0% found this document useful (0 votes)

27 views144 pages

Windows Domain and Workgroup Planning Guide EPDOC X250 en 515A

The document is a planning guide for implementing Microsoft Windows domain controllers specifically for Experion systems. It covers various aspects such as the structure of Windows domains, domain controllers, Active Directory, Group Policy, and security considerations. Additionally, it includes prerequisites, intended audience, and related documents for effective integration into corporate IT environments.

Uploaded by

Andres Orozco

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

27 views144 pages

Windows Domain and Workgroup Planning Guide EPDOC X250 en 515A

Uploaded by

Andres Orozco

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 144

EXPERION PKS

RELEASE 515

Windows Domain and Workgroup Planning Guide

EPDOC-X250-en-515A
November 2019
Disclaimer
This document contains Honeywell proprietary information. Information contained herein is to be used
solely for the purpose submitted, and no part of this document or its contents shall be reproduced,
published, or disclosed to a third party without the express permission of Honeywell International Sàrl.
While this information is presented in good faith and believed to be accurate, Honeywell disclaims the
implied warranties of merchantability and fitness for a purpose and makes no express warranties
except as may be stated in its written agreement with and for its customer.
In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The
information and specifications in this document are subject to change without notice.
Copyright 2019 - Honeywell International Sàrl

-2-
Contents 3
Chapter 1 - About this document 7
1.1 Revision History 7
1.2 Intended audience 7
1.3 Prerequisite skills 7
1.4 Related documents 7
Chapter 2 - Planning a Windows domain/workgroup 9
2.1 Overview of Windows domain 9
2.2 Overview of a Windows workgroup 10
2.3 Overview of a domain controller 10
2.4 Overview of a Read-only Domain Controller 11
2.5 Overview of a peer domain controller 11
2.5.1 Multiple domain controllers in a domain 12

2.6 Overview of Active Directory and its components 13

2.6.1 Overview of Forests 13
2.6.2 Overview of domain trees 14
2.6.3 Overview of Organizational Units 15
2.6.4 Using a single domain with multiple OUs 16
2.6.5 TPS domains as Organizational Units 16
2.6.6 Overview of sites 16
2.6.7 Active directory replications 17
2.6.8 Functional levels in Active Directory 17

2.7 Overview of Group Policy 19

2.7.1 Computer configuration settings 20
2.7.2 User configuration settings 20
2.7.3 Controlling the scope of GPOs 21
2.7.4 Experion Group Policy descriptions 21
2.7.5 Interoperability of group policy objects 22

2.8 Domain users, computers, and groups 22

2.8.1 Computer account 22
2.8.2 Groups 22
2.8.3 Group scope 23

2.9 Support for DNS 23

2.9.1 DNS deployment 24
2.9.2 DNS integration with Active Directory 24

-3-
2.9.3 DNS naming conventions 24
2.9.4 DNS tools 25

2.10 Domain controllers in an Experion FTE network 25

2.10.1 Domain controller placement 25
2.10.2 Domain controller as a non-FTE node in an FTE community 25

2.11 Supported Experion releases 25

2.12 Hardware and software requirements 27
2.12.1 Choosing the right operating system for a domain controller 27
2.12.2 System requirements for a domain controller 27

Chapter 3 - Integrating computers into a Windows domain 29

3.1 Creating mutually trusted domains 29
3.2 Associating Windows domain account groups with the local
account groups on a computer 29
3.2.1 Prerequisites 30
3.2.2 To link the Windows domain account groups to the Windows local account groups 30

Chapter 4 - Creating Windows Workgroup users and groups 31

Chapter 5 - Security policies configured as part of Experion
installation 33
Chapter 6 - Reviewing security templates in
domain/workgroup environment 47
6.1 To review security templates in domain/workgroup environment 47
Chapter 7 - Setting up time synchronization 49
7.1 Time synchronization in a domain 49
7.1.1 Setting Up PDC to Sync with an External Source 49

7.2 Time synchronization in a virtual environment 50

Chapter 8 - Securing the operating system 51
8.1 Creating and assigning login scripts 51
8.1.1 Station command line options 51
8.1.2 Locking station in full screen mode and disabling menus 51
8.1.3 Creating a Station startup batch file 52
8.1.4 Assigning logon scripts to domain groups and users using group policy 53
8.1.5 Assigning logon scripts to individual domain accounts 54
8.1.6 Assigning logon scripts to local accounts 54

8.2 Removing access to Windows Explorer and the Task Manager 54

8.2.1 To remove access to Windows Explorer and Task Manager 55

-4-
8.3 Setting up automatic logon 57
8.3.1 Setting up automatic logon in a domain 58
8.3.2 Setting up automatic logon in a workgroup 58

8.4 Preventing operator shutdown 58

8.5 Disabling the lock computer option 59
8.6 Disable Link-Local Multicast Name Resoultion (LLMNR) and
NetBIOS over TCP/IO (NetBT) 61
Chapter 9 - Enabling or disabling USB-connected storage
devices on Experion systems 63
9.1 Introduction 63
9.2 Enabling and disabling USB removable storage devices 63
9.2.1 To disable USB removable storage devices locally on a machine 63
9.2.2 To disable USB removable storage devices via group policy on a domain
controller for an OU 64

Chapter 10 - Managing domains 65

10.1 Managing domain group policy 65
10.1.1 To copy a group policy 66
10.1.2 Move a group policy from the default domain to OUs 66

10.2 Renaming a domain controller 66

10.3 Removing a domain controller 67
Chapter 11 - Advanced Domain administration 69
11.1 Managing security 69
11.2 DNS Recommendations for large FTE networks 69
11.2.1 Overview 69
11.2.2 Recommendation 69

Chapter 12 - Appendix 71
12.1 Experion domain group policy settings 71
12.2 Workstation security settings 124
12.2.1 Security Model specific permissions 124
12.2.2 Local policy settings 129

-5-
CHAPTER

1 ABOUT THIS DOCUMENT

This guide includes high-level planning and design topics for implementing Microsoft Windows domain
controllers for Experion.

1.1 Revision History

Revision Date Description

A November 2019 Initial release of the document.

1.2 Intended audience

l Customers who want to integrate their process domains into their corporate hierarchy and IT staffs
who support them.
l Projects group and Services group.

1.3 Prerequisite skills

It is assumed that you are familiar with the operation of Experion system software and the plant
processes which Experion controls, Microsoft Windows operating systems, Windows domains and
domain controllers, and network administration tasks.

