A blog with focus on experiences with the Windows Client operating systems…

  • HOW TO: Handle user group policy settings in multiple OS environments

    Posted on December 22nd, 2011 By Andreas Stenhall + 1 comment

    This is a very common question and one that I would say all companies migrating to Windows 7 have experienced. The scenario is: how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7, or in the future also introduce Windows 8?

    First, I strongly recommend that you do not reuse the Windows XP user configuration for Windows 7. Group policies tend to grow over time, and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimizes the risk of problems and makes the configuration slicker and easier to manage in the long run.

    But how do we make sure that users get one configuration when they log in to, for instance, Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options, including pros and cons, followed by recommendations from the field.

    1. Security group filtering

    • Pros:
      – Requires no change in OU structure/move of users.
    • Cons:
      – Requires a lot of management and makes it hard to administer.

    2. Separate users into a new and old OU

    • Pros:
      – Easy to do if you have very few users and no dependencies on other services or applications.
    • Cons:
      – Not a manageable solution in an environment with many users.
      – There are often apps or services that rely on the users being in a certain OU, which makes it hard to move users without affecting other services.

    3. WMI filters

    • Pros:
      – Keeps the users in the OU they are in today, without affecting other services or apps that rely on users being in a certain OU.
      – A long-term investment that makes it easy to introduce new operating system versions.
      – Quick determination (WMI is often known to be really slow, but this particular query is not performance intensive).
    • Cons:
      – Requires changes to the existing environment, for instance the Windows XP user configuration.
      – Group policies may not be applied if there are problems with the WMI repository or related services.

    4. Loopback processing

    • Pros:
      – Keeps the users in the OU they are in today, without affecting other services or apps that rely on users being in a certain OU.
      – Very reliable solution.
    • Cons:
      – If Replace mode is not used, you need to handle the current configuration.
      – Might become a mess to troubleshoot and maintain if naming and configuration are not done consistently and clearly.

    Recommendations from the field

    In my professional opinion, the only real alternatives are WMI filters and loopback processing. Sometimes I recommend WMI filters for separating user settings depending on which operating system users are logging in to, and sometimes I recommend loopback processing; it depends on the environment and the needs of the customer. Many times moving the user accounts around is not an alternative, but consider it a very good alternative if it is possible to accomplish.

    How do I implement it in my environment?

    1. WMI filters

    In the Group Policy console you create multiple WMI filters, for instance one for Windows XP and one for Windows 7. You then link each WMI filter to the GPO containing the user settings for the corresponding operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this does not noticeably affect performance.

    Windows XP (32-bit Windows XP reports version 5.1; version 5.2 is Windows XP Professional x64 Edition):

    SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType = "1"

    Windows 7:

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"

    Windows 8:

    SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"

    Basically the version is the OS version as we know it, and ProductType = 1 means that it is a client operating system.

    So you will end up with, for instance, one GPO named “User Configuration – Windows 7”, which has the WMI filter for Windows 7 machines set, and one GPO named “User Configuration – Windows XP”, which has the WMI filter for Windows XP set.
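    To follow the advice to test before linking the filters, the queries can be evaluated directly on a client, since a WMI filter is true when its query returns at least one instance. This is an added example, not part of the original post; it assumes Windows PowerShell 2.0 or later, and the XP query also matches version 5.1 (32-bit Windows XP).

```powershell
# Added example: evaluate the article's WMI filter queries on the local machine.
# A GPO WMI filter is TRUE when the query returns at least one instance.
$filters = @(
    @{ Name  = 'Windows XP'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE (Version LIKE "5.1%" OR Version LIKE "5.2%") AND ProductType = "1"' },
    @{ Name  = 'Windows 7'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"' },
    @{ Name  = 'Windows 8'
       Query = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType = "1"' }
)

# Show the values the filters are compared against.
$os = Get-WmiObject -Class Win32_OperatingSystem
"Local OS: {0} (Version {1}, ProductType {2})" -f $os.Caption, $os.Version, $os.ProductType

$results = foreach ($f in $filters) {
    try {
        # GPO WMI filters run against root\CIMv2 unless another namespace is chosen.
        $hit = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $f.Query -ErrorAction Stop)
        if ($hit.Count -gt 0) { $state = 'TRUE  (GPO applies)' }
        else                  { $state = 'FALSE (GPO skipped)' }
    } catch {
        # A damaged WMI repository or stopped WMI service lands here;
        # in that case the filtered GPO is not applied to this machine.
        $state = "ERROR: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ Filter = $f.Name; Result = $state }
}
$results | Format-Table Filter, Result -AutoSize

# On a client, exactly one filter should match; anything else means a user
# would get no OS-specific user GPO, or more than one.
$matched = @($results | Where-Object { $_.Result -like 'TRUE*' })
if ($matched.Count -ne 1) {
    Write-Warning "$($matched.Count) filters matched; expected exactly 1 on a client OS."
}
```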

    2. Loopback processing

    A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.

    You then create GPOs in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPOs, I would say that you should, in a Computer configuration policy in that same OU, set this setting for the user settings to be applied when users log into Windows 7 machines:

    Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.

    Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.
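    A quick check that loopback processing actually reached a client, as an added example that is not part of the original post. It assumes a domain-joined Windows 7 machine and reads the policy value UserPolicyMode (1 = Merge, 2 = Replace) that the loopback setting writes to the registry.

```powershell
# Added example: verify loopback processing on a client in the Windows 7 OU.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode

if     ($mode -eq 2) { $text = 'Replace' }
elseif ($mode -eq 1) { $text = 'Merge' }
else                 { $text = 'Not configured (loopback is off)' }
"Loopback processing mode: $text"

if ($mode -eq 1) {
    # In Merge mode the user's own GPOs are applied as well, so old
    # Windows XP user settings can still reach this machine.
    Write-Warning 'Merge mode: GPOs linked to the user OU are applied too.'
}

# Loopback depends on where the COMPUTER account lives, so show its OU.
try {
    $searcher = New-Object DirectoryServices.DirectorySearcher(
        "(&(objectCategory=computer)(name=$env:COMPUTERNAME))")
    $dn = $searcher.FindOne().Properties['distinguishedname'][0]
} catch {
    $dn = 'unavailable (not domain joined or no domain controller reachable)'
}
"Computer account: $dn"

# List the user GPOs that were actually applied for the logged-on user.
gpresult /scope user /r
```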

  • Beware of saved credentials

    Posted on February 2nd, 2010 By Andreas Stenhall + No comments

    Saved credentials can be a good thing, but many times they are not. Over the last couple of weeks I have become involved in a couple of cases where saved credentials, in everything from Windows XP to Windows 7, have been the cause of strange problems, primarily when accessing file servers.

    The problems have been with accessing mapped network drives or browsing file servers, with various error messages. Even though Windows 7 sports the “new” credential manager, this feature has been there even in Windows XP. This means that you can add credentials for servers so that you won’t have to provide them when accessing resources on the network.

    The cause of the problem is, for instance, when a user changes his or her password and the saved credential becomes obsolete, causing the user to have serious problems authenticating to the network resources.

    The settings for these saved credentials are as follows:

    Windows XP: Start “User Accounts” control panel, choose an account and then go to “Manage my network passwords”.
    Windows Vista: Start “User Accounts” control panel, choose an account and then go to “Manage your network passwords”.
    Windows 7: Search for and start the “Credential Manager” control panel.

    Solve the problems accessing network resources by deleting the saved credentials once and for all!
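    The same cleanup can be done from the command line with cmdkey.exe, which ships with Windows Vista and later. This is an added example, not part of the original post; the server name is a hypothetical placeholder and the parsing assumes English cmdkey output.

```powershell
# Added example: find and optionally remove saved credentials for one server.
$server = 'fileserver01'   # hypothetical name; use the server users cannot reach
$remove = $false           # set to $true to delete, after reviewing the list

# "cmdkey /list" prints one "Target: ..." line per saved credential.
$targets = foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') { $Matches[1].Trim() }
}

$stale = @($targets | Where-Object { $_ -like "*$server*" })
if ($stale.Count -eq 0) {
    "No saved credentials found for $server."
}

foreach ($t in $stale) {
    if ($remove) {
        "Removing saved credential: $t"
        cmdkey "/delete:$t"
    } else {
        "Found saved credential: $t"
    }
}
```

    Saved credentials are stored per user, so this has to run in the affected user's own session.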

  • New Remote Desktop Client 7.0 for Windows XP and Vista

    Posted on October 29th, 2009 By Andreas Stenhall + 1 comment

    Windows 7 already contains RDC version 7.0, but now Microsoft has released the 7.0 client for Windows XP and Windows Vista. Some of the benefits of using RDC 7.0 when connecting from Windows XP or Windows Vista are:

    • Windows Media Player Redirection. This feature lets you play even an HD file on the remote machine without any lag, as the video and audio are processed on the local machine.
    • True multi monitor support!
    • Performance improvements. This alone is a good reason to use the latest RDC 7.0 client.
    • Many more new features and improvements, read more at RDS blog.

    Note that the above features only work when you connect from Windows XP or Windows Vista with RDC 7.0 to a Windows 7 or Windows Server 2008 R2 machine.

     Download and more information at http://support.microsoft.com/kb/969084

  • Add users to local groups on the Windows clients easily

    Posted on May 27th, 2009 By Andreas Stenhall + No comments

    If you want to add domain users or groups to a local group on a Windows client machine automatically, this can be done using group policies. One reason could be to easily add groups or users to the local group Remote Desktop Users to allow them to log on via RDP. To control which users or groups you want to add, create a new GPO in the domain and go to Computer configuration > (Policies) > Windows settings > Security settings > Restricted groups.

    Once there, choose to add a group, in my example the “Remote Desktop Users” group, and then add the user or group you want to be a member of it on the local machines to which that particular group policy object applies. More information about restricted groups can be found at http://support.microsoft.com/?id=810076

  • Control compatibility settings in IE8 using GPOs

    Posted on May 23rd, 2009 By Andreas Stenhall + 1 comment

    As Internet Explorer 8 renders web pages differently from previous versions of Internet Explorer, there is a good chance that one or more web pages you or your users regularly visit are broken or not displaying properly in IE8. Fortunately there is a compatibility mode in IE8 that makes web pages render as though they were displayed in IE7. This action is normally a manual one, and the main problem here is that very few users are aware of this compatibility mode. To alleviate problems for the end users, you can control the settings and the compatibility list of web sites using group policy objects.

    Start the Group Policy manager and go to Computer configuration > Administrative templates > Windows Components > Internet Explorer > Compatibility view and there look for “Use Policy List of Internet Explorer 7 sites”. Add the URLs for the web sites that you want IE8 to always render in IE7 mode.

  • Windows XP mode for Windows 7!

    Posted on April 25th, 2009 By Andreas Stenhall + No comments

    So it seems it isn’t a secret anymore that Windows 7 will get a feature (a separate download) that, using the latest Virtual PC technologies, will make it possible to run applications in Windows XP directly integrated into the Windows 7 operating system. The feature is almost the same as MED-V, which accomplishes basically the same thing, but the “Windows XP mode” has advantages, such as being available to anyone running the Windows 7 Professional, Enterprise or Ultimate SKUs.

    With this, Microsoft can guarantee compatibility in a way no one could ever expect. This also makes the step from Windows XP to Windows 7 much easier, and now there cannot be any apps holding anyone back from upgrading the clients to Windows 7.

    More information: Winsupersite