I realise this has been around for a while now, but until a few weeks ago I never really appreciated the Group Policy Preferences and the simplicity they offer.

Back in the days of Windows NT, Server 2000 and Server 2003, server administrators would create login scripts to perform a number of commands such as mapping network drives, installing printers, creating shortcuts and folders… I could go on but you get the idea. In Server 2008 Microsoft introduced the Group Policy Preferences, which let you natively configure through Group Policy a whole host of settings that would otherwise take a number of lines of batch/kix/vb script.

As you can see from the image to the left there are a vast number of options that can be configured for a user when they log in. For most of the items there are four options: Create, Delete, Update and Replace, which will let you make changes to the Drive Mappings, Folders etc. The difference between Update and Replace can vary from item to item but my general understanding is that the Update will attempt to modify the existing item to match what is in the Preference whereas the Replace option will remove what is there and recreate the new object (similar to a net use P: /DELETE /Y followed by net use P: \\Server\Users\%USERNAME%).

Another benefit is that in a single GPO you can define a number of different Preferences and then filter these around Group Membership.

This should all work out of the box with Windows Vista and above, so for any legacy clients and servers (Windows XP, Server 2003) you will need to download the appropriate updates from Microsoft: http://support.microsoft.com/kb/943729

All in all this should save time and administrative overhead when they are fully adopted. The only problem is getting the legacy scripts switched over to the new Preferences.

I had an issue with one of my clients this week: slow workstation start-up times. Among the items that were running for all users at login was Roxio Drag2Disk, as someone had not taken it out of the standard software image. The client didn’t use or need the software so I looked at a way to uninstall the various components without having to visit each machine individually (yes, we will be removing it from the image).

I thought it would be useful to get the script out there in case others need to accomplish the same task. If you want to use it, just dump it somewhere central on your network (e.g. NETLOGON) and then run it as a startup script in a Group Policy Object.

Script is below

Adobe Reader X Protected Mode

Posted by mattywhi | IT

I started to deploy Adobe Reader X to one of my clients the other day and found that users were unable to open files on shared drives mapped to our DFS. Searching through the web I found the following KB article from Adobe (http://kb2.adobe.com/cps/860/cpsid_86063.html):

“Cannot open PDF files whose source is DFS or NFS: PDF files in shared locations on a distributed or networked file system (DFS/NFS) cannot be opened. Attempting to open such a file results in an error opening this document. Access denied.”

Initially I thought I would have to remove Adobe from all the workstations, however a quick look in the registry found the place where this has been set – HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\10.0\Privileged. To get around the problem I added the following to my login script to force the “bProtectedMode” value to 0:

reg add "HKCU\Software\Adobe\Acrobat Reader\10.0\Privileged" /v bProtectedMode /t REG_DWORD /d 0 /f

This is definitely one to watch out for if rolling out Adobe Reader via GPO.
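Setting bProtectedMode to 0 turns off the Reader X sandbox for that user, so it is useful to be able to see which profiles on a machine carry the value. The script below is an added example, not part of the original post: it assumes PowerShell 3.0 or later, an elevated session, and only inspects user hives currently loaded under HKEY_USERS; the function name Get-ReaderProtectedMode is hypothetical.

```powershell
# Added example: report the Adobe Reader X Protected Mode setting for every
# user hive currently loaded under HKEY_USERS on this machine.
# Assumption: run elevated so that other users' hives are readable.

$relPath   = 'Software\Adobe\Acrobat Reader\10.0\Privileged'  # key named in the post
$valueName = 'bProtectedMode'                                 # value named in the post

function Get-ReaderProtectedMode {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Sid)

    $keyPath = "Registry::HKEY_USERS\$Sid\$relPath"
    $state   = 'NotSet'   # value absent: Reader's own default applies

    if (Test-Path -LiteralPath $keyPath) {
        $prop = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            # 0 is what the login-script workaround writes; anything else is treated as on
            $state = if ($prop.$valueName -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }

    # Resolve the SID to DOMAIN\user where possible; fall back to the raw SID
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $Sid
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Account       = $account
        ProtectedMode = $state
    }
}

Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |  # user SIDs only, skips *_Classes
    ForEach-Object { Get-ReaderProtectedMode -Sid $_.PSChildName } |
    Sort-Object ProtectedMode, Account |
    Format-Table -AutoSize
```

Profiles that are not logged on do not appear, because their NTUSER.DAT hive is not loaded.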