Windows XP Professional and Windows XP Media Center Edition (MCE) has Remote Desktop (RDP) service that allows the computer to be remotely connected, accessed and controlled from another computer or host. However, Windows XP machine only allows one concurrent remote desktop connection from a single user been connected to it with no multiple remote desktop sessions or connections support.

Whenever there is a remote user who user Remote Desktop Connection (RDC) client to connect to a Windows XP host, the local user is disconnected with the local console screen locked, with or without his or her permission. Remote Desktop, unlike Terminal Server Services in Windows 2000, Server 2003 and Server 2008, is designed for single user use only, no matter it’s local or remote user.

Here’s a hack to unlock the single user limitation and enable multiple concurrent remote desktop connection sessions support in Windows XP Professional and Media Center Edition, using a either a patched termserv.dll or old patched cracked termserv.dll build version version 5.1.2600.2055, so that unlimited users can simultaneously connect to a computer via Remote Desktop.

1. Download a copy of patched termsrv.dll (in ZIP file) which has the Remote Desktop connection limitation deactivated for your version of Windows XP:

   Windows XP RTM, SP1 and SP2: termsrv.dll (version 5.1.2600.2055)
   Windows XP SP2: termsrv.dll (version 5.1.2600.2180)
   Windows XP SP3: termsrv.dll (version 5.1.2600.5512)

   For information, the termsrv.dll patch normally has the following HEX code bits overwritten with following value:

   00022A17: 74 75
   00022A69: 7F 90
   00022A6A: 16 90

2. Restart the computer and boot info Safe Mode by pressing F8 during initial boot up and select Safe Mode. This step is only required if you’re currently running Windows Terminal Services or Remote Desktop service, and System File Protection has to be skipped and bypassed, else it will prompt the following error message to restore the original termsrv.dll.

   

3. Go to %windir%\System32 and make a backup copy (or rename) the termsrv.dll.
4. Rename or delete the termserv.dll in the %windir%\System32\dllcache folder.
5. Copy the downloaded termsrv.dll into %windir%\System32, %windir%\ServicePackFiles\i386 (if exist) and %windir%\System32\dllcache.
6. Then download and run the ts_multiple_sessions.bat (in ZIP file) to merge the registry value into registery, or you can run Registry Editor to manually add the following registry value:

   [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core]
   “EnableConcurrentSessions”=dword:00000001

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   “EnableConcurrentSessions”=dword:00000001

   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   “AllowMultipleTSSessions”=dword:00000001

7. Click on Start Menu -> Run command and type gpedit.msc, follow by Enter to open up the Group Policy Editor.
8. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.
9. Enable Limit Number of Connections and set the number of connections to 3 (or more). The setting allows more than one users to use the computer and logged on at the same time.
10. Ensure the Remote Desktop is enabled in System Properties’ Remote tab by selecting the radio button for Allow users to connect remotely to this computer.
11. Enable and turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.
12. Restart the computer normally.

Note that if you cannot replace or overwrite termserv.dll with access denied or file in use error, turn off the “Termine Services” in “Services” control panel of “Administrator Tools”. Besides, each connecting physical connections must have their own user account in the target host, and must authenticate with corresponding own user name and password credential.

To uninstall and revert back to original termsrv.dll, simply delete the patched version, and rename the backup copy back to “termsrv.dll”. You probably have to do it in Safe Mode if the Terminal Services is enabled and running.

If the Windows XP computer is connected to a domain on local networks, Windows will set the value of the regkey “AllowMultipleTSSessions” to “0″ every time the computer is restarted. To ensure that multiple or unlimited Remote Desktop connection sessions is allowed in AD domain environment, the value data for “AllowMultipleTSSessions” has to be set to “1″ on each system startup. To change the value, simply rerun the ts_multiple_sessions.bat every time the computer is started. Alternatively, put the ts_multiple_sessions.bat at C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder so that it will be automatically run on first user with administrative privileges that logs on to the desktop. Another workaround is to install additional service or define a sub-key in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry branch that run the registry batch file automatically on boot up, and this is useful if the computer won’t be logged on by anybody, but still requires the hack to allow unlimited Remote Desktop users to work.

Another issue is that if user closes the remote connection instead of logging off, when he or she tries to log back in, an error message related to TCP/IP event ID 4226 may occur. To resolve the issue, download and apply the Windows XP TCP/IP connection limit and Event ID 4226 patch, and set the connections to at least 50.

When attempting to connect or establish Remote Desktop connection to a remote Windows XP or Windows Vista computer in order to remotely logon to the machine, the log on may be rejected with Remote Desktop client returns one of the following error messages.

Your credentials did not work.

or,

Unable to log you on because of an account restriction.

or,

An authentication error has occurred.
The Local Security Authority cannot be contacted

Remote Computer: xxxxx

By default, Windows XP and Windows Vista does not allow nor permit user account without password set or user name with blank (null) password to connect and log in remotely via Remote Desktop Protocol (RDP).

The obvious resolution is definitely to create and set a password for the user account that requires to logon remotely to a computer via Remote Desktop, and it’s recommended for security reason too. However, user who for some reason such as for the purpose of convenient, and thus unable or cannot assign a password to the user account, can use the following workaround to allow user to login remotely via Remote Desktop Connection (RDP) client to Windows XP and Windows Vista PC.

How to Enable Remote Login via Blank Passwords using Local Security Policy or Group Policy Editor

The configuration to enable null (blank) passwords logon must be done on the host computer, i.e. the remote computer to remotely controlled. To configure the Remote Desktop host computer to accept user name with blank password, go to Control Panel -> Administrative Tools (Under System and Maintenance in Windows Vista) -> Local Security Policy. Alternatively, run GPEdit.msc (Group Policy Editor).

Then, expand Security Policies -> Local Securities -> Security Options (for user using Group Policy Editor or GPEdit.msc, expand Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options). Locate Accounts: Limit local account use of blank passwords to console logon only policy, and set its value to Disabled.

Once disabled, user account with blank or null passwords can now login remotely instead of just able to do so via local console.

How to Configure Blank Passwords Allowed for Remote Log On via Registry

Windows XP and Windows Vista stores the value of the policy set above in a registry key named “LimitBlankPasswordUse”. To unlock the limitation of cannot establish Remote Desktop logon with user account without a password, simply set the value data for LimitBlankPasswordUse to 0 (so that there is no limit on blank or null password use), as according to the code below. Alternatively, copy and paste the following text to a text file, and save with a .reg extension. Then run the .reg file to merge the value to registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa]
“LimitBlankPasswordUse”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
“LimitBlankPasswordUse”=dword:00000000

For convenient, two registry files have been created and available for free download, which will enable or disable usage of blank password (or absent of password) to login remotely. Download BlankPasswords.zip and run EnableBlankPasswords.reg to enable or DisableBlankPasswords.reg to disable remote login via blank password.

