Do you use Group Policies?
Best Practice (Litmus Test)
Professionals: Use Group Policies to configure the desktop
Amateurs: Use mandatory profiles to control the users
In Windows Server 2003, Group Policies are second in importance only toActive Directory. Group Policies are also fun to configure. The key thinking behind Group Policies is ‘prevention is better than cure’. Restrict userssettings and so prevent them from causing problems. Group Policies arelike putting blinkers on the users. Policies make users concentrate on their job tasks, while stopping them from playing with all the extra Windows settings that there is no business case for using. As a result of a good group policy the users are more productive and you get less support calls to the help desk.
Professionals master Group Policies. Amateurs either ignore them or get into a mess because the do not appreciate the intricacies of setting a good policy.
With Group Policies not only can you be Mr Nasty (screwing down the desktop),but you can also be Mr Nice. Mr Nice provides just the programs users need, but no extras. So when an accountant logs on they get office XP andaccountant software. When ordinary users log on they get only the officesuite. What is more if the program break then the intellimirror softwareautomatically restores the original settings.
Having established the need, the next problem with setting up System Policy is time to experiment. You need a weekexperimenting with a group of test machines before you think of rolling out tothe production network.
Policies can be applied at the Domain, OU and Site level. My advice is to set your security at the domain level, but control the desktop at the OUs. Avoid setting policies at the Site level, it is not necessary and only adds an extra layer of complexity.
Tips to Make you a Group Policy Expert
- When you experiment with Group Policies, create and use a special test account
- Create a special OU (Organisation Unit) for testing Group Policies
- Take the time to investigate all the Group Policy settings
- Consider mastering the Group Policy templates to apply your settings at the Domain level
- Use ‘No Override’ and ‘Block Inheritance’ to isolate a problem
- Create a ‘VISION’ of the desktop your users should be allowed
- See more on Group Policy
Example Group Policy: Internet Explorer Autocomplete
Be careful with ‘Disable AutoComplete forms’, this is designed to stop forms saving passwords and usernames that people use regularly. I say be careful, because I really like being able to save my username and password, that way, I do not having to keep typing it in every time I visit a site.
Manual steps to ‘walk through’ IE AutoComplete
- Launch Internet Explorer.
- Seek the Tools menu / button and click on Internet Options.
- In the Internet Options window click the Content tab.
- Click the AutoComplete button.
- Check or uncheck the options you wish have or not have AutoComplete.
- Web page addresses – AutoComplete refers to the address you type in the address bar.
- Forms – Fill out fields that are commonly completed such as email, phone number and address
- User names and passwords on forms – The main Internet Explorer AutoComplete setting: Any forms that require usernames.
Group Policies v Logon Script Strategy
In my opinion logon scripts are gradually being replaced bysystem policies. For example, mapping home drives via a logon script, can now be replaced by policy which redirects the ‘My Documents’ to a server. However, it is often a case that there is more than one way toachieve the desktop that you want. If a logon script gets it done then fine, butif not then do consider a policy. Group policies are here to stay,Windows 2000 has about 400 and XP has an extra 200 policies. Now in Server 2003, there are yet more policies and the splendid GPMC to manage the settings.
Many largecompanies write their own policies, once you remember that policies controleither the USER or HKLM part of the registry then you can see that virtually anyregistry setting can be written into a policy.
The modern group policy method of drive mapping does not require any knowledge of either VBScript or PowerShell. In Windows Server 2008 you can launch the GPMC and configure Drive Maps in the Preferences section. See more on Group Policy Drive Maps.
Windows 8 Group Policy Settings
One way of creating workable group policies is to combine the thoughts of two experienced members of staff with different view points of view. My suggestion would be to pair a techie, who knows the group policies, with a manager who has a vision of what the company’s Windows 8 computers interface should provide for the users. See more onWindows 8 Group Policy settings.
Guy’s Litmus test is a concept that you can apply anywhere. Each test gives you an instant answer to the simple question:- ‘Are you dealing with a professional, or are they an amateur? Is this the real deal, or is it a turkey?’ The Litmus Test concept is rather like Best Practice, but it reduces a 27 page report to one sentence.
Learn about Windows 8 and Active Directory
Over 40 of Guy’s litmus tests. Have fun while you learn about aspects of computing. Stacks of ideas to check your servers, networks and security.
Your eBook has printer friendly pages and lots more screen shots.