Password History/0

GPO Settings: Maximum Password Age/0

GPO Settings: Minimum Password Age/0

GPO Settings: Minimum Password Length/0

GPO Settings: Password must meet complexity requirements/Disabled
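Because these values are only meant for a lab, a quick check that flags them is useful before a GPO backup is reused elsewhere. The following is an added example, not part of the original post; the property names are those of the object returned by Get-ADDefaultDomainPasswordPolicy, the sample object is constructed, and treating a zero TimeSpan as the "0" age setting is an assumption.

```powershell
# Added example. Lab values are the five settings listed in the post.
function Test-LabPasswordPolicy {
    param([Parameter(Mandatory = $true)] $Policy)
    $zero = [TimeSpan]::Zero
    $checks = [ordered]@{
        'Enforce Password History = 0'       = ($Policy.PasswordHistoryCount -eq 0)
        'Maximum Password Age = 0'           = ($Policy.MaxPasswordAge -eq $zero)
        'Minimum Password Age = 0'           = ($Policy.MinPasswordAge -eq $zero)
        'Minimum Password Length = 0'        = ($Policy.MinPasswordLength -eq 0)
        'Complexity requirements = Disabled' = (-not $Policy.ComplexityEnabled)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Setting = $name; MatchesLabValue = $checks[$name] }
    }
}

# Constructed sample (not real data) shaped like Get-ADDefaultDomainPasswordPolicy output.
$sample = [pscustomobject]@{
    PasswordHistoryCount = 0
    MaxPasswordAge       = [TimeSpan]::Zero
    MinPasswordAge       = [TimeSpan]::FromDays(1)
    MinPasswordLength    = 0
    ComplexityEnabled    = $false
}

$result = Test-LabPasswordPolicy -Policy $sample
$result | Format-Table -AutoSize
if ($result | Where-Object { $_.MatchesLabValue }) {
    Write-Warning 'Password policy contains lab-only values; do not use in production.'
}

# Against a live domain (requires the ActiveDirectory module):
# Test-LabPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```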


Microsoft Group Policy Object – “TCP/IP NetBIOS Helper” Service

Yesterday, I continued with the application of Group Policy Objects (GPO) for our workstation (desktop and laptop) users. When running gpupdate /force for a particular user, whose desktop is running Windows XP, I noticed that the GPO wasn’t being applied.

Part of my troubleshooting was to determine if the user’s desktop could access the \\domain.com\SYSVOL directory. On this particular machine it could be accessed using \\domain\SYSVOL but not with \\domain.com\SYSVOL. In other words, appending the top level domain (TLD) revealed a name resolution failure.

The solution was to start the DNS Client, Netlogon and TCP/IP NetBIOS Helper services and configure their startup type to automatic (I will need to troubleshoot to determine the root cause of the services not running).

Enjoy!


Microsoft Group Policy Object – Event ID 1030, 1097 and 1110

At my current employer I have been creating Group Policy Objects (GPO) in an effort to centrally administer the workstation environment, provide automation and provide consistency in workstation deployment and management.

After running gpupdate and gpresult on a Microsoft Windows XP desktop I realized that the GPOs were not being applied. After looking through the Event Viewer logs I found GPO event IDs 1030, 1097 and 1110.

It turned out that the Netlogon service was disabled. The solution was to configure the Startup type: to Automatic.

Enjoy!
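The checks from this post and the "TCP/IP NetBIOS Helper" post above can be scripted together. The following is an added example, not part of the original posts, written to run on Windows PowerShell 2.0 as well; the service short names, the choice of the Application log, and the placeholder names domain and domain.com are assumptions.

```powershell
# Added example. Assumption: short service names for the display names in the posts.
$required = @{ Dnscache = 'DNS Client'; Netlogon = 'Netlogon'; lmhosts = 'TCP/IP NetBIOS Helper' }

function Get-GpoPrereqService {
    foreach ($name in $required.Keys) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Name      = $name
            Display   = $required[$name]
            StartMode = $svc.StartMode    # Auto, Manual or Disabled
            State     = $svc.State        # Running or Stopped
            Ok        = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
        }
    }
}

function Repair-GpoPrereqService {
    # Sets each failing service to Automatic and starts it (needs admin rights).
    foreach ($s in (Get-GpoPrereqService | Where-Object { -not $_.Ok })) {
        Set-Service -Name $s.Name -StartupType Automatic
        Start-Service -Name $s.Name
    }
}

function Test-SysvolPath {
    # Placeholder names from the post; compares the short and fully qualified forms.
    param([string[]]$Path = @('\\domain\SYSVOL', '\\domain.com\SYSVOL'))
    foreach ($p in $Path) {
        New-Object PSObject -Property @{ Path = $p; Reachable = (Test-Path $p) }
    }
}

function Get-GpoErrorEvent {
    # Assumption: the events named in the post are recorded in the Application log.
    Get-EventLog -LogName Application -Newest 1000 |
        Where-Object { 1030, 1097, 1110 -contains $_.EventID } |
        Select-Object TimeGenerated, Source, EventID, Message
}

Get-GpoPrereqService | Format-Table Name, Display, StartMode, State, Ok -AutoSize
Test-SysvolPath | Format-Table Path, Reachable -AutoSize
Get-GpoErrorEvent | Format-List
# Repair-GpoPrereqService   # then re-run: gpupdate /force
```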


Microsoft Group Policy Object – Group Policy Preference Client Side Extensions for Windows XP (KB943729)

I am currently in the process of automating the desktop deployment for my current employer. As a solution I am using Microsoft Group Policy Object (GPO) to map the network drives for the users. To date, most of my experience has been testing GPOs with Microsoft Windows 7 but today I was testing a GPO on a Windows XP desktop.

After modifying the GPO and placing the desktop in an Organizational Unit (OU) where the GPO was applied, I expected the mapped drives to work, but they didn’t. After running gpresult I was able to verify that the GPO was in fact being applied, etc. I then logged on to a Microsoft Windows 7 desktop that was in the same OU, and the drives were mapped.

The solution to this was simple. I needed to download and install the Group Policy Preference Client Side Extensions for Windows XP (KB943729) on the Windows XP desktop.

Hopefully you will find this information helpful.

Enjoy!


Microsoft Windows 7 – Modifying Profiles for Shortcuts, Folders or Files

You may use the following method, in Microsoft Windows 7, to modify the default profile and create changes in every user's profile. For instance, you may add a particular shortcut, folder or file to the desktop of every single user. In Windows 7, navigate to:

C:\Users\Default\Desktop

Once you are in this directory you may place the shortcut, folder or file. Once the modification is complete any user who logs onto the computer, and creates a profile, will receive that shortcut, folder or file.

Additionally, you may use a group policy object (GPO) as an alternative solution if you have several users who need this shortcut, folder or file.

GPO Path: User Configuration\Preferences\Windows Settings

GPO Settings: Files | Folders | Shortcuts


Enjoy!


Group Policy Object – Map Network Drive

You may use the following Microsoft Active Directory (AD) Group Policy Object (GPO) settings to map a network drive in Windows XP/7.

GPO Path: User Configuration\Preferences\Windows Settings\Drive Maps

GPO Settings: New\Mapped Drive

Additionally, you may specify which users the GPO applies to by using Item-level targeting under the Common tab. My recommendation is a Security Group.

Enjoy!


Group Policy Object – Standard Security Settings GPO

You may use the following Windows Server 2012 Group Policy Object (GPO) settings to configure basic security settings for Windows Server 2008/2012/2012 R2 or Windows 7/8/8.1.

 

Local Logon and Local Administrators

GPO Path: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment

GPO Setting: Allow log on locally (used to define this user group)

GPO Path: Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups

GPO Settings: Administrators (used to define this user group)

 

Desktop Lockout Configuration

GPO Path: User Configuration\Policies\Administrative Templates\Control Panel\Personalization

GPO Setting: Enable Screen Saver

GPO Setting: Force Specific Screen Saver (Screen saver executable name: C:\Windows\System32\scrnsave.scr)

GPO Setting: Password protect the screen saver

GPO Setting: Screen saver timeout (seconds: 180)

GPO Path: Computer Configuration\Policies\Administrative Templates\System\Group Policy

GPO Setting: Configure user Group Policy loopback processing mode
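To confirm on a target machine that the lockout settings arrived, the policy registry values can be compared with the values listed above. This is an added example, not part of the original post; the registry keys and value names are assumptions about what the Personalization and Group Policy administrative templates write, and the post does not say which loopback mode it uses.

```powershell
# Added example. Expected data mirrors the settings in the post (timeout 180 seconds).
$desktopKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$systemKey  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$expected = [ordered]@{
    'ScreenSaveActive'    = '1'                                 # Enable Screen Saver
    'SCRNSAVE.EXE'        = 'C:\Windows\System32\scrnsave.scr'  # Force Specific Screen Saver
    'ScreenSaverIsSecure' = '1'                                 # Password protect the screen saver
    'ScreenSaveTimeOut'   = '180'                               # Screen saver timeout
}

function Test-ScreenLockPolicy {
    # Run as the logged-on user: the Personalization settings are per-user policy.
    $actual = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected[$name]
            Actual    = $value
            Compliant = ("$value" -ieq $expected[$name])
        }
    }
}

function Get-LoopbackMode {
    # Loopback is what lets user settings follow the computer the GPO is linked to.
    $policy = Get-ItemProperty -Path $systemKey -ErrorAction SilentlyContinue
    $mode = if ($policy) { $policy.UserPolicyMode } else { $null }
    if ($mode -eq 1) { 'Merge' }
    elseif ($mode -eq 2) { 'Replace' }
    else { 'Not configured' }
}

Test-ScreenLockPolicy | Format-Table -AutoSize
"Loopback processing mode: $(Get-LoopbackMode)"
```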

 

RDP Configuration

GPO Path: Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile

GPO Setting: Windows Firewall: Allow ICMP exceptions

GPO Setting: Windows Firewall: Allow inbound Remote Desktop exceptions

GPO Path: Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections

GPO Setting: Allow users to connect remotely by using Remote Desktop Services

GPO Path: Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups

GPO Setting: Remote Desktop Users (used to define this user group)

 

Firewall Allow ICMP (Ping) Requests

GPO Path: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules

 

Enjoy!