Understanding Group Policy (Part 2 of 3): Webcast (11-15-2006)

  • Article

 

Here is the link to the Part 2 webcast: Understanding Group Policy (Part 2 of 3)

Here are the questions and answers for Part 2:

Question: I am trying to find a way with GPO to redirect the Favorites folder to the server
Answer: This one was something I thought was done by default however, I found out that you have to make a custom .adm file to accomplish this. Thanks to one of the attendees, Dan, who sent me the template and if you would like to see it, ping me.

Question: If you restrict access to the registry GP can you further define which registry keys can be restricted or written to?
Answer: Yes, the registry still has it’s own set of ACls.

Question: If you change the local policy on the local computer, will it override the domain policy or the OU policy?
Answer: No, it may temporarily win, GPO re-apply at logon or startup or a time interval.

Question: How can you go about creating *.msi files for applications?
Answer: Take a look at this KB: https://support.microsoft.com/kb/257718

Question: Is there a way we can print out our group policies for documentation purposes?
Answer: Yes, in GPMC right click on the settings tab and select save report.

Question: How to run scripts using group policy?
Answer: Take a look at this KB for a start: https://support.microsoft.com/kb/198642

Question: Can users be prevented from accessing the internet during certain hours of the day using group policy?
Answer: I could not find a GPO setting that would work for this, however I would really configure this at the firewall.

Question: If you have your own CA, can you assign a certificate to any application to use for software restrictions?
Answer: Yes, however I would do some initial testing on this.

Question: If I want to apply GPs in an OU only to certain users (part of a users group) and computers (part of a computers group) so that only those users can logon to those computers in that OU, what should be under names in the security filtering section of the GPO?
Answer: I would set the deny application of group policy for the users/computers you did not want to have the settings applied.

Question: Can you restrict access to USB devices with GP?
Answer: Yes, you can there is a section in GPO to deny removable storage. However this capability in Windows Vista gets greatly improved! Take a look at this excellent document to learn more how Windows Vista handles this: https://www.microsoft.com/technet/windowsvista/library/9fe5bf05-a4a9-44e2-a0c3-b4b4eaaa37f3.mspx

Question: What is Better : Create Single GPO with all setting or Make Small GPO's with each have a single setting?
Answer: That is an excellent question, the number of settings really do not have the impact on performance as a lot of actual GPO's.  Remember each GPO has a registry.pol file that has to be applied the more GPO's the more files.  However, if you have one gigantic policy file it will be very large, but more importantly it would be very difficult to troubleshoot.  I still do not recommend just 1 policy file but a few will give you a nice mix of performance and ease of troubleshooting.

Question: Can you audit websites visited in IE in GP?
Answer: Even I could do this with GPO, I would still use your firewall to monitor this activity.