Group Policy Preferences + Preference Item-Level Targeting + Security Groups = One Big Mess

Microsoft. When Group Policy Preferences work, they work wonders; when they do not work, or the UI breaks them, I lose all confidence.

USE CASE: we recently deployed PaperCut across our multi-function printers (MFPs). [PaperCut, BTW, is an excellent product, especially for Healthcare and HIPAA compliant environments.] Globally I pushed the default PaperCut virtual printer to all PCs. Users print to the virtual printer and then fetch their print jobs securely on any MFP across campus running the PaperCut embedded application.

However, we had certain user AND computer exceptions to the default printer; e.g. local USB printers or Terminal Services/RemoteApp servers. Loopback merging can get complex rather quickly (another good, quick refresher here). Group Policy Preferences Item-Level Targeting is a better solution. Read about it here from Microsoft directly.

In my default printer example, the intent is to exclude users and computers. To make it easy to manage, I created a Security Group named “PaperCut-NonDefault” that contained both the users and the computers I wanted to exclude. I then set “Targeting…” on the PaperCut preference.
[Screenshot: PaperCut-Printer]

In the Targeting Editor I created the following logic:
[Screenshot: PaperCut-Targeting]

Now, up until this point, everything seemed very straightforward, and yet the Targeting refused to work properly. If I added the users and computers directly into the Targeting Editor, I was able to get it working perfectly. The moment I used a Security Group, everything broke.

After sleeping on the problem, I finally came across this wonderful post. In short, do not use the “…” button to select your Security Group. Re-read that. In other words, do not use the DOMAIN\SECURITY_GROUP convention; enter just the Security Group name (as I have highlighted in the screenshot above). Based on the comments it appears that Microsoft has a hotfix which may solve the issue, but I chose to fix it by dropping the “DOMAIN\”. Also note that I have two “Items”, both calling the “PaperCut-NonDefault” Security Group. A Security Group targeting “Item” can apply to either a computer or a user, not both in one item, so I have one item for users and one for computers.

With this subtle but critical change in place, the default printer Targeting works very effectively, excluding certain users and computers. To make it even easier for our users, I added a second printer preference that applies ONLY to members of the “PaperCut-NonDefault” group; it adds the PaperCut printer but does not set it as default. In other words, even users who do not want PaperCut as their default printer still get the PaperCut printer as an option.
[Screenshot: PaperCut-Targeting-NonDefault]
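As an added example (not from the original post, nor from PaperCut or Microsoft), here is a small Python audit that reads a GPP Printers.xml as stored in SYSVOL and flags the two mistakes discussed above: a Security Group name that still carries the DOMAIN\ prefix, and a Security Group exclusion that only has an item for one of the two contexts. The sample XML is constructed, and the FilterGroup attribute names are my understanding of the GPP item-level targeting schema rather than something taken from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a GPP Printers.xml (SYSVOL: ...\Preferences\Printers\),
# trimmed to the elements this check reads. FilterGroup attribute names
# (name, sid, userContext, not, bool) are my understanding of the GPP
# item-level targeting schema; treat them as an assumption.
SAMPLE_PRINTERS_XML = r"""<Printers>
  <SharedPrinter name="PaperCut (default)">
    <Filters>
      <FilterGroup bool="AND" not="1" name="EXAMPLE\PaperCut-NonDefault"
                   sid="" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </SharedPrinter>
  <SharedPrinter name="PaperCut (non-default)">
    <Filters>
      <FilterGroup bool="OR" not="0" name="PaperCut-NonDefault"
                   sid="" userContext="1" primaryGroup="0" localGroup="0"/>
      <FilterGroup bool="OR" not="0" name="PaperCut-NonDefault"
                   sid="" userContext="0" primaryGroup="0" localGroup="0"/>
    </Filters>
  </SharedPrinter>
</Printers>
"""

def audit_printer_targeting(xml_text):
    """Return (item name, finding) tuples; an empty list means the targeting looks sane."""
    findings = []
    for item in ET.fromstring(xml_text):
        item_name = item.get("name", "?")
        groups = item.findall("./Filters/FilterGroup")
        if not groups:
            continue  # no Security Group targeting on this item
        contexts = set()
        for fg in groups:
            group = fg.get("name", "")
            if "\\" in group:  # picked via the "..." button: DOMAIN\Group, which silently fails
                bare = group.rpartition("\\")[2]
                findings.append((item_name, f"group '{group}' has a DOMAIN\\ prefix; use '{bare}'"))
            contexts.add(fg.get("userContext"))
        # A Security Group item targets either users (userContext="1") or
        # computers (userContext="0"), never both, so excluding both needs two items.
        for ctx, label in (("1", "user"), ("0", "computer")):
            if ctx not in contexts:
                findings.append((item_name, f"no Security Group item for the {label} context"))
    return findings

if __name__ == "__main__":
    for item_name, msg in audit_printer_targeting(SAMPLE_PRINTERS_XML):
        print(f"[{item_name}] {msg}")
```

Point it at the real Printers.xml under the GPO's Preferences folder in SYSVOL to check a live policy; the same Filters element shape is used by the other GPP XML files, so the check generalises beyond printers.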

Enjoy. When Targeting works, it's effective and powerful. Here are 10 things Group Policy Preferences can do better than your current script!

“Set Up Internet Explorer 11” Bypass with GPO or Registry

It took too long to Google the answer to this. Most information is out-of-date, with IE8/IE9 solutions. This is basically a duplicate of this post from Andres Cheah.

The goal is to bypass this dialog box:
[Screenshot: set-up-ie-11]

Our users are easily confused.

Using Group Policy Editor

  1. Run gpedit.msc to launch the Group Policy Editor.
    Note: In an Active Directory environment, open gpmc.msc and either edit an existing GPO, or create a new one and link it to the domain level, or to an OU of your choice.
    Refer to “Group Policy for Beginners” from Microsoft for the basics.
  2. In the left pane, expand User Configuration > Administrative Templates > Windows Components > Internet Explorer.
  3. In the right pane, double-click “Prevent running First Run wizard”. A new settings window will open.
    [Screenshot: prevent-first-run-ie-11]
  4. Set the value to “Enabled”.
  5. In the options section you must choose one of the two options from the drop-down menu:
    1. Go directly to “Welcome To IE” page. This configures IE to skip the Welcome screen and go to the “Welcome to Internet Explorer” page directly.
    2. Go directly to home page. This configures IE to skip the Welcome screen and go directly to your home page. This is the option we chose. You can combine this with this post from ServerFault to also push a desired homepage to users.
      You need to choose one of the two, otherwise the configuration will not work.

For those who really want to dig into how IE11 handles the policy, I later came across this post from chentiangemalc, which details how the policy is applied and the associated ADMX. It also explains why much of the internet is outdated: the older “Prevent performance of First Run Customize Settings” policy was what IE8 and IE9 used (e.g. here, here and here).