
GPO

I chose some policies just for a test:

- Group1 gets a red background
- Group2 has no rights to open the Control Panel (“Systemcontrol”)
- Group3 is the only group with Remote Desktop rights
- Group4 has www.google.com as the start page (Internet Explorer)
- Group5 will be connected to a network share which is opened automatically
- All will have a disabled firewall, and when they log in or out their profiles will be synchronized.

Set Group Policies

To set the red background colour I created a new share with the name wallpaper$. The “$” makes this share invisible in the network browse list; you can only reach it when you open it directly by its UNC path (hidden is not the same as protected: the users still need read permission on the share and on the NTFS folder, and anyone who knows the name can open it). In the directory you have to add a picture with a single red dot named “red.jpg”. In the Group Policy Management console, under the OU “Group1”, you have to add a new policy. Right-click → Edit opens the Group Policy Editor. Under User Configuration → Policies → Administrative Templates → Desktop you have to activate “Active Desktop” (enable HTML and JPG as background picture) and “Desktop Wallpaper”. In Desktop Wallpaper you have to set the UNC path \\dc\wallpaper$\red.jpg and the style “Stretch”.

Back in the Group Policy Management console you add a policy for the OU “Group2”. In “Edit” you can find the option to disable the Control Panel under User Configuration → Policies → Administrative Templates → Control Panel (“Systemcontrol”). There you have to enable “Prohibit access to Control Panel” (“disable access to Systemcontrol”).

In the next step you add a policy for “Group3” or rather for the “computers” OU. In it you have to add the group “RDPUsers” under Computer Configuration → Policies → Windows Settings → Security Settings → Restricted Groups. Keep in mind that a Restricted Groups entry with “Members of this group” replaces the existing membership of the target local group on every computer the policy applies to, so check which accounts are listed before you link it.

To change the start page of the browser for “Group4” you have to add another policy. There you go to User Configuration → Policies → Windows Settings → Internet Explorer → URLs/Important URLs and set www.google.com as the start page.
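As an added example (not part of the original page), the Group1, Group2 and Group4 policies from the steps above created with the GroupPolicy PowerShell module instead of clicking through the editor. The registry keys are the ones the “Desktop Wallpaper”, “Enable Active Desktop”, “Prohibit access to Control Panel” and IE start-page policies write; the domain DN and the GPO display names are placeholders and assumptions of this example.

```powershell
# Added example: create the Group1/Group2/Group4 GPOs from the page with the
# GroupPolicy module (RSAT). Run as an account allowed to create and link GPOs.
Import-Module GroupPolicy

# Assumption: placeholder domain, replace with your own distinguished name.
$domainDn = 'DC=example,DC=local'

# Group1: red wallpaper from the hidden share (User Config > Admin Templates > Desktop).
$gpo1 = New-GPO -Name 'Group1 - Red wallpaper'
Set-GPRegistryValue -Name $gpo1.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'ForceActiveDesktopOn' -Type DWord -Value 1      # "Enable Active Desktop"
Set-GPRegistryValue -Name $gpo1.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Wallpaper' -Type String -Value '\\dc\wallpaper$\red.jpg'
Set-GPRegistryValue -Name $gpo1.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'WallpaperStyle' -Type String -Value '2'         # 2 = Stretch
New-GPLink -Name $gpo1.DisplayName -Target "OU=Group1,$domainDn" -LinkEnabled Yes

# Group2: "Prohibit access to Control Panel" (the page's "disable access to Systemcontrol").
$gpo2 = New-GPO -Name 'Group2 - No Control Panel'
Set-GPRegistryValue -Name $gpo2.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1
New-GPLink -Name $gpo2.DisplayName -Target "OU=Group2,$domainDn" -LinkEnabled Yes

# Group4: Internet Explorer start page, written under the Policies hive so the
# user cannot change it back.
$gpo4 = New-GPO -Name 'Group4 - IE start page'
Set-GPRegistryValue -Name $gpo4.DisplayName `
    -Key 'HKCU\Software\Policies\Microsoft\Internet Explorer\Main' `
    -ValueName 'Start Page' -Type String -Value 'http://www.google.com'
New-GPLink -Name $gpo4.DisplayName -Target "OU=Group4,$domainDn" -LinkEnabled Yes

# Check: export a report of each new GPO so you can review what it contains
# before the first user logs on.
foreach ($g in $gpo1, $gpo2, $gpo4) {
    Get-GPOReport -Name $g.DisplayName -ReportType Html `
        -Path (Join-Path $env:TEMP ($g.DisplayName + '.html'))
}
```

Clients pick up the new policies at the next `gpupdate` or logon; `gpresult /r` on a client shows which of the linked GPOs were actually applied.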

For adding the share you have to write a small script. Just open a .txt file and add the following:

rem map the share as drive V: for this session only (not re-created at the next logon)
net use v: \\dc\vw-share /persistent:no
rem open the mapped drive in Explorer
start explorer.exe "v:\"

Save this file as *.bat or *.cmd. Add a policy and under User Configuration → Policies → Windows Settings → Scripts → Logon click Add, then Browse. Move the script to the folder that opens (User-Scripts-Logon inside the policy's SYSVOL folder) and add it.

To deactivate the firewall you need another script. Just as before, open a .txt file and add:

rem stop the Windows Firewall service (MpsSvc) at startup
net stop "MpsSvc"

You have to add a policy under “computers”. In Computer Configuration → Policies → Windows Settings → Scripts → Startup you have to click Add and Browse just like before and move the file to “Machine-Scripts-Startup”. Additionally you have to disable the service “MpsSvc” under Computer Configuration → Policies → Windows Settings → Security Settings → System Services. Keep in mind that this removes all host-based filtering on those machines; outside a test lab you would manage the rules through Windows Firewall with Advanced Security in the same Security Settings node instead of stopping the service.

At last you set up the profile synchronization (roaming profiles). For this you need another share named “profile$”, with a folder per user underneath it. Right-click → Properties → tab Sharing → Caching: select the option “No files or programs from the shared folder are available offline”. The share and NTFS permissions must allow each user to create and own their own folder, otherwise the profile cannot be created at the first logon. Now you have to edit the users once again. Right-click a user, open Properties and the tab Profile. Add as profile path \\dc\profile$\%username%. “%username%” is a variable that is replaced by the user name automatically, so you don't need to enter the username for every user manually.

⇒Continue with Trust

windows/windowsserver/activedirectory/gpo.txt · Last modified: 2017/12/08 17:08 by lunetikk