In our description of Group Policy Preferences characteristics, introduced recently as part of this series intended to provide comprehensive coverage of the most prominent features of Windows Server 2008 Active Directory, we have started reviewing functionality available via Control Panel Settings
nodes in the Group Policy Management Editor (in both User
and Computer Configuration
nodes).
In Windows Server 2008, Group Policy Preferences simplifies client management to make it possible to reap the chief benefits of an Active Directory environment. The Control Panel Settings nodes in the Group Policy Management Editor makes this possible.
In this article, we will conclude our overview by presenting all remaining Control Panel-specific options.
Control Panel Settings
Network Options
Offers the ability to create, replace, update or delete Dial-Up Networking and Virtual Private Network connections (accessible via Network Connections
applet in the Control Panel). In the case of the former, the configuration is straightforward and involves specifying a unique name and the corresponding phone number. The latter is more involved, with all available settings grouped into four tabs (in either case, you have an option of importing an existing entry from the local computer).
The first one, labeled VPN Connection
, determines the desired action (Create
, Update
, Replace
, or Delete
), scope (User connection
or All user connections
), Connection name
and its IP Address
or DNS name
(the choice is based on the state of the Use DNS name
checkbox), dependencies (Dial another connection first
), and graphical clues (Show icon in notification area when connected
).
The Options
tab controls dialing (displaying progress and assisting with authentication process) and redialing (applicable to scenarios in which a connection gets dropped) behavior. On the Security
tab, you can choose either Typical (recommended settings)
or opt for advanced options, where you can customize Data encryption
requirements and choose the protocol utilized for Logon security
. Using the Networking
tab, you assign Type of VPN
(Automatic
, PPTP VPN
, or L2TP IPSec VPN
).
Note that you might run into an issue on Vista systems when using this extension, in which the resulting VPN connection is missing the binding to IPv4 or IPv6. In this case, make sure to deploy the Group Policy Preferences Client-Side Extension Hotfix Rollup described in the Knowledge Base article 974266. This also addresses a number of other shortcomings, including configuration of third-party printers, which will be discussed later in this article).
Control Panel Settings
Power Options
This is intended for managing power utilization settings. Its functionality is represented by three separate menu items labeled Power Options (Windows XP)
and Power Scheme (Windows XP)
), and Power Plan (Windows Vista and later)
, corresponding, respectively, to the Advanced
and Power Schemes
tabs of the Power Options
applet (in Windows XP) and to the Power Options
subnode of System and Maintenance
node in Windows 7. Unfortunately, they do not seem to be working in Vista, so if this is the case, you might have to resort to the use of powercfg.exe
command line utility). Those available under the Computer Configuration
node affect behavior of the .DEFAULT
profile, which applies when no user is logged on to the computer. Effectively, if you want to be able to manage power settings depending on a logged on account, you should define them as part of the User Configuration
.
While the actual range of changes that can be controlled in this manner depends
to some extent on capabilities of power management drivers on a target computer,
they typically include the ability to Always show icon on the taskbar
, Prompt
, and
for password when computer resumes from standbyEnable hibernation
.
In addition, you might be able to control behavior triggered by events such
as closing the lid on a portable computer and pressing the power or sleep buttons.
Within the New Power Scheme (Windows XP) Properties
dialog box,
you have an option to update, replace, or delete (but not to create a new custom)
collection of settings that will trigger turning off monitor and disks, as well
initiating system standby or hibernation after an arbitrary period of inactivity
(for online and battery power). Here again, you will find that New Power
,
OptionsPower schemes
and Settings for power scheme
dialog
entries have solid green or dashed red lines, indicating whether their values
will be processed or ignored.
Control Panel Settings
Printers
These give you ability to manage (create, replace, update, or delete) shared,
TCP/IP and locally attached printers. The first of these choices applies to printers
defined on another computer functioning as a print server. When creating, updating,
or replacing such printer, you are expected to specify the Share path
.
It is also possible in this case to set it as the default (or make such assignment
conditional on the absence of a local printer) or map it to one of LPT ports.
TCP/IP Printer
allows you to create, update, replace, or delete
locally defined printer targeting a TCP/IP port on a remote print device. To
carry out the first three of these actions, you must specify either its IP address
or DNS name. You will also be expected to provide its local name and a path to
its driver files (in the Printer path
text box). As before, you
have an option to set it as the default as well as assign Location
and Comment
parameters.
Entries on the Port Settings
tab include the protocol (TCP/IP
or
RawLPR
), Port Number
, LPR Settings
(if
applicable), and SNMP parameters (Community Name
and SNMP
).
Device IndexLocal Printer
item is intended for installing
a locally attached (via LPT, COM, or USB port) device.
Configuration options include Name
, Port
, Printer
(designating location of driver files),
pathLocation
, and Comment
(as
before, the printer can be set as the default). This approach is superior to
Group Policy-based Printer Deployment methodology that was introduced in Windows
Server 2003 R2 (through schema extensions), both in terms of functionality (e.g.,
the ability to assign a default printer) and granularity (implemented via Common
options in Group Policy Preferences).
Control Panel Settings
Regional Options
This is another user extension without its computer equivalent, matches content of Regional and Language Options
(its Regional Options
tab) and Customize Regional Options
(Numbers
, Currency
, Time
, and Date
tabs) dialog boxes. As you can determine based on the presence of red dashed lines, all of these settings are by default ignored, so you will need to change their status by pressing F6
or F5
function keys (depending on whether you intend to alter a single one or all displayed on a current tab) for them to take effect.
