Yesterday I wrote a post about Deploying a ‘Mapped’ Drive to a couple of users using Group Policy. This received a comment that was basically ‘Why not simply use Client Targeting?’ To be fair that’s a good point, I was using a Group Policy Preference and they can be specifically targeted. So here’s how to do that.
Solution
If you do not already have one, create a group for your users.
Add the users, (as appropriate).
On a Domain Controller > Administrative Groups > Locate the OU that contains your users (Note: if your users are in multiple OU’s, then after you have created the policy simply ‘Link‘ it to the applicable OUs).
Edit the policy.
User Configuration > Preferences > Windows Settings > Drive Maps > New > Mapped Drive > Action = Create > Location = Set the UNC path to the mapped drive > Tick ‘reconnect’ > Label as ‘What you want the user to see it called’ > Select the drive letter you want.
Common tab > Select Item-level targeting > Targeting > New Item.
Security Group. (Look at all the other cool stuff you can specify to target this group policy preference!)
Group Policy Preferences (GPP) first came in with Server 2008 and were enhanced for Server 2008 R2, To be able to apply them to older Windows clients, you need to install the “Client side Extensions” (CSE), You can either script this, deploy with a group policy, or if you have WSUS you can send out the update that way. From windows 7 onwards they are already installed.
Solution : Group Policy Preferences
You may not have noticed, but if you edit or create a group policy anow, you will see there is a “Preferences” branch. Most IT Pro’s will have seen the addition of the “Policies” folder some time ago because it adds an extra level to get to the policies that were there before 🙂
OK Cool! What can you do with them?
1. Computer Preferences: Windows Settings
Environment: Lets you control, and send out Environment variables via Group Policy.
Files: Allows you to copy, modify the attributes, replace or delete a file (for folders see the next section).
Folder: As above, but for folders.
Ini Files: Allows you to Create, Replace, Update or Delete an ini file.
Registry: Allows you to Create, Replace, Update or Delete a Registry value, You can either manually type in the reference use a Wizard, or extract the key(s) values you want to send them out via group policy.
Network Shares: Allow you to Create, Replace, Update, or Delete shares on clients via group policy.
Shortcuts: Allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy.
2. Computer Preferences: Control Panel Settings
Data Sources: Allows you to Create, Replace, Update, or Delete, Data Sources and ODBC settings via group policy. (Note: there’s a bug if your using SQL authentication see here).
Devices: Lets you enable and disable hardware devices by type and class, to be honest it’s a little “clunky”.
Folder Options: Allows you to set “File Associations” and set the default programs that will open particular file extensions.
Local Users and Groups: Lets you Create, Replace, Update, or Delete either local users OR local groups. Handy if you want to create an additional admin account, or reset all the local administrators passwords via group policy.
Network Options: Lets you send out VPN and dial up connection settings to your clients, handy if you use PPTP Windows Server VPN’s.
Power Options: With XP these are Power Options and Power Schemes, With Vista and later OS’s they are Power Plans. This is much needed, I’ve seen many “Is there a group policy for power options?” or disabling hibernation questions in forums. And you can use the options Tab, to target particular machine types (i.e. only apply if there is a battery present).
Printers: Lets you install printers (local or TCP/IP), handy if you want all the machines in accounts to have the accounts printer. for further info see,
Scheduled Tasks: Lets you create a scheduled task or an immediate task (Vista or Later), this could be handy to deploy a patch or some virus/malware removal process.
Service: Essentially anything you can do in the services snap in you can push out through group policy, set services to disables or change the logon credentials used for a service. In addition you can set the recovery option should a service fail.
Drive Mappings: Traditionally done by login script or from the user object, but use this and you can assign mapped drives on a user/group basis.
Environment: As above lets you control and send out Environment variables via Group Policy, but on a user basis.
Files: As above. allows you to copy, modify the attributes, replace or delete a file (for folders see the next section), but on a user basis.
Folders: As above, but for folders on a user by user basis.
Ini Files: As above, allows you to Create, Replace, Update or Delete an ini file, on a user by user basis.
Registry: As above, allows you to Create, Replace, Update or Delete a Registry value, You can either manually type in the reference use a Wizard, or extract the key(s) values you want to send out via group policy, this time for users not computers.