The trick works on both 32-bit and 64-bit operating systems.

The user interface of User Account Control (UAC) settings in Windows 7 has changed to reflect the move to make UAC less annoying, more user control and more user friendlier approach. In Windows 7, the UAC has a slider bar which allows users to configure and select which level of notification (and hence protection against unauthorized and malicious access) they want. With the fine-tuning of UAC, the wording ‘disable’ or ‘turn off’ is no longer available. So how can you disable UAC? Or at least, how can you turn off the notification prompt or pop-up so that they appear less regularly?

In fact, the steps to disable UAC is Windows 7 is similar to steps to disable UAC in Windows Vista, only with slight user interface change, and there is plenty of methods to turn off UAC too.

Method 1: Disable or Turn Off UAC (User Account Control) in Control Panel

1. To user Control Panel to disable UAC in Windows 7, there are several methods to access the User Account Control settings page:
   1. Go to Start Menu -> Control Panel -> User Accounts and Family Safety -> User Account.
   2. Go to Start Menu -> Control Panel -> System and Security -> Action Center.
   3. Click or right click on Flag icon in notification area (system tray), and then Open Action Center.
   4. Type “MsConfig” in Start Search to start System Configuration, then go to Tools tab, select Change UAC Settings, then click on Launch button.
2. Click on User Account Control settings link.

   

3. Slide the slider bar to the lowest value (towards Never Notify), with description showing Never notify me.

   

4. Click OK to make the change effective.
5. Restart the computer to turn off User Access Control.

Method 2: Disable UAC with Registry Editor (RegEdit)

1. Run Registry Editor (RegEdit).
2. Navigate to the following registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

3. Locate the following REG_DWORD value:

   EnableLUA

4. Set the value of EnableLUA to 0.
5. Optional step to suppress UAC consent prompt dialog, locate the following REG_DWORD value:

   ConsentPromptBehaviorAdmin

6. Set the value of ConsentPromptBehaviorAdmin to 0 (optional).
7. Exit from Registry Editor and restart the computer to turn off UAC.

Method 3: Turn Off UAC Using Group Policy

For Windows 7 Ultimate, Business or Enterprise edition which has Local Group Policy, or computer joined to domain and has Active Directory-based GPO, the group policy can be used to disable UAC for local computer or many computer across large networks at once.

1. Enter GPedit.msc in Start Search to run Local Group Policy editor. (Or gpmc.msc to run Group Policy Management Console for AD-based domain GPO editor).
2. Navigate to the following tree branch:

   Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

   In GPMC, browse to the required GPO which is linked to the domain or OU where the policy wants to apply.

3. Locate the following policy in the right pane:

   User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

   Set its value to Elevate without prompt.

4. Locate the following policy in the right pane:

   User Account Control: Detect application installations and prompt for elevation

   Set its value to Disabled.

5. Locate the following policy in the right pane:

   User Account Control: Run all administrators in Admin Approval Mode

   Set its value to Disabled.

6. Locate the following policy in the right pane:

   User Account Control: Only elevate UIAccess applications that are installed in secure locations

   Set its value to Disabled.

7. 

   Restart the computer when done.

Method 4: Using Command Prompt to Disable User Account Control

The command line option can also be used in batch script command file, i.e. .bat and .cmd files, providing greater convenient to advanced technical user. In actual, the commands,, which are also used to disable or enable UAC in Vista, are just doing the same thing as directly modifying the registry.

1. Open an elevated command prompt as administrator.
2. To disable the UAC, run the following commands:

   %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

   and optionally, the following comand to suppress all elevation consent request and notification:

   %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f

   Tip: To re-enable UAC, the command is:

   %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

   and to turn on prompt for consent UI:

   %windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f

Disable UAC may cause gadget not working in Windows 7. User who facing the issue can use another workaround to suppress User Account Control.

User Account Control (UAC) is a new security feature in Windows Vista that requires all users to log on and run in standard user privileges mode instead of as administrator with full administrative rights, thus prevent unauthorized or accidental changes that could destabilize the computers or allows virus and malware to exploit the system-level privileges provided to the local administrator to attack the network security, compromise computer safety and privacy, and damage files and settings in the network. However, in a lot of cases, administrator rights are needed by end-users to perform certain tasks such as install or update programs and perform typical system-level task. Beside, many software applications also need administrator privileges to run properly without conflicts, as they are designed to write to system locations during normal operation, and computer in locked-down state in which users operate in standard user mode severely limits user productivity.

In Windows Vista, as and when standard end-user requires administrator privileges to perform certain tasks such as attempting to install an application or write to registry, Windows Vista will prompt a UAC credential prompt to notify the user that a credential of administrator user account is needed for authorization or permission, thus reduce the chance user can accidentally make modifications to vista system files or settings and eliminate the ability for virus or malware to invoke administrator privileges without a user’s knowledge. Even for domain or local administrator, with UAC turns on and enable, most applications, components and processes will run with a limited privilege, but have “elevation potential” or Administrator Approval Mode where administrators must give consent through a User Account Control consent prompt.

User Account Control Administrator Credential Prompt

User Account Control Consent Prompt

However, these security clearance and prompting processes may felt by a lot of users as too troublesome, and sometime annoying especially when you’re the only single user who uses the computer, and has all the latest anti-virus and anti-spyware utilities installed and updated. User Account Control is enabled by default in Windows Vista, so you will have to turn off and disable the User Account Control. However, Microsoft recommends that users do not turn off UAC for security reason.

There are a few ways that you can use to turn off the UAC, but most home and personal users should find method to disable UAC via Control Panel easiest to do.

Method 1 – Using Control Panel

1. Click Start and then open Control Panel.
2. In the Control Panel, click User Accounts and Family Safety.
3. Click User Accounts.
4. Click Turn User Account Control on or off.

   

5. Clear the tick or check mark on the box beside the Use User Account Control (UAC) to help protect your computer option.

   

6. Click OK.
7. When prompted, restart the computer. Note that the changes will affect all users on the computer.
8. To enable the UAC, simply tick or select the checkbox again.

Method 2 – Using Control Panel on Single User

A similar method with method 1, but access to UAC via a user account.

1. Click Start and then open Control Panel.
2. In the Control Panel, click User Accounts and Family Safety.
3. Click on Add or remove user account option.

