Open Active Directory Users and Computers (located on the Start Menu -> Administrative Tools).
In the console tree in the left column, right-click the OU labeled East Wing and choose Properties.
The East Wing Properties window appears. Click the Group Policy tab. Notice that there are no Group Policies assigned to the East Wing OU.
Click the New button. A new GPO appears in the list with the default title of New Group Policy Object. Rename this GPO to East Wing GPO (Art Department).
Double-click East Wing GPO (Art Department). The Group Policy Object Editor appears. Notice the settings in the left column:
From this point, we can control GPOs based on users or computers. For this exercise, we concentrate on the User Configuration. Recall that the members of the East Wing Art Department must have the ability to configure their computers' appearance, but they should not be able to edit the inner workings of the Windows subsystem. We therefore need to lock the East Wing's members out of key system components such as the Registry Editor, Command Prompt, and the Add/Remove Programs control panel.
In the left pane of the Group Policy Object Editor under User Configuration, expand Administrative Templates by clicking the plus (+) sign to its left.
Now, expand the Control Panel entry and click Add or Remove Programs.
Several options appear in the right pane that define the behavior of the Add/Remove Programs control panel on Windows 2000/XP computers. Locate the item titled Remove Add or Remove Programs and double-click it.
A new window appears with three choices: Not Configured, Enabled, and Disabled. A setting of Not Configured tells the server to not process this particular rule, which can save server resources. A setting of Enabled turns the rule on, effectively removing the Add/Remove Programs control panel from any client in the East Wing OU. A setting of Disabled turns the rule off. The server still processes the rule, which can use system resources, unlike the Not Configured option. For this exercise, click Enabled and then OK.
Back in the left pane, click the folder labeled Start Menu and Taskbar. In the right pane, Windows Server 2003 lists all the rules that govern the behavior of the Windows Start menu and taskbar on client computers in the East Wing OU.
Double-click the item labeled Remove Run menu from Start Menu and choose the Enabled setting. Click OK. This removes the Run command from users' Start menus.
Back in the left pane, click the folder labeled System.
In the right pane, Windows Server 2003 lists all the rules that govern the behavior of many system functions on client computers in the East Wing OU. Double-click the item marked Prevent access to the command prompt, and choose the Enabled setting. Also choose the No setting for Disable the command prompt script processing also. Click OK. This prevents a user from opening a DOS/command prompt, but still allows the system to process scripts through the command prompt.
Again in the right pane, double-click Prevent access to registry editing tools, enable it, and click OK. This prevents users from running software that would allow them to edit the Windows Registry.
Close the Group Policy Object Editor. Click OK at the East Wing Properties window.
Congratulations! You've just created your first Group Policy Object. Of course, as with all computer settings, it's always a good idea to test our configuration to make sure that things are working as intended.
Remember that most of the GPOs in Windows Server 2003 affect only Windows 2000 and XP Professional clients.
On either your Windows 2000 or XP Professional client, log out if you're still logged in as tknot (Start Menu -> Shut Down -> Log off tknot).
Log back into the client using mkin (recall that this is one of our artists from the East Wing OU, Mr. Mann A. Kinn).
Let's try to run the Add/Remove Programs control panel. Pull up Control Panels and double-click Add/Remove Programs. You should receive a warning similar to the following:
Our user is unable to launch the Add/Remove Programs control panel, just as we defined in the GPO.
Recall that we removed the Run command from the Start menu. You can confirm this by clicking the Start menu.
Launching the Registry Editor is normally accomplished by choosing Run from the Start menu and typing regedit. But we have removed the Run command. However, the user may still try to run regedit by locating it in the C:\WINNT folder. Navigate to this folder and try double-clicking the Regedit icon. Windows denies access and posts a message stating:
Registry editing has been disabled by your administrator.
Try launching a command prompt, located in Start Menu -> Programs -> Accessories (Windows 2000) or Start Menu -> All Programs -> Accessories (Windows XP). Windows should pull up a command prompt with the following error message:
The command prompt has been disabled by your administrator. Press any key to continue
We have satisfied all conditions specific to our East Wing Art Department. One thing that you should definitely keep in mind is that the East Wing GPO only applies to the East Wing OU and all objects inside of it. It does not travel any deeper down the domain.
Open Active Directory Users and Computers.
In the console tree in the left column, right-click the OU labeled South Wing and choose Properties.
The South Wing Properties window appears. Click the Group Policy tab and click the New button. Name this new GPO South Wing GPO (Marketing Department) and click the Edit button.
The Group Policy Object Editor window appears. In the left column under User Configuration, expand Administrative Templates.
Click one time on the folder labeled Desktop.
The first stop is to restrict our Marketing users from using the Windows Active Desktop technology to add web content to their desktops. In the right column, double-click the folder labeled Active Desktop.
Double-click the item labeled Disable all items and enable it.
In the left column, expand the item labeled Control Panel.
Expand the item marked Display, and click the folder labeled Desktop Themes.
In the right column, double-click the item labeled Remove Theme option and enable it.
Close the Group Policy Object Editor and click OK on the South Wing Properties dialog.
As with the Art Department, we must now test the Marketing Department to ensure that our GPO indeed works as expected.
For Windows 2000 Professional (Note: Windows 2000 does not support custom themes in the way Windows XP does):
Boot Windows 2000 Professional and log into the domain using an account from the South Wing. For this example, we use our old standby Tye D. Knot (username tknot).
Right-click anywhere on the Windows desktop and choose Properties. Inspect the tabs across the top of the window. Notice the absence of a Web tab. Because there is no Web tab, the user is not able to place custom web content on the Windows Desktop, just as we specified in our GPO for the South Wing OU.
Click the Background tab. In the list of pictures at the bottom of the window, click the picture titled Chateau. Chateau is a desktop picture saved in the JPEG format. Click Apply.
The Desktop is now filled with a landscape picture.
This satisfies our GPO of allowing our Marketing Department to place JPEG picture files as backdrops on their computers.
Get Info | So what exactly does the JPEG image file format have to do with the Active Desktop function that we turned off in the South Wing GPO? The Active Desktop, introduced way back in Internet Explorer 4.0 for Windows 95, allows the user to place actual web content on the desktop. For example, a user can place a stock ticker on his desktop that updates every few minutes, live from the internet. Traditionally, Windows could only place graphics on the desktop that were saved in the BMP format (Windows Bitmap). With the introduction of the Active Desktop, users can place other, more common graphics formats as backdrops. But in order to enable this ability, the Active Desktop must be activated. But activating it also enables the custom web content feature. Using our specialized GPO, we can prevent the custom web content and still allow the placement of diverse image files on the desktop. |
For Windows XP Professional:
Windows XP Professional handles the Active Desktop a bit differently from Windows 2000. Boot Windows XP and log in using an account from the South Wing OU. For this example, we use tknot.
Right-click anywhere on the Windows desktop and choose Properties. The Display Properties window appears. Normally on Windows XP, this window contains five tabs: Themes, Desktop, Screen Saver, Appearance, and Settings. However, on this window, there are only four tabs. Recall that we removed the option to use custom themes for anyone logged in from the South Wing OU, and so the Themes tab is absent.
Click the Desktop tab, and at the bottom of the window, click the Customize Desktop button. The Desktop Items window appears. On a normal Windows XP system, there are two tabs on this window: General and Web. However, on this window there is only one tab, with the Web tab missing. This is because we removed the ability to add custom web content to the desktop. Click OK to dismiss the Desktop Items window.
Back on the Desktop tab of the Display Properties window, you are presented with a list of backdrop picture files toward the bottom of the window. Click the item labeled Wind, and click Apply. The Windows background changes to a picture of sweeping sand dunes. This particular image is in JPEG format, a format that normally requires the Active Desktop function to be turned on. Recall that our GPO for the South Wing OU disables the custom web content of the Active Desktop, while still allowing diverse image files to be used as desktop backgrounds. Click OK to dismiss the dialog.
This tutorial is dedicated to those of you out there who love to control things. Recall that the North Wing OU's members (the Accounting Department) do not need any sort of extras in their Windows computers; only the bare essentials for them (Note: in the real world, it might not be a good idea to get these people too angry with you, as they do control the flow of money into your bank account).
On the server, open Active Directory Users and Computers. Right-click the North Wing OU, choose Properties, and in the same way as with the two previous examples, create a new GPO titled North Wing OU (Accounting). Double-click this new GPO.
On the left column of the Group Policy Object Editor, expand the Administrative Templates folder. Now expand the Windows Components folder.
Click the folder labeled Windows Explorer once. A list of GPO rules appears in the right column.
We wish to restrict this OU's members' access to the floppy drives on their computers. This may help in preventing viruses from infecting our systems via floppy disks. Double-click the rule labeled Hide these specified drives in My Computer and enable the rule. Since we only wish to hide floppy drives from the My Computer window, choose the option labeled Restrict A and B drives only, as shown below. Click OK:
Now that the A and B drives are hidden, we need to completely restrict access to them. Double-click the rule labeled Prevent Access to Drives from My Computer, enable it, and apply it to drives A and B only. Click OK.
We do not want to grant the members of the North Wing OU the ability to burn CDs (CD-R or CD-RW) if they are using Windows XP (XP provides native support for burning CDs right within Windows Explorer without the need for third-party applications). Double-click the rule labeled Remove CD Burning features and enable it. Click OK.
We do not wish to allow the members of the North Wing OU to install third-party software from any removable media. We have already locked users out of the floppy drives, but software may still be installed via CD/DVD, ZIP, and Jaz media. In the left column under Windows Components, click the folder labeled Windows Installer.
In the right column, enable the rule labeled Prevent removable media source for any install. This prevents our users from installing any software program from removable media.
We do not wish to allow our North Wing users to use Windows Messenger, a chat program included with Windows. In the left column under Windows Components, click the Windows Messenger folder.
Enable the rule labeled Do not allow Windows Messenger to be run (Note: this rule does not work on Windows 2000 systems. To restrict Messenger on 2000 systems, see step 17 of this tutorial).
We now wish to add a Log Off item to the Windows Start Menu for all North Wing clients. This is primarily for Windows 2000 based clients, as 2000 does not add a Log Off item by default. In the left column, click the folder labeled Start Menu and Taskbar located under the Administrative Templates folder.
Enable the rule labeled Add Logoff to the Start Menu.
Like the East Wing OU, we wish to limit the North Wing OU from accessing certain key system components. One of these involves the Run command on the Start menu. In the right column, enable the rule labeled Remove Run menu from Start Menu.
We wish to limit the ability of the North Wing OU to alter the Windows Taskbar position (this may help alleviate those calls to the help desk asking "...where did my taskbar go?"). On the left column under the Administrative Templates folder, click the Desktop folder. Enable the rule labeled Don't save settings on exit.
As with the East Wing OU, we need to remove the North Wing OU's ability to edit the Registry, and prevent access to the command prompt. On the left column, click the folder labeled System and enable the rules labeled Prevent access to registry editing tools and Prevent access to the command prompt.
We wish to limit our North Wing OU users' ability to run the built-in games that ship with Windows. Enable the rule labeled Don't run specified Windows applications and click the Show button. We must now add the applications that we wish to restrict. It is in this dialog box that we see that Windows has still not shed its DOS heritage. For example, if we want to restrict access to the Solitaire application, we cannot simply type solitaire. Instead, we must add the actual application name, which is sol.exe. To block access to the Windows games, click the Add button and enter the names of each game, one at a time. The current list of games is as follows:
bckgmz.exe
chkrzm.exe
freecell.exe
hrtzzm.exe
mshearts.exe
pinball.exe
rvsezm.exe
shvlzm.exe
sol.exe
spider.exe
winmine.exe
In addition, we need to block Windows 2000 users from running MSN Messenger. To do this, add msnmsgr.exe to the list of restricted applications.
Get Info | How do you find the actual name of an application to which you wish to restrict access? In Windows Explorer, right-click the application and choose Properties. The Target field contains the actual path to your application, and the actual name of the application. |
Oh, yes, friends; we must test all of this. You never know when some GPOs may have unexpected results, and a good administrator always tests the system to avoid problems.
Log into your Windows XP or 2000 Professional system as a member of the Accounting group. For this example, we use Mr. Mac N. Tosh's username of macn.
Open Windows Explorer (or My Computer) and view the listing of available drives. Notice that the floppy drives are absent, as we chose to hide these from members of this OU.
Insert a floppy disk into drive A or B (if you have a B drive). In the Windows address bar, type either A: or B: and hit the Enter key on the keyboard. Windows displays a warning message:
Access to the resource 'a:' (or 'b:') has been disallowed
This is expected behavior, as we blocked access to these two drives.
On the Windows XP Professional client only, insert a recordable CD (CD-R or CD-RW) and try to burn data to it. Windows denies this, per our settings in the GPO.
On either Windows XP or 2000, insert a CD containing any software installers. Try to install the software. You are either greeted with a dialog asking for an administrator username/password, or the installation appears to work but then fails abruptly. This is per our settings in our GPO, which is configured to deny any software installations via any removable media.
Recall that we restricted access to Windows Messenger/MSN Messenger. To test this on Windows XP systems, click Start, point to All Programs, and click Windows Messenger. It does not launch, as per our GPO. On Windows 2000, click Start, point to Programs, and click MSN Messenger. Windows presents you with an error message stating that the specified application is restricted.
On both Windows XP and 2000 systems, verify that the Start Menu contains a Log Off menu.
On both XP and 2000 systems, verify that the Run command is absent from the Start Menu.
On both XP and 2000 systems, move the Windows Taskbar to either side of the screen, or to the top of the screen. Log out, and log back in. The taskbar is repositioned at the bottom of the screen. This satisfies our condition to not save certain settings upon user logout.
As with our East Wing OU, ensure that the command prompt and registry editor are not functional on the test systems.
Test that the games shipped with Windows do not work on your test systems. For Windows XP, the games are located on the Start Menu -> All Programs -> Games. On Windows 2000, they are located on the Start Menu -> Programs -> Accessories -> Games. In either case, Windows warns you that the programs are restricted and cannot be run.
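The GUI tests for the East Wing and North Wing GPOs can be backed by reading the per-user registry values that these Administrative Template settings write when they apply. The PowerShell audit below is an added example, not part of the tutorial; it assumes a domain-joined client that has PowerShell (the tutorial's Windows 2000/XP clients predate it, so run it on a later client in the same OU, or query the same keys with reg.exe), logged on as the test user (mkin or macn).

```powershell
# Added audit script, not part of the tutorial. Run it on a domain-joined
# client while logged on as the test user (mkin for East Wing, macn for North
# Wing). It reads the per-user registry values that the User Configuration
# settings enabled above write, so the GUI checks can be confirmed in one pass.
$Pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # $null when the key or value is absent, i.e. the setting was Not Configured or did not apply
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function ConvertFrom-DriveMask {
    param([int]$Mask)
    # NoDrives and NoViewOnDrive are bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:.
    # The GUI choice "Restrict A and B drives only" therefore writes 3.
    $letters = 0..25 | Where-Object { $Mask -band [int][math]::Pow(2, $_) } |
               ForEach-Object { [string][char](65 + $_) + ':' }
    $letters -join ' '
}

# Setting name as shown in the Group Policy Object Editor, backing key/value, expected data.
$Checks = @(
  @{ Setting = 'Remove Add or Remove Programs';            Key = "$Pol\Uninstall"; Name = 'NoAddRemovePrograms';  Want = 1 },
  @{ Setting = 'Remove Run menu from Start Menu';          Key = "$Pol\Explorer";  Name = 'NoRun';                Want = 1 },
  @{ Setting = 'Prevent access to the command prompt (scripts still allowed)'
     Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD'; Want = 2 },
  @{ Setting = 'Prevent access to registry editing tools'; Key = "$Pol\System";    Name = 'DisableRegistryTools'; Want = 1 },
  @{ Setting = 'Hide these specified drives (A and B)';    Key = "$Pol\Explorer";  Name = 'NoDrives';             Want = 3 },
  @{ Setting = 'Prevent access to drives (A and B)';       Key = "$Pol\Explorer";  Name = 'NoViewOnDrive';        Want = 3 },
  @{ Setting = 'Remove CD Burning features';               Key = "$Pol\Explorer";  Name = 'NoCDBurning';          Want = 1 },
  @{ Setting = 'Prevent removable media source for any install'
     Key = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableMedia'; Want = 1 },
  @{ Setting = 'Do not allow Windows Messenger to be run'
     Key = 'HKCU:\Software\Policies\Microsoft\Messenger\Client'; Name = 'PreventRun'; Want = 1 },
  @{ Setting = 'Add Logoff to the Start Menu';             Key = "$Pol\Explorer";  Name = 'ForceStartMenuLogOff'; Want = 1 },
  @{ Setting = "Don't save settings on exit";              Key = "$Pol\Explorer";  Name = 'NoSaveSettings';       Want = 1 },
  @{ Setting = "Don't run specified Windows applications"; Key = "$Pol\Explorer";  Name = 'DisallowRun';          Want = 1 }
)

foreach ($c in $Checks) {
    $got   = Get-PolicyValue -Key $c.Key -Name $c.Name
    $state = if ($null -eq $got) { 'NOT SET' } elseif ($got -eq $c.Want) { 'OK' } else { "UNEXPECTED ($got)" }
    if ($got -and ('NoDrives', 'NoViewOnDrive') -contains $c.Name) {
        $state += ' (' + (ConvertFrom-DriveMask $got) + ')'
    }
    '{0,-62} {1}' -f $c.Setting, $state
}

# The blocked program names (sol.exe, winmine.exe, ...) live as numbered string
# values under a DisallowRun subkey; list them to compare against the game list above.
$run = Get-ItemProperty -Path "$Pol\Explorer\DisallowRun" -ErrorAction SilentlyContinue
if ($run) {
    $names = $run.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    'Blocked applications: ' + ($names -join ', ')
}
```

A setting reported as NOT SET for a user who should receive the GPO usually means the policy has not refreshed yet or the user's account is not in the OU the GPO is linked to; a UNEXPECTED value points at a conflicting GPO applied higher in the domain.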
Congratulations! You have now set up three different Group Policy Objects and applied them to three different OUs!
Now that we have three GPOs applied to three different OUs, we shift our attention to the entire domain. Suppose that you have several global settings that you wish to apply to all objects in the domain. You could create a GPO with those settings and apply it to each object in the domain, one at a time. But this adds more work for both you (because you must apply the GPO to each OU in the domain) and the server (because it must process each GPO on each object in the domain). But, as your teacher in elementary school always told you, there is a better way. Recall that GPOs are similar to NTFS and network share permissions in that all children under them inherit their attributes. So if we apply a GPO to the highest point on the domain, all objects in the domain inherit this GPO's settings.
In Active Directory Users and Computers, the highest point in a domain is the domain itself. In this tutorial, we create a simple GPO that does two things:
Brands Internet Explorer with our company's name
Brands Internet Explorer with our company's logo
Before we even start to think about creating a new GPO for these purposes, we need to create a common sharepoint on the server that will store our custom logo artwork.
Create a new shared folder inside our shares directory and name it public . Assign it the following permissions ( Note: for more information on creating shared folders and setting permissions, see Chapter 3 ):
Network share permissions:
Administrators: Full Control
Everyone: Read Only
NTFS file permissions:
Administrators: Full Control (already inherited from parent)
Everyone: Read & Execute, List Folder Contents, and Read
Inside this new share, create a folder and name it logos .
In your favorite paint program, create two graphics and save them in 256-color Windows Bitmap (.BMP) format. They must have the following dimensions (measured in pixels):
22 x 22
38 x 38
You don't need to get too elaborate, as this is just a test. For our example here, we used the following pictures:
Name each picture 22x22.bmp and 38x38.bmp according to each picture's size. Place them in the public folder you created in step 1.
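Before pointing the GPO at the two bitmaps, it is worth confirming that they really are 256-color Windows bitmaps of exactly 22x22 and 38x38 pixels, since Internet Explorer silently ignores logos that do not match. The PowerShell check below is an added example, not part of the tutorial; it reads the BMP header directly and assumes the files sit at the UNC paths used later in this section (\\DC01\public\logos\...), DC01 being the tutorial's domain controller.

```powershell
# Added check, not part of the tutorial: confirm each logo is a Windows bitmap
# with the dimensions and color depth the Custom Logo setting expects.
# Assumed paths: the UNC locations the tutorial points the GPO at.
function Test-LogoBitmap {
    param([string]$Path, [int]$Side)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : file not found" }
    $b = [IO.File]::ReadAllBytes($Path)
    # BITMAPFILEHEADER opens with the magic bytes "BM"; BITMAPINFOHEADER follows at offset 14,
    # with width (int32) at 18, height (int32) at 22 and bits per pixel (uint16) at 28.
    if ($b.Length -lt 30 -or $b[0] -ne 0x42 -or $b[1] -ne 0x4D) {
        return "$Path : not a Windows bitmap"
    }
    $width  = [BitConverter]::ToInt32($b, 18)
    $height = [Math]::Abs([BitConverter]::ToInt32($b, 22))   # negative height means top-down rows
    $bpp    = [BitConverter]::ToUInt16($b, 28)
    $problems = @()
    if ($width -ne $Side -or $height -ne $Side) { $problems += "is ${width}x${height}, expected ${Side}x${Side}" }
    if ($bpp -ne 8) { $problems += "$bpp bits per pixel, expected 8 (256 colors)" }
    if ($problems.Count -eq 0) { "$Path : OK" } else { "$Path : " + ($problems -join '; ') }
}

Test-LogoBitmap -Path '\\DC01\public\logos\22x22.bmp' -Side 22
Test-LogoBitmap -Path '\\DC01\public\logos\38x38.bmp' -Side 38
```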
Open Active Directory Users and Computers. In the left column, right-click guinea.pig and choose Properties.
Click the Group Policy tab. Notice that we already have a GPO in place titled Default Domain Policy. Create a new GPO and title it Internet Explorer title and logo GPO. Double-click the new GPO.
The Group Policy Object Editor appears, which should be quite familiar by now. Under the User Configuration item in the left column, expand the folder titled Windows Settings. Now expand Internet Explorer Maintenance and click the folder labeled Browser User Interface.
On the right column, double-click the folder labeled Browser title.
The Browser Title window appears. This window allows us to append our company's name to the Internet Explorer title bar. Place a check in the box labeled Customize Title Bars and enter Guinea Pig, Inc. in the text field. Once this GPO is activated, anyone in our domain who opens Internet Explorer will see the words Microsoft Internet Explorer Provided by Guinea Pig, Inc. printed at the top of all Internet Explorer title bars. Click OK.
In the right column, right-click the folder labeled Custom Logo. The Custom Logo window appears. This window allows us to place our newly created logos in the upper right corner of the Internet Explorer window. Place a check in the box labeled Customize the static logo bitmaps.
We now need to point the GPO to the locations of each of our logos, both the 22x22 and 38x38 .bmp files. We do not want to give the files' local location, but instead the full network path location. Click the Browse button and navigate to each .bmp file's location. For example, the location of the 22x22 .bmp file is:
\\DC01\public\logos\22x22.bmp
The location of the larger 38x38 .bmp file is:
\\DC01\public\logos\38x38.bmp
When you have the correct network path information entered, your window should appear similar to this:
When you finish entering the path information, click OK. Close the Group Policy Object Editor, and close the guinea.pig Properties dialog box.
This new GPO is now applied to the entire domain. This means that no matter what user logs in, he or she gets our modified Internet Explorer settings.
Using any user account, log into the domain with your Windows 2000 or XP system and open Internet Explorer. Notice the title bar and the static logo in the upper right corner of the Explorer window. Our example appears as such:
Remember that since this special GPO is applied at the domain level, all child objects within the domain receive its settings. This means that no matter what user logs in to the domain, he or she will have the same, consistent Internet Explorer appearance.
Get Info | Microsoft offers extensive tools for creating and customizing your Internet Explorer experience through its Internet Explorer Administration Kit ( IEAK ). For more information, go to microsoft.com and do a search for IEAK. |