User Group Policy – Windows Components

Group Policy – Windows Components

Each Windows Component folder has specific policies for that application, for example, timeouts for Terminal Services.  Whilst there are numerous settings here, I anticipate that you will only need a handful of these policies, the trouble is that each system requires different applications and so there is no one size fits all.

Group Policy Topics

Administrative Templates

     Windows Components

• Netmeeting
• Internet Explorer (Own Section)
• Application Compatibility
• Help and Support Center
• Windows Explorer
• Microsoft Management Console
• Task Scheduler
• Terminal Services
• Windows Installer
• Windows Messenger
• Windows Update
• Windows Media Player
• See Windows 8 Group Policy Settings

  ‡

* Guy’s Top Five Group Policies for Windows Components

• Do not allow the ‘Did You Know’ content to appear
• Remove "Map Network Drive"
• Start a Program on Connection
• Always install with elevated privileges
• Windows Media Player

Netmeeting

To date, I have found that the only way to start NetMeeting is: Start, Run, Conf.  When I see NetMeeting, I think of training sessions, however I am sure that there are business functions for this program.

Meanwhile back at Group Policies, we find the usual array of ‘Disable’ settings so that users cannot fiddle with the buttons when they should be watching the conference.  If your Network only makes casual use of this conferencing program, then I would not bother configuring these policies.

Internet Explorer

There are so many important settings for Internet Explorer, that it has its own IE pages.

Application Compatibility

Just one setting here – Disable 16-bit applications.  Why would you need this?   One answer would be to prevent old programs destabilizing the operating system.  Other than the observation – ‘Why would you need a 16-bit program in 2004?’ –  I would ignore this folder.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

Help and Support Center

Again, only one setting – * ‘Do not allow the ‘Did You Know’ content to appear‘.  This section of the Help Center is only available if you have internet connection.  So, if your users cannot connect to the internet, then changing this setting will speed up ‘Help and Support’.  Beware of double negatives, you really must test that your logic matches the policy’s logic.

Windows Explorer (Not to be confused with Internet Explorer)

More than 30 settings, including the classic – * ‘Remove "Map Network Drive".’  Lots of other restrictive policies, consider removing tabs such as DFS, Security and Hardware from the explorer.

The key is to balance users ability to browse for vital resources, while preventing them from getting into mischief.  Make decisions here based on your overall philosophy of the desktop, rather than in isolation.  By that I mean, if you restrict browsing the network, then compensate by providing mapped network drives.

Microsoft Management Console

This is about restricting which Snap-ins are available to the MMC.  Keep in mind that many of the Snap-ins will not function in the hands of non-administrators, so what you are doing here is tightening up the selection of what administrators will see if they try and create an MMC.  Guy’s advice, ignore this section.

Task Scheduler

The settings here are virtually identical to the Computer Configuration.  However the question remains, do you give users the responsibility of scheduling maintenance programs like backup?  Probably not.

Terminal Services

It has to be a good idea to set idle time-outs.  In fact, this whole Terminal Services section is a chance to be positive and improve the user’s experience.  For example, * ‘Start a program on connection‘.  Note there is a much bigger collection of Terminal Services policies under Computer Configuration.

Windows Installer

* ‘Always install with elevated privileges‘ will ensure that programs will install properly without you having to logon as administrator.  I have seen administrators placing users in powerful administrative groups, just because they did not know about this elevated privilege setting.

Trap: ‘Elevated privileges’ must also be enabled in the Computer Configuration for it to be effective.

Guy Recommends: Permissions Analyzer – Free Active Directory Tool

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

*Windows Messenger

Here are two useful settings to control how Windows Messenger behaves.  Firstly, are you going to allow Messenger to run – at all?  If you do permit the Messenger to operate, would you wish it to start automatically?

Windows Update

Do you like Windows Update?  No? Well if you hate it here is your chance to disable the Update service and so prevent it hunting for new patches.

Window Media Player

This section provides all the Group Policies necessary to create the optimum Media Player environment.  Helpful features include specifying proxy settings, coupled with restrictions to hide unnecessary tabs.  Incidentally, this policies in this folder are controlled by its own .adm template called WMPlayer.adm.

Summary of Group Policy – Windows Components

The Windows Component folder in Group Policies has specific policies for a variety of Windows Applications, for example, timeouts for Terminal Services.  You do need to trawl through all the settings, but I expect that you will only need a handful of these policies for your circumstances.

See more Group Policies for Windows Users

• Group Policies   •GPO Internet Explorer   • Group Policy Block Inheritance   •Logon Script Policies

• Start Menu Group Policies   • Network Policies  •GPMC   •Troubleshooting Group Policies

• Group Policy Overview  •Group Policy Results  • System Group Policies   • Software Installation