Posts Tagged ‘Group Policy’

Stop ‘Computer’ appearing when you logon in Vista

Friday, March 7th, 2008

I’ve had a problem lately whereby various roaming profiles have the Computer window appear when users log into Windows Vista.

I messed around with a load of settings to try and work out what it was - I thought that as the problem only manifests itself in Vista with the new profiles, maybe it’s mis-interpreting a group policy setting such as the ‘only show personal folders’ setting.

It took a while, but there was no such setting to make My Computer appear in either the Desktop settings or Start Menu and Taskbar.

The offending article is that nigh-on useless Welcome Center that Vista imposes on users when they log in for the first two times. It seems that if you have redirected folders enabled and have turned off the common options for the Start Menu, then the Welcome Center fails to run. What then compounds the problem is that instead of showing the Welcome Center, it shows the Computer window.

Windows Vista Welcome Center - A useful portal to your computer or just a pain in the backside?

Here’s the kicker, because you cannot see the Welcome Center, you cannot tick the box to tell it never to appear again.

A very simple Group Policy fix is actually found in User Configuration > Administrative Templates > Windows Components > Windows Explorer. Here you can find an option to disable the Welcome Center when a user logs in.

Once enabled, the annoying Computer popup is no more.

Enabling Group Favourites on a Network

Saturday, February 16th, 2008

One of the tricky things about managing Favourites for users on a network is that it’s a nightmare to easily deal with the varied requirements of users.

Generally, you would set up favourites on a Windows network to do one of the following:

  • Leave them as they are. Users can add and remove their own favourite websites
  • Redirect favourites to a shared location with a registry hack – but users lose their personal favourites
  • Add favourites through Group Policy – but you need a network admin to do this whenever something needs to be added.

Now, there’s a groovier, sexier way to do it. You can finally have your cake and eat it. The best part (or worst part depending on your point of view) is – the solution has been there all along.

Before We Start

You’ll need:

  • A Windows-2000 based network with group policy enabled, and an Organisational Unit with user accounts inside.
  • The Group Policy Management Console installed on either the server or a workstation that you will use
  • Administrator Rights

You also need to ask yourself who will have the rights to add shared favourites. This is fairly important, so consider it sensibly.

Getting Started

First of all, log on to a server and run the Active Directory Users and Computers console.

Somewhere in the AD structure, create a new security group called ‘FavouriteManagers’. Next add the users who you want to allow to change favourites to this group. If you don’t mind who changes the favourites, you can skip this step.
This is the group who will be allowed to add favourites to the users. Once you’re done here, and you are happy with the users who are set up in this group – we can set up the tool.

Setting Up the Group Policy to Allow Favourites to be Modified

Log onto your server / workstation as an administrator and do the following:

  1. Open up the Group Policy Management Console, and find the OU where the user accounts you want to control are.
  2. Right-click on the OU and select Create and Link a GPO here… Call the new policy ManageFavourites.
  3. Now click on the new policy, and click on the Delegation tab. Click Add… and add the FavouriteManagers group to have edit access
  4. Click on the Details tab, and select Computer Configuration Settings Disabled from the drop down list. This will ensure that the logon times are kept brief for users.
  5. Close the Group Policy Management Console.
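
The same five steps can be scripted, which also gives you a quick check of who really holds edit rights on the policy. This is an added example, not part of the original post: it assumes the GroupPolicy PowerShell module (shipped with GPMC on Server 2008 R2 and later), and the OU path is a hypothetical placeholder.

```powershell
# Added example. Requires the GroupPolicy module (GPMC / RSAT, Server 2008 R2 or later).
Import-Module GroupPolicy

$GpoName  = 'ManageFavourites'              # policy name used in the steps above
$Managers = 'FavouriteManagers'             # security group created in "Getting Started"
$TargetOu = 'OU=Staff,DC=example,DC=local'  # hypothetical OU holding the user accounts

# Steps 1-2: create the GPO and link it to the OU.
$gpo = New-GPO -Name $GpoName -Comment 'Shared Internet Explorer favourites'
New-GPLink -Name $GpoName -Target $TargetOu | Out-Null

# Step 3: give the managers group edit access (the Delegation tab).
Set-GPPermission -Name $GpoName -TargetName $Managers -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# Step 4: disable the computer half of the policy (the Details tab).
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# Check: list every trustee that can change this GPO, not just the group added above.
function Get-GpoEditors {
    param([Parameter(Mandatory = $true)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -match '^GpoEdit' } |   # GpoEdit and GpoEditDeleteModifySecurity
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      @{ n = 'Type';    e = { $_.Trustee.SidType } },
                      Permission
}

Get-GpoEditors -Name $GpoName | Format-Table -AutoSize
```

Edit access applies to the whole GPO, not only to the favourites, so the trustee list printed at the end is the set of accounts that can change user policy for that OU.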

Create the Change Favourites

  1. Open a new Microsoft Management Console (Start > Run > type mmc > click OK)
  2. Click File > Add/Remove Snap-in
  3. Click Add…
  4. Click Group Policy Object Editor and click Add
  5. Click Browse, then All, double-click on the ManageFavourites policy.
  6. Click Finish. Click Close.
  7. Click on the Extensions tab and select Group Policy Object Editor from the dropdown list.
  8. Untick the Add all extensions checkbox. Then deselect all but the Internet Explorer
  9. Click OK.
  10. Expand the tree to User Configuration > Windows Settings > Internet Explorer Maintenance.
  11. Right-click on URLs and select New Window from Here
  12. Close the Console Root window so that only the URL window is visible.
  13. Click File > Options
  14. Give the console a title, I have called mine Favourite-o-matic. Under Console Mode, select User mode – limited access, single window. If you want to, you can change the icon to a more user friendly icon. I like the Windows Favourite icon from shell32.
  15. Click OK to close the options dialog.
  16. Click File > Save and save the new console to a share where all of your Favourite Managers can access it. Set up the appropriate links on the start menu / desktop and you’re all done.

Using the Console

All you now need to do is let users know how to add favourites. You can do this by double-clicking on Favourites and Links, and typing links into the tool. You can also organise the favourites into folders to make them easier to manage.

The only caveat is that when you remove a link, it will not take the link from the user’s Favourites folder. This would still have to be deleted manually. Bear this in mind when you go nuts with all of your new favourite links.

Office 2007 Deployment Computer Startup Scripts

Friday, May 25th, 2007

Now that MS Office 2007 is doing the rounds, I suppose it’s time to look at some of its shortcomings.

It has a few when it comes to deployment. The biggest nuisance being deployment.

You have four options:

  • Install it on a PC manually (not great)
  • Deploy through group policy with no customisations
  • Use a deployment system such as SMS
  • Use a computer startup script

You may as well just say “no” to the first one. Anything more than a handful of PCs and you have a tedious task.

Group Policy has always been my method of choice. Most of my clients have less than 100 PCs, so Group Policy deployment is ideal. But as pointed out in the list, you cannot customise the installation with any defaults.

SMS is out. It’s not worth explaining to clients why it’s a good idea to buy software that makes my life easier. Even though the effort and management might simplify things somewhat.

So we’re stuck with computer startup scripts. Another method I hate - but if you want to control Office Deployments, then this is the way to do it. Thankfully, Aaron Parker has posted some startup scripts to help with this using the MSP method.

If you are using a network with WSUS, then updates become a non-issue, and I think that the only time you need to redeploy is if you decide to change the application packages that you want. At which point, you could check that executables of the programs exist or record your own registry entries that you can check for.

It’s not a great method (I’ve managed to avoid having to use ANY computer startup scripts in 2000-based networks) - but there’s no reason why it shouldn’t work. Especially if you make sure to use the quiet options in the Setup /admin tool.

Office, eh?
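
A startup script built around those two checks (the program executable and your own registry entry) could look like the following. This is an added example, not one of the scripts referred to in the post: the share, MSP file name, marker key and package tag are hypothetical placeholders, it assumes clients that can run PowerShell startup scripts, and it assumes a deployment share that only administrators can write to, since startup scripts run as LocalSystem.

```powershell
# Added example: install Office 2007 at computer startup only when it is needed.
# Every path, the marker key and the package tag below are hypothetical placeholders.
$Share      = '\\fileserver\Office2007'              # deployment share, read-only for normal users
$SetupExe   = Join-Path $Share 'setup.exe'
$AdminFile  = Join-Path $Share 'Custom\office.msp'   # customisation file made with "setup.exe /admin"
$PackageTag = 'office2007-v1'                        # change this when the package selection changes
$MarkerKey  = 'HKLM:\SOFTWARE\ExampleCorp\Deploy'    # "your own registry entry"
$MarkerName = 'Office2007'
# Assumed install path on a 32-bit OS; adjust for Program Files (x86) on 64-bit.
$ExeToCheck = Join-Path $env:ProgramFiles 'Microsoft Office\Office12\WINWORD.EXE'

function Test-OfficeDeployed {
    # Deployed means: the marker matches the current tag AND the executable exists.
    $entry = Get-ItemProperty -Path $MarkerKey -Name $MarkerName -ErrorAction SilentlyContinue
    return ($entry.$MarkerName -eq $PackageTag) -and (Test-Path -LiteralPath $ExeToCheck)
}

if (Test-OfficeDeployed) { exit 0 }   # nothing to do, keep startup fast

if (-not (Test-Path -LiteralPath $SetupExe) -or -not (Test-Path -LiteralPath $AdminFile)) {
    Write-Error "Deployment share not reachable: $Share"
    exit 1
}

# The display level chosen in the setup /admin tool (saved in the MSP) keeps setup quiet.
$proc = Start-Process -FilePath $SetupExe -ArgumentList "/adminfile `"$AdminFile`"" -Wait -PassThru

# 0 and 3010 (restart required) are treated as success here; only then write the marker.
if (@(0, 3010) -contains $proc.ExitCode) {
    if (-not (Test-Path $MarkerKey)) { New-Item -Path $MarkerKey -Force | Out-Null }
    Set-ItemProperty -Path $MarkerKey -Name $MarkerName -Value $PackageTag
    exit 0
}

Write-Error "Office setup failed with exit code $($proc.ExitCode)"
exit $proc.ExitCode
```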

Adding and Managing Default Search Providers in IE7 With Group Policy

Friday, April 20th, 2007

Microsoft have posted a KB article to manually create ADM and ADMX files which will allow you to manage the search providers in Internet Explorer 7’s Search Box.

This can be very useful for admins who only want certain sites to be searchable across their domain (such as an intranet!)

IE7 Group Policy Settings

Monday, April 16th, 2007

After deploying Internet Explorer 7 around your site through a service such as WSUS, there are immediate considerations that have to be dealt with. The main one is configuring settings for IE7.

It is possible to download the Internet Explorer Administration Toolkit (IEAK), but when dealing with IE7 that has been installed on computers automatically - that’s not what you want to hear.

After installing IE7 on one of our servers, I went to the group policy to see if there were any new settings. As such, the important ones didn’t seem to exist:

  • Configure the phishing filter
  • Disable the ‘First run’ Page

Obviously, there are a number of settings that administrators would want to take control of.

Thankfully, there are two ways of getting these settings in group policy. The first is to simply install Windows Vista as a workstation and use the Group Policy Management Console (GPMC.MSC) which is bundled with Vista. This has all of the IE settings.

If you don’t have a Vista system, you can download an up-to-date MSI of the Administrative Templates for Internet Explorer 7 for Windows. This will install the inetres.adm file in the specified folder.

To apply it to the machine you are working on (pre-Vista, of course), copy the ADM file to %systemroot%\inf. Run gpedit.msc and navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer.

Some of the useful settings are:

  • Prevent Performance of First Run Customized settings to disable the first run page
  • Turn off Managing Phishing filter to enable the phishing filter and configure its actions
  • Turn on the menu bar by default to stop people asking you where the menu bar is
  • Prevent Participation in the Customer Experience Improvement Program, another default from the first run page
  • Moving the menu bar above the navigation bar to put the menu bar in its proper place, above the address bar

Using the group policy configuration is a much more practical way of configuring IE7 than the registry hacks that I’ve seen floating around where people are struggling to find the group policy settings for IE7.

They are there! Honest!

Group Policy Fix

Wednesday, December 21st, 2005

Sometimes, there’s usually a dodgy network card that doesn’t seem to want to work too nicely in Windows XP on a domain.

The typical situation is that Group Policy fails to load when logging on or starting up. This can cause a lot of grief, and I usually find that this registry key does the trick:

http://support.microsoft.com/kb/239924/en-us

Once applied, the network card may take a while (about 10 seconds) to prepare network connections. If this is the case, then you should find that the system is now working properly. Horah!