Section 8: Configuring the Desktop Environment with Group Policy
Exploring Script Types and Controlling Script Execution
Defining the Desktop, Start Menu, and Taskbar Settings
Defining the Control Panel Settings
Defining the Windows Components Settings
Configuring the Printer Management and Pruning Settings
Defining Network Settings
New Settings for Windows 8 Client and Windows Server 2012
Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:
Describe the startup, shutdown, logon, and logoff scripts and settings
Identify the many ways to control the user desktop, Start menu, and taskbar settings
Explain how to restrict the Control Panel settings
Explain how to restrict the operations that users can perform in Windows Explorer, Windows Internet Explorer, and Remote Desktop Services
Explain how to configure the printer management and pruning settings
Describe the network settings
Exploring Script Types and Controlling Script Execution
Script Types
Controlling Script Processing
Delegating Script Management
Script Types
Active Directory domains support four types of scripts:
Computer Startup
Computer Shutdown
User Logon
User Logoff
Computer Startup and Shutdown Scripts
Startup and shutdown scripts run in the context of the computer account.
A user account is not logged on. These scripts must not require user input.
User Logon and Logoff Scripts (1)
A logon script runs when a user logs on to a Windows computer, using the user security context.
A logoff script runs when the user logs off, again using the user security context.
Scripts can be:
PowerShell
VBScript
BAT
CMD
EXE
User Logon and Logoff Scripts (2)
If logon scripts are written in Windows PowerShell, the scripts must be signed or the script execution policy must be relaxed.
User Logon and Logoff Scripts (3)
This is an example of a PowerShell logon script that maps a drive and displays a message box.
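An added example, not taken from the original slides: a logon script of the kind described, followed by the signing and verification steps that the signing requirement implies. The file name MapDrive.ps1, the share \\fileserver01\home, the drive letter, and the presence of a code-signing certificate in the current user's store are assumptions.

```powershell
# --- The logon script itself (hypothetical MapDrive.ps1) ---------------
# It runs in the security context of the user who is logging on.
$logonScript = @'
# Map H: to the user's home share (server and share names are placeholders).
# -Scope Global keeps the mapping after the script's own scope ends.
New-PSDrive -Name H -PSProvider FileSystem `
    -Root "\\fileserver01\home\$env:USERNAME" -Persist -Scope Global | Out-Null

# Display a message box once the drive is mapped.
Add-Type -AssemblyName System.Windows.Forms
[System.Windows.Forms.MessageBox]::Show('Drive H: is mapped.', 'Logon script') | Out-Null
'@

$scriptPath = Join-Path $PWD 'MapDrive.ps1'
Set-Content -Path $scriptPath -Value $logonScript -Encoding UTF8

# --- Sign the script instead of relaxing the execution policy ----------
# Assumption: a code-signing certificate is installed in CurrentUser\My.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Select-Object -First 1
if (-not $cert) {
    throw 'No code-signing certificate found in Cert:\CurrentUser\My.'
}
Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert | Out-Null

# --- Verify before assigning the script in a GPO ------------------------
# Status must be Valid. Any edit made after signing changes it to
# HashMismatch, and the script will then be refused under AllSigned.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
"Signed by $($sig.SignerCertificate.Subject); status $($sig.Status)"

# Show the execution policy at every scope. MachinePolicy and UserPolicy
# are the scopes set through Group Policy and take precedence over the rest.
Get-ExecutionPolicy -List
```

Under the AllSigned policy the clients must also trust the signing certificate as a publisher, so the certificate has to be distributed to them before the signed script will run.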
Controlling Script Processing
Run logon scripts synchronously
Run startup scripts synchronously
Run startup scripts visible
Run shutdown scripts visible
Maximum wait time for Group Policy scripts
Delegating Script Management
Control which users can configure scripts by limiting the MMC snap-in using the following Administrative Templates settings:
User Configuration, Administrative Templates, Windows Components, Microsoft Management Console, Restricted/Permitted snap-ins, Group Policy, Scripts (Logon/Logoff), Scripts (Startup/Shutdown)
User Configuration, Administrative Templates, Windows Components, Microsoft Management Console, Restrict users to the explicitly permitted list of snap-ins
Defining the Desktop, Start Menu, and Taskbar Settings
Control icons on the desktop.
Customize and set the Start menu.
Set access to taskbar settings.
Defining the Control Panel Settings
Restrict access completely.
Control access to Add/Remove Programs.
Restrict the display properties.
Control printer management.
Customize or set language options.
Defining the Windows Components Settings
File Explorer Settings
Internet Explorer Settings
Remote Desktop Services Settings
Other Notable Windows Components
File Explorer Settings
The File Explorer section contains many settings dealing with the desktop and the File Explorer.
Internet Explorer Settings
Previous group policies already contained a large number of Internet Explorer settings.
Now, more settings than ever are available with the latest versions of Windows Internet Explorer.
Administrator Approved Controls
If users are constantly having problems with add-ons to Internet Explorer, you can configure an approved list of allowed controls.
Browser Menus
To provide a more streamlined or restrictive interface, menu options in Internet Explorer can be disabled.
Internet Control Panel
Specific portions of Internet Control Panel can be disabled to prevent tampering with settings.
Offline Pages
Offline Pages governs the downloading and caching of pages for later viewing.
Persistence Behavior
Some DHTML Web pages can store an enormous amount of data in the name of “persistence.”
This storage can be limited using Group Policy.
Toolbars
Similar to the text-based menu options, the icon-based toolbars can also be controlled.
Remote Desktop Services Settings
The Remote Desktop Services settings are very important for restricting what users can do while connected to a desktop interface from a server.
Other Notable Windows Components
Microsoft Management Console
Task Scheduler
Windows Installer
Windows Media Player
Windows Messenger
Windows Update
Configuring the Printer Management and Pruning Settings
Pruning: Purges inactive printers from Active Directory
Publishing: Controls the listing of printers in Active Directory
Defining the Network Settings
DNS Client
Offline Files
Network Connections
DNS Client
Some of the TCP/IP settings assigned to client computers come from DHCP.
Other more advanced settings can be configured centrally through a GPO.
Offline Files
Folder redirection is largely replacing the roaming profile.
Contents are automatically synchronized to the local computer for portability.
Network Connections
Relaxing some of the network restrictions can allow normal users a small amount of control over their network connection.
This feature is useful for individuals who travel.
New Settings for Windows 8 Client and Windows Server 2012
Network
Start Menu and Taskbar
System
Windows Components
Network
Remove “Work offline” command
This policy setting removes the “Work offline” command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode.
Start Menu and Taskbar
The few new Start Menu and Taskbar settings are listed below:
Clear history of tile notifications on exit
Do not allow taskbars on more than one display
Prevent users from uninstalling applications from Start
Show “Run as different user” command on Start
Turn off notifications of network usage
Turn off tile notifications
Turn off toast notifications
Turn off toast notifications on the lock screen
System
A minimal number of System settings have been added that are specific to Windows 8 Client and Windows Server 2012:
Enable optimized move of contents in Offline Files cache on Folder Redirection server path change
Redirect folders on primary computers only
Turn off access to the Store
Windows Components (1)
Almost two dozen new settings have been added within the Windows Components section:
Block launching desktop apps associated with a file
Block launching desktop apps associated with a protocol
Do not display the password reveal button
Turn off switching between recent apps
Turn off tracking of app usage
Location where all default Library definition files for users/machines reside
Start File Explorer with ribbon minimized
Do not include Non-Publishing Standard Glyph in the candidate list
Windows Components (2)
Restrict character code range of conversion
Turn off custom dictionary
Turn off history-based predictive input
Turn off Internet search integration
Turn off Open Extended Dictionary
Turn off saving auto-tuning data to file
Turn on misconversion logging for misconversion report
Specify default connection URL
Turn off storage and display of search history
Turn off the Store application
Windows Components (3)
Do not throttle additional data
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Set the default source path for Update-Help
Turn on Module Logging
Summary
Computer startup and shutdown scripts: GPOs support computer-specific startup and shutdown scripts. When a workstation or server is located in an OU, it runs the assigned script in the context of the Local System account. You can use these scripts to perform cleanup or maintenance routines, even when a user is not logged on to the console of the system.
Summary (cont.)
User logon and logoff scripts: Logon and logoff scripts apply to a user account that can be contained at the site, domain, or OU container, or all of these locations. These scripts are typically used to map drives or perform other activities that are not found as part of typical Group Policy settings.
Summary (cont.)
To restrict the operations that users can perform on their computers, go to the Group Policy console settings under the User Configuration node. Some settings are located under the Policies subnode, while others are found under the Administrative Templates subnode. You can set many different restrictions to the following:
Desktop
Start menu
Taskbar
Control Panel
Windows Explorer
Windows Internet Explorer
Summary (cont.)
Most of the Remote Desktop Services policies appear in the Group Policy console under the Computer Configuration node, although you can set a few timeouts in the User Configuration node.
To configure the printer management and pruning settings, go to Computer Configuration, Administrative Templates, and Printers node in the Group Policy console. Some User Configuration client-side printer settings exist in Control Panel.
Summary (cont.)
The network settings are:
DNS Client: Preset values that control the functioning of DNS, including dynamic update, DNS suffixes, Time-to-Live values, etc.
Offline Files: Configure the settings for caching offline files on the local computer.
Network Connections: Restrict or allow access to network settings such as TCP/IP properties, viewing network adapter properties, and disabling or enabling network adapters.
Knowledge Check
1. Where in the Group Policy console can you configure the pruning settings?
a. User Configuration, Administrative Templates, and Printers node
b. User Configuration, Policies, and Printers node
c. Computer Configuration, Administrative Templates, and Printers node
d. Computer Configuration, Policies, and Printers node
Knowledge Check (cont.)
2. If you wanted to hide specific Control Panel items, what would you do?
a. Navigate to User Configuration, Policies, Administrative Templates, and Control Panel.
b. Find the file name of the desired Control Panel item (.cpl extension) in %Systemroot%\System32.
c. Right-click the item and select Hide.
Knowledge Check (cont.)
3. Internet Explorer settings exist in three primary locations in the Group Policy console. Name them.
Answer:
Computer Configuration, Policies, Administrative Templates, Windows Components, and Internet Explorer
User Configuration, Policies, Administrative Templates, Windows Components, and Internet Explorer
Computer Configuration, Policies, Windows Settings, and Internet Explorer Maintenance
Knowledge Check (cont.)
4. In which node of the Group Policy console (Computer Configuration or User Configuration) would you expect to find DNS settings? Why?
Answer: Computer Configuration, because the settings apply to the computer as a whole
Knowledge Check (cont.)
5. Which setting would you use to prevent users from applying patches and updates, block access to the Windows Update Web site, and remove the Windows Update hyperlink from the Start menu and from the Tools menu in Windows Internet Explorer? (Hint: Go to User Configuration, Policies, Administrative Templates, and Start Menu and Taskbar.)
Answer: Remove links and access to Windows Update
Knowledge Check (cont.)
6. What types of scripts does the following text describe?
These scripts apply to a user account that can be contained at the site, domain, or OU container, or all of these locations. These scripts are typically used to map drives or perform other activities that are not found as part of typical Group Policy settings.
Answer: User logon and logoff scripts