Windows 8 Group Policy Settings

Window 8 Group Policy Settings

The keyword ‘group’ indicates we are dealing with a bunch of machines, and not the local policy of a home computer.  While the keyword ‘settings’ means the policy is tattooing values in to the User Interface, rather than providing a preference that a user could change.

• Latest Group Policy Setting Concepts
• Basics of Windows 8 Group Policy Settings
• Modifying Windows 8 Group Policy Inheritance
• Troubleshooting Windows 8 Group Policies
• Windows 8 Gpedit

 ♦

Latest Group Policy Settings Concepts

The traditional idea is that administrators plan Group Policy Settings, and then configure the values using GPMC.  The result is that some menus on their users’ computers are locked-down, and choices are removed.  The benefit is that users don’t waste time fiddling with menus in the ‘Network and Internet’, or worse, compromise security by adding programs or removing files via USB sticks.

What antagonizes users about draconian group policies is that in the office they are not allowed to configure trivial settings they are familiar with on their home version of Windows 8.  For example, some left handers like to swap the mouse buttons.

The latest thinking amongst network architects is to plan the best of both worlds, server administrators can configure policy settings in the traditional manner, but they can also employ Group Policy Preferences for Windows 8 computers, whereby the company merely suggests non-critical settings, and the users are free to change them.

Planning Your Windows 8 Group Policy Settings

So that you can to make effect policy settings, you need two people with different points of view, sit them down and persuade them each to make compromises .  My choice would be to pair a techie, who knows GPMC, with a manager with a vision of what the company’s Windows 8 computers interface should look like for the users.  An alternative would be one person who could wear two hats called ‘Computer security’ and ‘User comfort’.

Examples of Group Policy Settings

• Prohibit access to Control Panel
• Removable disks: Deny read access (Disable USB)
• Configure automatic updates (For Windows 8)

Basics of Windows 8 Group Policy Settings

Let us turn to practical matters, and get a simple policy working.  It may be easier, and safer, to learn about Policy Settings by launching the Local Policy Editor – Gpedit.msc – on a Windows 8 machine, rather than grappling with the Group Policy Settings using GPMC on a domain controller. 

My thinking is once you understand how to persuade a policy to ‘bite’ on a client computer using Gpedit, then you are more prepared for the extra layers of interactions caused by domain controller replication, and delays between ticking a box in the server’s GPMC, and it taking effect on the Windows 8 client.

Search for Gpedit.msc (or GPMC and launch the policy editor)

Computer Configuration v User Configuration
When you decide to make a change to a policy the first decision is, ‘Do I expand the Computer Configuration, or scroll down to User Configuration?’  It’s interesting to note in passing how this Computer v User Configuration split mimics the registry’s dichotomy, HKEY_Local_Machine, or HKEY_Current_User.

Software Settings, Windows Settings or Administrative Templates
Most of the classic user settings are in found in the User Configuration, Administrative Templates. 

Prohibit access to the Control Panel
Try this experiment: expand ‘Control Panel’, on the top level, click ‘Prohibit access to the Control Panel’, now select ‘Enabled’. 

There is no need to logoff, just check to see if the Control Panel has disappeared from the menu.  If you search for Control Panel, then click on the executable, do you get a Restrictions message saying the operation has been cancelled?  If so this means your policy is biting on the user.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM) v11.5

SolarWinds’ Orion performance monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

What I like best is the way NPM suggests solutions to network problems.  Its also has the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you try NPM now.

Download a free trial of Solarwinds’ Network Performance Monitor

Windows 8 Group Policy Updates

Configure Automatic Updates for Windows 8
Here is a job for the Computer Configuration (not User section).  Expand Windows Templates, scroll down to Windows Components, just about the last folder is Windows Updates.  Another surprise, there are so many group policies here, choose: Configure Automatic Updates, click ‘Enable’ then make your selection.

More ideas for settings to get the feel of Windows 8 Group Policy Settings.

