Manage user settings with IntelliMirror

IntelliMirror allows you to control such things as desktop settings and access to Control Panel items, which can enhance security and prevent users from inadvertently damaging their systems. Jim Boyce explains how it works.

Using IntelliMirror, you can control a wide variety of user settings through group policies. Windows 2000 offers a broad range of settings that allow you to restrict user actions, configure applications, define the user’s desktop, configure the Start menu and taskbar, and apply other change control options. Controlling settings through IntelliMirror allows you to restrict the changes a user can make to his or her system. By applying these restrictions, you not only enhance security but also reduce the administrative overhead of repairing unwanted or inadvertent changes that damage users’ systems. Here, I will explore the ways you can manage user data and settings with IntelliMirror.

Other benefits of using IntelliMirror to control user settings
Configuring settings through IntelliMirror also improves disaster recovery. If the user’s entire work environment is defined by a group policy, that environment is restored easily and automatically when the user simply logs on to the domain. Group policy then configures the user’s system accordingly. This is also how you apply control over work environment settings for roaming users.

There are hundreds of policies you can apply to control user settings. However, I’ll explain only how to configure and apply the policies in general, and point you to specific groups of policies that will help you accomplish specific tasks.

Planning a course of action
First, decide which users you want to manage and which settings need to be managed. At this stage, you probably won’t be familiar with all the possible policies, so just develop a global concept for what you want to accomplish. You can refine your plan as you gain a better understanding of the available policies.

Next, turn your attention to the Active Directory structure. You might need to make adjustments in OUs or domains to provide a logical structure under which you’ll be able to control settings in a way that will benefit your users and simplify administration. Keep in mind that you can link the same GPO to different containers, which can reduce the number of GPOs you need to configure, assuming one GPO will accommodate users in different containers.

For example, you might be able to use the same GPO for four different OUs in the same domain. But why not apply that GPO at the domain level? You might have other OUs in the domain that need different policies. Linking the GPO to the OUs rather than the domain allows you to apply policy to those target OUs without affecting users in other OUs that require different policies.
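The scoping argument above can be checked on paper before any GPO is linked. The following is an added example, not part of the original article: a small Python model that compares linking one GPO to four OUs against linking it to the domain. The domain, OU, and user names are constructed, and the model assumes no blocked inheritance or security filtering. It goes slightly beyond the text by including a nested OU, which receives the link from its parent.

```python
# Added example: models which users fall in scope of a GPO link.
# All distinguished names below are constructed sample data.

def rdns(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_container(object_dn, container_dn):
    """True if object_dn sits in container_dn or any container below it."""
    obj, cont = rdns(object_dn), rdns(container_dn)
    # Compare whole RDNs so OU=PreSales is never mistaken for OU=Sales.
    return len(obj) > len(cont) and obj[-len(cont):] == cont

def users_in_scope(users, link_targets):
    """Users that receive a GPO linked to any of the given containers."""
    return sorted(u for u in users
                  if any(in_container(u, t) for t in link_targets))

def compare_designs(users, ou_targets, domain_dn):
    """Contrast linking one GPO to several OUs with linking it to the domain."""
    ou_scope = set(users_in_scope(users, ou_targets))
    domain_scope = set(users_in_scope(users, [domain_dn]))
    return {
        "ou_linked": sorted(ou_scope),
        "domain_linked": sorted(domain_scope),
        "unintended_if_domain_linked": sorted(domain_scope - ou_scope),
    }

DOMAIN = "DC=example,DC=com"
TARGET_OUS = ["OU=Sales," + DOMAIN, "OU=Marketing," + DOMAIN,
              "OU=Support," + DOMAIN, "OU=Finance," + DOMAIN]
USERS = [
    "CN=alice,OU=Sales," + DOMAIN,
    "CN=bob,OU=Marketing," + DOMAIN,
    "CN=carol,OU=Support," + DOMAIN,
    "CN=dave,OU=Finance," + DOMAIN,
    "CN=erin,OU=Kiosk,OU=Support," + DOMAIN,   # nested OU, inherits the link
    "CN=frank,OU=Engineering," + DOMAIN,       # needs different policies
    "CN=grace,OU=IT Admins," + DOMAIN,         # needs different policies
    "CN=heidi,OU=PreSales," + DOMAIN,          # similar name, different OU
]

if __name__ == "__main__":
    for design, members in compare_designs(USERS, TARGET_OUS, DOMAIN).items():
        print(design)
        for dn in members:
            print("   ", dn)
```

The `unintended_if_domain_linked` list is the set of users a domain-level link would restrict even though they sit in OUs that require different policies.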

Creating the GPOs
To create the GPO, open the Active Directory Users And Computers console, right-click the container where you want to apply the policies, and choose Properties. Click the Group Policy tab and either edit an existing GPO or create a new one. In the Group Policy editor, expand the User Configuration branch. You’ll be using the Windows Settings branch and the Administrative Templates branch to configure policies that control user settings.

To understand the settings that you can control for users through group policy, browse through the Group Policy editor. Each branch provides policy settings that control a specific application or type of setting. Here’s a quick overview of what each branch offers:
  • Windows Settings/Internet Explorer Maintenance lets you configure how Internet Explorer appears and functions for the user. You can configure cache settings, define default applications for e-mail and other data types, and customize the way Internet Explorer looks and functions.
  • Administrative Templates/Windows Components provides a wealth of policy settings that control NetMeeting, Internet Explorer, Windows Explorer, Microsoft Management Console, Task Scheduler, and the Windows Installer. For example, you might use the policies in the Internet Explorer/Internet Control Panel branch to prevent users from making changes to their Internet Explorer configuration. The Windows Explorer branch provides numerous settings to help you control the options users have in Explorer and other desktop elements. For example, you can remove the Map Network Drive command, hide the Manage command from My Computer’s context menu, prevent access to drives in My Computer, and apply many other restrictions to the Windows interface.
  • Administrative Templates/Start Menu & Taskbar contains several policy settings that control the Start menu and taskbar. For example, you can remove items from the Start menu, such as Documents, Network And Dial-Up Connections, the Run command, common program groups, and more. Removing items from the Start menu allows you to limit the types of actions a user can perform. This branch also contains policy settings that control the taskbar in other ways, such as disabling the taskbar’s context menu and preventing changes to the taskbar.
  • Administrative Templates/Desktop controls the user’s desktop. You can selectively remove icons such as My Documents and My Computer from the desktop, remove all icons, prevent the user from changing the path to My Documents, and choose from a handful of other settings. You can also prevent users from modifying taskbar toolbars, prevent users from using drag and drop with the toolbars, and configure Active Desktop and Active Directory settings through this branch.
  • Administrative Templates/Control Panel lets you configure the user’s system to hide the Control Panel or hide specific Control Panel applets. You can also disable the Add/Remove Programs object or selectively configure its contents and behavior. The branch also includes subbranches to specify screen saver and other display properties, to specify printers, to allow users to add or remove printers, and to allow or restrict language selection options for regional settings.
  • Administrative Templates/Network contains two subbranches that control network connections and offline files. The Network and Dial-Up Connections branch offers settings to prohibit specific actions related to network connections. The Offline Files branch contains settings that control the way offline files work for the user.
  • Administrative Templates/System. Use the System branch to control logon and logoff options, control security options such as the ability to change passwords or lock the computer, exclude directories from a roaming profile, and set other global system properties. Use the Group Policy branch to specify group policy refresh intervals and other policies that determine how group policies are applied for the affected users.

There are many other policy settings, too many to cover here. Take some time to browse through the list of available policies, noting which ones you want to control for specific groups of users. You might consider building a database or spreadsheet of the policies as an aid in planning your deployment. Right-click a branch and choose Export List to create a tab- or comma-delimited file that you can import into your spreadsheet or database application.
