Prevent Windows from Reinstalling Group Policy Programs

While Group Policy software distribution is a quick and easy way to get software around a network, it isn’t without its problems. One such problem is when a computer is attached to a new domain. If your software distribution is the same, Windows will still reinstall the MSI packages.

The simplest way is to export a registry key from a computer that is currently joined to the new domain, and then import it into the new system.

And here it is:

<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt</code>

Adding Printers will Hang a Vista Logon to a Domain

When you’re setting up a Windows Vista system on your network for the first time, you might find that adding printers becomes an issue because the UAC prompt appears.

Unfortunately, if you do this with a logon script – then the logon will hang until the script timeout expires. Worse still, if you’re using Group Policy Preferences to set up the printer it will cause the logon to hang indefinitely.

If you’re experiencing this problem – then you need to make sure that the Trusted Printer settings are either configured correctly, or disabled so that printer installation behaves as it would in previous versions of Windows such as 2000 and XP.

Firstly, you’ll need to open the Group Policy Management console, and navigate to the OU which contains the user accounts that are likely to add printers and edit the policy.

Open User Settings > Administrative Templates > Control Panel > Printers.

To prevent Vista from ever prompting to install the printer drivers, simply disable the Point and Print Restrictions setting. Disabling it removes the warning and elevation prompt for connections to any print server, so if you need to control where printers can be installed from, edit the Approved Servers setting instead.

If you’ve used group policy preferences, make sure that you’ve set the Run in logged-on user’s security context option.

Once configured, you should be able to log on with a user account that automatically adds the printer without a hitch.

Edit files with Notepad++ From Anywhere on your Network

Notepad++ is a very handy tool. It rocks.

What is annoying is that if you have it installed on a server, then you have to run NPP before opening the intended file that you want to edit.

Well, no more! Using the power of Group Policy Preferences (which also rocks).

First of all, install NPP onto your server but install it into a shared folder that you can access.

Next, open up Group Policy Management and edit the group policy that your user account is in (or those that you want to enable).

Open up User Configuration > Preferences > Windows Settings > Registry.

Create a new registry setting:

Hive: HKEY_CURRENT_USER
Key Path: Software\Classes\*\Shell\Open in Notepad++\command
Default: ticked
Value type: REG_SZ
Value data: "\\server\share\notepad++.exe" "%1"

Then log onto a computer and right click on all of those files! Yey!
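
Because this setting makes every targeted user launch an executable straight from \\server\share, anyone who can write to that file or its folder controls what those users run. The PowerShell check below is an added example, not part of the original post; the list of trusted SIDs is an assumption to adapt to your own admin groups.

```powershell
# Added example: list NTFS ACEs that let a non-admin principal change the shared binary.
# $ExePath is the path used in the registry value data above.
# Share-level (SMB) permissions are separate and are not inspected here.
$ExePath = '\\server\share\notepad++.exe'

# Assumed trusted principals: SYSTEM, BUILTIN\Administrators (Domain Admins matched below).
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')

# Rights that allow replacing, deleting or re-permissioning the file.
# The two hex bits are GENERIC_WRITE and GENERIC_ALL, which can appear raw on folder ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x40000000 -bor 0x10000000

function Get-WritableAce {
    param([string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolved account: report it as-is
        if (($TrustedSids -contains $sid) -or ($sid -match '^S-1-5-21-.+-512$')) { continue }
        [pscustomobject]@{
            Path     = $Path
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
        }
    }
}

# Check the executable and the folder that holds it (a writable folder allows a swap).
$findings = @($ExePath, (Split-Path -Parent $ExePath)) | ForEach-Object { Get-WritableAce -Path $_ }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'Only trusted principals can modify the binary or its folder.'
}
```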

Stop ‘Computer’ appearing when you logon in Vista

I’ve had a problem lately whereby various roaming profiles have the Computer window appear when users log into Windows Vista.

I messed around with a load of settings to try and work out what it was – I thought that as the problem only manifests itself in Vista with the new profiles, maybe it’s mis-interpreting a group policy setting such as the ‘only show personal folders’ setting.

It took a while, but there was no such setting to make My Computer appear in either the Desktop settings or Start Menu and Taskbar.

The offending article is that nigh-on useless Welcome Center that Vista imposes on users when they log in for the first two times. It seems that if you have redirected folders enabled and have turned off the common options for the Start Menu, then the Welcome Center fails to run. What then compounds the problem is that instead of showing the Welcome Center, it shows the Computer window.

Windows Vista Welcome Center - A useful portal to your computer or just a pain in the backside?

Here’s the kicker, because you cannot see the Welcome Center, you cannot tick the box to tell it never to appear again.

A very simple Group Policy fix is actually found in User Configuration > Administrative Templates > Windows Components > Windows Explorer. Here you can find the option Do not display the Welcome Center at user logon.

Once enabled, the annoying Computer popup is no more.

Enabling Group Favourites on a Network

One of the tricky things about managing Favourites for users on a network is that it’s a nightmare to easily deal with the varied requirements of users.

Generally, you would set up favourites on a Windows network to do one of the following:

  • Leave them as they are. Users can add and remove their own favourite websites
  • Redirect favourites to a shared location with a registry hack – but users lose their personal favourites
  • Add favourites through Group Policy – but you need a network admin to do this whenever something needs to be added.

Now, there’s a groovier, sexier way to do it. You can finally have your cake and eat it. The best part (or worst part depending on your point of view) is – the solution has been there all along.

Before We Start

You’ll need:

  • A Windows 2000-based network with group policy enabled, and an Organisational Unit with user accounts inside.
  • The Group Policy Management Console installed on either the server or a workstation that you will use
  • Administrator Rights

You also need to ask yourself who will have the rights to add shared favourites. This is fairly important, so consider it sensibly.

Getting Started

First of all, log on to a server and run the Active Directory Users and Computers console.

Somewhere in the AD structure, create a new security group called ‘FavouriteManagers’. Next add the users who you want to allow to change favourites to this group. If you don’t mind who changes the favourites, you can skip this step.
This is the group who will be allowed to add favourites to the users. Once you’re done here, and you are happy with the users who are set up in this group – we can set up the tool.

Setting Up the Group Policy to Allow Favourites to be Modified

Log onto your server / workstation as an administrator and do the following:

  1. Open up the Group Policy Management Console, and find the OU where the user accounts you want to control are.
  2. Right-click on the OU and select, Create and Link a GPO here… Call the new policy ManageFavourites.
  3. Now click on the new policy, and click on the Delegation tab. Click Add… and add the FavouriteManagers group to have edit access
  4. Click on the Details tab, and select Computer Configuration Settings Disabled from the drop down list. This will ensure that the logon times are kept brief for users.
  5. Close the Group Policy Management Console.

Create the Change Favourites

  1. Open a new Microsoft Management Console (Start > Run > type mmc > click OK)
  2. Click File > Add/Remove Snap-in
  3. Click Add…
  4. Click Group Policy Object Editor and click Add
  5. Click Browse, then All, double-click on the ManageFavourites policy.
  6. Click Finish. Click Close.
  7. Click on the Extensions tab and select Group Policy Object Editor from the dropdown list.
  8. Untick the Add all extensions checkbox. Then deselect all but the Internet Explorer
  9. Click OK.
  10. Expand the tree to User Configuration > Windows Settings > Internet Explorer Maintenance.
  11. Right-click on URLs and select New Window from Here
  12. Close the Console Root window so that only the URL window is visible.
  13. Click File > Options
  14. Give the console a title; I have called mine Favourite-o-matic. Under Console Mode, select User mode – limited access, single window. If you want to, you can change the icon to a more user-friendly icon. I like the Windows Favourite icon from shell32.
  15. Click OK to close the options dialog.
  16. Click File > Save and save the new console to a share where all of your Favourite Managers can access it. Set up the appropriate links on the start menu / desktop and you’re all done.

Using the Console

All you now need to do is let users know how to add favourites. You can do this by double-clicking on Favourites and Links, and typing links into the tool. You can also organise the favourites into folders to make them easier to manage.

The only caveat is that when you remove a link, it will not take the link from the user’s Favourites folder. This would still have to be deleted manually. Bear this in mind when you go nuts with all of your new favourite links.

Office 2007 Deployment Computer Startup Scripts

Now that MS Office 2007 is doing the rounds, I suppose it’s time to look at some of its shortcomings.

It has a few when it comes to deployment. The biggest nuisance being deployment.

You have four options:

  • Install it on a PC manually (not great)
  • Deploy through group policy with no customisations
  • Use a deployment system such as SMS
  • Use a computer startup script

You may as well just say “no” to the first one. Anything more than a handful of PCs and you have a tedious task.

Group Policy has always been my method of choice. Most of my clients have less than 100 PCs, so Group Policy deployment is ideal. But as pointed out in the list, you cannot customise the installation with any defaults.

SMS is out. It’s not worth explaining to clients why it’s a good idea to buy software that makes my life easier. Even though the effort and management might simplify things somewhat.

So we’re stuck with computer startup scripts. Another method I hate – but if you want to control Office Deployments, then this is the way to do it. Thankfully, Aaron Parker has posted some startup scripts to help with this using the MSP method.

If you are using a network with WSUS, then updates become a non-issue, and I think that the only time you need to redeploy is if you decide to change the application packages that you want. At which point, you could check that executables of the programs exist or record your own registry entries that you can check for.

It’s not a great method (I’ve managed to avoid having to use ANY computer startup scripts in 2000-based networks) – but there’s no reason why it shouldn’t work. Especially if you make sure to use the quiet options in the Setup /admin tool.
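
The check-then-install logic described above, as an added PowerShell example that is not from the original post or from Aaron Parker's scripts. The share path, MSP file name, marker registry key, revision value and log path are all assumptions.

```powershell
# Added example: computer startup script that installs Office 2007 once per package revision.
# Assumed names (not from the post): share path, MSP file, marker key, revision, log path.
$SetupExe   = '\\server\office2007\setup.exe'
$AdminFile  = '\\server\office2007\custom.msp'   # built with setup.exe /admin, quiet display options set
$MarkerKey  = 'HKLM:\SOFTWARE\ExampleOrg\Deploy\Office2007'
$PackageRev = '1'                                # bump when the application selection changes
$LogFile    = Join-Path $env:windir 'Temp\office2007-deploy.log'

function Test-OfficeDeployed {
    # Office 2007 is 32-bit, so on 64-bit Windows it installs under Program Files (x86).
    # WINWORD.EXE is checked on the assumption that Word is part of the package.
    $roots = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    $exeFound = $false
    foreach ($root in $roots) {
        $exe = Join-Path $root 'Microsoft Office\Office12\WINWORD.EXE'
        if (Test-Path -LiteralPath $exe) { $exeFound = $true }
    }
    # Our own registry entry records which package revision this machine received.
    $rev = (Get-ItemProperty -Path $MarkerKey -Name Revision -ErrorAction SilentlyContinue).Revision
    return ($exeFound -and ($rev -eq $PackageRev))
}

if (-not (Test-OfficeDeployed)) {
    if (-not (Test-Path -LiteralPath $SetupExe)) {
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) setup.exe not reachable at $SetupExe"
    } else {
        # /adminfile applies the customisation MSP; quietness comes from the MSP itself.
        $proc = Start-Process -FilePath $SetupExe -ArgumentList "/adminfile `"$AdminFile`"" -Wait -PassThru
        if ($proc.ExitCode -eq 0) {
            # Write the marker only after a clean install so a failed run retries at next boot.
            New-Item -Path $MarkerKey -Force | Out-Null
            Set-ItemProperty -Path $MarkerKey -Name Revision -Value $PackageRev
        }
        Add-Content -Path $LogFile -Value "$(Get-Date -Format s) setup.exe exit code $($proc.ExitCode)"
    }
}
```

Computer startup scripts run as SYSTEM, so the installation share should be read-only for everyone except administrators.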

Office, eh?