Microsoft Windows XP Professional: Administrator's Pocket Consultant

Overview

Again, at 384, Microsoft(R) Windows(R) XP Professional Administrator's Pocket Consultant is not something an administrator can fit in his/her pocket. This book has been criticized for being too basic. Our book will cover the top tasks an administrator performs on a daily basis.

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
Whether you're upgrading your entire enterprise or simply buying new PCs on an ad hoc basis, Windows XP Professional is coming into your enterprise. If you're responsible for supporting or administering it, this handy pocket guide offers you more useful answers per ounce than any other book we've seen. It's especially strong on XP's new administrative features, and those really important tasks (like setting up desktop VPN connections) that you won't do often enough to memorize on your own.

The book's organized into four sections: essentials, core administration, networking, and optimization/recovery. In 350 pages, it manages to be remarkably complete. Want to use Windows XP's new Remote Assistance feature to resolve users' problems without leaving your computer? Prohibit users from setting up Internet Connection Sharing on your DNS domain? Set a new home page for all your users at once? Place custom content on each user's desktop? Use System Restore across a network? Lock the taskbar, so it can't be moved or lost? William B. Stanek walks you through all these tasks, and more.

We could go on. Setting disk quotas. Managing security zones. Using notebook power schemes. Rolling back troublesome driver versions. Checking the status of a LAN connection. Configuring the synchronization of offline files. If you need to do it as a manager or support professional, there's no faster way to find out how. (Bill Camarda)

Bill Camarda is a consultant, writer, and web/multimedia content developer with nearly 20 years' experience in helping technology companies deploy and market advanced software, computing, and networking products and services. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.

Product Details

  • ISBN-13: 9780735613812
  • Publisher: Microsoft Press
  • Publication date: 9/26/2001
  • Series: IT Professional Series
  • Edition description: Older Edition
  • Pages: 353
  • Product dimensions: 5.37 (w) x 7.72 (h) x 1.03 (d)

Meet the Author

William R. Stanek is an award-winning author who's written more than 100 books, including Windows Server 2012 Inside Out, Windows 8 Administration Pocket Consultant, and Microsoft SQL Server 2012 Pocket Consultant. He is the series editor for the Pocket Consultant line of books.

Read an Excerpt

Chapter 8: Configuring User and Computer Policies


  • Group Policy Essentials
    • Understanding Policy Application
    • Accessing and Using Local Group Policies
    • Accessing and Using Site, Domain, and Unit Policies
    • Using the Group Policy Console
  • Configuring Policies
    • Viewing Policies and Templates
    • Enabling, Disabling, and Configuring Policies
    • Adding or Removing Templates
  • Working with File and Data Management Policies
    • Configuring Disk Quota Policies
    • Configuring System Restore Policies
    • Configuring Offline File Policies
  • Working with Access and Connectivity Policies
    • Configuring Network Policies
    • Configuring Remote Assistance Policies
  • Working with Computer and User Script Policies
    • Controlling Script Behavior Through Policy
    • Assigning Computer Startup and Shutdown Scripts
    • Assigning User Logon and Logoff Scripts
  • Working with Logon and Startup Policies
    • Hiding the Welcome Screen
    • Using Classic Logon vs. Simple Logon
    • Setting Policy-Based Startup Programs
    • Disabling Run Lists Through Policy

Chapter 8   Configuring User and Computer Policies

Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. You can think of a group policy as a set of rules that helps you manage users and computers. Group policies can be applied to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory service.

In this chapter, you’ll learn how to manage group policy settings. The chapter examines policies that you might want to configure in the domain and on local computers. These policies are organized by topic area, such as file and data management. Group policies apply only to systems running Microsoft Windows 2000 and Microsoft Windows XP. (In this book, "Windows XP" refers to Windows XP Professional unless otherwise indicated.) They will also apply to systems running the Windows .NET operating system.

Group Policy Essentials

Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.

Understanding Policy Application

During logon, policies are applied in an exact sequence, which is often important in troubleshooting system behavior.

When multiple policies are in place, they are applied in the following order:

  1. Microsoft Windows NT 4 policies (NTCONFIG.POL)
  2. Local group policies
  3. Site group policies
  4. Domain group policies
  5. Organizational unit (OU) group policies
  6. Child OU group policies

If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that allow administrators to block, override, and disable policies.

The events that take place during startup and logon are as follows:

  1. The network starts and then Windows XP applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
  2. Windows XP runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn’t displayed to the user unless specified.
  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows XP loads the user profile.
  4. Windows XP applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
  5. Windows XP runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.
  6. Windows XP displays the start shell interface configured in Group Policy.

Accessing and Using Local Group Policies

Each computer running Windows XP has one local group policy stored in its %SystemRoot%\System32\GroupPolicy folder. You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.
  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
  3. In MMC, click File, and then click Add/Remove Snap-in. This opens the Add/Remove Snap-In dialog box.
  4. Click the Stand-Alone tab, and then click Add.
  5. In the Add Snap-In dialog box, select Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.
  6. Select Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.
  7. Click Finish, and then click Close.
  8. Click OK. You can now manage the local policy on the selected computer. For more details, see the section of the chapter entitled "Configuring Policies."

Accessing and Using Site, Domain, and Unit Policies

Each site, domain, and OU can have one or more group policies. Group policies higher in the Group Policy list have a higher precedence than policies lower in the list. Group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and OUs. Site, domain, and OU group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder you’ll find one subfolder for each policy you’ve defined on the domain controller. You shouldn’t edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use site, domain, and OU policies by completing the following steps:

  1. For sites, open the Active Directory Sites and Services console and start the Group Policy snap-in.
  2. For domains and OUs, open the Active Directory Users and Computers console and start the Group Policy snap-in.
  3. In the left pane, right-click the site, domain, or OU for which you want to create or manage a group policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.
  4. In the Properties dialog box, click the Group Policy tab. To create a new policy or edit an existing policy, click New. Then you can configure the new policy.
  5. To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the section of this chapter entitled "Configuring Policies."
  6. To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.

Using the Group Policy Console

Once you’ve selected a policy for editing or created a new policy, you use the Group Policy console to work with group policies. As Figure 8-1 shows, the Group Policy console has two main nodes:

  • Computer Configuration  Allows you to set policies that should be applied to computers, regardless of who logs on
  • User Configuration  Allows you to set policies that should be applied to users, regardless of which computer they log on to

NOTE: Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers the user might use, you must use domain, site, or OU group policies.

Figure 8-1. Group Policy options depend on the type of policy you’re creating and the add-ons installed. (Image Unavailable)

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you’re creating. You’ll usually find that both nodes have subnodes for the following:

  • Software Settings  Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.
  • Windows Settings  Sets policies for folder redirection, scripts, and security.
  • Administrative Templates  Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.

Configuring Policies

When you want to manage users and computers, you’ll want to configure the administrative template policies. These policies provide easy access to registry-based policy settings that control the operating system, Windows components, and programs.

Viewing Policies and Templates

As shown in Figure 8-2, you can view the currently configured templates in the Group Policy console’s Administrative Templates node, which contains policies that can be configured for local systems, OUs, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can add additional templates containing new policies manually in the Group Policy console and when you install new Windows components.

Figure 8-2. User and computer policies are set through administrative templates. (Image Unavailable)

Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE and user configurations are saved in HKEY_CURRENT_USER. The best way to get to know what administrative template policies are available is to browse the Administrative Templates node in the Group Policy console. As you browse the templates, you’ll find that policies are in one of three states:

  • Not Configured  The policy isn’t used and no settings for it are saved in the registry.
  • Enabled  The policy is actively being enforced and its settings are saved in the registry.
  • Disabled  The policy is turned off and isn’t enforced unless overridden. This setting is saved in the registry.

Enabling, Disabling, and Configuring Policies

In the Group Policy console, you’ll find administrative templates in two nodes: Computer Configuration and User Configuration. In most cases, the policies in these areas don’t overlap or cause conflict. If there is a conflict, however, computer policies have precedence, which means that the computer policy is the one that is enforced. You’ll find details on commonly used policies and how you can employ them later in this chapter.
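The application order listed earlier, the three policy states, and the computer-over-user rule can be modelled to find which policy object actually decides a setting and which earlier settings it overwrote. This is an added example, not code from the book: the GPO names, the `link_pos` field and "Sample Dual-Scope Policy" are constructed, and the block, override and disable exceptions the chapter mentions are not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"


# Application order given in the chapter; a later layer overwrites an earlier one.
LAYER_ORDER = ("nt4", "local", "site", "domain", "ou", "child_ou")


@dataclass(frozen=True)
class Setting:
    layer: str      # one of LAYER_ORDER
    link_pos: int   # position in that container's Group Policy list, 1 = top
    gpo: str        # policy object name (constructed sample names)
    scope: str      # "computer" or "user"
    policy: str
    state: State


def apply_order(settings):
    """Sort settings into the order in which they are applied.

    Layers follow LAYER_ORDER. Inside one layer, the policy highest in the
    list has the highest precedence, so it is applied last.
    """
    return sorted(settings, key=lambda s: (LAYER_ORDER.index(s.layer), -s.link_pos))


def resolve_scope(settings, scope):
    """Return {policy: {"winner": Setting, "overwritten": [Setting, ...]}}."""
    result = {}
    for s in apply_order(settings):
        if s.scope != scope or s.state is State.NOT_CONFIGURED:
            continue  # Not Configured saves nothing, so it cannot overwrite
        entry = result.setdefault(s.policy, {"winner": None, "overwritten": []})
        if entry["winner"] is not None:
            entry["overwritten"].append(entry["winner"])
        entry["winner"] = s
    return result


def effective_policy(settings):
    """Merge both scopes; if a policy is set in both, the computer policy wins."""
    computer = resolve_scope(settings, "computer")
    user = resolve_scope(settings, "user")
    merged = {}
    for policy in sorted(set(computer) | set(user)):
        chosen = computer.get(policy) or user[policy]
        lost = list(chosen["overwritten"])
        if policy in computer and policy in user:
            lost += user[policy]["overwritten"] + [user[policy]["winner"]]
        win = chosen["winner"]
        merged[policy] = {
            "state": win.state, "gpo": win.gpo, "layer": win.layer,
            "scope": win.scope, "overwritten": [s.gpo for s in lost],
        }
    return merged


def drift(expected, settings):
    """Return (policy, expected, effective, deciding_gpo) where they differ."""
    eff = effective_policy(settings)
    findings = []
    for policy, want in expected.items():
        got = eff.get(policy)
        state = got["state"] if got else State.NOT_CONFIGURED
        if state != want:
            findings.append((policy, want, state, got["gpo"] if got else None))
    return findings


E, D, N = State.ENABLED, State.DISABLED, State.NOT_CONFIGURED
# Constructed sample: a domain baseline that later layers partly undo.
SAMPLE = [
    Setting("local", 1, "Local Policy", "computer", "Enable Disk Quotas", D),
    Setting("domain", 1, "Domain Baseline", "computer", "Enable Disk Quotas", E),
    Setting("ou", 2, "File Servers Legacy", "computer", "Enable Disk Quotas", D),
    Setting("ou", 1, "File Servers", "computer", "Enable Disk Quotas", N),
    Setting("domain", 1, "Domain Baseline", "computer", "Enforce Disk Quota Limit", E),
    Setting("child_ou", 1, "Lab Exceptions", "computer", "Enforce Disk Quota Limit", D),
    Setting("domain", 1, "Domain Baseline", "computer", "Sample Dual-Scope Policy", E),
    Setting("ou", 1, "Staff Desktop", "user", "Sample Dual-Scope Policy", D),
]
BASELINE = {p: E for p in ("Enable Disk Quotas", "Enforce Disk Quota Limit",
                           "Sample Dual-Scope Policy")}

if __name__ == "__main__":
    for policy, info in effective_policy(SAMPLE).items():
        print(f"{policy}: {info['state'].value} from {info['gpo']} "
              f"({info['layer']}, {info['scope']}); overwrote {info['overwritten']}")
    for finding in drift(BASELINE, SAMPLE):
        print("DRIFT:", finding)
```

In the sample, the Not Configured policy at the top of the OU list does not restore the domain baseline, so the lower-listed OU policy is what leaves disk quotas disabled.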

You can enable, disable, and configure policies by completing the following steps:

  1. Access the Group Policy console for the resource you want to work with. Then in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set, access the Administrative Templates folder.
  2. In the left pane, click the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.
  3. Double-click or right-click a policy and select Properties to display its related Properties dialog box.
  4. Click the Explain tab to see a description of the policy. A description is only available if one is defined in the related .adm file.
  5. To set the policy’s state, click the Policy tab and then use the following buttons to change the state of the policy:
    • Not Configured  The policy is not configured.
    • Enabled  The policy is enabled.
    • Disabled  The policy is disabled.
  6. If you enabled the policy, set any additional parameters specified in the Policy tab, and then click Apply.
  7. Use the Previous Policy and Next Policy buttons to manage other policies in the current folder. Then configure them in the same way.
  8. Click OK when you’re finished managing policies.

Adding or Removing Templates

You can add or remove template folders in the Group Policy console. To do this, complete the following steps:

  1. Access the Group Policy console for the site, domain, or OU you want to work with.
  2. In the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove, right-click the Administrative Templates folder. This displays the Add/Remove Templates dialog box shown in Figure 8-3.

Figure 8-3. Use the Add/Remove Templates dialog box to add more templates or remove existing ones. (Image Unavailable)

  3. To add new templates, click Add. Then, in the Policy Templates dialog box, select the template you want to add and click Open.
  4. To remove an existing template, select the template to remove, and then click Remove.
  5. When you’re finished adding and removing templates, click Close.

Working with File and Data Management Policies

Every system administrator should be familiar with file and data management policies, which affect the amount of data a user can store on systems, how offline files are used, and whether the System Restore feature is enabled.

Configuring Disk Quota Policies

Policies that control disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. The available policies are summarized in Table 8-1.

Table 8-1.   Disk Quota Policies

| Policy Name | Description |
| --- | --- |
| Enable Disk Quotas | Turns disk quotas on or off for all NT file system (NTFS) volumes of the computer and prevents users from changing the setting. |
| Enforce Disk Quota Limit | Specifies whether quota limits are enforced. If quotas are enforced, users are denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume. |
| Default Quota Limit And Warning Level | Sets a default quota limit and warning level for all users. This setting overrides other settings and only affects new users. |
| Log Event When Quota Limit Exceeded | Determines whether an event is logged when users reach their limit and prevents users from changing their logging options. |
| Log Event When Quota Warning Level Exceeded | Determines whether an event is logged when users reach the warning level. |
| Apply Policy To Removable Media | Determines whether quota policies apply to NTFS volumes on removable media. If you do not enable this policy, quota limits only apply to fixed media drives. |

Whenever you work with quota limits, you’ll want to use a standard set of policies on all systems. Typically, you won’t want to enable all of the policies. Instead, selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:

  1. Access Group Policy for the system you want to work with, such as a file server. Next, access the Disk Quotas node through Computer Configuration\Administrative Templates\System\Disk Quotas.
  2. Double-click Enable Disk Quotas. In the Setting tab, select Enabled and then click Next Setting. This displays the Enforce Disk Quota Limit Properties dialog box.
  3. If you want to enforce disk quotas on all NTFS volumes residing on this computer, select Enabled. Otherwise, select Disabled and then set specific limits on a per-volume basis as discussed in Chapter 9, "Configuring Folder Options, Offline Files, and Quotas."
  4. Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box shown in Figure 8-4. Select Enabled....

Table of Contents

Acknowledgments
Introduction
Pt. I Microsoft Windows XP Professional Essentials
1 Introduction to Microsoft Windows XP Professional Administration
2 Configuring the Environment
3 Configuring Hardware Devices and Drivers
4 Customizing Menus, the Windows Taskbar, and Toolbars
5 Optimizing the Desktop and Screen Appearance
Pt. II Microsoft Windows XP Professional Core Administration
6 Managing User Access and Global Settings
7 Managing Laptops and Traveling Users
8 Configuring User and Computer Policies
9 Configuring Folder Options, Offline Files, and Quotas
Pt. III Microsoft Windows XP Professional Networking
10 Managing Internet Options
11 Configuring TCP/IP Networking, Security, and Authentication
12 Managing Mobile Networking and Remote Access
Pt. IV Microsoft Windows XP Professional Optimization and Recovery
13 Optimizing Microsoft Windows XP Professional
14 Troubleshooting Microsoft Windows XP Professional
Index
Read More Show Less

First Chapter

Chapter 8.
Configuring User and Computer Policies
  • Group Policy Essentials
    • Understanding Policy Application
    • Accessing and Using Local Group Policies
    • Accessing and Using Site, Domain, and Unit Policies
    • Using the Group Policy Console
  • Configuring Policies
    • Viewing Policies and Templates
    • Enabling, Disabling, and Configuring Policies
    • Adding or Removing Templates
  • Working with File and Data Management Policies
    • Configuring Disk Quota Policies
    • Configuring System Restore Policies
    • Configuring Offline File Policies
  • Working with Access and Connectivity Policies
    • Configuring Network Policies
    • Configuring Remote Assistance Policies
  • Working with Computer and User Script Policies
    • Controlling Script Behavior Through Policy
    • Assigning Computer Startup and Shutdown Scripts
    • Assigning User Logon and Logoff Scripts
  • Working with Logon and Startup Policies
    • Hiding the Welcome Screen
    • Using Classic Logon vs. Simple Logon
    • Setting Policy-Based Startup Programs
    • Disabling Run Lists Through Policy

Chapter 8   Configuring User and Computer Policies

Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. You can think of a group policy as a set of rules that helps you manage users and computers. Group policies can be applied to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory service.

In this chapter, you'll learn how to manage group policy settings. The chapter examines policies that you might want to configure in the domain and on local computers. These policies are organized by topic area, such as file and data management. Group policies apply only to systems running Microsoft Windows 2000 and Microsoft Windows XP. (In this book, "Windows XP" refers to Windows XP Professional unless otherwise indicated.) They will also apply to systems running the Windows .NET operating system.

Group Policy Essentials

Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.

Understanding Policy Application

During logon, policies are applied in an exact sequence, which is often important in troubleshooting system behavior.

When multiple policies are in place, they are applied in the following order:

  1. Microsoft Windows NT 4 policies (NTCONFIG.POL)
  2. Local group policies
  3. Site group policies
  4. Domain group policies
  5. Organizational unit (OU) group policies
  6. Child OU group policies

If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that allow administrators to block, overview, and disable policies.

The events that take place during startup and logon are as follows:

  1. The network starts and then Windows XP applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
  2. Windows XP runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn't displayed to the user unless specified.
  3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows XP loads the user profile.
  4. Windows XP applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
  5. Windows XP runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn't displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.
  6. Windows XP displays the start shell interface configured in Group Policy.

Accessing and Using Local Group Policies

Each computer running Windows XP has one local group policy stored in its %SystemRoot%\System32\GroupPolicy folder. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use local policies on a computer by completing the following steps:

  1. Open the Run dialog box by clicking Start and then clicking Run.
  2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
  3. In MMC, click File, and then click Add/Remove Snap-in. This opens the Add/Remove Snap-In dialog box.
  4. Click the Stand-Alone tab, and then click Add.
  5. In the Add Snap-In dialog box, select Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.
  6. Select Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.
  7. Click Finish, and then click Close.
  8. Click OK. You can now manage the local policy on the selected computer. For more details, see the section of the chapter entitled "Configuring Policies."

Accessing and Using Site, Domain, and Unit Policies

Each site, domain, and OU can have one or more group policies. Group policies higher in the Group Policy list have a higher precedence than policies lower in the list. Group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and OUs. Site, domain, and OU group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder you'll find one subfolder for each policy you've defined on the domain controller. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use site, domain, and OU policies by completing the following steps:

  1. For sites, open the Active Directory Sites and Services console and start the Group Policy snap-in.
  2. For domains and OUs, open the Active Directory Users and Computers console and start the Group Policy snap-in.
  3. In the left pane, right-click the site, domain, or OU for which you want to create or manage a group policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.
  4. In the Properties dialog box, click the Group Policy tab. To create a new policy or edit an existing policy, click New. Then you can configure the new policy.
  5. To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the section of this chapter entitled "Configuring Policies."
  6. To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.

Using the Group Policy Console

Once you've selected a policy for editing or created a new policy, you use the Group Policy console to work with group policies. As Figure 8-1 shows, the Group Policy console has two main nodes:

  • Computer Configuration  Allows you to set policies that should be applied to computers, regardless of who logs on
  • User Configuration  Allows you to set policies that should be applied to users, regardless of which computer they log on to

  • NOTE:
    Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers the user might use, you must use domain, site, or OU group policies.

Figure 8-1. Group Policy options depend on the type of policy you're creating and the add-ons installed. (Image Unavailable)

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you're creating. You'll usually find that both nodes have subnodes for the following:

  • Software Settings  Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.
  • Windows Settings  Sets policies for folder redirection, scripts, and security.
  • Administrative Templates  Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.

Configuring Policies

When you want to manage users and computers, you'll want to configure the administrative template policies. These policies provide easy access to registry-based policy settings that control the operating system, Windows components, and programs.

Viewing Policies and Templates

As shown in Figure 8-2, you can view the currently configured templates in the Group Policy console's Administrative Templates node, which contains policies that can be configured for local systems, OUs, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can add additional templates containing new policies manually in the Group Policy console and when you install new Windows components.

Figure 8-2. User and computer policies are set through administrative templates. (Image Unavailable)

Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE and user configurations are saved in HKEY_CURRENT_USER. The best way to get to know what administrative template policies are available is to browse the Administrative Templates node in the Group Policy console. As you browse the templates, you'll find that policies are in one of three states:

  • Not Configured  The policy isn't used and no settings for it are saved in the registry.
  • Enabled  The policy is actively being enforced and its settings are saved in the registry.
  • Disabled  The policy is turned off and isn't enforced unless overridden. This setting is saved in the registry.
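
The three states above correspond to what Group Policy records in the policy's Registry.pol file before the settings reach HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER: a Not Configured policy has no entry, while an Enabled or Disabled policy has either a stored value or a "**del." deletion marker. The following Python parser is an added example, not code from the book; the sample file is constructed inline, the two Remote Assistance value names are supplied here rather than taken from this chapter, and the ExampleVendor key is a placeholder.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # signature followed by format version 1
REG_SZ, REG_DWORD = 1, 4                       # registry value types used in the sample


def u16(text):
    """Registry.pol stores its delimiters and strings as UTF-16LE."""
    return text.encode("utf-16-le")


def build_pol(entries):
    """Serialize (key, value, type, data) tuples; used only to construct the sample."""
    body = b""
    for key, value, reg_type, data in entries:
        body += (u16("[" + key + "\0;" + value + "\0;") + struct.pack("<I", reg_type)
                 + u16(";") + struct.pack("<I", len(data)) + u16(";") + data + u16("]"))
    return PREG_HEADER + body


def expect(buf, pos, char):
    """Check that the 2-byte delimiter char sits at pos; return the next offset."""
    if buf[pos:pos + 2] != u16(char):
        raise ValueError(f"expected {char!r} at offset {pos}")
    return pos + 2


def read_string(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while buf[end:end + 2] != b"\0\0":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2


def read_dword(buf, pos):
    """Read a little-endian 32-bit integer starting at pos."""
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4


def parse_pol(buf):
    """Return (key, value_name, reg_type, data_bytes) tuples from Registry.pol bytes."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("not a version 1 Registry.pol file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = expect(buf, pos, "[")
        key, pos = read_string(buf, pos)
        pos = expect(buf, pos, ";")
        name, pos = read_string(buf, pos)
        pos = expect(buf, pos, ";")
        reg_type, pos = read_dword(buf, pos)
        pos = expect(buf, pos, ";")
        size, pos = read_dword(buf, pos)
        pos = expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError("data length runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = expect(buf, pos, "]")
        entries.append((key, name, reg_type, data))
    return entries


def describe(entry):
    """Turn one raw entry into (key, value_name, action, decoded_value)."""
    key, name, reg_type, data = entry
    if name.lower().startswith("**del."):
        # Deletion marker: the named value is removed when the policy is applied.
        return key, name[6:], "delete", None
    if reg_type == REG_DWORD and len(data) == 4:
        return key, name, "set", struct.unpack("<I", data)[0]
    if reg_type == REG_SZ:
        return key, name, "set", data.decode("utf-16-le").rstrip("\0")
    return key, name, "set", data          # other types are left as raw bytes


def audit(buf):
    """Parse a Registry.pol image and describe every entry in file order."""
    return [describe(entry) for entry in parse_pol(buf)]


# Constructed sample, not taken from a real system.
RA_KEY = r"Software\Policies\Microsoft\Windows NT\Terminal Services"
EX_KEY = r"Software\Policies\ExampleVendor\ExampleApp"    # placeholder key
SAMPLE = build_pol([
    (RA_KEY, "fAllowToGetHelp", REG_DWORD, struct.pack("<I", 1)),    # policy enabled
    (RA_KEY, "fAllowUnsolicited", REG_DWORD, struct.pack("<I", 0)),  # policy disabled
    (EX_KEY, "ExampleList", REG_SZ, u16("*.tmp;*.lnk\0")),
    (EX_KEY, "**del.ExampleSetting", REG_SZ, u16(" \0")),            # disabled via deletion
])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```
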

Enabling, Disabling, and Configuring Policies

In the Group Policy console, you'll find administrative templates in two nodes: Computer Configuration and User Configuration. In most cases, the policies in these areas don't overlap or cause conflict. If there is a conflict, however, computer policies have precedence, which means that the computer policy is the one that is enforced. You'll find details on commonly used policies and how you can employ them later in this chapter.

You can enable, disable, and configure policies by completing the following steps:

  1. Access the Group Policy console for the resource you want to work with. Then in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set, access the Administrative Templates folder.
  2. In the left pane, click the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.
  3. Double-click or right-click a policy and select Properties to display its related Properties dialog box.
  4. Click the Explain tab to see a description of the policy. A description is only available if one is defined in the related .adm file.
  5. To set the policy's state, click the Policy tab and then use the following buttons to change the state of the policy:
    • Not Configured  The policy is not configured.
    • Enabled  The policy is enabled.
    • Disabled  The policy is disabled.
  6. If you enabled the policy, set any additional parameters specified in the Policy tab, and then click Apply.
  7. Use the Previous Policy and Next Policy buttons to manage other policies in the current folder. Then configure them in the same way.
  8. Click OK when you're finished managing policies.

Adding or Removing Templates

You can add or remove template folders in the Group Policy console. To do this, complete the following steps:

  1. Access the Group Policy console for the site, domain, or OU you want to work with.
  2. In the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove, right-click the Administrative Templates folder. This displays the Add/Remove Templates dialog box shown in Figure 8-3.
  Figure 8-3. Use the Add/Remove Templates dialog box to add more templates or remove existing ones. (Image Unavailable)

  3. To add new templates, click Add. Then, in the Policy Templates dialog box, select the template you want to add and click Open.
  4. To remove an existing template, select the template to remove, and then click Remove.
  5. When you're finished adding and removing templates, click Close.

Working with File and Data Management Policies

Every system administrator should be familiar with file and data management policies, which affect the amount of data a user can store on systems, how offline files are used, and whether the System Restore feature is enabled.

Configuring Disk Quota Policies

Policies that control disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. The available policies are summarized in Table 8-1.

Table 8-1.   Disk Quota Policies

Policy Name | Description
Enable Disk Quotas | Turns disk quotas on or off for all NT file system (NTFS) volumes of the computer and prevents users from changing the setting.
Enforce Disk Quota Limit | Specifies whether quota limits are enforced. If quotas are enforced, users are denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume.
Default Quota Limit And Warning Level | Sets a default quota limit and warning level for all users. This setting overrides other settings and only affects new users.
Log Event When Quota Limit Exceeded | Determines whether an event is logged when users reach their limit and prevents users from changing their logging options.
Log Event When Quota Warning Level Exceeded | Determines whether an event is logged when users reach the warning level.
Apply Policy To Removable Media | Determines whether quota policies apply to NTFS volumes on removable media. If you do not enable this policy, quota limits only apply to fixed media drives.

Whenever you work with quota limits, you'll want to use a standard set of policies on all systems. Typically, you won't want to enable all of the policies. Instead, selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:

  1. Access Group Policy for the system you want to work with, such as a file server. Next, access the Disk Quotas node through Computer Configuration\Administrative Templates\System\Disk Quotas.
  2. Double-click Enable Disk Quotas. In the Setting tab, select Enabled and then click Next Setting. This displays the Enforce Disk Quota Limit Properties dialog box.
  3. If you want to enforce disk quotas on all NTFS volumes residing on this computer, select Enabled. Otherwise, select Disabled and then set specific limits on a per-volume basis as discussed in Chapter 9, "Configuring Folder Options, Offline Files, and Quotas."
  4. Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box shown in Figure 8-4. Select Enabled.
  Figure 8-4. Use the Default Quota Limit And Warning Level Properties dialog box to enforce disk quotas. (Image Unavailable)

  5. Under Default Quota Limit, set a default limit that is applied to users when they first write to the quota-enabled volume. The limit does not apply to current users and doesn't affect current limits. On a corporate share, such as a share used by all members of a team, a good limit is between 500 and 1000 MB. Of course, this depends on the size of the data files the users routinely work with. Graphic designers and data engineers, for example, might need much more disk space.
  6. If you scroll down in the subwindow provided in the Setting tab, you'll be able to set a warning limit as well. A good warning limit is about 90 percent of the default quota limit, meaning if you set the default quota limit to 1000 MB, you'd set the warning limit to 900 MB.
  7. Click Next Setting. This displays the Log Event When Quota Limit Exceeded Properties dialog box. Select Enabled so that limit events are recorded in the application log.
  8. Click Next Setting. This displays the Log Event When Quota Warning Exceeded Properties dialog box. Select Enabled so that warning events are recorded in the application log.
  9. Click Next Setting. This displays the Apply Policy To Removable Media Properties dialog box. Select Disabled so that the quota limits only apply to fixed media volumes on the computer.
  10. Click OK.

  TIP:
    To ensure that the policies are enforced immediately, access the Computer Configuration\Administrative Templates\System\Group Policy node and then double-click Disk Quota Policy Processing. Next, select Enabled and then select Process Even If The Group Policy Objects Have Not Changed. Click OK.

Configuring System Restore Policies

System Restore is designed to save the state of system volumes and enable users to restore a system in the event of a problem. It is a helpful feature for the average user, but it can use a tremendous amount of disk space. As you learned in Chapter 2, "Configuring the Environment," you can turn System Restore off for individual drives or for all drives on a computer.

In the Group Policy console, you'll find the System Restore policies under Computer Configuration\Administrative Templates\System\System Restore. Through System Restore policies, you can override and disable management of this feature. The following policies are available:

  • Turn Off System Restore  If you enable this policy, System Restore is turned off and can't be managed using the System utility or the System Restore Wizard. If you disable this policy, System Restore is enforced and cannot be turned off.
  • Turn Off Configuration  If you enable this policy, you prevent configuration of the System Restore feature. Users can't access the Settings dialog box but can still turn off System Restore. If you disable this policy, users can access the Settings dialog box but can't manipulate it, and they can still turn off System Restore.

To configure system restore policies, follow these steps:

  1. Access Group Policy for the system you want to work with. Next, access the System Restore node by expanding Computer Configuration\Administrative Templates\System\System Restore.
  2. To enable or disable System Restore, double-click Turn Off System Restore. In the Setting tab, select either Enabled or Disabled as appropriate. Click OK.
  3. To enable or disable configuration of System Restore, double-click Turn Off Configuration. In the Setting tab, select either Enabled or Disabled as appropriate. Click OK.

Configuring Offline File Policies

Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.

The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

Table 8-2.   Offline File Policies

Policy Type | Policy Name | Description
Computer | Allow Or Disallow Use Of The Offline Files Feature | Forces enabling or disabling of the Offline Files feature and prevents overriding by users. In this way, you can administratively control Offline File settings for a system.
Computer\User | Prohibit User Configuration Of Offline Files | Prevents users from enabling, disabling, and configuring Offline Files. This locks down the default settings for Offline Files.
Computer\User | Synchronize All Offline Files When Logging On | Forces full synchronization when users log on and prevents them from changing synchronization timing.
Computer\User | Synchronize All Offline Files Before Logging Off | Forces full synchronization before users log off and prevents them from changing synchronization timing.
Computer\User | Synchronize Offline Files Before Suspend | Forces synchronization before a computer goes into standby or hibernate mode. You can specify quick or full synchronization.
Computer | Default Cache Size | Limits size of automatically cached offline files and prevents users from changing related options. If you enable this option you can set a cache size. If you disable this option the limit is 10 percent of drive space.
Computer\User | Action On Server Disconnect | Specifies how the system responds when a server becomes unavailable. The Work Offline action ensures offline files are available.
Computer\User | Remove "Make Available Offline" | Prevents users from making files available offline.
Computer\User | Prevent Use Of Offline Files Folder | Prevents users from accessing the Offline Files folder. Users can't view or open copies of cached files, but they can work offline.
Computer | Files Not Cached | Lists types of files that cannot be used offline by file extension.
Computer\User | Administratively Assigned Offline Files | Specifies files and folders that are always available offline by Universal Naming Convention (UNC) path.
Computer | At Logoff, Delete Local Copy Of User's Offline Files | Cleans up the offline file cache on the local computer at logoff.
Computer\User | Event Logging Level | Ensures offline file events are logged in the application log.
Computer | Subfolders Always Available Offline | Makes subfolders available offline when a parent folder is available offline.
Computer | Encrypt The Offline Files Cache | Determines whether offline files are encrypted to improve security.
Computer\User | Prohibit "Make Available Offline" For These Files And Folders | Prohibits users from making specific files and folders available offline. Enter UNC paths to resources.

Setting Offline File Configuration Policies

Offline file configuration can be easily controlled through policy. You can allow users to specify which files and folders should be available offline, prevent them from configuring offline file features on their own, and allow them to work offline but not access other cached resources. Follow these steps to set offline file configuration policies:

  1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
  2. To control the availability of offline files, double-click Allow Or Disallow Use Of The Offline Files Feature. In the Setting tab select either Enabled or Disabled as appropriate. Click OK. Users are now able to select specific files and folders that they want to have available when working offline. To prevent this and assign specific offline files folders, you'll need to prohibit this feature and administratively assign offline files.
  3. To prevent users from changing offline file configuration settings, double-click Prohibit User Configuration Of Offline Files. In the Setting tab, select Enabled. Once this policy is set, users can't configure offline file options.
  4. To prevent users from accessing the offline files folder but still allow them to work offline, double-click Prevent Use Of Offline Files Folder. In the Setting tab, select Enabled. Once you select this option, users cannot view or open copies of cached files. They can, however, save current work and continue to use active files when offline.

Administratively Controlling Offline Files and Subfolders

You can administratively control which files and folders are available for offline use. Typically, you'll want to do this on file servers or other systems sharing resources on the network. You can use several different techniques to administratively control which resources are available offline.

You can prevent users from making files available offline and assign specific offline resources by following these steps:

  1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
  2. To prevent users from making files available offline, double-click Remove "Make Available Offline." In the Setting tab, select Enabled. Click OK. Once this policy is enforced, users are unable to specify files that should be used offline.
  3. To assign resources that are available offline automatically, double-click Administratively Assigned Offline Files. In the Setting tab, select Enabled. Next click Show, and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data. Figure 8-5 shows a list of resources that have been added to the Show Contents list.
  Figure 8-5. Use the Show Contents dialog box to specify resources according to their UNC path. (Image Unavailable)


    CAUTION:
    You should carefully consider which resources are available offline automatically. The more resources you assign through this technique, the more network traffic is generated to maintain offline file caches. You can slow down an entire network by assigning too many resources to be available automatically.

You can make specific files automatically available and prevent others from being used offline by following these steps:

  1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
  2. To assign resources that are available offline automatically, double-click Administratively Assigned Offline Files. In the Setting tab, select Enabled. Next click Show, and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data.
  3. To specify resources that users shouldn't be able to make available offline, double-click Prohibit "Make Available Offline" For These Files And Folders. In the Setting tab, select Enabled. Next click Show, and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data. This setting doesn't prevent automatic caching of resources assigned through step 2.
  4. Click OK until all open dialog boxes are closed.

Setting Offline File Synchronization Policies

Offline file synchronization is normally controlled using the Synchronization Manager. However, you can set specific synchronization timing and techniques through policies. Normally resources are either fully synchronized, meaning that all files are checked to ensure they are complete and current, or quickly synchronized, meaning files are checked to ensure they are current, but file contents are not examined for completeness.

Several events can trigger synchronization automatically, such as logon, logoff, standby, and hibernate. Again, the Synchronization Manager normally determines which events are used. Using policies you can override this behavior. In most circumstances, you'll want to synchronize files only when a user logs on. The advantage to synchronizing when users log on is that they'll always have the freshest copies of files. The disadvantage is that the logon process may take longer. The notable exception for synchronizing at logon is for laptop users. Here, you may want to synchronize at logoff to ensure that users have the freshest copy of files when they go home and use their laptop offline.

To configure synchronization policies, follow these steps:

  1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
  2. The policies that control synchronization are Synchronize All Offline Files When Logging On, Synchronize All Offline Files Before Logging Off, and Synchronize Offline Files Before Suspend. Double-click the policy related to the synchronization technique that you want to use for this computer. In the Setting tab, select Enabled.
  3. Click OK.

Setting Offline File Cache Policies

Careful configuration of the offline file cache is essential to managing the system and network overhead generated by offline file usage. You can specify a maximum file cache size, whether the cache is encrypted for security, and which file types should never be cached. To configure policies for the offline file cache, follow these steps:

  1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
  2. To set the maximum cache size, double-click Default Cache Size. In the Setting tab, select Enabled. Afterward, use the Default Cache Size Properties box, shown in Figure 8-6, to set the default cache size. The value entered is percentage of disk space used times 10,000, meaning that if you enter 15,000 the cache can use up to 15 percent of the free space on the system drive.
  Figure 8-6. Set a default cache size for offline files in the Default Cache Size Properties dialog box. (Image Unavailable)

    NOTE:
    If you don't configure the Default Cache Size policy or disable it, the cache size limit is 10 percent of the free space on the system drive.

  3. To specify file types that are not cached, double-click Files Not Cached and then select Enabled. Next, in the Extensions field, enter a semicolon-separated list of file extensions to exclude. Each extension must be preceded by an asterisk and a period. Following this format, you could enter *.wbk; *.tmp; *.lnk; *.ndx to block caching of many temporary types of files.
  4. To encrypt the cache, double-click Encrypt The Offline Files Cache and then select Enabled. Once enforced, all existing and new files in the cache are encrypted and users cannot unencrypt the offline files.

Working with Access and Connectivity Policies

Access and connectivity policies control network connections, dial-up connections, and Remote Assistance configurations. These policies affect a system's connectivity to the network and connectivity to the system.

Configuring Network Policies

Many network policies are available. Network policies that control Internet Connection Sharing, Personal Firewall, and Network Bridge are configured at the computer level. Network policies that control local area network (LAN) connections, Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, and remote access are configured at the user level. The primary policies that you'll want to use are summarized in Table 8-3. You'll find Network policies under Computer Configuration\Administrative Templates\Network\Network Connections and User Configuration\Administrative Templates\Network\Network Connections.

Table 8-3.   Network Policies

Policy Type | Policy Name | Description
Computer | Prohibit Use Of Internet Connection Sharing On Your DNS Domain Network | Determines whether administrators can enable and configure connection sharing. This policy only applies to the domain in which it is assigned.
Computer | Prohibit Use Of Internet Connection Firewall On Your DNS Domain Network | Determines whether users can enable the personal firewall. This policy only applies to the domain in which it is assigned.
Computer | Prohibit Installation And Configuration Of Network Bridge On Your DNS Domain Network | Determines whether users can install and configure network bridges. This policy only applies to the domain in which it is assigned.
User | Prohibit Access To Properties Of Components Of A Remote Access Connection | Determines whether users can access and change properties of remote access connections.
User | Prohibit TCP/IP Advanced Configuration | Determines whether users can access advanced TCP/IP settings.
User | Prohibit Access To Properties Of A LAN Connection | Determines whether users can change the properties of LAN connections.
User | Ability To Change Properties Of An All User Remote Access Connection | Determines whether users can access connection available to all users of the computer.
User | Prohibit Deletion Of Remote Access Connections | Determines whether users can delete remote access connections.
User | Ability To Delete All User Remote Access Connections | Determines whether users can delete remote access connections available to all users of the computer.
User | Ability To Enable/Disable A LAN Connection | Determines whether users can enable or disable LAN connections.

As shown in the table, network policies for computers are designed to restrict actions on the organization's network. When you enforce these restrictions, users are prohibited from using features such as Internet Connection Sharing in the applicable domain. This is designed to protect the integrity of corporate networks but it doesn't prevent users with laptops, for example, from taking their computers home and using these features on their own networks. To enable or disable these restrictions, follow these steps:

  1. Access Group Policy for the resource you want to work with. Next, access the Network Connections node by expanding Computer Configuration\Administrative Templates\Network\Network Connections.
  2. Double-click the policy that you want to configure. In the Setting tab, select Enabled or Disabled as appropriate. Click OK.

User policies for network connections usually prevent access to certain configuration features, such as the advanced TCP/IP property settings. To configure these policies, follow these steps:

  1. Access Group Policy for the resource you want to work with. Next, access User Configuration\Administrative Templates\Network\Network Connections.
  2. Double-click the policy that you want to configure. In the Setting tab, select Enabled or Disabled as appropriate. Click OK.

Configuring Remote Assistance Policies

Remote Assistance policies can be used to prevent or permit use of remote assistance on computers. Typically, when you set Remote Assistance policies, you'll want to prevent unsolicited offers for remote assistance while allowing requested offers. You can also force a specific expiration time limit for invitations through policy rather than setting this through the System utility. To configure policy in this manner, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.
  2. Double-click Solicited Remote Assistance. In the Setting tab, select Enabled. When enabled, this policy allows authorized users to respond to remote assistance invitations.
  3. In the properties area, you can now specify the level of access for assistants. The Permit Remote Control Of This Computer selection list has two options:
    • Allow Helpers To Remote Control This Computer Permits viewing and remote control of the computer.
    • Allow Helpers To Only View This Computer Permits only viewing; assistants cannot take control to make changes.
  4. Next, as shown in Figure 8-7, use the Maximum Ticket Time (Value) and Maximum Ticket Time (Units) fields to set the maximum time limit for remote assistance invitations. The default maximum time limit is 30 days.
  Figure 8-7. Set a time expiration limit for Remote Assistance invitations. (Image Unavailable)

  5. Click Next Setting. In the Offer Remote Assistance Properties dialog box, select Disabled. Disabling this policy prevents unsolicited assistance offers.
  6. Click OK.

To prevent remote assistance and remote control of computers entirely, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.
  2. Double-click Solicited Remote Assistance. In the Setting tab, select Disabled and then click Next Setting.
  3. In the Permit Unsolicited Offers Of Remote Assistance Properties dialog box, select Disabled and then click Next Setting.
  4. In the Offer Remote Assistance dialog box, select Disabled and then click OK.

Working with Computer and User Script Policies

Script policies control the behavior and assignment of computer and user scripts. Four types of scripts can be configured:

  • Computer startup  Executed during startup
  • Computer shutdown  Executed prior to shutdown
  • User logon  Executed when a user logs on
  • User logoff  Executed when a user logs off

You can write these scripts as command-shell batch or Windows scripts. Batch scripts use the shell command language. Windows scripts use Windows Script Host (WSH) and are written in a scripting language, such as VBScript or JScript.

Controlling Script Behavior Through Policy

Through policy you can control the behavior of startup, shutdown, logon, and logoff scripts. The key policies that you'll use are described in Table 8-4. As you'll see, there are quite a few options for configuring script behavior.

Table 8-4.   Computer and User Script Policies

Policy Type | Policy Name | Description
Computer/User | Run Logon Scripts Synchronously | Ensures the system waits for logon scripts to finish before displaying the Windows interface.
Computer | Run Startup Scripts Asynchronously | Allows the system to run startup scripts simultaneously rather than one at a time.
Computer | Run Startup Scripts Visible | Displays startup scripts and their instructions as they execute.
Computer | Run Shutdown Scripts Visible | Displays shutdown scripts and their instructions as they execute.
Computer | Maximum Wait Time For Group Policy Scripts | Sets the maximum time to wait for scripts to finish running. The default value is 600 seconds (10 minutes).
User | Run Legacy Logon Scripts Hidden | Hides logon scripts configured through System Policy Editor in Windows NT 4.
User | Run Logon Scripts Visible | Displays logon scripts and their instructions as they execute.
User | Run Logoff Scripts Visible | Displays logoff scripts and their instructions as they execute.

Although there are many ways to control script behavior and many different combinations, you'll usually want scripts to behave as follows:

  • Logon and startup scripts should run simultaneously (in most cases).
  • All scripts should be hidden rather than visible.
  • The system should wait no more than one minute for a script to complete (in most cases).

To enforce this behavior, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Scripts.
  2. Double-click Run Logon Scripts Synchronously. In the Setting tab, select Disabled and then click Next Setting.
  3. In the Run Startup Scripts Asynchronously Properties dialog box, select Enabled and then click Next Setting.
  4. In the Run Startup Scripts Visible Properties dialog box, select Disabled and then click Next Setting.
  5. In the Run Shutdown Scripts Visible Properties dialog box, select Disabled and then click Next Setting.
  6. In the Maximum Wait Time For Group Policy Scripts Properties dialog box, select Enabled and then enter the wait time in the Seconds field, as shown in Figure 8-8. You should use a value between 60 and 120, with a preference for 60 seconds. Click OK.
  Figure 8-8. Set the maximum wait time for scripts. (Image Unavailable)

  7. Access User Configuration\Administrative Templates\System\Scripts.
  8. Double-click Run Legacy Logon Scripts Hidden. In the Setting tab, select Enabled and then click Next Setting.
  9. In the Run Logon Scripts Visible Properties dialog box, select Disabled and then click Next Setting.
  10. In the Run Logoff Scripts Visible Properties dialog box, select Disabled and then click OK to complete the configuration process for scripts.

Assigning Computer Startup and Shutdown Scripts

Computer startup and shutdown scripts can be assigned as part of a group policy. In this way, a computer and all its users or all computers that are members of the site, domain, or OU execute scripts automatically when they're booted or shut down.

To assign computer scripts, follow these steps:

  1. For easy management, copy the scripts you want to use to the Scripts\Startup or Scripts\Shutdown folder for the related policy. Computer policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers and %WinDir%\System32\GroupPolicy\Machine on Windows XP workstations.
  2. Access the Group Policy console for the resource you want to work with. Then access Computer Configuration\Windows Settings\Scripts.
  3. To work with startup scripts, right-click Startup and then select Properties. To work with shutdown scripts, right-click Shutdown and then select Properties. This opens a dialog box similar to the one shown in Figure 8-9.
  Figure 8-9. Manage computer startup scripts using the Startup Properties dialog box. (Image Unavailable)

  4. Click Show Files. If you copied the computer script to the correct location in the policies folder, you should see the script.
  5. Click Add to assign a script. This opens the Add A Script dialog box. In the Script Name field, type the name of the script you copied to the Scripts\Startup or the Scripts\Shutdown folder for the related policy. In the Script Parameter field, enter any command-line arguments to pass to the command-line script or parameters to pass to the scripting host for a WSH script. Repeat this step to add other scripts.
  6. During startup or shutdown, scripts are executed in the order in which they're listed in the Properties dialog box. Click Up or Down to reposition scripts as necessary.
  7. If you want to edit the script name or parameters later, select the script in the Script For list and then click Edit.
  8. To delete a script, select the script in the Script For list and then click Remove.

Assigning User Logon and Logoff Scripts

User scripts can be assigned as part of a group policy. In this way, all users who access a computer or are members of the site, domain, or OU execute scripts automatically when they log on or log off.

To assign user scripts, complete the following steps:

  1. For easy management, copy the scripts you want to use to the Scripts\Logon or the Scripts\Logoff folder for the related policy. User policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers and %WinDir%\System32\GroupPolicy\Machine on Windows XP workstations.
  2. Access the Group Policy console for the resource you want to work with. Then access User Configuration\Windows Settings\Scripts.
  3. To work with logon scripts, right-click Logon and then select Properties. To work with logoff scripts, right-click Logoff and then select Properties. This opens a dialog box similar to the one shown in Figure 8-10.
  4. Click Show Files. If you copied the user script to the correct location in the policies folder, you should see the script.
  5. Click Add to assign a script. This opens the Add A Script dialog box. In the Script Name field, type the name of the script you copied to the Scripts\Logon or the Scripts\Logoff folder for the related policy. In the Script Parameter field, enter any command-line arguments to pass to the command-line script or parameters to pass to the scripting host for a WSH script. Repeat this step to add other scripts.
  6. During logon or logoff, scripts are executed in the order in which they're listed in the Properties dialog box. Click Up or Down to reposition scripts as necessary.
  7. If you want to edit the script name or parameters later, select the script in the Script For list and then click Edit.
  8. To delete a script, select the script in the Script For list and then click Remove.
  Figure 8-10. Manage user logon scripts using the Logon Properties dialog box. (Image Unavailable)
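
Computer startup and shutdown scripts run under the Local System account, so it is worth checking who can write to the Scripts folders once scripts are assigned. The following PowerShell is an added example, not from the book: it lists the script files under the local policy folder named in step 1 and reports any account that can modify them. The list of trusted accounts in $trusted, with English account names, is an assumption to adjust for your environment.

```powershell
# Added example: review the local policy Scripts folders described above.
$root    = Join-Path $env:WinDir 'System32\GroupPolicy'   # local policy folder named in the text
$phases  = 'Startup', 'Shutdown', 'Logon', 'Logoff'        # Scripts\<phase> folders named in the text
# Assumption: only these principals are expected to have write access.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'
# Rights that allow a script to be replaced, edited or re-permissioned.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-PolicyScriptFolder {
    # Find every Scripts\<phase> folder below the local policy root.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Parent.Name -eq 'Scripts' -and $phases -contains $_.Name }
}

function Get-UnexpectedWriter {
    # Return Allow entries that give a non-trusted principal write-type access.
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
        $trusted -notcontains $_.IdentityReference.Value
    }
}

foreach ($dir in (Get-PolicyScriptFolder)) {
    "== $($dir.FullName)"
    # Script files in this folder, each followed by any unexpected writers.
    Get-ChildItem -Path $dir.FullName -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        '   {0}  modified {1:u}  {2} bytes' -f $_.Name, $_.LastWriteTimeUtc, $_.Length
        Get-UnexpectedWriter -Path $_.FullName | ForEach-Object {
            '      file writable by {0} ({1})' -f $_.IdentityReference, $_.FileSystemRights
        }
    }
    # Write access to the folder itself allows a script to be swapped or added.
    Get-UnexpectedWriter -Path $dir.FullName | ForEach-Object {
        '   folder writable by {0} ({1})' -f $_.IdentityReference, $_.FileSystemRights
    }
}
```

Run it from an elevated prompt; a folder or file line with a "writable by" entry means an account outside the trusted list can change what runs at startup, shutdown, logon or logoff.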

Working with Logon and Startup Policies

Windows XP provides a set of policies to control the logon process, some of which allow you to configure the way programs run at logon. This makes them similar to logon scripts, in that you can execute specific tasks at logon. Other policies change the view in the welcome and logon screens. The main logon and startup policies that you'll use are summarized in Table 8-5.

Table 8-5.   Logon and Startup Policies

Policy Type | Policy Name | Description
Computer | Don't Display The Getting Started Welcome Screen At Logon | Hides the welcome screen that is displayed when new users log on. This only applies to Windows XP and not to servers.
Computer | Always Use Classic Logon | This overrides the default simple logon screen and uses the logon screen from previous versions of Windows.
Computer/User | Run These Programs At User Logon | Sets programs that all users should run at logon. Use the full file path (unless program is in %SystemRoot%).
Computer/User | Do Not Process The Run-Once List | Forces the system to ignore customized run-once lists.
Computer/User | Do Not Process The Disable Legacy Run List | Disables running startup applications other than those set through System Policy Editor in Windows NT 4.

Hiding the Welcome Screen

Experienced users often find the welcome screen annoying, particularly because it is displayed automatically every time they log on to a new computer. To hide the welcome screen at logon, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
  2. Double-click Don't Display The Getting Started Welcome Screen At Logon. In the Setting tab, select Enabled and then click OK.

Using Classic Logon vs. Simple Logon

The simple logon window is new in Windows XP. It is the default authentication, and although that view can be useful, some users might prefer to see only the classic logon window. To use classic logon rather than simple logon, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
  2. Double-click Always Use Classic Logon. In the Setting tab, select Enabled and then click OK.

Setting Policy-Based Startup Programs

Although users can configure their startup applications separately, it usually makes more sense to handle this through policy, especially in an enterprise in which the same applications should be started by groups of users. To specify programs that should start at logon, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
  2. Double-click Run These Programs At User Logon. In the Setting tab, select Enabled.
  3. To assign startup applications through policy, click Show. In the Show Contents dialog box that appears, specify applications according to their full file or UNC path, such as D:\Program Files\Internet Explorer\IEXPLORE.EXE or \\DCServ01\Apps\STATS.EXE.
  4. Close all open dialog boxes.

Disabling Run Lists Through Policy

Using policy, you can disable legacy run lists as well as run-once lists. Legacy run lists are stored in the registry in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Run-once lists can be created by administrators to specify programs that should run the next time the system starts but not on subsequent restarts. Run-once lists are stored in the registry under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

To disable run lists, follow these steps:

  1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon or User Configuration\Administrative Templates\System\Logon.
  2. Double-click Do Not Process The Run Once List. In the Setting tab, select Enabled and then click Next Setting.
  3. In the Do Not Process The Legacy Run List Properties dialog box, select Enabled and then click OK.
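
Before and after changing these policies, it helps to see what the run lists would actually start. The following PowerShell is an added example, not from the book: it inventories the three registry locations named above plus the policy-assigned startup programs, and prints any run-list policy values that are set. The Policies\Explorer key and its Run subkey are assumptions about where these policies are stored; the text does not give those locations.

```powershell
# Added example: inventory run-list entries and the policy values that suppress them.
$base  = 'Software\Microsoft\Windows\CurrentVersion'
$lists = @(
    "HKLM:\$base\Run",                    # legacy run list (machine), named in the text
    "HKCU:\$base\Run",                    # legacy run list (user), named in the text
    "HKLM:\$base\RunOnce",                # run-once list, named in the text
    "HKLM:\$base\Policies\Explorer\Run",  # assumed store for Run These Programs At User Logon
    "HKCU:\$base\Policies\Explorer\Run"   # same policy, user configuration (assumed)
)

function Get-RegistryValue {
    # Return every value under a key as Key/Name/Data, without expanding %VARIABLES%.
    param([string]$Key)
    if (-not (Test-Path -Path $Key)) { return }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) {
        New-Object PSObject -Property @{
            Key  = $Key
            Name = $name
            Data = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
}

# 1. Programs that start at logon, with a note on entries that deserve a closer look.
$entries = foreach ($key in $lists) {
    Get-RegistryValue -Key $key | ForEach-Object {
        $cmd  = [string]$_.Data
        $note = ''
        if ($cmd -match '^\s*"?\\\\') {
            $note = 'UNC path: check who can write to the share'
        } elseif ($cmd -notmatch '^\s*"?([A-Za-z]:\\|%)') {
            $note = 'no full path: resolved through the search path'
        }
        $_ | Add-Member -MemberType NoteProperty -Name Note -Value $note -PassThru
    }
}
$entries | Format-Table Key, Name, Data, Note -AutoSize -Wrap

# 2. Run-list policy values currently set (no output means not configured).
foreach ($hive in 'HKLM:', 'HKCU:') {
    Get-RegistryValue -Key "$hive\$base\Policies\Explorer" |
        Where-Object { $_.Name -like 'Disable*Run*' } |
        ForEach-Object { '{0}  {1} = {2}' -f $_.Key, $_.Name, $_.Data }
}
```

Entries listed in part 1 that were not assigned through policy are the ones the two Do Not Process settings stop from running.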

Customer Reviews

Showing all of 12 Customer Reviews
  • Anonymous

    Posted November 19, 2002

    Helpful with a lot of insight

    Where I work we planned a move to Windows XP for some time. It's a major change from where we were (Windows 98 and Windows NT 4.0 Workstation). I knew I would need a great new reference to help with my part of the transition. I bought several books. Two in the pocket series (this one and the Windows 2000 Administrator's Pocket Consultant). William Stanek's, 'Windows Xp Administrator', is a tremendous help for anyone working with Windows XP. The book has 14 chapters. It covers everything you are going to use on a day to day basis. I found the writing style is easy to follow. For the last few months I grabbed for this book every time I needed a fast answer about Windows XP. Everyone using Windows XP needs this book. I had trouble putting a book down and have no complaints at all about it.

  • Anonymous

    Posted November 9, 2002

    Another unimpressive Windows book

    Some technical books I use every day, while others end up in the proverbial recycle bin. This book falls into the second category. There is not much to say about it, other than the fact that it is not terribly insightful or useful. I looked through it a few times after purchasing it, but it doesn't have anything that isn't covered by other, better books. It's not really an "administrator's" book, either, but rather a cursory overview of the simpler windows features that really don't need documentation in the first place. It's the paperback equivalent of 'bloatware.'

  • Anonymous

    Posted November 14, 2002

    Best for Windows XP I've found

    If you need to learn about Windows XP Pro and related technologies this is the book for you. It is very easy to read and the author has obviously come from working in the real IT world. It is actually enjoyable to read for a text book. I've found concepts are written in a way that is useful. The book focusses on a lot of Group Policy issues. The types of every day questions and issues are answered. All the essential technical are explained clearly. I don't know why anyone would give it low marks unless they were a competing author or they just didn't understand what the book is about. It's not meant to be an all in one reference. Like the description says it focuses on daily tasks and key issues. The things you use. When you pair this book with the Windows 2000 Server Pocket Consultant like the author says on Page 1 you really do have a complete library. It's an excellent day-to-day reference. It also helped me study for the Microsoft exams (but it's not a replacement for actual exam guide). There isn't an administrator I know that doesn't have it or one of the others.

  • Anonymous

    Posted November 2, 2002

    Excellent!

    For daily administration this book is the best you can find. I highly recommend it.

  • Anonymous

    Posted August 21, 2002

    Highly recommended

    Others have said this is the best #1 Windows XP Professional book you can buy. I'd go a step further and say this is the only Windows XP Pro book you really need. I am a consultant with 25 years field experience. I'm not ashamed to say I use this book and I've learned more than a few things from it. When people ask me what book they should get to learn what they really need to know about Windows XP to be successful, this is the book I recommend. I carry a copy with me when I'm out on a job. I've given copies of this to clients.

  • Anonymous

    Posted July 26, 2002

    Don't Waste Your Money

    I use computers for a living, and have tried to build a pretty complete library of computer books. That way, I'm never more than a few minutes away from an answer to just about any question. I've been disappointed with some of Stanek's previous work, but decided to give him one last chance. He's obviously gone to some great lengths to market this rather thin reference, but unfortunately, he didn't put the same effort into writing it. Much of the material appears to have been taken directly from a bunch of Windows XP websites and even from other XP books on the market. This explains the inconsistent writing style. Also, this is a Microsoft Press book, which may explain the one-sided and incomplete material. Not surprisingly, the book is filled with plugs for other Microsoft products (as are all the other reviews on this page). Overall, I felt ripped off by this book, and will be returning it immediately. Don't waste your time -- or money -- on this one.

  • Anonymous

    Posted August 1, 2002

    The #1 best Windows XP book available today

    The previous reviewer who gave this a bad rating must be a friend of a competing author. That's the only way someone would write such a review about this awesome book. Every administrator in our company uses this book. I personally bought a copy of this book for every member of IT staff in my department. Our corporate library has every volume in the Pocket Consultant series. There's not an administrator that I know who doesn't own at least one pocket consultant and this one is tops on the list.

  • Anonymous

    Posted April 1, 2002

    The one Windows XP book I use

    I bought a bunch of Windows XP books to help me learn. The only one I ever use these days is this one. The fact that it has stood the test of time and is the one I reach for whenever I have questions says a lot. This book pays for itself just about every day.

  • Anonymous

    Posted March 19, 2002

    #1 Best Windows XP book I found!

    Of all the XP books I bought this is the one I use. I am always surprised by how much information is packed in these pocket consultants and this one especially so! I've made so much use of this book and it's been a big help as I study for certification.

  • Anonymous

    Posted May 8, 2002

    Not Complete without Windows 2000 Pro Pocket Consultant

    I loved this book and use it all the time. It makes my MCSE studies easier. The MS courses are too vague. The author does an extremely good job with this book! I have found that if you purchase both APC's then you have all the info as 2000 and XP are relatively the same. In order to take advantage of all the new technology the two books go hand in hand. I am sure the author would agree.

  • Anonymous

    Posted December 27, 2001

    WOW!

    THANK YOU! THANK YOU! This book is excellent!

  • Anonymous

    Posted November 26, 2001

    Excellent! Every user, admin and developer should own this...

    I'm a Windows/Java developer and I use this book religiously. I've found it to be incredibly helpful and surprisingly complete (especially considering this book is only 350 pages). The guys in my admin shop use this book too now and it has helped them get up and running with XP on our desktops.
