Windows Server 2008 Directory Services, Group Policy Preferences - More Control Panel Settings

Thursday Feb 11th 2010 by Marcin Policht

In Windows Server 2008, Group Policy Preferences simplifies client management, making it possible to reap the chief benefits of an Active Directory environment. The Control Panel Settings nodes in the Group Policy Management Editor make this possible.

In our description of Group Policy Preferences characteristics, introduced recently as part of this series intended to provide comprehensive coverage of the most prominent features of Windows Server 2008 Active Directory, we have started reviewing functionality available via Control Panel Settings nodes in the Group Policy Management Editor (in both User and Computer Configuration nodes).

In this article, we will conclude our overview by presenting all remaining Control Panel-specific options.

Control Panel Settings\Network Options

Offers the ability to create, replace, update or delete Dial-Up Networking and Virtual Private Network connections (accessible via Network Connections applet in the Control Panel). In the case of the former, the configuration is straightforward and involves specifying a unique name and the corresponding phone number. The latter is more involved, with all available settings grouped into four tabs (in either case, you have an option of importing an existing entry from the local computer).

The first one, labeled VPN Connection, determines the desired action (Create, Update, Replace, or Delete), scope (User connection or All user connections), Connection name and its IP Address or DNS name (the choice is based on the state of the Use DNS name checkbox), dependencies (Dial another connection first), and graphical clues (Show icon in notification area when connected).

The Options tab controls dialing (displaying progress and assisting with authentication process) and redialing (applicable to scenarios in which a connection gets dropped) behavior. On the Security tab, you can choose either Typical (recommended settings) or opt for advanced options, where you can customize Data encryption requirements and choose the protocol utilized for Logon security. Using the Networking tab, you assign Type of VPN (Automatic, PPTP VPN, or L2TP IPSec VPN).

Note that you might run into an issue on Vista systems when using this extension, in which the resulting VPN connection is missing the binding to IPv4 or IPv6. In this case, make sure to deploy the Group Policy Preferences Client-Side Extension Hotfix Rollup described in the Knowledge Base article 974266. (This also addresses a number of other shortcomings, including configuration of third-party printers, which will be discussed later in this article.)

Control Panel Settings\Power Options

This is intended for managing power utilization settings. Its functionality is represented by three separate menu items labeled Power Options (Windows XP), Power Scheme (Windows XP), and Power Plan (Windows Vista and later), corresponding, respectively, to the Advanced and Power Schemes tabs of the Power Options applet (in Windows XP) and to the Power Options subnode of the System and Maintenance node in Windows 7. (Unfortunately, they do not seem to be working in Vista, so if this is the case, you might have to resort to the use of the powercfg.exe command line utility.) Those available under the Computer Configuration node affect the behavior of the .DEFAULT profile, which applies when no user is logged on to the computer. Effectively, if you want to be able to manage power settings depending on a logged on account, you should define them as part of the User Configuration.

While the actual range of changes that can be controlled in this manner depends to some extent on capabilities of power management drivers on a target computer, they typically include the ability to Always show icon on the taskbar, Prompt for password when computer resumes from standby, and Enable hibernation. In addition, you might be able to control behavior triggered by events such as closing the lid on a portable computer and pressing the power or sleep buttons.

Within the New Power Scheme (Windows XP) Properties dialog box, you have an option to update, replace, or delete (but not to create a new custom) collection of settings that will trigger turning off the monitor and disks, as well as initiating system standby or hibernation after an arbitrary period of inactivity (for online and battery power). Here again, you will find that New Power Options, Power schemes and Settings for power scheme dialog entries have solid green or dashed red lines, indicating whether their values will be processed or ignored.

Control Panel Settings\Printers

These give you the ability to manage (create, replace, update, or delete) shared, TCP/IP and locally attached printers. The first of these choices applies to printers defined on another computer functioning as a print server. When creating, updating, or replacing such a printer, you are expected to specify the Share path. It is also possible in this case to set it as the default (or make such assignment conditional on the absence of a local printer) or map it to one of the LPT ports.

TCP/IP Printer allows you to create, update, replace, or delete a locally defined printer targeting a TCP/IP port on a remote print device. To carry out the first three of these actions, you must specify either its IP address or DNS name. You will also be expected to provide its local name and a path to its driver files (in the Printer path text box). As before, you have an option to set it as the default as well as assign Location and Comment parameters. Entries on the Port Settings tab include the protocol (TCP/IP Raw or LPR), Port Number, LPR Settings (if applicable), and SNMP parameters (Community Name and SNMP Device Index).

The Local Printer item is intended for installing a locally attached (via LPT, COM, or USB port) device. Configuration options include Name, Port, Printer path (designating the location of driver files), Location, and Comment (as before, the printer can be set as the default). This approach is superior to the Group Policy-based Printer Deployment methodology that was introduced in Windows Server 2003 R2 (through schema extensions), both in terms of functionality (e.g., the ability to assign a default printer) and granularity (implemented via Common options in Group Policy Preferences).

Control Panel Settings\Regional Options

This is another user extension without a computer equivalent. It matches the content of the Regional and Language Options (its Regional Options tab) and Customize Regional Options (Numbers, Currency, Time, and Date tabs) dialog boxes. As you can determine based on the presence of red dashed lines, all of these settings are ignored by default, so you will need to change their status by pressing the F6 or F5 function keys (depending on whether you intend to alter a single one or all displayed on the current tab) for them to take effect.

Control Panel Settings\Scheduled Tasks

This facilitates the creation of scheduled tasks on target computers as part of either Computer or User Configuration, thus providing a convenient alternative to at and schtasks.exe command line utilities introduced in Windows XP. It offers four submenu choices (branching from the New context-sensitive menu item), labeled Scheduled Task, Immediate Task (Windows XP), Scheduled Task (Windows Vista and later) and Immediate Task (Windows Vista and later), although the latter two are available only starting with Windows 7 and Windows Server 2008 R2.

The immediate ones allow you to trigger an arbitrary action as soon as the Client Side Extensions are activated due to Group Policy being applied or refreshed (which is the reason for the absence of the Schedule tab in the New Immediate Task dialog box). The Scheduled Task (Windows XP) interface provides the same set of configuration settings as the Scheduled Task Wizard (invoked by double-clicking on the Add Scheduled Task icon in the Scheduled Tasks window accessible via the Accessories/System Tools menu). From here, you can designate the action type (Create, Update, Replace, or Delete), an arbitrary Name, an executable or batch file to be executed (along with its arguments), Start In folder, security context (via the Run as checkbox and credentials you type into the User Name and Password textboxes), schedule (allowing you to designate whether the task will be run daily, weekly, monthly, once, at system startup, at logon, or when idle), as well as a number of associated settings, dealing with such specifics as actions to be performed when the task completes, or dependencies on the computer's idle status and its power source.

New Immediate Task (Windows XP) has practically identical configuration options, with the obvious exception of those that are not applicable due to its nature, such as the ability to disable it (the Enabled (scheduled task runs at a specified time) checkbox is missing on the Task tab), schedule it (there is no Schedule tab), or Delete the task if it is not scheduled to run again on the Settings tab (redundant, since the task is always deleted after its completion).

The interface presented via Scheduled Task (Windows Vista and later) and its Immediate Task (Windows Vista and later) counterpart is more complex, reflecting new automation features introduced in Vista and Windows Server 2008 (it also resolves the issue introduced in the Windows XP-specific implementation that required providing a password when executing tasks in the security context of an interactively logged on user). The New Task (Windows Vista and later) Properties dialog box is divided into six tabs. General allows you to assign a name and description to a task and specify its Security options (with %LogonDomain%\%LogonUser% designating an interactively logged on user as the default), including the ability to execute it independently of whether the user is logged on or not (as well as to Run with highest privileges or hide it). By using options on the Triggers tab you can specify conditions (such as an arbitrary schedule, user logon, computer startup, idle state, specific event, creation or modification of the task, lock or unlock of a target computer, or connection to or disconnection from a user session) that will prompt task execution. Entries on the Action tab constitute individual activities (e.g. start of a program, sending of an e-mail, or displaying a message) that will be carried out as part of task execution. Conditions determines the set of requirements that need to be satisfied before the task can be launched. These can include a minimum amount of time during which the target computer has been idle, its power status (sleep or hibernation, battery vs. AC power), and network connectivity. Finally, the Settings tab contains any additional options affecting the behavior of the task (such as the ability to invoke it on demand, its duration limits, or restart and concurrency settings).

When defining Windows XP tasks, if you specify Run as credentials (or, in the case of Vista-based tasks, if you decide to let them Run whether user is logged on or not and clear the "Do not store password. The task will only have access to local resource" checkbox), they are stored in the corresponding XML file protected by 256-bit AES encryption. Otherwise, the task uses either the Local System account or the currently logged on user (depending on whether it is defined as part of Computer or User Configuration). Unfortunately, in Windows XP (and Windows Server 2003), the latter of these options incorrectly defaults to a local account, which is bound to fail (unless such a user with a matching name and password happens to exist). To remediate this issue, you need to resort to designating the Run as account (by leveraging the Group Policy Preferences System Defined Variables %LogonDomain%\%LogonUser%, which you can view by pressing the F3 key while the cursor appears in the UserName textbox). However, this workaround requires the latest version of Group Policy Management Console included in Windows 7 Remote Server Administration Tools or Windows Server 2008 R2 (Vista and Windows Server 2008 do not allow the associated Password textbox to be blank).

Control Panel Settings\Services

This is one of two Computer Configuration extensions (besides Network Shares, which we discussed in our previous article) without a user equivalent. It allows you to apply configuration changes to existing Windows services, including setting their Startup (Automatic, Manual, or Disabled), Service action (Start service, Stop service, Restart service, or Restart service if required), Wait timeout if service is locked, Log on as account (as before, encrypted credentials you choose are stored in the Group Policy Preferences-based XML file under the SYSVOL share), as well as Recovery options (grouped together on a separate tab), defining a desired response to the first, second, and subsequent failures of the service.
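
Both the Scheduled Tasks "Run as" credentials and the Services "Log on as" account described above end up as a cpassword attribute in a Group Policy Preferences XML file under SYSVOL. The AES key protecting that attribute is the same on every system and is publicly documented, so the stored value should be treated as recoverable by anyone who can read SYSVOL. The following added example (not part of the original article) reports which preference items carry such an attribute without reading its value; the function name, demo folder and abbreviated sample XML are constructed for illustration.

```powershell
# Added example: locate GPP items with a stored password; the value is never read or decoded.
function Find-GppStoredCredential {
    # $Path: a Policies folder under SYSVOL, or an offline copy of it
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
            catch { Write-Warning "Skipping unparseable XML: $($file.FullName)"; return }
            # Any element with a non-empty cpassword attribute holds a stored password.
            foreach ($node in $doc.SelectNodes('//*[@cpassword != ""]')) {
                # The account attribute is named differently per extension.
                $account = 'runAs', 'accountName', 'userName', 'username' |
                    ForEach-Object { $node.GetAttribute($_) } |
                    Where-Object { $_ } | Select-Object -First 1
                [pscustomobject]@{
                    File     = $file.FullName
                    Item     = $node.ParentNode.GetAttribute('name')
                    Account  = $account
                    Modified = $file.LastWriteTime
                }
            }
        }
}

# Constructed, abbreviated sample files (real ones carry more attributes).
$demo    = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$taskDir = Join-Path $demo 'Machine\Preferences\ScheduledTasks'
$svcDir  = Join-Path $demo 'Machine\Preferences\Services'
New-Item -ItemType Directory -Path $taskDir, $svcDir -Force | Out-Null
@'
<ScheduledTasks>
  <Task name="NightlyBackup">
    <Properties action="U" name="NightlyBackup" runAs="EXAMPLE\svc-backup" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </Task>
  <Task name="Cleanup">
    <Properties action="U" name="Cleanup" runAs="%LogonDomain%\%LogonUser%"/>
  </Task>
</ScheduledTasks>
'@ | Set-Content -LiteralPath (Join-Path $taskDir 'ScheduledTasks.xml')
@'
<NTServices>
  <NTService name="ExampleSvc">
    <Properties startupType="AUTOMATIC" serviceName="ExampleSvc" accountName="EXAMPLE\svc-app" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </NTService>
</NTServices>
'@ | Set-Content -LiteralPath (Join-Path $svcDir 'Services.xml')
Find-GppStoredCredential -Path $demo | Format-List
```

Items that run as %LogonDomain%\%LogonUser% or Local System store no password and are not reported; any item that is reported is a candidate for removing the stored credential and changing that account's password.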

Control Panel Settings\Start Menu

These are further User Configuration extensions without a computer equivalent. They allow you to specify the content of the Start Menu on either Windows XP or Vista and later operating systems. Although each has its own interface presented by the Group Policy Management Editor, both contain roughly the same set of options. The primary difference results from the fact that Windows XP settings are divided into three tabs (General, Advanced and Classic), while Vista combines the first two into one (General). In either case, you have an option to choose the Start Menu icon size, specify whether recently accessed documents and programs should be listed, or customize the Classic view of the Start menu.

This concludes our overview of Group Policy Preferences settings that correspond to features available in operating systems they manage. In our next article, we will look into specifics of functionality implemented by Common options. We will focus on the item-level targeting and also discuss deployment and troubleshooting topics.
