Using GPOs to Configure and Tune Desktops discusses how Group Policy Objects (GPOs) can be used as an alternative to directly editing the registry (registry "hacks") to configure and tune desktop environments. The document outlines why GPOs are preferable to registry hacks, provides examples of common GPO configurations like Windows settings, services, and user profiles. It also covers policy basics, templates, and tools to help implement GPO-based configurations and tuning.
3. Agenda Why use GPOs? Policy Basics Policies Vs Preferences Desktop Configurations ADMs and ADMX/ADMLs Tools you can use as venture into GPOs
4. Why do we hack the registry Tune the OS Set defaults Hide things from users Others… But is a hack a policy? Policies can be used for more than just registry changes
5. Why use GPOs and Not Reg hacks??? Documentation…. How do to remove this spoiler? Without opening the trunk?
6. What do GPOs TYPICALLY get used for? Windows Settings like folder redirection Hiding icons and Windows options Configuring browser settings Setting permissions? Sometimes Configuring Office or other app settings… Adding Users.. Occasionally.
13. Policy Templates Traditionally known as Policy ADMs (ADMX now) Set the options you see in the GPOs Often created by the App vendors or industrious System Engineers
14. ADM files are TXT files CLASS xxx - User or Machine CATEGORY xxx - Major heading. “Windows Update” KEYNAME xxx “Softwareicrosoftffice2.0ulook” Policy xxx - name of Policy shown in GPO editor VALUENAME xxx - Registry entry we are changing END POLICY END CATEGORY
15.
16. ADM file Example CLASS MACHINE CATEGORY !!Reader POLICY !!Checkforupdatesatstart KEYNAME "Softwaredobecrobat Reader.0VGeneral" EXPLAIN !!Checkforupdatesatstart_Help VALUENAME "bCheckForUpdatesAtStartup" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY END CATEGORY
20. Building your own? Start with ADM files if you haven’t already. Then convert them w/ the ADM to ADMX converter The hardest part is not building the text file…. Its finding the registry keys
21. Ron’s rules for Policies Vs Preferences… When to use a policy Something that the usermay have access to but I don’t want them to change IE security, connectivity, or application settings When to use a preference When I set a default setting that they may change IE default start page or default short cuts on the desktop When I want to change a registry setting that they do not have a GUI to change Default user screen saver, machine settings like NTFS last access time stamp, etc.
22. Policy Preference Options Create Create the object (reg entry, drive mapping, etc, etc) Will do nothing if the entry/object already exists Replace Delete existing setting (if exist) and create a new object Update Modification of an existing object Will create if it does not exist Delete
24. Preference WARNINGS These are like defaults NOT Policies…. These can tattoo the machine Newer policies do not tattoo. That was a benefit of getting away from some of the old school NT type policies Registry changes made via Preferences can leave a tattoo after removal of policy UNLESS you counter/remove the VM from having the policy apply. Other changes (Directories, User/group modifications or additions) also stick Preferences are basically like your image “HACK” but with management….
26. Windows 7 Services Examples Desktop Window Manager Session manager Disk Defragmenter Diagnostic Policy Services IP helper (if no IPv6) Security Center Superfetch Themes Service (classic interface) Windows Defender Windows Search Windows Update http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf
32. Finding the Registry Entry GOOGLE http://lmgtfy.com/ RegSnap/Registry Monitoring Tools Good old fashion digging and guessing! My Favorite:SysTracerhttp://www.blueproject.ro/systracer
34. Where to start? GPAnswers.com http://www.gpanswers.com/resources/gp-tips-and-tricks.html PolicyPak.com http://policypak.com/ Off 2007 Policy Templates http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en Off 2010 Policy Templates http://www.microsoft.com/downloads/en/details.aspx?FamilyID=64B837B6-0AA0-4C07-BC34-BEC3990A7956&displaylang=en Using GPOs to Customize XenApp http://support.citrix.com/proddocs/index.jsp?topic=/online-plugin-110-windows/ica-import-icaclient-template-v2.html IE 9 Preferences not working? http://blogs.technet.com/b/asiasupp/archive/2011/03/30/internet-explorer-9-ie9-group-policy-preferences-gpp.aspx XenApp Blog’s XenApp and XenDesktop Policies http://www.xenappblog.com/downloads/
35. ADM/Xs and Policy references? Microsoft ADM to AMDX migrator? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0F1EEC3D-10C4-4B5F-9625-97C2F731090C Group Policy Settings References from MS? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb Group Policy ADMX Syntax Guide: http://technet.microsoft.com/en-us/library/cc753471(WS.10).aspx Group Policy Survival Guide http://technet.microsoft.com/en-us/library/cc754151(WS.10).aspx Managing with ADMX files http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx