Add the Administrators security group to roaming user profiles

This policy setting adds the Administrators security group to the roaming user profile share. Once an administrator has configured a user’s roaming profile, the profile is created at the user’s next logon, at the location specified by the administrator. For the Windows XP Professional and Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control or read and write access for the user and no file access for the Administrators group. By configuring this policy setting you can alter this behavior.

If you enable this policy setting, the Administrators group is also given full control of the user’s profile folder. If you disable or do not configure this policy setting, only the user is given full control of their user profile, and the Administrators group has no file system access to this folder.

Note: If the policy setting is enabled after the profile is created, it has no effect.

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.

Note: In the default case administrators have no file access to the user’s profile, but they may still take ownership of this folder to grant themselves file permissions.

Note: The behavior when this policy setting is enabled is exactly the same as in Windows NT 4.0.

Do not check for user ownership of Roaming Profile Folders

This policy setting disables the more secure default setting for the user’s roaming user profile folder. After an administrator has configured a user’s roaming profile, the profile is created at the user’s next logon, at the location specified by the administrator. For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1 operating systems, the default file permissions for the newly generated profile are full control access for the user and no file access for the Administrators group; no checks are made for the correct permissions if the profile folder already exists. For the Windows Server 2003 family, Windows 2000 Professional SP4 and Windows XP SP1, the default behavior is to check the folder for the correct permissions if the profile folder already exists, and not to copy files to or from the roaming folder if the permissions are not correct. By configuring this policy setting you can alter this behavior.

If you enable this policy setting, Windows will not check the permissions for the folder in the case where the folder exists. If you disable or do not configure this policy setting AND the roaming profile folder exists AND neither the user nor the Administrators group is the owner of the folder, Windows will not copy files to or from the roaming folder. The user will be shown an error message and an entry will be written to the event log. The user’s cached profile will be used, or a temporary profile issued if no cached profile exists.

Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time.

Note: The behavior when this policy setting is enabled is exactly the same as in Windows 2000 Professional pre-SP4 and Windows XP Professional.
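As an added example (not part of the policy text), the following PowerShell audit walks a roaming profile share and reports folders whose owner is neither the user nor the Administrators group, i.e. the folders the default ownership check would refuse to synchronize at logon. It assumes each folder is named after the account, optionally with a .V2 to .V6 version suffix, and that the NetBIOS domain name is passed in by the caller.

```powershell
# Added example, not part of the policy text. Audits a roaming profile share for the
# ownership condition described above: with the policy disabled or not configured,
# Windows will not copy to or from a profile folder whose owner is neither the user
# nor the Administrators group. Assumptions: folder names are the account name with
# an optional .V2 ... .V6 version suffix, and $Domain is the NetBIOS domain name.
function Get-RoamingProfileOwnershipReport {
    param(
        [Parameter(Mandatory)] [string] $ProfileShare,   # e.g. \\fileserver\Profiles$
        [Parameter(Mandatory)] [string] $Domain          # e.g. CORP
    )

    foreach ($dir in Get-ChildItem -Path $ProfileShare -Directory) {
        # Strip the profile version suffix to recover the account name.
        $user  = $dir.Name -replace '\.V\d+$', ''
        $owner = (Get-Acl -Path $dir.FullName).Owner

        # Owners Windows accepts for this folder (comparison is case-insensitive).
        $allowed = @("$Domain\$user", 'BUILTIN\Administrators')
        $status  = 'OK'
        if (-not ($allowed -contains $owner)) { $status = 'OwnershipCheckWouldFail' }

        [pscustomobject]@{
            Folder = $dir.FullName
            Owner  = $owner
            Status = $status
        }
    }
}

# Usage: list only the folders that would be rejected at logon.
Get-RoamingProfileOwnershipReport -ProfileShare '\\fileserver\Profiles$' -Domain 'CORP' |
    Where-Object Status -ne 'OK' |
    Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the share; a folder flagged here is one whose user will get the error message and cached or temporary profile the policy text describes.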

Delete cached copies of roaming profiles

This policy setting determines whether Windows keeps a copy of a user’s roaming profile on the local computer’s hard drive when the user logs off. Roaming profiles reside on a network server. By default, when users with roaming profiles log off, the system also saves a copy of their roaming profile on the hard drive of the computer they are using, in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load.

If you enable this policy setting, any local copies of the user’s roaming profile are deleted when the user logs off. The roaming profile still remains on the network server that stores it. If you disable or do not configure this policy setting, Windows keeps a copy of a user’s roaming profile on the local computer’s hard drive when the user logs off.

Important: Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link, the system requires a local copy of the user’s roaming profile.

Disable detection of slow network connections

This policy setting disables the detection of slow network connections. Slow link detection measures the speed of the connection between a user’s computer and the remote server that stores the roaming user profile. When the system detects a slow link the related policy settings in this folder tell the computer how to respond. If you enable this policy setting the system does not detect slow connections or recognize any connections as being slow. As a result the system does not respond to slow connections to user profiles and it ignores the policy settings that tell the system how to respond to a slow connection. If you disable this policy setting or do not configure it slow link detection is enabled. The system measures the speed of the connection between the user’s computer and profile server. If the connection is slow (as defined by the “Slow network connection timeout for user profiles” policy setting) the system applies the other policy settings set in this folder to determine how to proceed. By default when the connection is slow the system loads the local copy of the user profile.

Prompt user when a slow network connection is detected

This policy setting provides users with the ability to download their roaming profile even when a slow network connection to their roaming profile server is detected. If you enable this policy setting, users are allowed to decide whether they want their roaming profile to be downloaded when a slow link to their roaming profile server is detected. In operating systems earlier than Microsoft Windows Vista, a dialog box is shown to the user during logon if a slow network connection is detected; the user can then choose to download the remote copy of the user profile. In Microsoft Windows Vista, a check box appears on the logon screen, and the user must choose whether to download the remote user profile before Windows detects the network connection speed.

If you disable or do not configure this policy setting, the system does not consult the user. Instead, the system uses the local copy of the user profile. If you have enabled the “Wait for remote user profile” policy setting, the system downloads the remote copy of the user profile without consulting the user. In Microsoft Windows Vista, the system will ignore the user choice made on the logon screen.

Note: This policy setting and related policy settings in this folder define the system’s response when roaming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier than Microsoft Windows Vista, use the “Timeout for dialog boxes” policy setting.

Important: If the “Do not detect slow network connections” setting is enabled, this policy setting is ignored. Also, if the “Delete cached copies of roaming profiles” policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection.

Leave Windows Installer and Group Policy Software Installation Data

This policy setting determines whether the system retains a roaming user’s Windows Installer and Group Policy based software installation data when their profile is deleted. By default, Windows deletes all information related to a roaming user (which includes the user’s settings data, Windows Installer related data and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon, increasing logon time. You can use this policy setting to change this behavior.

If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data, when those profiles are deleted.

Note: If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users’ profiles on the machine.

Ignore the local list of blocked TPM commands

This policy setting allows you to enforce or ignore the computer’s local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer’s local list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list. The local list of blocked TPM commands is configured outside of Group Policy by running “tpm.msc” or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list in addition to commands in the Group Policy and default lists of blocked TPM commands.

Standard User Lockout Duration

This policy setting allows you to manage the duration, in minutes, for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode, because it slows the rate at which standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this duration are ignored.

For each standard user two thresholds apply; exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM.

The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users, including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures, depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so that enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM’s hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM’s hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately.

If this value is not configured, a default value of 480 minutes (8 hours) is used.
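The two-threshold, sliding-window accounting described above is easy to misread (the total threshold can block a user who is well under their individual limit). The following PowerShell function is an added example, not code from Windows or the policy, that models exactly that accounting over a constructed failure log; the threshold values are assumed inputs and the 480-minute default comes from the policy text. The TPM’s own hardware lockout is a separate mechanism and is not modelled.

```powershell
# Added example, not part of the policy text. Models the standard-user
# authorization-failure accounting described above: failures older than the
# duration are ignored, and a user is blocked once the individual threshold
# or the total threshold is reached. Thresholds are assumed inputs; the
# 480-minute default duration is the one stated in the policy text.
function Get-StandardUserTpmAuthState {
    param(
        [Parameter(Mandatory)] [object[]] $Failures,          # objects with User and Time
        [Parameter(Mandatory)] [int]      $IndividualThreshold,
        [Parameter(Mandatory)] [int]      $TotalThreshold,
        [int]      $DurationMinutes = 480,
        [datetime] $Now = (Get-Date)
    )
    $windowStart = $Now.AddMinutes(-$DurationMinutes)
    # Only failures inside the duration window count.
    $recent = @($Failures | Where-Object { $_.Time -ge $windowStart })
    $total  = $recent.Count

    foreach ($g in ($recent | Group-Object -Property User)) {
        [pscustomobject]@{
            User           = $g.Name
            RecentFailures = $g.Count
            TotalRecent    = $total
            Blocked        = ($g.Count -ge $IndividualThreshold) -or ($total -ge $TotalThreshold)
        }
    }
}

# Constructed sample log: alice has one stale failure and three recent ones,
# bob has two recent ones. With thresholds 4 (individual) and 5 (total),
# neither user reaches the individual limit, but the total of 5 blocks both.
$t = Get-Date
$log = @(
    [pscustomobject]@{ User = 'alice'; Time = $t.AddMinutes(-600) }   # outside the 8h window
    [pscustomobject]@{ User = 'alice'; Time = $t.AddMinutes(-90) }
    [pscustomobject]@{ User = 'alice'; Time = $t.AddMinutes(-60) }
    [pscustomobject]@{ User = 'alice'; Time = $t.AddMinutes(-30) }
    [pscustomobject]@{ User = 'bob';   Time = $t.AddMinutes(-20) }
    [pscustomobject]@{ User = 'bob';   Time = $t.AddMinutes(-10) }
)
Get-StandardUserTpmAuthState -Failures $log -IndividualThreshold 4 -TotalThreshold 5 -Now $t |
    Format-Table -AutoSize
```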

Turn off Tablet PC touch input

Turns off touch input, which allows the user to interact with their computer using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. If you disable this setting, the user can produce input with touch by using gestures, the touch pointer, and other touch-specific features. If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off.

Turn off Touch Panning

Turns off touch panning, which allows users to pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. If you enable this setting, the user will not be able to pan windows by touch. If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. Note: Changes to this setting will not take effect until the user logs off.