Administration, Group Policy Objects, Group Policy Preferences, Uncategorized

Finding that GPO Setting

Even needed to find one group policy setting but couldn’t remember where it was? Have a look at the Group Policy Administrative Templates Catalog. Search everything from Microsoft, Citrix, Adobe and Chrome.

https://getadmx.com/

Advertisements
GPMC, Group Policy Objects, Group Policy Preferences, Registry, Windows 10

How to: Enable Windows 10 Biometrics (Facial and Fingerprint) Logon

Enable all of these policies and set the registry key to enable the Windows 10 facial and fingerprint logon feature.

Group Policy settings:

Computer Configuration\Administrative Templates\System\Logon

  • Turn on convenience PIN sign-in (Enabled)

Computer Configuration\Administrative Templates\Biometrics

  • Allow the use of biometrics (Enabled)
  • Allow users to log on using biometrics (Enabled)
  • Allow domain users to log on using biometrics (Enabled)

Computer Configuration\Administrative Templates\Biometrics\Facial Features

  • Use enhanced anti-spoofing when available (Disabled)

Computer Configuration\Administrative Templates\Windows Hello for Business

  • Use a hardware security device (Enable)
  • Use biometrics (Enabled)

Group Policy Preference settings:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
“AllowDomainPINLogon”=dword:00000001

 

Administration, Group Policy Preferences, Registry

Modify Performance Options and Visual Effects via Registry

Had a situation where I needed to modify the Visual Effects, under Performance Options, for a customer.

Create a Registry Item in Group Policy Preference under the User Configuration.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\VisualEffects

You have a number of options for the data value:

VisualFXSetting=dword:00000000 = Let Windows choose what’s best

VisualFXSetting=dword:00000001 = Adjust for best apperance

VisualFXSetting=dword:00000002 = Adjust for best performance

VisualFXSetting=dword:00000003 = Custom

Add the Apply once option and the end user can modify as required.

Administration, Group Policy Objects, Group Policy Preferences, Internet Explorer, Microsoft

Missing Internet Explorer Maintenance settings for Internet Explorer 11

Internet Explorer Maintenance settings have been deprecated in favour of Group Policy Preferences, Administrative Templates and the IE Administration Kit 11.

Because of this change, Internet Explorer Maintenance configured settings will no longer work on computers running Internet Explorer 10 or newer.

Have a look at these Microsoft article for more details:

Solutions:

Active Directory, Group Policy Objects, Group Policy Preferences, Windows 10

Windows 10 Group Policy Settings

Microsoft has released the latest Windows 10 Group Policy settings. As usual there is a handy spreadsheet with all the settings, plus new filtering capabilities that make find the new polices easier.

Download the spreadsheet: http://www.microsoft.com/en-us/download/details.aspx?id=25250

Get all the templates from any Windows 10 machine. They are located in the C:\Windows\PolicyDefinitions folder. Then copy them into your domain central store (C:\Windows\SYSVOL\sysvol\{domain}\Policies\PolicyDefinitions).

Active Directory, Administration, Group Policy Objects, Group Policy Preferences

Enabling Group Policy Logging and Tracing

Need to debug what is happening with your group policy preferences? Then enable the logging and tracing setting under:

Computer Configuration\Policies\Administrative Templates\System\Group Policy

Enable one or more of the preference client-side extensions.

Reboot the machine and logon.

The logs will be written to:

  • User trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log
  • Computer trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log
  • Planning trace %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Planning.log

 

Administration, GPMC, Group Policy Objects, Group Policy Preferences

Group Policy Refresh Interval

Administrative Templates\System\Group Policy

By default, computer and user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes. In addition to background updates,

Group Policy for the computer is always updated when the system starts.

Group Policy for users is always updated when they log on.

You can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users’ work and increase network traffic, very short update intervals are not appropriate for most installations.

If the Disable background refresh of Group Policy policy is enabled, this policy is ignored.

Active Directory, GPMC, Group Policy Objects, Group Policy Preferences

Importing Multiple GPOs into a Domain

Importing Multiple GPOs into a Domain

The ImportAllGPOs.wsf sample creates new GPOs in a specified domain and imports settings into these new GPOs from a specified backup location. The script creates a new GPO and imports settings for the latest version of each backed-up GPO in the backup location. The names of the GPOs that were backed up are used for the new GPOs. The new GPOs are derived from a previous GPO backup. Therefore, if the previous GPOs still exist in the domain, they will be overwritten by the new GPOs. Any GPO settings that have been changed since the backup will be lost.

Usage:  ImportAllGPOs.wsf <BackupLocation> [/MigrationTable:<FilePath>] [Domain:<DNSDomainName>]
Example:  ImportAllGPOs.wsf f:\backup /MigrationTable:f:\Table1.xml

CScript.exe ImportAllGPOs.wsf G:\Temp\Prod /MigrationTable:G:\Prod.xml