   

4. Click to select any user account.
5. Click Go to the main User Account page.
6. Click Change security settings under “Make changes to your user account” section.

   

7. Clear the tick or check mark on the box beside the Use User Account Control (UAC) to help protect your computer option.

   

8. Click OK.
9. When prompted, restart the computer. Note that the changes will affect all users on the computer.
10. To enable the UAC, simply tick or select the checkbox again.

Method 3 – Using Registry Editor

1. Run Registry Editor by typing “regedit” in Start Search or command prompt.
2. In Registry Editor, navigate to the following registry key:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
   CurrentVersion\Policies\System

3. Locate the following DWORD registry subkey in the right pane:

   EnableLUA

4. Right click and choose modify or double click on EnableLUA to modify the setting. On valud prompt, set the new value to 0.
5. Exit from Registry Editor.
6. Restart the computer.
7. To enable the UAC again, simply change back the value of EnableLUA to 1.

Method 4 – Using MsConfig System Configuration

1. Run MsConfig from Run option.
2. In System Configuration window, click on the Tools tab.
3. Scroll down and locate “Disable UAP” or “Disable UAC” option item. Click on that line.

   

4. Click the Launch button.
5. A command prompt window will open and automatically execute and run certain process to disable UAC.
6. Close CMD window when done.
7. Close Msconfig.
8. Restart computer for changes to apply and effective.
9. To re-enable UAC, simply select “Enable UAP” or “Enable UAC” instead of “Disable UAP” or “Disable UAC”, and then click on Launch button.

Method 5 – Using Group Policy

If you’re an IT administrator or system administrator that manages many Windows Vista computers or clients across your computer, group policy can be an effective and easy to mass enable or disable a group of computers. To disable UAC, both Local Group Policy or Active Directory GPO can be used.

1. Click Start -> Run.
2. Type gpedit.msc and click OK to open the Group Policy Editor.

   Note: If you’re using Active Directory Domain GPO which controls many computers, open Group Policy Management Console by click on Start -> Run, then type gpmc.msc and click OK from a Windows Vista computer that is a member of the AD domain. In the Group Policy Management Console (GPMC) window, browse to the respective GPO which is linked and enabled to the OU (organization unit) or domain where the Vista computers are located, then edit it.

3. Navigate and browse to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options.
4. In the right details pane, locate the User Access Control policies.
5. Right click each of the following policies and configure or change the value as indicated below after the dash (-):

   * User Account Control: Detect application installations and prompt for elevation – Disabled
   * User Account Control: Behavior of the elevation prompt for standard users – No prompt
   * User Account Control: Run all administrators in Admin Approval Mode – Disabled

6. Restart the computer.

Method 6 – TweakUAC

TweakUAC allows users to easily turn on or turn off UAC with a single click, or put UAC into silent mode where all admin users will be auto escalate when needed.

This article has been updated and reposted to Tip and Trick.

Note: After disable and turn off UAC, a little red X shield icon of Windows Security Center comes out in the notification area.

Registry Editor, a main registry editing tool equipped in all versions and editions of Windows operating system, can be disabled, blocked and locked to prevent the RegEdit from been ran or executed by users in order to protect important system registry. Other possibility of Registry Editor been disabled is caused by virus or worm such as W32/Brontok-C.

When Registry Editor is disabled, user unable and cannot open or run Registry Editor anymore. Any attempt to run RegEdit.exe will return the error “Registry editing has been disabled by your administrator”. Hence it’s impossible to remove the restriction on Registry Editor usage by using the Registry Editor itself. However, it’s possible to use various workaround to directly edit the registry to remove the policy that blocks Registry Editor usage.

Enable Registry Editor using Local Group Policy Editor

For user using Windows XP Professional, Windows Vista Ultimate, Windows Server 2003 or 2008 with Local Group Policy Editor and has access to an administrative user account, user can change the registry editor options in the Local Group Policy Editor.

1. Click on Start -> Run (or Start Search in Windows Vista).
2. Enter GPEdit.msc and then press Enter.
3. Navigate to the following location:

   User Configuration -> Administrative Templates -> System

4. In the Settings pane, locate the Prevent access to registry editing tools option, and then double-click on it to open the settings dialog.
5. Select Disabled or Not Configured.
6. Click on OK button.
7. Try to run RegEdit.exe, and if required (still blocking yet), restart the computer.

VBS Script to Enable or Disable Registry Editor

Doug Knox has created a .vbs VB script that able to toggle between enable or disable the Registry Editor. Right click to download and save the regtools.vbs into a folder. Then double click on the VBS file to run it.

The regtools.vbs VB script file will check for the appropriate value related to disabling/enabling of Registry Editor. If the registry key is not found, the key will be created to disable Registry Editor. If the value was found, it will be toggled to its opposite state and you will be informed that you need to log off and log back on or restart your computer. All change by the script is made in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.

UnHookExec.inf by Symantec to Reset Registry Values to Default Settings

In many cases, disabling of Registry Editor is caused by virus, worm or Trojan, which attempts to stop user from fixing any changes to the registry, which normally affects changes to one or more of the shell\open\command keys. For example, exefile\shell\open\command key is changed, the virus, worm or Trojan threat will run each time that system run any .exe file. As such, Symantec create a .inf script tool to reset these registry values to their default settings.

WARNING: The UnHookExec.inf will reset registry keys and values related to BAT, COM, EXE, PIF, REG and SCR extensions, beside re-enabling the Registry Editor. Hence, users who just want to re-enable the Registry Editor has to manually modify the .inf file to remove the unnecessary commands.

Download the file UnHookExec.inf and save it to your Windows desktop.

Right-click the UnHookExec.inf file and click install. Action will be taken immediately. No display, nor any notice or boxes will appear before or after running. Try to run RegEdit.exe again, restart and reboot PC if it’s still blocked.

How can I install the Remote Desktop Connection 5.2 client by use of GPO (Group Policy Objects)?

RDP (Remote Desktop Protocol) client is the client-side component of the Terminal Server connection. In order to allow a client to connect to a TS, the client needs to install the RDP client on their machine.

The RDP client can be installed by use of one of 3 methods:

• Local manual installation

• Login script initiated script

• Group Policy initiated installation

In this article we will focus on the 3rd option. Naturally, the steps described here will also work for any other software installation, as long as it is packaged as an .MSI file.

System requirements

In order to install (anything) via GPO you will need the following:

• Active Directory in place (Windows 2000/2003 AD)

• Client machines that are part of the domain

• Client machines running W2K and beyond.