• Do not allow Snipping tool to run (Easy to test).
• Hide the "Add a program from CD-ROM or floppy disk" option (Control Panel)
• Lock taskbar (There are more settings for taskbar)
• User Group Policy loopback processing mode (Setting for public kiosk machines)
• Critical Battery Notification Action (Also many more power policies)
• Do not process the run once list
• Enable user control of installs (Save frustration in medium security companies)

Guy Recommends: Response Time Viewer for Wireshark

Here is a free tool to troubleshoot network connection and latency problems.  Key concept: this is a free tool from SolarWinds that analyzes network packets captured by Wireshark (also a free tool).

When you inspect the data in the Response Time Dashboard, if you hover over an application such as Teredo or TCP, then you get an orange box showing a breakdown of network and application response times, note the 'Peak value' in addition to the 'Average'.

Download your free trial of SolarWinds Response Time Viewer for Wireshark

Modifying Windows 8 Group Policy Inheritance

Block Inheritance
I think of Block Inheritance as the ‘anarchists setting’.  This is because OU’s further down the chain can prevent settings at the domain from taking effect.  The knack of using Block Inheritance is to select the OU container and not the individual policy.

Enforce Policy (No-override)
I think of Enforce Policy as ‘Big brother fights back’ this setting prevents any ‘anarchists’ from changing a setting further down the OU chain.  The trick to enforcing is to right-click the individual policy, not the OU.

Types of Group Policy Settings
There are broadly three reasons for changing group policy settings, firstly, adding features present in XP, but dormant in Window 8.  Secondly, using group policy to remove setting that are inappropriate for that machine, for example, if you have no speakers: ‘Remove volume control icon’.  Thirdly, employing the traditional group policy role of restricting what users can do, for example, ‘CD and DVD deny write access’.

In practice this means administrators finding ways of restricting what their users can do, rather as a racehorse trainer may put blinkers on a steed to make them concentrate on the job in hand, for instance enforcing a policy to, ‘Turn off desktop gadgets’ or ‘Prohibit access to the Control Panel’.

One result of Windows 8 group policies is that companies create a customized version of the operating system, which is very different from the users’ home version of Windows 8.  For example, ‘Turn off desktop gadgets’ is enabled at work, while there is no such restriction at home.

Troubleshooting Windows 8 Group Policies

Get a Test Machine
If possible use Gpedit on a test Windows 8 machine, rather than risk experimenting on a domain OU with GPMC.  Your final mission may well be a group policy in a active directory, but this does introduce extra layers for troubleshooting, for example Domain Controller replication and update delays.

Like their predecessors, Windows 8 Group policies make changes to the registry, a fact which you can turn to your advantage by creating your own .adm template based on registry keys, then importing these settings into your Group Policy.  That said this advanced technique is only useful if there is no existing policy in the Administrative Template section.

Get a Simple Policy Working 
If a group policy that I am attempting to apply does not work, I go back to basics and get a simple policy to work just to make sure I am not making a fundamental mistake.  Also a strange thing happens once I get one policy working it seems easier to get other more tricky settings to do what I ask of them.

Read the Policy Carefully
Be careful with double negatives in group policies, for instance, ‘Turn off xyz…’ Disabled, would mean a user gets xyz.  Check your logic with a quick look at the description of a policy you are about to apply.

Download Windows 8 Group Policy Settings

Guy Recommends:  SolarWinds’ Log & Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool’s most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches – give LEM a whirl.

Download your FREE trial of SolarWinds Log & Event Management tool.

Windows 8 Gpresult Command

This built-in command-line utility displays the Resultant Set of Policy (RSoP) information,  Here below is a small section of what the Windows 8 Gpresult reveals about your group policy. 

Note:  Before you launch cmd.exe, or PowerShell, remember to ‘Run as administrator’ else the Windows 8 Gpresult will issue an access denied message when you issue a command such as:
Gpresult /r (Summary of RSoP).

