10 Ways to Manage Desktops With Group Policy

7/23/2019 10 Ways to Manage Desktops With Group Policy

http://slidepdf.com/reader/full/10-ways-to-manage-desktops-with-group-policy 1/15

10 Ways to Manage Desktops with Group Policy

Group Policy, when properly planned and implemented, can be an

indispensable tool for managing Windows desktop systems. ut two obstacles

pre!ent administrators from e"ecti!ely using Group Policy. #irst is an

incomplete understanding of what Group Policy is and how to apply it. $econdis not being clear about what you want to accomplish with Group Policy. %t&s

easy to be o!erwhelmed by Group Policy because of the large number of

settings and the !ariety of ways you can apply those settings. 'nderstanding

Group Policy really isn&t di(cult, howe!er. )nce you ha!e a feel for it you *ust

need some ideas for putting it into action. With that in mind, let&s walk

through a basic course in Group Policy. +hen, %&ll show you 10 ways you can

begin using Group Policy to manage the desktop systems in your

en!ironment.

Group Policy 101

Group Policy gi!es you central control o!er certain aspects of the beha!ior of

the desktops in your Windows $er!er domain. +he Microsoft Management

onsole -MM Group Policy snap/in contains etensions and se!en main

nodes. +he nodes are the management entry point for each etension.

dministrati!e +emplates. dministrati!e +emplates are registry/based

policies that you use to alter registry settings that control the beha!ior and

appearance of the desktop, components, and applications. #i!e defaultdministrati!e +emplates load with a new Group Policy )b*ect -GP)2

$ystem.adm for the Windows $er!er 3004 family, Windows 3000, and

Windows 5P6 %netres.adm for %nternet 7plorer -%7 settings6 Wmplayer.adm

for Windows Media Player -WMP6 onf.adm for 8etMeeting 4.016 and

Wuau.adm for Windows 'pdate.

$ecurity $ettings. +he $ecurity $ettings node speci9es local computer,

domain, and network security settings.

$oftware %nstallation. +he $oftware %nstallation node assigns and publishes

software to users and assigns software to computers.

$cripts. +he $cripts node can a"ect computer startup and shutdown and user



logon and logo". :ou can place any Windows $cript ;ost -W$;<supported

language into a script ob*ect.

=emote %nstallation $er!ices -=%$. +he settings in this node control how the

=emote )perating $ystem %nstallation feature is presented to client

computers.

%nternet 7plorer Maintenance. +he %nternet 7plorer Maintenance node

settings manage %nternet 7plorer -%7 and customi>e its beha!ior.

#older =edirection. +his node&s settings redirect Windows special folders -i.e.,

My Documents, pplication Data, Desktop, and $tart Menu to an alternatelocation on the network.

dministrators use Group Policy 7ditor -GP7 to con9gure policy information

or settings, which are stored in a GP). %n turn, GP)s link to appropriate sites,

domains, or organi>ational units -)'s in cti!e Directory -D to determine

the computers or users to which the settings in the GP) will apply. :ou apply

most GP)s for managing desktop systems and users to an )' that contains

either user or computer ob*ects. :ou can also use $ecurity Group and

Windows Management %nstrumentation -WM% 9ltering to further narrow thescope of ob*ects to which a gi!en policy will be applied. +he ?earning Path for

this article directs you to more detailed information about using Group Policy.

?et&s get started le!eraging the power of Group Policy to manage your

desktop systems.

1. lways Wait for 8etwork at $tartup and ?ogon

+his setting a"ects the Group Policy engine and determines whether GP)s

are applied synchronously or asynchronously. Win3@ applies GP)s

synchronously. 5P Professional introduced a re9ned asynchronous processingmode to speed up both boot and login times. s a side e"ect, howe!er, in 5P

Pro, Group Policy settings that take a speci9c action according to security

group membership can take two or e!en three logons to become e"ecti!e.

+he shortcomings to this approach are ob!ious, especially when you use

Group Policy as part of your security strategy. :ou can, howe!er, guarantee

application of targeted policies in a single boot or login by enabling the



lways wait for the network at computer startup and logon setting.

+he $etting2

omputer on9gurationA dministrati!e +emplatesA $ystemA ?ogonA lwayswait for the network at computer startup and logon

3. utomated )$ %nstallation !ia =%$

What better way to le!erage Group Policy than to start using it right away as

you deploy client systemsB =%$, which showed up initially in Win3@ $er!er, is

an optional component that lets administrators create automated installation

images for Windows 3004, 5P, and Win3@. :ou can deploy these images to

clients and ser!ers. :ou use the =emote %nstallation $er!ices node of GP7 tocontrol the hoice $creen )ptions that Windows pro!ides to =%$ clients. #rom

the hoice )ptions Properties screen you can con9gure the utomatic $etup,

ustom $etup, =estart $etup, and +ools options for =%$.

