Archive for Group Policy

Apply Windows Visual Effects Automatically

In this post we will discuss the Windows visual effects under the performance settings and how to apply them automatically. Windows performance settings allow you to tweak the visual aspect of your desktop to either improve it visually or speed up its performance. If you aren't aware of these options, right-click Computer and select Properties, click Advanced Setting, then under the Performance section select the Settings button as shown below.

Q1. Why would you want to change these settings?

A1. In my case I use these settings to increase the performance of a VDI session over high-latency Internet links. Disabling these options reduces how much is refreshed on the screen when receiving a PCoIP connection from VDI remotely.

Q2. Why would you want to automatically set these options?

A2. As mentioned, VDI is my main use for these options, and unfortunately you cannot predefine these options on a per-desktop basis. These options are reflected on a per-user basis, meaning if I log in to a machine and turn off all visual effects options then log out, the next person that logs in will also have to set these options, as they are defined in the user's local profile. Unfortunately, redirected profiles do not carry these options.

As with a VDI environment you cannot expect every user that logs on to modify their own settings for best performance, I needed a way to automate this. To do so I created two registry files that apply the correct settings on logon and logoff. Sadly, not all options apply from a single execution of the script.

The way I managed to do this was by creating a batch script to pull the registry files from a file share and apply them through a login script assigned in Group Policy. Simple but effective.

 

Registry files: Download Here

Windows Registry Editor Version 5.00

; 3 = Custom, so the individual settings below are used
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects]
"VisualFXSetting"=dword:00000003

; Effects bitmask, plus full-window drag and font smoothing turned off
[HKEY_CURRENT_USER\Control Panel\Desktop]
"UserPreferencesMask"=hex:90,12,01,80,10,00,00,00
"DragFullWindows"="0"
"FontSmoothing"="0"

; Minimize/maximize window animation turned off
[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
"MinAnimate"="0"

; Deletes the NoDispCPL policy value; writing under HKEY_LOCAL_MACHINE requires administrative rights
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispCPL"=-

 

Batch script: Download Here

REGEDIT.EXE /S \\yourfileserver\share\VisualFX.reg

 

How to apply: Once you have your batch script and registry file, place them on a file share where all users have at least read access. Enter Group Policy Manager for your domain and create a new GPO. Edit the GPO and navigate to the following:

User Configuration > Windows Settings > Scripts (Logon/Logoff). Double-click this item and click Add, then enter the path to the batch script including its extension. See below for more detail.

I would recommend adding this as both a logon and logoff script to minimise the number of logins a user has to perform. With both logon and logoff set, a single login / logout will fully apply the changes.
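Because the GPO runs this batch file for every user who logs on, it is worth confirming that ordinary users can read but not modify the script and the .reg file on the share. The following PowerShell check is an added example, not part of the original post; the file name VisualFX.bat and the list of trusted principals are assumptions to adjust for your domain.

```powershell
# Added example: list principals outside $Trusted that can modify the logon script files.
# Paths reuse the placeholder share from the post; VisualFX.bat is a hypothetical name.
$Files   = '\\yourfileserver\share\VisualFX.reg',
           '\\yourfileserver\share\VisualFX.bat'
$Trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'   # assumption: extend as needed

# Access bits that allow changing content, replacing the file or rewriting its ACL:
# WriteData/CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete,
# ChangePermissions, TakeOwnership, GENERIC_WRITE, GENERIC_ALL.
$WriteMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor
             0x40000000 -bor 0x10000000

function Get-RiskyAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # The owner can always rewrite the ACL, so an untrusted owner is a finding too.
    if ($Trusted -notcontains $acl.Owner) {
        [pscustomobject]@{ Path = $Path; Identity = $acl.Owner; Rights = 'Owner' }
    }
    foreach ($ace in $acl.Access) {
        # Skip Deny entries and entries that only apply to child objects (InheritOnly = 2).
        $inheritOnly = ([int]$ace.PropagationFlags -band 2) -ne 0
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Check each file and its parent folder: write access to the folder allows replacing the file.
$targets  = @($Files) + @($Files | Split-Path -Parent) | Select-Object -Unique
$findings = foreach ($t in $targets) { Get-RiskyAce -Path $t }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Principals outside the trusted list can modify the logon script files.'
} else {
    'Only trusted principals can modify the logon script files.'
}
```

Get-Acl reads NTFS permissions only; share-level permissions on the file server are set separately and should also be limited to read for users.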

Thanks for reading and remember to look out for future posts on performance tweaking.

 

Desktop Lockdown for Windows

There are a couple of different ways of locking down the desktop on a Windows operating system, but the one this guide will focus on is permission-based enforcement via a GPO. With help from the image below, the following steps will help you achieve this lockdown method:

1. Create a new GPO and link it to an OU that the client computers are contained in.

2. Edit the GPO and go to Computer Configuration > Windows Settings > Security Settings, then on File System right-click and select New.

3. Within the file path enter %UserProfile%\Desktop; this will automatically resolve the user's profile name, saving you from adding each user's profile path manually.

4. Press OK, remove all security groups and users from the permissions menu, and add the user security group or names you want this restriction to apply to. Set the permissions for the group or user to Read access only, and also add an administrative group with Full Control.

5. Within the Security Policy Settings window, select the option for Replace existing permissions on all subfolders, then click OK. The policy is now configured.

6. Return to the Group Policy Management Console and set the security settings of the policy to either Authenticated Users or define the security group you want this policy to apply to.