• Proper administrative rights

Note: In case you cannot install the RDP client on the computer you’re working at (in situations where you don’t have the necessary rights for example) you can still connect to the TS by using the Remote Desktop Web Connection component. Read Download Remote Desktop Web Connection for Windows Server 2003 and Install Remote Desktop Web Connection on Windows Server 2003 for more info.

Obtaining the RDP client installation file

One of the best TS clients is the Microsoft RDP client (others exist, but we won’t discuss them here). The RDP client was first introduced in Windows XP (version 5.1), and was later upgraded (version 5.2 in SP2 and Windows Server 2003). Last year RDP client was upgraded to the latest version -

(Note the new Security tab and the version number)

You can get the new RDP version from any Windows Server 2003 SP1 installation – Look for it in the %systemroot%system32clientstsclient folder.

If you don’t have a Windows Server 2003 computer accessible, you can also download the file from the Microsoft’s site (Download RDP 5.2 (Old Version)), but after downloading it you will need to extract its content.

Extract the msrdpcli.msi file from the archive

As said above, after obtaining the file called msrdpcli.exe from Microsoft’s website you will now need to extract the files from it. In order to do so you should install some 3rd-party extracting tool such as WinZip or WinRAR.

Lamer note: You do NOT need to perform the following action if the file you’ve obtained is already named msrdpcli.msi.

Navigate to the folder where you’ve placed the msrdpcli.exe file, and right-click it:

Choose either the WinZip or the WinRAR context menu and select the command that’ll extract the files from the archive.

You will find a few files that were extracted from the archive. We do not need them for this guide, however you do need to copy the one file called msrdpcli.msi. The file’s size and attributes may vary as there are at least 3 versions of the RDP client. The latest version that can be freely downloaded from Microsoft’s site is v5.2.3790.0. This version’s size is 922kb.

In case you’ve copied the msrdpcli.msi file directly from the %systemroot%system32clientstsclient folder on a Post SP1 Windows Server 2003 computer, the file’s version will be v5.2.3790.1830 and its size will be 959kb. This is currently the latest version available, and it can also be obtained from the Download RDP 5.2 page.

Whatever version you’re using, just copy it. We will need it in a second.

Creating the installation point

You will need to create a network share and place the msrdpcli.msi file in it. You could do so on one of your servers (you could use one of your Domain Controllers, depending on the number of clients on your network).

Let’s assume you’re using one server called zeus and that the network share you’ll create will be located on that server. Let’s assume that server is also a Domain Controller.

1. Open Windows Explorer, navigate to one of your partitions, create a folder (I’ll call it RDP Client, just for the purpose of this article).
2. Right-click that folder and choose Sharing and Security.

3. Give the share a name. It’s best to use a short name of less than 8 characters, but you can use any name you want. You can also add a $ sign after the name in order to hide the share from curious eyes (note that this however won’t protect the share’s content, it will only hide it from unknowing users). I’ve named the share RDP_Client$.

4. Grant the Everyone group Read access for the share. On Windows Server 2003 this is the default. You do not need more than that in order for the users to be able to install the software.
5. Click Ok all the way out.
6. Check to see if the share is accessible from the network by typing ’servernamesharename (in our case – ‘zeusRDP_Client$). If the share opens in a new window, we’re set.
7. Needless to say, you need to paste the msrdpcli.msi file in that share, duh…

Note that in some cases, with a large network containing many users, one installation point won’t be enough. You will then need to use some load balancing method such as DFS (Distributed File System) and replicas of the content inside, but that’s for a different article.

Choosing computer account or user account-based installation

The next decision you need to make is whether to install the software on the computers based on the computer’s account location, or based upon the user’s account location. For example, if in your AD infrastructure you have an OU called Workstations OU, and, OU called Sales OU and a third one called IT OU:

Lets say you decided to configure the software to be installed on all the users in the Sales OU. Then the GPO will need to be linked to the Sales OU, and the software will need to be configured on the User Configuration part of that GPO:

You will now link this GPO to the Sales OU (or to the IT OU, or to both, depending on your choice). If you choose this option, the software can be installed in one of two methods:

• Published – Which means that it won’t be actually installed, the user will need to manually install it from the Add/Remove Programs applet in the Control Panel.
• Assigned – Which means the software will “seam” to be installed, it will show in the Programs folder on the Start menu, but it won’t actually do anything. The first time a user clicks the shortcut, it will automatically be installed.

However, if you choose to install the software for all the computers in the company, and these computers have their computer accounts in the Workstations OU, then you will need to configure the software installation on the Computer Configuration part of that GPO:

As a “bonus” of this option you will also get the added value of installing the software as a mandatory installation to the computer, and it will be installed during the computer’s booting, right before the CTRL-ALT-DEL screen appears. That means that software installed to the Computer Configuration part of the GPO can only be Assigned, and not Published, as with the Users Configuration option. However, unlike the Assigned option in the User Configuration, the software will fully install itself and not “wait” for the first use of it by the user.

You will then have to link this GPO to the Workstations OU.

Creating or editing the Group Policy Object (GPO)

You will now need to decide what scope will your GPO cover. For example, will you need to install the software for ALL your users/computers, or just for some of them, according to some internal company logic. Based upon your design you will need to either edit an existing GPO, or create and edit a new one. This GPO will need to be linked to the right OU, or to the entire domain or site, depending on your design. I will not go into this area in this article, perhaps in a future one.

Lets say you need to create a new GPO and want to link the new GPO to the Sales OU:

1. Open Group Policy Management Console (GPMC). You don’t have GPMC yet? Bad boy! Read Download GPMC for more info.
2. Expand the domain tree, right-click Group Policy Objects, and choose New.

3. Enter a descriptive name for the new GPO, press Ok.

4. Right-click the new GPO and select Edit.

5. In the new GPO editor window select either the Computer Configuration part of the GPO or the User Configuration part of the GPO, depending on the choice you made in the previous step. Expand it, go to Software Settings > Software Installation. Right-Click Software Installation and choose New > Package.

(I chose the User Configuration option)

6. In the Open window, make sure you manually type in the full network path (UNC path) to the installation point (to remind you, in our case it’s ‘zeusRDP_Client$). Do NOT make the mistake of browsing to the local location of the file, you MUST provide the network path to the share.

This is where the msrdpcli.msi file is supposed to be waiting for you. Click to select the file, then click Open.

7. In the Deploy Software window click on the right choice based on the decision you made in the previous step. I chose Assigned.

8. The new installation package will appear on the right pane.

That’s it, you’re done.

