
Group policy

1. Increase Your Internet Speed by 20%:


Just go to Start -> Run, type gpedit.msc and navigate to Computer Configuration -> Administrative Templates -> Network -> QoS Packet Scheduler. Under QoS Packet Scheduler, on the right side, double-click the value Limit Reservable Bandwidth. Click Enabled and decrease the default value from 20% to 0. This change will clear any bandwidth that Windows has reserved for itself. By decreasing it to zero, you would gain a 20% increase in internet speed.

2. Using Group Policy to configure Desktop Wallpaper


This setting can be found under User Configuration > Administrative Templates > Desktop > Desktop. Behind the scenes, all this setting does is configure the REG_SZ Wallpaper and the REG_SZ WallpaperStyle registry keys under the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System path.

TIP #1: If you are running Windows 7/Server 2008 R2 pre-Service Pack 1, you will need to install hotfix http://support.microsoft.com/kb/977944 for this setting to work.

TIP #2: If you are configuring this setting, I recommend that you use the Fill Wallpaper Style, as this will work best with most screen resolutions (especially on Windows 7).

TIP #3: If you configure this setting, you will need to wait for the user to log off the computer before the background is updated.

Method #2: Group Policy Preferences Registry Key Wallpaper Configuration


As I mentioned in Method #1, all the Administrative Template Desktop Wallpaper setting does is configure the REG_SZ Wallpaper key under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System. Therefore you can also use the Group Policy Preferences Registry Extension to set the same key, which gives you some added benefits. To configure the Desktop Wallpaper the same way as the Desktop Wallpaper administrative template, simply create two registry keys under User Configuration > Preferences > Windows Settings > Registry. Depending on the registry key that you configure for this setting, you can either have this as a restricted (a.k.a. locked) setting or an unrestricted setting that allows the users to make their own changes.

Restricted: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper

Unrestricted: HKCU\Control Panel\Desktop\Wallpaper

Restricted: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\WallpaperStyle 1

Unrestricted: HKCU\Control Panel\Desktop\WallpaperStyle

TIP #4: If you don't configure the WallpaperStyle registry key, users will still be able to choose their own Wallpaper Style.

If you chose the restricted registry keys to configure the wallpaper, ensure that you also select the Replace action and that the "Remove this item when it is no longer applied" common option is selected. If you don't do this, you will find that your users will not be able to change their wallpaper even after the policy is removed, as the policy registry key will not be removed.

If you chose to use the unrestricted registry key values, also make sure you choose the "Apply once and do not reapply" option. If you don't do this, the user's wallpaper will be reset every time they log off their computer, as the key will be set back to the original value during each policy refresh.

Using the Group Policy Preferences File Extension


Using the File Extension to copy the file to the local hard drive means the file is stored locally and is therefore available at all times. The File Extension option also has the advantage of being able to update the file during each Group Policy refresh. This way the computer gets the updated wallpaper without having to log off or reboot, and you avoid slamming the network in the morning when all the computers turn on.

TIP #6: Set up the file copy as a computer setting so that it will update the files even when there is no user logged on.

TIP #7: If you follow Tip #6, you need to make sure that the desktop wallpaper file grants Domain Computers Read permission so that the local system account has access to copy the file from the network.

So by now, hopefully you know how to set the desktop wallpaper and how to ensure that the images you use for the wallpaper are always available. That way you can ensure that your users are always subjected to your corporate desktop wallpaper.

3. Disable Autorun to Stop Viruses:


Just go to Start -> Run, type gpedit.msc and navigate to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> AutoPlay Policies. Now double-click Turn off Autoplay to open a window where you have to enable it, then click Apply and OK. This way, whenever a virus enters your system, it cannot autorun. This is the safest way to stay away from autorun viruses. Autorun will stop for all programs: USB drives, CDs, DVDs and any other extra gadget will not autoplay on its own.

You can also disable the AutoRun commands. Just click Default behavior for AutoRun, enable it, and under Options select Do not execute any autorun commands.
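To confirm that the two AutoPlay policies above actually landed on a machine, the following added PowerShell example (not part of the original guide) reads the registry values they write and decodes the drive-type bitmask. The value names NoDriveTypeAutoRun and NoAutorun under Policies\Explorer are not named on this page; they are the values these policies are known to set, and the function name is hypothetical.

```powershell
# Added example: decode the registry values written by the AutoPlay policies.
# Bit n of NoDriveTypeAutoRun disables AutoPlay for Windows drive type n.
$DriveTypeBits = [ordered]@{
    'Unknown' = 0x01; 'NoRootDir' = 0x02; 'Removable' = 0x04; 'Fixed'    = 0x08
    'Network' = 0x10; 'CD-ROM'    = 0x20; 'RAM disk'  = 0x40; 'Reserved' = 0x80
}

function Get-AutoRunPolicy {
    param([string[]]$Hives = @('HKLM', 'HKCU'))   # computer and per-user policy

    foreach ($hive in $Hives) {
        $key  = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $mask = $item.NoDriveTypeAutoRun   # $null when "Turn off Autoplay" is not set
        $cmd  = $item.NoAutorun            # 1 = "Do not execute any autorun commands"

        # Drive types whose bit is clear are not covered by the policy value.
        $open = if ($null -eq $mask) { @('policy not configured') }
                else { @($DriveTypeBits.Keys | Where-Object { -not ($mask -band $DriveTypeBits[$_]) }) }
        $maskText = if ($null -eq $mask) { '' } else { '0x{0:X2}' -f $mask }

        [pscustomobject]@{
            Hive                   = $hive
            NoDriveTypeAutoRun     = $maskText
            NotCoveredByPolicy     = ($open -join ', ')
            AutoRunCommandsBlocked = ($cmd -eq 1)
        }
    }
}

Get-AutoRunPolicy | Format-Table -AutoSize
```

A mask of 0xFF (the "All drives" option) leaves the NotCoveredByPolicy column empty; 0xB5 covers CD-ROM and removable drives but leaves fixed drives out.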

4. Install Software via Group Policy Guide


This is a common requirement where IT administrators need to deploy important software via Group Policy. Why? The benefits of doing so are numerous, but the main reasons to install software via Group Policy are:

- Clients cannot interact with the software installation, so support of it is standardised.
- It is a quick and easy method of deployment, instead of manually going around installing software.
- Software can be kept up to date and new patches pushed out centrally. The last thing IT administrators want is software like Adobe PDF viewer installed on one machine and then another version on another a bit later, so that they are using different patched versions, as one will always be older than the other!
- Auditing: it is easy to see how many PCs are affected by the policy you've chosen to install the software with.

Large enterprises would use specific software to assist with large-scale rollouts of corporate software (such as Microsoft SMS). But, if you are in such an enterprise, you are unlikely to be reading this!

PRE-REQUISITES:

- Create a Domain Security Group of the desired computers which will be instructed to install your desired software, e.g. "Office 2003 Computers". This is purely optional as a way of filtering PCs out from every machine in an organisational unit. If you intend to deploy software based on a user, create a Domain Security Group of the desired users, e.g. "Office 2003 Users". If you don't assign a group from which computers will be selected, all computers in the OU you apply this Group Policy to will be told to install the software. Whether you want this depends on the software and the licensing!
- Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) on which the desired users can install the software, e.g. Test OU. (You can use an existing OU, but see the note below! Guru Guy recommends creating a test OU for small deployments, specifically where modification of user rights is concerned!)
- Place a test PC or two into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this OU or apply the policy to your existing OU; again, see the note below).
- Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.
- A network share in which to place the software installation folder, e.g. "\\SERVER\SOFTWARE" (set the share permissions tab to "Everyone" read access; we will secure it further via NTFS security permissions). This can be on any server in your domain, but it must have appropriate permissions for your domain computers to access it. Since this lowers security, Guru Guy recommends making a dedicated share just for Group Policy Software Deployment. At a minimum, the security permissions you need are: "Authenticated Users", which allows both machine installation and user-based installation; give them read access at minimum. OR: "Domain Computers", which allows access for all computers that are members of your domain; "Domain Users" will allow all domain users read access.
- Never modify the default domain policy. Always create organisational units and never include domain admins and server computers in these units. For these instructions we have created an Organisational Unit (OU) called test.

SOFTWARE INSTALLATION PRE-REQUISITES

What you need to do to deploy the software depends on the software you have chosen to install. Since there are many types of software, Guru Guy will explain what needs to be done so you can always tailor the instructions to your specific software.

1. The first thing you need to do is ensure you extract the EXE file or ZIP files of the software. Group Policy DOES NOT work with anything but MSI files. So don't try to deploy it!
2. Once you've got the MSI file, you've got to make sure you have an "Administrative Install Point" made from it. This is basically re-packaging the software and decompressing it further. For instance, Microsoft Office 2003 Professional has an installation folder with setup.exe and PRO11.msi. You still can't use PRO11.msi yet... it needs to be administratively installed.
3. To create an administrative installation, the most common method is to invoke the MSIEXEC installer in administrative mode. Do this by running:

   msiexec /a [SOFTWARE.MSI]

4. When you do this you usually encounter a wizard that looks identical to the normal software setup, except that somewhere it should acknowledge you are creating an administrative install point. In the case of Microsoft Office 2003, enter information such as your company, name and product key. This means that users neither need to nor are able to enter registration information, and can have this installed for them over Group Policy.
5. Choose a destination folder for the extraction of the administrative install point. Guru Guy recommends placing this straight in the network location from which Group Policy will be told to obtain the software, e.g. \\SERVERNAME\Software\Office2003
6. Optionally patch the administrative install point. Both Office 2003 and Adobe PDF Maker, for example, allow you to run patches on their software install points, which is much better since it means clients have the latest software installed without the need to patch and upgrade the moment it is installed. (Integrated/slipstreamed patches often also mean faster software.) Patch methods vary, but most are:

   msiexec.exe /a [location of administrative installation]\setup.msi /p [location of patch]\<Patch>.msp

STEP-BY-STEP INSTRUCTIONS

Assuming you've followed both sets of pre-requisites above, continue below for deployment:

1. Open up the Group Policy Management Tool.
2. Navigate to your TEST OU, which should be located underneath the domain policy.
3. Create and link a new Group Policy Object (GPO) to the Organisational Unit and call it Software Install or something which means something to you. This GPO will apply to all users/machines of the PCs/laptops in that Organisational Unit. If you wish to be selective about which machines get the software installed via the GPO, use the Domain Security Group to filter the installation, discussed later.
4. Now decide whether you are installing software based on user or machine. Most software installs via machine policy and often only installs that way. However, if you have users occupying multiple machines, then a user-based policy is best. In either case, don't deploy through both methods! They are likely to break the install or cause problems!
5. In the new GPO, navigate to either Computer Configuration\Software\Software Installation or User Configuration\Software\Software Installation.
6. Right-click Software Installation and click New -> Package.
7. In the Browse window, navigate to the location of the administrative software MSI package. Be sure to specify valid UNC network paths, e.g. \\SERVER\Software\Office2003\Pro11.msi
8. Select Assigned as the deployment method and Save & OK out of the dialogue. If you select "Published" as the deployment method, users will be able to optionally install the product on workstations using the Add/Remove Programs utility from the Control Panel. You can select "Advanced" if you need to make advanced customisations (such as asking the installer to ignore the language of the PC, or offering a Modifications (MST) file, as for Office 2003, in the Modifications tab). Either way, once done, you should see the new package listed.
9. Nearly there! Lastly in this GPO we need to allow the software install to be "escalated", which means it can install even if the user does not have administrative rights, which in most cases they don't and should not have! So, navigate to: Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Windows Installer
10. Set the value "Always install with elevated privileges" to "Enabled".
11. Close the GPO and view the Scope tab of the policy in the Group Policy Management pane. Under Security Filtering, add either Office 2003 Computers (if you used the computer configuration method) or Office 2003 Users (if you are deploying via user configuration). For ease, you could just leave it as "Authenticated Users", but the problem is that every machine/user in that Organisational Unit will have the software installed!
12. Once computers/users have been assigned to the security groups, and a machine has been moved from Active Directory Computers into your new Organisational Unit, log into a machine to test the policy.
13. Type gpupdate /force in Start -> Run on a test workstation. This will refresh the Group Policy.
14. Reboot the computer, log in, and see whether at Windows startup it says "Installing managed software.... Office 2003".
15. Congratulations, you've just deployed your software automatically, without the need to log in as an administrator or any manual intervention! Wow, Microsoft's Group Policy rocks!

*Please note, the steps above are slightly different for deployment of Office 2007. Office 2007 can only be deployed via Computer Policy and does not use the "Always install with elevated privileges" setting. It also does not get patched in the same way and only installs on the first login to the computer, not at startup.
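Steps 9 and 10 make Windows Installer run packages with SYSTEM privileges, and the pre-requisites place those packages on a share readable by everyone, so two things are worth auditing after deployment: where the elevation setting is active, and who can write to the share. The following is an added PowerShell example, not part of the original guide; the function names are hypothetical, the AlwaysInstallElevated value name is the one this policy is known to write, and \\SERVER\SOFTWARE is the guide's sample path.

```powershell
# Added example: audit installer elevation and write access to the deployment share.
function Get-InstallerElevationState {
    $state = [ordered]@{}
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
        $item  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $value = 0
        if ($null -ne $item.AlwaysInstallElevated) { $value = [int]$item.AlwaysInstallElevated }
        $state[$hive] = $value
    }
    # Windows Installer elevates every MSI only when both hives hold 1.
    $state['ElevatesAnyMsi'] = ($state['HKLM'] -eq 1 -and $state['HKCU'] -eq 1)
    [pscustomobject]$state
}

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Also match raw GENERIC_ALL / GENERIC_WRITE bits that Get-Acl can return.
    $mask    = [int]$write -bor 0x10000000 -bor 0x40000000
    # SYSTEM, BUILTIN\Administrators, Domain Admins (matched by SID, not by name)
    $trusted = '^S-1-5-18$|^S-1-5-32-544$|^S-1-5-21-.+-512$'

    (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $mask) -ne 0 -and
            $_.IdentityReference.Value -notmatch $trusted
        } |
        Select-Object @{ n = 'Sid'; e = { $_.IdentityReference.Value } }, FileSystemRights, IsInherited
}

Get-InstallerElevationState
$share = '\\SERVER\SOFTWARE'   # sample path from the guide
if (Test-Path $share) { Get-UntrustedWriteAce -Path $share }
```

Any row returned by Get-UntrustedWriteAce is a principal outside the admin groups that can change what the GPO installs; the NTFS permissions on the share should be read-only for everyone else.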

Forcing Group Policy Updates Locally


gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]

/target - Apply only computer or user related policies
/force - Reapplies all settings immediately
/wait - Interval in seconds the policy waits to finish
/logoff - Logs off of the computer after the refresh has completed
/boot - Reboots the computer after the refresh has completed

1. How to use Group Policy to disable USB drives on Windows XP


If a USB storage device is already installed on the computer, set the Start value in the following registry key to 4:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

When you do this, the USB storage device does not work when the user connects the device to the computer. To set the Start value, follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the details pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
6. Exit Registry Editor.

If a USB storage device is not already installed on the computer


If a USB storage device is not already installed on the computer, assign the user or the group and the local SYSTEM account Deny permissions to the following files:

%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf

When you do this, users cannot install a USB storage device on the computer. To assign a user or group Deny permissions to the Usbstor.pnf and Usbstor.inf files, follow these steps:

1. Start Windows Explorer, and then locate the %SystemRoot%\Inf folder.
2. Right-click the Usbstor.pnf file, and then click Properties.
3. Click the Security tab.
4. In the Group or user names list, add the user or group that you want to set Deny permissions for.
5. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control. Note: Also add the System account to the Deny list.
6. In the Group or user names list, select the SYSTEM account.
7. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
8. Right-click the Usbstor.inf file, and then click Properties.
9. Click the Security tab.
10. In the Group or user names list, add the user or group that you want to set Deny permissions for.
11. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control.
12. In the Group or user names list, select the SYSTEM account.
13. In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.
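Both USB storage controls above can be verified in one pass. This added PowerShell example (not part of the original guide) reports the UsbStor Start value and whether each of the two driver files carries a Deny Full Control entry for a given account; the function names are hypothetical, and by default only the SYSTEM account (well-known SID S-1-5-18) is checked.

```powershell
# Added example: verify the UsbStor Start value and the Deny ACEs on the driver files.
$FullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl

function Test-DenyFullControl {
    param([string]$File, [string]$Sid)
    try {
        $rules = (Get-Acl -Path $File -ErrorAction Stop).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch {
        # A Deny ACE that covers the caller can also block reading the ACL.
        return 'Unreadable'
    }
    $hit = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Sid -and
        ([int]$_.FileSystemRights -band $FullControl) -eq $FullControl
    }
    if ($hit) { 'Yes' } else { 'No' }
}

function Get-UsbStorageLockdown {
    param([string]$Sid = 'S-1-5-18')   # SYSTEM; pass the SID of the denied user or group

    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor' -ErrorAction SilentlyContinue
    $meaning = 'UsbStor key absent'
    if ($null -ne $svc.Start) { $meaning = $startNames[[int]$svc.Start] }

    $inf = Join-Path $env:SystemRoot 'Inf\Usbstor.inf'
    $pnf = Join-Path $env:SystemRoot 'Inf\Usbstor.pnf'

    [pscustomobject]@{
        StartValue      = $svc.Start
        StartMeaning    = $meaning
        DriverDisabled  = ($svc.Start -eq 4)
        CheckedSid      = $Sid
        DenyOnUsbstorInf = Test-DenyFullControl -File $inf -Sid $Sid
        DenyOnUsbstorPnf = Test-DenyFullControl -File $pnf -Sid $Sid
    }
}

Get-UsbStorageLockdown | Format-List
```

Run it once per account that should be denied; a result of "Unreadable" means the ACL could not be read from the current session and should be checked from an account that is not covered by the Deny entries.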