+he $etting2

'ser on9gurationA Windows $ettingsA =emote %nstallation $er!icesA hoice

)ptions

4. $tartup, $hutdown, ?ogon, and ?ogo" $cripts

%f you think logon scripts are old news for managing desktops and user

en!ironments, you&re only partially correct. Group Policy gi!es you much

more control o!er where and when scripts can be run. %n addition to

specifying the traditional logon script, which runs when a user logs on to the

domain, you can specify a script to run when a user logs o" the system. :ou

can also specify indi!idual scripts to run both when a computer starts up and

when it shuts down. +hese four types of script triggers gi!e you much more

Ceibility to perform tasks that *ust don&t 9t in the traditional logon scriptparadigm.

+he $ettings2

omputer on9guration A Windows $ettings A $cripts -$tartup$hutdown



'ser on9guration A Windows $ettings A $cripts -?ogon?ogo"

E. $tandardi>e )$ F?ook and #eelF $ettings

:ou can use a combination of Group Policy settings to create and maintain astandard look and feel for your users& systems. $uch standardi>ation can be

helpful in de!eloping consistent and e"ecti!e approaches to training and

support. :ou can control a myriad of settingstoo many to list here. +he

following locations and settings, howe!er, will pro!ide some guidance and

food for thought.

+he $ettings2

'ser on9gurationA dministrati!e +emplatesA $tart Menu H +askbar

A=emo!e #a!orites menu from $tart Menu

A+urn o" personali>ed menus AIin Windows 3004 and 5P $P3AJ6 ADisable

Personali>ed menus AIin 5P and Win3@ $er!erAJ

APre!ent changes to +askbar and $tart Menu $ettings AIin Windows 3004 and

5P 3P3AJ6 ADisable changes to +askbar and $tart Menu $ettings AIin 5P and

Win3@ $er!erAJ

'ser on9gurationA dministrati!e +emplatesA Windows omponentsA

Windows 7plorer

A+urn on lassic $hell

A=emo!e the #older )ptions menu item from the +ools menu

A=emo!e FMap 8etwork Dri!eF and FDisconnect 8etwork Dri!eF

A8o F7ntire 8etworkF in My 8etwork Places

'ser on9gurationA dministrati!e +emplatesA Desktop

A;ide and disable all items on the desktop

A;ide My 8etwork Places icon on desktop

A=emo!e the Desktop leanup Wi>ard



'ser on9gurationA dministrati!e +emplatesA ontrol PanelA $how only

speci9ed ontrol Panel applets

'ser on9gurationA dministrati!e +emplatesA ontrol PanelA dd or =emo!e

ProgramsA ;ide hange or =emo!e Programs page

'ser on9gurationA dministrati!e +emplatesA ontrol PanelA DisplayA Desktop

+hemes

A=emo!e +heme option

A ?oad a speci9c !isual style 9le or force Windows lassic

K. on9gure Windows #irewall $ettings for 5P $ystems

+he !ast ma*ority of settings for controlling Windows #irewall were only

recently made a!ailable in 5P $er!ice Pack 3 -$P3. ut before we di!e into

those settings, it&s worth noting that you do ha!e a modicum of control o!er

how 5P&s original %nternet onnection #irewall beha!es. :ou eercise this

control by using the Prohibit use of %nternet onnection #irewall setting on

your D8$ domain network6 you&ll 9nd the setting under omputer

on9gurationA dministrati!e +emplatesA 8etworkA 8etwork onnections.

%n 5P $P3, Windows #irewall is accompanied by an array of Group Policy<

controllable features. +he Group Policy options for Windows #irewall in 5P $P3

let an administrator con9gure two di"erent sets of 9rewall con9gurations,

known as pro9les. :ou use the Domain pro9le when the client is connected to

the network on which the client&s domain controllers are located. :ou use the

$tandard pro9le when the client is connected through an alternate network.

:ou can create a more restricti!e set of 9rewall options in the $tandard pro9le

for when systems don&t ha!e the bene9t of a corporate 9rewall. :ou can also

con9gure eceptions in the Domain pro9le that facilitate connections from

internal systems management tools. #or these and other 5P $P3 settings, youneed to implement 5P $P3 dministrati!e +emplates, as the Microsoft +ech8et

article FDeploying Windows 5P $er!ice Pack 3 in 7nterprise 7n!ironmentsF

discusses

-http2www.microsoft.comtechnetprodtechnolwinpprodeploysp3entdp.ms

p.

