09 April 2012

Active Directory User GPO

These are settings for an Active Directory User GPO (Group Policy Object), covering roaming profiles, folder redirection, remote access, UAC and a few user-experience settings.

Note: it is good practice to split group policies into different (logical) objects, e.g. one for roaming profiles, one for remote access, etc. Here I have kept it all in one object to avoid confusion: separate objects can conflict, and then it is hard to know where a setting is. Your requirements may be different.

Create a User Profile GPO:
Group Policy Management/Domains/[Domain name]; right click and select “Create a GPO in this domain and Link it here”. Call it “User Profiles” or something relevant.
In the GPO: Computer Configuration/Policies/Administrative Templates
  • System: Verbose vs normal status messages: Enabled
  • System/User Profiles:
    • Add the Administrators security group to roaming user profiles: Enabled
    • Set roaming profile path for all users logging onto this computer: \\[FileServer]\Users$\%username%\profile
      NB: this is where roaming profiles are actually implemented; alternatively it can be done in the user object. I like to do it here so it can be overridden on a per-machine basis, e.g. disabled on a server.
User Configuration
  • Policies/Windows Settings/Folder Redirection
    • Enable “Basic - Redirect everyone’s folder to the same location” for all folders except AppData
    • Set Target folder location to “Create a folder for each user under the root path”
    • Set Root Path to: \\[servername].[domain name]\Users$
  • Policies/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page: Site to Zone Assignment List. Add file://*.[domain name] and assign it to the Local intranet zone (zone value 1), so that browsing file shares within the domain is not blocked by Internet Explorer zone restrictions.

User Settings GPO
I also like to set up a few settings to ensure a better user experience.
The following are under Computer Configuration, Policies:
  • Remote access on:
    • Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile: Windows Firewall: Allow inbound Remote Desktop exceptions: Enabled. Enter an IP restriction, e.g. a specific IP address or "localsubnet", rather than leaving it open to all addresses.
    • Windows Settings/Security Settings/Local Policies/User Rights Assignment:
      • Allow log on through Remote Desktop Services (named Allow log on through Terminal Services on older versions): add a group, e.g. Domain Users
      • Allow log on locally: add a group, e.g. Domain Users (you also have to add the (local) Administrators group).
  • UAC off: Windows Settings/Security Settings/Local Policies/Security Options, User Account Control:
    • Behaviour of the elevation prompt for administrators in Admin Approval Mode: Elevate without prompting
    • Detect application installations and prompt for elevation: Disabled
    • Only elevate UIAccess applications that are installed in secure locations: Disabled
    • Run all administrators in Admin Approval Mode: Disabled
  • Start-up sound off: Administrative Templates/System/Logon: Turn off Windows Startup sound: Enabled.

User Configuration:
  • Policies/Administrative Templates
    • Control Panel/Display/Desktop Themes: Windows Classic (enable but leave the theme blank).
    • Desktop/Desktop: Disable Active Desktop (disallows HTML and JPG wallpaper).
    • System/User Profiles: Limit profile size: Max Profile size set to 30 GB (30,000,000 KB). NB this doesn’t actually limit the size but rather just displays a message.
      NB: I have since turned this off as I found the process ‘proquota.exe’ was hogging my system.
    • System/Logon: Run these programs at user logon: I have added a .bat file to delete downloads older than 7 days, to avoid them taking up too much space. I created it in \\[Server]\NETLOGON\DeleteDownloads.bat
  • Preferences
    • Windows Settings/Drive Maps: set up any drive maps you need.
    • Control Panel Settings/Folder Options/General: Hide extensions for known file types: Disabled
You can apply the updated Group Policy locally by running cmd.exe as administrator and then running gpupdate on the machine whose policies you wish to refresh.
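One way to write such a logon script, added here as an example (it is not the author's DeleteDownloads.bat). It assumes Windows Vista/7 or later, where forfiles.exe exists, and it resolves the Downloads folder from the User Shell Folders registry value so that a folder redirected to the file server (as configured above) is found rather than the local C:\Users\[name]\Downloads:

```batch
@echo off
rem DeleteDownloads.bat (example, not the author's script).
rem Deletes files in the user's Downloads folder last modified more than
rem DAYS days ago. Intended to run from NETLOGON as a logon program.
setlocal
set "DAYS=7"
set "TARGET="

rem Look up the real Downloads location (FOLDERID_Downloads) so a redirected
rem folder is handled; reg query prints: <name> <type> <data>, hence tokens=2,*
for /f "tokens=2,*" %%a in ('reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "{374DE290-123F-4565-9164-39C4925E467B}" 2^>nul ^| find "{374DE290"') do set "TARGET=%%b"

rem The value is REG_EXPAND_SZ and may still contain %USERPROFILE%; expand it.
if defined TARGET call set "TARGET=%%TARGET%%"
rem Fall back to the default local location if the lookup failed.
if not defined TARGET set "TARGET=%USERPROFILE%\Downloads"

rem Trailing backslash makes "exist" test for a directory, not a file.
if not exist "%TARGET%\" (
    echo Downloads folder not found: "%TARGET%"
    exit /b 0
)

rem /s recurses, /d -N selects items modified N or more days ago.
rem @isdir is TRUE/FALSE; only files are deleted, sub-folders are left alone.
rem @path is already quoted by forfiles. 2>nul hides "no files found".
forfiles /p "%TARGET%" /s /d -%DAYS% /c "cmd /c if @isdir==FALSE del /q /f @path" 2>nul
endlocal
exit /b 0
```

Test it first with `echo @path` in place of `del /q /f @path` to list what would be removed, since the logon script runs silently in the user's context.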