1.4 Related documents

l Windows Domain and Workgroup Implementation Guide
l /Windows Domain Implementation Guide for Windows Server 2016 / Windows Domain
Implementation Guide for Windows Server 2012 R2 / Windows Domain Implementation Guide for
Windows Server 2016.
l Experion Software Change Notice
l Experion Migration Planning Guide
l Server and Client Planning Guide
l Server and Client Planning Guide
l Getting Started with Experion Software Guide
l For information related to secure communication, refer to the Secure Communications User’s
Guide

-7-
CHAPTER

2 PLANNING A W INDOWS
DOMAIN/WORKGROUP

l Overview of Windows domain

l Overview of a Windows workgroup
l Overview of a domain controller
l Overview of a Read-only Domain Controller
l Overview of a peer domain controller
l Overview of Active Directory and its components
l Overview of Group Policy
l Domain users, computers, and groups
l Support for DNS
l Domain controllers in an Experion FTE network
l Supported Experion releases
l Hardware and software requirements

2.1 Overview of Windows domain

A Windows domain is a logical group of computers that are managed by a central database that is
used for controlling user access and resource access. The central database is known as Active
Directory. Active Directory uses a structured database as the basis for describing both the logical and
physical design of the network in a hierarchical format. Active Directory contains information about the
users and resources that are controlled in the domain. This design allows administrators to define user
security permissions and resource access rights.
Each domain has at least one server running as a domain controller, which holds the database for the
domain. The domain controller is used for managing all security-related aspects between users and
resources and centralizes security and administration. Both Windows computers and non-Windows
computers can be part of the domain.
A Windows domain can be used by any size organization and its design allows a single domain to be
used for managing multiple physical locations that could be located anywhere across the world.
The following figure shows a typical Windows domain.

-9-
Chapter 2 - Planning a Windows domain/workgroup

ATTENTION
For detailed description about the Windows domain concepts, refer to the following Microsoft
documentation.
l http://www.microsoft.com/windowsserver2008/en/us/ad-main.aspx
l http://technet.microsoft.com/en-us/library/cc780336(WS.10).aspx

2.2 Overview of a Windows workgroup

A Windows workgroup is a group of standalone computers in a peer-to-peer network. Each computer in
the workgroup uses its own local accounts database to authenticate resource access. The computers in
a workgroup also do not have a common authentication process. The default networking environment
for a clean windows load is workgroup.
In general, a workgroup environment is appropriate for networks with a small number of computers
(say, less than 10), all located in the same general area. The computers in a workgroup are considered
peers because they are all equal and share resources among each other without requiring a server.
Since the workgroup does not share a common security and resource database, users and resources
must be defined on each computer. This increases administration overhead since common user
accounts must be created on every computer that holds a resource that the user account requires
access to. Resources can be shared across the workgroup but this requires common user accounts that
have the same password.
The main disadvantages of workgroups are as follows:
l User accounts must be created and managed on each machine separately. (For more streamlined
usage, it is suggested that you use the same account and password on all systems and update
them at the same time.)
l The low security protocol used for authentication between nodes.
2.3 Overview of a domain controller
The domain controller is a server machine that performs the following operations.

- 10 -
Chapter 2 - Planning a Windows domain/workgroup

l Runs on a Microsoft Windows server operating system.

l Stores the read-write copy of the Active Directory database and the security information of a
particular domain.
l Manages communication between the users and the domains including:
o User account control
o Resource control

l Performs centralized management of computer settings and restrictions in the form of Group Policy.

You must setup at least one domain controller in every Windows domain. The following figure shows
the domain controller in a Windows domain.

2.4 Overview of a Read-only Domain Controller

With Microsoft Windows Server 2008 Standard, Microsoft introduced the concept of a Read-only
Domain Controller (RODC). An RODC is a server that performs most of the functions of a domain
controller, except that the Active Directory database is read-only and is only updated from a writable
domain controller. Administrative tasks like policy creation/installation and user and group creation
cannot be performed on the RODC. The domain controller security package cannot be installed on an
RODC.
For example, RODC is used in sites that have remote access with poor physical security. If someone
tries to compromise the RODC and make changes (such as elevate themselves as administrators) do
not succeed, as they can only access the AD in the state it was in at the time of discovery. Hence, they
cannot replicate the changes in the main DCs.
Adding an RODC to the PCN can preserve security and/or administrative purposes while providing a
local source of authentication for performance and reliability reasons.
The following are the advantages of RODC.
l With the RODC local to the PCN, link speeds and firewall traversals to remote domain controllers do
not affect performance.
l If the PCN becomes isolated from the IT network where the normal domain controller resides,
access to the PCN is not impacted.
2.5 Overview of a peer domain controller
A domain can have more than one domain controller. The forest root domain controller and bridgehead
servers are the commonly used peer domain controllers.
Forest root domain controllers are used when multiple different domains roll-up in a single large domain
and protection of some common critical functions is required.

- 11 -
Chapter 2 - Planning a Windows domain/workgroup

Bridgehead controllers are used in situations where we have a single domain that passes over low
bandwidth lines (that is for offshore connections).
Multiple domain controllers in a domain provide the following benefits.
l Improves availability and reliability of network services
l Provides fault tolerance
l Balances load of existing domain controllers
l Provides additional infrastructure support to sites
l Improves performance by allowing the user to connect to a domain controller when logging on to
the network
l Provides continuous functioning of the domain (when one of the domain controllers fail or must be
disconnected, the other domain controller becomes the active domain controller)

A peer domain controller can be setup using one of the following ways.
l Over the network
l By restoring a backup of an existing domain controller

The domain controller backup can be stored on a tape, hard drive, or any other backup media. Before
setting up a peer domain controller, go through the checklist in the following Microsoft documentation.
http://technet.microsoft.com/en-us/library/cc759620(WS.10).aspx
l Multiple domain controllers in a domain

2.5.1 Multiple domain controllers in a domain

A domain can have multiple domain controllers. Multiple domain controllers in a domain provide the
following benefits.
l Improves the availability and reliability of the domain by allowing the domain to continue operation
by ensuring that at least one domain controller is operational and available to the process control
network.
l Improves the performance by sharing the load across multiple domain controllers.

When there are multiple domain controllers in a domain, all domain controllers are peers. All domain
controllers in a domain have read/write copies of the domain database. You can setup an additional
domain controller (peer domain controller) through the Active Directory installation wizard in one of the
following ways.
l Over the network
l By restoring a backup of an existing domain controller

Although all domain controllers in a domain are peers, some domain operations require a single
domain controller to perform a specific function. To perform these specific functions, domain controllers
are assigned specialized roles known as Flexible Single Master Operations (FSMO) roles.
The domain controller FSMO roles are as follows:
l Schema master
l Domain naming master
l Primary domain controller (PDC) emulator
l Infrastructure master
l Relative ID (RID) master

- 12 -
Chapter 2 - Planning a Windows domain/workgroup

The Global Catalog (GC) server is another domain controller role. This role can be configured on
multiple domain controllers in a domain. There is at least one GC server per domain. The first domain
controller in the forest automatically holds all five FSMO roles and is a GC server. When peer domain
controllers are introduced into the domain, the FSMO roles can be redistributed to different domain
controllers.

