User Manual for centralized Group Policy Management System Configuration

Source: Internet
Author: User

Almost every enterprise has a standardized configuration for setting up a new computer, which is often built into an image file and deployed from it. Although this method is effective, the enterprise's standard configuration changes over time. Some group policy settings can help us deploy the standardized configuration to each computer, because they allow changes to be implemented in a unified manner and make sure that each computer runs the current standard configuration.


Disadvantages of image-based configuration

When deploying a computer, the administrator first installs the Windows operating system on a computer and then manually fine-tunes the system. The administrator then uses Sysprep to remove machine-specific information from the operating system (such as the SID or computer name), captures the computer's hard drive as an image, and deploys it to another computer.

When the image is started for the first time, Windows runs a small setup that asks basic configuration questions, because the image is generic. Providing an answer file for Windows can skip this process. However, remember that the answer file is usually used for automated installation, and a problem is hidden here if we have made custom settings in the image file.

Windows provides hundreds of different configuration settings. Although some of these settings are global, others are per-user and apply at the user profile level.

For example, suppose you change the power management settings and disable the Windows Vista Sidebar before deploying a computer from an image. You then use Sysprep to generalize the machine, create an image, and deploy it on another computer. When a user logs on to that computer for the first time, the custom power management settings are still in effect, but the Windows Sidebar is enabled by default. This is because the Windows Sidebar setting is stored at the user profile level. When a new user logs on for the first time, a new profile is created, and it receives the Windows default settings.

Another problem with image-based configuration is that the standard configuration may change over time: the current configuration may be quite different from the configuration one year ago.

Because of this, do not manually configure your computer before running Sysprep. Instead, use the computer's local security policy for configuration.

Use local security policies

I found that many administrators seldom use the local security policy, because it is overwritten when a user logs on to the network. However, local security policies are still useful. For starters, group policies (including local security policies) can customize almost every aspect of Windows. For example, Microsoft provides an administrative template to customize Office settings.

Specifically, the local security policy aims to protect computers that have no access to the network. Therefore, even when a user logs on locally to the computer, having a local security policy in place ensures a standard configuration. Of course, local security policies are configured per computer and cannot be centrally managed. Over time, a computer's local security policy configuration will eventually become obsolete.

Fortunately, group policies are hierarchical. A network-level Group Policy object (GPO) can provide the same settings as the local security policy, and the local security policy has the lowest priority when the two conflict. This means that if a policy setting is out of date, we can update it in the network-level Group Policy to override the setting in the local security policy.

All of this raises a very important question: if the local security policy is overwritten by the network Group Policy when a user logs on to the network, and will eventually become obsolete anyway, why bother using it?

When your standard configuration changes, only a few settings change in any given period of time. It is rare for an enterprise to change all group policy settings overnight. With this in mind, assume that a computer has an outdated local security policy, while the network-level Group Policy remains up to date. If someone logs on locally, the local security policy still provides a certain degree of protection and maintains the standard configuration as it stood when the computer was installed. This is usually much better than falling back to the Windows default settings.

This invites a counter-argument: manual settings in a Sysprep image can achieve the same purpose, since they also remain in effect wherever the network-level Group Policy does not enforce a setting. So why do we need to establish a local security policy?

The reason is that the local security policy can be set in one place. When the Sysprep image is out of date and needs to be changed, you need only modify the local security policy to match the current standard configuration, instead of manually changing settings in many different places in the system.
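Because the local security policy lives in one place, it can also be checked in one place. The following is an added example, not part of the original article: it parses a local security policy export and reports the settings that have drifted from the current standard. The function names are hypothetical, and both INF texts are constructed sample values.

```powershell
# On a real machine, create the export with: secedit /export /cfg C:\Temp\local.inf /areas SECURITYPOLICY
# Both INF texts below are constructed samples so the script runs without touching the system.
$localInf = @'
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
'@

$baselineInf = @'
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
'@

# Parse secedit-style INF text into a hashtable keyed by "Section\Setting" (hypothetical helper).
function ConvertFrom-SecurityInf {
    param([string]$Text)
    $settings = @{}
    $section = ''
    foreach ($line in $Text -split "`r?`n") {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # skip blanks and comments
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $settings["$section\$($Matches[1].Trim())"] = $Matches[2].Trim()
        }
    }
    return $settings
}

# Emit one object per baseline setting whose local value is missing or different (hypothetical helper).
function Compare-SecurityPolicy {
    param([hashtable]$Local, [hashtable]$Baseline)
    foreach ($key in ($Baseline.Keys | Sort-Object)) {
        $actual = if ($Local.ContainsKey($key)) { $Local[$key] } else { '<not set>' }
        if ($actual -ne $Baseline[$key]) {
            [pscustomobject]@{ Setting = $key; Local = $actual; Baseline = $Baseline[$key] }
        }
    }
}

$drift = Compare-SecurityPolicy -Local (ConvertFrom-SecurityInf $localInf) -Baseline (ConvertFrom-SecurityInf $baselineInf)
$drift | Format-Table -AutoSize
```

With the sample data, three settings are reported as drifted and `PasswordComplexity` is not, which mirrors the article's point that only a few settings change in any given period.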

In short, although you can manually configure the Sysprep image, it is best to implement configuration changes through group policy settings wherever possible.