Now, in order for the new installation to work, you’ll need to wait for AD replication to finish (depending on the size of your AD infrastructure, this can take anywhere from a few seconds to a day or two, but assuming you’re using 2 or 3 DCs, this’ll take a minute or less).

Next, ask your user(s) to reboot their computer. In some cases a refresh of the GPO (gpupdate /force) and/or a logoff will be enough, but we need to make sure.

Ask the user to look for a window saying “Software installation” right before the CTRL-ALT-DEL window appears (in case of a Computer-based installation), or right after it (in case of a User-based installation). Ask them to look for the program in the Start menu.

If something doesn’t work right, you can begin to troubleshoot by looking at replication issues, permissions, GPO inheritance and filtering, and at event ids. But that’s for a different article.

Raise your hand if you’re using Windows XP in your corporate environment and make use of a VPN client to connect back to your network resources when you’re off campus. Does your company leverage any type of manual folder redirection for your My Documents folder to point to a network location? If so, how many of you struggle with accessing your home directory (e.g. My Documents) when you’re working away from the office. This is a very common complaint amongst the information worker. The issue is, when you go home, logon to your laptop, connect to the VPN, and click on your My Documents, you don’t have access to your data. My wife complains to me, “Why can’t I access my home drive?!” This is because when you logon to your machine, you’re not connected to the corporate network. A workaround is either knowing the UNC on the network you can browse to access your data. While this can be annoying for some, but an annoyance anyway, there are solutions out there that can help.

My first piece of advice is to eliminate the use of the VPN client altogether. There are technologies out there that can provide a more , Cisco’s AnyConnect or Microsoft’s Direct Access solution. Depending on customer requirements, you’ll need to examine the clientessVPN solutions that are out on the market.

As part of your Windows 7 Deployment Project, you may consider leveraging group policies to create a more secure and managed desktop environment. Folder redirection is one of the policies you might want to consider. Generally speaking most organizations have a User Data Policy, which dictates where user data should be stored. In the corporate environment it is a very good idea to backup user data to a network location such as  SharePoint, Network Share, Home Directory, etc. Alternatively, the use of external devices such as USB, external hard disk, etc. can be used. Folder redirection policy is a great way to ensure that as a user logs on, their documents are pointed to a network location.

When creating a new User Account in Active Directory Users & Computers (ADUC), you have the ability to create a Home Folder to point to a network location. One of the most common scenarios is to map a Drive Letter to point to a specific UNC on a filer where you would like to store the user’s My Documents folder.

Additionally, iff your intention is to implement Windows RE into your deployment solution, Documents Folder Redirection is a critical piece of the ability to self restore a PC. If the user’s primary source data is not kept on a Network Share, when the System Image Restore process is initiated, there is some potential for the loss of all local data.

Configuring Folder Redirection Policy in Windows 7

Step by Step

1)      In the GPMC, right-click the OU on which you want to apply Folder Redirection (at the time of this writing the policy is configured on Test OU – Test – Users) , and choose “Create a GPO in this domain, and Link it here.”

2)      Name the GPO, say, “Win 7 Documents Folder Redirection”

3)      Right-click on the policy and choose Edit.

4)      Drill down to Folder Redirection: Select User Configuration – Policies – Windows Settings – Folder Redirection

5)      Go to the Documents folder, right-click and choose Properties.

6)      On the Target tab make the Setting set to Basic – Redirect everyone’s folder to the same location.

7)      The Target folder location is set to Redirect to the following location

8)      The Root Path is set to %HomeShare%\My Documents

9)      Click Apply

Enjoy!

Rich

1. What kind of administrative tasks can be accomplished through a GPO?
2. What are the two default GPOs created when Active Directory is installed?
3. What are the two main categories of a Group Policy
4. What are the configuration categories available in both the User configuration and Computer configuration sections of a GPO ?
5. Describe the process of how group policy is implemented when a computer is started and a user logs on.
6. What is an administrative template?
7. What are the configuration categories of administrative templates?
8. How can scripts simplify administrative tasks?
9. What is the folder redirection feature of Group policy? Why is it useful?
10. What folders can be redirected?
11. What is the order GPOs are applied in?
12. What is inheritance?
13. What options goes a GPO give you to enforce or limit inheritance?
14. What tools can you use to troubleshoot Group Policy problems?
15. What are the four main phases of software deployment that can be achieved through Group Policy?
16. Explain the difference between publishing and assigning applications through Group policy.

Group Policies are a powerful tool for a Windows system administrator as they allow the administrator to manage computer and user accounts. It basically can be used to allow or disallow certain features and options of the operating system. Group Policies are usually used in corporate environments but also in organizations, schools and even in some homes.

Enter gpedit.msc into a run box or the start menu search form to start the Group Policy Editor. This will open up the Local Computer Policy view which is separated into computer configuration and user configuration. It would take a long time to browser through all the menus and submenus offered in the editor.

That’s why Microsoft has created an Excel spreadsheet that can be used as a reference for the Group Policy Settings in Windows and Windows Server which makes it a lot easier to locate the settings of interest.

Overview
Using column filters, you can filter the information in these spreadsheets by operating system, component, or computer or user configuration. You can also search for information by using text or keywords.

These spreadsheets include the following categories of security policy settings: Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy), Local Policies (Audit Policy, User Rights Assignment, and Security Options), Event Log, Restricted Groups, System Services, Registry, and File System policy settings. These spreadsheets do not include security settings that exist outside of the Security Settings extension (scecli.dll), such as Wireless Network extension, Public Key Policies, or Software Restriction Policies.

* Group Policy Settings Reference for Windows Server 2008 R2 and Windows 7: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (.admx/.adml) delivered with Windows Server 2008 R2 and Windows 7. The policy settings included in this spreadsheet cover Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista with SP1, Windows Server 2003 with SP2 and earlier service packs, Windows XP Professional with SP2 and earlier service packs, and Windows 2000 with SP4 and earlier service packs.
* Group Policy Settings Reference for Windows Server 2008 and Windows Vista Service Pack 1: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (.admx/.adml) delivered with Windows Server 2008 and Windows Vista with Service Pack 1 (SP1). The policy settings included in this spreadsheet cover Windows Server 2008, Windows Vista with SP1, Windows Server 2003, Windows XP Professional with SP2 or earlier service packs, and Windows 2000 with SP4 or earlier service packs.
* Group Policy Settings Reference for Windows Vista: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template files (.admx/.adml) delivered with Windows Vista with no service packs installed. The policy settings included in this spreadsheet cover Windows Vista, Microsoft Windows Server 2003, Windows XP Professional with SP2 or earlier service packs, and Windows 2000 with SP4 or earlier service packs.
* Group Policy Settings Reference for Windows Server 2003 Service Pack 2: This spreadsheet lists the policy settings for computer and user configurations included in the Administrative template (.adm) files and Security Settings that shipped with Windows Server 2003 with SP2. The policy settings included in this spreadsheet cover Microsoft Windows Server 2003 with SP2 or earlier service packs, Windows XP Professional with SP3 or earlier service packs, and Microsoft Windows 2000 with SP4 or earlier service packs.