Refer to the following Microsoft documentation for more information on domain controller roles.
http://technet.microsoft.com/en-us/library/cc786438(WS.10).aspx

2.6 Overview of Active Directory and its components

The computers in a Windows domain share a database called the Active Directory. The database is
centralized, organized, and accessible to the resources of the domain. The domain controller stores the
resource information and the security settings of an organization in the Active Directory. The Active
Directory is a directory service that performs the following functions.
l As a directory, it stores information about users and resources
l As a service or services, it provides access to manipulate the resources

The Active Directory manages all elements of the network, including computers, groups, users,
domains, security policies, and other type of user-defined objects. An Active Directory can also be
considered as a distributed database that can have enterprise scope if configured. An Active Directory
provides distributed security, user, group, and computer management dynamic name services.
Active Directory allows administrators to organize objects of a network (such as users, computers, and
devices) into a hierarchical collection of containers known as the logical structure. The following are the
logical components of an Active Directory.
l Domain trees
l Forests
l Domains
l Organizational Units (OUs)
l Site Objects

ATTENTION
Honeywell recommends that you apply this file system security model to protect against
unauthorized file access. This is important if you plan to use SafeView or any application that
employs a browse window. For implementation design guidance/help contact your Honeywell
representative.

l Overview of Forests
l Overview of domain trees
l Overview of Organizational Units
l Using a single domain with multiple OUs
l TPS domains as Organizational Units
l Overview of sites
l Active directory replications
l Functional levels in Active Directory
2.6.1 Overview of Forests
Forests are defined as.

- 13 -
Chapter 2 - Planning a Windows domain/workgroup

l Collection of domain controllers that trust each other

l Units of replication
l Security boundaries
l Units of delegation

The first domain controller in a domain is the forest root. A forest does not require multiple trees, but can
have other trees with a non-contiguous name space. Forests act independently of each other but can
trust each other.

ATTENTION
For information about forests, refer “What are forests?” in the following Microsoft documentation –
http://technet.microsoft.com/en-us/library/cc759073(WS.10).aspx#w2k3tr_logic_what_ovkc

The following are the characteristics of a child domain in a forest structure.

l Can be non-contiguous with the root domain
l Each domain tree operates independently
l Belongs to the same network

The following figure shows the non-contiguous namespace of a forest structure.

2.6.2 Overview of domain trees

A domain tree is a collection of domains that share a contiguous namespace. The tree structure starts
with a single root domain and branches out into child domains. The first Active Directory domain
created becomes the root of the domain tree structure. The other domains created later become the
child domains.
The name of the tree is always the DNS name of the root domain. The child domains are always in the
same DNS name space as the root domain. Note that the domain controllers in the child domains are
not peer domain controllers of the domain controllers in the root domain.
The following figure shows the contiguous namespace of a tree structure:

- 14 -
Chapter 2 - Planning a Windows domain/workgroup

The main reason for creating multiple domains is the management of the domain structure. Most
settings are bound by the domain security boundary like password policies. In addition, all child
domains have transitive trusts with other domains in the same tree.
The following are additional reasons for creating multiple domains in a network.
l To manage different organizations or to provide unit identities
l To enforce different security settings and password policies
l To control Active Directory replication
l To decentralize administration

2.6.3 Overview of Organizational Units

An Organizational Unit(OU) is an Active Directory container. You can place domain objects like users,
groups, computers, and other OUs in an OU. An OU cannot contain objects from other domains. The
domain for any organization can enlarge and becomes difficult to manage. Using OUs, you can
breakdown a very large domain into smaller units to ease management.
You can arrange the OUs hierarchically in a tree-like structure. An organization can divide a large
domain into OUs based on their department. For example, within a company, an OU can be created for
each Site. An organization can extend the hierarchy of OUs, as required by the organization’s hierarchy
within a domain. The OUs created in a domain helps to reduce the number of domains required for a
network.

- 15 -
Chapter 2 - Planning a Windows domain/workgroup

OUs can be used for delegating administrative control over objects contained in them to a subset of
users in Active Directory. For instance, the domain administrator needs to designate one person in each
department as the official Password Change Administrator. This reduces the administrative load. The
domain administrator can delegate the authority to modify users' passwords to each user over only their
respective OU. OUs can also be used for easy administration by grouping like objects together, which
can then be used for applying security settings contained in Group Policy Objects.

ATTENTION
For more information about OUs, refer the following Microsoft documentation –
http://technet.microsoft.com/en-us/library/cc759073(WS.10).aspx

2.6.4 Using a single domain with multiple OUs

Honeywell recommends that you use a single domain with multiple OUs. The OUs created in the
domain are visible to System Management and the Experion Network Tree. OUs provide a means for
logical grouping of domain objects that have a similar function.

2.6.5 TPS domains as Organizational Units

TPS domains are created as OUs. The Active Directory Users and Computers snap-in Microsoft
Windows Server 2003 (32-bit), Microsoft Windows Server 2008 Standard, , Microsoft Windows Server
2012, Microsoft Windows Server 2012 R2, and Microsoft Windows Server 2016 which is used for
administering domains, can be modified to designate an OU as a TPS domain.

ATTENTION
Experion Clusters follow the same basic practice and ensures compatibility with TPS.

2.6.6 Overview of sites

Sites represent the physical structure of your network, while domains represent the logical structure of
your organization.

- 16 -
Chapter 2 - Planning a Windows domain/workgroup

In Active Directory, a site is a set of computers that are well connected by a high-speed network, such as
a Local Area Network (LAN). All computers within the same site typically reside in the same building, or
on the same campus network. A single site consists of one or more Internet Protocol (IP) subnets.
Subnets are subdivisions of an IP network, with each subnet possessing its own unique network
address. Use of sites allows administrators greater control of domain replication traffic across the entire
domain. In addition, Group Policy Objects can also be applied to the site.
Refer to the following Microsoft documentation for more information.http://technet.microsoft.com/en-
us/library/cc782048(WS.10).aspx
2.6.7 Active directory replications
Active Directory replication is the means by which changes to directory data are transferred between
domain controllers in an Active Directory forest. The Active Directory replication model defines
mechanisms to transfer directory updates automatically between domain controllers, thereby providing
a seamless replication solution for the Active Directory database.
For more information, refer to the following Microsoft documentation.
Active Directory Replication Model Technical Reference –
http://technet.microsoft.com/en-us/library/cc737314(WS.10).aspx
2.6.8 Functional levels in Active Directory
Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest
capabilities and also determines which Windows Server operating systems you can run on domain
controllers in the domain or forest. This is essential for efficient Active Directory replication and domain
renaming activities.
Fpr more details refer https://technet.microsoft.com/library/understanding-active-directory-functional-
levels(v=ws.10).aspx.

ATTENTION
l Experion requires functional level Windows Server 2008 or higher.
l Functional levels define a set of operating systems only for the domain controllers in a
domain or a forest. It does not define the client operating systems in a domain or a forest.
l Before raising the functional level for a domain, or a forest, assess your requirements
appropriately. Once raised, you cannot lower the functional level for a domain or a forest.

