MyPCHealth

Group Policy Essentials

I have recently developed a Windows 7 Group policy for our network. Unfortunately i have to say it was an absolute nightmare. But i hope this page will make some of the nightmare settings to lock down windows 7 easier for you to deploy as i spent stupid amounts of hours sorting it out.

The Items that i found most difficulty in sorting when developing my group policy where the following::

• Remove the network icon from the navigation pane in explorer.
• Remove the Libraries Folders from the navigation pan in explorer
• Remove the uninstall or change a program button from the explorer menu
• Stop Win 7 prompting for privileges to install a network printer

Remove the Libraries icon from the navigation pane in windows explorer.

To remove the lirbaries icon that sits in the navigation pane in windows explorer you need to change a registry setting on the computer. The key we need to look at is the following :

HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder

With the item called "Attributes" of type REG_DWORD. To make the item disappear we need to change the items attribute to b090010d and if you want it to be shown (default) the hexidecimal number needs to be b080010d. Unfortuantely this is not quite as straight forward as just changing it because the permissions to the this key require a high level of access. So deploy this setting from a group policy we need to make 2 changes, the permissions to the key and the setting itself.

Changing the permissions of the key in group policy.

• On your server, open up group policy management
• Create a new policy under the organisation unit you wish it to deploy to. (this will be at computer level not user)
• Expand Computer Configuration - Policies - Windows Settings - Security Settings and then highlight Registry
• Right click on the right hand windows and click add key (see below)

• A new window will appear and you need to expand down to the following key HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder and click OK (shown below).

• A new window will appear that allows you to set the securty of this key, I would suggest giving admininstrators and the system full control by ticking the full control box. Click apply and then ok. Below is a screen shot

You should have now given the computer access to this key and it will now allow you to change it by using the registry settings in group policy. If you dont give permissions to the key it will not allow it to be change and the libraries will not be hidden.

Hide Library icon in Windows Explorer navigation pane

• On your server, open up group policy management
• Create a new policy under the organisation unit you wish it to deploy to. (this will be at computer level not user) or use the policy you created above.
• In the right hand menu, right click and then move the mouse onto new and then click Registry Item.

• Enter the required details into the new window that appears. As shown below. Use the ... button to browse to the key :HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder\Attributes and remember the values are b090010d for it to be hidden and b080010d for it to be shown. (see below)

• Click ok. All should be done. The machines may require a reboot for the settings to take effect.

Remove Libraries Icon using VBScript

Please see below for some vbscript that will remove the library icon from the navigation pane. This has been tested locally on a windows machine. If you wish to deploy across a network i would suggest further testing until you are sure you are happy with the results.

Code

'FIRST SECTION MAKE SURE PERMISSIONS ON REGISTRY KEY ARE ALLOWED

' Create temp file with the script that regini.exe will use
'
set oFSO = CreateObject("Scripting.FileSystemObject")
strFileName = oFSO.GetTempName
set oFile = oFSO.CreateTextFile(strFileName)
oFile.WriteLine "HKEY_CLASSES_ROOT\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder [1 5 7 11 17]"
oFile.Close

' Change registry permissions with regini.exe
'
set oShell = CreateObject("WScript.Shell")
oShell.Run "regini " & strFileName, 8, true

' Delete temp file
'
oFSO.DeleteFile strFileName

'SECOND SECTION SET CORRECT REGISTRY SETTING

const HKEY_CLASSES_ROOT = &H80000000
dim strKeypath

Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & "." & "\root\default:StdRegProv")

'Set path to registry key and dword value
strKeyPath = "CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder"
strValueName = "Attributes"

'Change Value needed to hide library ... 2962227469 to hide , 2961178893 to reveal
oReg.SetDWORDValue HKEY_CLASSES_ROOT,strKeyPath,strValueName,2962227469