Shortcuts: As Above, allows you to Create, Replace, Update, or Delete shortcuts on clients via group policy for users.
4. User Configuration: Control Panel Settings
All of the following options are covered above on “Computer Configuration”
Data Sources Devices Folder Options Local Users and Groups Network Options Power Options Printers Scheduled Tasks
Internet Settings: Using this Group Policy you can specify Internet Explorer settings/options on a user by user basis.
Regional Options: Designed so you can change a users Locale, handy if you have one user who wants an American keyboard.
Start Menu: Provides the same functionality as right clicking your task bar > properties > Start Menu > Customise, only set user by user.
Related Articles, References, Credits, or External Links
This question appeared in my inbox today, ‘Edge’ has a nasty habit of assigning itself the default PDF reader, particularly after a round of updates!
Solution
First I went and had a look at my old Experts Exchange Buddy Ramesh’s site (www.winhelponline.com) who had done the heavy lifting and worked out the registry keys;
Note: I’m only concerned with .pdf files, if you want to block .htm and/or .html files, then just repeat this process using the the REG_SZ values from above;
The solution for a single machine is to create the following two registry string values;
HKEY_CURRENT_USER\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723
REG_SZ Name = NoOpenWith
REG_SZ Name = NoStaticDefaultVerb
Then set the correct file associate like so;
Which is fine for one machine but what if you have hundreds of complaining users! Then we need to employ some Group Policies. But there’s a few hoops to jump though first. On your client machine, the one you have just tested the procedure on, export your file association to an XML file. Open an administrative command window, and execute the following command;
If you take a look at the a file you will see, (providing you did it right) the Adobe/PDF file association.
Now copy the file to a location all your domain clients can see, in my case I’m going to drop it in the sysvol directory.
Crete a new Group Policy linked to the computers you want to apply the change to, then edit it.
Navigate to;
[box]Computer Configuration > Policies> Administrative Templates > Windows Components > File Explorer > Set default associations configuration file >Enable > Put in the path to your .XML file[/box]
Save and exit the, group policy, now create a SECOND POLICY linked to your USERS.
Navigate to;
[box]User Configuration > Preferences > Windows Settings > Registry > New > Registry Item[/box]
Note: Ive already created the registry values on the machine I’m configuring the policy on, (you can export the key and import it on a domain controller to make things easier for you). Close and exit the policy editor.
This problem was originally identified by Microsoft here. But none of the fixes recommended by them were really practical in my clients situation.
I did read one promising post that said, if you disable offline file caching by GPO this problem would cease. However this particular client HAD TO have that feature enabled (for Ranger Offline).
Someone else had written a PowerShell script that ran through and changed the permissions on the offending file (see below), but what about new users?
Solution
I’ve got three options either, setup an FSRM screen and set it to remove the offending file, use a group policy preference, or add the following to the users login script (or run as a script with GPO);
Option 1 – Remove Desktop.ini with Group Policy Preference
1. This is the file in question ‘desktop.ini’, it changes the icon and display-name of the folder (on Windows Vista and newer). You will notice the actual name of the folder does not change (see the example I posted above), which you can see by turning on the filename column in Windows Explorer.
Note: desktop.ini is a system and a hidden file.
2. I’m creating a GPP to remove the desktop.ini file. On a domain controller Start > Administrative Tools > Group Policy Management Console > Navigate to where you want to create your policy, or edit an existing one > Navigate to;
[box]
User Configuration > Preferences > Windows Settings > Files[/box]
Select New > File > Action = Delete > Source Files N:desktop.ini > Tick ‘Suppress errors on individual file actions’ > Common Tab > Tick ‘Run in logged-on-users’s security context (user policy option)’ > Apply > OK.
3. It should now look like this.
Option 2 – Use a File Screen
1. You need to have the ‘file services’ role installed, open the ‘Server and Storage Management’ Snap-in > File Group > Create File Group > Give it a name > Add in desktop.ini > OK.
2. Right click ‘File System Templates’ > Create File Screen Template > Give it a name > Select Active Scanning > Tick desktop.ini > OK.
