Tips and Tricks

GPO Treasures

A bevy of often-overlooked settings are available in Group Policy Objects.

Group Policy is a feature of Windows 2000 and later that allows a new level of centralized control over your environment. You've probably used Group Policy Objects (GPOs) to perform folder redirection for your users, assign standardized desktop wallpaper and more. But there's a bevy of often-overlooked settings available in a GPO that every administrator should be aware of. Here are my favorites, which you'll find under the Computer Configuration | Administrative Templates | Windows Components section of any GPO:

  • Under Internet Information Services, use the Prevent IIS installation setting to stop IIS 6 from being installed on Windows 2003 servers.
  • Under Windows Installer, the Always install with elevated privileges setting can allow users to install applications that need administrator-level privileges, such as applications that update system files. It works on Win2K and later.
  • Under Windows Messenger, Do not allow Windows Messenger to be run makes it simple to ensure that users don't employ this instant messaging utility, in case yours is one of the many organizations that don't permit it. It works with Win2K and later.
  • Under Windows Update, several policies allow you to force clients to use an internal Software Update Services (SUS) server.

Other settings apply on a per-user basis and can be found in User Configuration | Administrative Templates | Windows Components:

  • Under Microsoft Management Console, enable the Restrict the user from entering author mode setting to keep users from making custom consoles. Enable the Restrict users to the explicitly permitted list of snap-ins setting to control the snap-ins users can access. The Restricted/Permitted snap-ins folder lets you decide what snap-ins are legit. Works on Win2K and later.
  • Under Windows Installer, use the Prevent removable media source for any install setting to keep users from installing software—and viruses—from their own CDs or floppies. Works on Win2K and later.
  • Under Windows Update, the Remove access to use all Windows Update features setting will turn off Windows Update completely. A great choice if you want to use SUS to control what updates users install. Works on Windows XP and later.
  • Concerned about data theft? Use the Remove CD Burning features setting (under Windows Explorer) to keep Windows XP and Windows 2003 from burning CDs from within Explorer.
  • If you've locked down access to things like the Run dialog, users may be able to use the Windows key on their keyboard to access those features anyway (Windows+R, for example, opens the Run dialog). The Turn off Windows+X hotkeys setting under Windows Explorer disables this workaround, but only for Windows 2003 and later.
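
As an added example (not code from the original article), this PowerShell script reads the registry values behind several of the settings listed above and reports which are in effect for the current computer and user. The registry paths and value names do not appear in the article; they are the standard policy locations and are an assumption to verify against your ADM templates.

```powershell
# Added example: audit the policy registry values behind settings named in the article.
# Paths and value names are not from the article; they are the standard policy
# locations (assumption: confirm them against the ADM templates you deploy).
$checks = @(
    @{ Setting = 'Always install with elevated privileges (computer)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated' }
    @{ Setting = 'Always install with elevated privileges (user)'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'AlwaysInstallElevated' }
    @{ Setting = 'Prevent removable media source for any install'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'DisableMedia' }
    @{ Setting = 'Restrict the user from entering author mode'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\MMC'; Name = 'RestrictAuthorMode' }
    @{ Setting = 'Remove CD Burning features'
       Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoCDBurning' }
    @{ Setting = 'Turn off Windows+X hotkeys'
       Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoWinKeys' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy is "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = if ($null -eq $value) { 'Not configured' } else { $value }
        Enabled = ($value -eq 1)
    }
}
$results | Format-Table -AutoSize

# Windows Installer elevates packages only when AlwaysInstallElevated is 1 in BOTH
# the computer and user hives, so that combination is flagged separately: it lets
# a standard user run any MSI with system-level privileges.
$aie = $results | Where-Object { $_.Setting -like 'Always install*' -and $_.Enabled }
if (@($aie).Count -eq 2) {
    Write-Warning 'AlwaysInstallElevated is active for this user: every MSI they launch installs elevated.'
}
```

Run it in the context of the user being audited, since the HKCU values are per-user.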

Make it Easier with GPMC

Microsoft's free Group Policy Management Console (GPMC), available as a feature pack for Windows 2003 Server, makes working with GPOs much easier than using the Active Directory Users and Computers console. GPMC works fine in both Win2K and Windows 2003 domains and can be installed on XP Pro.

Group Policy settings can also be used to control Microsoft Office. These settings have to be added to a GPO from an ADM file; you can find Office 2003's at

Some useful settings for Office:

  • Point users to a network file share for centralized document template storage.
  • Disable Visual Basic for Applications for all Office applications.
  • Centrally control macro security settings for all Office applications, or on an application-by-application basis.
  • Force Office encryption settings for all company computers.

There's lots more—literally hundreds of settings for individual Office applications and Office as a whole.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at

