Defining Client Administration and Configuration Standards
You can use Group Policy to control many desktop settings and configuration options, such as:
The following sections discuss configuration options in each of these categories. These are representative examples and are not an exhaustive list. Remember, there are over 550 different Group Policy settings, and the best way to see all the different options is to study an installed version of Windows 2000. For more information about Group Policy settings, see "Group Policy" in the Microsoft® Windows® 2000 Server Resource Kit Distributed Systems Guide.
As you read through the remainder of this chapter, and subsequently work with Windows 2000, note the options that might be of use to your organization. Then, when your list is complete, you can begin to customize Group Policy objects to meet your needs. You should also include the complete list of options and Group Policy settings in your Client Configuration Plan.
Windows 2000 provides numerous ways to customize logon and logoff processes. For example, you can specify that a diagnostics or virus program be run every time a user logs on or logs off.
Table 23.5 lists some logon and logoff options that might be useful to you.
Table 23.5 Sample Logon and Logoff Group Policy Options
Policy | Description |
---|---|
Run legacy logon scripts hidden | By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run (it does not display logon scripts written for Windows 2000). Enabling this policy prevents logon scripts written for Windows NT 4.0 and earlier from displaying. |
Add Logoff to the Start Menu | Adds the "Log Off <username>" item to the Start menu and prevents users from removing it. |
Do not save settings at exit | Rolls back changes made to the desktop by users during their last session. |
Do not display welcome screen at logon | Hides the Getting Started with Windows 2000 welcome screen that is displayed on Windows 2000 Professional each time the user logs on. |
Group Policy can assist you in preventing users from making potentially counter-productive changes to their computers. In addition, it can enable you to optimize the desktop for the particular tasks performed in your organization. Table 23.6 lists some policies that you can use to customize the desktop.
Note
Many organizations will want to create custom configurations of their Internet and intranet browser software. For more information about customizing and managing Internet Explorer 5, see the Microsoft® Internet Explorer Administration Kit (IEAK) link on the Web Resources page at http://windows.microsoft.com/windows2000/reskit/webresources. Windows 2000 includes a Group Policy snap-in to configure and manage Internet Explorer 5, called Internet Explorer Maintenance.
Table 23.6 Sample Custom Desktop Options
Policy | Description |
---|---|
Prohibit user from changing My Documents path | Prevents users from changing the path to the My Documents folder. |
Disable Control Panel | Disables all Control Panel programs. |
Hide the Add a program from CD-ROM or floppy disk option | Removes the Add a program from CD-ROM or floppy disk option from the Add New Programs page. |
Hide specified Control Panel programs | Hides specified Control Panel items and folders. |
Prohibit changes to the Active Desktop | Allows you to enforce a standard desktop by preventing the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. |
Active Desktop wallpaper | Specifies the desktop background wallpaper displayed on all users' desktops. |
Century Interpretation for Year 2000 (System) | Specifies the last year for which two-digit years are interpreted as being in the 21st century. |
Hide these specified drives in My Computer | Removes the icons representing the selected hard drives from My Computer, Windows Explorer, and My Network Places. Also, the drive letters representing the selected drives do not appear in the Open dialog box. |
Desktop screen saver executable name | Specifies the screen saver used on the computer. |
Disable the command prompt | Prevents users from running the interactive command prompt, Cmd.exe. This policy also determines whether batch files (.bat, .cmd) can run on the computer. |
Disable registry editing tools | Disables the Windows registry editors, Regedt32.exe and Regedit.exe. |
In your organization, you might want to have control over which Start menu features are enabled. Group Policy allows you to disable the options you do not want to make available, and to create an optimized Start menu that reflects the needs of your organization and its users. Table 23.7 illustrates a few examples.
Table 23.7 Representative Start Menu Options
Policy | Description |
---|---|
Re | |
Disable and remove links to Windows Update | Removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. |
Remove Run command from Start Menu | Removes the Run command from the Start menu and removes the New Task (Run) command from Task Manager. Also, users with extended keyboards can no longer display the Run dialog box by using the Run command keyboard shortcut. |
Add Logoff to the Start Menu | Adds the "Log Off <username>" item to the Start menu and prevents users from removing it. |
Disable drag-and-drop shortcut menus on the Start menu | Prevents users from using the drag and drop method to reorder or remove items on the Start menu. Also, removes shortcut menus from the Start menu. |
Do not use the search-based method when resolving shell shortcuts | Prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. |
Do not run specified Windows-based applications | Prevents Windows from running the programs that you specify in this policy. |
Note
The Start menu that you customize and provide to users can be stored locally, or it can be stored on a network server.
The growing number of users with portable computers in many organizations has made managing these remote computers a major administrative concern. The strategies in Table 23.8 can be useful in managing user data for remote access users.
Table 23.8 Portable and Remote Computer Options
Strategy | Description |
---|---|
Limit the use of Group Policy | Group Policy cannot be turned off, even over slow links. (Be careful about applying excessively restrictive Group Policy settings or those that download lots of data to portable computers or users' home computers. Consider logon scripts and the default time-out of 600 seconds.) |
Automatically detect slow network connections | Allows you to set threshold levels for what is considered a slow link. You can then define certain bandwidth-intensive activities that must not take place when slow links are encountered. |
Specify network files and folders that are always available offline | Allows you to specify network files and folders that are always available for offline use. |
Disable Make Available Offline | Prevents users from making certain files and folders available offline. |