In Active Directory environments, Group Policy settings can be used to centrally manage Internet Explorer 10. Here’s how.
Internet Explorer 10 management with Group Policy settings is easy when you’ve used this technology before to manage Windows and many of its other built-in programs. However, when this is the first time you use Group Policy, the Group Policy Object hierarchy might seem overwhelming and the distribution method might feel counter-intuitive. So let’s start there.
Group Policy Basics
Group Policy scoping
Group Policy is a centralized management technology to manage settings on computers, based on the place of the computer account and/or user account in the Active Directory hierarchy. This hierarchy is determined by Active Directory domain membership, Active Directory site membership and membership of a hierarchy of Organizational Units (OUs). Group Policy Objects, containing Group Policy settings can be applied to these building blocks to determine their scope.
The Group Policy setting to set the proxy address can be set to the domain to allow users on all computers in the domain to access the Internet using the same proxy server. In environments with multiple geographic sites, using Active Directory sites as the scope allows users to automatically use the right proxy for the geographic site they’re in. When you want to allow PCs to access the Internet using the proxy server, but not the Domain Controllers, you could scope settings using Organizational Units (OUs).
When these scopes are not granular enough for your environment, you can resort to WMI Filters to apply settings, only when a user account or computer account meets the filter. Note, that WMI Filters add considerably to startup and logon times, so using them is not recommended.
Group Policy hierarchy
When you first start with Group Policy, the hierarchy is unlike anything you’ve seen thus far:
Group Policy Hierarchy in the Group Policy Management Editor
However, there is a logic behind it. First of all, there is a top-level distinction between Computer Configuration and User Configuration. This divides exactly what you’d feel it would; By default, Computer Configuration applies to computer accounts, where User Configuration applies to user accounts. Then, there’s the three nodes, each of these configurations consists of: Software Settings, Windows Settings and Administrative Templates:
- Software Settings
in the Software Settings node, you can assign and publish software packages to either users or computers.
- Windows Settings
the Windows Settings node contains settings that apply to all Windows systems, independent of their SKU or version. Here you’ll find Folder Redirection, Auditing, User Rights Assignments and scripts.
- Administrative Templates
the Administrative Templates node is a graphical representation of the combination of all the Administrative Templates (*.adm and *.admx files) in the PolicyDefinitions folder in either the Windows folder of the local computer or the Netlogon folder on the Domain Controllers in your environment.
The PolicyDefinitions folder in Netlogon does not exist by default, but you can manually create it be copying the PolicyDefinitions folder from C:\Windows. This way, you’d create what’s called a Central Store for Group Policy Administrative Template files.
Managing Internet Explorer 10 with Group Policy Settings
As you’d expect, Group Policy settings for Internet Explorer are located in the Windows Components node underneath the Administrative Templates node of a Group Policy Object.
The Internet Explorer template (inetres.admx) contains several subnodes and sixty-two settings in the computer configuration and eighty-three settings in the user configuration node. The subnodes also contain settings. 55 settings of the 62 computer configuration settings and 72 of the 83 user configuration settings apply to Internet Explorer 10 on Windows 8, Windows RT and Windows Server 2012.
The six steps to successfully deploy Group Policy settings
To make the most out of Internet Explorer management with Grout Policy settings, careful planning is essential.
1. Business Requirements
First, you need to determine the business requirements for managing Internet Explorer. These might include security enforcement, backward compatibility, automatic proxy configuration and home page management. In this step you need to get clear which settings need to apply to what group of computers and/or users. It’s a good idea to document the choices made by senior management.
If the business requires some settings to be applied only once, instead of with every boot, logon or background refresh, use Group Policy Preferences for these settings.
2. Active Directory structure
When you know the business requirements, you can create the Active Directory hierarchy to apply Group Policy Objects to. You can create Organizational Units (OUs) and Active Directory Sites to apply on these levels. Alternatively, you can create a Group Policy Object at the domain-level and overrule them for specific Organizational Units (OUs).
Group Policy Objects get applied in a specific order. First, the local Group Policy settings get applied, then the Group Policy settings at the Active Directory Site-level. Then the Group Policies for the Domain get applied and finally, the settings per Organizational Unit (OU) get applied per Organizational Unit (OU) in the hierarchy, starting with the top-most Organizational Unit (OU). The last applied setting is the setting that sticks.
3. Creating Group Policy Objects
Simultaneously to creating the Active Directory structure, you can start by creating the Group Policy Objects containing the Internet Explorer settings.
You can create Group Policy Objects within the Group Policy Management Console (gpmc.msc). The Group Policy Management Console is automatically installed on Domain Controllers. It can be installed on Windows Server from the Add Features page in Windows Server Manager and can be installed on Windows Vista, Windows 7 and Windows 8 as part of the Remote Server Administration Tools (RSAT).
In the Group Policy Management Console, right-click the Group Policy Objects node underneath the domain name in the left pane and select New from the context menu. Name the new Group Policy Object according to your Group Policy Object naming scheme. Then right-click it and select Edit… from the context menu.
The Internet Explorer-related settings can be found in the Internet Explorer node, underneath the Windows Components node in the Administrative Templates of both the Computer Configuration and the User Configuration.
If you can’t find the Group Policy setting you want, use the Group Policy Reference, a Microsoft Excel document containing all the Group Policy settings, or use the Group Policy Search (GPS) website at gps.cloudapp.net.
When you’re done configuring settings in the Group Policy Object, simply close the Group Policy Management Editor.
4. Testing Group Policies
Now, you can start to test your Group Policy settings.
When you have a test environment, now is a good time to use it. Alternatively you can test Group Policy settings by applying them to either your test sub-Organizational Units or by applying them with a WMI filter to include only the test machine(s) and test user accounts.
A great feature in the Group Policy Management Console (gpmc.msc) can also be of use in this step: The Group Policy Modeling Wizard. With this wizard you can simulate a policy deployment for planning and testing purposes.
5. Apply Group Policies
When you’ve tested the settings thoroughly, it’s time to set them loose on your colleagues and their computers. A pilot group can help you gather feedback, before you apply Group Policy Objects to end users. Now is also a good time to document the settings in the Group Policy Objects.
6. Review Group Policies on a regular basis
Even though your Internet Explorer-related settings are backed by your superiors, it’s always a good thing to review your Group Policies on a regular basis. Go talk to colleagues and see what they might need to cope with.
The next part in series will cover Internet Explorer 10 Group Policy Preferences.