Domain functional level

Setting the functional level for a domain enables features that affect the entire domain and that domain
only. If all domain controllers in a domain are running , and the functional level is set to , all domain-
wide features are available.
l A domain controller cannot support a higher level than its own release. For example, a Windows
Server 2003 domain controller cannot be set to a Windows Server 2008 domain functional level.
l The domain functional level determines the domain and/or active directory capabilities or behaviors
available from the domain controller.
l All domain controllers in a domain must be at the same domain functional level.

Forest functional level

Setting the functional level for a forest enables features across all the domains within a forest. If all
domain controllers in a forest are running and the functional level is set to , all forest-wide features are
available.

- 17 -
Chapter 2 - Planning a Windows domain/workgroup

TIP
l For more information about functional levels in a forest or a domain, refer to the following
Microsoft documentation.
http://technet.microsoft.com/en-us/library/cc738038(WS.10).aspx
l For information on how to raise functional levels in a forest or a domain, refer to the
following Microsoft documentation.
http://technet.microsoft.com/en-us/library/cc787290(WS.10).aspx

Ideally, all the servers in a domain must run the same or latest version of the operating system. Each
domain has capabilities/features associated with it. These capabilities/features depend on the Microsoft
Windows Server operating system running on all the domain controllers in that domain or forest. Until
all domain controllers are at that version or higher version, you cannot use those capabilities/features.
The mixed mode and native mode helps to raise the functional level of a domain or forest.
Mixed mode: allows a domain controller running previous versions of Microsoft operating systems to co-
exist in a domain/forest. The mixed mode is used when you do not want to upgrade all the domain
controllers to the latest version of Microsoft Windows server operating system, but still want some of the
features offered by the latest version in your domain or forest.
For example, consider an organization where all the domain controllers in a domain or forest run on
Microsoft Windows 2008 Server operating system. Upgrading some domain controllers to Windows
2008 R2 Server or Windows 2012 Server, while maintaining some domain controllers on Windows
Server 2008, enables the organization to take advantage of the latest functionality; even though all
domain controllers are not running Windows Server 2008 R2 or Windows 2012 Server. This implies that
the domain/forest is in the mixed mode of operation.
Native mode allows a domain controller to run only one version of operating system in a domain/forest.
It does not support interoperability with the previous version of operating system. Active Directory must
be configured in native mode.
For example, in a domain or forest if all the domain controllers in a domain are running Windows 2008
R2 Server or Windows 2012 Server and does not support the interoperability with Windows 2008, then
it is said to be in the native mode. Since domain/forest functional levels of Windows Server 2008 R2
and higher versions do not support Windows Server 2008 domain controllers, it implies that these
domain functional levels are "native".

ATTENTION
The forest level needs to be at least Windows Server 2003 level to support a read-only domain
controller. The read-only domain controller must be running at least Microsoft Windows Server
2008 operating system.

Refer to the recommended functional level of the domain table in the section Raising the functional
level of the domain of the Windows Domain Implementation Guide for Windows Server 2008 R2.

TIP
For more information on mixed mode and native mode, refer to the following Microsoft
documentation.

- 18 -
Chapter 2 - Planning a Windows domain/workgroup

l http://technet.microsoft.com/en-us/library/cc787290(v=ws.10).aspx
l http://technet.microsoft.com/en-us/library/aa996524(v=EXCHG.65).aspx
l http://technet.microsoft.com/en-us/library/cc738670(WS.10).aspx
l http://technet.microsoft.com/en-us/library/bb632431.aspx

2.7 Overview of Group Policy

Overview of Group Policy
Group Policy is an infrastructure used for delivering and applying one or more configurations/policy
settings to the users and the computers within an Active Directory environment. The Group Policy
Objects (GPOs) contain the Group Policy settings. You can link GPOs in a domain to sites, domains, or
OUs.
For example, software agents such as those from Acronis® Backup and Recovery™ 10 are distributed
using policies. This prevents the use of USB sticks for a central roll-out of Experion Backup and Restore.
Thus, installation is allowed through control settings or boot script.
An organization can have different types of users. For example, you want to deliver and maintain a
customized desktop configuration for different types of users, such as operators who do not require
access to Internet Explorer, but Engineers and Administrators need access to Internet Explorer. Group
Policy helps in applying a customized configuration to a group of users.
The following figure shows the customized group policies assigned to the OUs within a domain.

You can infer the following from the preceding figure.

l The Admin Policy is applied to the Administration OU.
l The Engineering Policy is applied to the Engineering OU.
l The Operations Policy is applied to the Operations OU.
l The Hardware Engineering Policy and the Engineering Policy are applied to the Hardware
Engineering OU.

The members in each OU receive the Group Policy assigned to their respective OU.
When you link GPOs to sites, domains, or OUs, the GPO links affect users and computers in the
following ways.
l GPOs are applied to the domain object by the closest linked GPO in the domain hierarchy.
o Site>Domain>OU>Domain Object, meaning if there were linked GPOs that conflicted with
each other at each level, the GPO applied is at the OU level.

l A GPO linked to a domain applies to all users and computers in the domain. By default, any domain

- 19 -
Chapter 2 - Planning a Windows domain/workgroup

object in an OU will have the domain GPO applied.

o The policies linked at the domain level are not applicable to child domains.

l The scope of a GPO can also be controlled. For more information, refer to the topic Controlling the
scope of GPOs.

Group Policy includes the following types of policy settings.

l Computer configuration settings
l User configuration settings
l Controlling the scope of GPOs
l Experion Group Policy descriptions
l Interoperability of group policy objects

2.7.1 Computer configuration settings

The computer configuration settings contain policy settings that affect computers, regardless of who
logs on to the computers. The following are the computer-related policies specified in the computer
configuration settings.
l Operating system behavior
l Desktop behavior
l Application settings
l Security settings
l Assigned software applications
l Computer startup and shutdown scripts

Computer-related policy settings are applied.

l When the machine is restarted
l During a periodic refresh of the Group Policy

ATTENTION
The Administrator can also apply the computer-related policy settings manually.

2.7.2 User configuration settings

The User configuration settings contain policy settings that affect users, regardless of which computer
they log on to.
The following are the user-related policies specified in the user configuration settings.
l Operating system related settings
l Desktop settings
l Application settings

- 20 -
Chapter 2 - Planning a Windows domain/workgroup

l Security settings
l Assigned and published software applications
l User logon and logoff scripts
l Folder redirection options

User-related policy settings are applied in the following scenarios.

l When the users log on to the computer
l During the periodic refresh of the Group Policy

ATTENTION
The Administrator can also apply the user-related policy settings manually.

The Group Policy Management Console is used for viewing and editing the Group Policy Settings. The
settings under ‘Computer Configuration’ are applied to all computers that have this Group Policy
enforced on them. The settings under ‘User Configuration’ are applied to all users that have this Group
Policy enforced on them.

