Category Archives: Group Policy

How to configure an Open With preference group policy item


In the name of God, the Most Gracious, the Most Merciful

What is the Open With item in Group Policy Preferences used for?

The Open With preference item lets you create, configure, and delete an Open With association for a specific file name extension in the user’s profile.

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand User Configuration – Preferences – Control Panel Settings.
  • Right-click the Folder Options node, point to New, and select Open With.

  • In the New Open With Properties dialog box, Action offers four choices:

Create: create a new Open With association. If an association for the file name extension already exists in the user’s profile, nothing is created.

Delete: remove an existing Open With association. An association exists when the file name extension named in the item is present in the user’s profile. No action is taken if it does not exist.

Replace: delete and recreate the Open With association. The net result is that all existing settings for the association are overwritten. If the association does not exist, Replace creates it.

Update: modify an existing Open With association. Unlike Replace, Update changes only the settings defined in the preference item and leaves all other settings as they were. If the association does not exist, Update creates it.

Open With settings:


File name extension Type the extension of the file to associate with the specified application. Press F3 to display a list of variables from which you can select.

Note: You do not need to insert the period before the file name extension.

Associated Program Type the path and name of the application you want to associate with the file name extension. Alternatively, you can click Browse (…) and select the application. Press F3 to display a list of variables from which you can select.

Note: Even if the application is not installed on the server where you are editing the policy, you can type the full path to the .exe as it will exist on the client. Alternatively, install the Remote Server Administration Tools (RSAT) on a Windows 7 machine that has the application installed and edit the GPO from there.

Set as default Select this check box to make the associated application the default application Windows uses to open the file name extension.
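Because the item only writes into the user’s profile, the useful check is on the client, as that user, after a Group Policy refresh. The script below is an added example and not code from the original article: it reports what each extension’s Open With association resolves to. It assumes the per-user association is stored under HKCU\…\Explorer\FileExts (a UserChoice\ProgId, then the OpenWithList candidates ordered by MRUList) and that HKCR holds the machine-wide default; the extension list is a constructed sample.

```powershell
# Added example, not code from the original article. Audits which program the
# current user's "Open With" association resolves to for a set of file name
# extensions. Assumptions: the per-user association lives under
# HKCU\...\Explorer\FileExts (UserChoice\ProgId, then the OpenWithList
# candidates ordered by MRUList), and HKCR holds the machine-wide default.
# The extension list is a constructed sample; edit it to match what you deploy.
$Extensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta', '.txt'
$FileExts   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'

function Get-OpenCommand {
    # Resolve a ProgId (e.g. "JSFile") to the command Explorer would run
    param([string]$ProgId)
    if (-not $ProgId) { return $null }
    $k = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'(default)'
}

foreach ($ext in $Extensions) {
    $key = Join-Path $FileExts $ext

    # 1. Explicit per-user choice, honoured first when present
    $userChoice = (Get-ItemProperty -Path (Join-Path $key 'UserChoice') -ErrorAction SilentlyContinue).ProgId

    # 2. "Open with" candidates: values a, b, c ... whose order is given by MRUList
    $owl = Get-ItemProperty -Path (Join-Path $key 'OpenWithList') -ErrorAction SilentlyContinue
    $candidates = @()
    if ($owl -and $owl.MRUList) {
        $candidates = $owl.MRUList.ToCharArray() | ForEach-Object { $owl.($_.ToString()) } | Where-Object { $_ }
    }

    # 3. Machine-wide default from HKCR, used when the user has no choice of their own
    $sysProgId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    $effective = if ($userChoice) { $userChoice } else { $sysProgId }
    $command   = Get-OpenCommand $effective

    [pscustomobject]@{
        Extension    = $ext
        UserChoice   = $userChoice
        OpenWithList = ($candidates -join ', ')
        Effective    = $effective
        Command      = $command
        # Script hosts execute the file on double-click; that is what the Open With
        # item is typically used to change (e.g. point .js/.vbs at notepad.exe).
        RunsAsScript = [bool]($command -match 'wscript\.exe|cscript\.exe|mshta\.exe')
    }
}
```

Run it as the affected user after gpupdate. If the Effective column for an extension such as .js or .vbs still resolves to a script host although the item was meant to change it, the preference has not applied. On Windows 8 and later the UserChoice key is protected by a hash and values written to it by a preference item are not honoured, so check the result rather than assuming it.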

 
Reference:
http://technet.microsoft.com/en-us/library/cc732272.aspx
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/7c8b7f12-510a-435a-8053-856123cdb20d/

Group policy search tool (GPS)


In the name of God, the Most Gracious, the Most Merciful

GPS is an online search tool for Microsoft Active Directory Group Policy settings.

It helps when you are unsure whether a policy exists for a setting, or when you need to know which registry value a specific Group Policy setting writes.

With Group Policy Search you can easily find existing Group Policy settings and the registry keys and values behind them.

Group Policy Search will give you what you need. Try it here.

  • GPS page overview
  • You can change the display and search language
  • You can change the tree view (policy view or registry view)
  • You can filter the search to specific products and/or versions
  • You can share a result using the one-click copy feature in the Copy menu
  • You can add a Search Provider and a Search Accelerator to Internet Explorer, or a Search Connector to Windows 7

Reference:

http://social.technet.microsoft.com/wiki/contents/articles/how-to-find-the-group-policy-you-need.aspx#comment-11774

How to Prevent Authenticated Users from joining Workstations to a Domain


In the name of God, the Most Gracious, the Most Merciful

I asked myself what the benefit of this option is: “by default, Windows Server allows authenticated users to join 10 machine accounts to the domain”. But I didn’t get an answer.

The quota matters because any domain user can use it to create computer objects that they then control, which is why hardening guidance is to set it to 0 and delegate join rights explicitly to the people who need them. Administrators can control it in two ways:

1- By ADSI Edit:

  • Start – Administrative Tools – ADSI Edit
  • Right-click the domain object – Properties
  • Attribute Editor tab – ms-DS-MachineAccountQuota – Edit – set the value to 0 – OK


Note:

Users in the Administrators or Domain Admins groups, and users who have been delegated permission to create and delete computer objects in Active Directory containers, are not restricted by this quota.

2- By Group Policy:

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Edit the Default Domain Controllers Policy, or another GPO linked to the Domain Controllers OU (this user right is evaluated on the domain controllers).
  • Expand Computer Configuration – Policies – Windows Settings – Security Settings – User Rights Assignment.
  • In the right pane, right-click Add workstations to domain – Properties – add the users or groups that should be allowed to join computers, and remove Authenticated Users.

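The two controls above are easier to verify than to click through. The script below is an added example, not code from the original article: it reads the quota, lists the computer objects that ordinary users have already joined under it, and can set the quota to 0. It requires the ActiveDirectory module from RSAT; the $Enforce read-only guard is this example’s own convention.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT) and permission to read the domain object; writing needs
# Domain Admins. $Enforce is this script's own read-only guard (assumption).
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# 1. Current quota. Default is 10; 0 means users without explicit Create Child
#    rights on a container cannot create computer objects at all.
$quota = (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

# 2. Computers that were joined under the quota. AD stamps mS-DS-CreatorSID only
#    when the object was created via the quota rather than via delegated rights,
#    so its presence tells you which machines ordinary users brought in.
$joined = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # creator deleted since; keep the raw SID
        [pscustomobject]@{ Computer = $_.Name; CreatedBy = $who; WhenCreated = $_.whenCreated }
    }
"$(@($joined).Count) computer object(s) were created through the quota:"
$joined | Sort-Object CreatedBy, WhenCreated | Format-Table -AutoSize

# 3. Set the quota to 0. Do this only after delegating Create Computer Objects on
#    the right OU to the team that actually joins machines.
$Enforce = $false
if ($Enforce) {
    Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    "Quota set to 0 on $($domain.DNSRoot)"
}
```

The quota only applies to users who hold the Add workstations to domain right on the domain controllers, so both lists need reviewing: a user removed from the user right cannot join anything regardless of the quota, and a user with delegated Create Computer Objects permission on an OU is not counted against it.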

How to configure AppLocker Group Policy to prevent software from running


In the name of God, the Most Gracious, the Most Merciful

Firstly: What is AppLocker?

AppLocker is a set of Group Policy settings, introduced with Windows 7 and Windows Server 2008 R2 as the successor to Software Restriction Policies, that restricts which applications can run on corporate computers, including the ability to restrict by publisher, product name, or version number. On Windows 7 the rules are enforced only on the Enterprise and Ultimate editions; Windows 7 Professional can author rules but does not enforce them. Windows Server 2008 R2 enforces them.

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Policies – Windows Settings – Security Settings – Application Control Policies – AppLocker.
  • In the right pane click Configure rule enforcement.

Note: the rule collections and the file types they cover are:

  1. Executable rules: .exe, .com
  2. Windows Installer rules: .msi, .msp
  3. Script rules: .ps1, .bat, .cmd, .vbs, .js
  4. DLL rules: .dll, .ocx (hidden by default; enable them under AppLocker – Properties – Advanced)

  • Under Executable rules, tick Configured, select Enforce rules, and click OK. (Audit only logs what would have been blocked to the AppLocker event log without blocking it, and is the safer first step for a new policy.)
  • In the left pane under AppLocker, right-click Executable Rules and select Create New Rule.
  • Select Deny and choose the user or group the rule applies to.

Note:

Publisher rules: this condition identifies an application by its digital signature and extended attributes. The signature identifies the company that created the application (the publisher); the extended attributes, read from the binary’s version resource, give the product name and the file version.

Path rules: this condition identifies an application by its location in the file system of the computer or on the network. These are the weakest kind: a user who can write to an allowed path can run anything from it.

File hash rules: this condition identifies a specific binary by its hash, which is the way to restrict an application that is not digitally signed. A hash rule has to be updated whenever the file changes.

  • Select Publisher and click Next.
  • Click Browse and select the executable, for example example.exe.
  • Use the slider to choose how specific the rule is: Any publisher, Publisher, Product name, File name, or File version. Then click Next.
  • Read the exceptions page and click Next.
  • Click Create.
  • You will now be prompted to create the default rules, which ensure that you do not accidentally stop Windows from working. Click Yes if these rules do not already exist.

Note:

A Deny rule scoped to Everyone already applies to administrators, because AppLocker evaluates explicit Deny rules before explicit Allow rules. Delete the default BUILTIN\Administrators “All files” rule only if you also want administrators limited to the explicitly allowed set; otherwise leave it, since removing it makes it easy to lock administrators out of the tools they need.

Now we will enable the Application Identity service, without which AppLocker rules are not enforced on the computers:

  • In the same Group Policy Object, go to Computer Configuration – Policies – Windows Settings – Security Settings – System Services.
  • Right-click Application Identity, then Properties.
  • Tick Define this policy setting, select Automatic, and click OK.

Now when a user tries to run the program, they will see the AppLocker message “This program is blocked by group policy. For more information, contact your system administrator.”
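The same policy can be built and, more importantly, tested before it is linked anywhere. The script below is an added example, not code from the article or the posts it cites: it produces the kind of policy the wizard builds (one Deny publisher rule plus the three default Allow rules), runs it through Test-AppLockerPolicy against the target and a known-good Windows binary, checks the Application Identity service, and optionally writes it to a GPO. The $Target path, the GPO name and the $Enforce guard are this example’s assumptions.

```powershell
# Added example, not code from the article or the posts it cites. Produces the
# kind of policy the wizard builds (one Deny publisher rule plus the three
# default Allow rules), tests it offline, and optionally writes it to a GPO.
# Assumptions: $Target points at a signed executable on the admin workstation;
# the GPO name and the $Enforce read-only guard are this example's own.
Import-Module AppLocker

$Target  = 'C:\Program Files\Example\example.exe'   # assumed path of the program to block
$Enforce = $false                                   # set $true to write to the GPO

# Read publisher / product / binary name from the Authenticode signature
$info = Get-AppLockerFileInformation -Path $Target
if (-not $info.Publisher) { throw "$Target is not signed: use a file hash rule instead of a publisher rule." }
$p = $info.Publisher

function Field($v) {
    # Publisher condition fields: XML-escape, and use "*" where the binary has no value
    if ([string]::IsNullOrEmpty($v)) { '*' } else { [System.Security.SecurityElement]::Escape([string]$v) }
}
$newId = { [guid]::NewGuid().ToString() }

# Deny is scoped to Everyone (S-1-1-0). AppLocker evaluates explicit Deny before
# explicit Allow, so this also hits members of Administrators even though the
# default "All files" rule for S-1-5-32-544 (BUILTIN\Administrators) allows them everything.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$(& $newId)" Name="Deny $(Field $p.BinaryName)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$(Field $p.PublisherName)" ProductName="$(Field $p.ProductName)" BinaryName="$(Field $p.BinaryName)">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$(& $newId)" Name="(Default Rule) All files located in the Program Files folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $newId)" Name="(Default Rule) All files located in the Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(& $newId)" Name="(Default Rule) All files" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'deny-example.xml'
$policyXml | Set-Content -Path $xmlPath -Encoding UTF8

# Dry run before linking anything: the target must come back Denied and a
# Windows binary Allowed, otherwise the rule is wrong.
Test-AppLockerPolicy -XmlPolicy $xmlPath -User Everyone -Path $Target, "$env:WINDIR\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Rules are not enforced unless the Application Identity service is running
$svc = Get-WmiObject Win32_Service -Filter "Name='AppIDSvc'"
"AppIDSvc: $($svc.State), start mode $($svc.StartMode)"

if ($Enforce) {
    Import-Module GroupPolicy
    $gpo = Get-GPO -Name 'Block Example'            # assumed GPO name
    $dcs = ($gpo.DomainName -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    Set-AppLockerPolicy -XmlPolicy $xmlPath -Ldap "LDAP://$($gpo.DomainName)/CN={$($gpo.Id)},CN=Policies,CN=System,$dcs"
}
```

Set-AppLockerPolicy without -Merge replaces whatever AppLocker policy the GPO already holds, so export the existing one with Get-AppLockerPolicy -Ldap … -Xml first if the GPO is not new. Test-AppLockerPolicy evaluates the XML offline and does not need the Application Identity service, which is why the service is checked separately.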

Reference:

http://www.grouppolicy.biz/2010/04/how-to-configure-applocker-group-policy-in-windows-7-to-block-third-party-browsers/comment-page-1/#comment-3615

http://www.windows7library.com/blog/security/applocker-part-2-understanding-applocker-rules/

How to force proxy settings via group policy


In the name of God, the Most Gracious, the Most Merciful

This article describes how to force proxy settings via Group Policy.

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand User Configuration – Policies – Windows Settings – Internet Explorer Maintenance – Connection.
  • In the right pane, open Proxy Settings and enter the proxy address and port and the exception list.

Note: Internet Explorer Maintenance was removed with Internet Explorer 10, so this node is not available when editing from a newer machine. On those versions use User Configuration – Preferences – Control Panel Settings – Internet Settings, or a Registry preference item, instead.

For security reasons an administrator may also need to prevent end users from changing their proxy settings. Both methods above only write the user’s Internet Settings registry values; without a lock-down the user can change them back.

You can do this with Group Policy as follows:

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Administrative Templates – Windows Components – Internet Explorer – Internet Control Panel.
  • In the right pane, set Disable the Connections page to Enabled.

This hides the whole Connections tab. If you only want to lock the proxy fields and leave the rest of the tab usable, enable Prevent changing proxy settings under User Configuration – Administrative Templates – Windows Components – Internet Explorer instead.

How to (Enable or Disable) Remote Desktop via Group Policy Windows 2008


In the name of God, the Most Gracious, the Most Merciful

1- We can use a Group Policy setting to enable or disable Remote Desktop:

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Administrative Templates – Windows Components – Remote Desktop Services – Remote Desktop Session Host – Connections.
  • Set Allow users to connect remotely using Remote Desktop Services to Enabled or Disabled.

2- We can use Group Policy Preferences to enable or disable Remote Desktop:

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Preferences – Windows Settings.
  • Right-click Registry – New – Registry Item.
  • On the General tab:
  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Control\Terminal Server
  • Value name: fDenyTSConnections
  • Value type: REG_DWORD
  • Value data: 0 to enable Remote Desktop, 1 to disable it

Note: the Administrative Template setting in method 1 writes the same value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, and a policy value takes precedence over the preference value, so if both are configured the policy wins. Enabling the service is only half the job: the Remote Desktop firewall rule group must also be enabled, and Network Level Authentication should be required.
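The script below is an added example and not code from the original article. It reads the value the preference item writes, shows whether a policy value is overriding it, and checks the two settings that decide whether an enabled listener is actually reachable and safe: the firewall rule group and Network Level Authentication. Run it elevated on a client. The $Enable/$RequireNla switches and the Windows 7 firewall rule name are this example’s assumptions.

```powershell
# Added example, not from the original article. Reads the same value the
# preference item writes, plus the two settings that decide whether an enabled
# RDP listener is actually reachable and safe: the firewall rule group and
# Network Level Authentication. Run elevated. The $Enable/$RequireNla switches
# and the Windows 7 firewall rule name are this example's assumptions.
$Enable     = $null   # $true / $false to change; $null = report only
$RequireNla = $true

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

if ($null -ne $Enable) {
    # The preference item's value: 0 = allow connections, 1 = deny
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value ([int](-not $Enable)) -Type DWord
    # UserAuthentication 1 = require NLA (CredSSP) before a session is created;
    # SecurityLayer 2 = TLS for the listener
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value ([int]$RequireNla) -Type DWord
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord
}

$pref   = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$policy = (Get-ItemProperty -Path $polKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
$nla    = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

# A value under the Policies key comes from the Administrative Template and wins
# over the Control\Terminal Server value written by the preference item.
$effective = if ($null -ne $policy) { $policy } else { $pref }

# Firewall: Windows 8 / 2012 and later have the NetSecurity cmdlets; earlier builds use netsh
$fw = if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True' | Measure-Object).Count -gt 0
} else {
    (netsh advfirewall firewall show rule name='Remote Desktop (TCP-In)') -match 'Enabled:\s+Yes'
}

[pscustomobject]@{
    fDenyTSConnections_Preference = $pref
    fDenyTSConnections_Policy     = $policy
    RemoteDesktopEnabled          = ($effective -eq 0)
    NlaRequired                   = ($nla -eq 1)
    FirewallRuleEnabled           = [bool]$fw
}
```

A result with RemoteDesktopEnabled true but NlaRequired false means anyone who can reach port 3389 gets a logon screen before authenticating, which is the configuration most RDP brute-force and pre-authentication attacks depend on.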

How to Change Local Administrator Password with Group Policy


In the name of God, the Most Gracious, the Most Merciful

We will use Group Policy Preferences to set the password of a local user account.

  • Click Start – All Programs – Administrative Tools – Group Policy Management.
  • Create or edit a Group Policy Object.
  • Expand Computer Configuration – Preferences – Control Panel Settings.
  • Right-click Local Users and Groups – New – Local User.
  • Action: Update; User name: Administrator (built-in); enter and confirm the new password; click OK.

Warning: this method is no longer safe, and Microsoft removed the ability to set passwords this way in May 2014 (security bulletin MS14-025). The password is stored as the cpassword attribute in Groups.xml under the GPO in SYSVOL, which every domain user can read, and it is encrypted with an AES key that Microsoft published in its own documentation, so anyone on the domain can recover the local administrator password. Use LAPS (Local Administrator Password Solution) to manage local administrator passwords instead, and delete any existing preference items that still carry a cpassword.

Note: Group Policy refreshes every 90 minutes by default, plus a random offset of up to 30 minutes.

If you want to change this interval:

  • Expand Computer Configuration – Administrative Templates – System – Group Policy.
  • Enable Group Policy refresh interval for computers and set the time you want (recommended 5–10 minutes; a shorter interval increases load on the domain controllers).

Or run gpupdate /force on the clients.
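Finding the items that still carry a stored password is the first step of cleaning this up. The script below is an added example, not code from the original article: it walks SYSVOL and lists every Group Policy Preferences XML file with a non-empty cpassword attribute, without decrypting anything. It assumes the machine is domain-joined (the SYSVOL path is derived from USERDNSDOMAIN) and that the file names listed are the preference types that can store credentials; the GroupPolicy module is optional and only used to map GUIDs to GPO names.

```powershell
# Added example, not from the original article: a detection script that lists
# every Group Policy Preferences XML in SYSVOL still carrying a cpassword.
# The SYSVOL path is derived from the current domain (assumption: the machine
# is domain-joined); the file name list covers the preference types that can
# store credentials. Requires read access to SYSVOL, which every domain user has.
$domain    = $env:USERDNSDOMAIN
$policies  = "\\$domain\SYSVOL\$domain\Policies"
$gppFiles  = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
$acctAttrs = 'userName', 'accountName', 'runAs', 'username'   # attribute names differ per preference type

function Get-GpoDisplayName([string]$Guid) {
    # Map the {GUID} folder name to the GPO's display name when the GroupPolicy module is available
    try { (Get-GPO -Guid $Guid -ErrorAction Stop).DisplayName } catch { $Guid }
}

$findings = Get-ChildItem -Path $policies -Recurse -Include $gppFiles -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    [xml]$xml = Get-Content -Path $file.FullName
    $guid = @($file.FullName -split '\\' | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' })[0]

    # Any element with a cpassword attribute, whatever the preference type
    foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
        $cpw = $node.GetAttribute('cpassword')
        if ([string]::IsNullOrEmpty($cpw)) { continue }   # empty cpassword = no stored password
        $acct = @($acctAttrs | ForEach-Object { $node.GetAttribute($_) } | Where-Object { $_ })[0]
        [pscustomobject]@{
            Gpo     = Get-GpoDisplayName $guid
            File    = $file.Name
            Item    = $node.ParentNode.GetAttribute('name')
            Account = $acct
            Changed = $node.ParentNode.GetAttribute('changed')
            Path    = $file.FullName
        }
    }
}

if ($findings) {
    $findings | Format-Table Gpo, File, Item, Account, Changed -AutoSize
} else {
    "No cpassword attributes found under $policies"
}
```

Every line of output is a password that has to be treated as compromised: change it on the affected machines, then delete the item (or the whole GPO) rather than just blanking the field, since old copies of Groups.xml may still exist in backups and in SYSVOL replication history.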

How to Prevent Users from Connecting to a USB Storage Device by Group Policy


In the name of God, the Most Gracious, the Most Merciful

To prevent users from connecting USB storage devices by Group Policy:

If a USB storage device has already been installed on the computer:

  1. Click Start – All Programs – Administrative Tools – Group Policy Management.
  2. Create or edit a Group Policy Object.
  3. Expand Computer Configuration – Preferences – Windows Settings.
  4. Right-click Registry – New – Registry Item.
  5. On the General tab:
  • Action: Update
  • Hive: HKEY_LOCAL_MACHINE
  • Key path: SYSTEM\CurrentControlSet\Services\UsbStor
  • Value name: Start
  • Value type: REG_DWORD
  • Value data: 4 (disabled; the default is 3, start on demand)

Note: you can apply this method under User Configuration too.

If a USB storage device has not yet been installed on the computer:

  1. Click Start – All Programs – Administrative Tools – Group Policy Management.
  2. Create or edit a Group Policy Object.
  3. Expand Computer Configuration – Policies – Windows Settings – Security Settings.
  4. Right-click File System – Add File.
  5. Browse to this file:
  • %SystemRoot%\Inf\Usbstor.pnf
  • Assign Deny permissions to the user or group and to the local SYSTEM account.
  6. Browse to this file too:
  • %SystemRoot%\Inf\Usbstor.inf
  • Assign Deny permissions to the user or group and to the local SYSTEM account.

Caveats: neither method stops a local administrator, who can set the Start value or the ACLs back; neither blocks USB devices that are not mass storage (keyboards, network adapters, phones in MTP mode); and since Windows Vista the supported way to do this is the Removable Storage Access policies under Computer Configuration – Administrative Templates – System – Removable Storage Access (for example All Removable Storage classes: Deny all access), which also cover CD/DVD and floppy classes and are easier to audit.
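The script below is an added example, not code from the original article. It reports the state of both controls described above (the USBSTOR Start value and the Deny entries on usbstor.inf/.pnf) next to the Removable Storage Access policy, and lists the USB disks currently attached, so you can see whether the restriction has actually taken effect on a client. Run it elevated. The registry location of the Deny_All policy value is this example’s assumption; verify it with Group Policy Search before relying on it.

```powershell
# Added example, not from the original article. Reports the state of both
# controls the article configures (the USBSTOR Start value and the Deny ACEs
# on usbstor.inf/.pnf) next to the newer Removable Storage Access policy, and
# lists USB disks currently attached. Run elevated. The registry location of
# the Deny_All policy value is this example's assumption; verify it with Group
# Policy Search before relying on it.
$usbstor    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual (default: loads when a device is plugged in)'; 4 = 'Disabled' }

$start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
"USBSTOR Start = $start ($($startNames[[int]$start]))"

# Second method from the article: explicit Deny entries on the driver's INF/PNF files
foreach ($f in "$env:SystemRoot\Inf\usbstor.inf", "$env:SystemRoot\Inf\usbstor.pnf") {
    if (-not (Test-Path $f)) { "$f : missing"; continue }
    $denies = (Get-Acl -Path $f).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { "$($_.IdentityReference) [$($_.FileSystemRights)]" }
    "$f : " + $(if ($denies) { $denies -join '; ' } else { 'no Deny entries' })
}

# Removable Storage Access policy ("All Removable Storage classes: Deny all access")
$rsa = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -Name Deny_All -ErrorAction SilentlyContinue
"Removable Storage Access Deny_All = " + $(if ($rsa) { $rsa.Deny_All } else { 'not configured' })

# What is plugged in right now: setting Start=4 does not unmount a disk that is
# already attached, so anything listed here must be checked separately
Get-WmiObject Win32_DiskDrive -Filter "InterfaceType='USB'" |
    Select-Object Model, @{n='SizeGB'; e={ [math]::Round($_.Size / 1GB, 1) }}, Status
```

A machine that reports Start = 4, Deny entries on both files, and still shows a USB disk in the last table is the case the article’s two-method split exists for: the device was installed before the restriction applied and stays usable until it is removed.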