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/sp2entdp.mspx






+he $ettings2

omputer on9gurationA dministrati!e +emplatesA 8etwork8etwork

onnectionsA Windows #irewallA Domain Pro9le

omputer on9gurationA dministrati!e +emplatesA 8etwork8etwork

onnectionsA Windows #irewallA $tandard Pro9le

L. $trengthen Desktop $ecurity

%mplementing secure desktop clients reuires a multifaceted management

approach, and Group Policy can help ensure a consistent, stable foundation

on which to build your security strategy. Group Policy gi!es you the ability to

centrally manage and enforce a wide range of security settings and policiesrelated to desktop computers and their users. +here are four general areas

you can focus your security e"orts on2 security settings, %P $ecurity -%P$ec

policies, software restriction policies, and wireless network policies. ecause

con9guring these policies reuires a thorough understanding of their possible

e"ects and plenty of testing before you implement them in a production

en!ironment, % won&t attempt to eplain the details here. :ou can read more

about con9guring these settings at

http2www.microsoft.comresourcesdocumentationWindows$er!3004allde

ployguideenusDefault.aspBurlNresources

documentationwindowsser!3004alldeployguideenusdmebgOdspOd*or.asp.

:ou use security settings to con9gure security/related )$ speci9cs such as

9le and registry ?s, audit policy, password policy, e!ent logging, and

ser!ice startup modes. :ou can import a security template into a GP), which

lets you organi>e security settings in a single, easily managed package.

Default templates are located in systemrootA$ecurityA+emplates and ha!e

an .inf etension.

+he $etting2

omputer on9gurationA Windows $ettingsA $ecurity $ettings

%P$ec is a relati!ely complicated security feature for 9ltering, authenticating,

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/enus/Default.asp?url=/resources/






and encrypting network tra(c. +o access an etensi!e list of resources for

learning more about %P$ec, check out the Microsoft Windows $er!er 3004

%P$ec +echnology enter at

http2www.microsoft.comwindowsser!er3004technologiesnetworkingipsec

default.msp.

+he $etting2

omputer on9gurationA Windows $ettingsA $ecurity $ettingsA %P $ecurity

Policies on cti!e Directory

$oftware restriction policies are self/eplanatory. +hey let you specify

applications that you want to allow or deny on a per/user or per/computer

basis.

+he $ettings2

omputer on9gurationA Windows $ettingsA $ecurity $ettingsA $oftware

=estriction Policies

'ser on9gurationA Windows $ettingsA $ecurity $ettingsA $oftware =estriction

Policies

Wireless network policies let you con9gure settings that control the beha!ior

of the Wireless on9guration $er!ice in 5P through the Wireless 8etwork

Policies 7tension in a Windows 3004 en!ironment.

+he $etting2

omputer on9gurationA Windows $ettingsA $ecurity $ettingsA Wireless8etwork -%777 Q03.11 Policies

R. ontrol Windows 'pdate and utomatic 'pdates

Generally speaking, 5P&s Windows 'pdate and utomatic 'pdates are great

http://www.microsoft.com/windowsserver2003/technologies/networking/ipsec/default.mspx






features. %n a corporate en!ironment, though, there are good reasons to

control their a!ailability and beha!ior. :ou can disable utomatic 'pdates and

remo!e user access to Windows 'pdate through Group Policy. )f course,

you&ll likely only do this if you ha!e a centrali>ed update distribution

mechanism such as $oftware 'pdate $er!ices -$'$ or its soon/to/be/

released successor Windows 'pdate $er!ices -W'$. oth $'$ and W'$ arecontrollable through Group Policy but might reuire an updated !ersion of the

Wuau.adm administrati!e template. +he settings for the built/in update tools

are user/speci9c. $'$ and W'$ settings are computer/based.

