In the previous installment of our series dedicated to the most prominent features available in Windows Server 2008 based Directory Services, we introduced the concept of Group Policy Preferences. In addition to describing their basic characteristics (focusing in particular on the aspects of their functionality that distinguish them from Group Policies), we also started discussing specifics of their implementation. So far, we have covered configuration options grouped under the
Windows Settings node in the Group Policy Management Editor interface.
Group Policy Preferences makes it possible to reap the biggest benefits of an Active Directory environment by simplifying client management. Control Panel Settings help facilitate this.
This article will focus on the other type, labeled
Control Panel Settings. As the name indicates, items in this category correspond to individual Control Panel applets and manage functionality they represent. The majority of them can be assigned via either User or Computer Configuration (similarly to Windows Settings), although there are several exceptions, which we will point out throughout the course of our presentation.
Control Panel Settings
These enable you to create, replace, update, or delete user and system connections (the latter is the only choice available via
Computer Configuration node) to data sources (leveraging variety of data providers) exposed via
Data Sources (ODBC) utility (accessible from
Administrative Tools menu). When creating a new entries, you might want to first configure them on the administrative computer (on which the Group Policy Preferences will be defined) using graphical interface of
Data Sources (ODBC) utility. This will allow you to select an existing Data Source Name, eliminating the need to type in its parameters. On the other hand, if you are creating an entry manually, keep in mind that the
Data Source Name field supports Preference variables, a listing you can display by pressing
If you decide to specify credentials to authenticate to data sources (rather than relying on Windows integrated authentication), note that they are stored in the 256-bit AES encrypted format in the corresponding Group Policy Preferences XML file (named, in this case,
DataSources.xml) residing within GPO-specific folder hierarchy under
SYSVOL share. While this provides reasonable degree of protection, it introduces maintenance overhead — assuming accounts are not assigned non-expiring passwords — so it is not generally recommended. More importantly, such an approach will fail when using MS SQL Driver (since its implementation does not permit hard-coded passwords) unless you modify the resulting XML file and manually remove
Control Panel Settings
These allow you to enable or disable a designated device class or type. This is accomplished by clicking on the command button appearing next to the
Device class entry in the
New Device Properties dialog box (in the Group Policy Management Editor), which triggers display of the
Select a Device Class or a Device window, mirroring in its appearance
Device Manager console.
The content reflects local hardware configuration. Unfortunately, this approach is fairly limited, since it relies on having an administrative computer (running Vista or a later operating system) with the same set of components as an intended target. To work around this limitation, you might try editing the resulting
Devices.xml file (residing in the
PreferencesDevices subfolder of a GPO-specific folder under
If you pursue this approach, you will need to determine the appropriate values of
deviceTypeID attributes by examining corresponding entries in that device’s
Properties dialog box in
Device Manager. They are, respectively, represented by
Class long name,
Display name or
Device class guide, and
Device Instance Path properties on a target computer. Alternatively, you might be able to extract relevant information from the device driver INF file. These values would then have to be entered manually in the file, while preserving correct XML syntax. You can then can find them on MSDN site. Keep in mind that this is not a Microsoft-supported procedure.
Control Panel Settings
These are available as part of both Computer and User Configuration. They define settings that control the appearance of Windows Explorer and file associations, which determine a program invoked when opening a file based on its extension. Three items are in the
New submenu, including
Folder Options (Windows XP),
Folder Options (Windows Vista) and
Open With. The first one is intended for Windows XP and Windows Server 2003 systems and, for the most part, it is identical to the content of the
View tab of
Folder Options Control Panel applet. The same applies to the second one, applicable to Vista and Windows Server 2008/2008 R2-based targets. This separation reflects changes in the graphical interface (such as preview handlers) and enhanced search functionality introduced in Vista. The third option
New Open With gives you ability to
Delete file associations.
When viewing content of the
Advanced tab of
New Folder Opions (Windows XP) and
New Folder Options (Windows Vista) dialog boxes, you will likely notice their entries are underlined with either solid green or dashed red lines. This is a visual clue, indicating whether they will be processed or ignored. The status of a checkbox next to each entry determines whether the corresponding setting will be enabled or disabled. If you want to change the default assignment, use the function keys in the following manner:
F5ensures all settings will be processed (which is designated by a green solid line under all entries)
F6ensures an individual, currently selected item will be processed (which is designated by a green solid line under this particular entry)
F7ensures all settings will be ignored (which is designated by a red dashed line under all entries)
F8ensures an individual, currently selected item will be ignored (which is designated by a red dashed line under this particular entry)
Control Panel Settings
This is one of few user extensions without its computer equivalent. It provides a way to manage Internet Explorer configuration. The list of available choices starts with versions 5 and 6, combined together into a single menu item in the Group Policy Management Editor. Preferences for IE 8 are available starting with Windows 7 (with Remote Server Administrative Tools installed) and Windows Server 2008 R2.
Like other options discussed here, the interface is straightforward, mirroring the
Internet Properties dialog box accessible via
Internet Options Control Panel applet. Some of its settings are grayed out and therefore not configurable via Group Policy Preferences. This restriction applies to listings of sites assigned to individual zones on the
Privacy settings on
Privacy tab — with the exception of
Pop-up Blocker, which you can enable starting with Internet Explorer 7, the entire content of
Content tab in Internet Explorer 5 and 6, and the assignment of Internet programs (
Unfortunately, here as well you might run into some problems when using Vista or Windows Server 2008 based Group Policy Management Editor. Refer to Knowledge Base article 970840 for details and the resolution.
Download Directory entries on the
General tab, entries on the
Security level for each zone), as well as
Connections tabs are subject to the rules that we described when discussing
Folder Options (in regard to ability to control which settings are processed and which are ignored). The only notable difference concerns visual clues on the
Advanced tabs, which take the form of green and red circles — rather than green solid and red dashed lines.
Control Panel Settings
Local Users and Groups
This facilitates local user and group administration. Since it exists in both User and Computer Configuration nodes, it permits you to control whether the intended action will be targeting a specific system or will be carried out following logons of a designated user. You can create, replace, update, and delete users and groups. Obviously, these actions are subject to the same restrictions as regular account management, so certain operations, such as attempts to delete built-in groups will simply fail. Remember, replacing an existing security principal will yield another one with a different SID, thus preventing you from retaining the same set of permissions. Unless this is the desired outcome, rely on updates instead.
In addition, you have ability to assign a new group name or description, as well as to add or remove its members (including deleting all of them). There is also an option to
Add the current user to a local group, providing an interesting solution in scenarios where elevated privileges must be granted temporarily to interactive users Note, however, that when implementing this approach via
User Configuration, the change does not take effect until the second logon.
For local user accounts, existing options give you the ability to perform such actions as renaming them, resetting their passwords (including forcing password change at next logon or preventing their changes altogether), as well as setting their expiration date and status (enabled or disabled). As mentioned before, credentials are stored in 256-bit AES encrypted format.
In the next installment of our series, we will present the remaining Group Policy Preferences Control Panel settings (including
Start Menu items).
Marcin Policht has been working in the technology field since 1994, primarily in the financial industry, specializing in enterprise-level administration and engineering. Among his personal accomplishments are several publications, including WMI Essentials for Automating Windows Management (SAMS Publishing), Windows Server 2003 Bible (Hungry Minds), Windows 2003 Active Directory (Sybex), and Building High Availability Windows Server 2003 Solutions (Addison Wesley). As a Microsoft MVP in Directory Services (since 2006), he has been focusing on the recent developments in identity management (in particular Active Directory), but also continuing to explore advancements in virtualization and clustering.