This is our ARCHIVE site. This site contains content that was on our community site "amset.info" and is no longer maintained. However as there are large numbers of links to the content on the internet, it has been retained on this site so that people who find that information of use, can still access it. However it cannot be guaranteed to be up to date, or accurate, particularly with regards to modern best practises. Most of the content was originally written between 1998 and 2008.

Image watermarks refer to the old url of amset.info, which is another domain under control of Sembee Ltd.

Our Exchange Server related content can be found at http://exchange.sembee.info/ and is actively maintained. Other sites from Sembee include: dosprompt.info - loginscripts.info - office-recovery.com - wuauclt.info - statuspages.co.uk

Windows

Using Local Policy to Turn Off Windows Features

Windows 2000 and XP are very feature rich products. However you may not want all the features to be enable for all users. For example not everyone likes the "Auto play" feature on the CD-ROM drives. While you can get a work around for them or make registry changes, Microsoft have thoughtfully provided a method of turning these off for all users.

Primarily designed for network administrators to make changes across the entire network, you can also use these tools to make changes on a local machine, without having to delve in to the registry. This tool is known as a policy. The network version is called "Group Policy" and the version used on your local machine is called "Local Policy".

Starting the Policy Editor

Starting the policy edit is quite simple.

1. Click start and then run.
2. Type "gpedit.msc" (minus the quotes) and press enter.
3. The policy editor will start.

It should say in the top left corner "local computer policy"

Using the Policy Editor

Before making any changes, you should familiarise yourself with the editor.
It is split in to two main sections: "Computer Configuration" and "User Configuration".

Predictably, the "Computer Configuration" section makes changes to how the computer itself is configured.
The "User Configuration" makes changes to how the user environment is setup.

In both sections you will find the same subsections, some of which you have no need to touch. The one you will be most interested in for both User and Computer configuration is the section marked "Administrative Templates".

When you are making changes, there are usually three states:

1. Not configured. This is the default state. This means that the policy is not over riding any configuration changes that have been made on the machine by the user. If you don't want to specify a certain setting, then the setting should be left with this option enabled.
2. Enabled. This means that the particular setting or option is set. Be careful when you are setting options. For example "Enabled" against "Auto Play is disabled" means that Auto Play is disabled.
3. Disabled. This is the opposite of enabled. This typically means you have turned off access to a feature that would normally be accessible.

There will be exceptions to some settings, where you are asked to actually enter text or choose from a list. Often, you will enable a setting then will have further options available to you once it has been enabled.

If you are using Windows 2000, you can access an explanation of what each change will do by right clicking the setting and choosing properties. The "explain" tab will give you information.
You can access this same information in Windows XP by choosing the "Extended" tab at the bottom of the Policy Editor window. It is also available from properties as per Windows 2000.

Seeing the Changes

In many cases the changes you make will take affect immediately. You may hear your machine work for a moment while it applies the changes and the desktop refresh. However you may want to reboot the machine to see whether they have the affect you were after. 

Policy Highlights

Here are a couple of changes to the policy that you might want to consider making.

Set Internet Explorer Homepage. Stop your home page being changed. It is changed back each time you login. Will affect all users of your machine.

User Configuration: Windows Settings: Internet Explorer Maintenance: URLs: Home Page

Disable External Branding of Internet Explorer. Fed up with "Internet Explorer Provided by..." all over your browser. Turn it off with this change:

User Configuration: Administrative Templates: Windows Components: Internet Explorer: Disabled External Branding

Disable Auto Play. Turn off auto play of new CD-ROMs and music CD's:

User Configuration: Administrative Templates: System: Disable Auto Play
Computer Configuration: Administrative Templates: System: Disable Auto Play

Remove CD Burning Features (Windows XP). If you have 3rd Party CD burning software, then the built in tools can get in the way. Turn them off.

User Configuration: Administrative Templates: Windows Components: Windows Explorer: Remove CD Burning Features

Turn Off Personalised Menus. Does the start menu annoy you by not showing everything? Turn off personalised menus for all users by enabling this setting.

User Configuration: Administrative Templates: Windows Components: Start Menu and Task Bar: Disable Personalised Menus

Turn off the "Set Program Access and Defaults" options. Introduced with the latest service packs was the option to change the default programs on Windows. You may want to disable this option.

User Configuration: Administrative Templates: Control Panel: Add or Remove Programs: Hide Set Program Access and Defaults page

Recovery Console - Allow Floppy Copy and Access to all drives and folders. If you have installed the recovery console, then you need to make this change before the recovery console needs to be used. It will give you access to the entire machine should you need to use the recovery console.

Computer Configuration, Windows Settings, Security Settings, Security Options, Recovery Console, Allow Floppy Copy and Access to all drives and folders.

Disable Shutdown Event Tracker (Windows XP and Windows 2003 Server). If you have used Windows 2003 server you will have seen the new "Shutdown Event Tracker" facility where you have to choose a reason for shutting down the server. It can also be enabled in Windows XP. This is for statistic collection. If you want to turn this new feature off on all machines, then make the following change.

Local Computer Policy, Computer Configuration, Administrative Templates, System, where you will find it under "display event tracker".

Applying Internet Explorer Security Settings to All Machines

One of the features of Group Policy is its ability to apply security settings to Internet Explorer that takes affect on all machines in the OU. The most useful of this is to add Intranet sites to the list so that Integrated Windows Authentication Works.

However the capability to do this is not that clear. However you can set it how you like.

1. Open the Group Policy editor for the domain.
2. Go to the following location in the Group Policy location: User Configuration, Windows Settings, Internet Explorer Maintenance, Security.
3. In the right window you will see an object called "Security Zones and Content Ratings". Double-click it to open it.
4. The "Security Zones and Content Ratings" window will open. In the section labelled "Security Zones and Privacy" there are two radio buttons. Choose the second one - "Import the current security zones and privacy settings" so that "Modify Settings" becomes enabled.
5. Click on "Modify Settings".
6. The Internet Explorer security window will be opened and you can change the settings to what you wish.
   For example, if you want to add an address to to the list of sites in the Intranet zone (allowing you to use Windows Integrated Authentication) you need to do the following.
   1. Click on "Local Intranet" so that the "Sites" button becomes enabled.
   2. Click on the "Sites" button.
   3. You will see three options already enabled. Leave those alone and click on the "Advanced..." button below them.
   4. Enter the addresses of the sites you want to include.
      Note. You can use wildcards. Therefore if you have sites called home.domain.com and intranet.domain.com you might want to enter *.domain.com instead.
   5. If you are using a certificate on these sites, then you could enable "Require server verification (https:) for all sites in the zone" but you should test first.
7. Once you have finished making your changes just click "OK" until you are back to the Group Policy window again.
8. You will need to log off and log back on again for the changes to take affect on workstations.

These settings override any that the users may have put in themselves, so be aware before you enable the features.

Third Party and Other Application GPO Plugins

Third parties are now starting to provide Group Policy controls.

Microsoft Office: Don't forget that if you download and install the Office Resource Kit (free download from MS) then you get control over Office applications as well. If you are using mixed versions of Office then you will need to install the ResKit for each version and set the GPO options appropriately.