Prevent users from disjoining from domain using GPO

Posted on October 29th, 2009 in Active Directory, GPO, Microsoft, Vista, Windows 7, Windows XP by Gil Kreslavsky

 

There is no 100% foolproof solution that blocks users with local admin rights from reaching the option to disjoin their computer from the domain, but you can make it harder to get to the System menu.

I remove "Properties" from the menu you get when you right-click My Computer.
Then I also remove the System applet from the Control Panel menu, and disable registry editing.

To disable the right-click Properties on My Computer, go to Group Policy.
Navigate to User Configuration>Administrative Templates>Desktop.
Locate “Remove Properties from the My Computer context menu” and set it to “Enabled”.

You should also check: How to disable Right Click Properties on My Computer on Windows 7/Vista


Then navigate to User Configuration>Administrative Templates>Control Panel.
Locate “Hide specified Control Panel applets”.
Set it to “Enabled” and add Sysdm.cpl to the list of disallowed Control Panel applets.


To block Sysdm.cpl from executing:

Navigate to User Configuration>Administrative Templates>System.

Locate “Don’t run specified Windows applications”, set it to “Enabled” and add Sysdm.cpl to the list of disallowed applications.
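To confirm the settings actually reached a user after gpupdate, the following added check (not part of the original post) reads the per-user registry values these Administrative Templates settings write. The function names are hypothetical; run it in the session of the user the GPO targets.

```powershell
# Added example: audits the HKCU policy values behind the GPO settings above.
# Read-only; nothing is changed.

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not applied).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-PolicyList {
    # A list policy is active when the switch DWORD is 1 and the subkey of the
    # same name holds the wanted entry among its string values.
    param([string]$Root, [string]$Name, [string]$Entry)
    if ((Get-PolicyValue $Root $Name) -ne 1) { return $false }
    $key = Get-Item -Path (Join-Path $Root $Name) -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $false }
    $values = foreach ($v in $key.GetValueNames()) { $key.GetValue($v) }
    return ($values -contains $Entry)   # -contains compares case-insensitively
}

$report = [ordered]@{
    'Remove Properties from My Computer menu' = (Get-PolicyValue $explorer 'NoPropertiesMyComputer') -eq 1
    'Sysdm.cpl hidden in Control Panel'       = Test-PolicyList $explorer 'DisallowCpl' 'Sysdm.cpl'
    'Sysdm.cpl in disallowed applications'    = Test-PolicyList $explorer 'DisallowRun' 'Sysdm.cpl'
    'Registry editing tools disabled'         = (Get-PolicyValue $system 'DisableRegistryTools') -ge 1
}

$report.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Setting = $_.Key; Applied = [bool]$_.Value }
} | Format-Table -AutoSize
```

A row showing False means that setting did not apply to this user, which usually points to GPO linking or security filtering rather than the setting itself.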


Prevent users from deleting start menu items via GPO

Posted on March 29th, 2009 in Active Directory, GPO, Vista, Windows 7, Windows XP by Gil Kreslavsky
  • Open Group Policy Editor.
  • Link the policy to the relevant OU.
  • Navigate to User Configuration>Administrative Templates>Start Menu and Taskbar.
  • Edit “Prevent Changes to Taskbar and Start Menu Settings”.
  • Set it to “Enabled”.
  • Press OK.

Note: To enforce Group Policy, navigate to Start>Run, type gpupdate /force and hit Enter.

How to apply Windows 2008 gpo when you have 2003 DC’s only

Posted on February 2nd, 2009 in Active Directory, GPO, Microsoft, Server 2003, Server 2008, Vista by Gil Kreslavsky

Recently I installed 2 2008 terminal servers, and when I started configuring them I realized that I can’t use a lot of new features that are available only via 2008 Group Policy. The network was 2003, and adding or upgrading the current DC to a 2008 domain controller raises project costs (2008 CALs for the entire domain). I had to look for another solution.

Since Windows 2008 GPO templates changed their format from ADM to ADMX, I couldn’t import Windows 2008 templates to the Windows 2003 DC.

So here is how you solve this.

You must use a Vista + SP1 desktop.

First, you need to extend your schema to 2008.
The first schema updates need to be applied to the Active Directory forest. To apply them, run the adprep application from the domain controller that holds the schema master role. To run the forest schema updates use the following command: adprep /forestprep



Once the forest updates have been applied, the next step is to run adprep for each domain in the forest. This should be run on the domain controller that holds the Infrastructure operations master role. The command to run is: adprep /domainprep


After you finish with the schema expansion:

Go to your Vista desktop.
Download the RSAT tool for Vista x64 and for Vista x86 and install it.

After the installation is completed:

  • Go to Control Panel and click on Programs and Features.
  • Locate and click on Turn Windows features on or off.
  • Install the relevant Feature Administration and Role Administration tools (for Group Policy, install Group Policy Management Tools).



Now you can use all Windows 2008 and Vista GPO goodies on your Windows 2003 domain.

Change default save as location for Office 2007 via GPO

Posted on January 15th, 2009 in Microsoft, Office 2007, Outlook 2003, Outlook 2007, Server 2003 by Gil Kreslavsky

When a user tries to save an attachment from Outlook or save a Word/Excel file, he is usually redirected straight to the “My Documents” folder set in his profile.
When you work on a Terminal Server and want to restrict C: drive access, this becomes a problem. The user receives multiple errors when he tries to save a file or email attachment.

  • To change the default save location for Office applications via GPO, you must first download the Office 2007 GPO ADM to your Domain Controller.
  • Extract the files to a local folder.
  • Go to Group Policy by running gpo.msc from Run.
  • Navigate to User Configuration\Administrative Templates.
  • Right-click Administrative Templates and choose “Add/Remove Templates”.
  • Press “Add” and navigate to the locally extracted ADM file.
  • Now you should see the Office 2007 settings in the GPO.

To change the default save location for Excel 2007:

  • Navigate to Microsoft Office Excel 2007\Excel Options\Save
  • In the right pane locate “Default file location”, change the setting to Enabled and insert your save path.

To change the default save location for PowerPoint 2007:

  • Navigate to Microsoft PowerPoint 2007\PowerPoint Options\Save
  • In the right pane locate “Default file location”, change the setting to Enabled and insert your save path.

To change the default save location for Project 2007:

  • Navigate to Microsoft Power Project 2007\Tools | Options\Save\File Locations
  • In the right pane locate “Projects and User Templates”, change the setting to Enabled and insert your save path.

To change the default save location for Word 2007:

  • Navigate to Microsoft Word 2007\Word Options\Advanced\File Locations
  • In the right pane locate “Default file location”, change the setting to Enabled and insert your save path.

Outlook 2007 is a little bit tricky: you can’t set this option via the Outlook GPO. You can do it via the registry or by changing the default system “save in” location.

To change Outlook 2003/2007 save path via registry

To change default system “save in” location.

  • In Group Policy go to User Configuration\Administrative Templates\Windows Components\Windows Explorer\Common Open File Dialog
  • Click on “Items displayed in Places Bar”.
  • Add your save location, for example \\servername\sharename (it can be a mounted I:\ folder).

Terminal Server 2008 Sounds and Beeps on errors

Posted on December 25th, 2008 in Microsoft, Server 2008 by Gil Kreslavsky

Disable sound in RDP not working in Windows Terminal Services

OK, the same bug was in Windows 2003 SP1 terminal server; MS fixed it in SP2.
The problem is that even after you disable sound redirection via GPO you still get beeps on error messages.

I found a way to fix it.

  • Click Start, click Run, type regedit, and then click OK.
  • Locate and edit the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
  • On the Edit menu, point to New, and then click DWORD Value.
  • Type DisableBeep, and then press ENTER.
  • Right-click DisableBeep, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Quit Registry Editor.
  • Click Start, click Run, type services.msc and press Enter.
  • Locate the Terminal Services service and press Restart (this will drop all users connected to the TS server).
  • Reconnect to the terminal server.

Note: You can disable the MessageBeep function by changing the value to 1; to enable it again, change the value to 0.

Disable File And Folder Sharing, via GPO

Posted on January 21st, 2007 in Active Directory, Microsoft, Server 2003 by Gil Kreslavsky

To disable the Security tab from Windows 2000/XP Professional-based workstations that are members of a Windows 2000/2003 domain:

  1. Start Active Directory Users and Computers.
  2. Right-click the domain, and then click Properties.
  3. Click the Group Policy tab on the domain properties dialog box to view the default domain policy.
  4. Click New. New Group Policy Object should appear in the list of objects. Rename this Policy to Remove Security Tab. Make sure this policy is positioned directly under the default domain policy.
  5. Click Remove Security Tab, and then click Edit to start the Group Policy Editor.
  6. Expand Computer Configuration, Windows Settings, Security Settings, and then click Registry.
  7. Right-click in the left pane, and then click Add Key.
  8. Paste the following key in the text box, and then click OK:
    CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
    Note that there may be a delay before you can proceed to the next step, and this is normal.
  9. The Database Security Editor appears. You need to add the user or group that you want the Security tab to be removed from.
  10. Change the permission on this key for the users and/or groups that you added in the previous step to “Deny Read.” This prevents the user from being able to instantiate the needed components to display the Security and Sharing tabs. Click OK twice to complete the settings and exit the Group Policy Editor.
  11. Click New. New Group Policy Object should appear in the list of objects. Rename this Policy to Remove Sharing Tab. Make sure this policy is positioned directly under the default domain policy.
  12. Click Remove Security Tab, and then click Edit to start the Group Policy Editor.
  13. Expand Computer Configuration, Windows Settings, Security Settings, and then click Registry.
  14. Right-click in the left pane, and then click Add Key.
  15. Paste the following key in the text box, and then click OK:
    CLASSES_ROOT\CLSID\{40dd6e20-7c17-11ce-a804-00aa003ca9f6}
    Note that there may be a delay before you can proceed to the next step, and this is normal.
  16. The Database Security Editor appears. You need to add the user or group that you want the Security tab to be removed from.
  17. Change the permission on this key for the users and/or groups that you added in the previous step to “Deny Read.” This prevents the user from being able to instantiate the needed components to display the Security and Sharing tabs. Click OK twice to complete the settings and exit the Group Policy Editor.
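To verify on a workstation that the Deny Read permissions from steps 10 and 17 were applied, this added example (not part of the original post) lists the Deny entries on the two CLSID keys. It assumes the GPO key CLASSES_ROOT maps to HKEY_CLASSES_ROOT on the client; the function name is hypothetical.

```powershell
# Added example: lists Deny entries covering Read on the two CLSID keys from the steps above.
# Run elevated as an account that is NOT in the denied group; this only reads ACLs.

$keys = [ordered]@{
    'Remove Security Tab policy key' = '{1F2E5C40-9550-11CE-99D2-00AA006E086C}'
    'Remove Sharing Tab policy key'  = '{40dd6e20-7c17-11ce-a804-00aa003ca9f6}'
}
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey

function Get-DenyReadEntries {
    param([string]$Clsid)
    $path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
    } catch {
        # Access denied here usually means the caller is itself covered by the Deny entry.
        Write-Warning "Cannot read ACL of $path : $($_.Exception.Message)"
        return
    }
    # Keep only Deny ACEs whose rights overlap the Read permission set.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        ($_.RegistryRights -band $readKey) -ne 0
    }
}

foreach ($name in $keys.Keys) {
    $deny = @(Get-DenyReadEntries $keys[$name])
    if ($deny.Count -eq 0) {
        "{0}: no Deny Read entry found on this machine" -f $name
    } else {
        foreach ($ace in $deny) {
            "{0}: Deny {1} for {2} (inherited: {3})" -f $name, $ace.RegistryRights, $ace.IdentityReference, $ace.IsInherited
        }
    }
}
```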