Restricted: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle 1
Tip #4: If you don't configure the WallpaperStyle registry key, users will still be able to choose their own wallpaper style. If you chose the restricted registry keys to configure the wallpaper, ensure that you also select the Replace action and that the "Remove this item when it is no longer applied" common option is selected (see below). If you don't do this, your users will not be able to change their wallpaper even after the policy is removed, because the policy registry key will not be removed.
If you chose to use the unrestricted registry key values, also make sure you choose the "Apply once and do not reapply" option. If you don't do this, the user's wallpaper will be reset every time they log off their computer, because the key will be set back to the original value during each policy refresh.
TIP #6: Set up the file copy as a computer setting so that it will update the files even when there is no user logged on.
TIP #7: If you follow Tip #6, make sure that the desktop wallpaper file grants "Domain Computers" Read permission so the local system account can copy the file from the network.
So by now, hopefully you know how to set the desktop wallpaper and how to ensure that the images you use for the wallpaper are always available. That way you can ensure that your users are always subjected to your corporate desktop wallpaper.
not autoplay on its own. You can also disable the AutoRun commands: click "Default behavior for AutoRun", enable it, and under Options select "Do not execute any autorun commands".
PRE-REQUISITES:

Create a Domain Security Group of the desired Computers which will be instructed to install your desired software, e.g. "Office 2003 Computers". This is purely optional as a way of filtering PCs out from every machine in an organisational unit. If you intend to deploy software based on a user, create a Domain Security Group of the desired Users, e.g. "Office 2003 Users". If you don't assign a group to select computers, all computers in the OU you apply this group policy to will be told to install the software. Whether you want this depends on the software and its licensing!

Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) on which the desired users can install the software, e.g. Test OU. (You can use an existing OU, but see the note below! Guru Guy recommends creating a test OU for small deployments, specifically where modification of user rights is concerned!)

Place a test PC or 2 into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this OU or apply the policy to your existing OU - again, see note below).

Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.

Create a network share in which to place the software installation folder, e.g. "\\SERVER\SOFTWARE" (set the share permissions tab to "Everyone" read access - we will secure further via NTFS Security permissions). This can be on any server in your domain, but it must have appropriate permissions for your domain computers to access it. Since this lowers security, Guru Guy recommends making a dedicated share just for Group Policy Software Deployment. At a minimum, the security permissions you need are:

"Authenticated Users" - this allows both machine installation and user-based installation; give them read access at minimum.

OR: "Domain Computers" - this allows access for all computers which are members of your domain; "Domain Users" will allow all domain users read access.

Never modify the default domain policy. Always create organisational units and never include domain admins and server computers in these units. For these instructions we have created an Organisational Unit (OU) called test.
What you need to do to deploy the software depends on the software you have chosen to install. Since there are many types of software, Guru Guy will explain what needs to be done so you can always tailor the instructions to your specific software.

1. The first thing you need to do is ensure you extract the EXE file or ZIP files of the software. Group Policy DOES NOT work with anything but MSI files. So don't try to deploy it!
2. Once you've got the MSI file, you've got to make sure you have an "Administrative Install Point" made out of it. This is basically re-packaging the software and decompressing it further. For instance, Microsoft Office 2003 Professional has an installation folder with setup.exe and PRO11.msi. You still can't use PRO11.msi yet... it needs to be administratively installed.
3. To create an administrative installation, the most common method is to invoke the MSIEXEC installer in Administrative mode. Do this by running: msiexec /a [SOFTWARE.MSI]
4. When you do this you usually encounter a wizard that looks identical to the normal software setup, except somewhere it should acknowledge you are creating an administrative install point. In the case of Microsoft Office 2003, enter information such as your company, name and product key. This means that users neither need nor are able to enter registration information, and can have this installed for them over Group Policy.
5. Choose a destination folder for your extraction of the administration point. Guru Guy recommends placing this straight into the network location from which Group Policy will be told to obtain the software, e.g. \\SERVERNAME\Software\Office2003
6. Optionally patch the administrative install point. Both Office 2003 and Adobe PDF Maker, for example, allow you to run patches on their software install points, which is much better since it means clients have the latest software installed without the need to patch and upgrade the moment it is installed. (Integrated/Slipstreamed Patches often also mean faster software). Patch methods vary but most are: msiexec.exe /a [location of administrative installation]\setup.msi /p [location of patch]\<Patch>.msp
STEP-BY-STEP INSTRUCTIONS
Assuming you've followed both sets of pre-requisites above, continue below for deployment:

1. Open up the Group Policy Management Tool.
2. Navigate to your TEST OU, which should be located underneath the domain policy.
3. Create and link a new Group Policy Object (GPO) to the Organisational Unit and call it Software Install or something which means something to you. This GPO will apply to all users/machines of the PCs/Laptops in that Organisational Unit. If you wish to be selective about which machines get the software installed via the GPO, use the Domain Security Group to filter the installation, discussed later.
4. Now decide if you are installing software based on User or Machine. Most software installs via machine policy and often only installs that way. However, if you have users occupying multiple machines, then a User-Based policy is best. In either case, don't deploy them through both methods! They are likely to break the install or cause problems!
5. In the new GPO, navigate to either: Computer Configuration\Software\Software Installation or User Configuration\Software\Software Installation
6. Right-click over Software Installation and click: NEW -> PACKAGE
7. In the Browse window, navigate to the location of the administrative software MSI package. Be sure to specify valid UNC network paths! E.g. \\SERVER\Software\Office2003\Pro11.msi
8. Select this as Assigned deployment and Save & OK out of the dialogue. If you select "Published" as a deployment method, users will be able to optionally install the product on workstations using the Add/Remove Programs utility from the Control Panel. You can select "Advanced" if you need to make advanced customisations (such as asking the installer to ignore the language of the PC, or offering a Modifications (MST) file (such as Office 2003) in the Modifications tab). Either way, once done, you should now see below:
9. Nearly there! Lastly in this GPO we need to allow the software install to be "escalated", which means it can install even if the user does not have administrative rights, which in most cases they don't have, nor should they! So, navigate to: Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Windows Installer
10. Set "Always install with elevated privileges" to "Enabled".
11. Close the GPO and view the Scope tab of the policy in the Group Policy Management pane. Under Security Filtering add either Office 2003 Computers (if you used the computer configuration method) or Office 2003 Users if you are deploying via user configuration. For ease, you could just leave it as "Authenticated Users", but the problem is that every machine/user in that Organisational Unit will have the software installed!!!
12. Once computers/users have been assigned to the security groups, and a machine is moved from Active Directory Computers into your new Organisational Unit, log into a machine to test the policy.
13. Type gpupdate /force in Start->Run on a test workstation. This will refresh the group policy.
14. Reboot the computer, log in, and see if at Windows startup it says "Installing managed software.... Office 2003"
15. Congratulations, you've just deployed your software automatically, without the need to log in as an administrator or any manual intervention! Wow, Microsoft's Group Policy rocks!
*Please note, the steps above are slightly different for deployment of Office 2007. Office 2007 can only be deployed via Computer Policy and does not use the "Always install with elevated privileges" setting. It also does not get patched in the same way and only installs on the first login to the computer, not at startup.
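
An added audit check, not part of the original guide: the setting from step 10 is stored as the AlwaysInstallElevated registry value, and when it is 1 under both Computer and User Configuration, Windows Installer runs any MSI a user launches with elevated rights. The script below only reads the two values for the current computer and user, so you can confirm the setting is limited to the machines and users in the deployment OU.

```powershell
# Added example: report how "Always install with elevated privileges" is set
# on this computer and for the current user. Read-only; changes nothing.
$valueName = 'AlwaysInstallElevated'
$subKey    = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-InstallerPolicyValue {
    param([Parameter(Mandatory)][string]$Hive)    # 'HKLM' or 'HKCU'
    $path = "${Hive}:\$subKey"
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }         # key or value absent = not configured
    return [int]$item.$valueName
}

$machine = Get-InstallerPolicyValue -Hive 'HKLM'  # Computer Configuration side
$user    = Get-InstallerPolicyValue -Hive 'HKCU'  # User Configuration side (current user)

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    User           = $env:USERNAME
    MachinePolicy  = if ($null -eq $machine) { 'Not configured' } else { $machine }
    UserPolicy     = if ($null -eq $user)    { 'Not configured' } else { $user }
    # True only when both sides are enabled, i.e. every MSI this user starts is elevated.
    ElevatesAllMsi = ($machine -eq 1 -and $user -eq 1)
}
```

Run it on a test workstation after gpupdate /force, and again on a machine outside the OU, where both values should read "Not configured".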
When you do this, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
2. Right-click the Usbstor.pnf file, and then click Properties.
3. Click the Security tab.
4. In the Group or user names list, add the user or group that you want to set Deny permissions for.
5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control. Note: Also add the System account to the Deny list.
6. In the Group or user names list, select the SYSTEM account.
7. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
8. Right-click the Usbstor.inf file, and then click Properties.
9. Click the Security tab.
10. In the Group or user names list, add the user or group that you want to set Deny permissions for.
11. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
12. In the Group or user names list, select the SYSTEM account.
13. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
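
A way to verify the result of the steps above on each computer, added here as an example and not taken from the original guide. It reads the ACLs of both files and reports whether a Deny entry covering Full Control exists for SYSTEM and for the denied group; the group name EXAMPLE\NoUsbUsers is a placeholder.

```powershell
# Added example (not from the original guide). Read-only: reports whether the
# Deny / Full Control entries described above are present on both files.
# 'EXAMPLE\NoUsbUsers' is a placeholder; replace it with the user or group you denied.
$deniedNames = @('EXAMPLE\NoUsbUsers')
$sidType     = [System.Security.Principal.SecurityIdentifier]
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Compare by SID so the check also works on non-English Windows. S-1-5-18 is SYSTEM.
$targets = [ordered]@{ 'SYSTEM' = 'S-1-5-18' }
foreach ($name in $deniedNames) {
    try {
        $targets[$name] = ([System.Security.Principal.NTAccount]$name).Translate($sidType).Value
    } catch {
        Write-Warning "Cannot resolve '$name' to a SID; skipping it."
    }
}

foreach ($leaf in 'Usbstor.inf', 'Usbstor.pnf') {
    $file = Join-Path $env:SystemRoot "Inf\$leaf"
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Warning "$file not found."
        continue
    }
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)
    foreach ($entry in $targets.GetEnumerator()) {
        $deny = $rules | Where-Object {
            $_.IdentityReference.Value -eq $entry.Value -and
            $_.AccessControlType -eq 'Deny' -and
            ($_.FileSystemRights -band $fullControl) -eq $fullControl
        }
        [pscustomobject]@{
            File            = $file
            Principal       = $entry.Key
            DenyFullControl = [bool]$deny
        }
    }
}
```

Any row with DenyFullControl set to False marks a file where one of the numbered steps was missed.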