Some Notes on the Machines

Go here in GPO:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

and set:

Interactive logon: Machine inactivity limit

Enforce a zero to make sure it never happens.

When we install new group policy templates from Microsoft, e.g., the Windows 10 set by which we may upgrade existing networks, they now come in the newer ADMX format. Do this on every domain controller:

1. The package is downloaded as a self-installing EXE which requires you to specify a folder. Do not try to manually unpack this, for some reason the contents are in small pieces which the installer assembles. Just run the EXE and give a useful path, e.g., C:\IT.
2. Open an administrative CMD, and CD to the extraction point. Then CD into the folder “admx”, one level down.
3. Run the following. If your language is not en-us, replace it in the last two lines. If your servers have multiple languages, you’ll need to replicate lines with multiple language specifications.

xcopy *.admx \\%userdnsdomain%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions /Y /I
xcopy *.admx %SystemRoot%\PolicyDefinitions /Y /I
xcopy en-US\*.adml \\%userdnsdomain%\sysvol\%userdnsdomain%\Policies\PolicyDefinitions\en-us /Y /I
xcopy en-US\*.adml %SystemRoot%\PolicyDefinitions\en-us /Y /I

Another very common set needing this install, is the Office Administrative Templates.

Multiple versions of Office templates coexist nicely. But the same cannot be said for Windows OS templates. It appears that when a complete refresh of OS templates is required, good results obtain by removing all of the OS templates and then installing new.

If you see GPO policies get implemented and re-implemented even though the settings have been removed, or if it just doesn’t happen, try the following in administrative Powershell. These clear the GPO cache on the machine you’re looking at.

Remove-Item "$env:windir\system32\GroupPolicy" -Force -Recurse
Remove-Item "HKLM:\Software\Policies\Microsoft" -Force -Recurse
Remove-Item "HKCU:\Software\Policies\Microsoft" -Force -Recurse
Remove-Item "HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects" -Force -Recurse
Remove-Item "HKCU:\\Software\Microsoft\Windows\CurrentVersion\Policies" -Force -Recurse

Here’s a very nice article.

It is often helpful to update the Group Policy templates for a domain. The most current set can be found quite easily via a Google search:

https://www.google.com/search?q=Administrative+Templates+%28.admx%29+for+Windows+10&ie=utf-8&oe=utf-8&client=firefox-b-1-ab

They install as an MSI which does nothing but dump them into a folder here:

 C:\Program Files (x86)\Microsoft Group Policy

Once you have the above done, we have manual steps. The best way to approach this is probably in an administrative CMD.

First, look in here:

%WINDIR%\PolicyDefinitions

We will be wiping everything there. If there are many files with numbers at the end of their names, you probably have Microsoft Office templates as well as Windows templates, and you will have to replace them too. There are other templates which could be involved, so be warned and be ready.

For now, we are going to write as if you have just Microsoft default templates there. Wipe them all. Then replace them with all of the .ADMX files in the dump folder, plus just the language folder appropriate for you. The dump folder will have all of the language folders, you want just yours.

The second destination folder is:

\\<localdomain>\SYSVOL\<localdomain>\policies\PolicyDefinitions

where is the name of the Windows domain. If the folder does not exist, create it, this is creation of your Central Store. If the folder does exist, replace them as above.

If your Active Directory dates back to Server 2003, you may have “Internet Explorer Maintenance” items in GPO. These are obsolete IE control specifications which can not be edited on newer servers. To delete these items:

support.microsoft.com/en-us/help/2722241/policy-reporting-tools-indicate-empty-internet-explorer-maintenance-po

There is a setting in Windows Group Policy which will force lockscreen / locked screensaver after a machine considers itself inactive for a specified amount of time:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit

This overrides all other related (e.g. screen saver) settings and PC-local settings. It’s located here in group policy:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

and while creating/linking group policy on a server:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options

Have not tested these at all yet. But am rather glad someone has started working on them.

Repair / Restore Default Group Policy

Upgrade Group Policy

Fix Corrupt Local Group Policy

It’s very possible, per user or per computer:

www.mustbegeek.com/block-usb-or-removable-devices-using-group-policy/

It’s done in Policies, Administrative Templates, System, Removable Storage Access. There are quite a few granulations available.

User Configuration, Preferences (not Policies!), Control Panel Settings, Folder Options. Create a new item. Choose “Launch folder windows in a separate process”.