Microsoft’s official Group Policy blog
We often have groups of customers come to Redmond to visit and provide their feedback about the direction in which we are taking our products. Recently, a group of folks joined us for a few days to talk specifically about the desktop and its direction as it relates to their corporate environments. The goal was to learn how they (and most likely you) are using Group Policy and how they would like to see it improved.
We asked a couple of key questions in the meeting that I would like to repeat here. Please take a couple of minutes to respond to this blog post.
We will appreciate any and all feedback.
Technical Editor (Group Policy, Windows Server Update Services, and Server Manager)
Hi, I have a few remarks on group policies:
1) Policies we would like to see, but are unavailable today:
-> The ability to manage scheduled tasks via Group Policies
-> The ability to enforce that only one network is active (prevent a user from being wired to the corporate LAN and wirelessly connected to a hotspot at the same time)
-> The ability to manage System Restore in Windows Vista (we've lost control over that; be able to set a maximum percentage of disk space it can consume)
-> The ability to manage the shadow copying service (set a maximum percentage of disk space it can consume, define a number of versions to keep, ...)
-> The ability to manage the schedule of the built-in defragmenter
-> The ability to set a maximum size for the Internet Explorer Cache
-> The ability to set the default network profile (private/work, public) + the ability to predefine some networks that should be considered as private.
-> The ability to suppress the EULA of the Windows Mobile Device Center
-> The ability to suppress all update links of the Windows Mobile Device Center
2) Policies that exist, but lack some functionality:
ActiveX Installer Service:
You should have the option to specify wildcard characters
You should have an additional option that blocks all other sites for installation (=no UAC prompt), if not listed
At our company we want that after 15 minutes of idle time the screen saver is turned on and password protected, but we don't want to enforce the screen saver. Today you can't accomplish that.
Today you can enforce UAC, however the user (if he/she has permissions) can still modify this using the interface or using msconfig.
Normally in both interfaces this option should be grayed out and furthermore this registry key should be protected by a system integrity level.
Internet Explorer Add-on Management:
It still lacks the ability to allow/block add-ons based on publisher (similar to what's available for the sidebar)
3) Policies that don't work:
Windows Sidebar - Turn Off User Installed Windows Sidebar Gadgets
4) Some things about Policy processing:
Make policy processing more robust when connections are slow/unreliable. Even if the processing fails, the computer should still have its old settings. We had a fix for this issue on XP, but on Vista the problem is still there.
I'm not sure how WMI filters work, but I believe each time a policy is processed the WMI filter is processed as well. This means if you have 10 policies with the same WMI filter attached, the WMI query is executed 10 times. This would be very inefficient and if this is the case today, could you please adapt this?
Wow, Thanks Kris...
This is a fantastic list! we really appreciate the thought you put into this.
Yes, thank you, Kris! Really appreciate the list.
Anyone else want to jump in here? We don't bite. :)
Very basic request: SUPPORT FOR the GPMC on Server 2003 x64 Edition!! It's so frustrating to read the FAQs for the GPMC... they simply say that it's not supported on x64 edition. They don't give any explanation for why this is the case. Even worse, they give no indication that this is ever going to be fixed.
Their solution: install the GPMC on an XP workstation. Yes, I know I can do that, but I'm an IT consultant and most of the time I'm managing servers and GPOs through a remote desktop connection over the internet. Since many of my clients have small, one-server environments, running the GPMC from another computer on their network is almost always not an option for me.
Not being able to manage GPOs straight from an x64 domain controller is going to be a HUGE problem.
Can someone shed some light on this?
There are a few things, really
1. I agree with the "only one active network connection" comment - this is a major security concern for us. We have 150,000 laptops, and want to disable the wireless network card when they're connected to the corporate LAN. This is to prevent people pulling up in a car outside our offices and using a connected laptop as a network bridge. We're in your Vista "TAP", and had hoped to see this - it would be great to see it for SP1.
2. Fix the local RSOP tool! Requiring GPMC to be able to read all local RSOP on Vista clients is unrealistic for an enterprise LAN like ours!
3. These last two really come down to the granularity of control: in Internet Explorer, many settings that are entered are completely unavailable – an example would be the proxy server or autoconfig url (ACURL). If a user is having problems connecting to the internet, and the helpdesk want the user to read the string, all they can see is http://acurlconfig.ourcompany.com/ - nothing useful, as we need to know the specific settings after this which determine how the ACURL script is created dynamically depending on a user’s machine configuration, which is in turn set by site group policy.
4. In the "Advanced" tab in Internet Explorer, grey out the settings that are set by GP (like when you attempt to edit Local Group Policy, and domain-wide settings override some options - you just can't edit them). This way, we would be able to leave the tab there so that more advanced users could change the ones that we don't set (i.e. ones that have little effect on the client, but which they may want to change for their own personal reasons).
I second the SUPPORT FOR the GPMC on Server 2003 x64 Edition!! How can this not happen? From what I can tell, MS wants us on the 64 bit bandwagon but yet they don't have basic tools for it? I sold my boss on a 64 bit DC for a brand new domain we are migrating to and have no GPMC to edit from on the server. I can't do an XP machine for each of the three domains I am working on unless of course MS wants to give us one since they don't have a GPMC for 64 bit. :)
Lots of other good suggestions listed above. I wish I had time to compile a list but I am swamped at the moment.
Setting location of IE History via GP.
Setting location of ALL loggable outputs via GP.
Setting redirection of desktop, appdata etc per Computer policy, not just user policy.
Enforcement of a controlled Outlook Disclaimer via Group Policy.
I could slightly understand MS$ unwillingness to put resources into creating a 64-bit version of GPMC if there was no need. The 64-bit version exists for Vista and Group Policies should be managed from a desktop. BUT! My network has approx 15,000 desktops and we are using Forefront Client Security. This requires considerable amounts of constant database communication, therefore a high-I/O 64-bit box is in order. We are unable to install the Forefront SQL database on our 64-bit SQL 2005 server simply because there is no GPMC installed. This is where I believe MS$ has left users like me in a bind.
I can't believe I didn't spot this earlier...
Anyway, first let me say that Group Policy is the best thing since sliced bread - I love it. Thank you!
Secondly, I don't know if it's too late to answer your questions...but here goes...
1). At the moment I am trying to disable Smart Card Readers via Group Policy and I'm unable to do so. I have used the "Restrict Driver Installation" - but the drivers are already installed. I need to find a solution to two problems...
a) ...prevent users from copying data from our network onto Smart Card devices...
b) ...the logon script automatically maps drives for our users. However, it is erroring because the drive letters that should be mapped to network shares are being used by Smart Card Readers. On our new machines there are 4/5 drive letters that are being used by devices I want disabled (centrally).
Although the "Prevent Driver Installation" policy is useful, please can we have a new policy that "Disables Hardware Devices..."? Many thanks!
2). I've never modified a Local Policy - yet! I'm using Group Policy to manage the computers in my environment. By making/creating/modifying the Local Policy then I would be moving away from Central Management - This is the devil as far as I'm concerned. :-)
3) Purchasing DesktopStandard's PolicyMaker is FANTASTIC news for us administrators. The features in this product are AMAZING.
Is this thread a good place to place any future Group Policy suggestions?