
Seize the Operations Master Role

You can use the Ntdsutil.exe command-line tool to transfer and seize any operations master (also known as flexible single master operations or FSMO) role. You must use Ntdsutil.exe to seize the schema operations master, domain naming operations master, and relative ID (RID) operations master roles. When you use Ntdsutil.exe to seize an operations master role, the tool first attempts a transfer from the current role owner. If the current role owner is not available, the tool seizes the role.

When you use Ntdsutil.exe to seize an operations master role, the procedure is nearly identical for all roles. For more information about using Ntdsutil.exe, type ? at the ntdsutil: command prompt.

To seize an operations master role

  1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. At the command prompt, type ntdsutil, and then press ENTER.
  3. At the ntdsutil: prompt, type roles, and then press ENTER.
  4. At the fsmo maintenance: prompt, type connections, and then press ENTER.
  5. At the server connections: prompt, type connect to server <servername> (where <servername> is the name of the domain controller that will assume the operations master role), and then press ENTER.
  6. After you receive confirmation of the connection, type quit, and then press ENTER.
  7. Depending on the role that you want to seize, at the fsmo maintenance: prompt, type the appropriate command, and then press ENTER.

    | Role | Credentials | Command |
    | --- | --- | --- |
    | Domain naming master | Enterprise Admins | Seize naming master |
    | Schema master | Enterprise Admins | Seize schema master |
    | Infrastructure master | Domain Admins | Seize infrastructure master |
    | Primary domain controller (PDC) emulator | Domain Admins | Seize pdc |
    | RID master | Domain Admins | Seize rid master |

    The system asks for confirmation. It then attempts to transfer the role. When the transfer fails, some error information appears and the system proceeds with the seizure of the role. After the seizure of the role is complete, a list of the roles and the Lightweight Directory Access Protocol (LDAP) name of the server that currently holds each role appears.

    During seizure of the relative ID (RID) operations master role, the current role holder attempts to synchronize with its replication partners. If it cannot establish a connection with a replication partner during the seizure operation, it displays a warning and asks for confirmation that you want the seizure of the role to proceed. Click Yes to proceed.

  8. Type quit, and then press ENTER. Type quit again, and then press ENTER to exit Ntdsutil.exe.
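
The same steps can be passed to Ntdsutil.exe as arguments, with a check of the role owner before and after. This PowerShell sketch is an added example, not part of the original procedure. It assumes the ActiveDirectory module (RSAT) and Test-NetConnection are available; DC02 is a placeholder for the domain controller that will assume the role.

```powershell
# Added example (not from the original article). DC02 is a placeholder name.
Import-Module ActiveDirectory

$TargetDC = 'DC02'   # placeholder: domain controller that will assume the role
$Role     = 'pdc'    # keyword from the table in step 7: 'naming master', 'schema master',
                     # 'infrastructure master', 'pdc' or 'rid master'

# Return the FQDN of the server that currently holds the given role.
function Get-RoleOwner {
    param([string]$Role, [string]$Server)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    switch ($Role) {
        'naming master'         { $forest.DomainNamingMaster }
        'schema master'         { $forest.SchemaMaster }
        'infrastructure master' { $domain.InfrastructureMaster }
        'pdc'                   { $domain.PDCEmulator }
        'rid master'            { $domain.RIDMaster }
        default                 { throw "Unknown role keyword: $Role" }
    }
}

$before = Get-RoleOwner -Role $Role -Server $TargetDC
Write-Host "Current $Role owner: $before"

# Ntdsutil attempts a transfer first, so a reachable owner means a transfer, not a seizure.
$ownerUp = Test-NetConnection -ComputerName $before -Port 389 -InformationLevel Quiet
if ($ownerUp) {
    Write-Warning "$before still answers on LDAP (TCP 389); ntdsutil will transfer the role."
}

# Steps 2 to 8 as arguments; each argument is one line typed at an ntdsutil prompt.
& ntdsutil.exe roles connections "connect to server $TargetDC" quit "seize $Role" quit quit

# Confirm that the directory now reports the target as role owner.
$after = Get-RoleOwner -Role $Role -Server $TargetDC
if (($after -split '\.')[0] -ieq ($TargetDC -split '\.')[0]) {
    Write-Host "$Role is now held by $after"
} else {
    Write-Warning "$Role is still reported on $after; check the ntdsutil output above."
}
```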

Disable Java updates with Group Policy

By default, an installation of Java will check for updates and then will prompt the end user to install the update whether or not the user has Admin rights. In a small environment, this may not be a problem, but in a larger environment, this can generate a lot of unnecessary support requests when a user that doesn’t have Admin rights gets a UAC prompt that wants Admin credentials. Here’s how to disable the Java update checks so that your end users don’t see messages like this:

[Screenshot: 01-Disable-Java-Updates-with-Group-Policy]

Disabling the Java update notifications is actually pretty easy. There’s a registry setting in HKEY_LOCAL_MACHINE that will allow you to completely disable both update notifications and the update functionality. The full path of the key is HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy. The registry entry is named EnableJavaUpdate and is a DWORD value that defaults to 1 for the update functionality to be enabled. Setting the value to 0 disables updates. Here’s what it looks like in the Registry with updates enabled:

[Screenshot: 02-Disable-Java-Updates-with-Group-Policy]

You could set this manually, but there’s actually a much easier way to do this in Group Policy. First off you’ll need a Group Policy Object (GPO) that applies to your computers that need to have the updater disabled. In my example, it is an empty GPO, but there’s no reason why you can’t add this to an existing GPO.

In your GPO, go to Computer Configuration > Preferences > Windows Settings > Registry. Right-click and choose New > Registry Item.

[Screenshot: 03-Disable-Java-Updates-with-Group-Policy]

If you have Java installed on your management station, you can browse the registry to the setting you’ll be changing. (If you don’t, you can skip the next couple of steps and copy the entry manually.) In the window that opens, click the “…” button next to Key Path.

[Screenshot: 04-Disable-Java-Updates-with-Group-Policy]

Browse down to HKEY_LOCAL_MACHINE > SOFTWARE > JavaSoft > Java Update > Policy. In the bottom window, you should see EnableJavaUpdate. Click on it and then click Select.

[Screenshot: 05-Disable-Java-Updates-with-Group-Policy]

When you’re taken back to the last window, it should look something like the screenshot below. If you didn’t have Java installed on your management station, you can enter the following:

X32

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zeros)

X64

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\JavaSoft\Java Update\Policy
Value name: EnableJavaUpdate
Value type: REG_DWORD
Value data: 00000000 (that’s 8 zeros)

[Screenshot: 06-Disable-Java-Updates-with-Group-Policy]

When you click OK, it should look something like this in the Group Policy Management Editor:

[Screenshot: 07-Disable-Java-Updates-with-Group-Policy]

All that is left is to let Group Policy refresh on your test systems (or you can run a gpupdate.exe manually). If you open the Registry Editor, you should see the setting changed:

[Screenshot: 08-Disable-Java-Updates-with-Group-Policy]

If you’re on a 32-bit OS, you can go to the Control Panel, run the Java Control Panel tool, and you’ll see that the Update tab is now gone. (For some reason, the 64-bit version of Java on a 64-bit OS doesn’t have the Update tab.)

[Screenshot: 09-Disable-Java-Updates-with-Group-Policy]

With ‘Action’ set to ‘Update’, Group Policy will recreate the entry at the next refresh.
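
To confirm on a client that the policy value arrived in both registry locations listed above, the following PowerShell check can be run locally. It is an added example, not part of the original post, and the function name Get-JavaUpdatePolicy is made up for it. It opens the 32-bit and 64-bit registry views explicitly, so the result does not depend on the bitness of the PowerShell process.

```powershell
# Added example (not from the original post): report EnableJavaUpdate in both registry views.
$SubKey    = 'SOFTWARE\JavaSoft\Java Update\Policy'
$ValueName = 'EnableJavaUpdate'

function Get-JavaUpdatePolicy {
    # On a 64-bit OS the Registry32 view is what appears as SOFTWARE\Wow6432Node\...
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        $key  = $base.OpenSubKey($SubKey)   # $null when the Policy key does not exist
        try {
            $value = $null
            $kind  = $null
            if ($key) {
                $value = $key.GetValue($ValueName, $null)
                if ($null -ne $value) { $kind = $key.GetValueKind($ValueName) }
            }

            # Classify the result; a value of the wrong type is reported separately
            # because the setting is documented above as a REG_DWORD.
            if (-not $key)               { $state = 'no Policy key' }
            elseif ($null -eq $value)    { $state = 'value not set' }
            elseif ($kind -ne 'DWord')   { $state = "wrong type ($kind)" }
            elseif ($value -eq 0)        { $state = 'updates disabled' }
            else                         { $state = 'updates enabled' }

            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                View     = $view
                Value    = $value
                State    = $state
            }
        } finally {
            if ($key) { $key.Close() }
            $base.Close()
        }
    }
}

Get-JavaUpdatePolicy | Format-Table -AutoSize
```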

 


Domain Local groups, Global groups and Universal groups.

Types of Groups

Security groups are used to control access to resources.
Security groups can also be used as email distribution lists.
Distribution groups can be used only for email distribution lists, or simple administrative groupings.
Distribution groups cannot be used for access control because they are not “security enabled.”

Group Scope

Universal groups
Provide a simple ‘does everything’ group suitable mainly for small networks. Typically, organizations using WANs should use Universal groups only for relatively static groups in which memberships change rarely. Changes in membership will impose global catalog replication throughout an entire enterprise.

Global groups
Provide domain-centric membership; place all user accounts into Global groups. Global groups can be nested within other Global groups, which may be particularly useful when delegating OU administrative functionality.

It can be useful to give each Global group a name that is meaningful to the staff involved, i.e. matching the name of a Team or a Project, particularly if the group is also to be used as an email distribution list.

Domain Local groups
Used for the direct assignment of access permissions on files, printer queues, and other such resources.

It can be useful to give each Domain Local group a name that is meaningful to the IT Operations team e.g. if a group assigns rights to a shared folder on a specific server then the group name might include a prefix or suffix indicating the server name.

Local groups
Stored in the local SAM (local computer); use them for security settings that apply just to this one machine.
Local groups will work even if the network becomes unavailable, e.g. during a disaster recovery exercise.

 

Best Practice

Place users in Global groups, nest those inside Domain Local groups which in turn are used to apply permissions, as shown below. This will also maximise performance in a multi-domain forest.

[Diagram: syntax-groups]

Group membership is evaluated when a user logs on to a domain. To be sure that any membership changes have taken effect, ask the users to log off. In contrast, ACL changes or permissions applied directly to user accounts take effect immediately.
Granting permissions using a group from a different domain is only possible where a trust relationship exists between the domains.
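
The Global-into-Domain-Local nesting described above, followed by an audit of the folder ACL for entries that bypass it, as a PowerShell sketch added here (not from the original post). It assumes the ActiveDirectory module and an existing folder; the OU path, group names, account names and folder path are placeholders in the raylin.local domain used on this page.

```powershell
# Added example (not from the original post). All names below are placeholders.
Import-Module ActiveDirectory

$GroupOU  = 'OU=Groups,DC=raylin,DC=local'
$Team     = 'GG_Sales'               # Global group, named after the team
$Resource = 'DL_FS01_Sales_Modify'   # Domain Local group, named after server, share and right
$Folder   = 'D:\Shares\Sales'
$Members  = 'alice', 'bob'           # constructed sample accounts

# 1. User accounts go into a Global group.
New-ADGroup -Name $Team -SamAccountName $Team -GroupScope Global `
            -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $Team -Members $Members

# 2. The Global group is nested inside a Domain Local group.
New-ADGroup -Name $Resource -SamAccountName $Resource -GroupScope DomainLocal `
            -GroupCategory Security -Path $GroupOU
Add-ADGroupMember -Identity $Resource -Members $Team

# 3. Only the Domain Local group is placed on the ACL.
$acl  = Get-Acl -Path $Folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            "RAYLIN\$Resource", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 4. Audit: list explicit domain entries on the folder that are not Domain Local groups
#    (user accounts, Global groups or Universal groups granted access directly).
(Get-Acl -Path $Folder).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like 'RAYLIN\*' } |
    ForEach-Object {
        $sam   = $_.IdentityReference.Value.Split('\')[1]
        $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
        if (-not $group -or $group.GroupScope -ne 'DomainLocal') {
            $scope = 'not a group'
            if ($group) { $scope = $group.GroupScope }
            [pscustomobject]@{
                Identity = $_.IdentityReference.Value
                Scope    = $scope
                Rights   = $_.FileSystemRights
            }
        }
    }
```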

 

Nesting one Group within another with a different scope

Rules that govern when a group may be added to another group (same domain):

– Global groups can be nested within Domain Local groups, Universal groups and within other Global groups in the same domain.

– Universal groups can be nested within Domain Local groups and within other Universal groups in any domain.

– A Domain Local group cannot be nested within a Global or a Universal group.

[Diagram: syntax-groupnesting]

Rules that govern when a group may be added to another group (different domain):

– Domain Local groups can grant access to resources on the same domain. For example a Domain Local group named Sales on the raylin.local domain can only grant access to resources on that domain, and not on raylin.com

– Domain Local groups can accept anything, except for Domain Local groups from another domain. Domain Local groups accept user accounts from any domain.

– Global groups can grant access to anything, including files/folders in any domain.

– Global groups cannot be nested across domains. You cannot take a Global group from raylin.local, and nest it within another Global group in raylin.com.

– A user or computer account from one domain cannot be nested within a Global group in another domain

– Universal groups accept user/computer accounts from any domain. A Global group can also be nested within a Universal group (from any domain).

– A Universal group can be nested within another Universal group or Domain Local group in any domain.

 

Members – who can join a group:

| Group Scope | Location | Local Users can join? | Domain Users can join? | User accounts from another domain? | Local Computer accounts | Domain Computer accounts | Computer accounts from another domain | Machine Local groups | Domain Local groups | Global groups | Universal groups |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Domain Local | Stored in AD | No | Yes | Yes | No | Yes | Yes | No | Yes (same domain) | Yes | Yes |
| Global | Stored in AD | No | Yes | No | No | Yes | No | No | No | Yes (same domain) | No |
| Universal | Stored in AD | No | Yes | Yes | No | Yes | Yes | No | No | Yes | Yes |

Machine Local Stored in local sam database Yes Yes No No No Yes Yes Yes

Resources that a group may grant access to:

| Group Scope | Location | Can act as distribution list? | File Permissions (local machine) | File Permissions Domain Fileserver | File/Printer SHARE permissions | Can be Mail enabled | Can use to assign Mailbox permissions | Permissions on Active Directory objects |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Machine Local | Stored in local sam database | No | Yes | No | Yes (same machine only) | No | No | No |
| Domain Local | Stored in AD | Yes | Yes | Yes | Yes | Yes | Yes | Yes* |
| Global | Stored in AD | Yes | Yes | Yes* | Yes* | Yes | Yes | Yes |
| Universal | Stored in AD | Yes | Yes | Yes* | Yes* | Yes | Yes | Yes |

* Possible but not recommended by Microsoft.

Admin rights

To modify groups in AD, you must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group, or you must have been delegated the appropriate authority.


Command-line Powercfg

The following command-line options are available for powercfg.

powercfg [-l ] [-q ] [-x ] [-changename ] [-duplicatescheme ] [-d ] [-deletesetting ] [-setactive ] [-getactivescheme ] [-setacvalueindex ] [-setdcvalueindex ] [-h ] [-a ] [-devicequery ] [-deviceenablewake ] [-devicedisablewake ] [-import ] [-export ] [-lastwake ] [-?] [-aliases ] [-setsecuritydescriptor ] [-getsecuritydescriptor ]

So having delved into this utility a little more – here are my top commands for powercfg ready to use in your scripts:

sets the power configuration to High Performance
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

tweaks the basic power settings
powercfg -change -hibernate-timeout-ac 0
powercfg -change -hibernate-timeout-dc 0

turns hibernation off
powercfg -hibernate OFF

require password when console wakes up (0=false, 1=true)
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c fea3413e-7e05-4911-9a71-700331f1c294 0e796bdb-100d-47d6-a2d5-f7d2daa51f51 0
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c fea3413e-7e05-4911-9a71-700331f1c294 0e796bdb-100d-47d6-a2d5-f7d2daa51f51 0

also needed to show up on Power Menus…
powercfg -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e fea3413e-7e05-4911-9a71-700331f1c294 0e796bdb-100d-47d6-a2d5-f7d2daa51f51 0
powercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e fea3413e-7e05-4911-9a71-700331f1c294 0e796bdb-100d-47d6-a2d5-f7d2daa51f51 0

power plan type (0=power saver, 1=high performance, 2=balanced)
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c fea3413e-7e05-4911-9a71-700331f1c294 245d8541-3943-4422-b025-13a784f679b7 1
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c fea3413e-7e05-4911-9a71-700331f1c294 245d8541-3943-4422-b025-13a784f679b7 1

hard disk timeout
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 0012ee47-9041-4b5d-9b77-535fba8b1442 6738e2c4-e8a5-4a42-b16a-e040e769756e 0

wireless adapter power (0=max perf, 1=low power saving, 2=med power saving, 3=max power saving)
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0

sleep timeout
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 238c9fa8-0aad-41ed-83f4-97be242c8f20 29f6c1db-86da-48c5-9fdb-f2b67b1f44da 0

close action (0=do nothing, 1=sleep, 2=hibernate, 3=shutdown)
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0

also needed to show up on Power Menus…
powercfg -setacvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0
powercfg -setdcvalueindex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 0

processor power cstate (0,1=power saver, 2,3=balanced, 4,5=high perf)
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 54533251-82be-4824-96c1-47b60b740d00 68f262a7-f621-4069-b9a5-4874169be23c 4
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 54533251-82be-4824-96c1-47b60b740d00 68f262a7-f621-4069-b9a5-4874169be23c 4

minimum processor state
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 54533251-82be-4824-96c1-47b60b740d00 893dee8e-2bef-41e0-89c6-b55d0929964c 100
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 54533251-82be-4824-96c1-47b60b740d00 893dee8e-2bef-41e0-89c6-b55d0929964c 100

processor power perfstate settings
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 54533251-82be-4824-96c1-47b60b740d00 bbdc3814-18e9-4463-8a55-d197327c45c0 4
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 54533251-82be-4824-96c1-47b60b740d00 bbdc3814-18e9-4463-8a55-d197327c45c0 4

monitor timeout
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 7516b95f-f776-4464-8c53-06167f40cc99 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e 0
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 7516b95f-f776-4464-8c53-06167f40cc99 3c0bc021-c8a8-4e07-a973-6b14cbcb2b7e 0

multimedia settings (0=take no action, 1=prevent computer from sleeping, 2=enable away mode)
powercfg -setacvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 9596fb26-9850-41fd-ac3e-f7c3c00afd4b 03680956-93bc-4294-bba6-4e0f09bb717f 2
powercfg -setdcvalueindex 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c 9596fb26-9850-41fd-ac3e-f7c3c00afd4b 03680956-93bc-4294-bba6-4e0f09bb717f 2

set the absentia power scheme (the scheme used when no one is logged in)
powercfg -setabsentia 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c


Build a ThinBased-PC with Windows 7/8

Thin Clients were often chosen for their lower cost, but in many cases that no longer holds. Using a traditional workstation to connect to an SBC/VDI infrastructure is becoming more and more logical, even though the user is working on a full desktop where all applications run in the data center.

The most important step is to lock down the workstation. How many settings should be removed from the user interface depends on the requirements and wishes of the organization or customer. There are scenarios where you would like to remove as much as possible, but offering some applications or configuration settings is also quite logical; think of adjusting the screen resolution, keyboard/mouse settings and regional settings.

While there are very good third-party and freeware products available for using a standard workstation as a Thin Client, you can also do it with default Microsoft technologies when there is no budget or freeware is not allowed in the company. In this article I would like to show you an example configuration that turns your workstation into a ThinBasedPC with Group Policy only.

 

Group Policy Management
NL_GPO_MGT_ThinbasedPC
Data collected on: 7/8/2014 11:46:35 AM
General
Details
Domain Raylin.local
Owner raylin\Domain Admins
Created 6/19/2014 11:38:14 AM
Modified 7/8/2014 11:17:52 AM
User Revisions 141 (AD), 141 (sysvol)
Computer Revisions 244 (AD), 244 (sysvol)
Unique ID {CDAAEC72-0CDF-4A24-A1FE-2F71FB694E23}
GPO Status Enabled
Links
Location Enforced Link Status Path
ThinBasedPC No Enabled raylin.local/Computers/ThinBasedPC

This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
raylin\Domain Admins Edit settings, delete, modify security No
raylin\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy Setting
Allow users to select new root certification authorities (CAs) to trust Enabled
Client computers can trust the following certificate stores Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
To perform certificate-based authentication of users and computers, CAs must meet the following criteria Registered in Active Directory only
Windows Firewall with Advanced Security
Global Settings
Policy Setting
Policy version Not Configured
Disable stateful FTP Not Configured
Disable stateful PPTP Not Configured
IPsec exempt Not Configured
IPsec through NAT Not Configured
Preshared key encoding Not Configured
SA idle time Not Configured
Strong CRL check Not Configured
Domain Profile Settings
Policy Setting
Firewall state Off
Inbound connections Not Configured
Outbound connections Not Configured
Apply local firewall rules Not Configured
Apply local connection security rules Not Configured
Display notifications Not Configured
Allow unicast responses Not Configured
Log dropped packets Not Configured
Log successful connections Not Configured
Log file path Not Configured
Log file maximum size (KB) Not Configured
Connection Security Settings
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel/Regional and Language Options
Policy Setting Comment
Force selected system UI language to overwrite the user UI language Enabled
Restricts the UI language Windows uses for all logged users Enabled
Restrict users to the following language: Dutch
Control Panel/User Accounts
Policy Setting Comment
Apply the default account picture to all users Enabled
Network/Background Intelligent Transfer Service (BITS)
Network/Network Connections
Network/Network Connections/Windows Firewall/Domain Profile
Policy Setting Comment
Windows Firewall: Protect all network connections Disabled
Network/Offline Files
Policy Setting Comment
Prevent use of Offline Files folder Enabled
Prohibit user configuration of Offline Files Enabled
Prevents users from changing any cache configuration settings.
Policy Setting Comment
Remove “Make Available Offline” command Enabled
Turn off reminder balloons Enabled
Network/Windows Connect Now
Printers
Policy Setting Comment
Always render print jobs on the server Enabled
Disallow installation of printers using kernel-mode drivers Enabled
Execute print drivers in isolated processes Enabled
Point and Print Restrictions Enabled
Users can only point and print to these servers: Enabled
Enter fully qualified server names separated by semicolons localhost
Users can only point and print to machines in their forest Disabled
Security Prompts:
When installing drivers for a new connection: Do not show warning or elevation prompt
When updating drivers for an existing connection: Do not show warning or elevation prompt
This setting only applies to:
Windows Vista and later
System/Device Installation
System/Filesystem/NTFS
System/Group Policy
Policy Setting Comment
Configure user Group Policy loopback processing mode Enabled
Mode: Replace
System/Internet Communication Management
Policy Setting Comment
Restrict Internet communication Enabled
System/Internet Communication Management/Internet Communication settings
System/Locale Services
Policy Setting Comment
Disallow changing of geographic location Enabled
System/Logon
Policy Setting Comment
Assign a default domain for logon Enabled
Default Logon domain: raylin.locall
Enter the name of the domain
Policy Setting Comment
Do not display the Getting Started welcome screen at logon Enabled
Hide entry points for Fast User Switching Enabled
Run these programs at user logon Enabled
Items to run at logon
iexplore.exe -K
Policy Setting Comment
Turn off Windows Startup sound Enabled
System/Power Management/Button Settings
Policy Setting Comment
Select the Power button action (on battery) Enabled
Power Button Action Shut down
Policy Setting Comment
Select the Power button action (plugged in) Enabled
Power Button Action Shut down
System/Power Management/Hard Disk Settings
Policy Setting Comment
Turn Off the hard disk (plugged in) Enabled
Turn Off the Hard Disk (seconds): 7200
System/Power Management/Sleep Settings
System/Power Management/Video and Display Settings
Policy Setting Comment
Turn off the display (plugged in) Enabled
Turn Off the Display (seconds): 3600
System/Remote Assistance
System/User Profiles
Windows Components/Application Compatibility
Policy Setting Comment
Prevent access to 16-bit applications Enabled
Windows Components/AutoPlay Policies
Policy Setting Comment
Turn off Autoplay Enabled
Turn off Autoplay on: All drives
Windows Components/Desktop Gadgets
Policy Setting Comment
Turn off desktop gadgets Enabled
Windows Components/Desktop Window Manager
Policy Setting Comment
Do not allow Flip3D invocation Enabled
Do not allow window animations Enabled
Windows Components/Game Explorer
Windows Components/HomeGroup
Policy Setting Comment
Prevent the computer from joining a homegroup Enabled
Windows Components/Internet Explorer
Policy Setting Comment
Disable Automatic Install of Internet Explorer components Enabled
Disable changing Automatic Configuration settings Enabled
Disable changing connection settings Enabled
Disable Periodic Check for Internet Explorer software updates Enabled
Disable showing the splash screen Enabled
Do not allow users to enable or disable add-ons Enabled
Enforce full-screen mode Enabled
Prevent access to Internet Explorer Help Enabled
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Enabled
Prevent changing proxy settings Enabled
Prevent changing the default search provider Enabled
Prevent Internet Explorer Search box from appearing Enabled
Prevent managing pop-up exception list Enabled
Prevent managing SmartScreen Filter Enabled
Select SmartScreen Filter mode Off
Policy Setting Comment
Prevent managing the phishing filter Enabled
Select phishing filter mode Off
Policy Setting Comment
Prevent participation in the Customer Experience Improvement Program Enabled
Prevent running First Run wizard Enabled
Select your choice Go directly to home page
Policy Setting Comment
Security Zones: Do not allow users to add/delete sites Enabled
Security Zones: Do not allow users to change policies Enabled
Turn off ability to pin sites in Internet Explorer on the desktop Enabled
Turn off Automatic Crash Recovery Enabled
Turn off Crash Detection Enabled
Turn off Favorites bar Enabled
Turn off Managing SmartScreen Filter for Internet Explorer 8 Enabled
Select SmartScreen Filter mode for Internet Explorer 8 Off
Policy Setting Comment
Turn off page-zooming functionality Enabled
Turn off pop-up management Enabled
Turn off Quick Tabs functionality Enabled
Turn off Reopen Last Browsing Session Enabled
Turn off tabbed browsing Enabled
Turn off the quick pick menu Enabled
Turn off the Security Settings Check feature Enabled
Windows Components/Internet Explorer/Accelerators
Policy Setting Comment
Turn off Accelerators Enabled
Windows Components/Internet Explorer/Browser menus
Policy Setting Comment
Turn off Print Menu Enabled
Windows Components/Internet Explorer/Compatibility View
Policy Setting Comment
Use Policy List of Internet Explorer 7 sites Enabled
List of sites
raylin.nl
raylin.local
Windows Components/Internet Explorer/Delete Browsing History
Policy Setting Comment
Allow deleting browsing history on exit Enabled
Windows Components/Internet Explorer/Internet Control Panel
Windows Components/Internet Explorer/Internet Control Panel/Security Page
Policy Setting Comment
Intranet Sites: Include all network paths (UNCs) Enabled
Intranet Sites: Include all sites that bypass the proxy server Enabled
Site to Zone Assignment List Enabled
Enter the zone assignments here.
https://desktop.raylin.nl/vpn/index.html 1
http://ctxweb.raylin.local/Citrix/XenApp/ 1
https://netwerk.raylin.nl/vpn/index.html 1
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
Policy Setting Comment
Launching applications and files in an IFRAME Enabled
Launching applications and files in an IFRAME Enable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
Policy Setting Comment
Allow active scripting Enabled
Allow active scripting Enable
Policy Setting Comment
Launching applications and files in an IFRAME Enabled
Launching applications and files in an IFRAME Enable
Windows Components/Internet Explorer/Internet Settings/Component Updates/Help Menu > About Internet Explorer
Policy Setting Comment
Prevent specifying cipher strength update information URLs Enabled
Cipher Strength Update Information URL:
Windows Components/Internet Explorer/Internet Settings/Component Updates/Periodic check for updates to Internet Explorer and Internet Tools
Policy Setting Comment
Prevent specifying the update check interval (in days) Enabled
Update check interval (in days): 30
Windows Components/Internet Explorer/Security Features
Policy Setting Comment
Turn off Data Execution Prevention Enabled
Windows Components/Internet Explorer/Toolbars
Policy Setting Comment
Hide the Command bar Enabled
Lock all toolbars Enabled
Turn off Developer Tools Enabled
Turn off toolbar upgrade tool Enabled
Windows Components/Internet Information Services
Policy Setting Comment
Prevent IIS installation Disabled
Windows Components/NetMeeting
Policy Setting Comment
Disable remote Desktop Sharing Enabled
Windows Components/Network Projector
Policy Setting Comment
Turn off Connect to a Network Projector Enabled
Windows Components/Online Assistance
Policy Setting Comment
Turn off Active Help Enabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
Policy Setting Comment
Do not allow passwords to be saved Enabled
Windows Components/RSS Feeds
Windows Components/Security Center
Policy Setting Comment
Turn on Security Center (Domain PCs only) Disabled
Windows Components/Sound Recorder
Policy Setting Comment
Do not allow Sound Recorder to run Enabled
Windows Components/Windows Calendar
Policy Setting Comment
Turn off Windows Calendar Enabled
Windows Components/Windows Customer Experience Improvement Program
Windows Components/Windows Defender
Policy Setting Comment
Turn off Windows Defender Enabled
Windows Components/Windows Error Reporting
Policy Setting Comment
Disable logging Enabled
Disable Windows Error Reporting Enabled
Windows Components/Windows Installer
Policy Setting Comment
Prevent Internet Explorer security prompt for Windows Installer scripts Enabled
Turn off Windows Installer Enabled
Disable Windows Installer Never
Windows Components/Windows Mail
Policy Setting Comment
Turn off Windows Mail application Enabled
Windows Components/Windows Media Center
Policy Setting Comment
Do not allow Windows Media Center to run Enabled
Windows Components/Windows Media Digital Rights Management
Policy Setting Comment
Prevent Windows Media DRM Internet Access Enabled
Windows Components/Windows Media Player
Windows Components/Windows Messenger
Policy Setting Comment
Do not allow Windows Messenger to be run Enabled
Windows Components/Windows Mobility Center
Policy Setting Comment
Turn off Windows Mobility Center Enabled
Windows Components/Windows PowerShell
Policy Setting Comment
Turn on Script Execution Enabled
Execution Policy Allow all scripts
Preferences
Windows Settings
Registry
AutoAdminLogon (Order: 1)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name AutoAdminLogon
Value type REG_SZ
Value data 1
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DefaultDomainName (Order: 2)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name DefaultDomainName
Value type REG_SZ
Value data raylin.local
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DefaultUserName (Order: 3)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name DefaultUserName
Value type REG_SZ
Value data Kiosk
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DefaultPassword (Order: 4)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value name DefaultPassword
Value type REG_SZ
Value data Kiosk1!
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
DisableLockWorkstation (Order: 5)
General
Action Replace

Properties

Hive HKEY_LOCAL_MACHINE
Key path SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Value name DisableLockWorkstation
Value type REG_SZ
Value data 1
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
FullScreen (Order: 6)
General
Action Replace

Properties

Hive HKEY_CURRENT_USER (HKU\.DEFAULT)
Key path Software\Microsoft\Internet Explorer\Main
Value name FullScreen
Value type REG_SZ
Value data yes
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied Yes
Control Panel Settings
Power Options
Power Plan (Windows Vista) (Name: Balanced)
Power Plan (Windows Vista and later) (Order: 1)
Properties
Action Create
Make this the active Power Plan: Enabled
Name Balanced
When computer is: Plugged in Running on batteries
Require a password on wakeup: No No
Allow hybrid sleep: Off Off
Lid close action: Do nothing Do nothing
Power button action: Shutdown Shutdown
Start menu power button: Shutdown Shutdown
Link State Power Management: Moderate power savings Maximum power savings
Minimum processor state: After 5 minutes After 5 minutes
Maximum processor state: After 100 minutes After 100 minutes
Adaptive display: On On
Critical battery action: Do nothing Do nothing
Low battery level: After 10 minutes After 10 minutes
Critical battery level: After 5 minutes After 5 minutes
Low battery notification: Off Off
Low battery action: Do nothing Do nothing
Common

Options

Stop processing items on this extension if an error occurs on this item No
Remove this item when it is no longer applied No
Apply once and do not reapply No
User Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel
Policy Setting Comment
Always open All Control Panel Items when opening Control Panel Enabled
Show only specified Control Panel items Enabled
List of allowed Control Panel items
desk.cpl
Microsoft.Display
Control Panel/Add or Remove Programs
Policy Setting Comment
Hide Add/Remove Windows Components page Enabled
Control Panel/Personalization
Policy Setting Comment
Enable screen saver Disabled
Force a specific visual style file or force Windows Classic Enabled
Path to Visual Style: %windir%\Resources\Ease of Access Themes\basic.theme
To select Aero type:
%windir%\resources\Themes\Aero\aero.msstyles
To select a different visual style, type:
ie: \\<server>\share\Corp.msstyles
To select Windows Classic, leave the box
above blank and enable this setting
Policy Setting Comment
Prevent changing color and appearance Enabled
Prevent changing color scheme Enabled
Prevent changing desktop background Enabled
Prevent changing desktop icons Enabled
Prevent changing mouse pointers Enabled
Prevent changing screen saver Enabled
Prevent changing sounds Enabled
Prevent changing theme Enabled
Prevent changing visual style for windows and buttons Enabled
Prohibit selection of visual style font size Enabled
Control Panel/Printers
Policy Setting Comment
Prevent addition of printers Enabled
Prevent deletion of printers Enabled
Control Panel/Programs
Desktop
Desktop/Desktop
Policy Setting Comment
Disable Active Desktop Disabled
Network/Windows Connect Now
Start Menu and Taskbar
Policy Setting Comment
Clear history of recently opened documents on exit Enabled
Clear the recent programs list for new users Enabled
Do not allow pinning items in Jump Lists Enabled
Do not allow pinning programs to the Taskbar Enabled
Do not display any custom toolbars in the taskbar Enabled
Do not display or track items in Jump Lists from remote locations Enabled
Do not keep history of recently opened documents Enabled
Do not search communications Enabled
Do not search for files Enabled
Do not search Internet Enabled
Do not search programs and Control Panel items Enabled
Do not use the search-based method when resolving shell shortcuts Enabled
Do not use the tracking-based method when resolving shell shortcuts Enabled
Hide the notification area Enabled
Lock all taskbar settings Enabled
Lock the Taskbar Enabled
Pin Apps to Start when installed Disabled
Prevent changes to Taskbar and Start Menu Settings Enabled
Prevent users from adding or removing toolbars Enabled
Prevent users from customizing their Start Screen Enabled
Prevent users from moving taskbar to another screen dock location Enabled
Prevent users from rearranging toolbars Enabled
Prevent users from resizing the taskbar Enabled
Prevent users from uninstalling applications from Start Enabled
Remove access to the context menus for the taskbar Enabled
Remove All Programs list from the Start menu Enabled
Remove Balloon Tips on Start Menu items Enabled
Remove common program groups from Start Menu Enabled
Remove Default Programs link from the Start menu. Enabled
Remove Documents icon from Start Menu Enabled
Remove Downloads link from Start Menu Enabled
Remove Favorites menu from Start Menu Enabled
Remove frequent programs list from the Start Menu Enabled
Remove Games link from Start Menu Enabled
Remove Help menu from Start Menu Enabled
Remove Homegroup link from Start Menu Enabled
Remove links and access to Windows Update Enabled
Remove Logoff on the Start Menu Enabled
Remove Music icon from Start Menu Enabled
Remove Network Connections from Start Menu Enabled
Remove Network icon from Start Menu Enabled
Remove Pictures icon from Start Menu Enabled
Remove pinned programs from the Taskbar Enabled
Remove pinned programs list from the Start Menu Enabled
Remove Recent Items menu from Start Menu Enabled
Remove Recorded TV link from Start Menu Enabled
Remove Run menu from Start Menu Enabled
Remove Search link from Start Menu Enabled
Remove See More Results / Search Everywhere link Enabled
Remove the Action Center icon Enabled
Remove the battery meter Enabled
Remove the networking icon Enabled
Remove user folder link from Start Menu Enabled
Remove user name from Start Menu Enabled
Remove user’s folders from the Start Menu Enabled
Remove Videos link from Start Menu Enabled
Show QuickLaunch on Taskbar Disabled
Turn off all balloon notifications Enabled
Turn off feature advertisement balloon notifications Enabled
Turn off notification area cleanup Enabled
Turn off personalized menus Enabled
Turn off user tracking Enabled
System/Ctrl+Alt+Del Options
Policy Setting Comment
Remove Change Password Enabled
Remove Lock Computer Enabled
Remove Logoff Enabled
Remove Task Manager Enabled
Windows Components/AutoPlay Policies
Policy Setting Comment
Set the default behavior for AutoRun Enabled
Default AutoRun Behavior Do not execute any autorun commands
Policy Setting Comment
Turn off Autoplay Enabled
Turn off Autoplay on: All drives
Windows Components/Desktop Gadgets
Policy Setting Comment
Turn off desktop gadgets Enabled
Windows Components/File Explorer
Policy Setting Comment
Hide these specified drives in My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
Policy Setting Comment
Prevent access to drives from My Computer Enabled
Pick one of the following combinations Restrict A, B, C and D drives only
Policy Setting Comment
Remove Search button from File Explorer Enabled
Turn off Windows+X hotkeys Enabled
Windows Components/Internet Explorer
Policy Setting Comment
Disable changing home page settings Enabled
Home Page http://ctxweb.raylin.local/Citrix/XenApp/
Policy Setting Comment
Enforce full-screen mode Enabled
Search: Disable Find Files via F3 within the browser Enabled
Turn off the quick pick menu Enabled
Windows Components/Internet Explorer/Browser menus
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy Setting Comment
Turn on Caret Browsing support Disabled
Windows Components/Internet Explorer/Privacy
Windows Components/Internet Explorer/Toolbars
Policy Setting Comment
Turn off Developer Tools Enabled
Windows Components/Microsoft Management Console
Policy Setting Comment
Restrict the user from entering author mode Enabled
Windows Components/Windows Calendar
Policy Setting Comment
Turn off Windows Calendar Enabled
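
The Registry preference items in the report above (AutoAdminLogon, DefaultDomainName, DefaultUserName, DefaultPassword, DisableLockWorkstation) set up automatic logon for the Kiosk account and write its password as a REG_SZ value under Winlogon. The following read-only check is an added example, not part of the original post; it reports what a given machine holds for those values without printing the password. The function name is hypothetical.

```powershell
# Added example, not from the original page. Read-only: nothing is modified
# and the stored password itself is never written to the output.
function Get-KioskAutoLogonState {   # hypothetical name
    [CmdletBinding()]
    param(
        [string]$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        [string]$PolicyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    )

    # Return the data and registry type of one value, or $null if it is absent.
    function Read-Value([string]$Path, [string]$Name) {
        if (-not (Test-Path -Path $Path)) { return $null }
        $key = Get-Item -Path $Path
        if ($key.GetValueNames() -notcontains $Name) { return $null }
        [pscustomobject]@{
            Data = $key.GetValue($Name)
            Kind = $key.GetValueKind($Name)
        }
    }

    $auto   = Read-Value $WinlogonPath 'AutoAdminLogon'
    $domain = Read-Value $WinlogonPath 'DefaultDomainName'
    $user   = Read-Value $WinlogonPath 'DefaultUserName'
    $pass   = Read-Value $WinlogonPath 'DefaultPassword'
    $lock   = Read-Value $PolicyPath   'DisableLockWorkstation'

    $enabled      = ($null -ne $auto) -and ([string]$auto.Data -eq '1')
    $hasPlaintext = ($null -ne $pass) -and (([string]$pass.Data).Length -gt 0)
    $lockDisabled = ($null -ne $lock) -and ([string]$lock.Data -eq '1')

    $account = $null
    if ($user -and $domain) { $account = '{0}\{1}' -f $domain.Data, $user.Data }
    elseif ($user)          { $account = [string]$user.Data }

    # The report writes DisableLockWorkstation as REG_SZ; expose the stored
    # type so it can be compared with what the policy is expected to use.
    $lockKind = $null
    if ($lock) { $lockKind = $lock.Kind }

    $finding = 'No autologon configured'
    if ($enabled -and $hasPlaintext) {
        $finding = 'Autologon enabled with a plaintext DefaultPassword value in Winlogon'
    }
    elseif ($hasPlaintext) {
        $finding = 'DefaultPassword value present although AutoAdminLogon is not enabled'
    }
    elseif ($enabled) {
        $finding = 'Autologon enabled without a DefaultPassword value'
    }

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AutoAdminLogonEnabled   = $enabled
        Account                 = $account
        PlaintextPasswordStored = $hasPlaintext
        LockWorkstationDisabled = $lockDisabled
        LockValueKind           = $lockKind
        Finding                 = $finding
    }
}

Get-KioskAutoLogonState | Format-List
```

The third finding is what a machine looks like when the credential was stored with Sysinternals Autologon, which keeps it as an LSA secret instead of a DefaultPassword value.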

 


Control Panel Applets and Command Line Launch

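The following list gives the command-line syntax for opening each Control Panel applet in Windows 8 and Windows Server 2012. Where an applet can be opened in more than one way, the alternatives are separated by "or".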

Control Panel Applet Command
Action Center control /name Microsoft.ActionCenter or control wscui.cpl
Add Features to Windows 8 control /name Microsoft.WindowsAnytimeUpgrade
Administrative Tools control /name Microsoft.AdministrativeTools or control admintools
AutoPlay control /name Microsoft.AutoPlay
Biometric Devices control /name Microsoft.BiometricDevices
BitLocker Drive Encryption control /name Microsoft.BitLockerDriveEncryption
Bluetooth Devices control bthprops.cpl
Color Management control /name Microsoft.ColorManagement
Credential Manager control /name Microsoft.CredentialManager
Date and Time control /name Microsoft.DateAndTime or control timedate.cpl or control date/time
Default Programs control /name Microsoft.DefaultPrograms
Device Manager control /name Microsoft.DeviceManager or control hdwwiz.cpl or devmgmt.msc
Devices and Printers control /name Microsoft.DevicesAndPrinters or control printers
Display control /name Microsoft.Display
Ease of Access Center control /name Microsoft.EaseOfAccessCenter or control access.cpl
Family Safety control /name Microsoft.ParentalControls
File History control /name Microsoft.FileHistory
Flash Player Settings Manager control flashplayercplapp.cpl
Folder Options control /name Microsoft.FolderOptions or control folders
Fonts control /name Microsoft.Fonts or control fonts
Game Controllers control /name Microsoft.GameControllers or control joy.cpl
Get Programs control /name Microsoft.GetPrograms
Home Group control /name Microsoft.HomeGroup
Indexing Options control /name Microsoft.IndexingOptions
Infrared control /name Microsoft.Infrared or control irprops.cpl or control /name Microsoft.InfraredOptions
Internet Options control /name Microsoft.InternetOptions or control inetcpl.cpl
iSCSI Initiator control /name Microsoft.iSCSIInitiator
Keyboard control /name Microsoft.Keyboard or control keyboard
Language control /name Microsoft.Language
Location Settings control /name Microsoft.LocationSettings
Mail control mlcfg32.cpl
Mouse control /name Microsoft.Mouse or control main.cpl or control mouse
Network and Sharing Center control /name Microsoft.NetworkAndSharingCenter
Network Connections control ncpa.cpl or control netconnections
Network Setup Wizard control netsetup.cpl
Notification Area Icons control /name Microsoft.NotificationAreaIcons
Offline Files control /name Microsoft.OfflineFiles
Pen and Touch control /name Microsoft.PenAndTouch or control tabletpc.cpl
Performance Information and Tools control /name Microsoft.PerformanceInformationAndTools
Personalization control /name Microsoft.Personalization or control desktop
Phone and Modem control /name Microsoft.PhoneAndModem or control telephon.cpl
Power Options control /name Microsoft.PowerOptions or control powercfg.cpl
Printers and Faxes control printers
Programs and Features control /name Microsoft.ProgramsAndFeatures or control appwiz.cpl
Recovery control /name Microsoft.Recovery
Region control /name Microsoft.RegionAndLanguage or control intl.cpl or control international
RemoteApp and Desktop Connections control /name Microsoft.RemoteAppAndDesktopConnections
Scanners and Cameras control /name Microsoft.ScannersAndCameras
Screen Resolution control desk.cpl
Sound control /name Microsoft.Sound or control mmsys.cpl
Speech Recognition control /name Microsoft.SpeechRecognition
Storage Spaces control /name Microsoft.StorageSpaces
Sync Center control /name Microsoft.SyncCenter
System control /name Microsoft.System
System Properties control sysdm.cpl
Tablet PC Settings control /name Microsoft.TabletPCSettings
Task Scheduler control schedtasks
Taskbar control /name Microsoft.Taskbar or rundll32.exe shell32.dll,Options_RunDLL
Taskbar and Start Menu control /name Microsoft.TaskbarAndStartMenu or rundll32.exe shell32.dll,Options_RunDLL
Text to Speech control /name Microsoft.TextToSpeech
Troubleshooting control /name Microsoft.Troubleshooting
User Accounts control /name Microsoft.UserAccounts or control userpasswords
Windows 7 File Recovery control /name Microsoft.BackupAndRestore
Windows Anytime Upgrade control /name Microsoft.WindowsAnytimeUpgrade
Windows CardSpace control /name Microsoft.CardSpace or control infocardcpl.cpl
Windows Defender control /name Microsoft.WindowsDefender
Windows Firewall control /name Microsoft.WindowsFirewall or control firewall.cpl
Windows Mobility Center control /name Microsoft.MobilityCenter
Windows Sidebar Properties control /name Microsoft.WindowsSidebarProperties
Windows SideShow control /name Microsoft.WindowsSideShow
Windows Update control /name Microsoft.WindowsUpdate

Environment Variables List

Variable Refers to folder or drive
%SYSTEMDRIVE% The drive / partition where Windows is installed, default = C:
%PROFILESDIRECTORY% Users, default = %SYSTEMDRIVE%\Users
%WINDIR% Windows, default = %SYSTEMDRIVE%\Windows
%ALLUSERSPROFILE% ProgramData, default = %SYSTEMDRIVE%\ProgramData
%APPDATA% %PROFILESDIRECTORY%\{username}\AppData\Roaming
%COMMONPROGRAMFILES% %SYSTEMDRIVE%\Common Files
%COMMONPROGRAMFILES(x86)% %SYSTEMDRIVE%\Program Files (x86)\Common Files
%COMSPEC% %WINDIR%\System32\cmd.exe
%HOMEDRIVE% The drive where Users is located, default = C:
%HOMEPATH% %PROFILESDIRECTORY%\{username}
%LOCALAPPDATA% %PROFILESDIRECTORY%\{username}\AppData\Local
%PROGRAMDATA% ProgramData, default = %SYSTEMDRIVE%\ProgramData
%PROGRAMFILES% %SYSTEMDRIVE%\Program Files
%PROGRAMFILES(X86)% %SYSTEMDRIVE%\Program Files (x86) (only in 64-bit version)
%PUBLIC% %PROFILESDIRECTORY%\Public
%SYSTEMROOT% %WINDIR%
%TEMP% and %TMP% %PROFILESDIRECTORY%\{username}\AppData\Local\Temp
%USERPROFILE% %PROFILESDIRECTORY%\{username}

NOTE: C:\ is the system drive (i.e., where Windows is installed). It will differ if you installed Windows to a different drive.


Start screen Control Windows 8.1

Windows 8.1 Enterprise is now available, and included in it is a brand new feature called Start screen control. For those not familiar with this new feature, it is designed to allow IT pros to configure the layout of the Start screen for a group of users, preventing those users from making changes to that layout.


Once arranged, you can export this layout into an XML file using a simple PowerShell command:

Export-StartLayout -path C:\StartLayout.xml -As XML

Next, you can specify a path to this layout file using Active Directory Group Policy. From the Group Policy Management Editor, navigate to “User Configuration \ Policies \ Administrative Templates \ Start Menu and Taskbar”, where you can find the “Start Screen Layout” policy setting.



Create a Power Plan in Group Policy

1. Create a group policy object

Open the Group Policy editing tool and create a new policy object.

Expand Computer Configuration \ Preferences \ Control Panel Settings \ Power Options.

2. Create a Power Plan

Edit the policy (right click and “Edit”).

Go to: User configuration > Preferences > Control Panel Settings > Power Options

Right-click in the window and choose “Create a Power Plan”.

3. Edit the Power Plan settings

Go through all the options and set them as you need.

4. Save the Power Plan

Change the Action switch at the top to “Create”, then hit OK.

When you edit the settings next time, you need to change the action field to “Update”, and remember to tick the box to “Set as the active power plan”.


Hide Unwanted Items From the Control Panel

One of the common lockdowns that administrators apply is to remove all but the essential Control Panel items.

Before Windows 7 you had to specify the .cpl file name (e.g. timedate.cpl) of the Control Panel item you wanted to show or hide. This changed in Windows 7: you now need to use the canonical name when hiding or showing specific items.

Step 1. Edit the Group Policy object that is applied to the users to whom you want to apply the Control Panel configuration.

Step 2. Navigate to User Configuration > Policies > Administrative Templates > Control Panel

Step 3. Double-click the Hide specified Control Panel items setting, select Enabled, and then click the Show button.


The following are the Control Panel items available in Windows 8.1:

Action Center
Administrative Tools : Microsoft.AdministrativeTools
AutoPlay : Microsoft.AutoPlay
Biometric Devices : Microsoft.BiometricDevices
BitLocker Drive Encryption : Microsoft.BitLockerDriveEncryption
Color Management : Microsoft.ColorManagement
Credential Manager : Microsoft.CredentialManager
Date and Time : Microsoft.DateAndTime
Default Programs : Microsoft.DefaultPrograms
Device Manager : Microsoft.DeviceManager
Devices and Printers : Microsoft.DevicesAndPrinters
Display : Microsoft.Display
Ease of Access Center : Microsoft.EaseOfAccessCenter
Family Safety : Microsoft.ParentalControls
File History : Microsoft.FileHistory
Folder Options : Microsoft.FolderOptions
Fonts : Microsoft.Fonts
HomeGroup : Microsoft.HomeGroup
Indexing Options : Microsoft.IndexingOptions
Infrared : Microsoft.Infrared
Internet Options : Microsoft.InternetOptions
iSCSI Initiator : Microsoft.iSCSIInitiator
iSNS Server : Microsoft.iSNSServer
Keyboard : Microsoft.Keyboard
Language : Microsoft.Language
Location Settings : Microsoft.LocationSettings
Mouse : Microsoft.Mouse
MPIOConfiguration : Microsoft.MPIOConfiguration
Network and Sharing Center : Microsoft.NetworkAndSharingCenter
Notification Area Icons : Microsoft.NotificationAreaIcons
Pen and Touch : Microsoft.PenAndTouch
Personalization : Microsoft.Personalization
Phone and Modem : Microsoft.PhoneAndModem
Power Options : Microsoft.PowerOptions
Programs and Features : Microsoft.ProgramsAndFeatures
Recovery : Microsoft.Recovery
Region : Microsoft.RegionAndLanguage
RemoteApp and Desktop Connections : Microsoft.RemoteAppAndDesktopConnections
Sound : Microsoft.Sound
Speech Recognition : Microsoft.SpeechRecognition
Storage Spaces : Microsoft.StorageSpaces
Sync Center : Microsoft.SyncCenter
System : Microsoft.System
Tablet PC Settings : Microsoft.TabletPCSettings
Taskbar and Navigation : Microsoft.Taskbar
Troubleshooting : Microsoft.Troubleshooting
TSAppInstall : Microsoft.TSAppInstall
User Accounts : Microsoft.UserAccounts
Windows Anytime Upgrade : Microsoft.WindowsAnytimeUpgrade
Windows Defender : Microsoft.WindowsDefender
Windows Firewall : Microsoft.WindowsFirewall
Windows Mobility Center : Microsoft.MobilityCenter
Windows To Go : Microsoft.PortableWorkspaceCreator
Windows Update : Microsoft.WindowsUpdate
Work Folders : Microsoft.WorkFolders
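
Because the policy list is free text, a .cpl file name or a misspelled canonical name is accepted by the editor without complaint. The following check is an added example, not part of the original post: it reads the list that "Hide specified Control Panel items" (DisallowCpl) or "Show only specified Control Panel items" (RestrictCpl) has written for the current user and classifies each entry against the canonical names the machine actually exposes. The function names are hypothetical, and the third sample entry is a constructed typo.

```powershell
# Added example, not from the original page. Needs Windows PowerShell 3.0 or
# later on Windows 8 / Server 2012 or later, where Get-ControlPanelItem exists.

# Read the entries one of the two Control Panel policy lists holds for the
# current user. Each entry is a registry value under the list's own subkey.
function Get-ControlPanelPolicyEntry {   # hypothetical name
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('DisallowCpl', 'RestrictCpl')]
        [string]$List
    )
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\$List"
    if (-not (Test-Path -Path $path)) { return }
    $key = Get-Item -Path $path
    foreach ($name in $key.GetValueNames()) {
        [string]$key.GetValue($name)
    }
}

# Classify each entry: a canonical name known on this machine, a legacy .cpl
# module name, or something that matches nothing.
function Test-ControlPanelPolicyEntry {   # hypothetical name
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Entry
    )
    begin {
        # Applets without a canonical name are skipped.
        $canonical = @(Get-ControlPanelItem |
            ForEach-Object { $_.CanonicalName } |
            Where-Object { $_ })
    }
    process {
        foreach ($e in $Entry) {
            $value = $e.Trim()
            $kind = 'Unknown'
            if ($canonical -contains $value)  { $kind = 'CanonicalName' }
            elseif ($value -match '\.cpl$')   { $kind = 'LegacyModuleName' }

            [pscustomobject]@{
                Entry = $e
                Kind  = $kind
            }
        }
    }
}

# The first two entries are the allowed items from the GPO report earlier on
# this page; the third is a constructed misspelling.
'desk.cpl', 'Microsoft.Display', 'Microsoft.Dispaly' |
    Test-ControlPanelPolicyEntry | Format-Table -AutoSize

# Check what policy has actually delivered to the logged-on user.
Get-ControlPanelPolicyEntry -List RestrictCpl |
    Test-ControlPanelPolicyEntry | Format-Table -AutoSize
```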