Set up a Central ‘PolicyDefinitions’ Store (for ADMX files)

KB ID 0001339 

Problem

We have had ADMX files for group policies for ages now; they are the successor to the older ADM files. They only really trip you up if you have something unusual to do (like rolling out LAPS or Forefront, or customising Office deployments).

In most cases you will want a central store in your Windows domain, so the clients can see the ADMX files (and ultimately enforce the policies within them).

 

Solution

You probably already have ADMX files on your Windows clients/servers; look in C:\Windows\PolicyDefinitions. If you install any new ADMX files, they get put in this folder on your local machine (or domain controller).

Do you already have a central PolicyDefinitions store? It’s easy to find out; from any domain joined machine, open the following path;

[box]\\{Your-Domain-Name}\SYSVOL\{Your-Domain-Name}\Policies[/box]

If there’s a PolicyDefinitions folder already there, half your work has been done for you!

Copying Files to the Central PolicyDefinitions Store

ADMX files are usually accompanied by an ADML file. While the ADMX files live in the PolicyDefinitions folder, the ADML files are ‘locale specific’: if you look in your PolicyDefinitions folder you will see a sub folder for your ‘locale’. Below you can see mine is en-US (English US); your ADML files will live in here.

IMPORTANT: As you can see (below), I’ve navigated to the PolicyDefinitions folder ON A DOMAIN CONTROLLER, at the following path;

[box]C:\Windows\SYSVOL\sysvol\{Your-Domain-Name}\Policies[/box]

DON’T try and copy the folder (or the ADMX and ADML files) to the network path of SYSVOL, or you ‘may’ get permission errors (see the error below).

You can simply copy the entire PolicyDefinitions folder across if it does not already exist, or copy individual ADMX/ADML files (to the folder locations outlined above).

Now on your domain controller, Administrative Tools > Group Policy Management Console, create a new policy (or edit an existing one). If you are set up correctly you should see this;

If something is wrong you will see this;

Copying PolicyDefinitions and ADMX/ADML Files: Access Denied

If this happens, you need to ensure you are NOT trying to copy folders or files to the network path of the SYSVOL folder. Open the LOCAL path to the SYSVOL folder directly on a domain controller.
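The same procedure scripted in PowerShell, as an added example that is not part of the original article: it checks for an existing central store, refuses to run anywhere but a domain controller, copies via the LOCAL sysvol path, and then checks that every ADMX file has a matching ADML for your locale (a missing ADML is a common reason the Administrative Templates node throws errors). Paths and the locale are derived from the machine it runs on; nothing here is specific to a particular domain.

```powershell
# Added example (not from the article): populate the central PolicyDefinitions
# store from the local C:\Windows\PolicyDefinitions, using the LOCAL sysvol path
# (copying over the \\domain\SYSVOL share is what can give Access Denied).
# Run from an elevated PowerShell on a domain controller.
$cs           = Get-CimInstance Win32_ComputerSystem
$Domain       = $cs.Domain
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$LocalStore   = "$env:SystemRoot\SYSVOL\sysvol\$Domain\Policies\PolicyDefinitions"
$Source       = "$env:SystemRoot\PolicyDefinitions"
$Locale       = (Get-Culture).Name   # e.g. en-US; ADML files belong in this sub folder

# Is there a central store already? (this part works from any domain joined machine)
if (Test-Path $CentralStore) {
    "Central store already exists: $CentralStore"
} else {
    "No central store yet; it will be created at $LocalStore"
}

# Only a domain controller has the local sysvol path (DomainRole 4 = backup DC, 5 = primary DC).
if ($cs.DomainRole -lt 4) {
    throw "Run this on a domain controller; $LocalStore only exists there."
}

# ADMX files go in the store root, ADML files in the locale sub folder.
New-Item -ItemType Directory -Path (Join-Path $LocalStore $Locale) -Force | Out-Null
Copy-Item -Path (Join-Path $Source '*.admx')         -Destination $LocalStore -Force
Copy-Item -Path (Join-Path $Source "$Locale\*.adml") -Destination (Join-Path $LocalStore $Locale) -Force

# Check: every ADMX needs a matching ADML for your locale, otherwise the Group
# Policy editor reports errors when it loads the Administrative Templates node.
$Missing = Get-ChildItem -Path $LocalStore -Filter *.admx |
    Where-Object { -not (Test-Path (Join-Path $LocalStore "$Locale\$($_.BaseName).adml")) } |
    Select-Object -ExpandProperty Name
if ($Missing) {
    Write-Warning "ADMX files with no $Locale ADML: $($Missing -join ', ')"
} else {
    "Central store populated: $((Get-ChildItem $LocalStore -Filter *.admx).Count) ADMX files, locale $Locale"
}
```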

Related Articles, References, Credits, or External Links

NA

VMware View – Using Persona Management

KB ID 0000615 

Problem

Persona Management is the VMware version of “Roaming Profiles” and “Redirected Folders” rolled into one, though the redirected folders bit is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.

It’s handy if you’re using floating pools but still want your users to have a persistent user interface. Having these files centrally makes them easier to back up, and the more your users can customise their desktops and settings, the better their level of equipment husbandry.

Solution

Create a “Roaming Profile” Network share with the correct permissions

1. On a network accessible server, create a folder and set the SHARE permissions as follows;

Share Permissions

Everyone = Read. Domain Users = Full Control.

Note: You may also want to DISABLE Caching on this folder.

2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;

Security / NTFS Permissions

Creator Owner (Subfolders and Files Only) = Full Control. Domain Users (This Folder Only) = List Folder/Read Data and Create Folders/Append Data. System (This Folder, Subfolders and Files) = Full Control. Everyone = No Permissions.

Note: I’m using domain users, you might have a different security group that you want to substitute.
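Steps 1 and 2 scripted in PowerShell, as an added example that is not from the article or from VMware. It assumes Windows Server 2012 or later (for New-SmbShare), an elevated prompt on the file server, and the constructed path and share name shown; swap the group for your own as the note suggests.

```powershell
# Added example (not from the article or VMware): create the profile share with
# the share and NTFS permissions from steps 1 and 2. Assumes Windows Server 2012
# or later (SmbShare module) and an elevated prompt on the file server.
$Path      = 'D:\Shares\Profiles'             # constructed example path
$ShareName = 'Profiles$'                      # constructed example name (hidden share)
$Group     = "$env:USERDOMAIN\Domain Users"   # substitute your own security group here

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Step 1: share permissions (Everyone = Read, Domain Users = Full Control) and,
# per the note, offline caching disabled on the share.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' `
             -FullAccess $Group -CachingMode None | Out-Null

# Step 2: NTFS permissions via icacls. Inheritance flags:
#   (OI)(CI)     = this folder, subfolders and files
#   (OI)(CI)(IO) = subfolders and files only
#   no flags     = this folder only
# Rights: F = Full Control, RD = List Folder/Read Data, AD = Create Folders/Append Data.
$Grants = @(
    'SYSTEM:(OI)(CI)F',             # System: full control on everything
    'CREATOR OWNER:(OI)(CI)(IO)F',  # a user gets full control of the profile folder they create
    "${Group}:(RD,AD)"              # users can list the root and create their own folder, nothing else
)
foreach ($g in $Grants) { icacls $Path /grant $g | Out-Null }
icacls $Path /inheritance:r | Out-Null   # now drop the inherited ACEs (Users, Everyone etc.)

# "Everyone = No Permissions" is satisfied by not granting Everyone anything.
# Check the result; expect exactly the three entries above.
icacls $Path
```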

3. Make sure that the machines that you will be using as view targets, have the View Persona Management option selected (this is selected by default).

Configure Windows 7 to be a VMware View Desktop

4. You need to get the administrative template for Persona Management. You will find it on your VMware Connection Server in the following location;

[box] C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles [/box]

Locate the ViewPM.adm file and copy it to a domain controller.

5. Create a new group policy that is linked to the OU containing your View machines.

6. Edit the policy > Expand Computer Configuration > Policies > Administrative Templates > Right Click > Add/Remove Templates > Add in the ViewPM.adm template.

7. Navigate to;

[box] Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management [/box]

8. In the roaming and Synchronisation Section > Manage user persona > Set to Enabled > Next Setting.

9. Enable > Enter the shared folder you created earlier > Next Setting.

10. Enabled (to remove local cached copies of the profile).

11. Enabled to roam the local folder > That’s all I’m going to configure in this branch of the policy.

Persona Management Folder Redirection

12. Navigate to;

[box] Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management > Folder Redirection [/box]

Here you will find the folders that can be redirected to a central location.

13. For example, here I’m redirecting the users “My Documents” folder.

14. And their “My Pictures” folder.

15. Make sure you have a pool created, and your users have an ‘entitlement’ to it. These machines will also HAVE TO be in the OU your policy is applying to.

Creating a ‘Manual Pool’ and Connecting a View Client

Deploying Linked Clone View Desktops

16. Now when your users connect to their View Desktops.

17. Their user profile will be persistent.

18. Because their settings are stored in your profile shared folder.

Note: Persona Management will store the profile in username.domainname format. The V2 on the end denotes that the profile is for Windows 7 or Vista. If users swap between these OSs and any older Windows OS, they will get a separate profile for those as well. If this is the case, rely on the folder redirection rather than the profile.

Related Articles, References, Credits, or External Links

NA

Windows – Stop “Do you trust this printer?” Message

KB ID 0000508 

Problem

While setting up a new printer you might see this message on the screen. If you are manually installing a printer that’s fine, but if you are scripting the printer installs you DON’T want all your users to see this popping up on their screens; it makes them flap, and then they will ring you up.

Printers
Do you trust this printer?
Windows needs to download and install software from the {print server name} computer to print to {printer name}. Proceed only if you trust the {print server name} computer on the network.

So, using group policy, let’s turn this off.

Solution

1. Go to your domain controller. Start > Administrative Tools > Group Policy Management Console > either create a new policy and link it to your domain (or required OUs), or edit an existing policy.

2. Edit the policy and navigate to:

[box]Computer Configuration > Policies > Administrative Templates > Printers[/box]

3. Locate the “Point and Print Restrictions” policy and set it to enabled with the following settings:

When installing drivers for a new connection = Do not show warning or elevation prompt

When updating drivers from an existing connection = Do not show warning or elevation prompt

4. This is also set in user policy so now navigate to:

[box]User Configuration > Policies > Administrative Templates > Control Panel > Printers[/box]

5. Locate the “Point and Print Restrictions” policy and set it to enabled with the following settings:

When installing drivers for a new connection = Do not show warning or elevation prompt

When updating drivers from an existing connection = Do not show warning or elevation prompt

6. Apply the policies then close the policy editor. Then get the clients to reboot, wait a couple of hours, or manually run “gpupdate /force” on them.
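Both settings above suppress the prompt that tells a user a driver is being pulled from a print server, so a non-admin client will install drivers silently from whatever server it is pointed at unless the same policy’s server allow-list is also used. The following PowerShell, added here and not part of the original article, reads back what the policy actually wrote on a client after gpupdate; the registry value names are the documented ones for this policy, and the last field reports a later Windows change to the same key.

```powershell
# Added example (not from the article): report what the Point and Print
# Restrictions policy has written to the registry on a client, so you can see
# whether driver-install prompts are suppressed and for which print servers.
# Value names/meanings are the documented ones for this policy. Run on the client.
$InstallText = @{ 0 = 'Show warning and elevation prompt'; 1 = 'Do not show warning or elevation prompt' }
$UpdateText  = @{ 0 = 'Show warning and elevation prompt'; 1 = 'Show warning only'; 2 = 'Do not show warning or elevation prompt' }

function Describe($Map, $Value) {
    if ($null -eq $Value) { 'Not set (default: prompt)' } else { $Map[[int]$Value] }
}

function Get-PointAndPrintState {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)   # HKLM = Computer policy, HKCU = User policy
    $Key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
    if (-not (Test-Path $Key)) {
        return [pscustomobject]@{ Hive = $Hive; Configured = $false }
    }
    $v = Get-ItemProperty -Path $Key
    [pscustomobject]@{
        Hive               = $Hive
        Configured         = $true
        PolicyEnabled      = ($v.Restricted -eq 1)
        # "When installing drivers for a new connection"
        NewConnection      = Describe $InstallText $v.NoWarningNoElevationOnInstall
        # "When updating drivers for an existing connection"
        ExistingConnection = Describe $UpdateText $v.UpdatePromptSettings
        # Optional allow-list from the same policy ("Users can only point and
        # print to these servers"); if unset, drivers may come from any server.
        AllowedServers     = if ($v.TrustedServers -eq 1) { $v.ServerList -split ';' } else { '<any print server>' }
        # Added to this key by the 2021 print spooler updates: when 1 (or absent on
        # a patched client) non-admins need elevation to install drivers regardless
        # of the two prompt settings, so suppressing the prompts alone is not enough.
        AdminOnlyDriverInstall = ($v.RestrictDriverInstallationToAdministrators -ne 0)
    }
}

'HKLM', 'HKCU' | ForEach-Object { Get-PointAndPrintState -Hive $_ } | Format-List
```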

Related Articles, References, Credits, or External Links

NA

Outlook – Disable Cached Mode with Group Policy

KB ID 0000507

Problem

I got asked how to do this today; a client has a number of roaming users (teachers) who don’t like waiting for Outlook to create a local copy of the mailbox each time they log on. To be honest, as they have Exchange 2010 they would be better off using the feature-rich Outlook Web App (OWA) rather than the full client if they need to move around so much, but hey, I was asked.

Solution

1. To do this you need to use a custom administrative template; thankfully Microsoft have them pre-written, go here to download the administrative templates.

2. Download and extract the templates to your domain controller. Start > Administrative tools > Group Policy management console > either create a new policy and link it to your USERS or edit an existing policy.

3. Navigate to:

[box] User Configuration > Policies > Administrative Templates [/box]

Right click > Add/Remove Templates.

4. Add > Navigate to the folder where you extracted the templates > ADM folder > en-us folder (change depending on your locale) > Outlk14.adm > Open.

5. Now Navigate to:

[box] User Configuration > Policies > Administrative Templates > Classic Administrative Templates > Microsoft Outlook 2010 > Account Settings > Exchange > Cached Exchange Mode [/box]

Locate “Use Cached Exchange Mode for new and existing Outlook Profiles”

6. Set the policy to “Disabled” > Apply OK > Close the policy editor.

7. Then get the clients to log off and back on again, wait a couple of hours, or manually run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

NA

 

IE9 – Stop “Speed up browsing by disabling add-ons”

KB ID 0000466 

Problem

This morning my boss asked me “Why every time I open Internet Explorer does it ask me this?”

To which I replied, “I use Chrome so I don’t know, But I’ll find out.”

Solution

A brief internet search returned: just set the “Ask me later” to a nice long time. But that’s still not disabling it. If truth be known it’s a good thing, i.e. it is trying to be helpful and improve your browsing experience. But if you want to kill it altogether, here’s how.

On a single machine

1. When you installed/updated to IE9 it added some new policy templates; the one controlling IE9 is called inetres.admx.

2. That means we can control what IE9 does with a policy. Click Start and in the search/run box type gpedit.msc {enter}. The Group Policy Management window will appear.

3. Navigate to:

[box] Computer Configuration > Administrative Templates > Windows Components > Internet Explorer [/box]

Locate “Disable add-on performance notifications” and open it.

4. Enable the policy > Apply > OK > Exit the Policy Editor.

In a Windows Domain Environment

Note: On older domains (Server 2003 for example) you will need to download and import the administrative templates to manage these settings via group policy; you can download the template from Microsoft.

1. On your domain controller, Start > Administrative Tools > Group Policy Management Console > either create a new policy and link it to your targeted COMPUTERS, or edit an existing one, then navigate to:

[box] Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer [/box]

Locate the setting “Disable add-on performance notifications” and open it.

2. Enable the policy > Apply > OK > Exit the Policy Editor.

3. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

Remove “Speed up browsing by disabling add-ons” via Registry

I got emailed a question this weekend;

I too want to get rid of the IE9 – Stop “Speed up browsing by disabling add-ons” dialog but only having Vista Home Premium, your solution (using gpedit.msc) is not available. Also, I cannot add a Local Users and Groups snap-in to the Microsoft Management Console.

How can I get rid of this bloody annoying feature in IE9?

Kind regards

Brian

Answer

1. No problem, essentially the group policy editor is just changing registry entries anyway. On your machine: Start > In the Search/Run box type > Regedit {enter}

2. Navigate to;

[box] HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies [/box]

3. Create a NEW KEY called Ext > Within that key create a new DWORD (32 bit) value called DisableAddonLoadTimePerformanceNotifications and set its value to 1.

 

4. If your machine is 32 bit then you have finished.

How to Tell if Windows is 32 or 64 bit

5. For 64-bit machines, you also need to do the same as above with the following registry key:

[box] HKEY_LOCAL_MACHINE > SOFTWARE > Wow6432Node > Microsoft > Windows > CurrentVersion > Policies [/box]

Note: If that’s too much hassle, download and run one of these reg files (32-bit or 64-bit).
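The registry change from the answer above as a PowerShell function, added here and not part of the original article. It uses the key and value the answer gives, adds the Wow6432Node copy on 64-bit Windows, refuses to run from a 32-bit shell on a 64-bit OS (where registry redirection would send both writes to Wow6432Node), and offers a -Restore switch to put things back.

```powershell
# Added example (not from the article): apply or undo the registry value from the
# answer above, including the Wow6432Node copy on 64-bit Windows. Run elevated.
function Set-IEAddonNotification {
    param([switch]$Restore)   # -Restore deletes the value, bringing the prompt back

    # A 32-bit PowerShell on 64-bit Windows sets PROCESSOR_ARCHITEW6432 and has its
    # HKLM\SOFTWARE writes redirected to Wow6432Node, so insist on a 64-bit shell.
    if ($env:PROCESSOR_ARCHITEW6432) {
        throw 'Run this from the 64-bit PowerShell, not the (x86) one.'
    }

    $Name = 'DisableAddonLoadTimePerformanceNotifications'
    $Keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext')
    if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
        # on 64-bit machines the same value is also needed under Wow6432Node
        $Keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext'
    }

    foreach ($Key in $Keys) {
        if ($Restore) {
            if (Test-Path $Key) {
                Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
            }
            "$Key : value removed"
            continue
        }
        # create the Ext key if it is missing, then the DWORD (32-bit) value = 1
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        # read it back so the result is visible
        "$Key : $Name = " + (Get-ItemProperty -Path $Key -Name $Name).$Name
    }
}

Set-IEAddonNotification             # disable the "Speed up browsing" prompt
# Set-IEAddonNotification -Restore  # undo the change
```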

 

Related Articles, References, Credits, or External Links

Original article Written 20/06/11

Thanks to Brian Jones