ATTENTION
l A GPO with settings limited to computer configuration does not have any effect when it is
applied to a user.
l A GPO with settings limited to user configuration does not have any effect when it is
applied to a computer.

2.7.3 Controlling the scope of GPOs

GPOs are applied to users and computers. To apply a GPO to a user or computer, you must first link the
GPO with a domain, an OU, or a site. You can control the scope of GPOs in the following ways.
l Change the default order in which GPOs are processed (by changing the GPO link order)
l Block a GPO inheritance (by disabling a GPO link or by enforcing (previously known as no override)
a GPO)
l Security and WMI filtering (for applying greater precision)
l Loopback processing (applying a consistent set of policies to any user logging on to a computer)

For more information, refer to the following Microsoft documentation.

http://technet.microsoft.com/en-us/library/cc786768(WS.10).aspx

2.7.4 Experion Group Policy descriptions

The following table lists the Group Policy Objects (GPOs) that the Experion – High Security Domain
Controller package creates in Active Directory, and the corresponding Global Group that is used for
"filtering" the scope of the group object.

- 21 -
Chapter 2 - Planning a Windows domain/workgroup

Group Policy Filter (Global

Description
Name Group)
Honeywell
A minimally restricted user environment. This account is typically used
Product DCS
for day-to-day DCS administrative tasks for Windows 7/2008 (Windows
Administrator Administrators
XP/2003 for Experion R3xx).
Role
Honeywell A restricted user environment that allows members to perform relevant
Engineering Engineers process control activities. Administrative actions in the Windows 7/2008
Role (Windows XP/2003 for Experion R3xx) environment are limited.
Operators,
A very restricted user environment that permits members of this group to
Supervisors,
Honeywell run only allowed applications. Typically, members of this group have a
View only
Operational specified logon script that automatically starts relevant applications.
users, ACK
Roles Usage of the Microsoft Internet Explorer browser is limited to intranet or
view only
local applications.
users

For more information on Group Policy, refer to Creating a Group Policy and Managing Group/domain
policy in this guide.
2.7.5 Interoperability of group policy objects

ATTENTION
Policy applied to the domain should match the highest version of the Experion/TPS release you
intend to run/support in the domain.

The group policy objects installed for Experion are interoperable with earlier releases of Experion and
TPS. They cannot coexist with policies from earlier releases in the same domain. The policies replace
earlier policy files to provide equivalent settings on earlier releases and enhanced security on
Experion. In addition, note that there are only three Experion Group Policies. For more information, refer
to the section Experion Group Policy descriptions.

2.8 Domain users, computers, and groups

l Computer account
l Groups
l Group scope

2.8.1 Computer account

Every computer that is part of the domain has a specific computer account. This account is created
automatically when a computer is added to the domain. However, this account can also be created
before the computer joins the domain. The computer account provides the following:
l Authenticates the computer to access the network
l Audits the computer’s access to the network and the domain resources

2.8.2 Groups
A group is an Active Directory container object. The group can contain users, contacts, computers, and
other groups. The following are the two different types of groups.

- 22 -
Chapter 2 - Planning a Windows domain/workgroup

l Distribution groups
l Security groups

Distribution groups
Distribution groups have only one function that is creating e-mail distribution lists. Distribution groups
can be used with e-mail applications (like Microsoft Exchange) to send e-mail to the members of the
group. Changing group membership follows the same process as security groups. Distribution groups
cannot be used to apply security.

ATTENTION
Honeywell does not recommend the usage of e-mail on the process control domain used by
Experion and TPS.

Security groups
Security groups are an essential component of the relationship between users and resources. Security
groups perform the following functions.
l Manages user and computer access to the shared resources on the domain
l Filters Group Policy settings

Security groups can contain users, computers, and other groups. Using security groups simplifies
security administration by letting you assign permissions to the group rather than assigning permissions
to the individual users. When you add a new user to the group, the user receives all access permissions
assigned to the security group.

2.8.3 Group scope

Every security group or distribution group has a defined scope, which determines to what extent the
group is applied. The following are the different scopes that can be applied to a group.
l Universal – indicates that a group can be assigned permissions in any domain or any trusted forest.
l Global – indicates that a group can be assigned permissions in any domain.
l Domain local – indicates that a group can be assigned permissions within the same domain.

For more information about group scope, refer to the following Microsoft website link.
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx

2.9 Support for DNS

DNS as a name resolution service
Domain Name System (DNS) is the default name resolution service in a Windows network. It is part of
the TCP/IP protocol suite and all TCP/IP network connections by default, are configured with the IP
address of one or more DNS Servers.
For more information on DNS, refer to the following Microsoft documentation.
What is DNS? – http://technet.microsoft.com/en-us/library/cc787921(WS.10).aspx

- 23 -
Chapter 2 - Planning a Windows domain/workgroup

l DNS deployment
l DNS integration with Active Directory
l DNS naming conventions
l DNS tools

2.9.1 DNS deployment

DNS can be deployed in two ways – with Active Directory support and without Active Directory support. It
is deployed without Active Directory support if you want to host information outside of the domain
environment. For domains in Experion, DNS must be deployed with Active Directory support. When
deployed with Active Directory, the Active Directory directory service uses DNS as its domain controller
location mechanism. For example, when an Active Directory user logs in to a domain, the user’s
computer uses DNS to locate a domain controller in the Active Directory domain.
For more information on how DNS works, refer to the following Microsoft documentation.
http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx

2.9.2 DNS integration with Active Directory

Active Directory uses DNS as a domain controller locator and uses DNS domain naming system in the
architecture of Active Directory domains. Active Directory depends on the following components of
DNS.
l Domain controller locator (Locator)
l Active Directory domain names in DNS
l Active Directory DNS objects

For more information on DNS integration with Active Directory, refer to the following Microsoft
documentation.
l How DNS support for Active Directory works: http://technet.microsoft.com/en-us/library/cc759550
(WS.10).aspx
l DNS integration: http://technet.microsoft.com/en-us/library/cc785656(WS.10).aspx

2.9.3 DNS naming conventions

The following are some of the DNS requirements for Active Directory hierarchy.
l A node in the DNS hierarchy must be a domain or a computer
l A child domain cannot have more than one parent domain
l Two child domains of a parent domain cannot have identical names

For more information on DNS naming conventions, refer to the following Microsoft documentation.
http://technet.microsoft.com/en-us/library/cc978006.aspx

ATTENTION
Domain names must have a domain designator like .com, .org, or .local. Domain names without
domain designators will cause name resolution issues on the network.

