Thursday, October 8, 2015

How to share printers via Group Policy (GPO)

One great advantage of using Active Directory Domain Services is the possibility to share a printer in just a few clicks with a group of computers or users.
Since Windows Server 2012, it isn’t even necessary to create a Group Policy Object (GPO) by hand. Windows will do the job for us, speeding up the process.
We are going to show how you can share an existing (installed) printer to an AD Group of Computers.
First of all, install the Print and Document Services role:
Then open the Print Management panel from the Server Manager:
From the Print Management panel select the printer, right-click and select Manage Sharing:
Check Share this printer and List in the directory, then click Apply:
Select the printer, right-click and select Deploy with Group Policy:
Click Browse:
Navigate through the organizational unit that needs to access the printer and Create a New Group Policy Object:
Name the policy then click Ok:
Check The computer that this GPO applies to and click Add:
The configuration is finished, you just have to click Apply:

How to deploy a Registry Key via Group Policy

System administrators often need to deploy one or more Registry Keys in a business environment. Customized software or hardware needs particular configurations, and companies usually have solutions tailored to their needs.
Whatever the reason is, a Group Policy is the best way to deploy a Registry Key in Active Directory Domain Services.
The configuration is quite simple and quick.
Open the Group Policy Management panel and create a new Group Policy Object:
Give it a name:
Go to the Settings tab. Right-click on Computer Configuration or User Configuration and select Edit:
You can deploy the Registry Key on a per-computer or per-user basis. We chose a per-computer model. Select New Registry Item from the dropdown menu:
Now you need to specify the Registry Key you want to update, replace, create or delete:
Click Ok and the Registry Key will be deployed:

How to deploy (and/or remove) software packages via GPO in Windows 2012

One of the greatest advantages of having an Active Directory Domain is the possibility to deploy software packages via GPO (Group Policy Object). Software deployment is crucial in business environments to save time and money.
Microsoft not only gives us a simple way to deploy software, but also provides a quick solution to uninstall it when we don’t need it anymore.
Open the Group Policy Management panel and create a new GPO:
Give it a name:
Let’s edit this policy:
Navigate through the path Computer Configuration\Policies\Software Settings and right-click Software installation. Select New –> Package:
Specify a network path (the domain users must be able to access the file) containing the package you want to deploy:
We are setting up a Computer Configuration policy, so we can only assign the application, not publish it. Assigned applications will be installed at the first reboot or policy update, while published applications will be available for users to install or remove. For this reason, you can only publish applications to users. The Advanced option simply lets us edit the application deployment Properties:
Default settings are fine:
Deployment set up:
To remove the application, right-click on it and select Remove:
You can choose to remove the software or simply forbid new installations:

How to enforce Device Restrictions with a GPO in Windows 2012

Now it’s time to restrict devices. Device restrictions can improve the security of a business network and limit potential headaches for the IT staff.
It’s also really easy to enforce a device restriction GPO.
Open the Server Manager and launch the Group Policy Management:
Create a new GPO:
Edit the policy:
Navigate to the path Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions:
Enable Allow administrators to override Device Installation Restriction policies:
Then enable Prevent installation of devices not described by other policy settings:
The configuration is complete. You can use different schemes to restrict specific devices or categories of devices. Microsoft lets us restrict specific drivers or device IDs; you can also restrict only removable devices.
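To confirm on a client that the two settings enabled above have actually arrived, the following check reads the policy values back from the registry. It is an added example, not part of the original post; the function name is hypothetical, and the key path and value names (`DenyUnspecified`, `AllowAdminInstall`) are the ones the Device Installation administrative template writes, stated here from general knowledge rather than from this page.

```powershell
# Added example: audit the two Device Installation Restrictions settings locally.
# Run on a client after the GPO has been applied (reboot or gpupdate).

# Registry location used by the Device Installation Restrictions policies.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Value name -> policy setting enabled in the steps above.
$Expected = [ordered]@{
    DenyUnspecified   = 'Prevent installation of devices not described by other policy settings'
    AllowAdminInstall = 'Allow administrators to override Device Installation Restriction policies'
}

# Hypothetical helper: returns one object per setting with its effective state.
function Test-DeviceInstallRestriction {
    param([string]$Path = $PolicyKey)

    # The key is absent when no restriction policy has ever been applied.
    $values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

    foreach ($name in $Expected.Keys) {
        $actual = if ($values) { $values.$name } else { $null }
        [pscustomobject]@{
            Policy    = $Expected[$name]
            ValueName = $name
            Actual    = $actual
            Enabled   = ($actual -eq 1)   # 1 = policy enabled
        }
    }
}

$report = Test-DeviceInstallRestriction
$report | Format-Table -AutoSize -Wrap

# Flag the machine if either setting is missing or disabled.
if ($report.Enabled -contains $false) {
    Write-Warning "Device installation restrictions are not fully applied on $env:COMPUTERNAME"
}
```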

How to Prevent Users from Connecting to a USB Storage Device by Group Policy

To prevent users from connecting to USB storage devices by Group Policy:

If a USB storage device is already installed on the computer:
  1. Click Start – All Programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects.
  3. Expand Computer Configuration – Preferences – Windows Settings.
  4. Right-click Registry – New – Registry Item.
  5. General tab:
     • Action: Update
     • Hive: HKEY_LOCAL_MACHINE
     • Key path: SYSTEM\CurrentControlSet\Services\UsbStor
     • Value name: Start
     • Value type: REG_DWORD
     • Value data: 00000004
Note: You can apply this method on User Configuration too.

If a USB storage device is not already installed on the computer:
  1. Click Start – All Programs – Administrative Tools – Group Policy Management.
  2. Create or Edit Group Policy Objects.
  3. Expand Computer Configuration – Policies – Windows Settings – Security Settings.
  4. Right-click File System – Add file or folder.
  5. Browse to this file:
     • %SystemRoot%\Inf\Usbstor.pnf
     • Assign the user or the group and the local SYSTEM account Deny permissions.
  6. Browse to this file too:
     • %SystemRoot%\Inf\Usbstor.inf
     • Assign the user or the group and the local SYSTEM account Deny permissions.
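The registry item from the first procedure above, which is also the Registry Item workflow from the earlier section on deploying a Registry Key, can be scripted with the GroupPolicy PowerShell module. This is an added example, not part of the original post; the GPO name and the OU distinguished name are hypothetical placeholders.

```powershell
# Added example: the Registry Item steps above, scripted with the GroupPolicy
# module (installed with the Group Policy Management feature / RSAT).
Import-Module GroupPolicy

# Hypothetical placeholders: substitute your own GPO name and OU.
$GpoName  = 'Block-USB-Storage'
$TargetOu = 'OU=Workstations,DC=example,DC=com'

# Same values as the General tab settings listed above.
$Key       = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor'
$ValueName = 'Start'
$Value     = 4          # 4 = driver disabled

# Create the GPO only if it does not exist yet.
try   { $null = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $null = New-GPO -Name $GpoName -Comment 'Disable the USB storage driver' }

# Remove any earlier copy of the item so a re-run does not leave duplicates.
Remove-GPPrefRegistryValue -Name $GpoName -Context Computer `
    -Key $Key -ValueName $ValueName -ErrorAction SilentlyContinue | Out-Null

# Add the Group Policy Preferences registry item (Action: Update).
$null = Set-GPPrefRegistryValue -Name $GpoName -Context Computer -Action Update `
    -Key $Key -ValueName $ValueName -Type DWord -Value $Value

# Link the GPO to the OU unless a link is already present.
$links = (Get-GPInheritance -Target $TargetOu).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    $null = New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes
}

# Read the item back from the GPO to confirm what will be applied.
Get-GPPrefRegistryValue -Name $GpoName -Context Computer `
    -Key $Key -ValueName $ValueName

# On a client, after "gpupdate /force", the effective value can be checked with:
#   (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor').Start
```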
      

Active Directory: how to restrict sites in IE 10 and IE 11 with a Group Policy

Site restrictions are common in business networks. Managers and entrepreneurs want to limit potential distractions, and Microsoft offers a range of solutions to achieve the objective. A usual practice is to adopt a proxy server, but you can enforce site restrictions on Internet Explorer – even the latest versions – using a simple Active Directory Group Policy.
In this tutorial we’ll take advantage of the Content Advisor functionalities of Internet Explorer, a feature Microsoft hid in IE 10 and IE 11.
The first step is to download and install the Internet Explorer Administration Kit (IEAK). We’ll use it to create a configuration executable for IE.
Run IEAK:
Choose a shared folder (accessible by the restricted users) in which to save the package:
Select the target platform:
Select the target language:
Check Configuration-only package:
Clear All then check Security Zones and Content Ratings:
Synchronize your version of IE with the latest available and click Next:
Check Import the current Content Ratings settings then click Modify Settings:
We’re now in the Content Advisor configurator. Unrestrict all the ICRA3 categories:
In the Approved Sites tab you can restrict the sites. Specify a domain and click Never; it will appear in the list below:
In the General tab check Users can see websites that have no ratings then click Create password:
Specify the supervisor password:
You’re ready to generate the .msi package:
The executable is ready, now we need to install it on the client machines. Open the Group Policy Management panel and create a new policy:
Configure the Security Filter:
From the Settings tab right-click on User Configuration and select Edit:
Add a new software package:
Select the .msi file:
Choose the deployment method:
The Group Policy is ready:
Activate the Group Policy:
After a reboot the client machines won’t be able to access Facebook, Twitter and Pinterest: