Typical Group Policies

  1. Printers: set policy to automatically deploy printers, then allow logon to trigger the deployment and set a default printer
    • Computer Configuration – Policies – Windows Settings – Printer Connections – Path = \\printserver\{printer_name}
    • Computer Configuration – Policies – Windows Settings – Administrative Templates – All Settings – User Group Policy loopback processing mode = enabled (mode: merge)
    • User Configuration – Preferences – Control Panel Settings – Printers – Share Printer (name: \\printserver\{printer_name}) – update – Common – Item Level Targeting – computers in OU…
  2. Printers: allow users to install drivers
    • Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these devices setup classes >> Enabled >> Device class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318}
    • User Configuration/Policies/Administrative Templates/Control Panel/Printers/Point and Print Restrictions
      •  User can only P&P to these servers => Disabled
      • User can only P&P to machines in their forest => Enabled
      • When installing drivers for a new connection => Do not show warning or elevation prompt
      • When installing drivers for an existing connection => Do not show warning or elevation prompt
  3. Allow users to change system time
    • Computer Configuration – Windows settings – security settings – local policy – user rights- change system time
  4.  Allow users to install software (Methods)
    • If PCs are Windows 7 Enterprise or above, use AppLocker in AD
    • If Network is protected by Enterprise Antivirus, use Endpoint Protection Manager
    • Local Administrators Option: create a group such as “LocalAdmins” >> add managers into that group >> Apply a new GP to correct OU >> Computer Configurations\Windows Settings\Security Settings\Restricted Groups >> add “Software Installers” as “Administrators” and “Remote Desktop Users”
    • If going the deployed software route: Users > Policy > Software Settings > Software installation then go New > Package… Select the Advanced option and then change the Deployment type to “Published”
  5. Password Policy
    • Computer Configuration – Policies – Windows Settings – Security Settings
  6. Disable some default Windows behaviors
    • Computer Configuration – Policies – Administrative Templates:
      • Don’t display the Getting Started welcome screen at logon – enabled
      • Disable showing the splash screen – enabled
      • Do not show First Use Dialog Boxes – Enabled
      • Prevent Quick Launch Toolbar Shortcut Creation – Enabled
      • Do not automatically start Windows Messenger – Enabled
      • Do not allow Windows Messenger to be run – Enabled
  7. Lock Control Panel (more restrictive)
    • User Configuration > Administrative Templates > Control Panel > double-click “Prohibit access to Control Panel and PC settings” > Enabled > OK
  8. Launch IE at startup with default Intranet
    • Lauch IE: User Configuration\Admin Templates\System\Logon\Run these Programs at logon > Enabled >Items to run at logon: click Show > value=iexplore.exe > OK > OK
    • Whitelist Intranet URL:
      • User Configuration\Preferences\Windows Settings\ > right-click Registry > New > Registry Item
        • Action: Update
        • Hive: HKEY_CURRENT_USER
        • Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{Intranet.net}\
        • Value name: http (and a second key for https)
        • Value type: REG_DWORD
        • Value data: 1 (base decimal)
      • Computer Configuration\Preferences\Windows Settings\Registry\http\Common
        • Stop processing items on this extension if an error occurs on this item No
        • Run in logged-on user’s security context (user policy option) No
        • Remove this item when it is no longer applied No
        • Apply once and do not reapply No
      • Repeat: Computer Configuration\Preferences\Windows Settings\Registry\https\General and Common
      • Repeat: User Configuration\Preferences\Windows Settings\Registry\{http|https}\{General|Common}
    • Set default home page of IE: User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > right-click “Disable changing home page settings” > Edit > Enabled > Home Page = {Intranet_url}

Leave a Reply

Your email address will not be published. Required fields are marked *