- 24 -
Chapter 2 - Planning a Windows domain/workgroup

2.9.4 DNS tools

A variety of tools is associated with DNS for use with Active Directory. The DNS management
application and the command line utilities nslookup and ipconfig are some of the examples. For more
information, refer to the following Microsoft documentation.
l DNS tools and settings – http://technet.microsoft.com/en-us/library/cc775464(WS.10).aspx
l DNS support for Active Directory tools and settings – http://technet.microsoft.com/en-
us/library/cc738266(WS.10).aspx

2.10 Domain controllers in an Experion FTE network

2.10.1 Domain controller placement

In Experion, FTE network, the domain controller can be an FTE node or a non-FTE node. A domain
controller can be placed on level 2 or on level 3 depending on your site network requirements. For
example, if you have PHD integrated with Experion, you can have one domain controller as an FTE
node at level 2 and another domain controller as a non-FTE node at level 3.
Another example is when domain controllers are used in multiple communities and if each community
has a domain controller, it is a better practice to have the redundant domain controller at level 3 instead
of only at level 2.

ATTENTION
Ensure that the following considerations are met while setting up domain controllers in an FTE
network.
l Install FTE drivers on the domain controllers. To install FTE drivers on the domain
controllers, there are some additional hardware considerations that must be met. For
more information, refer to the Experion Software Installation User's Guide and Experion
FTE Installation and Service Guide.
l Use Honeywell qualified Experion Server platforms for configuring domain controllers.

l For a basic overview of FTE, refer to the Experion FTE Overview and Implementation Guide.
l For domain controller topology diagrams, refer to the Network and Security Planning Guide.
l Refer to the Experion FTE Installation and Service Guide, for information on FTE installation on a
domain controller.

2.10.2 Domain controller as a non-FTE node in an FTE community

When connecting multiple non-FTE domain controllers in the same FTE community, the domain
controllers themselves must be connected to different legs of the FTE network tree. An example of this
is, connecting one non-FTE domain controller to the yellow network and another non-FTE domain
controller to the green network.

2.11 Supported Experion releases

Choosing the operating system for a domain controller depends on your organization requirements.
The following table lists the supported Experion releases qualified to use for configuring domain
controllers in a domain.

- 25 -
Chapter 2 - Planning a Windows domain/workgroup

Domain Controller compatibility with Experion

In the following table, the letters listed in each box represent the Experion components that can be
installed with the respective Experion release on that Domain Controller Operating System version.

Experion Release DC Operating System /

used for DC Domain Functional
installation Level
Windows Windows Windows Windows
Windows Server
Windows Server 2008 Server 2008 Server Server 2012 Server
2003/2003 R2
R2 2012 R2 2016
Experion PKS
A+C, B, D A+C, D A+C*, D A+C*
R400.1, R400.2
Experion PKS
A+C, B, D A+C, D A+C, D A+C
R400.3 and later
Experion PKS A, B, C, D,
A, B, C, D A, B, C, D, E A, B, C, D, E
R410.X E
Experion PKS A, B, C, D,
A, B, C, D A, B, C, D, E A, B, C, D, E
R430.X E
Experion PKS A, B, C, D, A, B, C, D,
A, B, C, D, E A, B, C, D, E
R431.X E E
A, B,
Experion PKS A, B, C, D, A, B, C, D,
A, B, C, E A, B, C, D, E C, D,
R510.X E E
E
A, B,
Experion PKS A, B, C, D, A, B, C, D,
A, B, C, E A, B, C, D, E C, D,
R510.X E E
E

l * – Requires patch
l A – DC security (required on one writable DC, not allowed on RODC)
l A+C – R400 DC Security including TPS Domain Console Configuration (required on at least one
writable DC, not allowed on RODC)
l B – FTE
l C – TPS Domain Console Configuration (optional on all writable DCs, not allowed on RODC)
(included in DC Security in R400.x)
l D – System Management
l E – USB Enable/Disable (R410 and later only)

Following are the rules related to the Experion components installed on a Domain Controller:
l If multiple versions of Experion coexist in a domain, the version of the Experion components
installed on the Domain Controller must be equal to or greater than the latest version of Experion
running in the domain (including point releases).
l If TPS and Experion coexist in a domain, the version of the Experion components installed on the
Domain Controller must be equal to or greater than the latest version of Experion running in the
domain (including point releases).
l The domain functional level of the domain (which is less than or equal to the Domain Controller
Server Operating System version) is restricted to the combinations above that indicate support for A
or A+C. For example, R431.1 supports Windows Server 2008 as the Domain Controller (indicated
by “A” in the R431.1/WS2008 box), however it does not support that Domain Controller being
configured as Windows Server 2003 Domain functional level (there is no an A in the
R431.1/WS2003 box).

Windows client compatibility issues

- 26 -
Chapter 2 - Planning a Windows domain/workgroup

Microsoft also imposes some rules related to client operating systems joined to a domain of certain
functional levels, as indicated in the following table.

Windows Domain
Clients
Function Level
Server 2008 Server Server 2012 Server
Server 2003 Server 2008
R2 2012 R2 2016
Windows XP/Server
Y*** Y Y Y N N
2003
Windows Vista/Server
Y* Y Y Y Y Y
2008
Windows 7 Y** Y Y Y Y Y
Server 2008 R2 Y** Y* Y Y Y Y
Windows 8/Server 2012 Y** Y** Y* Y Y Y
Windows 8.1/Server
Y** Y** Y** Y* Y Y
2012 R2
Windows 10/Server
Y** Y** Y** Y** Y** Y
2016

l Y – Supported
l N – Deprecated (SMB 1.0)
l Y* – Supported but requires GPO update
l Y** – Supported but requires GPO Update and some features in client may not be supported
l Y*** – Supported but not recommended.

2.12 Hardware and software requirements

l Choosing the right operating system for a domain controller
l System requirements for a domain controller

2.12.1 Choosing the right operating system for a domain controller

Choosing the operating system for a domain controller depends on your organization requirements.

2.12.2 System requirements for a domain controller

Component Microsoft Windows Server (2008 through 2016)

l Minimum – 1.4 GHz (x64)
Computer and processor
l Recommended – 2GHz or faster
l Minimum – 512 MB
Memory l Recommended – 2GB or greater
l Maximum – 32GB
l Minimum – GB
Hard disk
l Recommended – GB or more

- 27 -
Chapter 2 - Planning a Windows domain/workgroup

ATTENTION
In virtual environments Honeywell recommends that you have at least one DC on each network
level serviced by the virtual environment, this would include a domain controller on level 2.5 and
each level 2 network. If the entire domain is hosted on virtual machines, you must ensure that the
virtual domain is always availability. Refer to the latest version of the following documents on
http://www.honeywellprocess.com for the hardware and software requirements of VM.
l HPS Virtualization Specification
l Virtualization Planning and Implementation Guide

Ensure that at least one domain controller is in real environment.