+he $ettings2

'ser on9gurationA dministrati!e +emplatesA $ystemA Windows utomatic

'pdates

'ser on9gurationA dministrati!e +emplatesA $ystemA Windows 'pdate

omputer on9gurationA dministrati!e +emplatesA Windows omponentsA

Windows 'pdate

Q. #older =edirection

#older =edirection lets you redirect the path of special folders such as My

Documents, Desktop, and pplication Data to a network location. $toring

these folders and their contents on a 9le ser!er a"ords them the superiorprotection that ser!er class hardware inherently pro!ides and also makes the

data a!ailable to users from multiple workstations. separate but

complementary technology is 5P&s )Sine #iles, which automatically makes

9les a!ailable oSine when you redirect them from a special folder. #or more

information about implementing #older =edirection, see F'sing %ntelliMirror to

Manage 'ser Data and $ettingsF -Tuly 3004, %nstantDoc %D 4U1U4.

+he $ettings2

'ser on9gurationA Windows $ettingsA #older =edirection

'ser on9gurationA 8etworkA )Sine #iles

U. $tandardi>e and $ecure %7

%7 is one of the most freuently used tools on many users& systems6



unfortunately, it&s also one of the most misused. %n addition, %7 presents an

oft/eploited a!enue for malware and other threats to security and pri!acy.

lthough there is no bulletproof solution to these risks when %7 is so widely

used, there are Group Policy settings to shore up security and better control

how %7 is used. %7 subkeys under 'ser on9guration and omputer

on9guration in GP7 let you customi>e settings and set restrictions on a per/user or per/computer basis -the ma*ority of settings are beneath 'ser

on9guration. ustomi>ations you can make include but aren&t limited to2

hanging the appearance of the browser interface

$etting custom '=?s for fa!orites, search page, and home page

on9guring default program for handling tasks such as email and

newsgroup acti!ities

ontrolling security >ones and content rating settings

on9guring connection settings for ?8 and dial/up

:ou can also restrict user access to certain %7 settings, menu items, and

con9guration pages to enforce consistency and bolster security. +ake a

minute to read the 7plain tab for the settings you con9gure to a!oid

confusion about what will happen when you enable or disable a setting. 5P

$P3 dramatically epands the %7 security options that Group Policy cancontrol. +he new features include M%M7 sni(ng safety, >one ele!ation

protection, cti!e5 installation restrictions, 9le download restrictions, and

dd/on management.

+he $ettings2

omputer on9gurationA dministrati!e +emplatesA Windows omponentsA

%nternet 7plorer

'ser on9gurationA dministrati!e +emplatesA Windows omponentsA %nternet7plorer

10. $oftware %nstallation Policy for utomated pplication Deployments

$oftware installation and maintenance are part of Microsoft&s %ntelliMirror

functionality, and you can control both with Group Policy. :ou can con9gure



settings within GP7 to assign or publish an application to users or computers.

$oftware installation and maintenance functionality works with programs that

use Windows %nstaller technology -i.e., .msi 9les. )f course, Microsoft

applications such as )(ce use Windows %nstaller technology for their

installation process, which means you can assign )(ce to a user or computer

population and ha!e it installed automatically. :ou can create custominstallations using msi transforms and use security group 9ltering to target

speci9c groups of users to which the custom installation will be applied. nd

in case you&re wondering, you can also use software installation and

maintenance functionality to deploy 5P $P3. :ou can assign 5P $P3&s

'pdate.msi only to machines6 assigning to users isn&t supported. #or more

information, see the Microsoft article Fest Practices for 'sing 'pdate.msi to

deploy $er!ice Packs,F http2www.support.microsoft.comBkbidN3RQK04.

+he $ettings2

'ser on9gurationA $oftware %nstallation

omputer on9gurationA $oftware %nstallation

Good Policy

8ow you know that some policies are simple and others, such as #older

=edirection, reuire preparation and testing to implement. +he best way to

approach policy creation is from the perspecti!e of sol!ing a particularproblem or pro!iding a particular ser!ice. Determine the appropriate settings

to accomplish the task at hand. =ead the description under the 7plain tab

when !iewing the properties for a setting within GP7 to make sure you fully

understand a setting&s impact and beha!ior before you turn it on. nd 9nally,

make sure you fully test both the result of the settings in your GP) as well as

your scope targeting method before putting a policy into production.

