Tag Archives: GPO

Disable Windows 10 First Sign-in Animation

  1. Run the Local Group Policy Editor (Start > type gpedit.msc)
  2. Navigate to Computer Configuration > Administrative Templates > System

  3. Select Logon

  4. Double-click Show first sign-in animation
  5. In the Show first sign-in animation windowselect Disabled and click OK
  6. Close the Local Group Policy Editor

GPO Disable Password Expiration or Password Complexity

Big Fat Warning:  Don’t do this.

How to disable password expiration

  1. Load Local Group Policy Editor (Start –> Type gpedit.msc –> Enter)
  2. Expand sections: Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Account Policies –> Password Policy
  3. Set Maximum password age to 0 to completely disable passwords from expiring.

How to disable password complexity

  1. Load Local Group Policy Editor (Start –> Type gpedit.msc –> Enter)
  2. Expand sections: Local Computer Policy –> Computer Configuration –> Windows Settings –> Security Settings –> Account Policies –> Password Policy
  3. Set Password must meet complexity requirements to Disabled to completely disable password complexity requirements.

Playing with Local Group Policy Objects

I’m working on locking down a Windows 7 Embedded thin client lately and have a need to restrict some Internet Explorer settings. I have to do this on a handful of thin clients.

The first thing I do is create a Local Group Policy for NON ADMINISTRATORS.

This is important because I do not want my administrator account to be all screwed up and locked down when I need to connect for administrative work.

I also export the settings so that I can apply them to other computers as needed.  Initially, I will be imaging the units so they’ll all get the same policy, but management in the future will simply be by applying the Local GPOs instead of wasting time deploying a new image.

Create Local Group Policy – Non Administrators

  1. Start > mmc.exe
  2. File > Add/Remove Snapin
  3. Choose Group Policy Object Editor, click Add >
  4. Click Browse > Users tab
  5. Select Non-Administrators (or a specific user you plan to only apply a GPO to)
  6. Click OK > Finish > OK
  7. File > Save As… > “Local GPO – Non Admin.msc” (or whatever you like)

Configure Policies

In the left pane, I drill through Local Computer\Non-Administrators > User Configuration > Administrative Templates >  Windows Components > Internet Explorer

I configured a lot of the Internet Explorer policies for this Group Policy.

After I’m done I want to save these changes for reference in the future.  To do this I use gpresult to produce an HTML report.

Save Group Policy Settings Report

From a command line, I run the following command.  Note that I use “User” as my user since that is the only non-administrator account on this system.  You will need to substitute with your own criteria.

gpresult /USER User /h grouppolicysettings.html

Now I have an excellent report that has detailed information what policies are applied to the User account and even descriptions of the policies.

2014-05-20_131615

 

Tip – Convert Group Policy Result Report to Excel Spreadsheet

If you export the report to XML using /x filename.xml, you can use a nice VBScript to convert the XML to an Excel Spreadsheet as well.  Get the VBScript if you’re interested. Script is from this MS TechNet Article.

Exporting and Importing Local Group Policies

So there are a few tools out there that can Export and Import Group Policies.  Windows doesn’t do this natively but there is an Accellerator Solution available called Microsoft Security Compliance Manager (SCM) that has LocalGPO application in it.  LocalGPO tool allows you to backup and restore Local Group Policy Objects.  Cool, eh?

Get Microsoft Security Compliance Manager, which includes LocalGPO, from:  http://technet.microsoft.com/en-us/library/cc677002.aspx

 

Export Local GPO for “User”

  1. Configure a single User setting in the Local Policy of the computer
  2. Use LocalGPO to export a GPO Backup or GPOPack
    1. LocalGPO /Path:"C:\GPO backups" /Export
  3. Copy the “registry.pol” file from “c:\Windows\System32\GroupPolicyUsers\<SID>\User” (you should only see one if “User” is the only local user with an MLGPO)
  4. Paste the “registry.pol” file over the ..\User\registry.pol inside the GPO Backup or GPOPack created in Step #2

You will then have a GPO Backup or GPOPack with *all* the settings originally configured for “User” in MLGPO.

Restore Local GPO

You can then apply this GPO Backup or GPOPack using the MLGPO option to configure other users the same as User.

LocalGPO /MLGPO:User /Path:"C:\GPO Backups"

Disable Address Bar in IE8

Working on some thinstations with XP/IE8 today and needed to implement removal of Address/NavBar and could not find it in the GPO.  Came across someone who created the magic and I will share this information.

NOTE: There is an extra line feed at the bottom; make sure you include this in your file. =)

Create a new file in notepad and save the following as DisableIENav.adm, for example…

class user

category IESettings

policy "disable/hide IE command bar"
keyname "softwarepoliciesmicrosoftinternet explorertoolbarsrestrictions"
explain "here is the explaination"
valuename "NoCommandBar"
valueon numeric 1
valueoff numeric 0
end policy

policy "disable/hide IE nav bar"
keyname "SoftwarePoliciesMicrosoftInternet ExplorerToolbarsRestrictions"
explain "here is the explaination"
valuename "NoNavBar"
valueon numeric 1
valueoff numeric 0
end policy

end category