Thursday, 14 May 2009

A Big GPO Day

Today I spent a lot of time working on and testing Group Policy Objects. It was rewarding for the following achievements:

  • We had a situation where our staff users, who had no policy for MMC snap-ins applied, still could not open those snap-ins while they were logged in as a local administrator of their own laptop. This one has gone on for years and I don’t know why it ever happened. It has to be some weird tattooing thing from the old NT4-type domain that was running on a Samba server, once upon a time, about three or four years ago. A bit of GPO explicitly disabling the setting that restricts MMC snap-ins has finally fixed that.
  • Many of our staff computers had a default installation of IE that was locked down for pupil computers using the IEAK, back in the days of IE6. With updates to IE7 and IE8, the lockdown was still in effect. A GPO was set up to explicitly disable the lockdown features on a per-user basis in User Settings\Policies\Administrative Templates\Windows Components\Internet Explorer. And it worked. No more complaints about not being able to create Favorites, or in my case, being unable to configure the tabbed browsing options. At the same time I set a few security options to maximise protection.
  • I even managed to get GPO Preferences to set my default printer in Vista after putting up forever with Send To OneNote being the default printer whenever I logged in. This started to work after I installed a local instance of the same printer. This confirms that the real issue that Vista has with network printer deployment is that half the time it simply will not download and install the drivers properly off the print server. We have to figure out another way of deploying drivers, which I already found a problem with on the very first Vista computers being used by staff other than myself, who found that their per-user printer preferences would not install the drivers from the shared printer on the server. That said, remotely logging in to my computer from another desktop still gets OneNote as the default printer of that remote session.
  • The one that I couldn’t fix was Windows Update settings. There was a GPO and there was nothing wrong with it, it turned out. Basically I’ve got two problems: a selfupdate tree that can’t be accessed by clients, and the clients, whether selfupdated or not, that won’t report back to the server. Not reporting back is a really big issue and the answer doesn’t seem to be that simple. But I will have a small play with the GPO settings to try to eliminate some options.

It is important for us and every other school in NZ to get up to speed with Vista because Microsoft is phasing out mainstream support for XP and this means software will no longer be supported to run on it. Software suppliers will switch to only testing for compatibility with Vista and Seven and then you won’t be able to get any information on resolving problems running things on XP. A big matter is to get Vista running properly on computers that pupils will use, and at the end of this year we have to look seriously at replacing as many as possible of our older computers because XP is all they can run.