GuidesWindows Server 2008 Directory Services, Group Policy Preferences - More Control Panel...

Windows Server 2008 Directory Services, Group Policy Preferences – More Control Panel Settings

ServerWatch content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

In our description of Group Policy Preferences characteristics, introduced recently as part of this series intended to provide comprehensive coverage of the most prominent features of Windows Server 2008 Active Directory, we have started reviewing functionality available via Control Panel Settings nodes in the Group Policy Management Editor (in both User and Computer Configuration nodes).

In Windows Server 2008, Group Policy Preferences simplifies client management to make it possible to reap the chief benefits of an Active Directory environment. The Control Panel Settings nodes in the Group Policy Management Editor makes this possible.

In this article, we will conclude our overview by presenting all remaining Control Panel-specific options.

Control Panel SettingsNetwork Options

Offers the ability to create, replace, update or delete Dial-Up Networking and Virtual Private Network connections (accessible via Network Connections applet in the Control Panel). In the case of the former, the configuration is straightforward and involves specifying a unique name and the corresponding phone number. The latter is more involved, with all available settings grouped into four tabs (in either case, you have an option of importing an existing entry from the local computer).

The first one, labeled VPN Connection, determines the desired action (Create, Update, Replace, or Delete), scope (User connection or All user connections), Connection name and its IP Address or DNS name (the choice is based on the state of the Use DNS name checkbox), dependencies (Dial another connection first), and graphical clues (Show icon in notification area when connected).

The Options tab controls dialing (displaying progress and assisting with authentication process) and redialing (applicable to scenarios in which a connection gets dropped) behavior. On the Security tab, you can choose either Typical (recommended settings) or opt for advanced options, where you can customize Data encryption requirements and choose the protocol utilized for Logon security. Using the Networking tab, you assign Type of VPN (Automatic, PPTP VPN, or L2TP IPSec VPN).

Note that you might run into an issue on Vista systems when using this extension, in which the resulting VPN connection is missing the binding to IPv4 or IPv6. In this case, make sure to deploy the Group Policy Preferences Client-Side Extension Hotfix Rollup described in the Knowledge Base article 974266. This also addresses a number of other shortcomings, including configuration of third-party printers, which will be discussed later in this article).

Control Panel SettingsPower Options

This is intended for managing power utilization settings. Its functionality is represented by three separate menu items labeled Power Options (Windows XP) and Power Scheme (Windows XP)), and Power Plan (Windows Vista and later), corresponding, respectively, to the Advanced and Power Schemes tabs of the Power Options applet (in Windows XP) and to the Power Options subnode of System and Maintenance node in Windows 7. Unfortunately, they do not seem to be working in Vista, so if this is the case, you might have to resort to the use of powercfg.exe command line utility). Those available under the Computer Configuration node affect behavior of the .DEFAULT profile, which applies when no user is logged on to the computer. Effectively, if you want to be able to manage power settings depending on a logged on account, you should define them as part of the User Configuration.

While the actual range of changes that can be controlled in this manner depends
to some extent on capabilities of power management drivers on a target computer,
they typically include the ability to Always show icon on the taskbar, Prompt
for password when computer resumes from standby
, and Enable hibernation.
In addition, you might be able to control behavior triggered by events such
as closing the lid on a portable computer and pressing the power or sleep buttons.

Within the New Power Scheme (Windows XP) Properties dialog box,
you have an option to update, replace, or delete (but not to create a new custom)
collection of settings that will trigger turning off monitor and disks, as well
initiating system standby or hibernation after an arbitrary period of inactivity
(for online and battery power). Here again, you will find that New Power
, Power schemes and Settings for power scheme dialog
entries have solid green or dashed red lines, indicating whether their values
will be processed or ignored.

Control Panel SettingsPrinters

These give you ability to manage (create, replace, update, or delete) shared,
TCP/IP and locally attached printers. The first of these choices applies to printers
defined on another computer functioning as a print server. When creating, updating,
or replacing such printer, you are expected to specify the Share path.
It is also possible in this case to set it as the default (or make such assignment
conditional on the absence of a local printer) or map it to one of LPT ports.

TCP/IP Printer allows you to create, update, replace, or delete
locally defined printer targeting a TCP/IP port on a remote print device. To
carry out the first three of these actions, you must specify either its IP address
or DNS name. You will also be expected to provide its local name and a path to
its driver files (in the Printer path text box). As before, you
have an option to set it as the default as well as assign Location and Comment parameters.
Entries on the Port Settings tab include the protocol (TCP/IP
or LPR), Port Number, LPR Settings (if
applicable), and SNMP parameters (Community Name and SNMP
Device Index
). Local Printer item is intended for installing
a locally attached (via LPT, COM, or USB port) device.

Configuration options include Name, Port, Printer
(designating location of driver files), Location, and Comment (as
before, the printer can be set as the default). This approach is superior to
Group Policy-based Printer Deployment methodology that was introduced in Windows
Server 2003 R2 (through schema extensions), both in terms of functionality (e.g.,
the ability to assign a default printer) and granularity (implemented via Common
options in Group Policy Preferences).

Control Panel SettingsRegional Options

This is another user extension without its computer equivalent, matches content of Regional and Language Options (its Regional Options tab) and Customize Regional Options (Numbers, Currency, Time, and Date tabs) dialog boxes. As you can determine based on the presence of red dashed lines, all of these settings are by default ignored, so you will need to change their status by pressing F6 or F5 function keys (depending on whether you intend to alter a single one or all displayed on a current tab) for them to take effect.

