Personal website of Dave Hope » Group Policy http://davehope.co.uk Open source projects, sysadmin stuff and general geekage Tue, 18 May 2010 11:46:44 +0000 en hourly 1 Creating a deny by default SRP http://davehope.co.uk/Blog/software-restriction-policy/ http://davehope.co.uk/Blog/software-restriction-policy/#comments Fri, 04 Jan 2008 12:58:12 +0000 Dave http://davehope.co.uk/Blog/creating-a-deny-by-default-srp/ Software Restriction Policies are a way of limiting what can be executed by a user. For more information see this page on technet. Basically, they allow you to limit what a user can run (No games etc). To create a basic Software restriction policy just follow the below guide.

1: Create the policy
Firstly you need to create a default policy from which you can build, to do this follow the below steps:

  1. Create your group policy as per normal
  2. When the policy editor is open (gpedit.msc) navigate to Computer Configuration -> Windows Settings ->Security Settings
  3. Right click “Software Restriction Policies” and click “Create New Policies”

At this point, you have a standard policy with nothing out of the ordinary.

2: Set policy enforcement
Now that you have the policy, you need to set what the policy will apply to.

  1. Click “Software Restriction Policies” if not already selected
  2. double-click “Enforcement”
  3. Choose “All Software files” and “All users except local administrators”

3: Remove links from protection
By removing link files, you’re allowing start menu entries, desktop shortcuts etc to execute. Make sure you prevent users from creating shortcuts then though.

  1. Double click “Designated File Types”
  2. Remove “LNK Shortcut” from the list and click OK
Reseller web host, shared and dedicated server web hosting offered by different companies can be compared with our services. Our cheap web host services include the domain names, seo tools and web site design templates.

4: Enable policy
Now, we need to enable the policy (or rather, change it from unrestricted to restricted)

  1. Expand “Security Levels”
  2. Right click “Disallowed” and choose “Set as default”
  3. Click “Yes” to set the defact action to restrict

If you then need to add exclusions to allow execution of programs etc, you can do that via the “Additional Rules” section.

]]> http://davehope.co.uk/Blog/software-restriction-policy/feed/ 0 Deploying the Java runtime environment (J2RE) http://davehope.co.uk/Blog/deploying-the-java-runtime-environment-j2re/ http://davehope.co.uk/Blog/deploying-the-java-runtime-environment-j2re/#comments Tue, 02 Oct 2007 11:29:32 +0000 Dave http://davehope.co.uk/Blog/deploying-the-java-runtime-environment-j2re/ This post will try and walk you through deploying J2RE using Group Policy Software Deployment.Firstly, download “Java Runtime Environment (JRE) 6″ from here, you’ll need the offline installer for this. Once downloaded, run it and an MSI will be extracted to your AppData folder, you can find it here:

%HOMEPATH%\Local Settings\Application Data\{3248F0A6-6813-11D6-A77B-00B0D0150060}

You then need to create an MST using Orcas and MsiTran or download mine. All you need to change if you create your own transform is change the IEXPLORER Property from 0 to 1.

Then put the MSI and MST in your distribution share and simply assign the MSI and apply the transform as you would normally and you’re done.

]]> http://davehope.co.uk/Blog/deploying-the-java-runtime-environment-j2re/feed/ 1 Deploying Office 2007 File Format Converters http://davehope.co.uk/Blog/deploying-office-2007-file-format-converters/ http://davehope.co.uk/Blog/deploying-office-2007-file-format-converters/#comments Thu, 31 May 2007 08:49:36 +0000 Dave http://davehope.co.uk/Beta/wordpress/Blog/deploying-office-2007-file-format-converters/ Since moving our network over to Office 2007 is a lot of work, and requires a fair ammount of user retraining I decided it best to just deploy the File Format Converters Microsoft realeased so that users with Office 2003 can open 2007 format documents.

For reasoning unknown to me, Microsoft released them as an exe as opposed to an MSI so it’s a little work to get them to deploy via group policy (and ZAP is evil).

Extract FileFormatConerters.exe to somewhere useful like so:

FileFormatConverters.exe /extract:\\nwtraders.msft\SoftwareDeployment\FileFormatConverters

Once that’s done setup the software installation as per usual and then use the following WMI filter to restrict the install to systems with Office 2003 (since we don’t want to install it if they have office 2007)

SELECT * FROM Win32_Product WHERE (Caption LIKE .Microsoft Office%2003%.)

]]> http://davehope.co.uk/Blog/deploying-office-2007-file-format-converters/feed/ 6 Apply Group policy to Windows XP and Windows Vista only http://davehope.co.uk/Blog/apply-group-policy-to-windows-xp-and-windows-vista-only/ http://davehope.co.uk/Blog/apply-group-policy-to-windows-xp-and-windows-vista-only/#comments Tue, 17 Apr 2007 08:56:03 +0000 Dave http://davehope.co.uk/Beta/wordpress/Blog/apply-group-policy-to-windows-xp-and-windows-vista-only/ Had an issue at work today on my work network where I wanted to have a group policy object apply only when they login to their desktops and not member servers.

SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE '%Windows Vista%'OR Caption LIKE '%Windows XP%'

By applying the above WMI filter to the group policy you will restrict the policy to Windows XP and Windows Vista only.

]]> http://davehope.co.uk/Blog/apply-group-policy-to-windows-xp-and-windows-vista-only/feed/ 2