-
Printers: set policy to automatically deploy printers, then allow logon to trigger the deployment and set a default printer
-
Computer Configuration – Policies – Windows Settings – Printer Connections – Path = \\printserver\{printer_name}
-
Computer Configuration – Policies – Windows Settings – Administrative Templates – All Settings – User Group Policy loopback processing mode = enabled (mode: merge)
-
User Configuration – Preferences – Control Panel Settings – Printers – Shared Printer (name: \\printserver\{printer_name}) – Update – Common – Item Level Targeting – computers in OU…
-
-
Printers: allow users to install drivers
-
Computer Configuration\Policies\Administrative Templates\System\Driver Installation\Allow non-administrators to install drivers for these device setup classes >> Enabled >> Device class GUID of printers: {4d36e979-e325-11ce-bfc1-08002be10318}
-
User Configuration/Policies/Administrative Templates/Control Panel/Printers/Point and Print Restrictions
-
User can only P&P to these servers => Disabled
-
User can only P&P to machines in their forest => Enabled
-
When installing drivers for a new connection => Do not show warning or elevation prompt
-
When installing drivers for an existing connection => Do not show warning or elevation prompt
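
The Point and Print settings above can be read back from the registry on a client to confirm what actually applied. The following PowerShell is an added example, not part of the original page: the function name Get-PointAndPrintState is hypothetical, and RestrictDriverInstallationToAdministrators is a machine-wide value the page does not mention that, when set to 1, requires administrator rights for driver installation regardless of the prompt settings.

```powershell
# Added example (not from the original page). Get-PointAndPrintState is a hypothetical name.
# Run it in the user's own session so that HKCU: is that user's hive.
function Get-PointAndPrintState {
    $sub = 'Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    foreach ($hive in 'HKCU:', 'HKLM:') {
        # User Configuration policy is written to HKCU, Computer Configuration policy to HKLM.
        $p = Get-ItemProperty -Path "$hive\$sub" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Hive                = $hive
            PolicyPresent       = [bool]$p
            # 1 = "Do not show warning or elevation prompt" for a new connection
            NewConnectionSilent = ($p.NoWarningNoElevationOnInstall -eq 1)
            # 2 = "Do not show warning or elevation prompt" for an existing connection
            UpdateSilent        = ($p.UpdatePromptSettings -eq 2)
            # 1 = only the servers named in ServerList are accepted
            ServerListEnforced  = ($p.TrustedServers -eq 1)
            ServerList          = $p.ServerList
            # 1 = only machines in the user's forest are accepted
            ForestOnly          = ($p.InForest -eq 1)
            # HKLM only: 1 = installing a printer driver requires administrator rights
            AdminOnlyDrivers    = if ($hive -eq 'HKLM:') {
                                      $p.RestrictDriverInstallationToAdministrators
                                  } else { $null }
        }
    }
}

$state = Get-PointAndPrintState
foreach ($s in $state) {
    # The combination configured on this page: both prompts off, no approved server list.
    if ($s.NewConnectionSilent -and $s.UpdateSilent -and -not $s.ServerListEnforced) {
        Write-Warning "$($s.Hive) driver prompts are suppressed and no approved server list is enforced"
    }
}
$state | Format-Table -AutoSize
```

With the values listed above applied, the HKCU row shows NewConnectionSilent, UpdateSilent and ForestOnly as True and ServerListEnforced as False.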
-
-
-
Allow users to change system time
-
Computer Configuration – Windows Settings – Security Settings – Local Policies – User Rights Assignment – Change the system time
-
-
Allow users to install software (Methods)
-
If PCs are Windows 7 Enterprise or above, use AppLocker in AD
-
If Network is protected by Enterprise Antivirus, use Endpoint Protection Manager
-
Local Administrators option: create a group such as “LocalAdmins” >> add managers to that group >> apply a new GPO to the correct OU >> Computer Configuration\Windows Settings\Security Settings\Restricted Groups >> add “Software Installers” as a member of “Administrators” and “Remote Desktop Users”
-
If going the deployed software route: User Configuration > Policies > Software Settings > Software installation, then New > Package…, select the Advanced option, and change the Deployment type to “Published”
-
-
Password Policy
-
Computer Configuration – Policies – Windows Settings – Security Settings
-
-
Disable some default Windows behaviors
-
Computer Configuration – Policies – Administrative Templates:
-
Don’t display the Getting Started welcome screen at logon – enabled
-
Disable showing the splash screen – enabled
-
Do not show First Use Dialog Boxes – Enabled
-
Prevent Quick Launch Toolbar Shortcut Creation – Enabled
-
Do not automatically start Windows Messenger – Enabled
-
Do not allow Windows Messenger to be run – Enabled
-
-
-
Lock Control Panel (more restrictive)
-
User Configuration > Administrative Templates > Control Panel > double-click “Prohibit access to Control Panel and PC settings” > Enabled > OK
-
-
Launch IE at startup with default Intranet
-
Launch IE: User Configuration\Admin Templates\System\Logon\Run these Programs at logon > Enabled > Items to run at logon: click Show > value=iexplore.exe > OK > OK
-
Whitelist Intranet URL:
-
User Configuration\Preferences\Windows Settings\ > right-click Registry > New > Registry Item
-
Action: Update
-
Hive: HKEY_CURRENT_USER
-
Key Path: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\{Intranet.net}\
-
Value name: http (and a second key for https)
-
Value type: REG_DWORD
-
Value data: 1 (base decimal)
-
-
Computer Configuration\Preferences\Windows Settings\Registry\http\Common
-
Stop processing items on this extension if an error occurs on this item: No
-
Run in logged-on user’s security context (user policy option): No
-
Remove this item when it is no longer applied: No
-
Apply once and do not reapply: No
-
-
Repeat: Computer Configuration\Preferences\Windows Settings\Registry\https\General and Common
-
Repeat: User Configuration\Preferences\Windows Settings\Registry\{http|https}\{General|Common}
-
-
Set default home page of IE: User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > right-click “Disable changing home page settings” > Edit > Enabled > Home Page = {Intranet_url}
-