Group Policy Objects (GPO) Tricks!

Hi there everyone – I am Harry Brelsford, co-author of the Advanced Windows Small Business Server 2003 Best Practices book. I like to hold virtual book readings and I’m posting up right here, right now. BTW – I hold a big annual fall conference in early October (Las Vegas) and perhaps you’d like to attend (learn more about SMB Nation Fall here).

Group Policy Tips

Let’s move on and discuss Group Policy, which is an area that didn’t get any air time in the introductory SBS 2003 book in this series (Small Business Server 2003 Best Practices). Provided here are discussions about:

  • Creating new group policy objects,
  • Group policy and software update services, and
  • GPO exception or override.

Working with Group Policies has changed. Where you used to be able to right-click an object such as an OU or the Domain, select Properties and use the Group Policy tab, that is no longer the case. If you try, you will get the message “You have installed the Group Policy Management snap-in, so this tab is no longer used.” Instead, the Group Policy Management Console (GPMC) opens. This console makes seeing the effects of your policies much easier, but actually editing a policy may take you a little bit to figure out.

I poked around the Group Policy Management snap-in for quite some time trying to figure out how to actually change a Group Policy Object (GPO). It seemed like everything I clicked on was a view, but not editable. Here is the solution. All you have to do is right-click on the GPO or the shortcut to that GPO and choose Edit from the context menu that appears. It is always so simple once you figure it out!



Creating New GPOs

It’s time for a little Group Policy 101. Let’s make sure we understand how GPOs work. First of all, GPOs have to be connected to a container. Valid containers for GPO’s are:

  • Sites,
  • Domains, and
  • Organizational Units (OUs).




With SBS 2003, you will work mostly with OUs and the Domain container. To be brutally honest, sites are more of an enterprise concept and don’t really relate to the world of SBS 2003. No matter where you create your GPO, the settings files (the Group Policy Template) reside in the SYSVOL share on the domain controller at %systemroot%\SYSVOL\domain\Policies, in a folder named after the GPO’s GUID; the GPO’s object in Active Directory holds only its name, version and link information.

What you actually put in the container (OU or Domain) is a link to the GPO. You can have more than one link to the same policy because GPOs are re-usable; one GPO can be linked at several OUs and edited in one place. (Do not confuse this with what the GPO literature calls “tattooing,” which is a setting that stays in the registry after its policy no longer applies.) GPO links follow the hierarchical OU tree downward: a nested child OU inherits the GPOs linked at its parent OU and at the domain, unless you specifically block inheritance on the child container, and a link marked Enforced (No Override) applies even through such a block.
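The following is an added example, not part of the book, that makes the three points above visible from the command line: the links a container inherits, the fact that one GPO can be linked in several places, and the SYSVOL folder each GPO occupies. It uses the GroupPolicy and ActiveDirectory PowerShell modules (Windows Server 2008 R2 / RSAT and later; they did not ship with SBS 2003), and the OU path is an assumption based on the SBS default MyBusiness layout.

```powershell
# Added example (not from the book): map GPO links, inheritance and SYSVOL storage.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT / Server 2008 R2+).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Assumed OU path; adjust to the container you want to inspect.
$target = "OU=SBSUsers,OU=Users,OU=MyBusiness,$($domain.DistinguishedName)"

# 1. Links defined on the container itself plus everything inherited from its parents,
#    in the order the client will process them.
$inh = Get-GPInheritance -Target $target
"Inheritance blocked on {0}: {1}" -f $target, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced, Target -AutoSize

# 2. One GPO, many links: the GPO exists once; containers only hold links to it.
foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = $report.GPO.LinksTo | ForEach-Object { $_.SOMPath }
    "{0} -> linked at: {1}" -f $gpo.DisplayName, ($links -join '; ')
}

# 3. Where the settings files actually live: \\<domain>\SYSVOL\<domain>\Policies\{GUID}.
$policyRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-ChildItem $policyRoot -Directory | ForEach-Object {
    $id  = $_.Name.Trim('{', '}')
    $gpo = Get-GPO -Guid $id -ErrorAction SilentlyContinue   # null for non-GPO folders such as PolicyDefinitions
    [pscustomobject]@{
        Folder      = $_.Name
        DisplayName = $gpo.DisplayName
        Modified    = $_.LastWriteTime
    }
} | Format-Table -AutoSize
```

The first table is the quickest way to answer “why is this setting being applied to this OU?” before you start blocking inheritance: it shows every link the OU inherits, whether each is enabled, and which ones are enforced.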

This section covers the following procedures:

  • Creating a new OU,
  • Internet Explorer GPO trick, and
  • Logoff command.


Creating a New OU

Let’s start out by creating a new OU to hold the link to a new GPO:

  1. Log on to SBS 2003 as the administrator.
  2. Launch the Server Management console.
  3. Expand Advanced Management, select Active Directory Users and Computers, expand the domain name object, expand the MyBusiness OU, and expand Users.
  4. Right-click on the SBSUsers OU and select New, Organizational Unit from the context menu.
  5. Title your new OU LimitThese, then click OK.

Now you will use the Group Policy Management snap-in:

  1. In the Server Management console under Advanced Management, select Group Policy Management.
  2. Expand Forest, Domains, your domain name, MyBusiness, Users, and SBSUsers.
  3. Right-click the new OU you created above, LimitThese. Select Create and Link a GPO Here and name the new GPO NoRegeditNoRun.

BEST PRACTICE: When possible, I like to use a name that will remind me about what the GPO does.

For a look at the power of GPOs, complete this quick exercise. Right-click on the NoRegeditNoRun GPO and select Edit from the context menu. As you can see, there are two main sections: Computer Configuration and User Configuration. Take a moment and observe the thousands of GPO settings available. It is here you start to see the power that Group Policy can put in your hands via GPOs.

  4. Expand User Configuration, Administrative Templates and click Start Menu and Taskbar.
  5. Scroll down to Remove Run menu from Start Menu. Double-click this setting to open it.
  6. Click the Enabled radio button. You can click the Explain tab for a detailed explanation of the setting. Kudos to the Microsoft team that wrote this excellent on-line help!
  7. Click OK.
  8. Select the heading titled System. In the right-hand pane, open Don’t run specified Windows applications.
  9. Click the Enabled radio button.
  10. Click Show. The Show Contents dialog box appears.
  11. Click Add and enter regedit.exe in the text field.
  12. Click Add again and enter regedt32.exe in the text field.
  13. Click Add again and enter cmd.exe in the text field. The Show Contents dialog box now lists the three programs, similar to Figure 4-3.
  14. Click OK twice and close the Group Policy Object Editor snap-in.








Figure 4-3

Observing the commands you have entered that will not run.






So what does the new GPO do at this point? Nothing. We have not put any users into the LimitThese OU we created, so perhaps I just gotcha with that trick question, huh? But once users have been placed in the OU, they will be affected by the GPO: the Run command will not be available from the Start menu on their desktop computers, and they will not be able to use the registry editor or the command prompt. Keep in mind what this setting actually does: Don’t run specified Windows applications is honored by Windows Explorer and matches on the file name only, so a copy of regedit.exe under another name, or a program started by something other than Explorer, is not stopped. Treat it as a way to keep users out of trouble, not as a security boundary; for that you need NTFS permissions or Software Restriction Policies.
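As an added example (not the book’s own procedure), here is the same OU, GPO, link and two settings built with the GroupPolicy PowerShell module, which exists on Windows Server 2008 R2 / RSAT and later but not on SBS 2003 itself. It writes the registry values behind the two Administrative Template settings directly, which also documents where those settings land on the client. The names match the walkthrough; the parent OU path is assumed from the SBS default layout.

```powershell
# Added example (not from the book): LimitThese OU + NoRegeditNoRun GPO via the
# GroupPolicy and ActiveDirectory modules (Server 2008 R2+/RSAT; not on SBS 2003).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName
$parentOU = "OU=SBSUsers,OU=Users,OU=MyBusiness,$domainDN"   # assumed SBS default layout
$ouName   = 'LimitThese'
$gpoName  = 'NoRegeditNoRun'
$ouDN     = "OU=$ouName,$parentOU"

# Create the OU only if it does not already exist.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $parentOU -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $parentOU | Out-Null
}

# Create the GPO and link it to the new OU (the "Create and Link a GPO Here" step).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Removes Run and blocks regedit/cmd for users in LimitThese'
}
$existingLink = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# User Configuration > Administrative Templates > Start Menu and Taskbar >
# "Remove Run menu from Start Menu" sets HKCU\...\Policies\Explorer\NoRun = 1.
$explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# User Configuration > Administrative Templates > System >
# "Don't run specified Windows applications" sets DisallowRun = 1 and fills a
# DisallowRun subkey whose string values "1", "2", ... hold the file names Explorer refuses to start.
Set-GPRegistryValue -Name $gpoName -Key $explorer -ValueName 'DisallowRun' -Type DWord -Value 1 | Out-Null
$blocked = 'regedit.exe', 'regedt32.exe', 'cmd.exe'
$i = 1
foreach ($exe in $blocked) {
    Set-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" -ValueName "$i" -Type String -Value $exe | Out-Null
    $i++
}

# Read the settings back from the GPO to confirm what clients will receive.
Get-GPRegistryValue -Name $gpoName -Key $explorer | Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $gpoName -Key "$explorer\DisallowRun" | Select-Object ValueName, Value
```

The script is safe to re-run: the OU, the GPO and the link are created only when missing, and Set-GPRegistryValue simply overwrites values that are already there.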

BEST PRACTICE: A note of caution: be careful! You can really hurt yourself with group policy, so go lightly until you get a feel for it. Be especially careful that you don’t put yourself or the administrator in the OU that you just created. Why? Because you will find it difficult to administer your network with the above-cited functionality disabled.




Always test your GPO on a temporary user to make sure it performs as expected, before turning it loose on your network. Go ahead and create a temporary user in the new OU. Log on to a workstation as that new user to see the effect of the policy. Log off and log back on as the administrator. See why we put our GPO in the user section instead of the computer section? It is very important to think about what it is you are trying to control. Also keep in mind that most user settings are applied at logon, whereas most computer settings are applied at boot-time.
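To make that test more than a quick look at the Start menu, here is an added check script (not from the book) to run on the workstation while logged on as the temporary user. It reads the Group Policy history the client keeps per user to show which GPOs were applied, then verifies the exact registry values the NoRegeditNoRun GPO should have set. It relies only on the registry, so it works on SBS 2003-era clients as well as current ones; the history key layout (a per-extension GUID with one numbered subkey per applied GPO) is standard Windows behaviour.

```powershell
# Added example (not from the book): verify the NoRegeditNoRun GPO on a client
# while logged on as the test user. Run "gpupdate /force" first if you just moved the user.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# 1. Which user-side GPOs did the Registry client-side extension apply?
#    {35378EAC-683F-11D2-A89A-00C04FBBCFA2} is the Administrative Templates (registry) extension.
$history = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}'
"Applied registry-policy GPOs for $env:USERNAME :"
Get-ChildItem $history -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Select-Object DisplayName, GPOName, Link |
    Format-Table -AutoSize

# 2. Check the values the two settings are supposed to write.
$p = Get-ItemProperty $explorer -ErrorAction SilentlyContinue
$checks = [ordered]@{
    'Run removed from Start menu (NoRun = 1)' = ($p.NoRun -eq 1)
    'DisallowRun enabled (DisallowRun = 1)'   = ($p.DisallowRun -eq 1)
}

# The list of blocked programs lives in numbered string values under the DisallowRun subkey.
$list = Get-ItemProperty "$explorer\DisallowRun" -ErrorAction SilentlyContinue
$blocked = @()
if ($list) {
    $blocked = $list.PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}
foreach ($exe in 'regedit.exe', 'regedt32.exe', 'cmd.exe') {
    $checks["$exe in DisallowRun list"] = ($blocked -contains $exe)
}

"`nSetting checks:"
foreach ($entry in $checks.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK' } else { 'MISSING' }
    '{0,-45} {1}' -f $entry.Key, $state
}
```

If the first table does not list NoRegeditNoRun, the user is not in the OU, the link is disabled, or inheritance is blocked somewhere between the OU and the domain; if the GPO is listed but a value is MISSING, the setting was not saved in the GPO. Remember what a passing result proves: Explorer will refuse those three file names. It does not stop a renamed copy of regedit.exe or a launch from a non-Explorer parent, so use this test to confirm the policy applied, not to certify that the tools are unreachable.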

Internet Explorer GPO Trick

Here is a tip that will help you win the hearts of your clients. People like to see their names in important places, so put the client’s company name on the title bar of Internet Explorer. How, you ask? With a GPO setting in the Default Domain Policy, so that every user in the domain sees it. (Editing the Default Domain Policy is the quickest route; the tidier habit is a separate GPO linked at the domain, which leaves the default policy untouched and can be unlinked on its own.)

  1. In Group Policy Management, right-click the Default Domain Policy and select Edit. In the Group Policy Object Editor, expand the User Configuration section.
  2. Expand Windows Settings and Internet Explorer Maintenance, and select Browser User Interface.
  3. Double-click the Browser Title object, select Customize Title Bars, and enter the client’s company name.
  4. Click OK.
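As an added example (not from the book), the same title-bar change expressed as a Group Policy Preferences registry item with the GroupPolicy PowerShell module. Internet Explorer Maintenance, used in the steps above, was removed starting with Internet Explorer 10, so on current clients this registry value is the form that still works. It targets the Default Domain Policy as the text does; the company name is a placeholder.

```powershell
# Added example (not from the book): set IE's title-bar suffix via a GPP registry item.
# Internet Explorer Maintenance (the GUI path above) no longer exists in IE 10 and later;
# the underlying value it wrote is HKCU\Software\Microsoft\Internet Explorer\Main\Window Title.
Import-Module GroupPolicy

$gpoName = 'Default Domain Policy'
$company = 'Contoso Consulting'          # assumed client name
$ieMain  = 'HKCU\Software\Microsoft\Internet Explorer\Main'

# IE appends " - <Window Title>" to every page title; removing the value restores the default.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key $ieMain -ValueName 'Window Title' -Type String -Value $company | Out-Null

# Confirm what the GPO now carries. On a client, after gpupdate and a fresh IE window,
# the same value appears under HKCU for the user.
Get-GPPrefRegistryValue -Name $gpoName -Context User -Key $ieMain
```

Because this is a preference rather than a policy, the user could change the value back; for a cosmetic branding item that is the right trade-off, and it avoids the “tattooed” registry entry you would get from a custom ADM setting.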

