Tuesday, July 12, 2011

IT Leadership: Group Policies

Today we were given what again sounded like a simple task. We were to create three policies.
1. Folder redirection
2. Login script
3. No icons on the desktop
1. Folder Redirection
When working with group policies which involve paths, there are many variables that can go wrong.
1. The first step to redirect your user's documents to a shared folder on your server is to create that folder. To do this, create a folder on the C:\ drive of your server. We named ours JSUsers. Change the settings on this folder to Shared and give it proper permissions:
Right-click the newly created folder and select Sharing and Security.
Click the Sharing tab and select the Share This Folder option. Note the exact name.
To set proper permissions on the shared folder, click the Permissions button.
On the share permission dialog box, select Allow for Read and Change. Then click OK and close the dialog box, then click OK on the shared folder properties.
2. The second step is to actually create the folder redirect policy. Go to the Group Policy Management module which can be found on the Start menu through the Administrative tools option.
a. Right-click on the domain name where you wish the policy to be applied and choose Create and Link a GPO here.
b. Click New, and type the name to use for the GPO. We chose JS Folder Redirection.
c. Click Edit to open the Group Policy snap-in and edit the new GPO.
d. In the Group Policy console, expand the User Configuration, Windows Settings, and Folder Redirection nodes. All icons for personal folders that can be redirected will be displayed; choose JSUsers.
e. Right-click the folder name, click Properties, and then select the Setting: Basic.
This will redirect everyone's folder to the same location. All folders affected by this Group Policy object will be stored in the JSUsers share.
f. In the Target folder location drop-down box, select Create a folder for each user under the root path. In the Root Path text box, type the name of the shared network folder to use, or click Browse to locate it.
g. Select the Settings tab. Choose Grant the user exclusive rights to My Documents. This sets the NTFS security descriptor for the %username% folder to Full Control for the user and local system only.
h. Click Finish to complete the Folder Redirection.
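To confirm that step g took effect, the per-user folders can be audited on the server. The script below is an added example, not part of the original post; it assumes the root is C:\JSUsers as named above and that each subfolder is named after the user's logon name. The function name is hypothetical.

```powershell
# Added example: audit the ACLs of per-user folders under the redirection root.
# Assumptions: the root is C:\JSUsers (the folder named in the post) and each
# subfolder is named after the user's logon name (%username%).
$Root = 'C:\JSUsers'
$SystemAccount = 'NT AUTHORITY\SYSTEM'

function Test-RedirectedFolderAcl {
    param([Parameter(Mandatory = $true)][System.IO.DirectoryInfo]$Folder)

    try {
        $acl = Get-Acl -LiteralPath $Folder.FullName -ErrorAction Stop
    }
    catch {
        # With exclusive rights only the user and SYSTEM are on the ACL, so an
        # account outside that pair may be refused when reading it.
        return New-Object psobject -Property @{
            Folder = $Folder.Name; Status = 'Unreadable'; Detail = $_.Exception.Message
        }
    }

    $problems = @()
    $userHasFullControl = $false

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        $account  = ($identity -split '\\')[-1]      # strip the DOMAIN\ prefix
        $isUser   = $account -ieq $Folder.Name
        $isSystem = $identity -ieq $SystemAccount

        if ($isUser -and $ace.FileSystemRights -eq 'FullControl') { $userHasFullControl = $true }
        if (-not ($isUser -or $isSystem)) {
            # Any other principal with access contradicts "exclusive rights".
            $problems += "$identity has $($ace.FileSystemRights)"
        }
    }
    if (-not $userHasFullControl) { $problems += 'folder user lacks Full Control' }

    $status = 'OK'
    if ($problems.Count -gt 0) { $status = 'Review' }
    New-Object psobject -Property @{
        Folder = $Folder.Name; Status = $status; Detail = ($problems -join '; ')
    }
}

Get-ChildItem -LiteralPath $Root |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-RedirectedFolderAcl -Folder $_ } |
    Select-Object Folder, Status, Detail |
    Format-Table -AutoSize
```

A folder reported as Review lists every principal other than the user and SYSTEM that holds an allow entry.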
References we used:
Microsoft. (2002, March 1). How to figure folder redirection [Web log post]. Retrieved from http://technet.microsoft.com/en-us/library/cc782799(WS.10).aspx
Shaurya. (2009, January 9). Re: Configuring folder redirection in windows 2008 [Online forum comment]. Retrieved from http://www.itechtalk.com/thread1958.html
De Silva, P. (2009, January 29). Step-by-step guide to redirect users “my documents” to server folder and implement disk quota [Web log post]. Retrieved from http://padmandesilva.wordpress.com/2008/01/29/step-by-step-guide-to-redirect-users-%E2%80%9Cmy-documents%E2%80%9D-to-server-folder-and-implement-disk-quota/
2. Login Scripts Using Group Policy
1. Create a login script using Notepad. Open Notepad and create the following file:
Save this file in the network's netlogon folder. (Ensure that you add the .bat extension and change the type to All Files.)
2. Open the Group Policy Management Console from the Administrative Tools option on the Start button.
3. To apply the script to all JSServer domain users, right-click the domain name and select Create and Link a GPO Here.
4. In the New GPO window, give the new GPO a descriptive name. We call ours JSlogin Script. Click OK.
5. Click on the new GPO. You will be prompted with a message window. Click OK.
6. Right-click the new GPO and select Edit.
7. In the Group Policy Object Editor window, expand User Configuration > Windows Settings > Scripts.
a. Double-click Logon in the right-hand pane.
b. In the Logon Properties window, click Show Files.
c. A window will open. Click the Add button. Browse to the login script on the network netlogon folder. Do not add anything in the script parameter.
8. Click OK.
To update the group policies we used a program called Specops Gpupdate. This was a time saver because we could force the group policies out to our workstations and then log in to check if the policies were working.
We could have replicated the policies manually by using the gpupdate command at the command prompt. However, even this command sometimes takes time.
To test the login script, we logged in using one of our authenticated users, clicked on the file management tab on the taskbar and looked for a networked drive called s:\.
The reference we used:
Petri, D. (2009). Setting up a login script through GPO in windows server 2008. Petri IT Knowledgebase. Retrieved from http://www.petri.co.il/setting-up-logon-script-through-gpo-windows-server-2008.htm
3. Group Policy - No Desktop
1. Open the Group Policy Management Console from the Administrative Tools option on the Start button.
2. To apply the policy to all JSServer domain users, right-click the domain name and select Create and Link a GPO Here.
3. In the New GPO window, give the new GPO a descriptive name. We called ours No desktop. Click Ok.
5. Click on the new GPO. You will be prompted with a message window. Click OK.
6. Right-click the new GPO and select Edit.
7. Under User Configuration, Preferences, Windows Settings, Registry, right-click and click New Registry Wizard.
8. Browse to the item HideDesktopIcons and select it.
The final step is to test if your policy works. Run the gpupdate command or the Specops Gpupdate program and log in to your workstations with authenticated users. If there is no desktop, you have been successful.
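The three tests described in this post can also be run as one check from the test user's session. This is an added example, not from the original post; the function names are hypothetical, and it assumes S: is the drive the logon script maps and that the HideDesktopIcons values sit under the NewStartPanel subkey shown.

```powershell
# Added example: run in the test user's session after logon.
# Assumptions: S: is the drive the logon script maps (as in the post); the
# NewStartPanel subkey is where the HideDesktopIcons values are written.
$HideKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'

function New-CheckResult {
    param([string]$Policy, [bool]$Pass, [string]$Detail)
    New-Object psobject -Property @{ Policy = $Policy; Pass = $Pass; Detail = $Detail }
}

function Get-PolicyCheck {
    # 1. Folder redirection: Documents should resolve to a UNC path on the server.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    New-CheckResult -Policy 'Folder redirection' -Pass ($docs.StartsWith('\\')) -Detail $docs

    # 2. Logon script: S: should exist and be a network drive.
    $type = (New-Object System.IO.DriveInfo 'S').DriveType
    New-CheckResult -Policy 'Logon script' -Pass ($type -eq 'Network') -Detail "S: drive type is $type"

    # 3. Desktop icons: count the values set to 1 (hidden) under the key.
    $hidden = 0
    if (Test-Path -LiteralPath $HideKey) {
        $key = Get-Item -LiteralPath $HideKey
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValue($name) -eq 1) { $hidden++ }
        }
    }
    New-CheckResult -Policy 'HideDesktopIcons' -Pass ($hidden -gt 0) -Detail "$hidden item(s) hidden"
}

Get-PolicyCheck | Select-Object Policy, Pass, Detail | Format-Table -AutoSize
```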
The reference we used for this was:
Louwers, H. (2010, July 24). Show / hide desktop Items windows 2008 R2 / windows 7 by means of registry and microsoft group policy preferences [Web log post]. Retrieved from http://hlouwers.wordpress.com/2010/07/24/show-hide-desktop-items-windows-2008-r2-windows-7-by-means-of-registry-and-microsoft-group-policy-preferences/
Today's challenges: It is always the small things. Our login script held us back for quite some time. In the end it was simply a space after the s: and before net logon. Thanks Jen! Yes, we can learn from each other's mistakes. We were also delayed when running the folder redirect policy. It had been working for some time before my muddled brain looked at exactly what it was supposed to be doing and it dawned on me that I had been looking for a home directory drive mapping but that is not what I had been asked to do. Yes, my documents folder is redirecting to the server's shared users folder. Aah...
