Using GPOs to Configure and Tune Desktops
Living without Registry ‘Hacks’
Ron Oglesby @RonOglesby
NOT A UNIDESK COMMERCIAL
Copyright © 2010 Unidesk Corporation. All Rights Reserved. www.unidesk.com
Gabe asked about golf carts
Agenda
- Why use GPOs?
- Policy Basics
- Policies Vs Preferences
- Desktop Configurations
- ADMs and ADMX/ADMLs
- Tools you can use as you venture into GPOs

Why do we hack the registry?
- Tune the OS
- Set defaults
- Hide things from users
- Others…

But is a hack a policy?
- Policies can be used for more than just registry changes
Why use GPOs and Not Reg hacks???
Documentation….
How do you remove this spoiler?
Without opening the trunk?
What do GPOs TYPICALLY get used for?
- Windows Settings like folder redirection
- Hiding icons and Windows options
- Configuring browser settings
- Setting permissions? Sometimes
- Configuring Office or other app settings…
- Adding Users.. Occasionally.
Login Times and the default profile????
Common tasks in tuning the VDI image?
- Add and modify local security accounts (at times)
- Disable / reconfigure Services
- Tune the local OS parameters
  - File System, desktop display, TCP parameters, etc, etc
- Tune the user profile (like Menu show delay)
- Configure applications (like IE)
- Sometimes even create folders and move items like tools into the image
Policy Basics
GPO Processing and Trigger events
GPUPDATE /FORCE

Trigger | Policy Processing Type | What is Processed
Computer Restart | Foreground | Computer-specific Group Policy
Computer Shutdown | Foreground | Computer-specific Group Policy (specifically, shutdown scripts)
User Logon | Foreground | User-specific Group Policy
User Logoff | Foreground | User-specific Group Policy (specifically, logoff scripts)
On Domain Controllers: every 5 mins | Background | User (if user is logged on) and computer-specific policy
On Member Servers and Workstations: every 90 mins | Background | User (if user is logged on) and computer-specific policy
Policy Basics
Computer Config vs User Config
Policy Basics
Policy Vs Preferences…..
Policy Basics
- Preferences added in Win 2008
- Allow for SIMPLE config of numerous settings
- No Templates needed!

Policy Templates
- Traditionally known as Policy ADMs (ADMX now)
- Set the options you see in the GPOs
- Often created by the App vendors or industrious System Engineers
ADM files are TXT files
CLASS xxx - User or Machine
CATEGORY xxx - Major heading. “Windows Update”
  KEYNAME xxx “Software\Microsoft\Office\12.0\Outlook”
  POLICY xxx - name of Policy shown in GPO editor
    VALUENAME xxx - Registry entry we are changing
  END POLICY
END CATEGORY
ADM file Example
CLASS MACHINE
CATEGORY !!Reader
  POLICY !!Checkforupdatesatstart
    KEYNAME "Software\Adobe\Acrobat Reader\9.0\AVGeneral"
    EXPLAIN !!Checkforupdatesatstart_Help
    VALUENAME "bCheckForUpdatesAtStartup"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY
ADM vs ADMX
- ADMX are the ‘new’ ADM
- XML based
- Policies/operative section of the policy are contained in ADMX
- ADML are language specific files
- Not stored in individual policies, can be stored in 1 central location in enterprise environments
- Will (by default) supersede existing ADM files (Inetres.adm, system.adm, etc) or can be created to supersede an existing ADM
ADMX file sample comparison
<categories>
  <category name="Reader" displayName="$(string.Reader)" />
</categories>
<policies>
  <policy name="Checkforupdatesatstart" class="Machine" displayName="$(string.Checkforupdatesatstart)" explainText="$(string.Checkforupdatesatstart_Help)" presentation="$(presentation.Checkforupdatesatstart)" key="Software\Adobe\Acrobat Reader\9.0\AVGeneral" valueName="bCheckForUpdatesAtStartup">
    <parentCategory ref="Reader" />
    <supportedOn ref="SUPPORTED_NotSpecified" />
    <enabledValue>
      <decimal value="1" />
    </enabledValue>
    <disabledValue>
      <decimal value="0" />
    </disabledValue>
  </policy>
</policies>

Group Policy Samples from Microsoft:
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=3D7975FF-1242-4C94-93D3-B3091067071A&displaylang=en
Building your own?
- Start with ADM files if you haven’t already.
- Then convert them w/ the ADM to ADMX converter
- The hardest part is not building the text file…. It’s finding the registry keys
Ron’s rules for Policies Vs Preferences…
When to use a policy
- Something that the user may have access to but I don’t want them to change
  - IE security, connectivity, or application settings
When to use a preference
- When I set a default setting that they may change
  - IE default start page or default short cuts on the desktop
- When I want to change a registry setting that they do not have a GUI to change
  - Default user screen saver, machine settings like NTFS last access time stamp, etc.
Policy Preference Options
Create
- Create the object (reg entry, drive mapping, etc, etc)
- Will do nothing if the entry/object already exists
Replace
- Delete existing setting (if it exists) and create a new object
Update
- Modification of an existing object
- Will create if it does not exist
Delete
Preference Common Settings
Preference WARNINGS
- These are like defaults NOT Policies….
- These can tattoo the machine
  - Newer policies do not tattoo. That was a benefit of getting away from some of the old school NT type policies
  - Registry changes made via Preferences can leave a tattoo after removal of policy UNLESS you counter/remove the VM from having the policy apply.
  - Other changes (Directories, User/group modifications or additions) also stick
- Preferences are basically like your image “HACK” but with management….
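
Added example, not from the original slides: a small Python audit that parses ADM text like the Reader template shown earlier and flags every policy whose KEYNAME falls outside Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies, the subtrees Windows clears when a GPO stops applying, so anything else tattoos as the warning above describes. The ExampleManaged policy and ExampleVendor key are hypothetical, and nested categories are not tracked.

```python
# Subtrees (HKLM or HKCU, per CLASS) Windows clears when a GPO stops applying; other keys tattoo.
MANAGED_PREFIXES = ("software\\policies\\",
                    "software\\microsoft\\windows\\currentversion\\policies\\")

# Constructed sample: the slides' Reader policy (trimmed) plus a hypothetical managed-key policy.
SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!Reader
  POLICY !!Checkforupdatesatstart
    KEYNAME "Software\Adobe\Acrobat Reader\9.0\AVGeneral"
    VALUENAME "bCheckForUpdatesAtStartup"
  END POLICY
  POLICY !!ExampleManaged
    KEYNAME "Software\Policies\ExampleVendor\App"
    VALUENAME "DisableFeature"
  END POLICY
END CATEGORY
'''

def audit_adm(text):
    """Return one dict per POLICY block: class, policy, key, value, tattoos."""
    results, cls, cat_key, cur = [], None, None, None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith(";"):   # blank line or ADM comment
            continue
        word = parts[0].upper()
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if word == "CLASS":
            cls = arg.upper()
        elif word == "POLICY":
            cur = {"class": cls, "policy": arg.lstrip("!"), "key": cat_key, "value": None}
        elif word == "KEYNAME" and cur is None:
            cat_key = arg                # category-level key, inherited by policies
        elif word == "KEYNAME":
            cur["key"] = arg
        elif word == "VALUENAME" and cur is not None:
            cur["value"] = arg
        elif word == "END" and arg.upper() == "POLICY" and cur is not None:
            key = (cur["key"] or "").lower().rstrip("\\") + "\\"
            cur["tattoos"] = not key.startswith(MANAGED_PREFIXES)
            results.append(cur)
            cur = None
        elif word == "END" and arg.upper() == "CATEGORY":
            cat_key = None               # simplification: nested categories not tracked
    return results

if __name__ == "__main__":
    print(*audit_adm(SAMPLE_ADM), sep="\n")
```
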
So let’s look at how you can do this in a Policy
Windows 7 Services Examples
- Desktop Window Manager Session manager
- Disk Defragmenter
- Diagnostic Policy Services
- IP helper (if no IPv6)
- Security Center
- Superfetch
- Themes Service (classic interface)
- Windows Defender
- Windows Search
- Windows Update
http://www.vmware.com/files/pdf/VMware-View-OptimizationGuideWindows7-EN.pdf
Demo
Windows Settings Examples
- Recycle Bin – Do not move files to recycle bin
- Screen saver (XP disable .default screen saver, Win7 Blank)
- Disable System Restore
- UAC settings
- Windows Update disabled
- Tune the file system (last access time stamp, 8.3 file names, etc)
- Remove Tablet PC components (or disable services)
Project VRC Phase III – www.projectvrc.nl
Demo
User Tuning?
- Focus on HKCU
- IE and other application settings
- Graphics/video settings
- Customer templates are out there and check out PolicyPak.com
Demo
Finding the Registry Entry
- GOOGLE http://lmgtfy.com/
- RegSnap/Registry Monitoring Tools
- Good old fashion digging and guessing!
- My Favorite: SysTracer http://www.blueproject.ro/systracer
You didn’t convince me Ron!
- Windows Enabler
  - http://www.bluemoonpcrepair.com/wp/?p=39
  - http://www.wincert.net/tips/microsoft-windows/windows-7/2109-how-to-copy-a-user-profile-on-windows-7.html
- Pierre’s VUEM - VirtuAll User Environment Manager http://www.virtualdesktops.info/Products.aspx
  - Login scripts, User configs, Printer configs, registry values, Port mapping, and File and folder operations.
Where to start?
GPAnswers.com http://www.gpanswers.com/resources/gp-tips-and-tricks.html
PolicyPak.com http://policypak.com/
Off 2007 Policy Templates http://www.microsoft.com/downloads/en/details.aspx?FamilyID=92d8519a-e143-4aee-8f7a-e4bbaeba13e7&displaylang=en
Off 2010 Policy Templates http://www.microsoft.com/downloads/en/details.aspx?FamilyID=64B837B6-0AA0-4C07-BC34-BEC3990A7956&displaylang=en
Using GPOs to Customize XenApp http://support.citrix.com/proddocs/index.jsp?topic=/online-plugin-110-windows/ica-import-icaclient-template-v2.html
IE 9 Preferences not working? http://blogs.technet.com/b/asiasupp/archive/2011/03/30/internet-explorer-9-ie9-group-policy-preferences-gpp.aspx
XenApp Blog’s XenApp and XenDesktop Policies http://www.xenappblog.com/downloads/
ADM/Xs and Policy references?
Microsoft ADM to ADMX migrator? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0F1EEC3D-10C4-4B5F-9625-97C2F731090C
Group Policy Settings References from MS? http://www.microsoft.com/downloads/en/details.aspx?FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb
Group Policy ADMX Syntax Guide: http://technet.microsoft.com/en-us/library/cc753471(WS.10).aspx
Group Policy Survival Guide http://technet.microsoft.com/en-us/library/cc754151(WS.10).aspx
Managing with ADMX files http://technet.microsoft.com/en-us/library/cc709647(WS.10).aspx