Windows – Stop the Welcome to Internet Explorer from launching via GPO

KB ID 0000459

Problem

If you’re logging on as a new user and Internet Explorer has not yet been run, then it wants to run the “Setup Windows Internet Explorer Wizard”.

On just one machine with one user that’s fine, but if you are logging in all over the place, with multiple credentials, this can get quite annoying. Also you might not want your domain users having to do this at all, for security reasons.

Solution

On a Single (stand alone) machine.

1. Click start and in the run/search box type gpedit.msc{enter}

2. Navigate to > Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent Running First Run wizard.

Note: In older versions of Windows it’s called ‘Prevent Performance of First Run Customize settings’.

3. If you enable the policy you can set it to either:

a. Go directly to home page.
b. Go to the “Welcome to Internet Explorer” Web page.

4. Reboot the PC or Force a Group Policy Refresh.

In a Windows Domain Environment

1. On one of your domain controllers > Start > Administrative Tools > Group Policy Management Console > Either select an existing policy or create and link one to the COMPUTERS you want this policy to affect. Then edit the policy.

2. Navigate to > Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Prevent Running First Run wizard.

Note: On older Windows platforms this is called ‘Prevent Performance of First Run Customize settings’.

3. If you enable the policy you can set it to either:

a. Go directly to home page.
b. Go to the “Welcome to Internet Explorer” Web page.

4. Reboot the PC or Force a Group Policy Refresh.

Related Articles, References, Credits, or External Links

Group Policy Preferences and Client Side Extensions

Prevent Users changing Desktop Wallpaper with Group Policy

KB ID 0000461 

Problem

If you need to lock down your client machines’ desktops and prevent your users from changing the wallpaper, then here’s a run through on how to do it.

Solution

1. On your domain controller , Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted USERS or edit an existing one, then navigate to;

[box] User Configuration > Administrative Templates > Control Panel > Personalization [/box]

Locate “Prevent Changing Desktop Background”.

2. Set the policy to enabled, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

3. Your users will no longer be able to select the “Desktop Background” link to change it.

4. If your users locate a picture on the internet they cannot select “Set as Background”.

5. If your users download a graphic and preview it, the option to “Set as desktop Background” is there but it no longer works.

My users can still “Set as Background” and “Set as desktop Background”

The above procedure works fine with Windows 7 and 2008, however some older versions of Windows still have access to these options. To fix that you need to lock active desktop then disable it.

If that’s the case, in addition to the above also do the following.

1. On the policy you edited above, navigate to;

[box] User Configuration > Administrative Templates > Desktop > Desktop [/box]

Locate “Desktop Wallpaper”.

2. Enable the policy > Set the wallpaper name to ??? (a value that does not exist) > Set the wallpaper style to Stretch.

3. On the policy you edited above, navigate to;

[box] User Configuration > Administrative Templates > Desktop > Desktop [/box]

Locate “Disable Active Desktop”.

4. Set it to enabled, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

NA

Remove the Recycle Bin Via Group Policy

KB ID 0000463 

Problem

You might ask “why would I want to do this?” But if your users do not have access to local drives, then nothing’s going to get put in the recycle bin anyway, so it’s one less thing they can fiddle with.

Solution

1. On your domain controller , Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted USERS or edit an existing one, then navigate to:

[box]User Configuration > Policies > Administrative Templates > Desktop[/box]

Locate the setting “Remove Recycle bin from the desktop”.

2. Set it to enabled.

3. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

Related Articles, References, Credits, or External Links

NA

Change the default Shutdown / Log Off Option via GPO

KB ID 0000465 

Problem

Out of the box, the default power option presented to your users is shutdown. People with multiple users on their machines, may prefer the log off option to be the default.

Note: You can also set the default option to:

Shutdown
Sleep
Log off
Lock
Restart
Switch User (Unless blocked by other policy then it will revert to shutdown).
Hibernate

 

Solution

1. On your domain controller , Start > Administrative Tools > Group Policy Management Console > Either create a new policy and link it to your targeted COMPUTERS or edit an existing one, then navigate to;

[box]
User Configuration > Policies > Administrative Templates > Start Menu and Taskbar
[/box]

Locate the setting “Change Start Menu power button”.

2. Edit to the required action, i.e. Log off.

3. Then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

 

Related Articles, References, Credits, or External Links

Thanks to Seb Cerazy for the feedback

Disable High Contrast with Group Policy / Disable Accessibility Options with Group Policy

KB ID 0000472 

Problem

A few weeks back I wrote about a client who was having problems with kids at his school launching the ease of access button from the login screen, and how I disabled the ease of access button.

High Contrast

After a site visit it seems that the “little darlings” had now worked out that by pressing “Alt+Shift+Print Screen” they could turn on high contrast. And this, which is obviously hilarious (once again), and annoying for their teachers, needs disabling.

As with the ease of access button, these options are designed for the disabled. So there is no mechanism for doing this. I had great fun working out how to do this via group policy.

Caveats

1. This uses Group Policy Preferences, so your domain needs to be at least 2008.

2. This assumes your clients are Windows 7. If your client OSs are earlier, you need to install the Client Side Extensions.

If you don’t have a 2008 domain, you can still disable these options via the registry, click here

If you want to import a Group Policy Object to do this, click here.

Solution

Disable Accessibility via Group Policy

Note: Creating the policy is VERY time consuming and soul destroyingly boring! I’ve pre-written it for you, download this file.

1. Once you have downloaded the file above, extract it to the desktop of your domain controller.

2. Launch the “Group Policy Management Console”.

3. Create a policy, and either link it to the domain or the OU that contains the users you want to enforce the policy on, (Or edit an existing policy).

4. Right click the policy you are working with, and select edit.

5. Right click the policy > Properties > Take note of the policy’s “Unique name”.

6. Now you need to locate the policy itself, click Start > in the search run box type:

[box]\\{your domain name}\sysvol\{your domain and extension}\policies[/box]

e.g. My test domain is domaina.com so the command I would use is \\domaina\sysvol\domaina.com\policies

7. Once there, locate and open the folder that has the same unique name as the policy you noted down in step 5. Within that folder open the “User” folder. Then from the file you extracted above copy the “Preferences” folder into the “User” folder.

So now your policy will look like:

{CFE1314E-A13B-4E31-9EC5-FD9028D21945} (Yours will have a different name!)
- Machine
- User
-- Preferences
--- Registry
---- Registry.xml

8. That’s you finished. If you want to see what the policy is doing, go back to the Group Policy Management Console > Edit the policy and navigate to:

[box]User Configuration > Preferences > Windows Settings > Registry[/box]

There you will see all the registry keys that this policy resets (and I had to configure, one by one!).

Disable Accessibility via the Registry

1. Download this file containing the registry files, and extract it onto your target machine.

2. Within the extracted files you will find a folder called “Registry Keys”. There are two files called AccessibilityOFF and AccessibilityON (as the names suggest, the first disables the settings, and the second reinstates them). Simply double click them to merge them into the registry.

Disable Accessibility via Group Policy

Import the following file and save it with a .adm extension.

[box]

; Accessibility lockdown template. Each policy records its state under
; Software\Policies\Accessibility and rewrites the matching Flags value
; under Control Panel\Accessibility.
CLASS MACHINE
CLASS USER
CATEGORY "Control Panel"
  CATEGORY "Accessibility Lockdown"
    KEYNAME "Software\Policies\Accessibility"

    ; Turn the accessibility features off again after an idle period
    POLICY "Automatic Reset"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "TimeoutConfig"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "Flags"
        VALUE "3"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "Flags"
        VALUE "2"
      END ACTIONLISTOFF
      PART "Timeout after idle for" DROPDOWNLIST
        REQUIRED
        KEYNAME "Control Panel\Accessibility\Timeout"
        VALUENAME "TimeToWait"
        ; Values are in milliseconds
        ITEMLIST
          NAME "5 minutes"
          VALUE "300000"
          NAME "10 minutes"
          VALUE "600000"
          NAME "15 minutes"
          VALUE "900000"
          NAME "20 minutes"
          VALUE "1200000"
          NAME "25 minutes"
          VALUE "1500000"
          NAME "30 minutes"
          VALUE "1800000"
        END ITEMLIST
      END PART
    END POLICY

    POLICY "Disable StickyKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "StickyKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\StickyKeys"
        VALUENAME "Flags"
        VALUE "506"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\StickyKeys"
        VALUENAME "Flags"
        VALUE "510"
      END ACTIONLISTOFF
    END POLICY

    POLICY "Disable FilterKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "FilterKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\Keyboard Response"
        VALUENAME "Flags"
        VALUE "122"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\Keyboard Response"
        VALUENAME "Flags"
        VALUE "126"
      END ACTIONLISTOFF
    END POLICY

    POLICY "Disable ToggleKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "ToggleKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\ToggleKeys"
        VALUENAME "Flags"
        VALUE "58"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\ToggleKeys"
        VALUENAME "Flags"
        VALUE "62"
      END ACTIONLISTOFF
    END POLICY

    POLICY "Disable High Contrast (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "HighContrastLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\HighContrast"
        VALUENAME "Flags"
        VALUE "122"
        VALUENAME "Pre-High Contrast Scheme"
        VALUE ""
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\HighContrast"
        VALUENAME "Flags"
        VALUE "126"
      END ACTIONLISTOFF
    END POLICY

    POLICY "Disable MouseKeys (including shortcut)"
      KEYNAME "Software\Policies\Accessibility"
      VALUENAME "MouseKeysLockdown"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
      ACTIONLISTON
        KEYNAME "Control Panel\Accessibility\MouseKeys"
        VALUENAME "Flags"
        VALUE "58"
      END ACTIONLISTON
      ACTIONLISTOFF
        KEYNAME "Control Panel\Accessibility\MouseKeys"
        VALUENAME "Flags"
        VALUE "62"
      END ACTIONLISTOFF
    END POLICY
  END CATEGORY
END CATEGORY

[/box]
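To confirm on a client that the template has taken effect, the following added example (not part of the original article or its download) reads the Flags values the template writes and checks the shortcut bit. It relies on the Windows SDK flag definitions, where bit 0x4 of each Flags value is the "hotkey active" bit; that is why every enabled/disabled pair in the template differs by exactly 4. The function name and sample values are constructed for illustration.

```powershell
# Added example: verify the accessibility lockdown for the current user.
# Bit 0x4 = SKF_/FKF_/TKF_/HCF_/MKF_HOTKEYACTIVE (Windows SDK, winuser.h).
$HotkeyActive = 0x4
$Base = 'HKCU:\Control Panel\Accessibility'

# Subkey -> Flags value the template writes when the policy is enabled
$PolicyFlags = [ordered]@{
    'StickyKeys'        = 506
    'Keyboard Response' = 122   # FilterKeys
    'ToggleKeys'        = 58
    'HighContrast'      = 122
    'MouseKeys'         = 58
}

function Test-AccessibilityLockdown {
    param([hashtable]$Flags)    # subkey name -> Flags data (stored as REG_SZ)
    foreach ($name in $PolicyFlags.Keys) {
        $raw = $Flags[$name]
        [pscustomobject]@{
            Feature        = $name
            Flags          = $raw
            PolicyValue    = $PolicyFlags[$name]
            # Shortcut is off when the hotkey bit is clear
            HotkeyDisabled = if ($null -ne $raw) { ([int]$raw -band $HotkeyActive) -eq 0 } else { $null }
            MatchesPolicy  = ([string]$raw -eq [string]$PolicyFlags[$name])
        }
    }
}

# Constructed sample: High Contrast still at the template's "off" value (126)
$sample = @{ 'StickyKeys' = '506'; 'Keyboard Response' = '122'; 'ToggleKeys' = '58'
             'HighContrast' = '126'; 'MouseKeys' = '58' }
Test-AccessibilityLockdown $sample | Format-Table -AutoSize

# Live check: read the same values from the logged-on user's hive
$live = @{}
foreach ($name in $PolicyFlags.Keys) {
    $item = Get-ItemProperty -Path "$Base\$name" -Name Flags -ErrorAction SilentlyContinue
    if ($item) { $live[$name] = $item.Flags }
}
Test-AccessibilityLockdown $live | Format-Table -AutoSize
```

Run it in the affected user's session, since the template writes to that user's registry hive.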

Related Articles, References, Credits, or External Links

NA

Deploying Office 2010 via Group Policy

KB ID 0000464 

Problem

What used to be the simplest task has now been overly complicated (Thanks Microsoft!). Simply deploying from a single .msi file would have been far too easy! This procedure uses group policy to install Microsoft Office 2010. It uses the Microsoft preferred method of employing startup scripts.

Below I’ve also disabled UAC, I found it was stopping my automated install, (If I ran the script manually I was prompted by UAC to continue – that took me about 3 hours to work out).

It also automatically “Activates” Office as soon as it’s installed, (using a MAK key). In the following scenario I deployed Office 2010 (Pro Plus) x32 bit to Windows 7 machines. In a clean VMware test environment my target machine took 6 minutes to silently install. So on a production network it will probably take a little longer (be patient). But any more than 10 minutes and the process will time out; if that’s happening make sure you do this.

Solution

1. On a server create a shared folder called Office_2010, give Authenticated Users – read access.

2. In that folder create a folder called LogFiles.

3. Copy the contents of the Office DVD to this share.

4. Open the shared folder locate the ProPlus.WW folder and open it.

5. Locate config.xml open it with notepad.
Change:

<Display Level="full" CompletionNotice="yes" SuppressModal="no" AcceptEula="no" />
to
<Display Level="none" CompletionNotice="no" SuppressModal="yes" AcceptEula="yes" />

6. You can also change Username and companyname if you wish.

7. Save and exit config.xml

8. While in the Office_2010 folder Shift+Right Click > Open command window here.

9. Run setup.exe /admin

10. Accept the defaults on the popup menus.

11. Locate “Licensing and User interface.”

12. Enter a valid MAK license key (Take out the dashes and/or spaces). Tick to accept the EULA, and set the display level to none.

13. Locate “Set feature installation states”, and set for the Office features you require.

To Set Office to Auto Activate (Without user intervention).

 

14. Locate “Modify Setup properties” , add a new one.

15. Set the name to AUTO_ACTIVATE.

16. Set the value to 1 (number one), and click OK.

Note: If you need to remove previous versions of Office you will find the option to do that in here also.

17. Click File > Save as > Save the msp file in the share\updates folder (you can call it what you want).

18. Open notepad and paste in the following text:

[box]

setlocal

REM *********************************************************************
REM Environment customization begins here. Modify variables below.
REM *********************************************************************

REM Get ProductName from the Office product's core Setup.xml file, and then add "office14." as a prefix.
set ProductName=Office14.PROPLUS

REM Set DeployServer to a network-accessible location containing the Office source files.
set DeployServer=\\DC2A\Office_2010

REM Set ConfigFile to the configuration file to be used for deployment (required)
set ConfigFile=\\DC2A\Office_2010\ProPlus.WW\config.xml

REM Set LogLocation to a central directory to collect log files.
set LogLocation=\\DC2A\Office_2010\LogFiles

REM *********************************************************************
REM Deployment code begins here. Do not modify anything below this line.
REM *********************************************************************

IF NOT "%ProgramFiles(x86)%"=="" (goto ARP64) else (goto ARP86)

REM Operating system is X64. Check for 32 bit Office in emulated Wow6432 uninstall key
:ARP64
reg query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
if NOT %errorlevel%==1 (goto End)

REM Check for 32 and 64 bit versions of Office 2010 in regular uninstall key.(Office 64bit would also appear here on a 64bit OS)
:ARP86
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%ProductName%
if %errorlevel%==1 (goto DeployOffice) else (goto End)

REM If 1 returned, the product was not found. Run setup here.
:DeployOffice
start /wait %DeployServer%\setup.exe /config %ConfigFile%
echo %date% %time% Setup ended with error code %errorlevel%. >> %LogLocation%\%computername%.txt

REM If 0 or other was returned, the product was found or another error occurred. Do nothing.
:End

Endlocal

[/box]

19. Change the ProductName to the correct one you are deploying (search for ProductName in the setup.xml file that’s in the same folder you found config.xml in).

20. Change the THREE values in this script “DC2A” to your servername.

21. Save the file as a batch file (not a .txt file!) and right click the file > copy.

22. On your domain controller Start > Administrative tools > Group Policy management console > either create a new policy and link it to your COMPUTERS or edit an existing policy.

23. Navigate to:

[box] Computer Configuration > Policies > Windows Settings > Scripts > Startup. [/box]

24. Add the batch file you created earlier (open the folder and right click > paste).

Note: That should be all you need to do however – The first time I did this, UAC on the Windows 7 machines blocked the install, so I had to turn it off. You can do that in the same policy.

25. Navigate to:

[box] Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options[/box]

Set the Following:

a. User Account Control Behaviour of the elevation prompt for administrators in Admin approval mode – No Prompt or Elevate without Prompting.
b. User Account Control Detect Application installations and prompt for elevation – Disabled.
c. User Account Control Run all administrators in Admin approval mode – Disabled.
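The three settings above are stored as values under one registry key, so their state on a client can be checked after the install has run. This is an added example, not part of the original article: it reports which of the three values are in the state step 25 sets them to, so machines still carrying the relaxed UAC configuration can be identified. The function name and the sample values are constructed for illustration.

```powershell
# Added example: report whether the UAC values behind step 25 a-c are relaxed.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value -> the Security Option it backs; 0 is the state step 25 produces
$UacMap = [ordered]@{
    ConsentPromptBehaviorAdmin = 'a. Elevation prompt for administrators (0 = elevate without prompting)'
    EnableInstallerDetection   = 'b. Detect application installations (0 = disabled)'
    EnableLUA                  = 'c. Run all administrators in Admin Approval Mode (0 = disabled)'
}

function Get-UacRelaxation {
    param([hashtable]$Values)   # value name -> data, as read from $UacKey
    foreach ($name in $UacMap.Keys) {
        $data = $Values[$name]
        [pscustomobject]@{
            Value   = $name
            Data    = $data
            # A missing value means no policy has written it, so it is not relaxed
            Relaxed = ($null -ne $data -and [int]$data -eq 0)
            Policy  = $UacMap[$name]
        }
    }
}

# Constructed sample: a client after the deployment policy has applied
$sample = @{ ConsentPromptBehaviorAdmin = 0; EnableInstallerDetection = 0; EnableLUA = 0 }
Get-UacRelaxation $sample | Format-Table -AutoSize

# Live check on the local machine: list only the values still relaxed
$props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
if ($props) {
    $live = @{}
    foreach ($name in $UacMap.Keys) { $live[$name] = $props.$name }
    Get-UacRelaxation $live | Where-Object Relaxed |
        Format-Table Value, Data, Policy -AutoSize
}
```

An empty result from the live check means none of the three values is set to 0 on that machine.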

Timing

Policies like this will “time out” if running for more than 600 seconds (10 minutes). Our install may take longer than that, so you may need to set the time out in the policy. Navigate to:

[box] Computer Configuration > Policies > Administrative Templates > System > Scripts[/box]

Select “Maximum wait time for group policy scripts” set it to 0 (zero) for unlimited.

26. Close the policy editor.

Note: At this point every time Office starts for a new user, it presents you with:

27. To Suppress that you need to create a USER policy with a Custom ADM Template, download the template here.

28. Note this is a USER Policy, so if you add it to the policy you have already created to deploy Office, then that policy needs to be linked to your users. So I would just create a new user policy and link it separately. Navigate to:

[box] User Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Microsoft Office 2010 > Miscellaneous [/box]

29. Locate the “Suppress recommended settings dialog” and enable it.
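The startup script from step 18 appends one line per setup run to a per-computer text file in the LogFiles folder, which makes the rollout easy to summarise. This is an added example, not part of the original article: the function name, computer names and log lines are constructed, and treating 3010 as "reboot pending" follows the standard Windows Installer exit code.

```powershell
# Added example: summarise the per-computer logs written by the startup script.
# Each line ends "Setup ended with error code <n>."; the %date% %time% prefix is
# locale-dependent, so only the exit code is parsed.
function Get-OfficeSetupResult {
    param([string]$Computer, [string[]]$Lines)
    $codes = @(foreach ($line in $Lines) {
        if ($line -match 'Setup ended with error code (-?\d+)\.') { [int]$Matches[1] }
    })
    if ($codes.Count -eq 0) { return }   # no recognisable entries in this file
    $last = $codes[-1]
    [pscustomobject]@{
        Computer = $Computer
        Runs     = $codes.Count          # more than 1 means setup was retried
        LastCode = $last
        Status   = switch ($last) {
            0       { 'Installed' }
            3010    { 'Installed, reboot pending' }
            default { 'Failed' }
        }
    }
}

# Constructed sample log content (computer name -> lines); not real output
$sample = @{
    'PC-001' = @('Mon 01/02/2012  9:14:07.55 Setup ended with error code 0.')
    'PC-002' = @('Mon 01/02/2012  9:15:41.12 Setup ended with error code 30015.',
                 'Tue 01/03/2012  8:58:03.90 Setup ended with error code 0.')
    'PC-003' = @('Mon 01/02/2012  9:20:00.01 Setup ended with error code 1603.')
}
$sample.GetEnumerator() | Sort-Object Name |
    ForEach-Object { Get-OfficeSetupResult $_.Key $_.Value } |
    Format-Table -AutoSize

# Against the real share (DC2A is the placeholder server name from the script):
# Get-ChildItem '\\DC2A\Office_2010\LogFiles\*.txt' | ForEach-Object {
#     Get-OfficeSetupResult $_.BaseName (Get-Content $_.FullName)
# } | Where-Object Status -eq 'Failed'
```

A computer with no file in LogFiles never reached the setup step, either because Office was already detected or because the startup script did not run.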

Related Articles, References, Credits, or External Links

Office 2010 Administrative templates.