Windows XP Policies - TalkTalk Business
Date posted: 29-May-2018
Page 1: Windows XP Policies - TalkTalk Business · Web viewAn introduction to the use of policies and profiles on Windows XP Professional-based PC’s. Contents. Title Page No Introduction.

Information Technology Unit

OPERATIONS

341-345 High Road, Wembley, Middlesex HA9 6AQ. Telephone: 020 8937 6000 Fax: 020 8937 6073

An introduction to the use of policies and profiles on Windows XP Professional-based PCs.

Contents.

Title ... Page No

Introduction ... 1
Introducing User Profiles ... 1
Location and Content of User Profiles ... 1
  Special Note – Location of User Profiles ... 1
  Special Note – Group Policies and User Profiles ... 3
Types of Profiles ... 3
Common Profiles ... 3
  Special Note – View the Start Menu folder ... 4
Setting Up a Default Profile ... 4
Working with User Profiles ... 4
  Special Note – Viewing User Profiles ... 5
Removing a User Profile ... 5
  Special Note – Roaming Profiles ... 6
Copying a User Profile ... 6
  Special Note – Copying a Profile ... 6
Copying the Default User Profile ... 6
Assigning a Profile ... 7
Using Scripts That Run at Logon, Logoff, Startup, and Shutdown ... 8
  Special Note – Moving the Documents and Settings Folder ... 10
Using Roaming User Profiles ... 10
Using Mandatory User Profiles ... 11
Controlling User Capabilities with Group Policy ... 11
Starting Group Policy ... 11
Starting Group Policy for a Remote Computer ... 12
Customizing the Group Policy Window ... 13
Displaying Only Policies You Want… ... 14
Understanding the Local Group Policy Object ... 15
  Special Note – Group Policy Files and Folders ... 15
How Group Policy Works ... 16
  Special Note – Group Policy Settings ... 16
How Local Group Policy Settings Interact with Active Directory–Based Group Policy Settings ... 17
Types of Settings ... 19
Making Settings ... 20
  Special Note – Policy Names can be Confusing ... 20
Making Different Settings for Different Users ... 21
  Special Note – Denying Read Permission for Group Policy ... 21
Setting User Rights ... 22
  Special Note – Local Security Settings Console ... 22
Appendices ... 24
Appendix A: Table listing the default rights of built-in user groups in Windows XP Professional ... 25
Notes ... 27

Introduction. This manual is intended as a guide for Information Technology Unit (ITU) staff to the management and administration of user profiles and policies on a Windows XP-based PC, with particular emphasis on how this is implemented within the London Borough of Brent (LBB) Corporate Data Network (CDN). The manual assumes a beginner's level of knowledge of Windows XP/2000 administration and support.

Introducing User Profiles. A user profile contains all the settings and files for a user’s work environment. This includes the user’s personal registry settings for everything from mouse pointers to view settings used in Microsoft Word, and files that are specific to a user, such as cookies the user receives while using Microsoft Internet Explorer, documents in the My Documents folder and its subfolders, and shortcuts to network places.

Location and Content of User Profiles. By default, each user who logs on to a computer has a local user profile, which is created when the user logs on for the first time. Local user profiles are stored in %SystemDrive%\Documents and Settings. Each user’s profile is stored in a subfolder with the user name as the folder name (for example, C:\Documents and Settings\LBBUser). The entire path for the current user’s profile is stored in another commonly used environment variable, %UserProfile%.

Special Note – Location of User Profiles

If the operating system was upgraded from Microsoft Windows NT 4 (instead of performing a clean installation or upgrading from another version of Windows), user profiles are stored in %SystemRoot%\Profiles.

Within a user’s profile folder, you’ll find a hierarchy of folders, as illustrated. To prevent confusion, the My Documents folder for another user is shown with that person’s name (e.g., LBBUser’s Documents).

The root of the profile (that is, the subfolder of Documents and Settings with the user name as the folder name) contains NTUser.dat, which is the user portion of the registry (i.e., the HKCU “hive”).

In addition, a computer that’s a member of a Microsoft Windows NT Server domain might have an Ntuser.pol file, a file that has system policy settings.

System policy is the Windows NT predecessor to Group Policy, which was introduced with Microsoft Windows 2000.

The profile includes the following folders:

Application Data. This hidden folder contains application-specific data, such as a custom dictionary for word processing programs, junk sender lists for an e-mail program, a CD database for a program that plays music CDs, and so on. Application vendors decide what information to put in this folder.

Cookies. This folder contains Internet Explorer cookies.

Desktop. This folder contains all items stored on the user’s desktop, including files and shortcuts.

Favorites. This folder contains Internet Explorer favorites.

Local Settings. This hidden folder contains settings and files that don’t roam with the profile, either because they’re machine-specific or because they’re so large that it’s not worthwhile to include them in a roaming user profile, which must be copied from and to a network server at each logon and logoff. (Roaming user profiles are discussed in the next section.) For example, the staging area for burning CDs—which is machine-specific and potentially large—is stored in a subfolder of Local Settings. The Local Settings folder contains four subfolders:

o Application Data. This hidden folder contains machine-specific application data.

o History. This folder contains the user’s Internet Explorer browsing history.

o Temp. This folder contains temporary files created by applications.

o Temporary Internet Files. This folder contains the offline cache for Internet Explorer.

My Documents. This folder is the default target for the My Documents shortcut that appears on the Start Menu, in the Windows Explorer task pane (under Other Places), and elsewhere. My Documents is the default location for storing user documents in most applications. When you view the profile folders for another user, the user’s name replaces My, although the actual folder name for all users is My Documents.

NetHood. This hidden folder contains the shortcuts that appear in My Network Places.

PrintHood. This seldom-used hidden folder can contain shortcuts to items in the Printers And Faxes folder.

Recent. This hidden folder contains shortcuts to the recently used documents; the most recent of these can appear on the Start menu. Although it appears in Windows Explorer as My Recent Documents, the actual folder name is Recent.

SendTo. This hidden folder contains shortcuts to the folders and applications that appear on the Send To submenu. Send To is a command that appears on the File menu in Windows Explorer when you select a file or folder; it also appears on the shortcut menu when you right-click a file or folder.

Start Menu. This folder contains the items (such as shortcuts to applications and documents) that appear on the Start Menu’s All Programs submenu.

Templates. This hidden folder contains shortcuts to document templates. These templates are typically used by the New command (on the File menu and the shortcut menu) in Windows Explorer and are referenced in the registry by the FileName value in the HKCR\class\ShellNew key, where class refers to the extension and file type.

Special Note – Group Policies and User Profiles

Group Policy settings always take precedence over user settings in user profiles. This allows administrators to foil users who have the knowledge and permissions to make changes directly in their own user profile.

Types of Profiles. Windows XP Professional supports three types of profiles:

Local User Profiles. A local user profile is stored in the %SystemDrive%\Documents and Settings (or %SystemRoot%\Profiles) folder on the local hard disk. Windows creates a local user profile the first time a user logs on to the computer. If the user makes changes to the profile, the changes affect only the computer where the changes are made.

Roaming User Profiles. A roaming user profile is stored on a network server, which makes it available when a user logs on to any computer on the network. Windows creates a local copy of the user profile the first time a user logs on to a computer. If the user makes changes to the profile, Windows merges the changes into the server copy when the user logs off; therefore, the revised profile is available the next time the user logs on to any computer. Roaming profiles are managed by, and suited to, Windows .NET Server and Windows 2000 Server domains. For further details, see "Using Roaming User Profiles."

Mandatory User Profiles. A mandatory user profile is one that can be changed only by an administrator. Like a roaming user profile, a mandatory profile is stored on a network server, and Windows creates a local copy when a user who has been assigned a mandatory profile logs on for the first time. Unlike a roaming user profile, a mandatory profile is not updated when the user logs off. This makes mandatory profiles useful not only for individual users whom you want to severely restrict, but also for multiple users (for example, all users in a certain job classification) to whom you want to apply consistent job-specific settings. Multiple users can share a mandatory user profile without affecting others. Users who have been assigned a mandatory profile can make profile changes while they’re logged on (unless prevented by policy settings), but the network copy remains unchanged. Although a copy of the profile—changes and all—remains on the computer after a user logs off, at the next logon Windows recopies the original profile from the network share. For information about assigning a mandatory user profile, see "Using Mandatory User Profiles."

Common Profiles. In the profiles folder (%SystemDrive%\Documents And Settings or %SystemRoot%\Profiles), you’ll find two profiles that aren’t associated with a particular user account: All Users and Default User (this is a hidden folder)…

All Users. The content of the All Users folder appears for all users who log on to a workstation in addition to the content of each user’s own profile folder. For example, items in the All Users\Desktop folder appear on the desktop along with items that the current user has saved on the desktop. Similarly, the Start menu shows the combined contents of the All Users\Start Menu folder and the current user’s Start Menu folder. The All Users\Documents folder (which, by default, appears as Shared Documents in Windows Explorer) contains documents that are available to all users. The exception is the All Users\Favorites folder, which appears to serve no purpose whatsoever.

By default, only members of the Administrators group and the Power Users group can add items to the Desktop and Start Menu folders in the All Users profile. All users can add items to Shared Documents.

Special Note – View the Start Menu folder

Windows offers a simple way to get directly to either branch of the Start Menu hierarchy. Right-click the Start button and choose Open or Explore if you want to look at the Start Menu folder within the current user’s profile; choose Open All Users or Explore All Users to view the All Users\Start Menu folder in Windows Explorer.

Default User. When a user logs on to a computer for the first time (and his or her account is not set up to use a roaming profile or mandatory profile), Windows creates a new local profile by copying the content of the Default User folder to a new folder and giving it the user’s name. Therefore, you can configure the Default User profile the way you want new users’ initial view of Windows to appear. With the default security settings, only members of the Administrators group can make changes to the Default User profile.

Setting Up a Default Profile. You can populate the Default User profile with files that you want each new user to have available. In particular, you might want to supply a set of Internet links, a few desktop shortcuts, and perhaps some documents. You can easily do this simply by copying the appropriate shortcuts and files to the Favorites, Desktop, and My Documents folders.

Be sure that you copy files to the Default User profile so that they inherit the appropriate permissions from the destination folder. If you move files to the folder, they retain their existing permissions, which will likely prevent them from being copied to the new user’s profile.

Once all desired files and other settings have been configured (e.g., SendTo and Favorites shortcuts), the profile may be copied in the recommended manner (see "Copying the Default User Profile").

Working with User Profiles. Armed with the knowledge of where profiles reside and what they contain, you might be tempted to manipulate them directly from Windows Explorer or a command prompt. Although you can safely add, modify, or remove objects such as the Start Menu and desktop items, you should not move, copy, or delete entire profiles in this manner.

Instead, you should use the User Profiles dialogue box (illustrated).

To get there, right-click My Computer and choose Properties (or choose System in Control Panel).

On the Advanced tab, click Settings under User Profiles.

Special Note – Viewing User Profiles

Users who are not members of the Administrators group can’t see other user profiles in the User Profiles dialogue box, nor can they delete, copy, or change their own profile.

Removing a User Profile. The User Profiles dialogue box indicates the disk space occupied by a profile. To recover the space occupied by unused profiles, you can remove the profile in either of two ways (shown in order of desirability):

Open User Accounts in Control Panel and delete the user account associated with the profile.

From the User Profiles dialogue box, simply select a profile and click Delete. You cannot delete a profile that is currently logged on. Deleting profiles in this manner (instead of using Windows Explorer, for example) ensures that the appropriate profile also gets removed from the registry. Each user profile occupies a subkey of HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.
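As a read-only check that the registry and the profiles folder still agree, the following PowerShell is an example added here (it is not part of the original manual). It lists every subkey of ProfileList with the folder its ProfileImagePath value points to, and flags entries whose folder no longer exists on disk, which is the residue left when a profile folder is deleted in Windows Explorer rather than through the User Profiles dialogue box. It assumes Windows PowerShell 2.0 or later and administrative rights to read HKLM; the function name Get-ProfileListEntry is this example's own.

```powershell
# Added example, not from the original manual. Read-only: lists the profiles
# registered under ProfileList and flags entries whose folder on disk is gone.
# Those orphans are what removing a profile folder in Windows Explorer leaves
# behind; the User Profiles dialogue box removes both the folder and the key.
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListEntry {
    # One object per SID subkey. ProfileImagePath is REG_EXPAND_SZ, so expand
    # %SystemDrive% / %SystemRoot% before testing whether the folder exists.
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $values = Get-ItemProperty -Path $_.PSPath
        $path   = [Environment]::ExpandEnvironmentVariables([string]$values.ProfileImagePath)
        $exists = $false
        if ($path) { $exists = [bool](Test-Path -LiteralPath $path -PathType Container) }
        New-Object PSObject -Property @{
            Sid          = $_.PSChildName
            ProfilePath  = $path
            FolderExists = $exists
        }
    }
}

$entries = Get-ProfileListEntry
$entries | Select-Object Sid, ProfilePath, FolderExists | Format-Table -AutoSize

# Report registry entries whose profile folder is missing.
foreach ($entry in ($entries | Where-Object { -not $_.FolderExists })) {
    Write-Warning ('ProfileList entry {0} points to missing folder {1}' -f $entry.Sid, $entry.ProfilePath)
}
```

The well-known service SIDs (for example the entry whose path is the systemprofile folder under %SystemRoot%\System32\config) are listed alongside user profiles and should show FolderExists as True; any entry reported by the warning loop is a candidate for clean-up through the User Profiles dialogue box rather than by editing the registry directly.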

Special Note – Roaming Profiles

With roaming profiles, Windows ordinarily keeps the copy of the profile that was downloaded to the local hard drive. Windows uses this local copy if the network copy happens to be unavailable the next time the user logs on.

Windows can be forced to automatically delete the local copy of a roaming profile when a user logs off.

To do that, open the Microsoft Management Console (MMC) snap-in, Group Policy (GpEdit.msc), go to Computer Configuration\Administrative Templates\System\User Profiles, and enable the policy named Delete Cached Copies Of Roaming Profiles. Other policies in the same folder also affect how roaming profiles are applied. For more information, see "Controlling User Capabilities with Group Policy."

Copying a User Profile. Copying a user profile (by selecting a profile and clicking Copy To) doesn’t add the profile to the registry; that happens the first time a user who has been assigned the profile you copy logs on. But copying from the User Profiles dialogue box instead of using Windows Explorer has an important advantage: Windows assigns the proper permissions to the copy. That is, it gives Full Control permission to the user or group you specify and removes permissions for other non-administrative users. Such permissions are necessary to allow a user access to his or her own profile—but no one else’s.

Special Note – Copying a Profile

You cannot copy a profile that is currently logged on, including your own. If you want to copy your own profile, you’ll need to log on using a different account.

Copying the Default User Profile. The (Microsoft) recommended method of creating a profile to be used as the Default User profile is as follows…

1. Create a profile by logging on (ideally with a temporary user account you create for the purpose) and making the settings you want.

2. Log off and then log back on as a member of the Administrators group.

3. Right-click My Computer and choose Properties. In the System Properties dialogue box, click the Advanced tab and then click Settings under User Profiles.

4. Select the profile you created and click Copy To.

5. In the Copy Profile To box, type the full path of the destination profile folder (i.e., C:\Documents and Settings\Default User).

6. Under Permitted To Use, click Change and then type the names of the user groups who will have access to the profile.

When you click OK in the Copy To dialogue box, Windows copies the user profile to the specified folder and sets permissions on the destination folder and its contents. Windows gives Full Control permission to the Administrators group, any user or group entered in the Permitted To Use box, and the System account. This prevents non-administrative users from accessing a profile other than their own.

Assigning a Profile. If you want to assign a profile to a user account (note that you need to do this only if you want to use a profile that’s not stored in the default location, such as a roaming user profile or a mandatory user profile), you use Microsoft Management Console with the appropriate snap-in. Double-click the name of the user you want to assign the profile to and click the Profile tab.

On the Profile tab, you can specify the following…

The location of the user profile. (Note that you need to do this only if you want to use a profile that’s not stored in the default location, such as a roaming user profile or a mandatory user profile.) For more information, see "Using Roaming User Profiles."

The location and file name of a logon script. For more information, see the document "Notes on the LBB Login Scripts.doc".

The path to the user’s home folder. The home folder is a folder in which a user can store his or her files and programs. To use a folder on a network server as a home folder, select a drive letter (Windows maps the folder to this letter at each logon) and specify the full UNC network path to the folder (e.g., \\[SERVERNAME]\USERS\%USERNAME%).

Using Scripts That Run at Logon, Logoff, Startup, and Shutdown.

With user profiles or group policy, you can implement scripts that run automatically. A logon script is a program that runs whenever a user logs on. Any executable file—that is, a batch program (.bat or .cmd extension), a Windows Script Host (WSH) script (.vbs, .js, or .wsf extension), or a program (.exe or .com extension)—can be used as a logon script. Logon scripts are commonly used to map network drives to a drive letter, to start certain programs, and to perform other similar tasks that should happen at each logon. As with most tasks in Windows, you can use other methods to perform each of these—but a logon script offers a convenient, flexible method (for more information, see the document "Notes on the LBB Login Scripts.doc").

Note that using system environment variables such as %UserName% makes it easy to use the same script for different users. Windows substitutes the correct user name when it runs the script.

To use a logon script, specify the script’s path and file name in the Logon Script box on the Profile tab of the user’s properties dialogue box.

Windows XP Professional also offers support for four other types of scripts:

Group Policy logon scripts, which run whenever a user logs on

Group Policy logoff scripts, which run whenever a user logs off

Group Policy startup scripts, which run whenever the computer starts up

Group Policy shutdown scripts, which run whenever the computer shuts down

As with ordinary logon scripts, you can use any of the executable file types for these scripts. Though it is possible to store scripts anywhere on the network, each type of script has a default location. The following are the default locations for local scripts on a Windows XP-based PC…

Logon script: %SystemRoot%\System32\GroupPolicy\User\Scripts\Logon

Logoff script: %SystemRoot%\System32\GroupPolicy\User\Scripts\Logoff

Startup script: %SystemRoot%\System32\GroupPolicy\Machine\Scripts\Startup

Shutdown script: %SystemRoot%\System32\GroupPolicy\Machine\Scripts\Shutdown

Note: The %SystemRoot%\System32\GroupPolicy folder is hidden.

To implement any of these scripts, start Group Policy (GpEdit.msc) and go to Computer Configuration\Windows Settings\Scripts (for startup and shutdown scripts) or User Configuration\Windows Settings\Scripts (for logon and logoff scripts)…

When you double-click an entry in one of these folders, you’ll notice some additional improvements over legacy logon scripts:

You can specify more than one script for each of these events, and you can specify the order in which they run.

You can specify command-line parameters for each script.

Group Policy also offers a number of policy settings that affect how scripts run—synchronously (i.e., that in effect, nothing else runs until the script finishes running) or asynchronously, hidden or visible.

These settings, along with more complete explanations of their effects, may be found in the MMC Group Policy snap-in under Computer Configuration\Administrative Templates\System\Scripts and in User Configuration\Administrative Templates\System\Scripts.

Some policies appear in both places; if the settings are configured differently, the one in Computer Configuration takes precedence.

To move My Music or My Pictures, simply use Windows Explorer to move the folder to the desired location. Windows XP automatically updates all references to the folder, including those on the Start Menu.

In a domain or Active Directory–based network, Group Policy settings allow an administrator to use folder redirection to store the data files from a user’s profile on a network server. The Folder Redirection extension in Group Policy lets administrators change the location of the Application Data, Desktop, My Documents, and Start Menu components of the user profiles.

Special Note – Moving the Documents and Settings Folder

It’s possible—but not recommended—to move the entire Documents And Settings folder. For details, see Microsoft Knowledge Base article Q236621.

Using Roaming User Profiles. Roaming user profiles are a feature of domain-based networks (that is, a network that uses a member of the Windows .NET Server, Windows 2000 Server, or Windows NT Server family as a domain controller).

A roaming user profile allows a user to log on to a workstation and see his or her settings on the desktop, the Start Menu, and so on. Roaming user profiles work by storing the user profile in a shared network folder. When the user logs on, the profile information is copied from the shared network folder to the local hard disk. When the user logs off, the profile information—which might have changed during the computing session—is then copied back to the shared folder.

In an environment such as the London Borough of Brent CDN, user accounts and computer accounts are centrally managed at the domain level, so you need to make settings only one time and in only one place.

Using Mandatory User Profiles. A mandatory user profile works much like a roaming user profile: When a user logs on, the profile is copied from a network location to a local folder, thereby providing familiar settings. The difference is that a mandatory profile isn’t updated with user changes when the user logs off.

To assign a mandatory user profile to one or more users, in the folder where the shared profile is stored (e.g., C:\Documents and Settings\Default User), make the following changes:

1. Change the folder permissions to Read & Execute, List Folder Contents, and Read for everyone except Administrators and System.

2. Change the name of the hidden NTUser.dat file (in the profile’s top-level folder) to NTUser.man. Be sure to change NTUser.dat, not NTUser.dat.log, which may have a hidden extension. The *.man extension signifies a mandatory profile.
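The two steps above, and the permission model described under "Copying the Default User Profile" (Full Control only for Administrators, the Permitted To Use identity, and System), can be verified before the profile is assigned to anyone. The following PowerShell function is an example added here, not part of the original manual: it confirms that NTUser.dat has been renamed to NTUser.man and that no identity other than those you trust holds write-type rights on the profile root. It assumes Windows PowerShell 2.0 or later; the function name Test-MandatoryProfile, its parameters, and the default path are this example's own choices.

```powershell
# Added example, not from the original manual. Checks a shared profile folder
# against the two rules in the text: NTUser.dat renamed to NTUser.man, and no
# write-type rights for anyone other than Administrators and SYSTEM.
function Test-MandatoryProfile {
    param(
        # Assumed default; point this at the folder the profile was copied to.
        [string]$ProfilePath = 'C:\Documents and Settings\Default User',
        # Identities allowed to hold write rights. For a profile placed with
        # "Copy To", add the user or group entered under Permitted To Use.
        [string[]]$Trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $findings = @()

    # Rule 1: the hive must be NTUser.man and NTUser.dat must be gone.
    # NTUser.dat.log is a separate file and is not checked here.
    $man = Join-Path $ProfilePath 'NTUser.man'
    $dat = Join-Path $ProfilePath 'NTUser.dat'
    if (-not (Test-Path -LiteralPath $man)) { $findings += 'NTUser.man not found: the profile is not mandatory.' }
    if (Test-Path -LiteralPath $dat)       { $findings += 'NTUser.dat still present: rename it to NTUser.man.' }

    # Rule 2: anything beyond Read & Execute / List Folder Contents / Read for
    # an untrusted identity lets that user alter the shared copy. The mask
    # covers the write, delete and permission-change bits; Modify and
    # FullControl both include them.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $acl = Get-Acl -Path $ProfilePath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($Trusted -contains $id) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) {
            $findings += ('{0} holds {1} on the profile root.' -f $id, $ace.FileSystemRights)
        }
    }

    if ($findings.Count -eq 0) {
        "OK: $ProfilePath is configured as a read-only mandatory profile."
    } else {
        $findings | ForEach-Object { Write-Warning $_ }
    }
}

# Check the default location; pass -ProfilePath for a profile stored elsewhere.
Test-MandatoryProfile
```

Only the profile root is inspected; because step 1 sets the permissions on the folder, subfolders normally inherit them, but a folder whose inheritance was broken earlier would need the same check run against it.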

Controlling User Capabilities with Group Policy. Group Policy is a highly touted feature of Active Directory, which is part of Windows .NET Server and Windows 2000 Server. Group Policy allows administrators to configure computers throughout sites, domains, or organizational units (OUs). In addition to setting standard desktop configurations and restricting what users are allowed to change, administrators can use Group Policy to centrally manage software installation, configuration, updates, and removal; specify scripts to run at startup, shutdown, logon, and logoff; and redirect users’ special folders (such as My Documents) to the network. Administrators can customize all these settings for different computers, users, or groups.

Starting Group Policy. Group Policy settings are made using the Group Policy snap-in for Microsoft Management Console (MMC). Windows XP Professional includes an MMC console that shows only this snap-in, but you won’t find it on the Start Menu. You must be logged on as a member of the Administrators group to use Group Policy. To open the console, go to Start, Run and type GpEdit.msc.


If the computer is joined to a domain with Active Directory–based policies, and if you have appropriate domain administrative privileges, you can configure Group Policy to display snap-in extensions that let you view and modify domain policies as well as extensions for the local Group Policy object.

For more information, see "How Local Group Policy Settings Interact with Active Directory–Based Group Policy Settings."

Starting Group Policy for a Remote Computer. With some MMC snap-ins (for example, Computer Management), you can use a menu command to switch from the local computer to another computer on your network. This is not the case with Group Policy, which, once started, directs its attention toward a single computer.

You can, however, start Group Policy with its focus turned toward another computer. To do that, you must have administrative privileges on both your own computer and the other computer.

You can use either of two methods to start Group Policy for a remote computer: a command-line parameter or a custom MMC console.

The simplest method is to append the /Gpcomputer parameter, as below:

GpEdit.msc /gpcomputer:"[PC_NAME]"

where [PC_NAME] is the host name of the target computer.

The computer name that follows /Gpcomputer can be either a NetBIOS-style name or a DNS-style name (e.g., [PC_NAME].redwood.swdocs.com), which is the primary naming form used by Windows .NET Server and Windows 2000 Server domains. In either case, you must enclose the computer name in quotation marks.

An alternative is to create a custom console that opens another computer’s Group Policy object.

The advantage of this approach is that you can create a single console that can open Group Policy for each computer you want to manage.


To create a custom console, follow these steps:

1. Go to Start, Run and type mmc.

2. Open the File menu and choose Add/Remove Snap-In.

3. On the Standalone tab, click Add.

4. Select Group Policy and click Add.

5. In the Select Group Policy Object dialogue box, click Browse.

6. Locate the computer and select it from a list.

7. Click OK and then click Finish.

8. Click Close and then click OK.

Group Policy options available under Windows .NET Server or 2000 Server are far more extensive than those used by any previous version of Windows.

Customizing the Group Policy Window. The Group Policy console has some easily overlooked options that you won’t find in other MMC snap-ins. You can add or remove administrative templates, and you can restrict the view to show only the policies that have been configured.

Adding or Removing Policy Templates. The Administrative Templates folders (under Computer Configuration and User Configuration) are extensible. The Administrative Templates policies are defined in an *.adm file.


Windows XP includes several .adm files, of which four are displayed by default…

File name / Description

Conf.adm (displayed by default): Conferencing settings for Microsoft NetMeeting that appear in Administrative Templates\Windows Components\NetMeeting (under Computer Configuration and User Configuration).

Inetcorp.adm: Microsoft Internet Explorer settings for use with the Internet Explorer Administration Kit (IEAK), not Group Policy.

Inetres.adm (displayed by default): Microsoft Internet Explorer settings that appear in Administrative Templates\Windows Components\Internet Explorer (under Computer Configuration and User Configuration).

Inetset.adm: Microsoft Internet Explorer settings for use with the Internet Explorer Administration Kit (IEAK), not Group Policy.

System.adm (displayed by default): A wide variety of settings for Windows XP, encompassing most of the policies that appear in Group Policy.

Wmplayer.adm (displayed by default): Windows Media Player settings that appear in User Configuration\Administrative Templates\Windows Media Player.

You might want to remove the templates that contain policies you never use, or you might want to add a custom template provided with another program. For example, the Microsoft Office XP Resource Kit includes policy templates for managing Microsoft Office; for details, visit www.microsoft.com/office/ork.

To add or remove a policy template, right-click Administrative Templates (either folder) and choose Add/Remove Templates. After you make your changes and click Close in the Add/Remove Templates dialogue box, both Administrative Templates folders reflect your new selections.

Adding a policy template merely copies the .adm file to %SystemRoot%\System32\GroupPolicy\Adm; removing a template deletes the copy in that folder. Adding or removing policy templates does not change the underlying policy settings, if any; it only controls whether those policies are displayed in Group Policy.

Displaying Only Policies You Want. With only the standard templates installed, Group Policy offers hundreds of policies that you can set. Many of these policies might be for areas of Windows that you never use; including these in the Group Policy console clutters the environment.

Windows offers a way to selectively filter the list of displayed Administrative Templates policies to include only the ones that might interest you.

To use this feature, right-click Administrative Templates and choose View, Filtering. In the Filtering dialogue box illustrated, you can choose to hide items that apply only to certain versions of Windows or Internet Explorer.


After you configure the Group Policy as desired, you can clean up the display by hiding the myriad policies that you aren’t interested in setting: select Only Show Configured Policy Settings.

Filtering the display of policies does not change the underlying policy settings, if any; it only controls whether those policies are displayed in Group Policy.

Unlike the Add/Remove Templates command, filtering applies only to the Administrative Templates folder that you select. If you want to filter the policies in both Computer Configuration and User Configuration, you must repeat the process in each folder.

Understanding the Local Group Policy Object. A Group Policy object (often abbreviated as GPO) is simply a collection of Group Policy settings. In a domain based on Windows .NET Server or Windows 2000 Server, Group Policy objects are stored at the domain level and affect users and computers based on their membership in sites, domains, and organizational units. Each computer running Windows XP has a single local Group Policy object.

The local Group Policy object is stored as a series of files and folders in the hidden %SystemRoot%\System32\GroupPolicy folder. By default, the local Administrators group and the operating system itself have Full Control permissions for this folder and all the objects it contains; Authenticated Users has Read & Execute permissions. The GroupPolicy folder typically contains the following files and folders:

Gpt.ini. This file stores information about which extensions (identified by their globally unique identifier, or GUID) contain modified settings and whether the Computer Configuration or User Configuration branch is disabled.

Adm. This folder contains the administrative templates (stored as *.adm files) that are in use. (See "Adding or Removing Policy Templates.")

User. This folder holds the Registry.pol file, which contains registry settings that apply to users. The User folder includes these subfolders:

o Microsoft\IEAK contains settings for the items that appear in the \User Configuration\Windows Settings\Internet Explorer Maintenance folder in Group Policy.

o Scripts includes two folders, Logon and Logoff, which contain the scripts that run when a user logs on or logs off.

Machine. This folder holds the Registry.pol file, which contains registry settings that apply to the computer. Within the Machine folder is a Scripts subfolder that holds two folders, Startup and Shutdown; these contain the scripts that run when the computer starts up or shuts down.

Special Note – Group Policy Files and Folders. Some of these files and folders are created only when Group Policy settings have been applied.


How Group Policy Works. The majority of the Group Policy settings are in the Administrative Templates extension of the Group Policy snap-in.

As noted elsewhere, the content of the Administrative Templates folders is derived from the *.adm files in the Group Policy object. When you configure a policy in the Administrative Templates folder (that is, you select either Enabled or Disabled and, optionally, set a value), Group Policy stores that information as a custom registry setting in one of the two Registry.pol files.

As you’d expect, Group Policy uses the copy of Registry.pol in %SystemRoot%\System32\GroupPolicy\Machine for settings you make in the Computer Configuration\Administrative Templates folder in Group Policy and uses the copy in User for settings you make in User Configuration\Administrative Templates.

Computer-related Group Policy settings—those stored in Machine\Registry.pol—are copied to the appropriate registry keys in the HKLM hive when the operating system initialises and during the periodic refresh. User-related settings (in User\Registry.pol) are copied to the appropriate keys in HKCU when a user logs on and during the periodic refresh.

Special Note – Group Policy Settings. Group Policy settings—either local or Active Directory–based—take precedence over user settings (that is, settings that you make through Control Panel and other methods available to ordinary users).

This is because Group Policy settings are not written to the "normal" registry key for a particular setting; instead, they’re written to a value in a "policies" key.

For example, if you use the Taskbar and Start Menu Properties dialogue box to disable personalized menus, the data in the Intellimenus value in the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced key changes. But if you use Group Policy, the Intellimenus value in the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer key changes instead.

In cases of conflicts, the value under the Policies key overrules the other.
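As an added example (not code from the original document or from Microsoft), the following Python builds and parses a Registry.pol file in the documented PReg layout, copies its records into a dictionary standing in for the HKCU hive, and then resolves the Intellimenus setting so that the value under the Policies key wins, as described above. The policy data and the hive contents are constructed sample values.

```python
import struct

REG_DWORD = 4
POLICIES_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
NORMAL_EXPLORER = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def _u16(text):
    # Keys, value names and the [ ; ] delimiters are all UTF-16LE in Registry.pol.
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value_name, reg_type, data_bytes) tuples into the
    Registry.pol layout: 'PReg' signature, version 1, then one
    [key;value;type;size;data] record per entry."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, name, reg_type, data in entries:
        out += _u16("[") + _u16(key) + b"\x00\x00"
        out += _u16(";") + _u16(name) + b"\x00\x00"
        out += _u16(";") + struct.pack("<I", reg_type)
        out += _u16(";") + struct.pack("<I", len(data))
        out += _u16(";") + data + _u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Parse a Registry.pol blob into (key, value_name, reg_type, data) tuples.
    Raises ValueError on a bad header or a truncated record."""
    if blob[:4] != b"PReg" or struct.unpack_from("<I", blob, 4)[0] != 1:
        raise ValueError("not a version-1 Registry.pol file")

    def expect(pos, ch):
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError("expected %r at offset %d" % (ch, pos))
        return pos + 2

    def read_str(pos):
        # UTF-16LE string ended by a two-byte NUL on a two-byte boundary
        end = pos
        while end + 2 <= len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        if end + 2 > len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_str(pos)
        pos = expect(pos, ";")
        name, pos = read_str(pos)
        pos = expect(pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data at offset %d" % pos)
        pos = expect(pos + size, "]")
        entries.append((key, name, reg_type, data))
    return entries


def apply_pol_to_hive(hive, entries):
    """Mimic the refresh step: copy each Registry.pol record into a dict that
    stands in for the HKCU hive, under the key the record names."""
    for key, name, reg_type, data in entries:
        if reg_type == REG_DWORD:
            value = struct.unpack("<I", data)[0]
        else:
            value = data.decode("utf-16-le").rstrip("\x00")
        hive.setdefault(key, {})[name] = value
    return hive


def effective_explorer_setting(hive, name):
    """Resolve a setting the way the text describes: a value under the Policies
    key overrules the user's own value under the normal key."""
    policy = hive.get(POLICIES_EXPLORER, {})
    if name in policy:
        return policy[name], "policy"
    return hive.get(NORMAL_EXPLORER, {}).get(name), "user"


if __name__ == "__main__":
    # Constructed sample: the user set Intellimenus=1 through the Properties
    # dialogue, while a policy writes Intellimenus=0 into User\Registry.pol
    # (what each number means is defined by System.adm, not by this code).
    hive = {NORMAL_EXPLORER: {"Intellimenus": 1}}
    blob = build_registry_pol(
        [(POLICIES_EXPLORER, "Intellimenus", REG_DWORD, struct.pack("<I", 0))])
    apply_pol_to_hive(hive, parse_registry_pol(blob))
    print(effective_explorer_setting(hive, "Intellimenus"))
```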

The periodic refresh mentioned above occurs at intervals that can be defined as a Group Policy setting.

By default, the Registry.pol files are copied to the registry every 90 minutes plus a random offset of 0 to 30 minutes. This random offset is intended for Active Directory–based policies on a large network (such as the LBB CDN), where it is not advisable to have all the refresh activity occurring simultaneously.

By enabling and modifying the Group Policy Refresh Interval For Computers setting in Computer Configuration\Administrative Templates\System\Group Policy and the Group Policy Refresh Interval For Users setting in User Configuration\Administrative Templates\System\Group Policy, you can change the interval and the random offset. You can set the interval to any value from 0 minutes (in which case settings are refreshed every 7 seconds) through 64,800 minutes (45 days).

To refresh Group Policy settings immediately, type gpupdate at a command prompt.

To display a list of optional switches for Gpupdate.exe, type gpupdate /?.


How Local Group Policy Settings Interact with Active Directory–Based Group Policy Settings. If your computer is joined to a domain, it might be affected by Group Policy settings other than those you set in the local Group Policy object. Group Policy settings are applied in this order:

1. Settings from the local Group Policy object

2. Settings from site Group Policy objects, in administratively specified order

3. Settings from domain Group Policy objects, in administratively specified order

4. Settings from organizational unit Group Policy objects, from largest to smallest organizational unit (parent to child organizational unit), and in administratively specified order at the level of each organizational unit

Policies applied later overwrite previously applied policies, which means that in a case of conflicting settings, the highest-level Active Directory–based policy settings take precedence. The policy settings are cumulative, so all settings contribute to the effective policy. The effective policy is called the Resultant Set of Policy (RSoP).
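An added example, not part of the original document, that applies Group Policy objects in the order listed above (local, site, domain, then OUs from parent to child) and reports the resultant set with the GPO that supplied each setting; a Not Configured entry leaves the earlier value in effect, which is what makes the result cumulative. The GPO names, OU names and policy states are constructed.

```python
NOT_CONFIGURED = "Not Configured"


def application_order(local, site_gpos, domain_gpos, ou_chain):
    """Return GPOs as (level, name, settings) in application order.
    local: (name, settings); site_gpos / domain_gpos: [(name, settings)] in the
    administratively specified order; ou_chain: [(ou_name, [(name, settings)])]
    from the largest (parent) OU down to the smallest (child) OU."""
    ordered = [("local", local[0], local[1])]
    ordered += [("site", n, s) for n, s in site_gpos]
    ordered += [("domain", n, s) for n, s in domain_gpos]
    for ou_name, gpos in ou_chain:
        ordered += [("ou:" + ou_name, n, s) for n, s in gpos]
    return ordered


def resultant_set_of_policy(ordered):
    """Later GPOs overwrite earlier ones; settings left Not Configured do not
    overwrite, so the result accumulates across the whole chain."""
    rsop = {}
    for level, name, settings in ordered:
        for policy, state in settings.items():
            if state == NOT_CONFIGURED:
                continue  # an earlier GPO's value (if any) stays in effect
            rsop[policy] = {"state": state, "winning_gpo": name, "level": level}
    return rsop


def conflicts(ordered):
    """Policies configured by more than one GPO, listed in application order,
    so the last GPO named for each policy is the one whose setting won."""
    seen = {}
    for level, name, settings in ordered:
        for policy, state in settings.items():
            if state != NOT_CONFIGURED:
                seen.setdefault(policy, []).append(name)
    return {p: gpos for p, gpos in seen.items() if len(gpos) > 1}


if __name__ == "__main__":
    # Constructed chain: the local GPO enables "Disable Active Desktop", the
    # site GPO leaves it alone, the domain GPO sets it to Disabled (which wins),
    # and a child OU adds a Control Panel restriction nothing else touches.
    order = application_order(
        local=("Local Computer Policy", {"Disable Active Desktop": "Enabled"}),
        site_gpos=[("Wembley Site", {"Disable Active Desktop": NOT_CONFIGURED})],
        domain_gpos=[("Default Domain Policy",
                      {"Disable Active Desktop": "Disabled"})],
        ou_chain=[("Workstations", []),
                  ("Workstations/Finance",
                   [("Finance Lockdown",
                     {"Prohibit access to Control Panel": "Enabled"})])],
    )
    for policy, result in resultant_set_of_policy(order).items():
        print(policy, "->", result)
    print("conflicts:", conflicts(order))
```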

To see which settings are in effect for a particular user, you can use a command-line tool (GpResult.exe). To display RSoP for yourself, simply type gpresult at a command prompt. Type gpresult /? for information about other options.

The Help And Support Center also includes a tool that shows effective Group Policy settings for the current user. To use that tool, open Help And Support Center…


On the home page, click on “Use Tools to view your computer information and diagnose problems”.

Select “Advanced System Information” from the scrolling list at the left hand side of the window.

Then select “View Group Policy Settings Applied” from the list on the right hand side of the window.

The Group Policy tool then shows which settings are in effect—something which is not readily apparent in a domain environment.


Types of Settings. The Computer Configuration branch of Group Policy includes a variety of computer-related settings, and the User Configuration branch includes a variety of user-related settings. The line between computer settings and user settings is often blurred, however. Because local Group Policy settings apply to all users, the best method for discovering the policies required is to examine each one. The Administrative Templates folders list more than 240 computer settings and more than 440 user settings, which at first appears daunting—however, it is possible to rapidly scan the available policies in each folder, many of which can be ignored.

To learn more about each policy, simply select it, as shown below. If you have selected the Extended tab at the bottom of the window, a description of the selected policy appears in the centre pane.

Some settings appear in both User Configuration and Computer Configuration. In a case of conflicting settings, the Computer Configuration setting always takes precedence.

You can speed up the application of Group Policy settings by disabling those you don’t use. To see at a glance which types of policies are in use, right-click Local Computer Policy (at the top of the console tree) and choose Properties.

In the dialogue box that appears, the Revisions line under Summary shows the number of Computer Configuration and User Configuration settings in use. If either value is 0 (or if you want to disable Group Policy settings for some other reason), select the appropriate check box under Disable.


Making Settings. Each policy in the Administrative Templates folders of Group Policy has one of three settings: Not Configured, Enabled, or Disabled. By default, all policies in the local Group Policy object are initially set to Not Configured (the policies in the Windows Settings folders do not have a Not Configured option and therefore have other default settings).

To change a setting, simply double-click the name of the policy you want to change or click the Properties link that appears in the centre pane of the Extended tab.

The properties dialogue box then appears. The dialogue box for each policy under Administrative Templates looks much like the one illustrated.

The Setting tab includes the three options—Not Configured, Enabled, and Disabled—and a large area where policy-specific settings may be set.

Controls in this centre area appear dimmed and are unavailable unless you select the Enabled option. Many simple policies—as illustrated—leave this area blank because the policy needs no further setting.

The Explain tab provides detailed information about the policy (the same information that appears in the centre pane of the Extended tab); see also the Microsoft Windows XP Professional Resource Kit Documentation (Microsoft Press, 2001) for further information on policy settings. Both tabs include Previous Setting and Next Setting buttons, which make it convenient to go through an entire folder without opening and closing the properties dialogue box for each policy individually.

Special Note – Policy Names can be Confusing. Pay close attention to the name of each policy, because the settings can be “counterintuitive”. A number of policies begin with the word disable (e.g., Disable Active Desktop in User Configuration\Administrative Templates\Desktop\Active Desktop). For those policies, if you want to allow the specified option, you must select the Disabled setting. (In other words, you must disable the disabling policy.) Conversely, if you want to prohibit the option, you must select Enabled.


Making Different Settings for Different Users. Centrally managed Group Policy settings—that is, those that are stored in Active Directory in Windows .NET Server or Windows 2000 Server—can be applied to individual users, computers, or groups of either. You can have multiple sets of Active Directory–based Group Policy objects, allowing you to create an entirely different collection of settings for different users, groups or computers.

Such is not the case with local Group Policy. Local Group Policy settings apply to all users who log on to the computer.

If the computer is joined to a domain, however, the local settings might be overridden by Active Directory–based settings. For details, see "How Local Group Policy Settings Interact with Active Directory–Based Group Policy Settings."

You can’t have multiple sets of local Group Policy objects. Although you can’t have customised settings for each of several different groups, you can effectively have two groups of users: those who are affected by local Group Policy settings and those who are not.

This duality affects only the User Configuration settings; Computer Configuration settings are applied before anyone logs on.

This can happen because local Group Policy depends on users having Read access to the local Group Policy object, which is stored in the %SystemRoot%\System32\GroupPolicy folder. Policies are not applied to users who do not have Read access; therefore, by denying Read access to administrators or others whom you don’t want to restrict, you free those users from control by group policies.

To use this method, follow these steps:

1. Make the Group Policy setting changes that are required.

2. In Windows Explorer, right-click the %SystemRoot%\System32\GroupPolicy folder and choose Properties. (GroupPolicy is a hidden folder; if you can’t find it in System32, choose Tools, Folder Options, View, Show Hidden Files And Folders.)

3. On the Security tab of the GroupPolicy Properties dialogue box, select the Administrators group and select the Deny check box for the Read permission. (If you want to exclude any other users or groups from Group Policy control, add them to the Group Or User Names list and then deny their Read permission.)

Special Note – Denying Read Permission for Group Policy. You must deny the Read permission rather than simply clear the Allow check box. Otherwise, all users would continue to inherit Read permission because of their automatic membership in the Authenticated Users group.

At your next logon using one of the Read-disabled user accounts, you’ll find that you’re no longer encumbered by Group Policy settings. Without Read permission, however, you’ll find that you’re also unable to run Group Policy—so you can’t view or modify Group Policy settings.

To regain that power, you need to revisit the Group Policy Properties dialogue box and grant Administrators Full Control permission.


Keep in mind that, even without the aforementioned security amendments, the default security settings effectively produce two groups of users. Although the local Group Policy settings apply to all users who have Read access to the local Group Policy object, only members of the local Administrators group can view or change these settings.

Setting User Rights. A user right is authorisation to perform an operation that affects an entire computer. A permission, by contrast, is authorisation to perform an operation on a specific object—such as a file or a printer—on a computer.

For each user right, you can specify which user accounts and groups have the user right. To review or set user rights, in Group Policy (GpEdit.msc) navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. Then double-click a user right to view or change the list of users and groups, as illustrated.

Special Note – Local Security Settings Console. The Local Security Settings console provides a shorter path to User Rights Assignment, so it’s useful when you’re not setting other policies, such as the ones in the Administrative Templates folders. To open Local Security Settings, double-click Local Security Policy in the Administrative Tools folder or type secpol.msc at a command prompt.


Ten of the user rights—Access This Computer From The Network, Allow Logon Through Terminal Services, Log On As A Batch Job, Log On As A Service, Log On Locally, and their corresponding "Deny" user rights—are known more precisely as logon rights.

They control how users are allowed to access the computer—whether from the keyboard ("locally") or through a network connection, or whether as a service or as a batch facility (such as Task Scheduler). You can use these logon rights (in particular, Log On Locally and Deny Logon Locally) to control who can log on to a given computer.

By default, Log On Locally is granted to the local Guest account and members of the Administrators, Backup Operators, Power Users, and Users groups. If you want to prevent certain users from logging on at the keyboard (but still allow them to connect via the network, for example), create a group, add those user accounts to it, and then assign the Deny Logon Locally user right to the new group.

Like deny permissions, deny logon rights take precedence over allow logon rights, so if a user is a member of a group that is allowed to log on (such as Power Users) and a group that is not (such as the one described in the previous sentence), the user will not be allowed to log on. Such users see an error message after they type their user name and password in the Log On To Windows dialogue box.
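An added example, not part of the original document and not Windows’ own access-check code, modelling the deny-beats-allow rule the text relies on twice: once for the Read permission on the %SystemRoot%\System32\GroupPolicy folder (where clearing the Administrators Allow box changes nothing because Read is still inherited through Authenticated Users, so only an explicit Deny works) and once for logon rights (where Deny Logon Locally overrides membership of Power Users). Account names and the group NoConsoleLogon are constructed; the default Log On Locally holders are those stated above.

```python
# Every logged-on account is implicitly a member of these groups, which is why
# unticking Allow for Administrators still leaves Read via Authenticated Users.
IMPLICIT_GROUPS = frozenset({"Everyone", "Authenticated Users"})


def is_granted(principal, explicit_groups, allow, deny):
    """principal: account name; explicit_groups: its direct group memberships.
    allow / deny: accounts or groups named in Allow / Deny entries.
    Any matching Deny entry wins; otherwise any matching Allow entry grants."""
    identities = {principal} | set(explicit_groups) | IMPLICIT_GROUPS
    if identities & set(deny):
        return False
    return bool(identities & set(allow))


def can_read_local_gpo(principal, groups, administrators_read="allowed"):
    """Read on the local GPO folder. Default ACL per the text: Authenticated
    Users have Read, Administrators have Full Control. administrators_read is
    'allowed' (default), 'cleared' (Allow box unticked) or 'denied' (Deny ticked).
    An account for which this returns False is not subject to local Group Policy,
    but it also cannot run GpEdit.msc until Full Control is granted again."""
    allow = {"Authenticated Users", "Administrators"}
    deny = set()
    if administrators_read == "cleared":
        allow.discard("Administrators")
    elif administrators_read == "denied":
        deny.add("Administrators")
    return is_granted(principal, groups, allow, deny)


# Default holders of the Log On Locally right on Windows XP Professional.
DEFAULT_LOG_ON_LOCALLY = frozenset(
    {"Guest", "Administrators", "Backup Operators", "Power Users", "Users"})


def can_log_on_locally(principal, groups, deny_logon_locally=frozenset()):
    """Deny Logon Locally wins over any Allow, so a member of Power Users who is
    also in a group given Deny Logon Locally is refused at the logon box."""
    return is_granted(principal, groups, DEFAULT_LOG_ON_LOCALLY,
                      deny_logon_locally)


if __name__ == "__main__":
    # Constructed accounts; NoConsoleLogon is the constructed deny group.
    print(can_read_local_gpo("alice", {"Administrators"}, "cleared"))  # True
    print(can_read_local_gpo("alice", {"Administrators"}, "denied"))   # False
    print(can_log_on_locally("bob", {"Power Users", "NoConsoleLogon"},
                             {"NoConsoleLogon"}))                      # False
```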

The Microsoft Windows XP Professional Resource Kit Documentation contains a description of each user right.

See “Appendix A” for a table listing the default rights assigned to the built-in user groups for Windows XP Professional.


Appendices.

Appendix A: The default rights of built-in user groups in Windows XP Professional.


Appendix A: Table listing the default rights of built-in user groups in Windows XP Professional.

Group / Default rights

Administrators: Access this computer from the network; Adjust memory quotas for a process; Allow logon through Terminal Services; Back up files and directories; Bypass traverse checking; Change the system time; Create a page file; Debug programs; Force shutdown from a remote system; Increase quotas; Increase scheduling priority; Load and unload device drivers; Log on locally; Manage auditing and security log; Modify firmware environment values; Perform volume maintenance tasks; Profile single process; Profile system performance; Remove computer from docking station; Restore files and directories; Shut down the system; Take ownership of files or other objects.

Backup Operators: Access this computer from the network; Back up files and directories; Bypass traverse checking; Log on locally; Restore files and directories; Shut down the system.

Everyone: Access this computer from the network; Bypass traverse checking.

Guest (account): Deny logon locally; Deny access to this computer from the network*; Log on locally.

Power Users: Access this computer from the network; Bypass traverse checking; Change the system time; Log on locally; Profile single process; Remove computer from docking station; Shut down the system.

Remote Desktop Users: Allow logon through Terminal Services.

Users: Access this computer from the network; Bypass traverse checking; Log on locally; Remove computer from docking station; Shut down the system.

(Not assigned to any group): Act as part of the operating system; Add workstations to domain; Create a token object; Create permanent shared objects; Deny logon as a batch job; Deny logon as a service; Deny logon through Terminal Services; Enable computer and user accounts to be trusted for delegation; Generate security audits; Lock pages in memory; Log on as a batch job; Log on as a service; Replace a process-level token; Synchronize directory service data.

* The Guest account is removed from the list of accounts with the Deny Access To This Computer From The Network right when you enable network file sharing.


Notes.


Author:

Paul Godden – I.T. Unit (Operations), Elizabeth House, 341-345 High Road, Wembley, Middlesex HA9 6AQ. Tel: 020 8937 6000. Fax: 020 8937 6073.
