Group Policy – System
This is a section where there is something for everyone. Before you start, think strategically: decide whether to implement the settings here in the Computer Configuration folder, or to manage similar Group Policies from the User Configuration folder.
Group Policy Topics
- User Profiles
- Disk Quotas
- Group Policy
- Remote Assistance
- System Restore
- Error Reporting
- Windows File Protection
- Remote Procedure
- Power Management
- Windows Time Service
* Guy’s Top Four System Group Policies
What do you think about the new feature, * Shutdown Event Tracker? Windows Server 2003 asks you for a reason each time the machine is shut down. If this feature annoys you, control it by setting the policy ‘Display Shutdown Event Tracker’ to Disabled.
If the Shutdown Event Tracker policy does not work, then try adding this DWORD to the registry:
Add a REG_DWORD named ShutdownReasonUI
Value: (0 = disabled, 1 = enabled)
It is annoying when you add or remove a program and the installation engine cannot find the \i386 folder. However, there is a policy that lets you manage where the files come from: ‘Specify Windows installation file location’.
Another feature that drives people mad is CDs that autoplay. Control the CD’s behaviour with a Group Policy: ‘Turn off Autoplay’.
I am a great fan of roaming profiles, especially for us administrators. With these settings you can alleviate worries that roaming profiles generate too much network traffic, by imposing limits on the size of the profiles and on the directories to include in the roaming profile.
Nothing much here. Perhaps you would want to run scripts visibly if you are testing, or if a script had information for the users, but otherwise this is a section to ignore. By all means run legacy scripts hidden, but why not upgrade those batch files to VBScript?
There are two ideas here that are worth a look. Firstly, are there any programs that clients always need? If so, then configure the ‘Run Programs at Logon’ setting. Secondly, have you been caught by viruses exploiting the ‘Run Once’ registry setting? If so, you can block the registry RunOnce key with this Group Policy.
Disk Quotas have been on network managers’ wish lists for a number of years. Do set a limit, if only to make the users aware that there are limits to disk storage. Perhaps I should not say this, but you could set limits, then play the hero by increasing them when users complain.
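A read-only audit of the RunOnce point above, as an added example that is not from the original page: it lists the entries currently queued under the RunOnce keys and reports whether the Computer Configuration policy that blocks them is switched on. The policy value name DisableLocalMachineRunOnce and its location under Policies\Explorer are assumptions that the page does not state.

```powershell
# Added example (not from the original page): read-only audit, changes nothing.
# Assumption: the Computer Configuration policy that stops RunOnce processing
# is stored as the DWORD DisableLocalMachineRunOnce under Policies\Explorer.
$policyKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyValue = 'DisableLocalMachineRunOnce'

# RunOnce locations checked: machine-wide, 32-bit view on 64-bit Windows, current user.
$runOnceKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-RunOncePolicy {
    # True only when the policy value exists and is set to 1.
    $p = Get-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
    return [bool]($p -and $p.$policyValue -eq 1)
}

function Get-RunOnceEntry {
    foreach ($path in $runOnceKeys) {
        if (-not (Test-Path -Path $path)) { continue }   # key absent on this machine
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Command = [string]$key.GetValue($name)
            }
        }
    }
}

$blocked = Test-RunOncePolicy
$entries = @(Get-RunOnceEntry)

"RunOnce processing blocked by policy: $blocked"
if ($entries.Count -eq 0) {
    'No RunOnce entries are queued.'
} else {
    # Anything listed here runs at the next logon unless the policy is on.
    $entries | Format-List
}
```

Run it on a client before and after the GPO applies; an entry you cannot account for is worth investigating whether or not the policy is enabled.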
* ‘Group Policy Slow Link Detection’. People often ask me: what is a slow link? 56K, 256K? Here you can decide, based on your experience of how long Group Policy settings take to apply when a client logs on remotely. Incidentally, this may be a Group Policy to enable for your Laptops OU.
The other settings here are to assist administrators who are configuring Group Policies.
Decide who can solicit remote assistance, and whom you trust to offer help.
Occasionally, you may need to turn off System Restore, for instance when a virus has got through your defences and keeps re-infecting client machines.
Rather like the Shutdown Event Tracker, you may take a view on whether those messages wanting to report errors are useful or a pain. Should you wish to limit the messages to specific programs, then here are the policies that give you that control.
By default, files are only scanned at start-up. If your machine is up and running for months, then you may wish to configure a weekly scan.
You may wish to control RPC calls as part of your security initiative.
If you are fed up with those Win32 Time errors in the Event Log, then why not use a Group Policy to configure the Time Servers? In Windows Server 2003 domains, Kerberos relies on time synchronization between servers; otherwise it thinks that a hacker has intercepted a packet and then put it back on the network 10 minutes later.
Setting: ‘Enable NTP Server’ – Enabled