Category: Group Policy

Latest Microsoft Group Policy Templates
article #1183, updated 4 days ago

It is often helpful to update the Group Policy templates for a domain. The most current set can be found quite easily via a Google search:

https://www.google.com/search?q=Administrative+Templates+%28.admx%29+for+Windows+10&ie=utf-8&oe=utf-8&client=firefox-b-1-ab

They install as an MSI which does nothing but dump them into a folder here:

 C:\Program Files (x86)\Microsoft Group Policy

Once the MSI has been installed, the remaining steps are manual. The best way to approach this is probably in an administrative CMD.

First, look in here:

%WINDIR%\PolicyDefinitions

We will be wiping everything there. If there are many files with numbers at the end of their names, you probably have Microsoft Office templates as well as Windows templates, and you will have to replace them too. There are other templates which could be involved, so be warned and be ready.

For now, we are going to write as if you have just Microsoft default templates there. Wipe them all. Then replace them with all of the .ADMX files in the dump folder, plus just the language folder appropriate for you. The dump folder will have all of the language folders; you want just yours.

The second destination folder is:

%WINDIR%\SYSVOL\sysvol\<domain>\Policies

where <domain> is the name of the Windows domain. Do not delete everything here; if you do, you will do harm to your GPO system. Do, however, remove all of the .ADMX files and the language folder(s) here, and replace them as above.
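
The replacement steps above as a PowerShell function. This is an added example, not part of the original article; the function name, its parameters, the backup location and the `en-US` default are assumptions. It removes only `.admx` files and language-named folders, so everything else in the destination stays in place.

```powershell
# Added example: the function name, parameters and backup location are assumptions.
function Update-PolicyDefinitions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,       # PolicyDefinitions folder inside the MSI dump folder
        [Parameter(Mandatory)][string]$Destination,  # folder whose templates are being replaced
        [string]$Language = 'en-US',                 # the one language folder to carry over (assumed default)
        [string]$BackupRoot = "$env:SystemDrive\PolicyDefinitions-Backup"
    )
    $ErrorActionPreference = 'Stop'   # abort on the first failure, e.g. access denied

    # Refuse to touch the destination unless the source looks complete.
    $admx = @(Get-ChildItem -LiteralPath $Source -Filter *.admx -File)
    $srcLang = Join-Path $Source $Language
    if ($admx.Count -eq 0) { throw "No .admx files in $Source" }
    if (-not (Test-Path -LiteralPath $srcLang -PathType Container)) {
        throw "No $Language folder in $Source"
    }
    # Each .admx needs a matching .adml in the language folder to display properly.
    $orphans = @($admx | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $srcLang ($_.BaseName + '.adml')))
    })
    if ($orphans.Count) { Write-Warning "No $Language .adml for: $($orphans.Name -join ', ')" }

    # Select only .admx files and language-named folders (en-US, de-DE, ...).
    # GPO folders named by GUID under the SYSVOL path never match and are left alone.
    $old = @(Get-ChildItem -LiteralPath $Destination | Where-Object {
        if ($_.PSIsContainer) { $_.Name -match '^[a-z]{2,3}-[a-z]{2,4}$' }
        else { $_.Extension -eq '.admx' }
    })

    if ($PSCmdlet.ShouldProcess($Destination, "replace $($old.Count) items with $($admx.Count) templates")) {
        $backup = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
        New-Item -ItemType Directory -Path $backup -Force | Out-Null
        $old | Copy-Item -Destination $backup -Recurse    # keep a copy before removing anything
        $old | Remove-Item -Recurse -Force
        $admx | Copy-Item -Destination $Destination
        Copy-Item -LiteralPath $srcLang -Destination $Destination -Recurse
        $backup   # return the backup path so the change can be rolled back
    }
}

# Preview first with -WhatIf; <release folder> and <domain> are placeholders.
# $src = 'C:\Program Files (x86)\Microsoft Group Policy\<release folder>\PolicyDefinitions'
# Update-PolicyDefinitions -Source $src -Destination "$env:WINDIR\PolicyDefinitions" -WhatIf
# Update-PolicyDefinitions -Source $src -Destination "$env:WINDIR\SYSVOL\sysvol\<domain>\Policies"
```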


==============

Group Policy: Machine Inactivity Limit (Lock Screen Force) in Security Settings
article #1298, updated 26 days ago

There is a setting in Windows Group Policy which will force lockscreen / locked screensaver after a machine considers itself inactive for a specified amount of time:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit

This overrides all other related (e.g. screen saver) settings and PC-local settings. It’s located here in group policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

and while creating/linking group policy on a server:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options


==============

Tools to Update and Repair Group Policy
article #1297, updated 27 days ago

Have not tested these at all yet. But am rather glad someone has started working on them.

Repair / Restore Default Group Policy

Upgrade Group Policy

Fix Corrupt Local Group Policy


==============

Disable Microsoft compatibility telemetry by Group Policy
article #1248, updated 229 days ago

Local group policy has this here in Windows 10:

Computer Configuration, Administrative Templates, Windows Components, Data Collection and Preview Builds

We may disable “Allow Telemetry” and enable “Do not show feedback notifications” for excellent effect.

Domain group policy will have the above only if it has been upgraded (or installed) with the appropriate very recent version of Group Policy templates.


==============

Block Removable Devices by Group Policy
article #1247, updated 229 days ago

It’s very possible, per user or per computer:

www.mustbegeek.com/block-usb-or-removable-devices-using-group-policy/

It’s done in Policies, Administrative Templates, System, Removable Storage Access. There are quite a few granular settings available.


==============

"Launch folder windows in a separate process", by Group Policy
article #1246, updated 230 days ago

User Configuration, Preferences (not Policies!), Control Panel Settings, Folder Options. Create a new item. Choose “Launch folder windows in a separate process”.


==============

Get rid of the new Windows-controlled default printer setup
article #1225, updated 305 days ago

Windows 10 has some sort of automatic thing built in which pretends to read our minds and decide for us which of our printers should be the default at any time. Needless to say, this makes no sense at all, and causes lots of user frustration. To turn this off with Group Policy, browse to:

User Configuration -> Administrative Templates -> Control Panel -> Printers

and set “Turn off Windows default printer management” to Enabled.


==============

Set Loopback Mode for a Windows Group Policy
article #1224, updated 307 days ago

Normally, if a GPO is linked to an OU containing only computers, the user portion does not run. Loopback Mode makes it run. In GPMC, look here:

Computer Configuration, Policies, Administrative Templates, System, Group Policy, “Configure user Group Policy loopback processing mode”


==============

Usernames within Windows Group Policy setups
article #1220, updated 312 days ago

There is a strong tendency to want to use %username% as a macro in GPOs, to get the user’s name in. However, this doesn’t work in GPO. One has to use %LogonUser%. To get the whole list of macros, press F3 while the cursor is in the GPO setup field.


==============

Group Policy Improvement, Part I: General
article #1148, updated 343 days ago

First in a series on improving Windows Group Policy. This applies to the whole Group Policy milieu on a network, all domain controllers.

  • Even if there is only one domain controller, change the replication interval from 180 minutes to 15 minutes. This is set in the properties of the site links, in Active Directory Sites and Services, under Inter-Site Transport, under IP. If you have more than one site link enabled, do it for all. Obviously you should moderate carefully if you are using SMTP or have bandwidth issues.

  • Set services fdPHost and FDResPub as startup Automatic, from Manual.
  • Add Subnet(s) to each Site in Active Directory Sites and Services. Then show subnets in the Group Policy Management Console, and map group policies there. Even if there is only one Site, this can help a lot.

Part II, Destrangulation, is here.