This spreadsheet includes separate worksheets for each of the .adm files and the security policy settings that shipped in Windows XP SP3, a consolidated worksheet for easy searching, and an Update History worksheet that lists policy settings that have been added since the Windows Server 2003 operating systems were released.

The spreadsheet can be downloaded directly from the Microsoft website.

Technorati : Group Policy, Security, Windows
Del.icio.us : Group Policy, Security, Windows
Zooomr : Group Policy, Security, Windows
Flickr : Group Policy, Security, Windows

If your environment consists of users that are local admins on the machine, this is something you should really try to get away from. Running in full administrative mode in a Windows environment is probably one of the most dangerous things that can be done from an security standpoint. One of the luxury’s of User Account Control is that it allows you to elevate privileges when needed. One of the many advantages of deploying Windows 7 is that standard users can do more then what they could do previously with Windows XP. A very common computing task for the everyday worker is installing a Network Printers. I don’t know about you, but, the last thing I want to have to do is call the IT Service Desk to assist me with this effort. Ugh!

In Windows 7, as a standard user, you’re not able to do this without making a few changes to the supporting infrastructure first. There is a computer policy you can deploy to Win7 clients in your environment.

Step by Step

1. In the GPMC, right-click the OU on which you want to apply the Windows 7 Printer Policy, and choose “Create a GPO in this domain, and link it here.”
2. Name the GPO something appropriate, “Windows 7 Printers”
3. Right-click on the new GPO, and choose Edit from the shortcut menu to open the Group Policy Management Editor.
4. Drill down to Printers by choosing Computer Configuration_Policies_Administrative Templates: Policy definition. Click Printers and double click on Point and Print Restrictions.
5. Enable the Policy
6. Disable the “Users can only point and print to these servers”
7. Enable the “Users can only point and print to machines in their forest”
8. Do not show warning or elevation prompt for both “When installing drivers for a new connection” and “When updating drivers for an existing connection.”

Here is a snippet of the Computer Configuration Policy:

Note: If you want to restrict this policy specifically for Windows 7 machines, use the following WMI filter:

Query looks like this: “Select * from WIN32_OperatingSystem where Version=’6.1.7600″ and ProductType=1″

Group policy and Active Directory are very important in any organization with more than a few computers.  When I loaded Windows 7 on my work PC one of the first tasks I had to do was install the Group Policy Management client (GPMC) and the AD tools such as Active Directory Users and Computers MMC.  The two tools that I need to manage our domain based group policies and AD accounts.  Installing the tools is a little more complicated than a typical download and setup so let’s get started.

First, you need to download the Remote System Administration Tools (RSAT) for Windows 7 fromMicrosoft Downloads. Make sure you download the correct version for your bit version of Windows 7.

x86fre_GRMRSAT_MSU.msu for the 32-bit version of Windows 7.

amd64fre_GRMRSATX_MSU.msu for the 64-bit version of Windows 7.

After you have the file downloaded, double-click on it and click Yes on the Windows Update Standalone Installer screen shown below.

Click I Accept on the license screen and the components will now be installed after a few minutes. Once installed, you will need to turn on the features that were just added.  The install you downloaded did not install the features on your computer, it just added the features to the local repository of Windows features you can turn on or off.

Next, click on the Start Button and type in Turn Windows features on or off and hit Enter.  Scroll through the list and locate Remote Server Administration Tools.  First let’s install the Group Policy Management Client by expanding Remote Server Administration Tools, Feature Administration Tools and then check Group Policy Management Tools.

Now for the Active Directory tools: Under Remote Server Administration Tools expand Role Administration Tools, AD DS and AD LDS Tools, AD DS Tools and check Active Directory Administrative Center and AD DS Snap-ins and Command-line Tools.

Finally, click OK and the new features will be installed.

Now you can run the Group Policy Management client by clicking on the Start Button and typing in gpmc.msc and then hit Enter.  For Active Directory Users and Computers type in dsa.msc and hit Enter.

Having only used Terminal Services sparingly in the past as a means to run single applications made available to remote desktop clients or to make websites available to thin clients, I had to create a terminal server that provided a desktop of icons that provide access to applications, email and web for laptops accessing via corporate VPN. The laptops are light and have only the OS and anti-virus installed so would be reliant on the capabilities of the terminal server.

Previously, as we had been deploying an .rdp icon that is configured to access an app or webpage now we were making a TS fully available for access which meant that we had to use group policy to lock it down.

To do this I created an Organisational Unit in Active Directory called Terminal Server Lockdown and added the Windows 2008 Terminal Server as a member of the newly created OU.

Next, I enabled Group Policy on the OU (Right click then Properties) and selected Group Policy.

I created a new local group policy object and called it Terminal Server Lockdown.

Finally, I edited the group policy here used the settings that Microsoft recommends in their ‘Locking Down Windows Server 2003 Terminal Server Sessions’ document that is available here:

http://download.microsoft.com/download/d/8/b/d8b21533-a5bf-4d46-8878-ebbf834fc6f7/Win2003_Teminal_Server_Lockdown.doc

Some of the recommended settings may cause some problems but this depends on your environment and how tightly you want to lock down TS sessions. After testing and adding further restrictions this solution is very effective.

The following information is useful when installing or upgrading to Notes on a Windows client.

• When installing Notes you must be logged in as an administrative user or as a non-administrative user with elevated privileges. To install as a non-administrative user, an administrator should first run the Group Policy Editor (gpedit.msc) and set install privileges to "Always Install Elevated" as below. Once these settings have been made, non-administrative users can then install, open, and use Notes.

