Tag: gpo

  • How to Restrict Control Panel Access with Group Policy

    This blog will examine how to restrict control panel access with group policy. You will learn how to disable control panel access for specific users. I will also teach you how to show only specific control panel items.

    The control panel provides access to several different system settings. In a business network, you likely don’t want your users to be able to modify these settings. The good news is that you can use group policy to restrict access to the items in the control panel.

    Restrict Control Panel Access via Group Policy

    How to Disable Control Panel for Specific Users

    In this example, I will disable the control panel for all users in the Sales OU.
    Open the group policy management console.
    Go to the OU where you want to restrict control panel access. Right-click and choose “Create a GPO in this domain, and Link it here”

    Create a GPO in this domain and link it

    Type the GPO name. I will name it “Access Control Panel”

    New group policy name

    Right-click on the created GPO and select edit.

    Edit group policy object

    Browse to:

    User Configuration\Policies\Administrative Templates\Control Panel

    Double-click to open the policy “Prohibit access to Control Panel and PC Settings”.

    Restrict control panel access with group policy

    Select Enabled to enable this policy and click on OK.

    Prohibit access to Control Panel and PC Settings

    I will log onto a computer and verify that access to the control panel is blocked.
    Type the command:

    gpupdate /force
    Gpupdate /force command

    I’m logged into the computer as a user in the Sales OU. When trying to access the control panel, the user receives the message below.

    Restrict control panel access via group policy

    If someone logs into a computer in a different OU, they still have access to the control panel.
    If you want to apply this policy to specific users in different OUs, you need to use group policy filtering.
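
    The same GPO built from PowerShell with security filtering, so it applies only to members of one group regardless of which OU they sit in. This is an added example, not part of the original post; the domain DN `DC=example,DC=com` and the group `GG-NoControlPanel` are assumptions, and the registry value shown is the one this Administrative Templates setting writes.

    ```powershell
    # Added example: run on a management host with the GroupPolicy module (RSAT).
    Import-Module GroupPolicy

    $GpoName    = 'Access Control Panel'          # GPO name used in the walkthrough
    $LinkTarget = 'DC=example,DC=com'             # assumption: a container above all affected OUs
    $GroupName  = 'GG-NoControlPanel'             # hypothetical security group of restricted users
    $PolicyKey  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Create the GPO only if it does not exist yet, so the script is safe to re-run.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $GpoName -Comment 'Blocks Control Panel and PC Settings'
    }

    # "Prohibit access to Control Panel and PC Settings" = NoControlPanel (DWORD 1).
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
        -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

    # Security filtering: downgrade Authenticated Users from Apply to Read only.
    # Read is kept so client computers can still read the GPO during processing.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Only members of the filter group receive the setting.
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link once; New-GPLink raises an error if the link already exists.
    try {
        New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes -ErrorAction Stop | Out-Null
    } catch {
        Write-Warning "Link not created (it may already exist): $($_.Exception.Message)"
    }

    # Review the resulting delegation: who can read, apply or edit this GPO.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
        Sort-Object Trustee
    ```

    The final listing is worth checking after every change: any trustee with edit rights on this GPO can lift the restriction for everyone it applies to.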

    Show Only Specified Control Panel Items

    If you want users to have access to only specific control panel items, follow these instructions.
    Open the group policy management console.
    Right-click on an OU and select “Create a GPO in this domain, and Link it here”

    Create a GPO in this domain and link it

    Give the GPO a name, such as “Limit Control Panel Items”.

    Create new GPO name

    Now, right-click on the created GPO and select edit.

    Edit group policy object

    Browse to:

    User Configuration\Policies\Administrative Templates\Control Panel

    Double-click to open the policy “Show only specified Control Panel items”.

    Show only specified control panel items

    Click on Enabled and click on the Show button.

    Show Only Specified Control Panel Items

    To display a control panel item, you must enter the control panel item’s canonical name.
    Refer to the Microsoft Canonical names of control panel items to see a full list of canonical names.

    I will allow access to devices and printers and Internet options.

    Devices and Printers

    Canonical name: Microsoft.DevicesAndPrinters
    GUID: {A8A91A66-3A7D-4424-8D24-04E180695C7A}
    Supported OS: Windows 7, Windows 8, Windows 8.1
    Module name: @%systemroot%\system32\DeviceCenter.dll,-1000

    Internet Options

    Canonical name: Microsoft.InternetOptions
    GUID: {A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}
    Supported OS: Windows Vista, Windows 7, Windows 8, Windows 8.1
    Module name: @C:\Windows\System32\inetcpl.cpl,-4312
    Pages

    I will then insert the canonical names into the GPO settings.

    List of allowed control panel items

    Click OK, and then OK again.
    Log in to your computer and update the group policy with the command below.

    Gpupdate /force
    Gpupdate /force command

    When the user opens the control panel, they can only access the items listed in the GPO.
    In the below example, the user only has access to the devices and printers and internet options control panel items.

    Specified Control Panel Items
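
    A client-side check that the allow-list actually reached the user's registry hive and contains exactly the intended items. This is an added example, not part of the original post; the function name is hypothetical, and the registry locations are the ones these two Administrative Templates settings write.

    ```powershell
    # Added example: run in the affected user's session after gpupdate /force.
    $Base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    function Get-ControlPanelPolicyState {
        param(
            # Canonical names the GPO is supposed to allow (from the walkthrough).
            [string[]]$ExpectedItems = @('Microsoft.DevicesAndPrinters',
                                         'Microsoft.InternetOptions')
        )

        $explorer = Get-ItemProperty -Path $Base -ErrorAction SilentlyContinue

        # The allow-list is stored as numbered string values under ...\Explorer\RestrictCpl.
        $listKey = Join-Path $Base 'RestrictCpl'
        $allowed = @()
        if (Test-Path $listKey) {
            $key     = Get-Item -Path $listKey
            $allowed = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
        }

        [pscustomobject]@{
            # NoControlPanel = 1 means the whole Control Panel is blocked instead.
            ControlPanelBlocked = ($explorer.NoControlPanel -eq 1)
            AllowListEnabled    = ($explorer.RestrictCpl -eq 1)
            Allowed             = $allowed
            # Expected by the GPO but not present on this client.
            Missing             = @($ExpectedItems | Where-Object { $_ -notin $allowed })
            # Present on this client but not part of the intended allow-list.
            Unexpected          = @($allowed | Where-Object { $_ -notin $ExpectedItems })
        }
    }

    $state = Get-ControlPanelPolicyState
    $state | Format-List

    if (-not $state.AllowListEnabled -or $state.Missing -or $state.Unexpected) {
        Write-Warning 'Control Panel allow-list does not match the GPO; check gpresult /r for the applied GPOs.'
    }
    ```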
  • How to Map Network Drives via Group Policy

    In this blog, you will learn how to map network drives via Group Policy in Windows Server 2022. How can I configure a GPO for mapping shared drives and automatically provide users with access when they log on? Providing users with access to shared folders can be beneficial. It allows you to control your IT infrastructure while allowing people to share the necessary resources.

    Map Network Drives via Group Policy

    Map a Department Network Drive

    I will map network drives with group policy for the Accounts department. I will use item-level targeting, so it only maps this drive for users in the Accounts organizational unit.
    You could also use a Security Group to target a certain group of users. This will be mapped to a network share that only the HR department has access to.
    I have created two shared folders (Shared for Accounts department and Users for individuals).

    Open the users’ folder.

    Windows explorer new volume

    Right-click on a user, select properties and verify the permissions.

    Folder properties in Windows

    Active Directory Users and Computers

    We have created organizational units (Account, etc.) in Active Directory Users and Computers. I am going to map a network drive for the Accounts department. I have moved a user named user2 to the Accounts organizational unit.

    Active directory users and computers

    Open the Group Policy Management Console by searching in Windows.

    Search group policy management

    In the Group Policy Management Console, click on the group policy object and select Create a new GPO.

    Create new group policy object

    You can name the new GPO whatever you like; I’ve created a Map Network Drives GPO for all computer users.
    I can also add additional drive mappings to this GPO.

    New GPO name

    The new GPO is now created and linked, so it is time to configure the settings.

    Configure GPO Settings

    Right-click on the GPO (Map Network Drives) and select edit.

    Edit group policy objects

    Go to User Configuration/Preferences/Windows Settings/Drive Maps.
    Right-click Drive Maps, select New, and then Mapped Drive.

    Map network drives via GPO

    Configure Drive Mapping Properties

    General Tab Settings
    Action: Update
    Location: the path to the shared folder you want to map to a drive.
    Select a drive letter.
    Label as: This is optional, but may be beneficial for users.

    Configure map network drive via GPO

    Click on the Common Tab
    Select Run in the logged-on user’s security context.
    Select Item-level Targeting
    Click on the Targeting Button

    Map network drive targeting

    Select New Item
    Select Organizational Unit

    targeting Map network drive

    Click on the three-dots button.

    Map network drive targeting editor

    Select your OU, the one you want to use for this network drive mapping.

    Find custom search

    Click OK.

    Map network drive targeting

    Click the OK button to close the new drive properties.

    New map drive properties

    This completes the GPO settings.

    Group policy management editor

    This will be a user-based GPO, so make sure you link it to a location that contains the users you want to target. I have all my users separated into an OU called Accounts so that I can create and link the GPO there.

    Right-click on an organizational unit and select “Link an Existing GPO”.

    Group policy management

    Select a group policy object (Map Network Drives) and click OK.

    Link existing group policy objects

    Now you can see the GPO successfully linked.

    Group policy objects link enabled

    Log in on a user’s PC, and you can see that the mapped drive is not displayed yet.

    This PC

    Reboot User’s Computer to Process GPO

    I must reboot the user’s PC or run gpupdate /force.

    Gpupdate /force

    The next time a user from the Accounts OU logs in, they should be able to see a mapped drive.

    This PC mapped network drives

    Now, any user I put in the HR folder in Active Directory Users and Computers can access this drive. If you don’t want to use an organizational unit, you can also target a group of users by using a security group.

    Active directory users and computers

    Map a Network Drive Using Group Policy for Individual Users

    This example maps a drive for individuals, providing each user with a personal folder to save files.
    You can create a new GPO or add to an existing one; I have all my drive mappings available in one GPO.

    This example requires a folder to be created on a network share that matches the user’s login name. You will need to modify the NTFS permissions so that only the individual user has permission to access it.
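
    One way to create the per-user folder with a locked-down NTFS ACL and then audit the share root for folders whose permissions have drifted. This is an added example, not part of the original post; the function names, the `D:\Users` path and the `EXAMPLE` domain are hypothetical, and keeping SYSTEM and Administrators on the ACL (for backup and administration) and giving the user Modify rather than Full Control are assumptions.

    ```powershell
    # Added example: run on the file server as an administrator.
    function New-LockedHomeFolder {
        param(
            [Parameter(Mandatory)][string]$Root,            # local path behind the share
            [Parameter(Mandatory)][string]$Domain,          # NetBIOS domain name
            [Parameter(Mandatory)][string]$SamAccountName   # folder name = login name
        )
        $path = Join-Path $Root $SamAccountName
        New-Item -ItemType Directory -Path $path -Force | Out-Null

        # Start from an empty ACL and block inheritance, so nothing from the
        # share root (for example Users or Everyone) leaks into the folder.
        $acl = New-Object System.Security.AccessControl.DirectorySecurity
        $acl.SetAccessRuleProtection($true, $false)

        $inherit = 'ContainerInherit,ObjectInherit'
        $grants  = @{
            "$Domain\$SamAccountName" = 'Modify'
            'NT AUTHORITY\SYSTEM'     = 'FullControl'
            'BUILTIN\Administrators'  = 'FullControl'
        }
        foreach ($trustee in $grants.Keys) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $trustee, $grants[$trustee], $inherit, 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -Path $path -AclObject $acl
        $path
    }

    function Get-HomeFolderAclDrift {
        param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$Domain)
        foreach ($dir in Get-ChildItem -Path $Root -Directory) {
            # Only the folder's owner-by-name plus the two system principals are expected.
            $expected = "$Domain\$($dir.Name)", 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
            (Get-Acl -Path $dir.FullName).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               $_.IdentityReference.Value -notin $expected } |
                ForEach-Object {
                    [pscustomobject]@{ Folder  = $dir.Name
                                       Trustee = $_.IdentityReference.Value
                                       Rights  = $_.FileSystemRights }
                }
        }
    }

    # Constructed sample usage: the user2 account from the walkthrough.
    New-LockedHomeFolder -Root 'D:\Users' -Domain 'EXAMPLE' -SamAccountName 'user2'
    Get-HomeFolderAclDrift -Root 'D:\Users' -Domain 'EXAMPLE' | Format-Table -AutoSize
    ```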

    Create Roaming Profiles

    Roaming profiles allow users to log on to any computer in their organization and have all their personal files and settings available to that computer. This is a powerful feature that is easy to configure.
    Create a folder on your server’s local hard drive.
    Click the folder you created, scroll down, and click Properties.

    Select folder properties

    Open the sharing tab and click Advanced Sharing.
    Check “Share this folder” and click on Permissions.
    Select Everyone from Group or user names and click Remove.
    Click Add and add the user to whom you want to provide access.
    Click on the Security tab and select Edit.

    Folder properties security tab

    Select add

    Permissions for shared folder

    Enter a user and click OK.

    Enter the object name to select

    Allow full control by checking the checkboxes and clicking OK.

    Permissions for share folder

    Active Directory Users and Computers

    Select all users for whom a roaming profile should be created. Right-click and click Properties.

    active directory users and computers

    Select Connect under Home folder and choose a letter to map the network drive. Provide the network path of the folder you copied. It should be in the format \\ServerName\FolderName\%username%. Click OK. You are creating a roaming profile for Active Directory users.

    Map network drive for user

    Click OK.

    Active directory domain services warning

    Now log in on the user’s PC.

    Map network drive

    Please visit Microsoft to learn more about GPO.
