Group Policies

Thin Clients are often used (lower costs) is currently not the case anymore in many cases. Using a traditional workstation for connecting to a SBC/VDI infrastructure is getting more and more logical, although the users is working on Full Desktop where all applications are running in the data center.

The most important step is to lock-down the workstation. It depends on requirements and wishes of the organization/customer how many settings should be removed out of the user interface.There are scenarios where you would like to remove as much as possible, but also offering some applications or configuration settings are pretty logical. Think again of adjust screen resolution, keyboard/mouse settings and regional settings.

While there are both very good third parties as freeware products available to use a standard workstation as a Thin Client you can do it also using default Microsoft technologies, when there is no budget or freeware is not allowed in the company. With the article I would like to show you an example configuration to change your workstation to ThinBasedPC with group policy only.

Windows 8.1 Enterprise is now available, and included in it is a brand new feature called Start screen control. For those not familiar with this new feature, it is designed to allow IT pros to configure the layout of the Start screen for a group of users, preventing those users from making changes to that layout.

Once arranged, you can export this layout into an XML file using a simple PowerShell command:

Export-StartLayout -path C:\StartLayout.xml -As XML

Next, you can specify a path to this layout file using Active Directory Group Policy. From the Group Policy Management Editor, navigate to “User Configuration \ Policies \ Administrator Templates \ Start Menu and Taskbar” where you can find the “Start Screen Layout” policy setting:

One of the common lock down’s that administrator apply is to remove all but the essential control panel items.

Previous to Windows 7 you had to specify the .cpl (e.g. timedate.cpl) file name of the control panel item you wanted to show or hide however this has changed in Windows 7 and you now need to use the Canonical Name when hiding or showing specific items.

Step 1. Edit the Group Policy object that is applied to the users that you want to apply the Control Panel configuration.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Control Panel

Step 3. Double click on hide specified Control Panel items setting then check Enabled and then click then Show button.

The following are the Control Panel items available in Windows 8.1:

Action Center
Administrative Tools : Microsoft.AdministrativeTools
AutoPlay : Microsoft.AutoPlay
Biometric Devices : Microsoft.BiometricDevices
BitLocker Drive Encryption : Microsoft.BitLockerDriveEncryption
Color Management : Microsoft.ColorManagement
Credential Manager : Microsoft.CredentialManager
Date and Time : Microsoft.DateAndTime
Default Programs : Microsoft.DefaultPrograms
Device Manager : Microsoft.DeviceManager
Devices and Printers : Microsoft.DevicesAndPrinters
Display : Microsoft.Display
Ease of Access Center : Microsoft.EaseOfAccessCenter
Family Safety : Microsoft.ParentalControls
File History : Microsoft.FileHistory
Folder Options : Microsoft.FolderOptions
Fonts : Microsoft.Fonts
HomeGroup : Microsoft.HomeGroup
Indexing Options : Microsoft.IndexingOptions
Infrared : Microsoft.Infrared
Internet Options : Microsoft.InternetOptions
iSCSI Initiator : Microsoft.iSCSIInitiator
iSNS Server : Microsoft.iSNSServer
Keyboard : Microsoft.Keyboard
Language : Microsoft.Language
Location Settings : Microsoft.LocationSettings
Mouse : Microsoft.Mouse
MPIOConfiguration : Microsoft.MPIOConfiguration
Network and Sharing Center : Microsoft.NetworkAndSharingCenter
Notification Area Icons : Microsoft.NotificationAreaIcons
Pen and Touch : Microsoft.PenAndTouch
Personalization : Microsoft.Personalization
Phone and Modem : Microsoft.PhoneAndModem
Power Options : Microsoft.PowerOptions
Programs and Features : Microsoft.ProgramsAndFeatures
Recovery : Microsoft.Recovery
Region : Microsoft.RegionAndLanguage
RemoteApp and Desktop Connections : Microsoft.RemoteAppAndDesktopConnections
Sound : Microsoft.Sound
Speech Recognition : Microsoft.SpeechRecognition
Storage Spaces : Microsoft.StorageSpaces
Sync Center : Microsoft.SyncCenter
System : Microsoft.System
Tablet PC Settings : Microsoft.TabletPCSettings
Taskbar and Navigation : Microsoft.Taskbar
Troubleshooting : Microsoft.Troubleshooting
TSAppInstall : Microsoft.TSAppInstall
User Accounts : Microsoft.UserAccounts
Windows Anytime Upgrade : Microsoft.WindowsAnytimeUpgrade
Windows Defender : Microsoft.WindowsDefender
Windows Firewall : Microsoft.WindowsFirewall
Windows Mobility Center : Microsoft.MobilityCenter
Windows To Go : Microsoft.PortableWorkspaceCreator
Windows Update : Microsoft.WindowsUpdate
Work Folders : Microsoft.WorkFolders

Group policy has two main configurations, user and computer. Accordingly, the computer policy is applied to the computer despite of the logged user and the user configuration is applied to the user despite of the computer he is logged on.
We have a Domain, this Domain has two different organizational units (OU) Green and Red, Green OU contains a Computer account and Red OU contains User account.
The Green policy, which has settings “Computer Configuration 2” and “User Configuration 2” is applied to the OU with the computer account.
The Red policy, which has settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the User account.

If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:

The User gets Computer Configuration 2 and User Configuration 1. This is absolutely standard situation, where policies are applied according to the belonging to the OU. User belongs to the Red OU, he gets the Red User configuration 1 accordingly.

Enable the Loopback processing of Group Policy for the Green OU. In this case if the User logs on to the Computer, the policies applied in the following way:

The User is getting User Configuration 2 despite of the fact that he belongs to the Red OU. So, what has happened in this scenario, the User Configuration 1 was replaced with the User Configuration 2, i.e. with the configuration applied to the Computer account.

The enabled “Loopback in replace mode”. The Loopback processing of Group Policy has two different modes, Replace and Merge. Replace mode replaces User Configuration with the one applied to the Computer, whereas Merge mode merges two User Configurations.

Merge mode, if there is a conflict, for example two policies provide different values for the same configuration setting, the Computer’s policy has more privilege. For example in this scenario, in case of the conflict the User Configuration 2 would be enforced.

To enable Loopback Processing navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode

Step 1. Open the Group Policy Object that you want to apply an exception and then click on the “Delegation” tab and then click on the “Advanced” button.

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.

Step 3. In this example I am excluding the “Users GPO Exceptions” group for this policy. Select this group in the “Group or user names” list and then scroll down the permission and tick the “Deny” option against the “Apply Group Policy” permission.

Now any members of this “User GPO Exceptions” security group will not have this Group Policy Object applied. Having a security group to control this exception makes it much easier to control as someone only needs to modify the group membership of the group to makes changes to who (or what) get the policy applied. This makes the delegation of this task to level 1 or level 2 support much more practical as you don’t need to grant them permission to the Group Policy Objects.