  From the Policy Group Editor [gpedit.msc] policy setting:

  1. Click Computer Configuration – Administrative Templates – Windows Components – Windows Installer > Always Install Elevated.
  2. Click User Configuration – Administrative Templates – Windows Components – Windows Installer – Always Install Elevated.
• Notes installation on Windows^® supports Windows XP and Windows Vista. For Windows Vista, the User Account Control (UAC) setting should be ON.
• You can install Notes on Windows in a single user or multi-user environment.
• If you plan to use Notes shared login, do not select "Client Single Logon Feature" during installation.
• When installing Notes using the Windows Allclient kit, feature panel installation options are available for installing or upgrading the Domino Designer and Domino Administrator clients.
• For recommended memory, see the "Software requirements" section of the release notes or tech notes.
• A summary panel displays the disk space footprint for what is being installed. Install also needs additional temporary disk space. The temporary disk space required is almost as large as the footprint. If you do not have enough space for the footprint and temporary space, the installer will stop you from continuing.
• Shut down all applications before installing Notes.
• If you have installed a Notes Beta version, uninstall it before installing this Notes version.
• On Windows Vista, you cannot upgrade a Notes installation that was installed with UAC turned OFF to a Notes installation that has UAC turned ON. You must first uninstall, set UAC ON, then run the current Notes installer.
• Shared network installation is not supported for Notes standard configuration.
• Installation and use of Notes on a USB drive is not supported for Notes standard configuration.
• Notes roaming user does not support switching a user ID, as noted in the user interface response and the Lotus Notes Support Site.
• At initial release, Notes is available in US English only. Additional language kits are made available for Notes shortly after initial release. See the language kit topics in this guide.
• The installation path cannot contain special characters such as # or $.
• Only one instance of Notes should be installed on a client workstation at any given time.
• If installation does not complete successfully, uninstall Notes and reinstall. If uninstall is not successful, see "Cleaning a previous or partial Notes installation from your client."
• The Notes installer does not support upgrade from single user to multi-user, however it is possible to perform such an upgrade using a manual technique. For information about upgrading from a single user to a multi-user Notes installation, see the "Upgrading from a single user to a multi-user Notes installation" topic in this guide.
• Only one instance of Notes should be installed on a client workstation at any given time.
• Once you click "Install" on the Notes installation panel, allow the installation to complete. Ending the Notes installation process prematurely can leave files in an unstable state, and may also leave empty folders and miscellaneous files on your system. If you experience problems installing Notes after exiting a Notes installation prior to its completion, see "Cleaning a previous or partial Notes installation from the client".

Source…

Read at source…

Nice YouTube video.  Works for Vista or Server 2008.  Click here.

A great introduction video to GP Backup and Restore.

Did you know Vista and Win7 have a built in way to manage which hardware devices can and cannot be put on your network? Want to banish iPODS and USB sticks? Check out this demonstration.

At a Glance:

• Updated RSAT filters
• Automated GPO handling with Windows PowerShell
• Tabless interface for ADM and ADMX
• Built-in Starter GPOs and new policy settings

Read at source…

The biggest change to group policies since Windows 2000 comes to Windows courtesy of a Microsoft purchase of a company called Desktop Standard. Among several excellent enhancements to group policies comes Group Policy Preferences (GPPs). GPPs allow group policy objects to control a whole new set of Windows settings using Active Directory based GPOs. Along with dozens of new policy settings, GPPs introduce several new concepts to GPOs, namely multiple setting actions, item level targeting and one time application of settings. Each of these individually would make this new mechanism worth a look, but the combination is one of the most powerful tools available to Windows system administrators, and it’s all included in Windows at no additional cost.

Requirements

Before we dig into what GPPs can control and how they control it, let’s go over the requirements for using GPPs. The popular misconception is that GPPs require a significant investment in upgrading the domain, DCs or the entire network to Windows 2008/R2 and Vista/Windows 7. The truth is that the requirements are significantly lower than that. There are two sets of requirements related to using GPPs, the requirements to edit a GPO and to apply a GPO:

• Editing a GPO with GPPs requires a system running Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ or Windows 7. Therefore, introducing a single machine running any of these operating systems to a network would allow GPOs using GPPs to be created.
• Applying a GPO with GPPs is supported on the  above mentioned operating systems (Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ and Windows 7) but also on Windows XP SP 2+ and Windows 2003 SP2+. In order to use GPPs on Windows XP SP2, Windows 2003 and Vista RTM, the new Client Side Extensions (CSEs) for GPPs must be downloaded and installed. The updated CSEs are included in Windows XP SP3 and Vista SP1.

You’ll notice that there are no requirements for your domain controllers and or other server operating systems!!!

Significant Features

GPPs introduce several unique new features that expand and enhance the usage of group policies and can be used for all GPPs:

• Item level targeting

This feature, available on the Common tab, allows the construction of a multipart conditional statement that must be met before the setting is applied. Since the condition only applies to one setting, a single GPO can have settings that are applied to different users and computers. The condition parameters include items such as:

• Computer Name
• CPU Speed
• Disk Space
• Domain
• Environment Variable
• IP Address Range
• Operating System
• Organizational Unit
• RAM
• Site
• and User

Also available are conditions that query specific registry keys, files, LDAP objects and WMI properties.

• Apply once

Another feature that can be found on the Common tab and therefore used for the large majority of GPPs, is represented by a checkbox labeled ‘Apply once and do not reapply’. Using this setting allows the administrator to implement a default setting but allow users to modify the setting. This ‘soft’ application of GPO settings is a powerful tool for system administrators.

• Modification actions

Found on the default and left-most tab of most GPPs is the Action pulldown. This setting provides granular control for the type of action used when applying the setting and contains the following options:

• Create – This action will create a new object as specified. If an object exists, no action will be taken.
• Replace – If the specific object exists, it will be removed and a new one created with the specified settings. If the object doesn’t exist, it will be created. This setting is similar to traditional GPOs and force a configuration regardless of existing settings.
• Update – If the specific object exists, it will be updated with any specified settings. Other settings will not be distributed. If the object doesn’t exist, it will be created.
• Delete – This action will search for the specific object and delete it.

GPP Extensions

Of the approximately 20 new setting areas (or extensions) introduced with GPP, the majority provide a new, easier method of configuring settings that historically required complex scripts, third party utilities or were not possible at all.

The following extensions can be used to replace tasks traditionally completed with scripts or batch files:

• Drive maps
• Printers
• Environment
• Files
• Registry
• Shortcuts
• Local Users and Groups

Whereas the following extensions present functionality that is new to GPOs:

• Start Menu
• Folder Options
• Power Options
• Data Sources
• Network Shares

The features, functions and elements described here are just examples of the new options available with GPPs. A review of the preferences sections within the GPO will quickly allow any administrator to find settings that address their own issues and optimize systems management in their organization.

hopefully this introduction helps readers understand GPPs a little better and leads some to leverage these very capable tools. If you have found a cool use for GPPs, please comment and share.