Print

reprints

#a!orite

7M%?

http://www.support.microsoft.com/?kbid=278503

http://www.support.microsoft.com/?kbid=278503



in$hare

Discuss this rticle U

nonymous 'ser -not !eri9ed

on pr 3R, 300K

;ardware V Dial/'p onnection V Portable omputer V attery Present V

PM% Present V P' $peed V Disk $pace V =M !ailable V M ddress

=ange %dentity V %P ddress =ange V D?DP uery V DomainWorkgroup V

)rgani>ational 'nit V $ite Membership V omputerD8$ 8ame V $ecurity

Group V 'ser Match $oftware V )perating $ystem V $er!ice Pack V +erminal

$ession V $ystem'ser ?anguage V #ile match V =egistry Match V 7n!ironment

Xariable )ther V #ilter Group V Message o V M$% Packages V =ecur 7!ery V

=un )nce V +ime =ange V WM% uery dditionally, Group Policy pro!ides arich delegation and hierarchical management model so that organi>ations

can make the system support the way they do business. ll in all Group Policy

has practically unlimited potential and tremendous =)%. %tYs well integrated,

etensible, hugely scalable and by far the most widely deployed desktop

management system for cti!e Directory networks. 7ric

?og %n or =egister to post comments


on pr Q, 300K

Dude you&re lame / this is an article comment section, not your opportunity

for a personal shameless plug.



on pr 1E, 300K

dam, +hanks for your thoughtful response. ;a!ing worked with %+ Pro -and

predecessors for many years, this is the type of in/depth discussion % would



epect readers to appreciate the most. Group Policy is an epansi!e and

!aluable topic, and itYs hard to get enough depth e!en in a feature article.

Generating discussion on the topic of whatYs missing is a great approach to

this problem. Please forgi!e me if % got the wrong impression regarding

sponsorship of the article, but itYs easy to come to this conclusion gi!en the

contents of the Z%nteract[ section at the top of the article -in both print andonline !ersions. % assumed that was a paid position associated with the

article < which of course was the co!er story for the pril print edition. My

mistake. % donYt know a lot about the $? product, but from what % understand

itYs dependent on @i5tart scripting, not Group Policy. +here are many ways to

accomplish management tasks in a distributed network < scripting, script

generators, !arious utility products and tools, infrastructure in!estments such

as \78works, $M$, +i!oli, ltiris, etc. $ome of these claim to ha!e association

with Group Policy. ;owe!er to actually pro!ide new Group Policy features

reuires implementing MicrosoftYs etensi!e speci9cation for Group Policy

7tension, including Group Policy )b*ect 7ditor etensions, =esultant $et of

Policy snap/in etensions, GPM integration, and lient $ide 7tensions. +his

is how the Microsoft etensions work. %tYs hard for me to come up with an

eample of desktop management functionality that cannot be managed

easily using a Group Policy etension. )f course there is not a Group Policy

etension to co!er e!ery concei!able management task, yet this is true of all

management products. $hould holes in nati!e functionality be 9lled by non/

Group Policy utilities if there are capable etensions a!ailableB +hatYs an

indi!idual decision, but one that should be made with an understanding of

the options. %n fairness, rian did state that third party products -presumably

etensions are reuired to 9ll the holes in Group Policy < but thatYs by design.

=eusing my own analogy, one wouldnYt argue that %7 was Ztoo limited[because Microsoft didnYt pro!ide all of the plug/ins. Tust the opposite is true.

Group Policy is practically VunlimitedV because itYs etensible and the

etensibility model is supported. +his isnYt true of most other desktop

management systems. rian missed an opportunity to point out a legitimate

limitation of Group Policy < it doesnYt support Windows 8+ E or Windows U

desktops. s % understand $? predates Group Policy and supports these

platforms. % assume he has a good product and %Ym sure it can 9ll some of the

holes left by nati!e Group Policy e!en on current platforms. ;owe!er, people

looking for Group Policy solutions should be aware that there are in fact true

Group Policy etensions that more than handle the issues raised. +herefore, %guess % should answer the other part of your uestion, ZWhat are some

speci9c eamples of desktop management functionality that ] can be done

easily with a Group Policy etensionB[ +hatYs a mighty long list, and this is

already getting too long < so %Yll follow up a little later. =egards, 7ric




dam -not !eri9ed

on Mar 3U, 300K

rian $tyles of $cript?ogic also has some thoughts about Group Policy. ;e

hopes to hear your thoughts and share more of his with this article. rian&s

comments2 Policy based control o!er desktop settings are a great starting

point to standardi>e and streamline the user&s en!ironment. +hey employ the

ability to make changes on multiple machines with a single administrati!e

change. ;owe!er, Group Policies are simply not enough for comprehensi!e

desktop administration for two reasons2 -1 limited scope of administrati!e

ability and -3 limited granularity of distribution. +he scope of administration

Group Policies master are limited to )$/ and -some application/speci9c

settings. +hird party solutions are reuired to handle the multitude of other

aspects that are reuired by the administrator to control the users

en!ironment. ?ike the administrati!e scope, granularity of policy distribution

is also etremely limited in that you ha!e only users, groups, computers and

)'s to use to di"erentiate policy deployment. )'s and ob*ect types are only

a few of the long list of methods you can use to categori>e and identify users.