3. Right click ‘File Screen’ > Create File Screen > Browse to the volume or Folder > Select your file screen template > Create.
Locate and Remove ALL instances of Desktop.ini
Download and run this PowerShell Script to remove all instances of Desktop.ini from a folder and subfolders.
Related Articles, References, Credits, or External Links
I’ve briefly mentioned this before when I wrote about Group Policy Preferences so when I had to do this on-site this week, I jumped straight into the group policy management console, and found that because my ODBC connection was using SQL authentication (with the SQL sa account), this would NOT WORK, (it only works with Windows authentication and even then it needs a tweak). If you are using SQL authentication jump down to the bottom of the article.
Solution
NOTE: Below I’m dealing with user DSNODBC connections, so I’m looking at User Policies, if you want to send out Machine DSNODBC connections then you need to be looking at Computer Policies.
Deploy ODBC Settings via Group Policy Preferences (Windows Authentication)
The GPP is pretty easy to locate you will find it in;
[box]
User Configuration > Preferences > Control Panel Settings > Data Sources
OR
Computer Configuration > Preferences > Control Panel Settings > Data Sources
[/box]
However you will find there is a bug in the system which means it does not deploy.
ODBC Settings fail to Deploy via GPO
1. Locate the ODBC connection that you are trying to deploy > right click > Copy.
2. Right click your desktop and ‘paste’ > You will get an XML file > Open it with notepad > Delete the username and the cpassword information > Save the file.
3. Then delete the original ODBC file from your group policy.
4. Drag the XML file into the policy, in its place > Select ‘Yes’ to import it.
WARNING: Do not open its settings/properties from this point forward, or it will break again.
Getting ODBC Settings from a Clients Registry
1. You may wish to locate and extract the ODBC settings from a working client, you can locate the settings in a working client machines registry and simply export them so you can import them on a target machine, or deploy them via GPP or logon script.
[box]
User DSN's
Computer>HKEY_CURRENT_USER>Software>ODBC>ODBC.INI
Machine DSN's
Computer>HKEY_LOCAL_MACHINE>Software>ODBC>ODBC.INI
[/box]
2. Simply right click the key that corresponds to the ‘name’ of the ODBC connector that you wish to export, > right click > Export > Save.
Deploy ODBC Settings via Group Policy Preferences (SQL Authentication)
In this example I’ve merged the ODBC connection details into the registry, you could just as easily set them up manually, as long as they exist, either on the machine you are creating the policy on, or another machine you have ‘remote registry’ rights to.
I’ve touched on this briefly in KB0000389, I suggest you read through that first so you understand what the requirements are to deploy a GPP instead of the GPO’s you are probably used to.
Solution
1. First thing to do is install the printer that needs deploying on a print server. Make sure if your clients are NOT x64 bit that you also add the x86 drivers for your clients to use.
2. The following is a “Gotcha” (especially on HP printers), on the Printer Properties page, General tab > Select “Print Processor” > Ensure it’s set to winprint and RAW.
3. On a domain controller, Start > administrative tools > Group Policy Editor > Either edit an existing policy or create a new one (Remember its a computer policy you need to link it to something with computers in it, if you link it to a users OU nothing will happen).
4. Give the policy a sensible name.
5. Edit the policy you have just created.
6. Navigate to > Computer Configuration > Preferences > Control Panel Settings > Printers > In the right hand window, right click > New > TCP/IP Printer.
7. Select Create > I prefer to use the IP address of the printer but you can use the DNS name if you wish > The Local Name is what the client will see > Enter the Path to the printer (In UNC format) > You can also enter a location and comment if you wish > Apply > OK.
8. All being well you should see the printer listed.
9. Now for another “Gotcha” in the same policy navigate to > Computer Configuration > Policies > Administrative Templates > Printers > Locate the “Point and Print Restrictions” policy.
10. Change the settings for this policy so that it is disabled.
12. Close the Policy editor, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.
Related Articles, References, Credits, or External Links
Normal users probably won’t care, but if you’re in a corporate environment or a school for example, you might not want your users having access to the personal folder in their Start Menu. The video below runs though how to remove this option on a single machine and how to remove it with Group Policy Preferences (GPP).
Solution
Related Articles, References, Credits, or External Links