The keyword 'group' indicates we are dealing with a bunch of machines, and not
the local policy of a home computer.
The keyword 'settings' means the policy is tattooing values into the User
Interface, rather than providing a preference that a user could change.
The traditional idea is that administrators plan Group Policy Settings, and
then configure the values using GPMC. The result is that some menus on their users' computers
are locked-down, and choices are removed. The benefit is that users don't
waste time fiddling with menus in the 'Network and Internet', or worse,
compromise security by adding programs or removing files via USB sticks.
What antagonizes users about draconian group policies is that in the
office they are not allowed to configure trivial settings they are familiar
with on their home version of Windows 8. For example, some left-handers
like to swap the mouse buttons.
The latest thinking amongst network architects is to plan the best of both
worlds: server administrators can configure policy settings in the
traditional manner, but they can also employ Group Policy Preferences for
Windows 8 computers, whereby the company merely suggests non-critical
settings, and the users are free to change them.
Planning Your Windows 8 Group Policy Settings
To make effective policy settings, you need two people with different points of
view; sit them down and persuade them each to make compromises. My choice would be to pair a techie, who knows GPMC, with a
manager with a vision of what the company's Windows 8 computer interface should
look like for the users. An alternative would be one person who could wear
two hats called 'Computer security' and 'User comfort'.
Let us turn to practical matters, and get a simple policy working. It may be easier, and
safer, to learn about Policy Settings by launching the Local Policy Editor - Gpedit.msc
- on a Windows 8 machine, rather than
grappling with the Group Policy Settings using GPMC on a domain
controller.
My thinking is that once you understand how to persuade a policy to 'bite' on
a client computer using Gpedit, you are better prepared for the extra layers
of interactions caused by domain controller replication, and delays between
ticking a box in the server's GPMC and it taking effect on the Windows 8
client.
Search for Gpedit.msc (or GPMC and launch the policy editor)
Computer Configuration v User Configuration
When you decide to make a change to a policy the first decision is, 'Do I expand the
Computer Configuration, or scroll down to User Configuration?' It's
interesting to note in passing how this Computer v User Configuration split
mimics the registry's dichotomy, HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.
Software Settings, Windows Settings or Administrative Templates
Most of the classic user settings are found in the User
Configuration, Administrative Templates.
Prohibit access to the Control Panel
Try this experiment: expand 'Control Panel', and on the top level click 'Prohibit access to the
Control Panel', then select 'Enabled'.
There is no need to log off, just check to see if the Control Panel has disappeared
from the menu. If you search for Control Panel, then click on the
executable, do you get a Restrictions message saying the operation has been
cancelled? If so, this means your policy is biting on the user.
Configure Automatic Updates for Windows 8
Here is a job for the Computer Configuration (not the User
section). Expand Windows Templates, scroll down to Windows
Components; just about the last folder is Windows Updates. Another
surprise: there are so many group policies here. Choose 'Configure Automatic
Updates', click 'Enable', then make your selection.
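
One way to confirm that the two policies above are biting is to read the registry values they write, which also shows the Computer (HKLM) versus User (HKCU) split in practice. This is an added example, not part of the original page; the function name Test-PolicyValue is hypothetical, and the registry paths and value names are those of the standard Administrative Templates rather than anything stated on this page.

```powershell
# Added example: map two policies from this page to the registry values they write.
# Paths and value names are assumed to be the standard Administrative Template
# ones; confirm them against the policy description on your build.
$checks = @(
    [pscustomobject]@{
        Policy = 'Prohibit access to the Control Panel'   # User Configuration
        Path   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Name   = 'NoControlPanel'
        Expect = 1
    },
    [pscustomobject]@{
        Policy = 'Configure Automatic Updates'            # Computer Configuration
        Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
        Name   = 'NoAutoUpdate'
        Expect = 0                                        # 0 = policy Enabled
    }
)

function Test-PolicyValue {
    param([Parameter(Mandatory)] $Check)
    # A missing key or value means the policy is 'Not Configured' on this machine.
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($Check.Name) } else { $null }
    if ($null -eq $actual) {
        $state = 'Not configured'
    } elseif ($actual -eq $Check.Expect) {
        $state = 'Biting'
    } else {
        $state = 'Configured, different value'
    }
    [pscustomobject]@{
        Policy = $Check.Policy
        Hive   = ($Check.Path -split ':')[0]   # HKCU or HKLM
        Value  = $actual
        State  = $state
    }
}

$checks | ForEach-Object { Test-PolicyValue -Check $_ } | Format-Table -AutoSize
```

Run it in the session of the user you are testing: an elevated prompt opened with a different account reads that account's HKCU, not the user's.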
More ideas for settings to get the feel of Windows 8 Group Policy Settings.
Do not allow Snipping tool to run (Easy to test).
Hide the "Add a program from CD-ROM or floppy disk" option (Control Panel)
Lock taskbar (There are more settings for taskbar)
User Group Policy loopback processing mode (Setting for public kiosk machines)
Critical Battery Notification Action (Also many more power policies)
Do not process the run once list
Enable user control of installs (Save frustration in medium security companies)
Block Inheritance
I think of Block Inheritance as the 'anarchist's setting'. This is
because OUs further down the chain can prevent settings at the domain from
taking effect. The knack of using Block Inheritance is to select the OU
container and not the individual policy.
Enforce Policy (No-override)
I think of Enforce Policy as 'Big brother fights back'; this setting prevents
any 'anarchists' from changing a setting further down the OU chain. The
trick to enforcing is to right-click the individual policy, not the OU.
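
How Block Inheritance and Enforce interact can be seen in a small model of one branch of the directory. This is an added example, not from the original page: the container names, GPO names and the function Get-GpoApplyOrder are constructed, and the model ignores local and site policies, link order within a container, and security or WMI filtering.

```powershell
# Added example: simplified model of GPO precedence down one path of the directory.
# Block is a property of the OU container; Enforced is a property of the GPO link.
$path = @(
    @{ Name = 'Domain';        Block = $false; Links = @(
        @{ Gpo = 'Default Domain Policy'; Enforced = $false },
        @{ Gpo = 'Security Baseline';     Enforced = $true  }) },
    @{ Name = 'OU=Staff';      Block = $false; Links = @(
        @{ Gpo = 'Staff Desktop';         Enforced = $false }) },
    @{ Name = 'OU=Developers'; Block = $true;  Links = @(
        @{ Gpo = 'Developer Exceptions';  Enforced = $false }) }
)

function Get-GpoApplyOrder {
    param([array] $Containers)
    # Index of the lowest container with Block Inheritance set (-1 if none).
    $blockAt = -1
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].Block) { $blockAt = $i }
    }
    $normal = @()
    $enforced = @()
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        foreach ($link in $Containers[$i].Links) {
            if ($link.Enforced) {
                # Enforced links ignore Block Inheritance. The highest container
                # must be applied last, so prepend while walking downwards.
                $enforced = @($link.Gpo) + $enforced
            } elseif ($i -ge $blockAt) {
                # Non-enforced links above the blocking OU are dropped.
                $normal += $link.Gpo
            }
        }
    }
    # Later entries overwrite earlier ones when settings conflict.
    $normal + $enforced
}

Get-GpoApplyOrder -Containers $path
```

With the sample data the result is 'Developer Exceptions' followed by 'Security Baseline': the block on OU=Developers discards the two non-enforced GPOs above it, while the enforced domain GPO still applies and is processed last, so it wins any conflict.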
Types of Group Policy Settings
There are broadly three reasons for changing group policy settings.
Firstly, adding features present in XP, but dormant in Windows 8.
Secondly, using group policy to remove settings that are inappropriate for that
machine, for example, if you have no speakers: 'Remove volume control icon'.
Thirdly, employing the traditional group policy role of restricting what
users can do, for example, 'CD and DVD deny write access'.
In practice this means administrators finding ways of restricting what
their users can do, rather as a racehorse trainer may put blinkers on a
steed to make them concentrate on the job in hand, for instance enforcing a
policy to, 'Turn off desktop gadgets' or 'Prohibit access to the Control
Panel'.
One result of Windows 8 group policies is that companies create a
customized version of the operating system, which is very different from the
users' home version of Windows 8. For example, 'Turn off desktop
gadgets' is enabled at work, while there is no such restriction at home.
Get a Test Machine
If possible use Gpedit on a test Windows 8 machine, rather than
risk experimenting on a domain OU with
GPMC. Your final mission may well be a group policy in an Active
Directory, but this does introduce extra layers for troubleshooting, for example Domain
Controller replication and update delays.
Like their predecessors, Windows 8 Group policies make changes to the
registry, a fact which you can turn to your advantage by creating your own
.adm template based on registry keys, then importing these settings into
your Group Policy. That said, this advanced technique is only useful if
there is no existing policy in the Administrative Template section.
Get a Simple Policy Working
If a group policy that I am
attempting to apply does not work, I go back to basics and get a simple
policy to work just to make sure I am not making a fundamental mistake.
Also, a strange thing happens: once I get one policy working, it seems easier
to get other more tricky settings to do what I ask of them.
Read the Policy Carefully
Be careful with double negatives in group policies,
for instance, 'Turn off xyz...' Disabled, would mean a user gets xyz.
Check your logic with a quick look at the description of a policy you are
about to apply.
Gpresult, a built-in command-line utility, displays the Resultant Set of Policy
(RSoP) information. Below is a small section of what the Windows
8 Gpresult reveals about your group policy.
    COMPUTER SETTINGS
    ------------------
    Last time Group Policy was applied: 2/2/2012 at 20:42:47
    Group Policy was applied from: BIGSERVER
    Group Policy slow link threshold: 500 kbps
    Domain Name: WIN8
    Domain Type: Windows 2008
    Site Name: Default-First-Site-Name
    more ....

    USER SETTINGS
    Applied Group Policy Objects
    -----------------------------
    Default Domain Policy
    more ....
Note: Before you launch cmd.exe, or PowerShell,
remember to 'Run as administrator', else the Windows 8 Gpresult will
issue an access denied message when you issue a command such as: Gpresult /r (Summary of RSoP).
Left to its own timetable, a Windows client initiates a group policy
'pull' about every 100 minutes. The purpose of Windows 8's Gpupdate is
to force an instant update rather than waiting up to 2hrs (90 mins + Random
30).
Mostly I launch cmd.exe (Run as administrator), or these days I tend to use
PowerShell, then I just type 'Gpupdate' on its own. However, you may benefit
from one of these switches:
/force. Reapplies all group policy settings.
/target:computer or /target:user. Applies only the computer (or user) section of your policy. Normally I would use plain Gpupdate without this option.
/logoff. Useful for those few settings that do not apply until the user logs on again.
/boot. Handy for the rare configuration that needs the computer to restart.
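
The Gpresult summary and the refresh interval described above can be combined into a check for a client that has stopped pulling policy. This is an added example, not part of the original page: the function names are hypothetical, the sample text is constructed from the Gpresult excerpt shown earlier, and it assumes English-language output with the M/d/yyyy date format seen in that excerpt.

```powershell
# Added example: sample text constructed from the Gpresult excerpt on this page.
$sample = @'
COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 2/2/2012 at 20:42:47
    Group Policy was applied from:      BIGSERVER
    Domain Name:                        WIN8

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
'@

function ConvertFrom-GpresultText {
    param([string] $Text)
    $result = [ordered]@{ LastApplied = $null; AppliedFrom = $null; AppliedGpos = @() }
    $inGpoList = $false
    foreach ($line in ($Text -split '\r?\n')) {
        $t = $line.Trim()
        if ($t -match '^Last time Group Policy was applied:\s*(\S+) at (\S+)$') {
            # Assumed format: M/d/yyyy and a 24-hour clock, as in the excerpt.
            $result.LastApplied = [datetime]::ParseExact("$($Matches[1]) $($Matches[2])",
                'M/d/yyyy H:mm:ss', [cultureinfo]::InvariantCulture)
        } elseif ($t -match '^Group Policy was applied from:\s*(.+)$') {
            $result.AppliedFrom = $Matches[1]
        } elseif ($t -eq 'Applied Group Policy Objects') {
            $inGpoList = $true
        } elseif ($inGpoList -and $t -match '^-+$') {
            continue                 # underline beneath the list heading
        } elseif ($inGpoList -and $t) {
            $result.AppliedGpos += $t
        } elseif ($inGpoList) {
            $inGpoList = $false      # a blank line ends the list
        }
    }
    [pscustomobject]$result
}

function Test-PolicyStale {
    # 120 minutes = the 90 minute interval plus the random 30 quoted above.
    param($Parsed, [datetime] $Now, [int] $MaxMinutes = 120)
    ($Now - $Parsed.LastApplied).TotalMinutes -gt $MaxMinutes
}

$parsed = ConvertFrom-GpresultText -Text $sample
$parsed
Test-PolicyStale -Parsed $parsed -Now ([datetime]'2012-02-02T23:30:00')
```

On a live machine, feed it one section at a time, for example the text of `gpresult /r /scope:computer` piped through Out-String, because the full summary repeats the same field names for the user section. A stale result is the cue to run Gpupdate and look at why the scheduled pull is failing.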
GPMC and Gpedit
Domain administrators set group policies for their users via GPMC.
For a Workgroup or HomeGroup you can use Windows 8's built-in Gpedit.
Actually, this highlights the main benefit of a domain - central
administration. I regard Gpedit as merely a reference for when the
domain is not available, or as a test-bed for trying settings on one
machine without disrupting the domain workforce.
Problem: You Cannot Find Gpedit
The first source of frustration is that you type plain gpedit, whereas it
only appears in search results when you add the .msc extension, thus always
type the full: gpedit.msc.
Another problem is that you have the
Home Premium edition, and you need the Ultimate, Professional (old Business)
or Enterprise editions in order to get a copy of the Windows 8 Group Policy
Editor.
Here is Another Sample of Windows 8 Group Policies
Enforce disk quota limit.
Require a password when a computer wakes.
Turn off Autoplay.
Do not allow pinning programs to the Taskbar.
Windows Firewall: Do not allow exceptions.
Prohibit connection to roaming Mobile Broadband networks.
Prevent installation of removable device.
Internet Explorer is a fertile area, for example: 'Disable change proxy settings'
Enlightened administrators can find ways of using Windows 8 group
policies to make life easier for their users, for example, on low-spec
machines 'Always render print jobs on the server'.
Summary of Windows 8 Group Policy Settings
Microsoft's Group Policies can be traced back to System Policies in NT 4.0.
The concept is to provide a Group Policy Management Console (GPMC), where an
administrator can configure operating system settings that apply to all his
machines, and all the users in his domain.
Before you start choosing Group Policy Settings for real, take the time
to flesh out a vision of the Windows 8 computer that you want for this
particular group of users. As for mastering the individual policy
items, practice on safe and easy to understand settings. The main
dangers are double negatives confusing you, and thinking a setting is not
working, when you are just looking in the wrong place.