Section 8.8: Managing User Environment

You can use Group Policy to control user environments such as desktop settings, network connections, and user interfaces. Windows Server 2003 includes Group Policy settings that give administrators extensive control over users' computer configurations. Group Policy lets you manage desktop configurations for groups of computers and users, including registry settings, security settings, Administrative Template settings, script settings, and folder redirection. You can also use Group Policy in conjunction with Windows Installer to deploy and manage software applications with a minimal amount of administrative effort.

8.8.1: Administrative Templates

Windows Server 2003 provides Administrative Template settings, stored in files with the .adm extension, for both computers and user accounts. The settings that apply to users let you control the user's environment by restricting access to desktops, network resources, and administrative tools and applications; the settings that apply to computers let you manage Windows itself. There are seven types of Administrative Template settings. Table 8.8 lists the types of settings in the Administrative Templates extension.

Table 8.8: Administrative Templates

| Type of Setting | Use |
|---|---|
| Windows Components | Controls the Windows components that a user can gain access to, including Microsoft Management Console (MMC). Can be applied to both computers and users. |
| System | Controls logon and logoff procedures. Can be applied to both computers and users. |
| Network | Controls the properties of network connections and dial-in connections, including shared network access. Can be applied to both computers and users. |
| Printers | Controls printer settings; can force printers to be published automatically in Active Directory and can disable Web-based printing. Can be applied only to computers. |
| Start Menu and Taskbar | Controls which features users can access from the Start menu. Also lets you make the Start menu read-only and disable users' ability to make changes. Can be applied only to users. |
| Desktop | Controls the Active Desktop and lets you control a user's ability to gain access to the network and the Internet by hiding the appropriate desktop icons and controlling what users can do with their My Documents folder. Can be applied only to users. |
| Control Panel | Lets you restrict a user's access to several applications in Control Panel, including Add/Remove Programs, Display, and Printers. Can be applied only to users. |

8.8.2: Desktop Security Settings

Windows Server 2003 lets you secure a user's desktop by setting up a computer so that it can perform only a limited number of functions that users cannot modify. Table 8.9 lists the common Group Policy settings that you can configure to secure a user's desktop.

Table 8.9: Desktop Security Settings

| Desktop Security Setting | Effect |
|---|---|
| Hide all icons on desktop | Hides all desktop icons, including menus, folders, and shortcuts. |
| Do not save settings at exit | Prevents configuration changes from being saved and ensures that the original settings are restored each time users log off. |
| Hide these specified drives in My Computer | Hides the icons for the selected drives in My Computer, Windows Explorer, and My Network Places. |
| Remove Run command from Start menu | Removes the Run command from the Start menu but not from Task Manager. |
| Prohibit access to Display in Control Panel | Prevents users from changing display settings, such as the wallpaper, screen saver, or color schemes. |
| Disable and remove links to Windows Update | Removes the Windows Update command from the Settings menu but not from Internet Explorer. |
| Disable changes to Taskbar and Start Menu settings | Removes the Taskbar and Start Menu command from the Settings menu. |
| Disable/Remove the Shut Down command | Prevents users from shutting down and restarting Windows. |

You can also use Group Policy to restrict a user's access to network resources and to administrative tools and applications. Table 8.10 lists the common Group Policy settings that you can use to restrict a user's access to network resources.

Table 8.10: Group Policy Settings to Control the Network Environment

| Group Policy Setting | Effect |
|---|---|
| Hide My Network Places icon on desktop | Removes the My Network Places icon from the desktop and disables support for UNC file names. |
| Remove the Map Network Drive and Disconnect Network Drive options | Removes the Map Network Drive and Disconnect Network Drive options from Windows Explorer. However, users can still connect to computers by using the Run command on the Start menu. |
| Tools menu: Disable Internet Options… menu option | Removes the Internet Options menu option from Internet Explorer. |

Table 8.11 lists the Group Policy settings you can use to restrict a user's access to administrative tools and applications.

Table 8.11: Group Policy Settings to Control Access to the Administrative Tools

| Group Policy Setting | Effect |
|---|---|
| Remove Search menu from Start menu | Removes the Search menu from the Start menu but not from Windows Explorer and Internet Explorer. |
| Remove Run command from Start menu | Removes the Run command from the Start menu. |
| Disable Task Manager | Prevents users from starting applications by using Task Manager. |
| Run only allowed Windows applications | Prevents users from running applications other than those you specify in this Group Policy setting. |
| Remove the Documents menu from the Start menu | Removes the Documents menu from the Start menu. |
| Disable changes to Taskbar and Start Menu settings | Removes the Taskbar and Start Menu command from the Settings menu. |
| Hide common program groups in Start menu | Removes common program groups from the Start menu and leaves only the Start menu items that are specified in the user's profile. |

To gain access to the Policy tab for an Administrative Template setting:

• Click on the START button

• Point to PROGRAMS

• Click on ADMINISTRATIVE TOOLS

• Click on ACTIVE DIRECTORY USERS AND COMPUTERS

• Right-click the appropriate site, domain, or organizational unit

• Click PROPERTIES

• On the Group Policy tab that appears, create a new GPO, or select an existing GPO, and then click Edit

• Expand Computer Settings or User Settings

• Expand Administrative Templates until you locate the setting that you want to modify

• In the details pane of Group Policy, double-click the Group Policy setting that you want to modify

8.8.3: Group Policy Script Settings

You can use Group Policy script settings to centrally configure scripts to run automatically at startup and shutdown or when users log on and log off. These include batch files, executable programs, and Windows Script Host-supported scripts.

• You can run pre-defined scripts to manage user environments until you configure Group Policy to replace the tasks that these scripts perform.

• You can run scripts that perform tasks that cannot be configured through Group Policy settings.

• You can use scripts to remove connections that you added with logon or startup scripts when users log off and shut down computers, so that the computer is returned to the same state it was in when the user started it.

Note: You can assign logon scripts to individual user accounts in the Properties dialog box for each user account. However, Group Policy is the preferred method of running scripts, because you can manage these scripts centrally along with startup, shutdown, and logoff scripts.

Windows Server 2003 executes scripts in the order in which they are listed on the Scripts tab of the Script Properties dialog box. The settings made by the script that runs last are the ones that remain in effect, so if two scripts conflict, the script that is processed last prevails. You should also list scripts that depend on the successful execution of another script in the correct order, after the script they depend on.

When a user starts a computer, the startup scripts run synchronously: each script must complete or time out before the next one starts. When the user then logs on, the logon scripts run, also synchronously. Non-Group Policy logon scripts that are assigned to a specific user account run after the Group Policy logon scripts for that user account.

When a user logs off and shuts down a computer, the logoff scripts and then the shutdown scripts run.

Note: The default timeout value for processing scripts is 10 minutes. Therefore, if a script requires more than 10 minutes to run, you must adjust the timeout value by configuring the wait time for Group Policy scripts, in:

Computer Configuration\Administrative Templates\System\Logon\Maximum wait time.

This setting affects all scripts that run.
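The logon/logoff pattern described above (add a connection at logon, remove it at logoff so the computer returns to its starting state) can be implemented with a single batch file assigned twice under User Configuration, Windows Settings, Scripts: as the logon script with the parameter map and as the logoff script with the parameter unmap. This is an added example, not text or code from the original section; the server, share and drive letter are placeholders.

```batch
@echo off
rem usershare.cmd - constructed example, not from the original text.
rem Assign under User Configuration, Windows Settings, Scripts:
rem   Logon  -> usershare.cmd   Script Parameters: map
rem   Logoff -> usershare.cmd   Script Parameters: unmap
rem FILESERVER01, the Users share and drive H: are placeholders.
setlocal
set DRIVE=H:
set SHARE=\\FILESERVER01\Users\%USERNAME%
set LOG=%TEMP%\usershare.log

if /i "%~1"=="map"   goto :map
if /i "%~1"=="unmap" goto :unmap
echo %DATE% %TIME% usage: %~nx0 map^|unmap >> "%LOG%"
exit /b 2

:map
rem Drop a stale mapping left by an interrupted session so it cannot
rem point at a share other than the one assigned by this policy.
if exist %DRIVE%\ net use %DRIVE% /delete /y >nul 2>&1

rem /persistent:no keeps the mapping out of the user's saved connections;
rem the logoff run, not a remembered connection, decides what survives.
net use %DRIVE% "%SHARE%" /persistent:no >nul 2>&1
if errorlevel 1 (
    echo %DATE% %TIME% map failed: %DRIVE% to %SHARE% >> "%LOG%"
    exit /b 1
)
exit /b 0

:unmap
rem Return the session to the state it had before logon.
net use %DRIVE% /delete /y >nul 2>&1
exit /b 0
```

Because Group Policy runs logon scripts synchronously and in listed order, a later script in the same GPO can rely on H: being available only if this one appears above it in the Scripts tab.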

You can use Windows Server 2003 to redirect folders that are part of the user profile from users' local hard disks to a central location on a server. By redirecting these folders, you keep users' data in a central location, which makes it easier to manage and back up, and you ensure that users' data remains available to them. The folders that you can redirect are My Documents, Start Menu, Desktop, and Application Data. Windows Server 2003 automatically creates these folders and makes them part of the user profile for each user account.

8.8.4: Folder Redirection

When you redirect folders, you change the storage location of the folders from the local hard disk on the user's computer to a shared folder on a network file server. Once you have redirected a folder to a file server, a user can access the folder regardless of which computer they log on to. This also ensures that the data in the folders is stored centrally, so that the files the folders contain can easily be managed and backed up. You can use the Folder Redirection extension in Group Policy to store the My Documents, Application Data, Desktop, and Start Menu folders on a server.