Enable RDP via Group Policy

KB ID 0000043

Problem

Rather than enabling on an ad-hoc basis, you want to turn on RDP for multiple machines via Group Policy.

Solution

Group Policy Location

To simply enable RDP, change the following policy;

[box]

Computer Configuration > Admin Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections

[/box]

Locate and change the “Allow users to connect remotely using Remote Desktop Service” policy.

Allow RDP on the Windows Firewall with Group Policy

Navigate to the following policy;

[box]

Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules

[/box]

Right click > New Rule > Change Predefined to “Remote Desktop” > Next > Next.

Allow the connection > Finish.

Allow users to connect via RDP through Group Policy

Any member of the machine’s ‘Remote Desktop Users’ group can log on via RDP. If you have a lot of machines you can create a global security group in Active Directory (mine, below, is called SG-Remote-Desktop-Users) and add it to every computer’s local ‘Remote Desktop Users’ group using ‘Restricted Groups’.

Navigate to the following policy;

[box]

Computer Configuration > Windows Settings > Security Settings > Restricted Groups

[/box]

Right click > Add Group > Browse > Add your group > In the LOWER (This group is a member of) section click Add > Type in Remote Desktop Users > OK > OK.

2008 RDP Policy Location

Computer Configuration > Policies > Administrative Templates > Windows Components > Terminal Services > Terminal Server > Connections.

“Allow users to connect remotely using Terminal services”

To enable Remote Desktop, click Enabled.

To disable Remote Desktop, click Disabled.

2000/ 2003 RDP Policy Location

Computer Configuration > Administrative Templates > Windows Components > Terminal Services.

“Allows users to connect remotely using Terminal services”

To enable Remote Desktop, click Enabled.

To disable Remote Desktop, click Disabled.


Related Articles, References, Credits, or External Links

Original article written 17/07/09

Deploying Printers with Group Policy Preferences

KB ID 0000492

Problem

I’ve touched on this briefly in KB0000389; I suggest you read through that first so you understand the requirements for deploying a GPP instead of the GPOs you are probably used to.

Solution

1. The first thing to do is install the printer that needs deploying on a print server. If your clients are NOT x64, make sure you also add the x86 drivers for them to use.

How to tell if a machine is x86 (32 bit) or x64 (64 bit).

2. The following is a “Gotcha” (especially on HP printers), on the Printer Properties page, General tab > Select “Print Processor” > Ensure it’s set to winprint and RAW.

3. On a domain controller, Start > Administrative Tools > Group Policy Editor > Either edit an existing policy or create a new one (remember it’s a computer policy, so you need to link it to something with computers in it; if you link it to a users’ OU nothing will happen).

4. Give the policy a sensible name.

5. Edit the policy you have just created.

6. Navigate to > Computer Configuration > Preferences > Control Panel Settings > Printers > In the right hand window, right click > New > TCP/IP Printer.

7. Select Create > I prefer to use the IP address of the printer but you can use the DNS name if you wish > The Local Name is what the client will see > Enter the Path to the printer (In UNC format) > You can also enter a location and comment if you wish > Apply > OK.

8. All being well you should see the printer listed.

9. Now for another “Gotcha” in the same policy navigate to > Computer Configuration > Policies > Administrative Templates > Printers > Locate the “Point and Print Restrictions” policy.

10. Change the settings for this policy so that it is disabled.

11. Close the Policy editor, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.


Related Articles, References, Credits, or External Links

Server 2008 Group Policy Preferences and Client Side Extensions

Delete Local ‘Cached’ Copies of User Profiles with Group Policy

KB ID 0000602 

Problem

I have a client who manages the network at a school. They wanted to stop the profiles of their users being cached, in either the C:\Documents and Settings or C:\Users folder (depending on the version of Windows and the profile the users were using).

Solution

1. Log into a domain controller or a machine running the RSAT tools, Start > Administrative Tools > Group Policy Management > Either edit an existing group policy, or create a new one that is linked to your COMPUTERS.

2. If creating a new policy, give it a sensible name > OK.

3. Edit the relevant policy.

4. Navigate to;

[box]Computer Configuration > Policies > Administrative Templates > System > User Profiles[/box]

Locate and edit “Delete User Profiles older than a specified number of days on system restart”.

5. Enable the policy and set it to 1 (24 hours) > Apply > OK.

6. Then edit the “Delete cached copies of roaming profiles” and enable that policy. (This will stop the copies caching locally as the user logs on) > Apply > OK.

7. Close the policy editor. Then get the clients to reboot, wait a couple of hours, or manually run “gpupdate /force” on them.

Related Articles, References, Credits, or External Links

NA

Disable ‘Offline Files’ with Group Policy

KB ID 0000779

Problem

You want to disable the ‘offline files feature’ for caching network files and folders. Note: In Windows XP this was called CSC (Client Side Caching).

Solution

1. On a domain controller Start > Administrative Tools > Group Policy Management Console.

2. Navigate to where you want to create your policy, or edit an existing one.

3. Navigate to;

[box]

Computer Configuration > Administrative Templates > Network > Offline Files

[/box]

4. Locate the “Allow or Disallow use of the Offline Files feature” policy. Set it to Disabled > Apply > OK > Close the policy editor.


Related Articles, References, Credits, or External Links

NA

Disable Internet Explorer Welcome Screen

KB ID 0000175

Problem

On a home PC, the welcome screen is not so bad, but in a corporate environment where users move round a lot, this popping up every time you log onto a new machine can get quite annoying.


Solution

You have two options,

Option 1: The simplest way in a domain is to disable it via group policy. You can find the relevant group policy at Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent performance of First Run Customize Settings.

Set to “Enabled”, then set what you want the browser to do > Apply > OK.

Option 2: You can do this via registry key as well (on a user by user basis). Simply save the following as remove-welcome.reg and run it on the machine in question.

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main]
"DisableFirstRunCustomize"=dword:00000001

[/box]


Related Articles, References, Credits, or External Links

NA


Defining / Locking and Managing Proxy Settings

KB ID 0000181 

Problem

If you have a proxy server at your corporate/home location, then there are a few methods you can use to ensure that your clients use it. Before you start running through this, remember that if you have a proxy server, it’s common sense that your firewall/router will block web access for your clients and only allow the proxy server (and any other servers/machines that need direct web access) out. If you are forcing your users out through one machine, for either caching, URL filtering, monitoring usage or just because it’s part of your corporate security strategy, then locking down Internet access around the proxy server should be your first consideration.

Once that’s done you can install your proxy and deploy the settings to the client PCs.

Solution

How you do this depends on your circumstances.

It’s a single stand-alone machine. (Option 1)

To manually configure one machine, simply open Internet Explorer (other browsers are also available) Tools > Internet Options > Connections > Tick “Use a proxy server for your LAN” > Enter the IP address of the proxy server > Enter the port number > Tick “Bypass proxy server for local addresses” (if you have web servers on your local network) > OK > OK > restart Internet Explorer.

It’s a single stand-alone machine. (Option 2)

Optionally you can set the proxy with local policy – this is preferable if lots of people use the same computer and you don’t want to configure each user separately. Click start > In the search/run box type gpedit.msc {enter}

The Group Policy Editor window will open > Navigate to User Configuration > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.

Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick Do not use proxy server for local (intranet) addresses, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).

Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.

It’s a single stand-alone machine. (Option 3)

You can also set the proxy options by directly editing the registry (Warning editing the registry can cause earthquakes and lead to teenage pregnancy!). Click start > In the search/run box type regedit {enter}.

Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The values that look after your proxy settings are:

ProxyEnable: set 0 for disabled and 1 for enabled.
ProxyOverride: set <local> to bypass the proxy for local addresses (Note: you can also add domains, separated by a semicolon ;, that you don’t want to use the proxy for).
ProxyServer: sets the IP address and port, e.g. 192.168.99.1:808 (Note: this value WON’T BE THERE if a proxy has never been set; you will need to create it as a new string value (REG_SZ)).

Or you can simply run the following .reg file

[box]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyOverride"=""
"ProxyServer"="192.168.99.1:808"

[/box]

It’s On a Network with DHCP

You can lease proxy settings with your DHCP scope; it’s known as DHCP option 252.

To add Option 252 to a Server 2008 DHCP scope, on the server click Start > Administrative Tools > DHCP > Expand your server name > Right click IPv4 > Select Set Predefined Options.

In the Predefined Options and Values dialog box, click Add > In Name type WPAD > In Code, type 252 > In Data type, select String, and then click OK > In String, type http://192.168.99.1:808/wpad.dat (change as appropriate).

Then you need to add that option to your existing scope > Expand the scope > Right click Server Options > Select Configure Options > Advanced > Scroll down to option 252 and select it > Apply > OK.

Now you need to create a wpad.dat file (simply create it in notepad) and serve it from the URL you entered above.

Sample wpad.dat file (simply change the URLs and port numbers as applicable).

[box]

function FindProxyForURL(url, host)
{
    // Strings to return: go via the proxy, or connect directly
    var proxy_yes = "PROXY 192.168.99.1:808";
    var proxy_no = "DIRECT";

    // Sites that should never go through the proxy
    if (shExpMatch(url, "http://www.petenetlive.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://www.dont_want_to_proxy.com*")) { return proxy_no; }
    if (shExpMatch(url, "http://192.168.99.5*")) { return proxy_no; }
    if (shExpMatch(url, "https://subdomain.dont_want_to_proxy.com*")) { return proxy_no; }

    // Proxy if the PC is on the local LAN, otherwise go direct
    if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
        return proxy_yes;   // the variable, not the string "proxy_yes"
    else
        return proxy_no;
}

[/box]

Once that’s done you need to allow .dat as a MIME extension on your IIS server > Start > Administrative Tools > Internet Information Services (IIS) Manager > Select the server name > Select MIME Types.

In the right hand column > Click Add > Put in the file extension as .dat and the MIME Type as “application/x-ns-proxy-autoconfig” > OK.

Then either reboot or run “iisreset /restart”.

It’s on a Windows Domain

You can set the proxy settings for your USERS (Note: it’s a user policy so it CAN’T be applied to computers). On your server click Start > Administrative Tools > Group Policy Management > Right click your domain (if you want the policy to apply at domain level) > Select Create a GPO in this domain and link it here > Give it a sensible name > OK.

Right Click your new Policy and select Edit > Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Connection > Proxy Settings.

Note: In modern domains this policy has been removed, see the following article;

Managing IE Settings via GPO


Double click proxy settings > Tick Enable Proxy settings > Enter the IP address(es) > Enter the Port(s) > Tick “Do not use proxy server for local (intranet) addresses”, (If you have web servers on your local network). > Apply > OK > Close the policy editor > Reboot. (or run gpupdate /force).

Note: Using this method a technically savvy user can simply get into the settings and change them in the browser – to stop this happening you can hide the tab that displays the proxy settings.

My users complain that their laptops don’t work when they go home since I set the proxy?

Well, that’s to be expected: while at home they can’t see your proxy server. Some companies like this, as it stops their users surfing the internet from their home internet connection; for others it is a big problem. There are essentially three ways to solve it. 1) Send out your proxy settings via DHCP; then while your users are off site they won’t get any proxy settings (see above). 2) Use the script I wrote (below); this can be applied via policy (local or domain), or simply put in the startup folder of your users’ laptops. 3) Use a “Proxy.pac” file to auto-configure the clients’ proxy settings.

How it works: the script pings an IP address on your corporate network that is always on (in this case the router). If it gets a reply, the machine must be on the corporate network, so the script enables the proxy server; if it gets no reply, the machine is not connected to the corporate network and the script turns the proxy off.

[box]

::-----------------------Begin Script------------------------------------
@ECHO OFF
:: Check LAN connectivity: FIND returns 0 only if a reply line containing "TTL" was seen

PING 192.168.99.254 | FIND "TTL" > NUL
IF NOT ERRORLEVEL 1 GOTO ON_LAN
GOTO OFF_LAN

:ON_LAN
::**************Proxy ON**************

:: Enable the proxy server (ticks the box "Use a proxy server for your LAN...")
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

:: Set the proxy (fills in the Address and Port values)
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d "192.168.99.1:808" /f

:: Set the "Bypass proxy server for local addresses" option - <local> ticks the box, each subsequent entry is an additional domain to bypass the proxy for
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /t REG_SZ /d "<local>;*.local;www.dontproxy.com" /f

GOTO END

:OFF_LAN
::**************Proxy OFF**************

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f

:END
::-----------------------End Script------------------------------------

[/box]

Or to use a proxy.pac file

1. Create a file on your PC in Notepad and call it proxy.pac; change the relevant network details, proxy IP address, and port number in the example below.

[box]

function FindProxyForURL(url, host)
{
if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0"))
return "PROXY 192.168.99.1:808";
else
return "DIRECT";
}
[/box]
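The wpad.dat sample earlier and the proxy.pac file in step 1 are both JavaScript that the browser runs with a small set of built-in helpers, so the logic can be tested before it is ever served to clients. The following is an added example, not code from the original article: a Node.js harness that re-implements shExpMatch, isInNet and myIpAddress, runs the article’s FindProxyForURL against a constructed set of URLs from an on-LAN and an off-LAN client address, and checks that every result is a well-formed PAC directive. The proxy address and bypass rules are the ones used in the article; the sample URLs, the simulated client addresses, and the helpers evaluatePac, isValidPacResult and setClientIp are this example’s own.

```javascript
// Added example, not code from the original article: an offline harness for
// testing a wpad.dat / proxy.pac file before serving it via DHCP option 252 or
// AutoConfigURL. Browsers provide shExpMatch, isInNet and myIpAddress; they are
// re-implemented here (plain Node.js, no dependencies) so the PAC logic can be
// exercised for both on-LAN and off-LAN clients.

// shExpMatch: shell-style glob, "*" matches any run of characters, "?" one.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Dotted-quad IPv4 to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + parseInt(o, 10), 0) >>> 0;
}

// isInNet: true when ip lies inside net/mask.
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

// myIpAddress normally returns the client's own address. The harness lets the
// caller set it (setClientIp is this example's own helper) so both branches of
// the PAC file can be tested from one machine.
let simulatedClientIp = "192.168.99.20";
function myIpAddress() { return simulatedClientIp; }
function setClientIp(ip) { simulatedClientIp = ip; }

// The article's wpad.dat logic, using the article's proxy 192.168.99.1:808.
// Note: return proxy_yes (the variable), not "proxy_yes" (a string literal).
function FindProxyForURL(url, host) {
  const proxy_yes = "PROXY 192.168.99.1:808";
  const proxy_no = "DIRECT";

  if (shExpMatch(url, "http://www.petenetlive.com*")) { return proxy_no; }
  if (shExpMatch(url, "http://www.dont_want_to_proxy.com*")) { return proxy_no; }
  if (shExpMatch(url, "http://192.168.99.5*")) { return proxy_no; }
  if (shExpMatch(url, "https://subdomain.dont_want_to_proxy.com*")) { return proxy_no; }

  // Proxy only when the PC is on the local LAN; otherwise go direct.
  if (isInNet(myIpAddress(), "192.168.99.0", "255.255.255.0")) { return proxy_yes; }
  return proxy_no;
}

// A PAC result must be "DIRECT" or a ";"-separated list of PROXY/SOCKS host:port
// entries; anything else (such as the literal "proxy_yes") is a bug in the file.
function isValidPacResult(result) {
  return result.split(";").map((s) => s.trim()).every(
    (s) => s === "DIRECT" || /^(PROXY|SOCKS[45]?) [\w.-]+:\d{1,5}$/.test(s)
  );
}

// Evaluate every URL from a given client address; returns { url: decision }
// and throws if the PAC file produced a malformed directive.
function evaluatePac(clientIp, urls) {
  setClientIp(clientIp);
  const decisions = {};
  for (const u of urls) {
    const d = FindProxyForURL(u, new URL(u).hostname);
    if (!isValidPacResult(d)) throw new Error(`malformed PAC result "${d}" for ${u}`);
    decisions[u] = d;
  }
  return decisions;
}

// Constructed sample URLs (not from the article) covering each rule.
const SAMPLE_URLS = [
  "http://www.petenetlive.com/kb/article",
  "http://www.example.com/",
  "https://subdomain.dont_want_to_proxy.com/login",
  "http://192.168.99.5/intranet",
];

console.log("On LAN :", evaluatePac("192.168.99.20", SAMPLE_URLS));
console.log("Off LAN:", evaluatePac("10.0.0.5", SAMPLE_URLS));
```

Run it with node and compare the two result sets: on the LAN only www.example.com goes via the proxy, off the LAN everything is DIRECT. Two things worth noticing when you adapt it: shExpMatch is a glob, so "http://192.168.99.5*" also matches 192.168.99.50 to 192.168.99.59 (end such patterns with a "/" or test the host with isInNet instead), and a misspelt return value such as the literal string "proxy_yes" is caught by isValidPacResult here, whereas in the field it silently produces a value no browser recognises as a proxy directive.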

2. Save the file in your C:\Windows\System32 directory.

3. On the client open Internet Explorer > Tools > Options > Connections > LAN Settings > Tick “Use an automatic configuration script” and enter the following

file://c:/windows/system32/proxy.pac

Note: this can be done with a registry file see below.

[box]

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="file://c:/windows/system32/proxy.pac"

[/box]

Note: This can be set in policy as well; the policy lives in User Configuration > Windows Settings > Internet Explorer Maintenance > Automatic Browser Configuration > Configure as below.

Related Articles, References, Credits, or External Links

NA

Deploy McAfee Anti Virus Via GPO

KB ID 0000057

Problem

Without ePO, deploying McAfee can be time consuming, and they go out of their way to hide the .msi file from you.

Solution

1. Assuming you have already downloaded the software from the NAI secure portal (you will need your agreement number), extract the files to your server and navigate to that folder at a command prompt. Issue a “setup /a” command.

2. Go and have a coffee.

3. Next.

4. Extract the files to a location from which you can deploy them to your client machines > Install.

5. The files will be created.

6. Finish.

7. Reboot.

8. Make sure the files are where they are supposed to be.

9. Share the folder you are distributing from.

10. Make sure the users have at least read and execute permissions.

11. On the DC Start > Run > dsa.msc {enter} Right click the domain (Or OU with the computers in) > Properties.

12. Group Policy Tab > New > Give it a sensible name > Edit.

13. Navigate to Computer Configuration > Software Settings > Right Click > New Package.

14. Remember to use the UNC path to the .msi file; DO NOT navigate to the local drive letter or the clients won’t be able to see it! > Open.

15. OK.

16. And there she is – close the group policy editor and all other open windows.

17. Remember your clients will need an update to get the latest virus definitions…..

18… Unless you wait till 17:00 hours or do them manually.

Related Articles, References, Credits, or External Links

NA