- 28 -
CHAPTER

3 INTEGRATING COMPUTERS INTO A

W INDOWS DOMAIN

This section describes the tasks for integrating computers into an existing Windows domain.
This section does not describe how to create a Windows domain. For security-related guidelines about
Windows domains andExperion, refer to the Experion Network and Security Planning Guide.
l Creating mutually trusted domains
l Associating Windows domain account groups with the local account groups on a computer

3.1 Creating mutually trusted domains

Mutually trusting domains are created by configuring the primary domain controllers on two connected
domains to trust the partner domain. To set up mutually trusting domains, each domain must trust the
other domain and each domain must know what other domains trust it. The process for defining these
relationships is to create a trusted domain and to create a trusting domain. A trusted domain is a
domain that is trusted by the domain that is being configured. A trusting domain is a domain that trusts
the domain that is being configured.
Configuring mutually trusting domains is required only if the CDA-SP service (ACE) is on a different
domain to an OPC server. Mutually trusting domains are created by configuring the domain controllers
on two connected domains to trust the partner domain.
To set up mutually trusting domains, ensure that both domain controllers are configured using the
appropriate procedure.

ATTENTION
Creating a trust between two domains requires name resolution to be setup so that both
domains can resolve the other domain name. An example of this is setting up a secondary DNS
zone for the other domain.
If you are setting mutually trusted domains to support a control configuration such as the CDA-
SP service (ACE) on a different domain to an OPC server, consult your nearest Honeywell
representatives for additional configration requirements.

3.2 Associating Windows domain account groups with the

local account groups on a computer
You only need to perform this procedure if you use domains. This procedure links Windows domain
account groups with local account groups for computers participating in a domain and the Honeywell
High Security Policy.

- 29 -
Chapter 3 - Integrating computers into a Windows domain

3.2.1 Prerequisites
l The computer must already be added to the domain.
l Perform this procedure on every computer in the domain where you want to implement the High
Security Policy.

3.2.2 To link the Windows domain account groups to the Windows

local account groups
1. Log on as a user with administrative privileges.
2. For Windows 7 through 2008 R2, click Start > All Programs > Honeywell Experion PKS > System
Management > Link Domain Groups.
The User Account Control dialog box appears.
3. For Windows 10 through 2016, click Start > Honeywell Experion Tools > All Honeywell Tools. In
the Explore Window > open System Management > Link Domain Groups.
The User Account Control dialog box appears.
4. Click OK.
A dialog box appears displaying the success of the Link Domain Groups command.
5. Perform the following based on the success of running the Link Domain Groups command.
l If there are no errors, click OK to acknowledge the success message.
l If errors are indicated, select the Details checkbox.
Information about the problems encountered appears.

After running the Link Domain Groups command, the Windows domain account groups are
linked to the local account groups as follows.

Windows domain account group Linked to local account group

DCS Administrators Product Administrators
Engineers Local Engineers
Supervisors Local Supervisors
Operators Local Operators
Ack View Only Usage Local Ack View Only Users
View Only Users Local View Only Users
DCS Domain Servers Local Servers
SecureComms Administrators Local SecureComms Administrators

- 30 -
CHAPTER

4 CREATING W INDOWS W ORKGROUP

USERS AND GROUPS

ATTENTION
Any accounts that need to access other computers must have the same user name and
password on all computers. For more information about creating Windows Workgroup users and
groups, refer to the following Microsoft documentation.

http://technet.microsoft.com/en-us/library/cc775771(WS.10).aspx

- 31 -
CHAPTER

5 SECURITY POLICIES CONFIGURED AS PART

OF EXPERION INSTALLATION

Category Policy Value

Local Network security: Configure Enabled
Policies encryption types allowed for
Kerberos
Local Network security: Force logoff Enabled
Policies when logon hours expire
Local Network security: LAN Send NTLMv2 response only. Refuse LM&NTLM
Policies Manager authentication level
Local Network security: Minimum Enabled
Policies session security for NTLM SSP
based (including secure RPC)
clients
Local Network security: Minimum Enabled
Policies session security for NTLM SSP
based (including secure RPC)
servers
Local Shutdown: Allow system to be Disabled
Policies shut down without having to
log on
Local User Account Control: Enabled
Policies Behavior of the elevation
prompt for administrators in
Admin Approval Mode
Local User Account Control: Automatically deny elevation requests
Policies Behavior of the elevation
prompt for standard users
Local User Account Control: Switch Enabled
Policies to the secure desktop when
prompting for elevation
Local User Account Control: Enabled
Policies Virtualize file and registry write
failures to per-user locations
Windows Windows Firewall: Domain: On (recommended)
Firewall Firewall state
Windows Windows Firewall: Domain: Block (default)
Firewall Inbound connections
Windows Windows Firewall: Domain: Allow (default)
Firewall Outbound connections
Windows Windows Firewall: Domain: No
Firewall Settings: Display a notification
Windows Windows Firewall: Domain: Yes (default)
Firewall Settings: Apply local firewall
rules
Windows Windows Firewall: Domain: Yes (default)
Firewall Settings: Apply local
connection security rules
Windows Windows Firewall: Domain: %SYSTEMROOT%\System32\logfiles\firewall\domainfw.log
Firewall Logging: Name
Windows Windows Firewall: Domain: 16,384 KB or greater
Firewall Logging: Size limit (KB)

- 43 -
Chapter 5 - Security policies configured as part of Experion installation

Category Policy Value

Windows Windows Firewall: Domain: Yes
Firewall Logging: Log dropped packets
Windows Windows Firewall: Domain: Yes
Firewall Logging: Log successful
connections
Windows Windows Firewall: Private: On (recommended)
Firewall Firewall state
Windows Windows Firewall: Private: Block (default)
Firewall Inbound connections
Windows Windows Firewall: Private: Allow (default)
Firewall Outbound connections
Windows Windows Firewall: Private: No
Firewall Settings: Display a notification
Windows Windows Firewall: Private: Yes (default)
Firewall Settings: Apply local firewall
rules
Windows Windows Firewall: Private: Yes (default)
Firewall Settings: Apply local
connection security rules
Windows Windows Firewall: Private: %SYSTEMROOT%\System32\logfiles\firewall\privatefw.log
Firewall Logging: Name
Windows Windows Firewall: Private: 16,384 KB or greater
Firewall Logging: Size limit (KB)
Windows Windows Firewall: Private: Yes
Firewall Logging: Log dropped packets
Windows Windows Firewall: Private: Yes
Firewall Logging: Log successful
connections
Windows Windows Firewall: Public: On (recommended)
Firewall Firewall state
Windows Windows Firewall: Public: Block (default)
Firewall Inbound connections
Windows Windows Firewall: Public: Allow (default)
Firewall Outbound connections
Windows Windows Firewall: Public: Yes
Firewall Settings: Display a notification
Windows Windows Firewall: Public: No
Firewall Settings: Apply local firewall
rules
Windows Windows Firewall: Public: No
Firewall Settings: Apply local
connection security rules
Windows Windows Firewall: Public: %SYSTEMROOT%\System32\logfiles\firewall\publicfw.log
Firewall Logging: Name
Windows Windows Firewall: Public: 16,384 KB or greater
Firewall Logging: Size limit (KB)

