
How to manage Office 2013 screens by GPO

How to manage the First Run screens that appear when Microsoft Office 2013 applications are first launched

Microsoft Office 2013 shows the following screens when an application is launched for the first time:

Group Policy Management Editor

STEP ONE: If you have not already, download the Office 2013 Administrative Template files. These can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=35554

STEP TWO: Copy the ADMX files to %systemroot%\PolicyDefinitions and the ADML files to the language-specific folder (such as en-us) under %systemroot%\PolicyDefinitions.

STEP THREE: Using the Group Policy Management Editor go to User Configuration | Policies | Administrative Templates: Policy definitions | Microsoft Office 2013 | First Run


STEP FOUR: Set “Disable First Run Movie” to Enabled and “Disable Office First Run on application boot” to Enabled.


How to manage the Opt-in or First things first prompt when Microsoft Office 2013 applications are first launched

Like the Office 2010 Welcome screen, Office 2013 shows the following First things first prompt when a user launches an application for the first time:

Group Policy:

STEP ONE: If you have not already, download the Office 2013 Administrative Template files. These can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=35554

STEP TWO: Copy the ADMX files to %systemroot%\PolicyDefinitions and the ADML files to the language-specific folder (such as en-us) under %systemroot%\PolicyDefinitions.

STEP THREE: Using the Group Policy Management Editor go to User Configuration | Policies | Administrative Templates: Policy definitions | Microsoft Office 2013 | Privacy | Trust Center


STEP FOUR: Configure each setting under Trust Center to suit your needs. If you wish to disable all of these settings, set the first one to Enabled and all the rest to Disabled as shown below.

How to manage the Start screen for all Microsoft Office 2013 applications

Unlike earlier versions of Microsoft Office, the Microsoft Office 2013 applications, when started, show a Start screen similar to the following, rather than opening the default blank template:


Group Policy:

STEP ONE: If you have not already, download the Office 2013 Administrative Template files. These can be downloaded from http://www.microsoft.com/en-us/download/details.aspx?id=35554

STEP TWO: Copy the ADMX files to %systemroot%\PolicyDefinitions and the ADML files to the language-specific folder (such as en-us) under %systemroot%\PolicyDefinitions.

STEP THREE: Using the Group Policy Management Editor, locate the “Disable the Office Start screen for all Office applications” setting under User Configuration | Policies | Administrative Templates: Policy definitions | Microsoft Office 2013 | Miscellaneous:


STEP FOUR: Enable the “Disable the Office Start screen for all Office applications” setting:

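STEP TWO is the same manual copy in each of the three procedures above; the function below does that step as a script. It is an added example, not part of the original post, and assumes the downloaded template package has been extracted to the folder passed as -SourceRoot, with each language's ADML files in a subfolder named after the language tag (such as en-us).

```powershell
# Added example (not from the original post). Copies every ADMX file from the
# extracted Office 2013 template package into a PolicyDefinitions folder and
# every ADML file into the matching language subfolder, then reports any ADMX
# that has no language resource at all.
function Copy-OfficeAdmx {
    param(
        # Assumed: the folder the downloaded template package was extracted to.
        [Parameter(Mandatory)][string]$SourceRoot,
        # Default is the local store; for a central store pass
        # \\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions instead.
        [string]$Destination = (Join-Path $env:SystemRoot 'PolicyDefinitions')
    )
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $admx = @(Get-ChildItem -Path $SourceRoot -Recurse -Filter '*.admx')
    $adml = @(Get-ChildItem -Path $SourceRoot -Recurse -Filter '*.adml')
    if ($admx.Count -eq 0) { throw "No .admx files found under $SourceRoot" }

    foreach ($file in $admx) {
        Copy-Item -LiteralPath $file.FullName -Destination $Destination -Force
    }
    foreach ($file in $adml) {
        # The package keeps each language's ADML files in a folder named after
        # the language tag (e.g. en-us); the store expects the same layout.
        $langDir = Join-Path $Destination $file.Directory.Name
        if (-not (Test-Path -LiteralPath $langDir)) {
            New-Item -ItemType Directory -Path $langDir | Out-Null
        }
        Copy-Item -LiteralPath $file.FullName -Destination $langDir -Force
    }

    # An ADMX without any ADML makes the Group Policy Management Editor report
    # the template as unreadable, so list any file in that state.
    $missing = foreach ($file in $admx) {
        if (-not ($adml | Where-Object { $_.BaseName -eq $file.BaseName })) { $file.Name }
    }
    [pscustomobject]@{
        AdmxCopied  = $admx.Count
        AdmlCopied  = $adml.Count
        Destination = $Destination
        MissingAdml = @($missing)
    }
}

# Usage (assumed extraction folder):
# Copy-OfficeAdmx -SourceRoot 'C:\Temp\Office2013Templates'
```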

Configure Internet Explorer IE 11 Home Page / Proxy Settings in Group Policy Preferences

1) Open the Group Policy Management Console and expand the tree until you reach the Group Policy Objects folder. Right-click it and click New.


2) In the box that appears, enter the name “Internet Explorer 11 Settings” and click OK.

3) Right-click the GPO you just created and click Edit.

4) Expand User Configuration > Preferences > Control Panel Settings, then click Internet Settings.


5) Right-click in the right-hand pane and click New > Internet Explorer 10. (Don't worry: if you are editing from a 2012 R2 server or a Windows 8.1 machine, this also means IE11.)

6) You will be prompted with the box below. Notice that each field has green lines and red lines underneath it.


7) Type a URL in for the home page. Notice how it is still red. This means it will not take effect.


8) With the cursor still in the text box, press the F6 key. The line will go green, and the setting is now part of the policy. Don't forget that if you want this page to always launch, you need to change the IE10 / IE11 default behaviour and select “Start with home page”.


9) If you want to set the proxy information, go to the Connections tab, then click the LAN settings button at the bottom.


10) Tick the “Use a proxy server for your LAN” option, then enter your address and port number. Note how the options are again red.


11) Once happy, press the F6 key to make them green, then click OK.


Apply the GPO to your relevant OU and you're good to go.

How to use Group Policy to control Services

Services are programs that are configured to run in the background of a Windows computer whether or not a user is logged on. They are an essential part of Windows and essential to the operation of any Windows computer. Without services a computer could not perform automatic updates, run scheduled tasks or even connect to a file share. Therefore the ability to control Windows services is a vital task for IT administrators.

Quite often disabling services on a computer is the best way to reduce its attack surface or to improve performance by turning off unused components of the OS. Conversely, it is also very important to be able to turn on services to enable certain functionality, or to ensure that certain services are not turned off.

Below I will go through the two ways you can control services in Windows using Group Policy. Each way has its own advantages and disadvantages, but together they let you control pretty much any system service the way you want.

In the examples below I am going to show you how to enable the “Applications Identification” service, which is required to be enabled to make AppLocker work in Windows 7. If you want to learn more about AppLocker then check out my other post.

Using Group Policy to configure a Service

Ever since Group Policy was introduced with Windows 2000, you have been able to configure some aspects of services using native Group Policy.

Now that you can control services using Group Policy Preferences, there are only two reasons you would still want to use this method.

  1. You want to control services on Windows 2000 or on a computer that does not have the client side extensions installed.
  2. You want to configure the security so that non-administrators can start, stop and pause the service.

Step 1. Edit a computer Group Policy Object that is targeted at the computers that you want to configure.

Step 2. Select the services that you want to configure.

Note: If the service that you want to configure is not present in the list, you will need to install GPMC on a computer that has the service running. This is a painful restriction of controlling services this way and

Step 3. From the menu click Action > Properties, tick “Define this policy setting” and then configure the service startup mode as you want it.

Step 4. If you click the “Edit Security…” button you can also configure who has control over the service. This is useful if you want to give end users the ability to start and stop specific services. Tip: tick “Start, stop and pause” for INTERACTIVE if you want the logged-on user to control the service.

Now that you have configured the service via Group Policy, you will need to reboot the computer for the new startup mode to take effect. This means that if you are disabling a service, it will not stop until the next reboot, which could be many days, weeks or even months after you made the policy change.
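The security you set in Step 4 is applied to the service as a security descriptor (SDDL). The function below, an added example that is not from the original post, decodes such a descriptor and reports who may start, stop or pause the service, which is the check to run on a client after the reboot; the commented live check assumes AppIDSvc as the short name of the service the post refers to, a value the page itself does not give.

```powershell
# Added example (not from the original post). Decodes a service security
# descriptor in SDDL form and reports which principals may start, stop or
# pause the service, i.e. what the "Edit Security..." dialog in Step 4 grants.
# Service-specific access rights as defined by the Service Control Manager:
$SERVICE_START          = 0x0010   # RP in SDDL
$SERVICE_STOP           = 0x0020   # WP in SDDL
$SERVICE_PAUSE_CONTINUE = 0x0040   # DT in SDDL

function Get-ServiceControlRights {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only plain allow/deny ACEs carry a SID and an access mask to decode.
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }
        [pscustomobject]@{
            Principal = $who
            AceType   = $ace.AceType
            Start     = [bool]($ace.AccessMask -band $SERVICE_START)
            Stop      = [bool]($ace.AccessMask -band $SERVICE_STOP)
            Pause     = [bool]($ace.AccessMask -band $SERVICE_PAUSE_CONTINUE)
        }
    }
}

# Constructed sample: Administrators keep full control, INTERACTIVE has been
# granted start, stop and pause (the Tip in Step 4), Authenticated Users can
# only query the service.
$SampleSddl = 'D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;AU)'
Get-ServiceControlRights -Sddl $SampleSddl | Format-Table -AutoSize

# Live check on a client once the policy has applied and the machine has
# rebooted; sc.exe prints the service's current descriptor (AppIDSvc assumed):
# Get-ServiceControlRights -Sddl ((sc.exe sdshow AppIDSvc) -join '').Trim()
```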

Using Group Policy Preferences to configure a Service

The newer and almost always better way to configure services is to use the Group Policy Preferences Services options. As opposed to the native method, which only allows you to control the startup mode and security of a service, preferences allow you much greater control.

The only reasons you would not want to use Group Policy Preferences to control services are:

  1. You need to configure the startup mode of a service on a computer running Windows 2000 or one that is not running the client side extensions.
  2. You want to configure the security to allow non-admins to start, stop or pause the service.

Always remember that when you configure a service startup mode using the native method, it will take precedence over Group Policy Preferences, and that you can use the native security options in conjunction with preferences.

Step 1. Edit a computer Group Policy Object that is targeted at the computers on which you want to control the service.

Step 2. Navigate to Computer Configuration > Preferences > Control Panel Settings > Services


Step 3. In the menu click Action > New > Service, then click the “…” button next to the Service Name field.

Note: From here you can either type the service name in the “Service Name” field or click the “…” button to choose the service from a predefined list of services.

Step 4. Select the service name that you want to configure and then click “Select”.

Step 5. Now you can configure the startup mode from the Startup mode drop-down box, and you can configure a service action.

The service action takes place at each Group Policy refresh, so you do not need to wait for the computer to reboot for the latest startup mode to take effect. This can also be handy if you want a service to start again if it crashes, or if you have a pesky service that requires restarting on a regular basis to keep running properly.

Step 6. Click on the “Recovery” tab to configure the recovery options of the service as you would configure in the service control panel.


Step 7. As this is a preference, you can also configure the standard “Common” options, such as item-level targeting, which allows you to granularly control which computers this setting targets.

Disable Java updates with Group Policy

By default, an installation of Java will check for updates and then will prompt the end user to install the update whether or not the user has Admin rights. In a small environment, this may not be a problem, but in a larger environment, this can generate a lot of unnecessary support requests when a user that doesn’t have Admin rights gets a UAC prompt that wants Admin credentials. Here’s how to disable the Java update checks so that your end users don’t see messages like this:


Disabling the Java update notifications is actually pretty easy. There’s a registry setting in HKEY_LOCAL_MACHINE that will allow you to completely disable both update notifications and the update functionality. The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy. The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates. Here’s what it looks like in the Registry with updates enabled:


You could set this manually, but there’s actually a much easier way to do this in Group Policy. First off you’ll need a Group Policy Object (GPO) that applies to your computers that need to have the updater disabled. In my example, it is an empty GPO, but there’s no reason why you can’t add this to an existing GPO.

In your GPO, go to Computer Configuration > Preferences > Windows Settings > Registry. Right-click and choose New > Registry Item.


If you have Java installed on your management station, you can browse the registry to the setting you’ll be changing. (If you don’t, you can skip the next couple of steps and enter the values manually.) In the window that opens, click the “…” button next to Key Path.

Browse down to HKEY_LOCAL_MACHINE > SOFTWARE > JavaSoft > Java Update > Policy. In the bottom window, you should see EnableJavaUpdate. Click on it and then click Select.


When you’re taken back to the last window, it should look something like the screenshot below. If you didn’t have Java installed on your management station, you can enter the following:

X32

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zeros)

X64

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zeros)

When you click OK, it should look something like this in the Group Policy Management Editor:


All that is left is to let Group Policy refresh on your test systems (or you can run a gpupdate.exe manually). If you open the Registry Editor, you should see the setting changed:


If you’re on a 32-bit OS, you can go to the Control Panel, run the Java Control Panel tool, and you’ll see that the Update tab is now gone. (For some reason, the 64-bit version of Java on a 64-bit OS doesn’t have the Update tab.)


With ‘Action’ set to ‘Update’, Group Policy will recreate the entry at the next refresh.

Build a ThinBased-PC with Windows 7/8

Thin clients were often chosen for their lower cost, but in many cases that is no longer the deciding factor. Using a traditional workstation to connect to an SBC/VDI infrastructure is becoming more and more logical, even though the user works on a full desktop where all applications run in the data center.

The most important step is to lock down the workstation. How many settings should be removed from the user interface depends on the requirements and wishes of the organization/customer. There are scenarios where you would like to remove as much as possible, but offering some applications or configuration settings is also pretty logical: think of adjusting the screen resolution, keyboard/mouse settings and regional settings.

While there are very good third-party and freeware products available for using a standard workstation as a thin client, you can also do it with default Microsoft technologies when there is no budget or freeware is not allowed in the company. In this article I would like to show you an example configuration that turns your workstation into a ThinBasedPC with Group Policy only.

Group Policy Management
NL_GPO_MGT_ThinbasedPC
Data collected on: 7/8/2014 11:46:35 AM
General
Details
Domain Raylin.local
Owner raylin\Domain Admins
Created 6/19/2014 11:38:14 AM
Modified 7/8/2014 11:17:52 AM
User Revisions 141 (AD), 141 (sysvol)
Computer Revisions 244 (AD), 244 (sysvol)
Unique ID {CDAAEC72-0CDF-4A24-A1FE-2F71FB694E23}
GPO Status Enabled
Links
Location Enforced Link Status Path
ThinBasedPC No Enabled raylin.local/Computers/ThinBasedPC

This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
raylin\Domain Admins Edit settings, delete, modify security No
raylin\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Windows Firewall with Advanced Security
Global Settings
Policy Setting
Policy version Not Configured
Disable stateful FTP Not Configured
Disable stateful PPTP Not Configured
IPsec exempt Not Configured
IPsec through NAT Not Configured
Preshared key encoding Not Configured
SA idle time Not Configured
Strong CRL check Not Configured
Domain Profile Settings
Policy Setting
Firewall state Off
Inbound connections Not Configured
Outbound connections Not Configured
Apply local firewall rules Not Configured
Apply local connection security rules Not Configured
Display notifications Not Configured
Allow unicast responses Not Configured
Log dropped packets Not Configured
Log successful connections Not Configured
Log file path Not Configured
Log file maximum size (KB) Not Configured
Connection Security Settings
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel/Regional and Language Options
Policy Setting Comment
Force selected system UI language to overwrite the user UI language Enabled
Restricts the UI language Windows uses for all logged users Enabled
Restrict users to the following language: Dutch
Control Panel/User Accounts
Policy Setting Comment
Apply the default account picture to all users Enabled
Network/Background Intelligent Transfer Service (BITS)
Network/Network Connections
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting Comment
Windows Firewall: Protect all network connections Disabled
Network/Offline Files
Policy Setting Comment
Prevent use of Offline Files folder Enabled
Prohibit user configuration of Offline Files Enabled
Prevents users from changing any cache configuration settings.
Policy Setting Comment
Remove “Make Available Offline” command Enabled
Turn off reminder balloons Enabled
Network/Windows Connect Now
Printers
Policy Setting Comment
Always render print jobs on the server Enabled
Disallow installation of printers using kernel-mode drivers Enabled
Execute print drivers in isolated processes Enabled
Point and Print Restrictions Enabled
Users can only point and print to these servers: Enabled
Enter fully qualified server names separated by semicolons localhost
Users can only point and print to machines in their forest Disabled
Security Prompts:
When installing drivers for a new connection: Do not show warning or elevation prompt
When updating drivers for an existing connection: Do not show warning or elevation prompt
This setting only applies to:
Windows Vista and later
System/Device Installation
System/Filesystem/NTFS
System/Group Policy
Policy Setting Comment
Configure user Group Policy loopback processing mode Enabled
Mode: Replace
System/Internet Communication Management
Policy Setting Comment
Restrict Internet communication Enabled
System/Internet Communication Management/Internet Communication settings
System/Locale Services
Policy Setting Comment
Disallow changing of geographic location Enabled
System/Logon
Policy Setting Comment
Assign a default domain for logon Enabled
Default Logon domain: raylin.locall
Enter the name of the domain
Policy Setting Comment
Do not display the Getting Started welcome screen at logon Enabled
Hide entry points for Fast User Switching Enabled
Run these programs at user logon Enabled
Items to run at logon
iexplore.exe -K
Policy Setting Comment
Turn off Windows Startup sound Enabled
System/Power Management/Button Settings
Policy Setting Comment
Select the Power button action (on battery) Enabled
Power Button Action Shut down
Policy Setting Comment
Select the Power button action (plugged in) Enabled
Power Button Action Shut down
System/Power Management/Hard Disk Settings
Policy Setting Comment
Turn Off the hard disk (plugged in) Enabled
Turn Off the Hard Disk (seconds): 7200
System/Power Management/Sleep Settings
System/Power Management/Video and Display Settings
Policy Setting Comment
Turn off the display (plugged in) Enabled
Turn Off the Display (seconds): 3600
System/Remote Assistance
System/User Profiles
Windows Components/Application Compatibility
Policy Setting Comment
Prevent access to 16-bit applications Enabled
Windows Components/AutoPlay Policies
Policy Setting Comment
Turn off Autoplay Enabled
Turn off Autoplay on: All drives
Windows Components/Desktop Gadgets
Policy Setting Comment
Turn off desktop gadgets Enabled
Windows Components/Desktop Window Manager
Policy Setting Comment
Do not allow Flip3D invocation Enabled
Do not allow window animations Enabled
Windows Components/Game Explorer
Windows Components/HomeGroup
Policy Setting Comment
Prevent the computer from joining a homegroup Enabled
Windows Components/Internet Explorer
Policy Setting Comment
Disable Automatic Install of Internet Explorer components Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing connection settings Enabled
Disable Periodic Check for Internet Explorer software updates Enabled
Disable showing the splash screen Enabled
Do not allow users to enable or disable add-ons Enabled
Enforce full-screen mode Enabled
Prevent access to Internet Explorer Help Enabled
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Enabled
Prevent changing proxy settings Enabled
Prevent changing the default search provider Enabled
Prevent Internet Explorer Search box from appearing Enabled
Prevent managing pop-up exception list Enabled
Prevent managing SmartScreen Filter Enabled
Select SmartScreen Filter mode Off
Policy Setting Comment
Prevent managing the phishing filter Enabled
Select phishing filter mode Off
Policy Setting Comment
Prevent participation in the Customer Experience Improvement Program Enabled
Prevent running First Run wizard Enabled
Select your choice Go directly to home page
Policy Setting Comment
Security Zones: Do not allow users to add/delete sites Enabled
Security Zones: Do not allow users to change policies Enabled
Turn off ability to pin sites in Internet Explorer on the desktop Enabled
Turn off Automatic Crash Recovery Enabled
Turn off Crash Detection Enabled
Turn off Favorites bar Enabled
Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled
Select SmartScreen Filter mode for Internet Explorer 8 Off
Policy Setting Comment
Turn off page-zooming functionality Enabled
Turn off pop-up management Enabled
Turn off Quick Tabs functionality Enabled
Turn off Reopen Last Browsing Session Enabled
Turn off tabbed browsing Enabled
Turn off the quick pick menu Enabled
Turn off the Security Settings Check feature Enabled
Windows Components/Internet Explorer/Accelerators
Policy Setting Comment
Turn off Accelerators Enabled
Windows Components/Internet Explorer/Browser menus
Policy Setting Comment
Turn off Print Menu Enabled
Windows Components/Internet Explorer/Compatibility View
Policy Setting Comment
Use Policy List of Internet Explorer 7 sites Enabled
List of sites
raylin.nl
raylin.local
Windows Components/Internet Explorer/Delete Browsing History
Policy Setting Comment
Allow deleting browsing history on exit Enabled
Windows Components/Internet Explorer/Internet Control Panel
Windows Components/Internet Explorer/Internet Control Panel/Security Page
Policy Setting Comment
Intranet Sites: Include all network paths (UNCs) Enabled
Intranet Sites: Include all sites that bypass the proxy server Enabled
Site to Zone Assignment List Enabled
Enter the zone assignments here.
https://desktop.raylin.nl/vpn/index.html 1
http://ctxweb.raylin.local/Citrix/XenApp/ 1
https://netwerk.raylin.nl/vpn/index.html 1
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
Policy Setting Comment
Launching applications and files in an IFRAME Enabled
Launching applications and files in an IFRAME Enable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
Policy Setting Comment
Allow active scripting Enabled
Allow active scripting Enable
Policy Setting Comment
Launching applications and files in an IFRAME Enabled
Launching applications and files in an IFRAME Enable
Windows Components/Internet Explorer/Internet Settings/Component Updates/Help Menu > About Internet Explorer
Policy Setting Comment
Prevent specifying cipher strength update information URLs Enabled
Cipher Strength Update Information URL:
Windows Components/Internet Explorer/Internet Settings/Component Updates/Periodic check for updates to Internet Explorer and Internet Tools
Policy Setting Comment
Prevent specifying the update check interval (in days) Enabled
Update check interval (in days): 30
Windows Components/Internet Explorer/Security Features
Policy Setting Comment
Turn off Data Execution Prevention Enabled
Windows Components/Internet Explorer/Toolbars
Policy Setting Comment
Hide the Command bar Enabled
Lock all toolbars Enabled
Turn off Developer Tools Enabled
Turn off toolbar upgrade tool Enabled
Windows Components/Internet Information Services
Policy Setting Comment
Prevent IIS installation Disabled
Windows Components/NetMeeting
Policy Setting Comment
Disable remote Desktop Sharing Enabled
Windows Components/Network Projector
Policy Setting Comment
Turn off Connect to a Network Projector Enabled
Windows Components/Online Assistance
Policy Setting Comment
Turn off Active Help Enabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
Policy Setting Comment
Do not allow passwords to be saved Enabled
Windows Components/RSS Feeds
Windows Components/Security Center
Policy Setting Comment
Turn on Security Center (Domain PCs only) Disabled
Windows Components/Sound Recorder
Policy Setting Comment
Do not allow Sound Recorder to run Enabled
Windows Components/Windows Calendar
Policy Setting Comment
Turn off Windows Calendar Enabled
Windows Components/Windows Customer Experience Improvement Program
Windows Components/Windows Defender
Policy Setting Comment
Turn off Windows Defender Enabled
Windows Components/Windows Error Reporting
Policy Setting Comment
Disable logging Enabled
Disable Windows Error Reporting Enabled
Windows Components/Windows Installer
Policy Setting Comment
Prevent Internet Explorer security prompt for Windows Installer scripts Enabled
Turn off Windows Installer Enabled
Disable Windows Installer Never
Windows Components/Windows Mail
Policy Setting Comment
Turn off Windows Mail application Enabled
Windows Components/Windows Media Center
Policy Setting Comment
Do not allow Windows Media Center to run Enabled
Windows Components/Windows Media Digital Rights Management
Policy Setting Comment
Prevent Windows Media DRM Internet Access Enabled
Windows Components/Windows Media Player
Windows Components/Windows Messenger
Policy Setting Comment
Do not allow Windows Messenger to be run Enabled
Windows Components/Windows Mobility Center
Policy Setting Comment
Turn off Windows Mobility Center Enabled
Windows Components/Windows PowerShell
Policy Setting Comment
Turn on Script Execution Enabled
Execution Policy Allow all scripts
Preferences
Windows Settings
Registry
AutoAdminLogon (Order: 1)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name AutoAdminLogon
Value type REG_SZ
Value data 1
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DefaultDomainName (Order: 2)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name DefaultDomainName
Value type REG_SZ
Value data raylin.local
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DefaultUserName (Order: 3)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name DefaultUserName
Value type REG_SZ
Value data Kiosk
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DefaultPassword (Order: 4)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name DefaultPassword
Value type REG_SZ
Value data Kiosk1!
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DisableLockWorkstation (Order: 5)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name DisableLockWorkstation
Value type REG_SZ
Value data 1
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
FullScreen (Order: 6)
General
Action Replace

Properties

Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Microsoft\Internet Explorer\Main
Value name FullScreen
Value type REG_SZ
Value data yes
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
Control Panel Settings
Power Options
Power Plan (Windows Vista) (Name: Balanced)
Power Plan (Windows Vista and later) (Order: 1)
Properties
Action Create
Make this the active Power Plan: Enabled
Name Balanced
When computer is: Plugged in Running on batteries
Require a password on wakeup: No No
Allow hybrid sleep: Off Off
Lid close action: Do nothing Do nothing
Power button action: Shutdown Shutdown
Start menu power button: Shutdown Shutdown
Link State Power Management: Moderate power savings Maximum power savings
Minimum processor state: After 5 minutes After 5 minutes
Maximum processor state: After 100 minutes After 100 minutes
Adaptive display: On On
Critical battery action: Do nothing Do nothing
Low battery level: After 10 minutes After 10 minutes
Critical battery level: After 5 minutes After 5 minutes
Low battery notification: Off Off
Low battery action: Do nothing Do nothing
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
User Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel
Policy Setting Comment
Always open All Control Panel Items when opening Control Panel Enabled
Show only specified Control Panel items Enabled
List of allowed Control Panel items
desk.cpl
Microsoft.Display
Control Panel/Add or Remove Programs
Policy Setting Comment
Hide Add/Remove Windows Components page Enabled
Control Panel/Personalization
Policy Setting Comment
Enable screen saver Disabled
Force a specific visual style file or force Windows Classic Enabled
Path to Visual Style: %windir%\Resources\Ease of Access Themes\basic.theme
To select Aero type:
%windir%\resources\Themes\Aero\aero.msstyles
To select a different visual style, type:
ie: \\<server>\share\Corp.msstyles
To select Windows Classic, leave the box
above blank and enable this setting
Policy Setting Comment
Prevent changing color and appearance Enabled
Prevent changing color scheme Enabled
Prevent changing desktop background Enabled
Prevent changing desktop icons Enabled
Prevent changing mouse pointers Enabled
Prevent changing screen saver Enabled
Prevent changing sounds Enabled
Prevent changing theme Enabled
Prevent changing visual style for windows and buttons Enabled
Prohibit selection of visual style font size Enabled
Control Panel/Printers
Policy Setting Comment
Prevent addition of printers Enabled
Prevent deletion of printers Enabled
Control Panel/Programs
Desktop
Desktop/Desktop
Policy Setting Comment
Disable Active Desktop Disabled
Network/Windows Connect Now
Start Menu and Taskbar
Policy Setting Comment
Clear history of recently opened documents on exit Enabled
Clear the recent programs list for new users Enabled
Do not allow pinning items in Jump Lists Enabled
Do not allow pinning programs to the Taskbar Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not display or track items in Jump Lists from remote locations Enabled
Do not keep history of recently opened documents Enabled
Do not search communications Enabled
Do not search for files Enabled
Do not search Internet Enabled
Do not search programs and Control Panel items Enabled
Do not use the search-based method when resolving shell shortcuts Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled
Hide the notification area Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Pin Apps to Start when installed Disabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Prevent users from adding or removing toolbars Enabled
Prevent users from customizing their Start Screen Enabled
Prevent users from moving taskbar to another screen dock location Enabled
Prevent users from rearranging toolbars Enabled
Prevent users from resizing the taskbar Enabled
Prevent users from uninstalling applications from Start Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove Balloon Tips on Start Menu items Enabled
Remove common program groups from Start Menu Enabled
Remove Default Programs link from the Start menu. Enabled
Remove Documents icon from Start Menu Enabled
Remove Downloads link from Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove frequent programs list from the Start Menu Enabled
Remove Games link from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Homegroup link from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Enabled
Remove Music icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove Network icon from Start Menu Enabled
Remove Pictures icon from Start Menu Enabled
Remove pinned programs from the Taskbar Enabled
Remove pinned programs list from the Start Menu Enabled
Remove Recent Items menu from Start Menu Enabled
Remove Recorded TV link from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Remove Search link from Start Menu Enabled
Remove See More Results / Search Everywhere link Enabled
Remove the Action Center icon Enabled
Remove the battery meter Enabled
Remove the networking icon Enabled
Remove user folder link from Start Menu Enabled
Remove user name from Start Menu Enabled
Remove user’s folders from the Start Menu Enabled
Remove Videos link from Start Menu Enabled
Show QuickLaunch on Taskbar Disabled
Turn off all balloon notifications Enabled
Turn off feature advertisement balloon notifications Enabled
Turn off notification area cleanup Enabled
Turn off personalized menus Enabled
Turn off user tracking Enabled
System/Ctrl+Alt+Del Options
Policy Setting Comment
Remove Change Password Enabled
Remove Lock Computer Enabled
Remove Logoff Enabled
Remove Task Manager Enabled
Windows Components/AutoPlay Policies
Policy Setting Comment
Set the default behavior for AutoRun Enabled
Default AutoRun Behavior Do not execute any autorun commands
Policy Setting Comment
Turn off Autoplay Enabled
Turn off Autoplay on: All drives
Windows Components/Desktop Gadgets
Policy Setting Comment
Turn off desktop gadgets Enabled
Windows Components/File Explorer
Policy Setting Comment
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
Policy Setting Comment
Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
Policy Setting Comment
Remove Search button from File Explorer Enabled
Turn off Windows+X hotkeys Enabled
Windows Components/Internet Explorer
Policy Setting Comment
Disable changing home page settings Enabled
Home Page http://ctxweb.raylin.local/Citrix/XenApp/
Policy Setting Comment
Enforce full-screen mode Enabled
Search: Disable Find Files via F3 within the browser Enabled
Turn off the quick pick menu Enabled
Windows Components/Internet Explorer/Browser menus
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy Setting Comment
Turn on Caret Browsing support Disabled
Windows Components/Internet Explorer/Privacy
Windows Components/Internet Explorer/Toolbars
Policy Setting Comment
Turn off Developer Tools Enabled
Windows Components/Microsoft Management Console
Policy Setting Comment
Restrict the user from entering author mode Enabled
Windows Components/Windows Calendar
Policy Setting Comment
Turn off Windows Calendar Enabled
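The registry preference items in the report above set an automatic-logon account and password under Winlogon, disable workstation locking and force Internet Explorer full-screen. The following PowerShell is an added audit script, not part of the report or the post, that reads those values back on the kiosk machine itself and flags the one that is a standing risk: a DefaultPassword stored in cleartext (the Registry.xml in SYSVOL that a GPP registry item writes it from is readable by every authenticated user). It assumes it runs elevated on the kiosk; the expected values for DisableLockWorkstation and FullScreen are those in the report. Because the report stores DisableLockWorkstation as REG_SZ while the policy-backed "Remove Lock Computer" setting (also enabled in this report) writes a DWORD, the script reports the value kind as well.

```powershell
# Added audit example (not from the GPO report): read back the Winlogon, lock-workstation and
# Internet Explorer values that the registry preference items set, without echoing secrets.

function Get-KioskLogonConfig {
    # Winlogon holds the auto-logon account and, when AutoAdminLogon is used, its password
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w = Get-ItemProperty -Path $winlogon -ErrorAction Stop

    [pscustomobject]@{
        AutoAdminLogon    = [string]$w.AutoAdminLogon
        DefaultUserName   = [string]$w.DefaultUserName
        DefaultDomainName = [string]$w.DefaultDomainName
        # true when a cleartext DefaultPassword value exists (its contents are never printed)
        CleartextPassword = -not [string]::IsNullOrEmpty($w.DefaultPassword)
    }
}

function Test-KioskLockdown {
    # One row per check, so the output can be piped to Format-Table or Export-Csv
    $checks = @(
        @{ Name = 'DisableLockWorkstation'
           Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
           Expected = '1' }
        # The preference item targets HKU\.DEFAULT; the per-user copy is read from HKCU here
        @{ Name = 'FullScreen'
           Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
           Expected = 'yes' }
    )
    foreach ($c in $checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $kind = 'Missing'
        try { $kind = (Get-Item -Path $c.Path -ErrorAction Stop).GetValueKind($c.Name) } catch { }
        [pscustomobject]@{
            Setting   = $c.Name
            Expected  = $c.Expected
            Actual    = $actual
            Kind      = $kind
            Compliant = ([string]$actual -eq $c.Expected)
        }
    }
}

$logon = Get-KioskLogonConfig
$logon | Format-List
if ($logon.CleartextPassword) {
    $msg = 'DefaultPassword is stored in cleartext under Winlogon for {0}\{1}; ' +
           'the GPP Registry.xml in SYSVOL that sets it is readable by every authenticated user.'
    Write-Warning ($msg -f $logon.DefaultDomainName, $logon.DefaultUserName)
}
Test-KioskLockdown | Format-Table -AutoSize
```

Run it after gpupdate on the kiosk; a Kind of String for DisableLockWorkstation tells you the preference item applied exactly as the report shows, which is worth confirming against the policy-backed DWORD before relying on it.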

 

Start screen Control Windows 8.1

Windows 8.1 Enterprise is now available, and included in it is a brand new feature called Start screen control. For those not familiar with this new feature, it is designed to allow IT pros to configure the layout of the Start screen for a group of users, preventing those users from making changes to that layout.

STARTSCREEN2

Once arranged, you can export this layout into an XML file using a simple PowerShell command:

Export-StartLayout -path C:\StartLayout.xml -As XML

Next, you can specify a path to this layout file using Active Directory Group Policy. From the Group Policy Management Editor, navigate to “User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar”, where you can find the “Start Screen Layout” policy setting:

STARTSCREEN1
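The procedure above, carried through in PowerShell as an added example that is not part of the original post: export the layout from the reference machine (using the Windows 8.1 `-As XML` syntax shown in the post), confirm the file is well-formed XML before publishing it, copy it to the share users will read it from, check that broad groups cannot write to that file (anyone who can edit it controls the Start screen of every targeted user), and read back the two values the “Start Screen Layout” policy writes under the user hive. The UNC path and file names are assumptions.

```powershell
# Added example (not from the original post). Assumed paths:
$LocalLayout  = 'C:\StartLayout.xml'
$SharedLayout = '\\fileserver\StartLayouts$\Kiosk.xml'   # assumed read-only share for users

function Export-ValidatedStartLayout {
    param([string]$Path)
    # Windows 8.1 syntax, as in the post; Windows 10 drops the -As parameter
    Export-StartLayout -Path $Path -As XML
    # The [xml] cast throws on malformed content, so a truncated or hand-edited file fails here
    $doc = [xml](Get-Content -Path $Path -Raw)
    [pscustomobject]@{
        Path  = $Path
        Root  = $doc.DocumentElement.LocalName
        Bytes = (Get-Item -Path $Path).Length
    }
}

function Test-LayoutFileAcl {
    # Report Allow entries that give write-type rights to broad principals on the layout file
    param([string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $writeMask)
        } |
        ForEach-Object {
            [pscustomobject]@{ Identity = $_.IdentityReference.Value; Rights = $_.FileSystemRights }
        }
}

function Get-StartLayoutPolicy {
    # Values written by User Configuration > Policies > Administrative Templates >
    # Start Menu and Taskbar > Start Screen Layout
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LockedStartLayout = $p.LockedStartLayout
        StartLayoutFile   = $p.StartLayoutFile
        FileReachable     = [bool]($p.StartLayoutFile -and (Test-Path -Path $p.StartLayoutFile))
    }
}

Export-ValidatedStartLayout -Path $LocalLayout
Copy-Item -Path $LocalLayout -Destination $SharedLayout
$loose = Test-LayoutFileAcl -Path $SharedLayout
if ($loose) {
    Write-Warning 'Broad write access on the layout file:'
    $loose | Format-Table -AutoSize
}
Get-StartLayoutPolicy
```

The first three steps run on the reference machine; the last function is meant for a client in the targeted OU after gpupdate, where FileReachable being false is the usual reason a locked layout never appears.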

Create a Power Plan in Group Policy

1. Create a Group Policy object

Open the Group Policy editing tool and create a new policy object.

Expand Computer Configuration \ Preferences \ Control Panel Settings \ Power Options.

POWERSCHEME1

2. Create a Power Plan

Edit the policy (right-click and “Edit”).

Go to: User Configuration > Preferences > Control Panel Settings > Power Options

Right-click in the window and choose “Create a Power Plan”.

POWERSCHEME2

3. Edit the Power Plan settings

Go through all the options and set them as you need.

POWERSCHEME3

4. Save the Power Plan

Change the Action switch at the top to “Create”, then click OK.

When you edit the settings next time, you need to change the Action field to “Update”, and remember to tick the box “Set as the active power plan”.
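A way to confirm on a client that the preference item actually created the plan and made it active, as an added example that is not part of the original post: parse the output of powercfg /list into objects and compare the active scheme against the expected name. It assumes English powercfg output (the regular expression matches the English “Power Scheme GUID:” line) and the plan name “Balanced” from the walkthrough.

```powershell
# Added verification example (not from the original post).

function Get-PowerScheme {
    # powercfg /list prints lines such as:
    #   Power Scheme GUID: 381b4222-f694-41f0-9685-ff5bb260df2e  (Balanced) *
    # The trailing asterisk marks the active scheme. Assumes English output.
    $pattern = '^Power Scheme GUID:\s+(?<guid>[0-9a-fA-F\-]{36})\s+\((?<name>[^)]*)\)\s*(?<active>\*)?\s*$'
    powercfg /list | ForEach-Object {
        if ($_ -match $pattern) {
            [pscustomobject]@{
                Guid   = [guid]$Matches.guid
                Name   = $Matches.name
                Active = [bool]$Matches.active
            }
        }
    }
}

function Test-ActivePowerPlan {
    param([Parameter(Mandatory)][string]$ExpectedName)
    $schemes = @(Get-PowerScheme)
    $active  = $schemes | Where-Object Active
    [pscustomobject]@{
        Expected     = $ExpectedName
        Active       = $active.Name
        Compliant    = ($active.Name -eq $ExpectedName)
        KnownSchemes = ($schemes.Name -join ', ')
    }
}

# Refresh both computer and user policy first so the preference item has had a chance to run
gpupdate /force | Out-Null
Test-ActivePowerPlan -ExpectedName 'Balanced'
```

If the plan exists but Compliant is false, the usual cause is the “Set as the active power plan” box not being ticked on an Update action, which the last paragraph above describes.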

Hide Unwanted Items From the Control Panel

One of the common lockdowns that administrators apply is to remove all but the essential Control Panel items.

Prior to Windows 7 you had to specify the .cpl file name (e.g. timedate.cpl) of the Control Panel item you wanted to show or hide. This changed in Windows 7, and you now need to use the canonical name when hiding or showing specific items.

Step 1. Edit the Group Policy Object that is applied to the users to whom you want to apply the Control Panel configuration.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Control Panel

CONTROLPANELGPO1

Step 3. Double-click the Hide specified Control Panel items setting, select Enabled and then click the Show button.

CONTROLPANELGPO2

CONTROLPANELGPO3

The following are the Control Panel items available in Windows 8.1:

Action Center
Administrative Tools : Microsoft.AdministrativeTools
AutoPlay : Microsoft.AutoPlay
Biometric Devices : Microsoft.BiometricDevices
BitLocker Drive Encryption : Microsoft.BitLockerDriveEncryption
Color Management : Microsoft.ColorManagement
Credential Manager : Microsoft.CredentialManager
Date and Time : Microsoft.DateAndTime
Default Programs : Microsoft.DefaultPrograms
Device Manager : Microsoft.DeviceManager
Devices and Printers : Microsoft.DevicesAndPrinters
Display : Microsoft.Display
Ease of Access Center : Microsoft.EaseOfAccessCenter
Family Safety : Microsoft.ParentalControls
File History : Microsoft.FileHistory
Folder Options : Microsoft.FolderOptions
Fonts : Microsoft.Fonts
HomeGroup : Microsoft.HomeGroup
Indexing Options : Microsoft.IndexingOptions
Infrared : Microsoft.Infrared
Internet Options : Microsoft.InternetOptions
iSCSI Initiator : Microsoft.iSCSIInitiator
iSNS Server : Microsoft.iSNSServer
Keyboard : Microsoft.Keyboard
Language : Microsoft.Language
Location Settings : Microsoft.LocationSettings
Mouse : Microsoft.Mouse
MPIOConfiguration : Microsoft.MPIOConfiguration
Network and Sharing Center : Microsoft.NetworkAndSharingCenter
Notification Area Icons : Microsoft.NotificationAreaIcons
Pen and Touch : Microsoft.PenAndTouch
Personalization : Microsoft.Personalization
Phone and Modem : Microsoft.PhoneAndModem
Power Options : Microsoft.PowerOptions
Programs and Features : Microsoft.ProgramsAndFeatures
Recovery : Microsoft.Recovery
Region : Microsoft.RegionAndLanguage
RemoteApp and Desktop Connections : Microsoft.RemoteAppAndDesktopConnections
Sound : Microsoft.Sound
Speech Recognition : Microsoft.SpeechRecognition
Storage Spaces : Microsoft.StorageSpaces
Sync Center : Microsoft.SyncCenter
System : Microsoft.System
Tablet PC Settings : Microsoft.TabletPCSettings
Taskbar and Navigation : Microsoft.Taskbar
Troubleshooting : Microsoft.Troubleshooting
TSAppInstall : Microsoft.TSAppInstall
User Accounts : Microsoft.UserAccounts
Windows Anytime Upgrade : Microsoft.WindowsAnytimeUpgrade
Windows Defender : Microsoft.WindowsDefender
Windows Firewall : Microsoft.WindowsFirewall
Windows Mobility Center : Microsoft.MobilityCenter
Windows To Go : Microsoft.PortableWorkspaceCreator
Windows Update : Microsoft.WindowsUpdate
Work Folders : Microsoft.WorkFolders
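A check a practitioner wants after building the list above, as an added example that is not part of the original post: read the names that the “Hide specified Control Panel items” policy stored in the registry (and those of the companion “Show only specified Control Panel items” policy, which the GPO report earlier on this page uses), and compare them against the items actually installed on the machine. A misspelled canonical name is the usual way this lockdown silently fails: the item simply stays visible. The script assumes the registry locations the ControlPanel ADMX writes to (DisallowCpl for the hide list, RestrictCpl for the allow list, each a flag value plus a subkey of numbered values) and the Get-ControlPanelItem cmdlet, which exists on Windows 8 and later.

```powershell
# Added example (not from the original post).

function Get-ControlPanelPolicyList {
    # DisallowCpl = hide list, RestrictCpl = allow list. The flag value of the same name
    # turns the policy on; the subkey of the same name holds the names as values 1..n.
    param([ValidateSet('DisallowCpl','RestrictCpl')][string]$List = 'DisallowCpl')
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $enabled = (Get-ItemProperty -Path $base -Name $List -ErrorAction SilentlyContinue).$List
    $names = @()
    if (Test-Path -Path "$base\$List") {
        $item  = Get-Item -Path "$base\$List"
        $names = $item.GetValueNames() |
            Where-Object { $_ -match '^\d+$' } |
            Sort-Object { [int]$_ } |
            ForEach-Object { $item.GetValue($_) }
    }
    [pscustomobject]@{ List = $List; Enabled = ($enabled -eq 1); Names = @($names) }
}

function Test-ControlPanelPolicyNames {
    param([string[]]$Names)
    $installed = Get-ControlPanelItem | Select-Object -ExpandProperty CanonicalName
    foreach ($n in $Names) {
        [pscustomobject]@{
            Name      = $n
            # false means no installed item carries this canonical name: likely a typo,
            # or an item that is simply not present on this machine
            Installed = ($installed -contains $n)
            # .cpl file names are the pre-Windows 7 style the post describes
            LegacyCpl = ($n -like '*.cpl')
        }
    }
}

foreach ($list in 'DisallowCpl', 'RestrictCpl') {
    $p = Get-ControlPanelPolicyList -List $list
    '{0}: enabled={1}, {2} entries' -f $p.List, $p.Enabled, $p.Names.Count
    if ($p.Names.Count -gt 0) { Test-ControlPanelPolicyNames -Names $p.Names | Format-Table -AutoSize }
}
```

Run it as the targeted user after gpupdate; every row with Installed false deserves a second look against the canonical-name list above.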

Loopback processing of Group Policy

Group Policy has two main configurations, user and computer. The Computer Configuration is applied to the computer regardless of which user logs on, and the User Configuration is applied to the user regardless of which computer they log on to.
We have a domain with two different organizational units (OUs), Green and Red: the Green OU contains a computer account and the Red OU contains a user account.
The Green policy, which has the settings “Computer Configuration 2” and “User Configuration 2”, is applied to the OU with the computer account.
The Red policy, which has the settings “Computer Configuration 1” and “User Configuration 1”, is applied to the OU with the user account.

LOOPBACK1

If Loopback processing of Group Policy is not enabled and our User logs on to our Computer, the following is true:

LOOPBACK2

The User gets Computer Configuration 2 and User Configuration 1. This is the standard situation, where policies are applied according to OU membership: the User belongs to the Red OU, so he gets the Red User Configuration 1.

Now enable Loopback processing of Group Policy for the Green OU. In this case, if the User logs on to the Computer, the policies are applied in the following way:

LOOPBACK3

The User gets User Configuration 2 despite belonging to the Red OU. What has happened in this scenario is that User Configuration 1 was replaced with User Configuration 2, i.e. with the configuration applied to the Computer account.

This is Loopback in Replace mode. Loopback processing of Group Policy has two different modes, Replace and Merge. Replace mode replaces the User Configuration with the one applied to the Computer, whereas Merge mode merges the two User Configurations.

LOOPBACK4

In Merge mode, if there is a conflict (for example, two policies provide different values for the same setting), the Computer’s policy takes precedence. In this scenario, in case of a conflict, User Configuration 2 would be enforced.

To enable Loopback Processing navigate to: Computer Configuration/Administrative Templates/System/Group Policy/Configure user Group Policy loopback processing mode

LOOPBACK5
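The Green/Red scenario above, modelled in PowerShell as an added example that is not part of the original post. The first function resolves which user settings take effect for each of the three cases described (loopback off, Merge, Replace); the second reads the value that the “Configure user Group Policy loopback processing mode” policy writes on the computer, so you can confirm which case a given machine is in. The setting names and values in the sample hashtables are constructed for illustration.

```powershell
# Added example (not from the original post).

function Resolve-LoopbackUserSettings {
    # $UserSide:     user settings from GPOs linked where the user account lives (Red OU)
    # $ComputerSide: user settings from GPOs linked where the computer lives (Green OU)
    param(
        [hashtable]$UserSide,
        [hashtable]$ComputerSide,
        [ValidateSet('None', 'Merge', 'Replace')][string]$Mode = 'None'
    )
    switch ($Mode) {
        'None'    { return $UserSide.Clone() }       # only the user's own OU counts
        'Replace' { return $ComputerSide.Clone() }   # the user's OU settings are ignored
        'Merge'   {
            # Both lists apply; the computer-side list is processed last, so on a
            # conflict it wins, which is what the post describes for Merge mode.
            $effective = $UserSide.Clone()
            foreach ($k in $ComputerSide.Keys) { $effective[$k] = $ComputerSide[$k] }
            return $effective
        }
    }
}

function Get-LoopbackMode {
    # UserPolicyMode under the computer's Policies\System key: 1 = Merge, 2 = Replace;
    # absent or 0 means loopback is not configured on this machine
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                          -Name UserPolicyMode -ErrorAction SilentlyContinue
    switch ([int]$p.UserPolicyMode) { 1 { 'Merge' } 2 { 'Replace' } default { 'None' } }
}

# Constructed sample: "User Configuration 1" (Red OU) and "User Configuration 2" (Green OU).
# Wallpaper and RemoveRunMenu are set on both sides, so they are the conflicting settings.
$red   = @{ Wallpaper = 'corp.jpg';  ScreenSaverTimeout = 600; RemoveRunMenu = $false }
$green = @{ Wallpaper = 'kiosk.jpg'; RemoveRunMenu = $true }

foreach ($mode in 'None', 'Merge', 'Replace') {
    $eff = Resolve-LoopbackUserSettings -UserSide $red -ComputerSide $green -Mode $mode
    $summary = ($eff.GetEnumerator() | Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
    '{0,-7}: {1}' -f $mode, $summary
}
"This computer's loopback mode: " + (Get-LoopbackMode)
```

Merge keeps the Red-only ScreenSaverTimeout while the Green values win the two conflicts; Replace drops ScreenSaverTimeout entirely, which is the difference that matters when a user-side GPO carries settings the computer-side one does not mention.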

 

How to exclude individual users or computers from a Group Policy Object

Step 1. Open the Group Policy Object to which you want to apply an exception, click on the “Delegation” tab and then click on the “Advanced” button.

GPMC1

Step 2. Click on the “Add” button and select the group (recommended) that you want to exclude from having this policy applied.

GPMC2

Step 3. In this example I am excluding the “Users GPO Exceptions” group from this policy. Select this group in the “Group or user names” list, then scroll down the permissions list and tick the “Deny” option against the “Apply Group Policy” permission.

GPMC3

Now any member of this “Users GPO Exceptions” security group will not have this Group Policy Object applied. Using a security group to control the exception makes it much easier to manage, as someone only needs to modify the membership of the group to change who (or what) gets the policy applied. This makes delegating the task to level 1 or level 2 support much more practical, as you don’t need to grant them permissions on the Group Policy Objects.
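Once several GPOs carry exceptions like this, the Delegation tab is a slow place to review them. The following is an added example, not part of the original post, that lists every trustee with “Apply Group Policy” denied across all GPOs in the domain using the GroupPolicy module (RSAT), and flags entries that deny an individual user rather than a group, since the post recommends groups so that support staff only manage membership. It assumes the Denied, Permission and Trustee.SidType properties of the objects Get-GPPermission returns, as used below.

```powershell
# Added audit example (not from the original post). Requires the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoApplyExceptions {
    param([string]$Name)   # omit to audit every GPO in the domain
    $gpos = if ($Name) { Get-GPO -Name $Name } else { Get-GPO -All }
    foreach ($gpo in $gpos) {
        # -All returns one entry per trustee; a Deny on Apply Group Policy is what the
        # Delegation > Advanced steps above create
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo         = $gpo.DisplayName
                    Trustee     = $_.Trustee.Name
                    TrusteeType = [string]$_.Trustee.SidType
                    Denied      = 'Apply Group Policy'
                }
            }
    }
}

function Test-ExceptionIsGroup {
    # A Deny on a single user works but is harder to delegate; flag those rows
    param([Parameter(ValueFromPipeline)]$Exception)
    process {
        $Exception | Add-Member -NotePropertyName IsGroup `
                                -NotePropertyValue ($Exception.TrusteeType -eq 'Group') -PassThru
    }
}

Get-GpoApplyExceptions | Test-ExceptionIsGroup | Format-Table -AutoSize
```

Pass -Name to Get-GpoApplyExceptions to check a single GPO after following the steps above; an empty result means the Deny was not saved or was set on a different permission than Apply Group Policy.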