
Group Policy Settings (part 1) - Managing User Profiles with Group Policy & Logon and Startup Scripts

6/9/2011 9:30:23 AM
There are thousands of Group Policy settings that can be configured for users and computers. There's no way that we'll cover them all, and that's not the goal in this section.

One of the goals of this book is to cover the objectives in the 70-685 and 70-686 exams. Thus, in this section I've used these objectives as a guide to help determine what Group Policy settings to include. The settings included in this section are

  • Managing Profiles

  • Logon And Startup Scripts

  • Deploying An Application

1. Managing User Profiles with Group Policy

As a reminder, a local profile is created on a system when a user logs on. Normally the profile is created from the Default Users profile, and then, as the user makes changes to the environment, the user's profile is modified to retain these changes.

If a roaming profile is used, the profile is retrieved from a server and copied down to the client's computer. Changes are copied back to the server when the user logs off unless the profile is configured as a mandatory profile. When a mandatory profile is used, changes can be made locally, but the changes are not copied back to the server, and the next time the user logs on, the local profile is again overwritten by the mandatory profile.

Figure 1 shows the User Profiles node, which includes several settings that can modify the default behavior of user profiles. You can access these settings from Computer Configuration => Policies => Administrative Templates => System => User Profiles.

Figure 1. Group Policy User Profiles node

These are some of the key User Profile settings in this node:


Delete User Profiles Older Than A Specified Number Of Days On System

This can be useful to reclaim space consumed by older profiles. If this setting isn't enabled, older profiles will remain on the system until they're manually deleted by an administrator.


Delete Cached Copies Of Roaming Profiles

Roaming profiles are downloaded to the local system each time a user logs on. When a user logs off, the changes are uploaded. This setting will cause the local version of the profile to be deleted each time the user logs off.


Only Allow Local User Profiles

This can be used to prevent the use of roaming profiles on specific computers.


Set Roaming Profile Path For All Users Logging Onto This Computer

This allows you to set the roaming profile path for all users logging onto the computer. This is much more efficient than setting the roaming profile on a per-user basis using Active Directory Users and Computers.


Prevent Roaming Profile Changes From Propagating To The Server

This setting is similar to creating a mandatory profile because the profile cannot be changed. When a user logs off, changes to the profile are not merged to the server, so when the user logs on again, they have the same profile each time.

Some of the User Profiles settings in the User Configuration node can also be used to modify the default behavior. These are located in the User Configuration => Policies => Administrative Templates => System => User Profiles node.


Exclude Directories In Roaming Profile

When this setting is enabled, you can list the directories that should not be included in the roaming profile. This can be used to limit the size of the profile and the amount of bandwidth needed to download it.


Limit Profile Size

Because the profile includes the Documents folders, it can become large. This setting allows you to set a maximum size of either local profiles or roaming profiles. You can include a custom message to the user when the maximum size has been exceeded.

2. Logon and Startup Scripts

You can use Group Policy to run scripts automatically on computers. You have the option of configuring the scripts to run during one of the following four events:

  • User logon

  • User logoff

  • Computer startup

  • Computer shutdown

One of the common ways a script is used is to show a logon banner. Logon banners are often used to remind users of acceptable usage policies or other security-related policies. As an example, the following script could be used to show a message box when a user logs on:

msgbox "Usage of this computer is subject to monitoring at all times." & vbcrlf & vbcrlf & "If you aren't an employee of Acme corporation you shouldn't be using this computer. Log off now.", vbExclamation, "Usage Policy"

You can create this script in Notepad. You should enter it as a single line with no carriage returns and save it with a .vbs extension. The msgbox Visual Basic script command creates a message box, and this script creates the message box shown in Figure 2.

Figure 2. Script result

The first set of text (up to Log off now) identifies what will be displayed as the text. The & vbcrlf string represents a carriage return and line feed to start a new line; vbExclamation indicates that the warning triangle with an exclamation point icon should be included. The last set of text, Usage Policy, is used as the title of the message box.

You can also configure messages that will be presented when users attempt to log on with the Interactive Logon: Message Text For Users Attempting To Log On and Interactive Logon: Message Title For Users Attempting To Log On Group Policy settings. These are available in the Computer Configuration => Windows Settings => Security Settings => Security Options node.



Exercise: Configuring a Logon Script

  1. Launch Notepad by clicking Start, typing in Notepad, and pressing Enter.

  2. Enter the following text in Notepad:

    msgbox "Usage of this computer is subject to monitoring.", vbInformation, Time


    vbInformation will display an information icon, and Time is a variable that will display the current time.

    (If you cut and paste this from the book's PDF file, the copied quote characters will cause this to fail. Delete the quotes and retype them within the Notepad document.)

  3. Press Ctrl+S to save the file. Browse to a location on your hard drive where you can save the file. You can name it whatever you like but you must save it with the .vbs extension.

  4. Launch Windows Explorer and browse to the location of the script you created. Double-click it to ensure it runs, and correct the script if there are any typos preventing it from running successfully.

  5. Right-click the script and select Copy. You will paste this into another folder in a later step.

  6. Launch the Group Policy Management console and expand the domain.

  7. Right-click the Default Domain Policy and select Edit.

  8. Browse to the User Configuration => Policies => Windows Settings => Scripts (Logon/Logoff) node.

  9. Right-click Logon and select Properties. Click Show Files. Right-click within the Windows Explorer window, and click Paste to paste your script into this folder. Close Windows Explorer.

  10. Click Add. Click Browse. Select the script you pasted into this folder and click Open. Click OK, and your display will look similar to the following graphic.



  11. Click OK and close all open windows. At this point, each time a user logs on to the domain, this script will run and display the message box.


Although this exercise showed how a basic script can be created and configured to run when a user logs on, you can use the same procedure to configure any scripts to run. When it comes to scripting, there are almost no limitations. If you can't accomplish a task another way, you can almost always accomplish it with a script.

It is possible to have more than one script configured to run for any of the four events (logon, logoff, startup, and shutdown). By default, multiple logon and logoff scripts will run simultaneously, though you can change this with Group Policy.

In contrast, multiple startup and shutdown scripts are configured to run synchronously by default, but you can also change this. When scripts are configured to run synchronously, a script will not start until the previous script has completed.

In addition, with Windows 7 and Windows Server 2008 R2, you can include PowerShell scripts with Group Policy. Figure 3 shows the GPMC with the Logon Properties page and the PowerShell scripts selected. This looks the same in the Logon, Logoff, Startup, and Shutdown Group Policy Properties pages.

Figure 3. Configuring PowerShell scripts via Group Policy

One difference with PowerShell scripts is that you can configure whether PowerShell scripts should be run first or last. This can be useful if multiple scripts are running and they conflict with one another.
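
To review what a GPO will actually run at logon, logoff, startup, or shutdown, the added example below (not from the book) parses the contents of a GPO's scripts.ini file and lists each script in run order, flagging any that are stored outside the GPO folder. It assumes the usual scripts.ini layout and location described in the comments; the function name ConvertFrom-GpoScriptsIni and the sample content are constructed for illustration.

```powershell
# Added example (not from the book): list what a GPO's scripts.ini will run.
# Assumed format: [Logon]/[Logoff]/[Startup]/[Shutdown] sections holding
# <n>CmdLine= and <n>Parameters= pairs, where <n> is the run order.
function ConvertFrom-GpoScriptsIni {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Text)

    $section = $null
    $found = @{}                        # "Section|n" -> entry object
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -and $line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $index = [int]$Matches[1]; $field = $Matches[2]; $value = $Matches[3]
            $key = "$section|$index"
            if (-not $found.ContainsKey($key)) {
                $found[$key] = New-Object psobject -Property @{
                    Event = $section; Order = $index; CmdLine = ''; Parameters = ''
                }
            }
            $found[$key].$field = $value
        }
    }
    $found.Values |
        Sort-Object Event, Order |
        Select-Object Event, Order, CmdLine, Parameters,
            @{ Name = 'OutsideGpoFolder'   # absolute or UNC path: review its ACLs
               Expression = { $_.CmdLine -match '^(\\\\|[A-Za-z]:\\)' } }
}

# Constructed sample content. Assumption: the real file sits in the GPO's
# User\Scripts (or Machine\Scripts) folder, one level above the Logon
# folder that the Show Files button opens.
$sample = @'
[Logon]
0CmdLine=banner.vbs
0Parameters=
1CmdLine=\\fileserver.example\scripts\mapdrives.cmd
1Parameters=/quiet
[Logoff]
0CmdLine=cleanup.vbs
0Parameters=
'@

ConvertFrom-GpoScriptsIni -Text $sample | Format-Table -AutoSize
```

Because the exercise links its script to the Default Domain Policy, every entry listed for that GPO runs for each user who logs on to the domain, so write access to those script files deserves the same scrutiny as edit rights on the GPO itself.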