%t should come as no surprise to %+ professionals that $cript?ogic would ha!e

an opinion on Group Policies gi!en that $cript?ogic has made a business out

of de!eloping intuiti!e management solutions in the areas of desktop

administration, cti!e Directory and Group Policy management. 8ow it&s your

turn to gi!e us your feedback. $hare with us your eperiences of using GroupPolicies to manage Windows clients and feel free to post your uestions. We&ll

be monitoring your feedback and posting replies. / rian $tyles



on pr 3R, 300K

dam, +hese are the etensions that are a!ailable when you install the

PolicyMaker suite. 8ati!e -Microsoft Group Policy etensions make up *ust 14

of these. +he dministrati!e +emplates etension includes hundreds of

indi!idual security and other operating system con9guration parameters.

$oftware 'pdate pro!ides Group Policy patch management using $'$W'$

data. Printers pro!ides mapping of shared printers or connection of %P



printers. +he solutions possible with these etensions and the numerous

policy types they include are innumerable. V7n!ironment Xariables V?ocal

'sers and Groups Vpplication $ecurity VDe!ice =estrictions VWireless

V8etwork )ptions VDri!e Maps V#older =edirection Vdministrati!e +emplates

VMicrosoft Disk uota Vo$ Packet $cheduler V$cripts V$ecurity V%nternet

7plorer randing V7#$ reco!ery V$oftware %nstallation V$oftware 'pdate V%P$ecurity V#olders V#iles VData $ources V%ni #iles VWindows $er!ices V#older

)ptions V$cheduled +asks V=egistry Vpplications VPrinters V$hortcuts VMail

Pro9les V%nternet $ettings V$tart Menu $ettings V=egional )ptions VPower

)ptions )ne of the strengths of Group Policy is its ability to target groups of

settings in a GP) to users andor computers by site, domain, and

organi>ational unit. dditionally, GP)s can be 9ltered by security group and

WM% 9lters. PolicyMaker etensions add to this Ceibility by implement per/

setting targeting using a graphical drag and drop 9lter interface common to

all etensions and settings. +his allows administrators to create a much

smaller number of GP)s and target contained settings more granularly. #ilter

classes include2



on pr R, 300K

ob, +hanks for the plug. learly Group Policy is the most widely utili>eddesktop management technology system < and the beast feature of cti!e

Directory. s far as % know the only scoping limitations are that machines

must be Windows 3000 or later, and for central management they must be

*oined to D. 7!eryone with an cti!e Directory network is already using

Group Policy. 'nfortunately some people miss out on the rich possibilities by

focusing entirely on the etensions that are pro!ided with Windows. +hatYs

like complaining that %7 canYt !iew a PD# 9le. Group Policy is an etensible

architecture by design. +he 11 etensions that ship with Windows 5P include

security settings, software deployment and more. ;owe!er, when we

introduced the 9rst product based on this speci9cation, a whole new world oftrue Group Policy was opened up. )ur PolicyMaker suite includes a total of 34

etensions -e.g. printers, dri!e maps, patching, local users and groups

management, power options, least pri!ilege security, )utlook pro9les, and

much more, and each supports the full speci9cation < including GPM

integration, backup and restore, planning and logging modes, delegation, and

more. +here are no ser!ers or ser!ices to install, it all works inside the

eisting architecture. We implement a number of common features in our



etensions, including drag/and/drop 5M? importeport, 3K categories of

graphical per/setting 9lters -no limit to granularity, per/setting

documentation, en!ironment !ariable integration, etension/le!el delegation,

and much more. )ur customers 9nd that Group Policy pro!ides the ideal

combination of Ceibility, power, control, and operating system integration <

a combination that cannot be found in scripting, script generators, or utilityproducts. +his article is a great introduction, and for more information on

Group Policy, etensions, architecture, third party products, etc., check out

the following wiki site2 http2www.grouppolicy.org #or more information on

PolicyMaker, see2 http2www.desktopstandard.compolicymaker 7ric Xoskuil,

+) Desktop$tandard orporation MXP -Windows $er!er < Management

http://www.grouppolicy.org/

http://www.desktopstandard.com/policymaker

http://www.grouppolicy.org/

http://www.desktopstandard.com/policymaker

10 Ways to Manage Desktops With Group Policy

Documents

Transcript of 10 Ways to Manage Desktops With Group Policy