Seven tips for using group policy in Windows 7

Current Job Listings

Windows 7 comes with a host of new features that greatly simplify everyday tasks. In a corporate environment, however, the last thing IT wants is for users to have free rein of these features once Windows 7 is deployed on their desktops.

Group Policy, the set of rules providing administrative control over users and computers in an Active Directory environment, enables IT to use the organization's existing Group Policy infrastructure to deploy security and desktop settings that ensure compliance with corporate standards.

One of the most robust configuration tools in the Windows infrastructure, Group Policy plays a major role in establishing a secure and compliant network environment, regulating everything from critical business processes and security settings to individual workstations and printers.

Here are seven tips that will help you get the most out of Group Policy to strengthen security, automate tasks and save money with Windows 7.

1. Use a Windows 7 management machine.

To make the most of the new Group Policy functionality you need to have one management machine running the Group Policy Management Console (GPMC). But GPMC is available only as part of a downloadable package called Remote Server Administration Toolkit (RSAT).

So, Step 1 in creating a Windows 7 management machine is to download RSAT and install the GPMC component. You can download RSAT here or search for the phrase "Remote Server Administration Tools for Windows 7." You will find both 32-bit and 64-bit versions of RSAT, so be sure to install the correct version for your architecture.

Once RSAT is installed, select Remote Server Administration Tools from inside Control Panel/Programs/Turn Windows Features on or off. Then, select "Group Policy Management Tools" to install the GPMC, and "Active Directory Administrative Center" to add AD users and computers and other AD-related tools. Once installed, GPMC is available by running GPMC.MSC from the command prompt, or finding it in the Start menu.

2. Use power policy settings and controls.

To lower your operational costs, use Group Policy to tweak settings that decrease the power consumption of your desktops and laptops. The smaller the power footprint, the more money you will save -- day after day, and year after year. You can find power-related policy settings at Computer Configuration/Policies/Administrative Templates/System/Power Management.You also can find Group Policy Preferences for Windows 7 Power Plans -- both for users and computers -- at Computer Configuration/Preferences/Control Panel Settings/ Power Options and User Configuration/Preferences/Control Panel Settings/Power Options.

The difference between Group Policy preferences and Group Policy power management settings is that users can undo preferences at any time, while policy is enforced by the system and can't be bypassed by users. In either case, you can immediately recoup some of your Windows 7 deployment costs when you implement Group Policy power management settings and/or Group Policy preferences.

3. Use Group Policy to lock out unwanted hardware

Preventing corporate data from walking away is a key security concern for administrators. USB flash drives, cameras and phones using flash media and other such hardware can put your network at risk, but can be locked out using Group Policy. Specific devices can be blacklisted, which ensures they cannot be used, or whitelisted, which means a particular device type is not permitted unless it's on an approved list.

You can find policy settings that enable you to perform hardware lockout at Computer Configuration/Policies/Administrative Templates/System/Device Installation/Device Installation Restrictions. The hardware lockout policy settings are valid for Windows Vista and onward, including Windows 7.

4.  The "Immediate Task" function doesn't yet work

While it would be nice to be able to use Group Policy to perform the same command on all your machines at the same time, the Group Policy engine itself is not immediate. The GPO on the domain controllers contains the "payload" of directions, and the client pulls Group Policy settings from that payload approximately once every 90 minutes.

While one of the payloads can be a new instruction called an "Immediate Task," this function does not appear to work in Windows 7 or Windows Server 2008/R2, which means the Immediate Task item type for Windows Vista and later is ignored by the target machine. This should be corrected in an upcoming hot fix or service pack.

Windows 7 and Windows Server 2008/R2 do appear to process Scheduled Task items correctly, however.

The good news is that Group Policy provides a uniform way to assign tasks to all of your machines. Instead of running from machine to machine, use Group Policy to take consistent, controlled actions based on a central policy.

5. Use PowerShell to deploy scripts

PowerShell has become increasingly popular with administrators, but until recently, there was no great in-the-box way to deliver PowerShell scripts to target machines. Now, however, Windows 7 and Windows Server 2008/R2 machines can accept them via Group Policy.

The Logon Properties dialog box is located at User Configuration/Policies/Windows Settings/Scripts (Logon/Logoff). Similar settings for the computer are found in computer Configuration/Policies/Windows Settings/Scripts (Startup/Shutdown).

PowerShell scripts can be used to copy files from the client to the server -- rounding up events in the event log and centrally managing them -- and for a variety of other reasons. You must output your results to a static location, however; don't keep anything important inside the PowerShell bubble.6. Use PowerShell to script Group Policy operations

You also can use PowerShell to script Group Policy operations that normally are available only within the GPMC. You may want to create a new GPO, restore the settings from an existing GPO or link that newly created GPO to an OU.

With the new PowerShell support built into Windows 7, you are almost there. First, start a new PowerShell session on your Windows 7 management machine, then type "import-module grouppolicy." You can then tack on "–verbose" to show which cmdlets the Group Policy PowerShell module can perform.

By using PowerShell to script your Group Policy operations, you can make sure repetitive tasks are performed correctly every time, without manual labor. Remember, however, that these cmdlets are only available with a Windows 7 or Windows Server 2008/R2 management machine.

7. Get application-level control with AppLocker

In addition to restricting undesirable hardware (tip No. 3), Group Policy also can be used to restrict undesirable software. The Windows default is to allow users to run any application without question, but you can protect your network from dangerous files with Microsoft's AppLocker, which is an evolutionary step beyond the previous restricting software, Windows XP's Software Restriction Policies, and raises the bar in several ways.

You can dictate which software will and will not run via "Publisher rule," which you can create by browsing to any file by a particular manufacturer (Publisher), and then choosing whether to allow or disallow software based on various criteria. You also can use it in whitelist mode, allowing only specifically named software to run. If it isn't on the list, it isn't allowed to run.AppLocker will work only if the target machine is Windows 7 or Windows Server 2008/R2. However, it is only available for the Enterprise and Ultimate versions of Windows 7 (and not the more cost-effective Professional version). It is not available, or expected to be backported, for Windows XP.

Don't forget that the power of Windows 7 makes it especially important to use a test environment to ensure your Group Policy Objects work the way you want before you roll them into production. Use a GPO administrative tool to create GPOs offline, try them out in the test lab, and then roll them into production once you are confident they work the way they should.

Moskowitz, Group Policy MVP, is a consultant to Quest Software. He runs, which offers tips, tricks, a community forum, and in-depth live and online training for addressing your team's toughest Group Policy questions. He is a regular speaker at IT conferences worldwide, and has authored or co-authored numerous books, including Group Policy: Fundamentals, Security and the Managed Desktop. Explore the book and free eChapters at

Read more about software in Network World's Software section.

This story, "Seven tips for using group policy in Windows 7" was originally published by Network World.

5 collaboration tools that enhance Microsoft Office
Shop Tech Products at Amazon