Windows 8 Gpupdate Command

Left to it’s own timetable, a Windows clients initiates a group policy ‘pull’ about every 100 minutes.  The purpose of Windows 8’s Gpupdate is to force an instant update rather than waiting up to 2hrs (90 mins + Random 30).

Mostly I launch cmd.exe (Run as administrator), or these days I tend to use PowerShell, then I just type ‘Gpupdate’ on its own.  However, you may benefit from one of these switches:

/force.  Reapplies all group policy settings.

/target:computer  or /target:user   Applies only the computer (or user) section of your policy.  Normally I would use plain Gpupdate without this option.

/logoff.   Useful for those few settings that do not apply until the user logs on again.

/boot.   Handy for the rare configuration that needs the computer to restart.

GPMC and Gpedit

Domain administrators set group policies for their users via GPMC.  For a Workgroup or HomeGroup you can use Windows 8’s built-in Gpedit.  Actually, this highlights the main benefit of a domain – central administration.  I regard Gpedit as merely a reference for when the domain is not available, or as a test-bed for trying settings on one machine without disrupting the domain workforce.

Problem: You Cannot Find Gpedit

The first source of frustration is that you type plain gpedit, whereas it only appears in search results when you add the .msc extension, thus always type the full: gpedit.msc.

Another problem is that you have the Home Premium edition; and you need the Ultimate, Professional (old Business) or Enterprise editions in order to get a copy of the Windows 8 Group Policy Editor.

Guy Recommends: The Free Config Generator

SolarWinds’ Config Generator is a free tool, which puts you in charge of controlling changes to network routers and other SNMP devices.  Boost your network performance by activating network device features you’ve already paid for.

Guy says that for newbies the biggest benefit of this free tool is that it will provide the impetus for you to learn more about configuring the SNMP service with its ‘Traps’ and ‘Communities’. Try Config Generator now – it’s free!

Download your free copy of Config Generator

Storing Windows 8 Group Policies

Any Windows 8 Group Policies created by gpedit.msc are stored in a this hidden folder
%SystemRoot%\System32\GroupPolicy\ *

Note 1: Make sure you tick ‘Hidden items’ in the View tab.

Note 2: You should see both GroupPolicy\ and GroupPolicyUser\.

* The environment variable %SystemRoot% usually translates to C:\Windows. See more about Windows 8 Gpedit.

Here is Another Sample of Windows 8 Group Policies

• Enforce disk quota limit.
• Require a password when a computer wakes.
• Turn off Autoplay.
• Do not allow pinning programs to the Taskbar.
• Windows Firewall: Do not allow exceptions.
• Prohibit connection to roaming Mobile Broadband networks.
• Prevent installation of removable device.
• Internet Explorer is a fertile area, for example: ‘Disable change proxy settings’

Enlightened administrators can find ways of using Windows 8 group policies to make life easier for their users, for example, on low-spec machines ‘Always render print jobs on the server’.

Summary of Windows 8 Group Policy Settings

Microsoft’s Group Policies can be traced back to System Policies in NT 4.0.  The concept is to provide a Group Policy Management Console (GPMC), where an administrator can configure operating system settings that apply to all his machines, and all the users in his domain.

Before you start choosing Group Policy Settings for real, take the time to flesh-out a vision of the Windows 8 computer that you want for this particular group of users.  As for mastering the individual policy items, practice on safe and easy to understand settings.  The main dangers are double negatives confusing you, and thinking a setting is not working, when you are just looking in the wrong place.

Microsoft Windows 8 Group Policy Topics

• Windows 8 Gpedit.msc  • Windows 8 Group Policy Editor  • Windows 8 Group Policy Firewall

• Windows 8 Group Policy Preferences  • Windows 8 Remote Desktop Group Policy

• Windows 8 Config  • Windows 8 Family Safety  • Windows 8 Event Viewer  • No Auto Restart