Group Policy Preferences – TechNet Edge video

When Microsoft introduced Group Policy Preferences with Windows Server 2008, they gave sys admins the ability to easily do a bunch of common tasks (adding domain users to local groups, mapping drives, creating shortcuts, etc) in Group Policy without having to write scripts. I’m a fan of scripting, but I still see that as a good thing!

Yesterday TechNet Edge released a video about Group Policy Preferences, which I’d recommend you check out. It starts off slow, but then talks about how you can manage the scope of different preferences, so within the same Group Policy Object you could map a particular drive for everyone using a PC under the policy scope, plus additional ones just for users in particular security groups. This means that you can have a relatively complex arrangement of drive mappings for all the users you manage all in the same policy. 🙂

If you’ve not come across TechNet Edge before and you’re an IT Pro managing Windows systems, head over there now and see what you’ve been missing.

TechNet Edge

In case you missed them, James put some posts on this very blog a little while ago about using Group Policy Preferences to add domain users to local groups and mapping network drives.

Windows XP x64 SP3…?

Something else I didn’t know!

With the release of XP SP3 I assumed there was an x64 version but…

It seems this is not the case, as XP x64 already has the v5.2 kernel, and (something else I didn’t know) the x64 SP2 release came 3 years later than the x86 version, so it is much more up to date.

Confusing but that’s why you won’t see any SP3 x64 builds (at least for a while)!

Limiting software usage through GP delegation

To apply a group policy to just a few selected computers in an OU containing many other computers, you can use Group Policy delegation. There are a couple of ways of doing this: one involves Denying access to a group of computers and the other involves Allowing access to a group of computers. It really depends on your local OU structure and what you want to achieve as to which method you use.

DENY

First of all, create a security group of computers (call it something meaningful) and add the PCs that you *don’t* want to get the policy.

Run the Group Policy Management Console/Snapin, and browse to the group policy in question. Click/double-click it so that you see the tabs Scope, Settings, Detail and Delegation in the right-hand pane.

Click on the Delegation tab.

Click Advanced.

Click Add and enter the name of the group of computers. (If you just want to specify a single computer name, that’s okay, but you’ll need to click on Object types first and check the Computers box – groups are easier to maintain though).

Once you’ve added the computer/group of computers to the ACL, you’ll need to check the *DENY* on Apply Group Policy. In this example, I’ve denied rights to UCS Cluster Computers to apply the policy 3 Central 7-zip 4.42:

ALLOW

This is more or less the same procedure. Create a group of computers that you *do* want to get the policy. Click on Delegation… Advanced so that the Security box appears. Remove Authenticated users from the ACL, and add your group of computers. Ensure that Apply Group Policy is selected for this group. ISS use this method for securing the 5 Licensed software policies.

Now what?

Now when you apply the group policy to an OU, only the PCs that are in the allow/deny group will be allowed/denied access to the software.

If you’re using the old Group Policy management tool (the one that’s integrated into Users and Computers), you can make the same changes by just right-clicking the Group Policy, selecting Properties, and then the Security tab.

You can use this method to secure any Group Policy regardless of its purpose, the policy doesn’t necessarily need to be a software policy. For example you can limit application of a policy that adds users to a local machine admin group.

Something to note

To change delegation on a group policy, you must have rights to modify the policy security.
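The same ALLOW method done from the GroupPolicy module (RSAT) instead of the Delegation tab, as an added example that is not part of the original post. The GPO name is the one used in the post above; the group name "7zip-Computers" is a placeholder for your own security group of computers.

```powershell
# Added example (not the post's own steps): security-filter a GPO with PowerShell.
Import-Module GroupPolicy

$GpoName   = '3 Central 7-zip 4.42'   # GPO named in the post
$GroupName = '7zip-Computers'         # placeholder: your group of computers

# Give the computer group Read + Apply Group Policy
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply

# Lower Authenticated Users from Apply to Read (-Replace is required to lower a level).
# Keep the Read entry rather than removing the group from the ACL altogether: since
# MS16-072 (June 2016) the computer account must be able to read a GPO's user settings,
# otherwise the user side of that GPO silently stops applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace

# Audit the result: who can apply the GPO, and whether any Deny entries exist.
# Set-GPPermission offers no Deny level, so a DENY entry as in the first method is
# still set through the Delegation tab (or ADSI) and shows up here with Denied = True.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize
```

Run the audit part on its own against any GPO to see who can apply it before you change anything.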

Vista is so protective…

A bit of a gotcha with using the Active Directory Users and Computers tool on Vista is that it (very sensibly) protects the objects you create from accidental deletion but (very annoyingly) doesn’t inform you that it’s done this. If you are using the AD Tools on Vista and you suddenly find that you can’t delete something you created, then check the Object tab on the object in question. If the “Protect Object from Accidental Deletion” box is checked as shown here within the red circle:

Active Directory object

… you’ll need to uncheck it before you can delete or move it.

RSAT Part 3: Mapping network drives with Group Policy and without Scripts!

One of the most common scripts we write for users and groups of users is a simple drive map.

For example:

net use S: \\campus\software /persistent:yes

Now, the Group Policy Preference Client Side Extensions and RSAT allow a drive to be mapped without any extra work.

1. Create and name a new Policy.

2. User Configuration > Preferences > Windows Settings > Drive Maps

3. Right Click > New > Mapped Drive

4. Choose the behaviour (Create, Replace, Update or Delete) from the Action dropdown.

5. Enter a location e.g. \\campus\software\

6. Tick reconnect if you want the connection to persist (this replaces the /persistent:yes switch)

7. Choose a drive letter.

8. If you wish you can set the Connect as fields.

9. Make sure the permissions are correct for the target folder.

10. Save and apply your policy.
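A check worth running before you fill in the Connect as fields of step 8, as an added example that is not part of the original post: a Connect as password is saved in the policy XML in SYSVOL as a cpassword attribute, encrypted with an AES key that Microsoft later published, so any domain user who can read SYSVOL can recover it (MS14-025, May 2014, removed the option from the editor but left existing entries in place). The script only reports where such entries exist; it assumes you run it as a domain user with RSAT and builds the SYSVOL path from your own domain.

```powershell
# Added example (not the post's own code): find GPP items in SYSVOL that carry a stored credential.
Import-Module GroupPolicy -ErrorAction SilentlyContinue

$Domain = $env:USERDNSDOMAIN
$Sysvol = "\\$Domain\SYSVOL\$Domain\Policies"
# GPP item types whose XML can hold a cpassword attribute
$Files  = 'Drives.xml', 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Printers.xml'

Get-ChildItem -Path $Sysvol -Recurse -Include $Files -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw
    # Every element with a non-empty cpassword attribute is a stored credential
    foreach ($props in $doc.SelectNodes('//*[@cpassword!=""]')) {
        # The GPO GUID is the folder name directly under Policies
        $guid = if ($file.FullName -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '' }
        $gpo  = if ($guid) { Get-GPO -Guid $guid -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Gpo      = if ($gpo) { $gpo.DisplayName } else { $guid }
            Side     = if ($file.FullName -match '\\Machine\\') { 'Computer' } else { 'User' }
            File     = $file.Name
            Item     = $props.ParentNode.GetAttribute('name')   # e.g. the drive letter
            RunAs    = $props.GetAttribute('userName')          # the Connect as account
            Modified = $file.LastWriteTime
        }
    }
} | Sort-Object Gpo | Format-Table -AutoSize
```

Any row it prints is a drive map (or other preference item) whose credential should be removed and rotated; an empty result means no GPO in the domain stores one.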

RSAT Part 2: Deploying Printers with Group Policy and without Scripts!

Historically, in order to deploy printers using Group Policy we would have had to use a combination of scripts.

Now, the Group Policy Preference Client Side Extensions, an updated AD schema and RSAT allow printers to be deployed without any extra work.

1. Create and name a new Policy.

2. If you want to deploy the printer to a machine

Computer Configuration > Windows Settings > Deployed Printers

Or

If you want to deploy the printer to users

User Configuration > Windows Settings > Deployed Printers

3. Right click in a blank area of the right-hand pane and select Deploy Printer.

4. Make sure the permissions are correct for the printer.

5. Type in the path to the printer e.g. \\myprintserver\hplaserjet9040

6. Save and apply your policy.

BgInfo v4.13

In case anyone missed it, BgInfo v4.13 was released a few weeks ago. I know that a number of School Computing Officers use this useful tool for audit and support purposes.

I have previously used BgInfo in a startup script to have machines ‘check in’ to an Access DB. You can use something like this (one line):

\\campus\software\pathtofile\Bginfo.exe \\pathtoconfigfile\config.bgi /timer:0

The config.bgi file allows you to set what data you want to capture and set a path for the DB file.

BgInfo

http://technet.microsoft….s/bb897557.aspx