Group Policy Quick Tips

Group Policy Quick Tip – Group Policy Refresh Interval For Computers

Posted by kyle on May 10, 2012
Group Policy Quick Tips / No Comments

If you’re using the default settings, Group Policy refreshes on computers and servers (but not Domain Controllers) every 90 minutes with a random offset of 0 to 30 minutes.  But, what if that schedule doesn’t work in your environment?  Then you change it with Group Policy!

Continue reading…


Group Policy Quick Tip – Remove Old Profiles

Posted by kyle on January 21, 2012
Group Policy Quick Tips / 2 Comments

If you support computer labs or any other environment where lots of different people log into your computers daily, you’ve probably had to deal with user profiles that need to be deleted.  The good news is that there is a setting in Group Policy that takes care of that for you.

In your GPO, go to Computer Configuration > Policies > Administrative Templates > System > User Profiles > Delete user profiles older than a specified number of days on system restart.  Click Enabled and set the number of days you want to wait before deleting old profiles.

There are two things you’ll need to keep in mind:  First off, the deletion process happens on reboot.  Assuming you’re patching regularly, this shouldn’t be a problem unless you’re dealing with a really high volume of logins and have this set to a very low number.  Second, I’ve had a few situations where the user’s profile was deleted, but the C:\Users\username folder stayed behind.  The next time the user logged into the computer, they got a new profile folder at C:\Users\username.domain.

Delete Old Profiles on Reboot Group Policy Setting

Group Policy Quick Tip – Enable Backup of the TPM Password

Posted by kyle on December 21, 2011
Group Policy Quick Tips / No Comments

If you’re using BitLocker, you need to be backing up the TPM owner password.  By default, Windows does not back up this information when you encrypt a computer with BitLocker.  Should you need to make changes to the TPM device, you’ll need this password. Continue reading…


Group Policy Quick Tip – Enable Remote Desktop Network Level Authentication

Posted by kyle on November 26, 2011
Group Policy Quick Tips / No Comments

Following our last tip, today’s Group Policy Quick Tip is about adding additional security to Remote Desktop sessions on your computers.  Normally, an RDP session is established before authentication takes place.  Enabling Network Level Authentication (NLA) allows authentication to take place before the RDP session is established.

 

Why would you want to set this policy?

  • Using NLA secures your Remote Desktop sessions by requiring that remote clients authenticate earlier.  A number of recent RDP exploits (and I’m sure future ones) were preventable if you had NLA enabled.

Where is the policy located?

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security > Require user authentication for remote connections by using Network Level Authentication

Configurable Options

  • Enabled – Only clients that support Network Level Authentication will be able to connect to RDS on the local system.
  • Disabled – Network Level Authentication is not required.

Supported Operating Systems/Software

  • Windows Vista and up

Gotchas and Other Considerations

  • Your RDP client must support the RDP 6.0 protocol.  Any Windows 7, Vista, or XP SP3 box should work.  The latest RDP client for Mac will work also.
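
To confirm the policy actually landed on a machine, the following added example (not code from the original post) reports whether NLA is required and whether that requirement comes from Group Policy or only from a local setting. The registry paths, value names and the helper function names are assumptions that do not appear in the post.

```powershell
# Added example, not from the original post. Registry locations and value names
# below are assumptions about where Windows stores these settings.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'            # written by the GPO
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' # local setting
$ServerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns the value as an int, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-NlaStatus {
    $policyNla  = Get-RegDword $PolicyKey   'UserAuthentication'
    $localNla   = Get-RegDword $ListenerKey 'UserAuthentication'
    $policyDeny = Get-RegDword $PolicyKey   'fDenyTSConnections'
    $localDeny  = Get-RegDword $ServerKey   'fDenyTSConnections'

    # A value written by Group Policy takes precedence over the local one.
    if ($null -ne $policyNla)    { $nla = $policyNla; $source = 'Group Policy' }
    elseif ($null -ne $localNla) { $nla = $localNla;  $source = 'Local setting' }
    else                         { $nla = 0;          $source = 'Not configured' }

    # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
    $deny = if ($null -ne $policyDeny) { $policyDeny }
            elseif ($null -ne $localDeny) { $localDeny }
            else { 1 }
    $rdpEnabled  = ($deny -eq 0)
    $nlaRequired = ($nla -eq 1)

    # Flag the two cases an administrator would want to follow up on.
    $finding = if ($rdpEnabled -and -not $nlaRequired) { 'RDP enabled without NLA' }
               elseif ($nlaRequired -and $source -ne 'Group Policy') { 'NLA on, but not enforced by policy' }
               else { 'OK' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        RdpEnabled   = $rdpEnabled
        NlaRequired  = $nlaRequired
        NlaSource    = $source
        Finding      = $finding
    }
}

Get-NlaStatus | Format-List
```

Run it from an elevated PowerShell prompt after `gpupdate /force` so the policy values reflect the current GPO.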

Group Policy Quick Tip – Enable Remote Desktop

Posted by kyle on November 21, 2011
Group Policy Quick Tips / No Comments

Welcome to the first of what will [hopefully] be an ongoing feature here at GPYall.com!  After troubleshooting a Group Policy problem for someone (completely and totally unrelated to Remote Desktop), the person I was helping told me how he just kept forgetting to set this one setting for new PCs.  A rather long discussion ensued about creating PC images, checklists, automated OS deployment, etc.  While we were talking, I realized that I take a lot of the settings that I typically put into my Computer and User policies for granted.  There are so many ‘set it and forget it’ settings that you literally set once and never think about again.  Today’s tip is for one of those settings that you should set and forget:  enabling Remote Desktop in Group Policy. Continue reading…
