Win Server 2008 Directory Services, Group Policy Preferences - Control Panel Settings

Friday Nov 6th 2009 by Marcin Policht

Group Policy Preferences makes it possible to reap the biggest benefits of an Active Directory environment by simplifying client management. Control Panel Settings help facilitate this.

In the previous installment of our series dedicated to the most prominent features available in Windows Server 2008 based Directory Services, we introduced the concept of Group Policy Preferences. In addition to describing their basic characteristics (focusing in particular on the aspects of their functionality that distinguish them from Group Policies), we also started discussing specifics of their implementation. So far, we have covered configuration options grouped under the Windows Settings node in the Group Policy Management Editor interface.

This article will focus on the other type, labeled Control Panel Settings. As the name indicates, items in this category correspond to individual Control Panel applets and manage functionality they represent. The majority of them can be assigned via either User or Computer Configuration (similarly to Windows Settings), although there are several exceptions, which we will point out throughout the course of our presentation.

Control Panel Settings: Data Sources

These enable you to create, replace, update, or delete user and system connections (the latter is the only choice available via the Computer Configuration node) to data sources (leveraging a variety of data providers) exposed via the Data Sources (ODBC) utility (accessible from the Administrative Tools menu). When creating new entries, you might want to first configure them on the administrative computer (on which the Group Policy Preferences will be defined) using the graphical interface of the Data Sources (ODBC) utility. This will allow you to select an existing Data Source Name, eliminating the need to type in its parameters. On the other hand, if you are creating an entry manually, keep in mind that the Data Source Name field supports Preference variables, a listing of which you can display by pressing the F3 key.

If you decide to specify credentials to authenticate to data sources (rather than relying on Windows integrated authentication), note that they are stored in 256-bit AES encrypted format in the corresponding Group Policy Preferences XML file (named, in this case, DataSources.xml) residing within the GPO-specific folder hierarchy under the SYSVOL share. While this provides a reasonable degree of protection, it introduces maintenance overhead (assuming accounts are not assigned non-expiring passwords), so it is not generally recommended. More importantly, such an approach will fail when using the MS SQL Driver (since its implementation does not permit hard-coded passwords) unless you modify the resulting XML file and manually remove the username and cpassword attributes.

Control Panel Settings: Devices

These allow you to enable or disable a designated device class or type. This is accomplished by clicking the command button that appears next to the Device class entry in the New Device Properties dialog box (in the Group Policy Management Editor), which displays the Select a Device Class or a Device window, mirroring the appearance of the Device Manager console.

The content reflects the local hardware configuration. Unfortunately, this approach is fairly limited, since it relies on having an administrative computer (running Vista or a later operating system) with the same set of components as the intended target. To work around this limitation, you might try editing the resulting Devices.xml file (residing in the Machine or User Preferences\Devices subfolder of a GPO-specific folder under SYSVOL/domain_name/Policies).

If you pursue this approach, you will need to determine the appropriate values of the deviceClass, deviceType, deviceClassGUID, and deviceTypeID attributes by examining the corresponding entries in that device's Properties dialog box in Device Manager. They are, respectively, represented by the Class long name, Display name or Friendly name, Device class guid, and Device Instance Path properties on a target computer. Alternatively, you might be able to extract the relevant information from the device driver INF file. These values would then have to be entered manually in the file, while preserving correct XML syntax. You can then find them on the MSDN site. Keep in mind that this is not a Microsoft-supported procedure.
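A check to run on a hand-edited Devices.xml before it goes back to SYSVOL, as an added example that is not part of the original article: it confirms the content is well-formed XML and that every item carries all four attributes named above. The function name, element names and sample values are constructed for illustration, and treating deviceClassGUID as a parseable GUID is an assumption.

```powershell
# Added example: sanity-check hand-edited Devices.xml content.
function Test-GppDevicesXml {
    param([Parameter(Mandatory)][string]$Content)

    $required = 'deviceClass', 'deviceType', 'deviceClassGUID', 'deviceTypeID'
    try   { $doc = [xml]$Content }
    catch { return "Not well-formed XML: $($_.Exception.Message)" }

    $findings = @()
    # Select by attribute so the check does not depend on element names.
    $xpath = '//*[@deviceClass or @deviceType or @deviceClassGUID or @deviceTypeID]'
    foreach ($node in $doc.SelectNodes($xpath)) {
        foreach ($name in $required) {
            if ([string]::IsNullOrWhiteSpace($node.GetAttribute($name))) {
                $findings += "<$($node.LocalName)>: missing or empty '$name'"
            }
        }
        $parsed = [guid]::Empty
        $raw = $node.GetAttribute('deviceClassGUID')
        if ($raw -and -not [guid]::TryParse($raw, [ref]$parsed)) {
            $findings += "<$($node.LocalName)>: deviceClassGUID '$raw' is not a GUID"
        }
    }
    $findings
}

# Constructed sample: one complete item, one with a bad GUID and no deviceTypeID.
$sample = @'
<Devices>
  <Device name="constructed-good">
    <Properties deviceClass="Sample class" deviceType="Sample device"
                deviceClassGUID="{00000000-1111-2222-3333-444444444444}"
                deviceTypeID="SAMPLE\DEVICE\0001"/>
  </Device>
  <Device name="constructed-bad">
    <Properties deviceClass="Sample class" deviceType="Sample device"
                deviceClassGUID="not-a-guid"/>
  </Device>
</Devices>
'@

Test-GppDevicesXml -Content $sample
```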

Control Panel Settings: Folder Options

These are available as part of both Computer and User Configuration. They define settings that control the appearance of Windows Explorer and file associations, which determine the program invoked when opening a file based on its extension. Three items are in the New submenu: Folder Options (Windows XP), Folder Options (Windows Vista) and Open With. The first one is intended for Windows XP and Windows Server 2003 systems and, for the most part, it is identical to the content of the View tab of the Folder Options Control Panel applet. The same applies to the second one, applicable to Vista and Windows Server 2008/2008 R2-based targets. This separation reflects changes in the graphical interface (such as preview handlers) and enhanced search functionality introduced in Vista. The third option, New Open With, gives you the ability to Create, Replace, Update, or Delete file associations.

When viewing the content of the Advanced tab of the New Folder Options (Windows XP) and New Folder Options (Windows Vista) dialog boxes, you will likely notice their entries are underlined with either solid green or dashed red lines. This is a visual clue, indicating whether they will be processed or ignored. The status of a checkbox next to each entry determines whether the corresponding setting will be enabled or disabled. If you want to change the default assignment, use the function keys in the following manner:

  • F5 ensures all settings will be processed (which is designated by a green solid line under all entries)
  • F6 ensures an individual, currently selected item will be processed (which is designated by a green solid line under this particular entry)
  • F7 ensures all settings will be ignored (which is designated by a red dashed line under all entries)
  • F8 ensures an individual, currently selected item will be ignored (which is designated by a red dashed line under this particular entry)

Control Panel Settings: Internet Settings

This is one of the few user extensions without a computer equivalent. It provides a way to manage Internet Explorer configuration. The list of available choices starts with versions 5 and 6, combined together into a single menu item in the Group Policy Management Editor. Preferences for IE 8 are available starting with Windows 7 (with Remote Server Administration Tools installed) and Windows Server 2008 R2.

Like other options discussed here, the interface is straightforward, mirroring the Internet Properties dialog box accessible via the Internet Options Control Panel applet. Some of its settings are grayed out and therefore not configurable via Group Policy Preferences. This restriction applies to listings of sites assigned to individual zones on the Security tab, Privacy settings on the Privacy tab (with the exception of Pop-up Blocker, which you can enable starting with Internet Explorer 7), the entire content of the Content tab in Internet Explorer 5 and 6, and the assignment of Internet programs (Programs tab).

Unfortunately, here as well you might run into some problems when using Vista or Windows Server 2008 based Group Policy Management Editor. Refer to Knowledge Base article 970840 for details and the resolution.

Note that the Home, Search, Support, and Download Directory entries on the General tab, as well as the entries on the Security (Security level for each zone), Advanced, and Connections tabs, are subject to the rules that we described when discussing Folder Options (in regard to the ability to control which settings are processed and which are ignored). The only notable difference concerns visual clues on the Security and Advanced tabs, which take the form of green and red circles rather than green solid and red dashed lines.

Control Panel Settings: Local Users and Groups

This facilitates local user and group administration. Since it exists in both User and Computer Configuration nodes, it permits you to control whether the intended action will target a specific system or will be carried out following logons of a designated user. You can create, replace, update, and delete users and groups. Obviously, these actions are subject to the same restrictions as regular account management, so certain operations, such as attempts to delete built-in groups, will simply fail. Remember, replacing an existing security principal will yield another one with a different SID, thus preventing you from retaining the same set of permissions. Unless this is the desired outcome, rely on updates instead.

In addition, you have the ability to assign a new group name or description, as well as to add or remove its members (including deleting all of them). There is also an option to Add the current user to a local group, providing an interesting solution in scenarios where elevated privileges must be granted temporarily to interactive users. Note, however, that when implementing this approach via User Configuration, the change does not take effect until the second logon.

For local user accounts, existing options give you the ability to perform such actions as renaming them, resetting their passwords (including forcing a password change at next logon or preventing their changes altogether), as well as setting their expiration date and status (enabled or disabled). As mentioned before, credentials are stored in 256-bit AES encrypted format.
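Because SYSVOL is readable by every authenticated user in the domain and the AES key is the same in every domain (it is published in Microsoft's protocol documentation), it is worth knowing exactly which preference items carry a cpassword value, whether they come from Data Sources or from Local Users and Groups. The following audit is an added example, not part of the original article, and it reports where such values exist without printing them. The function name, the sample tree and the element layout are constructed; only the username and cpassword attribute names come from the text above.

```powershell
# Added example: inventory GPP XML files that carry stored credentials.
# Reports where a cpassword attribute exists; it never prints the value itself.
function Find-GppStoredCredential {
    param([Parameter(Mandatory)][string]$PoliciesPath)

    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File | ForEach-Object {
        $file = $_
        try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
        catch { Write-Warning "Skipping unparsable file: $($file.FullName)"; return }

        # Match on the attribute, not the element, so every preference type is covered.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $cp = $node.GetAttribute('cpassword')
            if ([string]::IsNullOrEmpty($cp)) { continue }
            # Attribute casing may differ between item types; compare case-insensitively.
            $account = $node.Attributes | Where-Object { $_.Name -ieq 'username' } |
                       Select-Object -First 1
            [pscustomobject]@{
                File        = $file.FullName
                Element     = $node.ParentNode.LocalName
                Account     = $account.Value
                ValueLength = $cp.Length
            }
        }
    }
}

# Constructed sample tree standing in for the Policies folder under SYSVOL.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample'
$dir  = New-Item -ItemType Directory -Force `
        -Path (Join-Path $root 'GPO-PLACEHOLDER\Machine\Preferences\DataSources')
@'
<DataSources>
  <DataSource name="SalesDb">
    <Properties username="svc_sales" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </DataSource>
</DataSources>
'@ | Set-Content -LiteralPath (Join-Path $dir.FullName 'DataSources.xml')

Find-GppStoredCredential -PoliciesPath $root | Format-List
```

Against a live domain, point `-PoliciesPath` at the Policies folder under the SYSVOL share; any row returned identifies an account whose password should be changed once the attribute has been removed from the file.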

In the next installment of our series, we will present the remaining Group Policy Preferences Control Panel settings (including Network Options, Power Options, Printers, Regional Options, Scheduled Tasks, Services, and Start Menu items).

Marcin Policht has been working in the technology field since 1994, primarily in the financial industry, specializing in enterprise-level administration and engineering. Among his personal accomplishments are several publications, including WMI Essentials for Automating Windows Management (SAMS Publishing), Windows Server 2003 Bible (Hungry Minds), Windows 2003 Active Directory (Sybex), and Building High Availability Windows Server 2003 Solutions (Addison Wesley). As a Microsoft MVP in Directory Services (since 2006), he has been focusing on the recent developments in identity management (in particular Active Directory), but also continuing to explore advancements in virtualization and clustering.