Control Panel Settings
Scheduled Tasks
This facilitates the creation of scheduled tasks on target computers as part
of either Computer or User Configuration, thus providing a convenient alternative
to at
and schtasks.exe
command line utilities introduced
in Windows XP. It offers four submenu choices (branching from the New
context-sensitive
menu item), labeled Scheduled Task
, Immediate Task (Windows
,
XP)Scheduled Task (Windows Vista and later)
and Immediate
, although the latter two are available
Task (Windows Vista and later)
only starting with Windows 7 and Windows Server 2008 R2.
The immediate ones allow you to trigger an arbitrary action as soon as the Client
Side Extensions are activated due to Group Policy being applied or refreshed
(which is the reason for the absence of Schedule
tab in the New
dialog box).
Immediate TaskScheduled Task (Windows XP)
interface
provides the same set of configuration settings as the Scheduled Task Wizard
(invoked
by double-clicking on Add Scheduled Task
icon in the Scheduled
window accessible via
TasksAccessories/Systems Tools
menu).
From here, you can designate the action type (Create
, Update
, Replace
,
or Delete
), an arbitrary Name
, an executable or batch
file to be executed (along with its arguments), Start In
folder,
security context (via Run as
checkbox and credentials you type into User
and
NamePassword
textboxes), schedule (allowing you to designate
whether the task will be run daily, weekly, monthly, once, at system startup,
at logon, or when idle), as well as a number of associated settings, dealing
with such specifics as actions to be performed when the task completes, or dependencies
on the computer’s idle status and its power source.
New Immediate Task (Windows XP)
has practically identical configuration
options, with obvious exceptions of those that are not applicable due to its
nature,
such as, ability to disable it — Enabled (scheduled task runs a a specified
, schedule it (no
time) checkbox is missing on the Task
tabSchedule
tab),
or Delete the task if it is not scheduled to run again
on the Settings
(redundant,
since the task is always deleted after its completion).
Interface presented via Scheduled Task (Windows Vista and later)
and
its Immediate Task (Windows Vista and later)
counterpart is more
complex, reflecting new automation features introduced in Vista and Windows
Server 2008 (as well as resolves the issue introduced in the Windows XP-specific
implementation that required providing a password when executing tasks in the
security context of an interactively logged on user). New Task (Windows
dialog box is divided into six tabs.
Vista and later) PropertiesGeneral
allows
you to assign a name and description to a task, specify its Security
(with
options%LogonDomain%%LogonUser%
designating an
interactively logged on user as the default), including ability to execute
it independently of whether the user is logged on or not (as well as to Run
or hide it). By using options on the
with highest privilegesTriggers
tab
you can specify conditions (such as an arbitrary schedule, user logon, computer
startup, idle state, specific event, creation or modification of the task,
lock or unlock of a target computer, or connection to or disconnection from
a user session) that will prompt task execution. Entries on the Action
tab
constitute individual activities (e.g. start of a program, sending of an e-mail,
or displaying a message) that will be carried out as part of task execution. Conditions
determine
set of requirements that need to be satisfied before the task can be launched.
This can include, minimum amount of time during which the target computer has
been idle, or its power status (sleep or hibernation, battery vs. AC power)
and network connectivity. Finally, Settings
tab contains any additional
options affecting behavior of the task (such as ability to invoke it on demand,
its duration limits, or restart and concurrency settings).
When defining a Windows XP tasks, if you specify Run as
credentials (or, in case of Vista-based tasks, if you decide to let them Run whether user is logged on or not
and clear the Do not store password. The task will only have access to local resource
checkbox), they are stored in the corresponding XML file protected by 256-bit AES encryption. Otherwise, the task uses either Local System account or currently logged on user (depending on whether it is defined as part of Computer
or User Configuration
). Unfortunately, in Windows XP (and Windows Server 2003), the latter of these options incorrectly defaults to a local account, which is bound to fail (unless such user with matching name and password happens to exist). To remediate this issue, you need to resort to designating the Run as
account (by leveraging Group Policy Preferences System Defined Variables %LogonDomain%%LogonUser%
, which you can view by pressing F3
key while cursor appears in the UserName
textbox). However, this workaround requires the latest version of Group Policy Management Console included in Windows 7 Remote Server Administration Tools or Windows Server 2008 R2 (Vista and Windows Server 2008 do not allow the associated Password
textbox to be blank).
Control Panel Settings
Services
One of two Computer Configuration
extensions (besides Network Shares
, which we discussed in our previous article) without its user equivalent. It allows you to apply configuration changes to existing Windows services, including setting their Startup
(Automatic
, Manual
, or Disabled
), Service action
(Start service
, Stop service
, Restart service
, or Restart service if required
), Wait timeout if service is locked
, Log on as
account (as before, encrypted credentials you choose are stored in the Group Policy Preferences-based XML file under SYSVOL
share), as well as Recovery
options (grouped together on a separate tab), defining a desired response to the first, second, and subsequent failures of the service.
Control Panel Settings
Start Menu
– another User Configuration
These extensions, without a computer equivalent, allow you to specify content of the Start Menu on either Windows XP or Vista and later operating systems. Although each has its own interface presented by the Group Policy Management Editor, both contain roughly the same set of options. The primary difference results from the fact that Windows XP settings are divided into three tabs (General
, Advanced
and Classic
), while Vista combines the first two into one (General
). In either case, you have an option to choose Start Menu icon size, specify whether recently accessed documents and programs should be listed, or customize Classic
view of Start menu.
This concludes our overview of Group Policy Preferences settings that correspond to features available in operating systems they manage. In our next article, we will look into specifics of functionality implemented by Common
options. We will focus on the item-level targeting and also discuss deployment and troubleshooting topics.