Best Practice Ezine #15 – Group Policies

Best Practice Ezine.  Computer Performance. Advertise

Guy’s Best Practice & Litmus Tests Ezine #15 – Group Polices

Contents for ezine #15

Introduction to Group Policies

Group Policies remind me of the wise old saying,  ‘Prevention is better than cure’.  The central theme with group policies is, apply settings centrally, which then control each user’s desktop.  What are we talking about here?  The answer is settings like, ‘Remove Run Command’, ‘Hide all icons on the desktop’.  ‘Restrict access to the control panel.  As a result of a good policy there is less distraction for the user and more time for the administrator to run their network properly.

Once upon a time, there were a series of ‘Mr Men’ books.  Now these children’s books had characters like Mr Angry and Mr Happy.  The relevance is that people who create group policies wear one of two hats, ‘Mr Nasty’ locks-down the users desktop, whilst ‘Mr Nice’  provides settings that make user more productive.  In truth, the best group policies have elements of both characters, prevention (Mr Nasty) yet providing all the settings users need to do their job (Mr Nice).

The nuance of the word ‘Group’ in group policy is that different users have different settings, so its best to assign policies to specific groups.   If you ignore this advice you may find that Mr Nasty’s viscous policy restrict even the administrator.

XP’s 700 Group Policies have come along way since NT’s System Policies and Poledit.  To practice controlling your users you need a test OU in an Active Directory domain.  Whilst Group Policies can be set at the domain level, I strongly recommend experimenting with settings at the OU level, at least while you are learning.  A beginners mistake is not create any users in your test OU, this would lead to frustration because the settings had no effect when you logged on with an account in the default Users container.

You will have great fun with Group Policies, not only are the end results satisfying, but there is the intellectual challenge of getting just the effect that you want.  One key point to remember is that the policies are actually changing the registry.  As a consequence half the policies are for the Computer Configuration (HKey_Local_Machine) and the other half are for the Users Configuration corresponding to HKey_Current_User.

Guy Recommends: The Free IP Address Tracker (IPAT) IP Tracker

Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets.  IPAT cracks this problem of allocating IP addresses in networks in two ways:

For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. 

For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers. Download the Free IP Address Tracker

Getting started – Creating a policy.

  • Open Active Directory Users and Computers
  • Select your Domain, and create a new OU.  Firstly, create a test user in that OU.
  • right-click the new OU, Properties, Group Policy.  There are slight differences between Windows 2000, or 2003, but what you need is a new policy.
  • Here are some settings that ‘Mr Nasty’ would be keen to enforce, navigate:
  • User (not Computer) Configuration, Administrative Templates, Start Menu and Taskbar
  • Remove Network Connections from Start Menu
  • Remove Links and Access to Windows Update
  • Remove My Music from Start Menu
  • Mr Nice’ would select ‘Add Logoff to the Start Menu’


Once you have made your selections, then close all menus.  Best would be to logon at an XP machine as that test user and check the Start Menu.  Otherwise and logoff, then logon as the test user.  If you get an error saying cannot logon interactively, then make your test user a member of the backup operators group.  For more help and to review more of the 700 policies see online:

Once you have had success, you may like to go back and try some more group policy settings.  My plan is to investigate practical policies that would benefit every network.

Navigate back to the User Configuration, Administrative Templates, and this time choose the Control Panel.  Now ‘Mr Nasty’ can disable the Display Icon or even the whole Control Panel.

Internet Explorer – Set Proxy IP address

If you have Windows 2003, then ‘Mr Nice’ can help the user by setting their Internet Explorer proxy settings, home page and even their favourites.  Navigate to the User Configuration (not Computer). Next expand the Windows Settings (not Administrative Templates), and see Internet Explorer Maintenance with its distinctive icon.

Once inside, select, Connection, Proxy Settings. 

You may also like to check out URLs, Important URLs.

If none of this section is making sense then you have probably selected Administrative Templates instead of Windows Settings, IE is configured from three different places!

Where next?

Configuring Group Policies is a major project, this ezine is designed to getting you started.  The next point to master is security filtering.  Firstly, make sure that you have the Advanced Setting checked (View Menu, high, high, Advanced Features).  Secondly, right-click your policy, now select the security tab and assign appropriate groups or test users.

Once you have mastered the basics, then you may like to try strategies like ‘Block Inheritance’ and Enforced (No override).

See more on Group Policies – a whole section here

See more interesting Windows Active Directory articles

E 171 Computers  •E 169 .NET  •E 119 SP2  • E 49 MMC  •E 76 W2K3 RC2  •Free CSV Import Utility

E 89 Printer Locations  • E 79 Logon Scripts  •E 70 Group Policy  • E 57 Group Policy  •E 55 CSVDE

E 22 Longhorn  • E 15 Group Policy  • Solarwinds Permissions Analyzer for Active Directory  • Ezines