Windows Server 2003 Desktop Group Policies
This section typifies the restrictive side of Windows Group Policy. Take advantage of a wonderful opportunity to play ‘Mr Nasty’ and create a plain desktop with no distractions for the users.
* Guy’s Top Three Group Policies
- Hide Internet Explorer on the Desktop
- Prohibit users from changing My Documents path
- Do not add shares of recently opened documents to My Network Places
- Desktop Group Policy Case Study
My advice is to dovetail these desktop policies with your broader company policies. For instance, if you have a company directive that everyone should clear their desk every night, then Group Policies such as ‘Hide All Items on the Desktop’ will reinforce the corporate message. As a matter of tactics, you could create OU’s for laptops, desktops and servers and then assign different desktop Group Policies for each type of machine.
Desktop Group Policy Advice
As with the Start Menu policies, there are half a dozen objects where you can ‘Remove’ icons from the user’s vision. For Example, remove the My Computer, My Documents and the Recycle Bin. When you have finished Removing, you can start on Hiding. For Example * ‘Hide Internet Explorer on the Desktop‘ (If you enable this setting, then I would keep the IE icon on the Taskbar)
One setting that I can recommend is * ‘Prohibit users from changing My Documents path’. This would compliment the policy which redirects the My Documents to a network share.
Another policy that is worth a look is: – * ‘Do not add shares of recently opened documents to My Network Places‘.
If the machine is that famous communal Kiosk, then the setting: ‘Do not save setting on exit’, makes sense. For all other machines, this setting will only infuriate users – so I would avoid it!
I have yet to find a use for ‘Remove the Desktop Cleanup Wizard’, however, every time that I am rude about a Group Policy setting a ‘Mr Angry’ emails me with a killer reason why you need that particular setting.
While I am letting off steam, I will venture to say that nobody likes the Active Desktop settings, thus the only use of that particular section would be to disable Active Directory settings on communal machines.
Guy Recommends: The Free IP Address Tracker (IPAT)
Calculating IP Address ranges is a black art, which many network managers solve by creating custom Excel spreadsheets. IPAT cracks this problem of allocating IP addresses in networks in two ways:
For Mr Organized there is a nifty subnet calculator, you enter the network address and the subnet mask, then IPAT works out the usable addresses and their ranges. For Mr Lazy IPAT discovers and then displays the IP addresses of existing computers.
An administrator wanted to set a specific desktop background picture for his Windows XP machines. Out of ignorance of Windows Server 2003 desktop group policies he was planning to configure the machines one by one.
Solution in GPMC:
Administrative Templates\Desktop\Active Desktop\Desktop Wallpaper
‘Wire-up with your JPG or BMP picture.
Summary of Desktop Group Policies
This page is a staging post on your journey to lock down the user’s desktop. Each Group Policy deserves your attention as each companies requirements will be different.
See more Group Policies for Windows Users
If you like this page then please share it with your friends