Control Panel SettingsScheduled Tasks

This facilitates the creation of scheduled tasks on target computers as part
of either Computer or User Configuration, thus providing a convenient alternative
to at and schtasks.exe command line utilities introduced
in Windows XP. It offers four submenu choices (branching from the New context-sensitive
menu item), labeled Scheduled Task, Immediate Task (Windows
, Scheduled Task (Windows Vista and later) and Immediate
Task (Windows Vista and later)
, although the latter two are available
only starting with Windows 7 and Windows Server 2008 R2.

The immediate ones allow you to trigger an arbitrary action as soon as the Client
Side Extensions are activated due to Group Policy being applied or refreshed
(which is the reason for the absence of Schedule tab in the New
Immediate Task
dialog box). Scheduled Task (Windows XP) interface
provides the same set of configuration settings as the Scheduled Task Wizard (invoked
by double-clicking on Add Scheduled Task icon in the Scheduled
window accessible via Accessories/Systems Tools menu).
From here, you can designate the action type (Create, Update, Replace,
or Delete), an arbitrary Name, an executable or batch
file to be executed (along with its arguments), Start In folder,
security context (via Run as checkbox and credentials you type into User
and Password textboxes), schedule (allowing you to designate
whether the task will be run daily, weekly, monthly, once, at system startup,
at logon, or when idle), as well as a number of associated settings, dealing
with such specifics as actions to be performed when the task completes, or dependencies
on the computer’s idle status and its power source.

New Immediate Task (Windows XP) has practically identical configuration
options, with obvious exceptions of those that are not applicable due to its
such as, ability to disable it — Enabled (scheduled task runs a a specified
time) checkbox is missing on the Task tab
, schedule it (no Schedule tab),
or Delete the task if it is not scheduled to run again on the Settings (redundant,
since the task is always deleted after its completion).

Interface presented via Scheduled Task (Windows Vista and later) and
its Immediate Task (Windows Vista and later) counterpart is more
complex, reflecting new automation features introduced in Vista and Windows
Server 2008 (as well as resolves the issue introduced in the Windows XP-specific
implementation that required providing a password when executing tasks in the
security context of an interactively logged on user). New Task (Windows
Vista and later) Properties
dialog box is divided into six tabs. General allows
you to assign a name and description to a task, specify its Security
(with %LogonDomain%%LogonUser% designating an
interactively logged on user as the default), including ability to execute
it independently of whether the user is logged on or not (as well as to Run
with highest privileges
or hide it). By using options on the Triggers tab
you can specify conditions (such as an arbitrary schedule, user logon, computer
startup, idle state, specific event, creation or modification of the task,
lock or unlock of a target computer, or connection to or disconnection from
a user session) that will prompt task execution. Entries on the Action tab
constitute individual activities (e.g. start of a program, sending of an e-mail,
or displaying a message) that will be carried out as part of task execution. Conditions determine
set of requirements that need to be satisfied before the task can be launched.
This can include, minimum amount of time during which the target computer has
been idle, or its power status (sleep or hibernation, battery vs. AC power)
and network connectivity. Finally, Settings tab contains any additional
options affecting behavior of the task (such as ability to invoke it on demand,
its duration limits, or restart and concurrency settings).

When defining a Windows XP tasks, if you specify Run as credentials (or, in case of Vista-based tasks, if you decide to let them Run whether user is logged on or not and clear the Do not store password. The task will only have access to local resource checkbox), they are stored in the corresponding XML file protected by 256-bit AES encryption. Otherwise, the task uses either Local System account or currently logged on user (depending on whether it is defined as part of Computer or User Configuration). Unfortunately, in Windows XP (and Windows Server 2003), the latter of these options incorrectly defaults to a local account, which is bound to fail (unless such user with matching name and password happens to exist). To remediate this issue, you need to resort to designating the Run as account (by leveraging Group Policy Preferences System Defined Variables %LogonDomain%%LogonUser%, which you can view by pressing F3 key while cursor appears in the UserName textbox). However, this workaround requires the latest version of Group Policy Management Console included in Windows 7 Remote Server Administration Tools or Windows Server 2008 R2 (Vista and Windows Server 2008 do not allow the associated Password textbox to be blank).

Control Panel SettingsServices

One of two Computer Configuration extensions (besides Network Shares, which we discussed in our previous article) without its user equivalent. It allows you to apply configuration changes to existing Windows services, including setting their Startup (Automatic, Manual, or Disabled), Service action (Start service, Stop service, Restart service, or Restart service if required), Wait timeout if service is locked, Log on as account (as before, encrypted credentials you choose are stored in the Group Policy Preferences-based XML file under SYSVOL share), as well as Recovery options (grouped together on a separate tab), defining a desired response to the first, second, and subsequent failures of the service.

Control Panel SettingsStart Menu – another User Configuration

These extensions, without a computer equivalent, allow you to specify content of the Start Menu on either Windows XP or Vista and later operating systems. Although each has its own interface presented by the Group Policy Management Editor, both contain roughly the same set of options. The primary difference results from the fact that Windows XP settings are divided into three tabs (General, Advanced and Classic), while Vista combines the first two into one (General). In either case, you have an option to choose Start Menu icon size, specify whether recently accessed documents and programs should be listed, or customize Classic view of Start menu.

This concludes our overview of Group Policy Preferences settings that correspond to features available in operating systems they manage. In our next article, we will look into specifics of functionality implemented by Common options. We will focus on the item-level targeting and also discuss deployment and troubleshooting topics.

Follow ServerWatch on Twitter

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends & analysis

Latest Posts

Related Stories