Technology Policies/Network Printers

Network Assignment

To properly configure network printers initially on a Windows network:

  1. Leave printers set up for DHCP
  2. Check DHCP server and use the MAC address information to establish a DHCP reservation. Remember to set the reservation in ‘all’ DHCP servers.
  3. Restart the network printer as necessary
  4. Add printer on server via TCP/IP address
  5. Deploy via Group Policy
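
Steps 2 and 4 scripted, as an added example that is not part of the original post. It assumes a Windows Server with the DhcpServer and PrintManagement PowerShell modules; every server name, address, MAC and driver name is a placeholder. Step 5 (Group Policy deployment) is left to the GPMC.

```powershell
# Added example: placeholders throughout, adjust to your environment.
$dhcpServers = 'dhcp01.example.local', 'dhcp02.example.local'   # ALL DHCP servers for the scope
$scopeId     = '192.168.10.0'
$printerIp   = '192.168.10.50'
$printerMac  = '00-11-22-33-44-55'      # taken from the printer's current DHCP lease
$printerName = 'Office-Laser-01'
$driverName  = 'Generic / Text Only'    # must already be installed on the print server
$portName    = "IP_$printerIp"

# Step 2: create the same reservation on every DHCP server, skipping servers
# that already hold a reservation for this address or MAC.
foreach ($server in $dhcpServers) {
    $existing = Get-DhcpServerv4Reservation -ComputerName $server -ScopeId $scopeId -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress.IPAddressToString -eq $printerIp -or $_.ClientId -eq $printerMac }

    if ($existing) {
        Write-Warning "$server already has a reservation for $printerIp or $printerMac; review it manually."
        continue
    }

    Add-DhcpServerv4Reservation -ComputerName $server -ScopeId $scopeId `
        -IPAddress $printerIp -ClientId $printerMac `
        -Name $printerName -Description 'Network printer'
}

# Step 4: on the print server, add the TCP/IP port and the shared printer.
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $printerIp
}
Add-Printer -Name $printerName -DriverName $driverName -PortName $portName `
    -Shared -ShareName $printerName
```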

Color Network Printers

  • Configure the default color setting as “black & white”, which forces end users to choose color only when they want it.
Rationale: From experience, users will not elect to go through the extra steps required to select black & white when printing an e-mail or website, even when color is not necessary. However, these extra color pages can contribute significantly toward the number of annual color pages.
  • Color printing access: depending on the printer/MFP device, along with its drivers, there are several options to restrict color printing.
  1. Use the access control lists in the printer's own configuration, which will then require a “code/password” to be set up on each client’s workstation.
  2. Create two different shared printers on the server, one of which is black & white only (color disabled), and then use Windows ACLs to determine who has access to which features.

Technology Policies/Guest Users

We’re starting a new series on Monday called “Policy Monday” to help share common technology policies. This week we’ll start with Adding Guest Accounts to the Network.

The following is a general guideline for creating guest user accounts on an Active Directory based Windows network.

  1. Create a new Guest Organizational Unit
  2. Create the guest account:
    1. If it is a role account (several temps performing the same job) then create a “role based” username
    2. If it is restricted to a single user for a short period of time, then create a “real name” based username
  3. Set the account expiry to something reasonable
  4. Set “change password on next logon” and assist the user with their first logon to the desktop.
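
The four steps above scripted with the ActiveDirectory PowerShell module, followed by a review query for guest accounts that lack an expiry date. This is an added example, not part of the original post; the domain, OU name, account name and the 30-day expiry are assumptions.

```powershell
# Added example: domain, OU, account name and expiry window are placeholders.
Import-Module ActiveDirectory

$domainDn   = 'DC=example,DC=local'
$ouName     = 'Guests'
$guestOu    = "OU=$ouName,$domainDn"
$samAccount = 'temp-shipping'               # role-based name (step 2.1)
$expiresOn  = (Get-Date).Date.AddDays(30)   # assumed value for "something reasonable"

# Step 1: create the Guest OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
        -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Steps 2-4: create the account with an expiry date and a forced
# password change at first logon. The password is prompted for so it
# never appears in the script or in shell history.
$initialPassword = Read-Host -AsSecureString -Prompt "Initial password for $samAccount"
New-ADUser -Name $samAccount -SamAccountName $samAccount -Path $guestOu `
    -AccountPassword $initialPassword -Enabled $true `
    -AccountExpirationDate $expiresOn -ChangePasswordAtLogon $true `
    -Description 'Guest/temp account'

# Review: guest accounts with no expiry date or a non-expiring password.
Get-ADUser -SearchBase $guestOu -Filter * `
        -Properties AccountExpirationDate, PasswordNeverExpires |
    Where-Object { -not $_.AccountExpirationDate -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, Enabled, AccountExpirationDate, PasswordNeverExpires
```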

Group Policy and Internet Explorer 8

There are approximately 1300 Group Policies for managing Windows® Internet Explorer® 8. This TechNet article provides recommendations for the following important areas: security, performance, and compatibility with Internet Explorer 7 and Internet Explorer 6. This article also lists the 65 new Group Policies added in Internet Explorer 8.

New Group Policies added in Internet Explorer 8

The following table lists the new Group Policies in Internet Explorer 8.

| Feature | Policy setting name | Scope | Policy path |
| --- | --- | --- | --- |
| Accelerators | Turn off Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| | Deploy non-default Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| | Deploy default Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| | Use Policy Accelerators | User, Machine | Windows Components\Internet Explorer\Accelerators |
| ActiveX® | Turn off ActiveX Opt-In Prompt | User, Machine | Windows Components\Internet Explorer |
| | Only use the ActiveX Installer Service for installation of ActiveX controls | User, Machine | Windows Components\Internet Explorer |
| | Only allow approved domains to use ActiveX without prompt | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security\PER ZONE |
| | Disable Per-User Installation of ActiveX Controls | User, Machine | Windows Components\Internet Explorer |
| AJAX | Turn off Cross Domain Request Object | User, Machine | Windows Components\Internet Explorer\Security Features |
| | Turn off Cross Document Messaging | User, Machine | Windows Components\Internet Explorer\Security Features |
| | Maximum number of connections per server (HTTP 1.0) | User, Machine | Windows Components\Internet Explorer\Security Features\AJAX |
| | Maximum number of connections per server (HTTP 1.1) | User, Machine | Windows Components\Internet Explorer\Security Features\AJAX |
| Automatic Crash Recovery | Turn off Automatic Crash Recovery Prompt | User, Machine | Windows Components\Internet Explorer |
| | Turn off Reopen Last Browsing Session | User, Machine | Windows Components\Internet Explorer |
| Caret Browsing support | Turn on Caret Browsing support | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Compatibility View | Turn on Internet Explorer 7 Standards Mode | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Turn off Compatibility View | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Turn on Internet Explorer Standards Mode for Local Intranet | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Use Policy List of Internet Explorer 7 Sites | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Turn off Compatibility View button | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| | Include updated Web site lists from Microsoft | User, Machine | Windows Components\Internet Explorer\Compatibility View |
| Data Execution Prevention | Turn off Data Execution Prevention | User, Machine | Windows Components\Internet Explorer\Security Features |
| Data URI Support | Turn off Data URI Support | Machine | Windows Components\Internet Explorer\Security Features |
| Delete Browsing History | Prevent Deleting Web sites that the User has Visited | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting Temporary Internet Files | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting Cookies | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting Favorites Site Data | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Prevent Deleting InPrivate Blocking data | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| | Configure Delete Browsing History on exit | User, Machine | Windows Components\Internet Explorer\Delete Browsing History |
| Developer Tools | Turn off Developer Tools | User, Machine | Windows Components\Internet Explorer\Toolbars |
| Encryption support | Turn off Encryption Support | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| Favorites Bar | Turn off Favorites Bar | User, Machine | Windows Components\Internet Explorer |
| InPrivate Filtering | Turn off InPrivate Filtering | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | Do not collect InPrivate Filtering data | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | InPrivate Filtering threshold | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | Disable toolbars and extensions when InPrivate Filtering starts | User, Machine | Windows Components\Internet Explorer\InPrivate |
| | Turn off InPrivate Browsing | User, Machine | Windows Components\Internet Explorer\InPrivate |
| HTTP 1.1 | Use HTTP 1.1 | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| | Use HTTP 1.1 through proxy connections | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |
| New Tab behavior | Configure new tab page default behavior | User, Machine | Windows Components\Internet Explorer |
| Printing | Turn off printing menu | User | Windows Components\Internet Explorer\Browser Menu |
| RSS Feeds | Turn on Basic feed authentication over HTTP | User, Machine | Windows Components\RSS Feeds |
| Search Provider | Turn off suggestions for all user-installed providers | User, Machine | Windows Components\Internet Explorer |
| | Turn off the activation of the quick pick menu | User, Machine | Windows Components\Internet Explorer |
| | Turn off Windows Search AutoComplete | User, Machine | Windows Components\Internet Explorer\Internet Settings\AutoComplete |
| Secondary Home Pages | Disable changing secondary home page settings | User | Windows Components\Internet Explorer |
| Security | Turn off cross-site scripting filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\<multiple zones> |
| | Turn on warn about Certificate Address Mismatch | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page |
| SmartScreen® Filter | Prevent Bypassing SmartScreen Filter Warnings | User, Machine | Windows Components\Internet Explorer |
| | Turn off Managing SmartScreen Filter | User, Machine | Windows Components\Internet Explorer |
| | Use SmartScreen Filter | User, Machine | Windows Components\Internet Explorer\Internet Control Panel\Security Page\PER ZONE |
| Suggested Sites | Turn on Suggested Sites | User | Windows Components\Internet Explorer |
| Tab Grouping | Turn off Tab Grouping | User | Windows Components\Internet Explorer |
| Tab process growth | Set tab process growth | User, Machine | Windows Components\Internet Explorer |
| Toolbars | Lock all toolbars | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Hide the command bar | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Hide the status bar | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Set location of Stop and Refresh buttons | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Use large icons for command buttons | User, Machine | Windows Components\Internet Explorer\Toolbars |
| | Customize command button labels | User, Machine | Windows Components\Internet Explorer\Toolbars |
| Web Slices | Turn off the feed and Web Slices list | User, Machine | Windows Components\RSS Feeds |
| | Turn off background sync for feeds and Web Slices | User, Machine | Windows Components\RSS Feeds |
| | Turn off addition and removal of feeds and Web Slices | User, Machine | Windows Components\RSS Feeds |
| | Turn off feed and Web Slices discovery | User, Machine | Windows Components\RSS Feeds |

Disable Firefox Auto Update for Terminal Servers

Disable the auto-update feature in Firefox.

I accomplished this by first creating a file called mozilla.cfg in the C:\Program Files\Mozilla Firefox directory with the following contents:

// Disable Auto Updates
lockPref("app.update.enabled", false);
lockPref("extensions.update.enabled", false);

These lines instruct Firefox to disable auto update for the browser itself AND for any add-in extensions.

You must also edit the file all.js in C:\Program Files\Mozilla Firefox\greprefs and add this to the bottom:

// Process mozilla.cfg in Firefox root directory.
pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

Without that last piece, Firefox won’t process the mozilla.cfg you created.

No reboot needed, and hopefully you’ll never run into this again.

SBS RWW ActiveX Control Error

Another technician discovered a problem for a client that points to a possible issue for clients who use RWW to connect to their desktop computer at the office and who are running Windows XP SP3 with IE8 installed. The symptom is that when they click to see the list of computers they can connect to, they see:

“This portion of the Remote Web Workplace requires the Microsoft
Remote Desktop ActiveX Control. Your browser’s security settings may
be preventing you from downloading ActiveX controls. Adjust these
settings and try to connect again.”

Be sure to check the following:

  • IE Compatibility Mode is enabled for the RWW site
  • The site is on the “trusted site” list
  • From the command line, type “regsvr32 mstscax.dll” to re-register the control

BitLocker to Go in Windows 7

For the enterprise customer, one of the greatest integrated features in Windows Vista was the new BitLocker technology. However, it was limited to encrypting only the local hard drives. Now, in Windows 7, Microsoft has introduced BitLocker to Go, which is a form of BitLocker for mobile/removable media. It enables full drive encryption with either smartcard authentication or password protection. The password can be separate from your network logon credentials, and can also have its own password policies applied via Group Policy. Even more, it is backward compatible with prior versions of Microsoft Windows; however, the data is read-only. To write data to a BitLocker to Go disk, you must be running Windows 7.

And as with Encrypted File System (EFS) back in Windows 2000, you’ll need to carefully plan your data recovery system should a user forget their password. Just as with EFS, you can utilize a recovery key, but you must configure and enforce this in advance. Otherwise, if you do not intentionally set this up, users can begin using BitLocker without a recovery key and risk losing data if they forget their password for the drive. This is especially risky since you can enable your local computer to remember the password, so really the only time you’ll use the password is when attempting to access the drive from another system. From this standpoint, it may be a good idea to configure GPO now for the Windows 7 .admx files to prohibit BitLocker to Go until a formal policy can be established.

Enjoy!

Force workstation logoff after inactivity

There are various situations where you may want a computer to automatically log off the user when they have been idle for a period of time. The most frequent use for this is for shared workstations, such as on a production floor or in another open access area. In the past, a common method was to enable a “role based” user account, such as shipping or quality control. This logon was known to all users of the specific workstation.

There is, however, a tool available from Microsoft, basically a screen saver hack, which, when enabled, will log off the user instead of displaying a screen saver. This effectively permits multiple users to share the same system throughout the day while retaining separate, secret passwords, without hindering the other user when they forget to log off. It is still a better practice to actually log off, but this is a great fail-safe alternative: WinExit.scr – you can find it at: http://support.microsoft.com/kb/314999

“Extra Registry Settings” under Group Policy Management Console

After running a resultant set of policy (RSOP) within the Microsoft Group Policy Management Console, you may see some settings listed under “Extra Registry Settings”. The primary cause for this is that the currently loaded set of ADM files for the GPMC does not match the version which was used to create the Group Policy. Frequently this is because the policy was configured on a different workstation than the one you are using to view the RSOP. Simply download the latest GPO ADM files from Microsoft’s website and apply them to the GPMC to have the settings show properly.

On the topic of Group Policy, don’t forget about the handy GPO Policy Reference worksheet found here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en

Enjoy!