Using Group Policy Editor – for Windows XP Professional

* Click Start, Run, type gpedit.msc and click OK.

* The Navigate to this location:

Click on:

> User Configuration

> Administrative Templates

> System

> Ctrl+Alt+Delete Options

> Remove Task Manager

* Then double click the Remove Task Manager in the choices, and select the option (ENABLE)

* Click Ok. Now Try Right Clicking in the Windows Taskbar and see if the ‘Task Manager’ is grayed. If it is grayed and not clickable then good job.

Traditionally printer connections have been deployed to users with scripting, like batch (net use) and Kixtart (AddPrinterConnection).

I would now like to show how printer connections can be deployed using Group Policy. Today we have 2 possible solutions for natively deploy printers using Group Policy without the need for any scripting:

1) Group Policy Preferences – available in Windows Server 2008 and later

2) Print Management – available in Windows Server 2003 R2 and later

Using Group Policy Preferences to deploy printers are described in an earlier blog post, available here. Therefore, I won`t explain any further details regarding this.

I will focus on the Print Management which has a powerful “Deploy with Group Policy” feature.

Configure printer deployment on

print servers

To use the “Deploy with Group Policy” feature, you need to install the “Print Management Component” feature from “Add/Remove Windows Components” in Windows Server 2003 R2. In Windows Server 2008/2008 R2 you need to install the “Print Server”-role from the “Add Roles Wizard”.

When installed, you`ll find “Print Management” under “Administrative tools” on the Start menu:

The following screenshots are taken from Windows Server 2008 R2.

When you open the Print Management Console you will see an overview of Custom Filters, Print Server and Deployed Printers:

You may add additional filters and print servers to the console, which you can read more about in the links in the bottom of this post. For now, we`ll focus on the printer deployment part.

Right-click the printer you want to deploy, and select “Deploy with Group Policy”:

Select “Browse” to choose a Group Policy Object where the printer connection will be deployed. Select “per user” and/or “per machine” and press “Add”. Then click “OK”:

You should now receive a message stating that the deployment operation was successful. Click “OK”:

The printer will now be deployed to client computers.

Behind the scenes

To understand how the print deployment feature works, we`ll activate the “Advanced Features” option on the “View”-menu in “Active Directory Users and Computers”:

Open the “Group Policy Management Console”, go to the Group Policy Object you deployed the printer to, and select “Details”:

Note the “Unique ID” (GUID).

Back in ADUC, expand “System” and then “Policies”:

This is where the actual Group Policy Objects in Active Directory are stored, in addition to \\domain.local\sysvol\policies.

Find and expand the Group Policy Object you deployed the printer to. You will now see “PushedPrinterConnections” under the “Machine” and “User” nodes:

When looking at “PushedPrinterConnections” under the “User” node, we see an entry of type “msPrint-ConnectionPolicy”:

When we go into “Properties” on the “msPrint-ConnectionPolicy” and go to “Attribute Editor”, we can see that this represents the printer connection we added:

Deployment to client computers

Client computers running Windows Vista and later have native support for the new printer connection policies, and will work “out-of-the-box” when printer connections are added to a Group Policy.

Client computers running Windows 2000 and Windows XP doesn`t support the the new printer connection policies natively. To resolve this, there are a utility called “pushprinterconnections.exe” which must be added to a logonscript in Group Policy. This utility will check the computer and user Group Policy Objects and add any printer connections defined.

This utility have 1 parameter: –log. This is useful when troubleshooting problems, and I would recommend you to use this parameter. As you can see, the utility should not be run manually from the command line:

Here is an example of the utility added to a logon-script in a Group Policy Object:

The log-files are named “ppcUser.log” and “ppcComputer.log”. These are located in the %temp% directory:

Here is an example output of the logfile:

In Windows 2000 and Windows XP, no other feedback than these log-files are provided.

In Windows Vista/Windows Server 2008 and later, the following feedback are shown during logon:

In addition, any failures are logged to the “Application”-log with Source “SpoolerSpoolss”.

Special considerations

Windows 2000 supports only “per machine” deployments when using the pushprinterconnections.exe utility.

The pushprinterconnections.exe utility won`t catch “per user” connection policies when using “User Group Policy loopback processing”. You must link the GPO containing the “per user” connection policies to an Organizational Unit where the users reside.

Use ACL`s  on the printer objects on the print servers to publish the printers based on group membership. By using this approach, all printer connections may be defined in the same Group Policy Object.

My recommendations

As I said in the introduction to this post, printer connections have traditionally been deployed to users with scripting. Since there are native ways to accomplish this using Group Policy, this would be my recommendation.

Considerations for using the “Deploy with Group Policy” feature in the print server role:

-the print administrator would have an overview over all printers which are deployed with the Print Management Group Policy feature in the Print Management console
-printers can be administered in an individual GPO like GP Preferences with the Print Management console. To do so, open Group Policy Editor, expand Computer Configuration/User Configuration->Policies->Windows Settings->Deployed Printers
-it requires that pushprinterconnections.exe are run on Windows XP and Windows Server 2003 clients
-it is available with Windows XP/Windows Server 2003 R2 and later (backwards compatible to Windows 2000 Professional/2000 Server)
-it requires Windows Server 2003 Client Access Licenses (CALs)

Considerations for using Group Policy Preferences:

-it can handle more different printer types (local, TCP/IP, and shared instead of only “shared”)
-it has several additional options (deleting all existing connections, setting default printer, etc.)
-it can save a lot of GPOs because you can have many printer objects in one GPO and use “Item Level Targeting” to address each printer individually (e.g. clients in a specific IP-range, per group or even per user)
-it is easy to automate the process of adding printer objects to a GPO using Windows PowerShell, since the GP Preferences settings are store in XML-files
-it requires that Group Policy Client Side Extenstions are deployed on Windows XP and Windows Server 2003 clients
-it is available with Windows Vista/Windows Server 2008 and later (backwards compatible to Windows XP/2003 Server)
-it requires Windows Server 2008 Client Access Licenses (CALs)

Resource links

Step-by-Step Guide for Print Management
(Applies To: Windows Server 2003 R2)

Print Management Step-by-Step Guide
Applies To: Windows Server 2008

Print Management
(Applies To: Windows 7, Windows Server 2008 R2, Windows Vista)

Deploy the PushPrinterConnections.exe Utility

Hi Everyone,

We want to let you know that there is a correction to the link to download

“Group Policy Settings added to Windows 2008”.

So if you are looking for it the link is here

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=18c90c80-8b0a-4906-a4f5-ff24cc2030fb

Apologies if you have had trouble finding it