Windows Management and Scripting

Group Policy preferences you must implement for securing Windows environment

Posted by Alin D on January 4, 2011

Microsoft’s centralized management solution known as Group Policy is celebrating its 11th birthday this year. Although it is an administrative wonder that Microsoft provides at no added cost, I still find myself amazed at how little Group Policy is used in today’s IT environments. This is evident from the workshops, conference sessions, books, and training that continue to surface a decade after its release with Windows 2000 Server.

Adding to its feature set with Windows Server 2008 are new Group Policy preferences (GPPs). And while an explanation of what GPPs are and how they work is probably unnecessary for an article like this, what is important is how these “optional if you want them to be” configuration items really help out the Windows domain.

In this article, I’ll tell you about five of those policies that I consider to be must-have additions. In future articles I’ll go into further detail about how to use GPPs for scheduled and immediate tasks, eliminating your login scripts (something everyone wants!), and configuring power options. With this series, you won’t get an introduction to using GPP; you’ll get a powerful look at exactly how to leverage them in your production environment today.

With this in mind, let’s take a look at those five must-implement Group Policy preferences. Once you take a look through what they can do, you’ll surely find that they’re a perfect fit for your environment.

User Configuration | Internet Settings

The first setting is quite possibly the most painful centralized setting to date. Configuring Internet Explorer’s (IE) internal settings with traditional Group Policy has historically been a nightmare, both because of its original interface and because clients so often failed to keep the settings you wanted.

The problem with the previous Internet Explorer maintenance console is centered around the limitations of traditional Group Policy itself. Configuring IE settings with this tool gave you the option of importing custom settings from a sample machine — that is, the machine from where the console was running — and really not much else. This convoluted interface often forced administrators to make changes inadvertently as they attempted to merely see what settings were configured.

Configuring settings with Group Policy preferences becomes a far more logical experience with the manipulation of actual IE property screens based on the version you wish to configure. Further, GPPs are able to make some settings optional while keeping others required. They also have precise and easy-to-use targeting capabilities to ensure that you get the correct settings sent to the proper computers.

User Configuration | Drive Maps

In an environment without support for Group Policy preferences, one of the biggest reasons why login scripts have stuck around is the need to map drives. Users are used to their H: for the home drive and S: for the shared drive (or whatever mnemonic you’ve chosen). They also get particularly unhappy when those drive letters don’t follow them around as they move between computers.

Using the Drive Maps GPP under User Configuration, you can reliably target drive mappings to sets of users based on who they are rather than where they are. This substantially improves upon traditional login scripts, which tend to be scripted by hand and targeted towards particular machines.

Going a step further, Group Policy preferences can not only create and manage drive maps, but also remove them when you’re done or change them around when necessary. Using GPPs, you can very easily reposition resources under a drive map simply by editing the preference item. Allowing for the slight delay of Group Policy processing, your users will have a nearly seamless way of accessing the data they need.

Computer Configuration | Services

Found under Computer Configuration is another enhanced tool for managing services as well as their startup modes, accounts, and recovery options.

If you have a security policy or compliance regulation that requires services to be specifically managed (and who doesn’t these days?), you’ll find that the Services GPP significantly improves the assurance that services are correctly configured. This Group Policy preference has a properties dialog box that presents known services within the domain, provides areas for configuration, and, like all GPPs, can be set for optional or required configuration as well as very specific targeting.

Further, if your auditors need to see verifiable proof that you are configuring services properly, there’s no better screen than the GPP settings themselves for seeing exactly which services are locked down and why.

Computer Configuration | Local Users and Groups

In pretty much every IT environment there is the need to populate the Local Users and Groups console with custom users and groups for administration. Notwithstanding the individual needs of each user and his or her computer, almost every environment wants to add a “Local IT” global group to the Administrators group to ensure that non-domain technicians can access the desktop.

Doing this with other tools has historically been a pain. Many environments get around the problem by adding the group assignment to their reference image or build process as the machine goes out the door. Some smarter solutions leverage scripting to solve the problem.

Using a Group Policy preference that is tagged to the Local Computer, you can now leverage a simple screen to add the right users and groups to targeted computers. With this console, you only need to add the group name and its members then target the GPP to the right set of computers. Immediately, you’ve got the access you need, with the assurance that it will stay there over the long term.

User Configuration | Data Sources

Lastly, there is the age-old pain of configuring data sources for database-driven applications. Even the most hardened IT professionals still scratch their heads from time to time when remembering how to properly set up ODBC connections on computers. But why worry about individual configurations when you can create an ODBC connection once and target it to the users who need it?

Such a configuration is possible with the Data Sources console under User Configuration. Using this console, it is possible to create that ODBC connection, its DSN, driver, attributes, and login information, and immediately tag it to the people who need its connection for an application. If targeting to swathes of machines is more your style, Data Sources is also available as a Group Policy preference under Computer Configuration.
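As an added example (not code from the original post or from Microsoft), the Python audit below parses the XML that Group Policy preferences write under each GPO in SYSVOL for the Drive Maps, Local Users and Groups, Services and Data Sources items discussed above, reporting each item’s action, its item-level targeting filters and whether it carries a saved credential (the `cpassword` attribute); because SYSVOL is readable by every authenticated domain user, a password stored there, such as the login information a Data Sources item can hold, must be treated as exposed and removed. The sample files, host names, SIDs and the placeholder password value are constructed.

```python
import xml.etree.ElementTree as ET

ACTIONS = {"C": "create", "R": "replace", "U": "update", "D": "delete"}
# Constructed samples in the layout GPP writes to SYSVOL (real files also carry clsid,
# uid and changed attributes, which the audit ignores); hosts and SIDs are placeholders.
SAMPLE_DRIVES_XML = r"""<Drives>
  <Drive name="H:" status="H:" userContext="1">
    <Properties action="U" path="\\fs01.example.test\home\%LogonUser%" label="Home"
                persistent="1" useLetter="1" letter="H" userName=""/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Staff" sid="S-1-5-21-0-0-0-1001"
                   userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
  <Drive name="S:" status="S:" userContext="1">
    <Properties action="U" path="\\fs01.example.test\shared" label="Shared" letter="S"
                userName="EXAMPLE\svc-map" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </Drive>
</Drives>"""
SAMPLE_GROUPS_XML = r"""<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"
                deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0">
      <Members><Member name="EXAMPLE\Local IT" action="ADD" sid="S-1-5-21-0-0-0-2001"/></Members>
    </Properties>
    <Filters><FilterComputer bool="AND" not="0" type="NETBIOS" name="WKS*"/></Filters>
  </Group>
</Groups>"""

def audit_gpp_xml(xml_text: str) -> list:
    """One finding per preference item: what it does, who it is targeted at, and
    whether it embeds a saved credential (cpassword), which must be treated as exposed."""
    findings = []
    for item in ET.fromstring(xml_text):          # <Drive>, <Group>, <NTService>, <DataSource>
        props = item.find("Properties")
        if props is None:
            continue
        filters = item.find("Filters")            # item-level targeting conditions, if any
        findings.append({
            "kind": item.tag,
            "name": item.get("name"),
            "action": ACTIONS.get(props.get("action", "U"), props.get("action")),
            "target": props.get("path") or props.get("groupName")
                      or props.get("serviceName") or props.get("dsn"),
            "filters": [(f.tag, f.get("name")) for f in filters] if filters is not None else [],
            "members": [(m.get("name"), m.get("action")) for m in props.iter("Member")],
            "stored_credential": props.get("cpassword") is not None,
        })
    return findings
```

Run it over every `*.xml` under `\\<domain>\SYSVOL\<domain>\Policies\<GUID>\{Machine,User}\Preferences\` and treat any finding with `stored_credential` set as a remediation item.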

These five GPPs will get you started, but they’re only the beginning of the centralized configuration that Group Policy preferences can provide… at no cost! In my next article, I’ll go into further detail regarding the Scheduled Tasks GPP. You’ll find that scheduling activities with this console (and a bit of instruction) is beyond easy.