- 44 -
Chapter 5 - Security policies configured as part of Experion installation

- 45 -
CHAPTER

6 REVIEWING SECURITY TEMPLATES IN

DOMAIN/WORKGROUP ENVIRONMENT

6.1 To review security templates in domain/workgroup

environment
1. Choose Start > Run, type mmc and click OK.
The Microsoft Management Console opens.
2. If the User Account Control dialog box appears, click Yes.
3. Choose File > Add/Remove Snap-in.
The Add/Remove Snap-in dialog box opens.
4. Click Add.
The Add Standalone Snap-in dialog box opens.
5. Select Security Templates and click Add.
6. Click OK.
The Security Templates snap-in is added to the console.
7. In the navigation pane, right-click Security Templates, and select New Template Search Path.
8. In the Browse For Folder dialog box, navigate to Desktop > Computer > Local Disk (C:) >
Windows > Security > Templates, select Templates, and then click OK.
9. In the navigation pane, expand C:\Windows\security\templates and select
honeywellws.
10. Review the setting in the right pane.

- 47 -
CHAPTER

7 SETTING UP TIME SYNCHRONIZATION

l Time synchronization in a domain

l Time synchronization in a virtual environment

7.1 Time synchronization in a domain

The Active Directory domain is time sensitive and any time differences between domain controllers and
client nodes could affect the authentication process of users and resource access. When a member
server is promoted as the first domain controller in the domain, that server automatically receives all of
the FSMO roles. The PDC emulator role controls time on the domain and the server holding that role
becomes the authoritative time source on the domain. Any authentication process on any resource on
the domain must have a clock setting that is within 5 minutes of the PDC emulator role holder. If the
time difference between the machine clock and the PDC emulator role holder clock is greater than 5
minutes, the authentication process fails. Once there is peer domain controller in the domain, the PDC
emulator role can be moved to any domain controller in the domain. By default, the PDC emulator role
holder will use its local clock as the time source for the domain. The time source for the PDC emulator
can be changed to use an external source such as hardware clock (GPS clock) or an internet time
server.
In the Experion network, once a computer joins the domain, it will use the PDC role holder as the
authoritative time source. If the computer had SNTP setup run on it while in a workgroup the SNTP
setup settings may need to be cleared before SNTP time functions correctly on the computer.
For more information on configuring a time source for the forest, refer to the article at the following link.
http://technet.microsoft.com/en-us/library/cc794823(WS.10).aspx

TIP
For more information about time synchronization and SNTP setup, refer to the Supplementary
Installation Tasks Guide.

l Setting Up PDC to Sync with an External Source

7.1.1 Setting Up PDC to Sync with an External Source

1. Identify a NTP Source.

NOTE
NTP Source could be a NTP Server at your site by name or IP address.

Example:

- 49 -
Chapter 7 - Setting up time synchronization

NOTE
The address of “10.0.1.10” is provided as an example. Please substitute with the IP or
name of an addressable NTP Server on your network.

a. Open Administrative Command Prompt on DC holding FSMO PDC role.

b. w32tm.exe /config /manualpeerlist: 10.0.1.10 / syncfromflags:manual /reliable: YES /update
c. w32tm.exe /config /update
d. net stop w32time
e. net start w32time
2. After setting up PDC with time source, and adding nodes to a domain, all other nodes should run
NTPSetup/NTP Config as instruction in the Supplementary Installation Tasks Guide.

7.2 Time synchronization in a virtual environment

With ExperionRelease 510, virtualization deployment is supported for Experion and domain controllers.
When a domain controller is a virtual machine, its local clock is no longer accurate. When the PDC role
holder is running in a virtual machine, this behavior could cause clock drift and invalidate access to
network resources. For sites that virtualize the domain controller that holds the PDC role, the following
steps must be performed on the PDC role holder.
l Do not synchronize the PDC role holder time with the vmhost.
l Force the PDC role holder to synchronize the time with an external time source either a GPS device
or an internet time source. Refer to the following VMware white paper for instructions for this
process.
http://www.vmware.com/files/pdf/Virtualizing_Windows_Active_Directory.pdf

ATTENTION
When creating a virtual domain controller, do not convert a physical domain controller to a virtual
domain controller.

TIP
For more information about time synchronization in a virtual environment, refer to the
Virtualization Planning and Implementation Guide.

- 50 -
CHAPTER

8 SECURING THE OPERATING SYSTEM

l Creating and assigning login scripts

l Removing access to Windows Explorer and the Task Manager
l Setting up automatic logon
l Preventing operator shutdown
l Disabling the lock computer option

8.1 Creating and assigning login scripts

l Station command line options
l Locking station in full screen mode and disabling menus
l Creating a Station startup batch file
l Assigning logon scripts to domain groups and users using group policy
l Assigning logon scripts to individual domain accounts
l Assigning logon scripts to local accounts

8.1.1 Station command line options

The following command line options may be added to the command to start the Station application in
batch files or in shortcuts to tailor the environment that Station runs in.
The syntax for Station.exe is as follows:
station.exe [-stn <path to .stn file>] [-s[f][l][x][s][c]]

Parameter Description
Path to the Station.stn file. Do not include the path if the Station.stn file is in the same
stn
location as the Station.exe file.
-s Startup switches
Disables window resizing so that Station can only operate in full screen mode and is
f
always on top.
Disables window resizing so that Station can only operate in full screen mode and is
l
always on the bottom
x Disables the Exit menu choice
s Disables the Setup menu choice
c Disables the Connect menu choice

8.1.2 Locking station in full screen mode and disabling menus

You can restrict access to non-Station software on a computer by changing the Station command line.
Changing the Station command line allows you to do the following:

- 51 -
Chapter 8 - Securing the operating system

l Lock the Station window in full screen so that users cannot resize the window or access operating
system functions and non-Station applications.
l Disable the Exit menu choice so users cannot close down this Station.
l Disable the Setup menu choice so that users cannot change the connection or display settings for
this Station.
l Disable the Connect menu choice so that the users cannot attempt to connect to a different server
and disconnect from the current server.

By default, access to Intranet and Internet sites are disabled on Station. For information on enabling full
or restricted access via Station's SafeBrowse feature, refer to the section “Customizing Station - Web
Access tab, Connection properties” in the Server and Client Configuration Guide.

8.1.3 Creating a Station startup batch file

For operators to access Station on a secure computer, create a batch file that enables the Station to
start automatically when the operator logs on to the computer.

To create the batch file

1. For domain account scripts, log on to the domain controller with a domain administrator account.
2. Use a text editor such as Notepad, to create the following batch file.

ATTENTION
If you use Signon Manager and Electronic Signatures, you must use the –sl option so
that Station is in full-screen mode but always on the bottom so that the Signon Manager
and Electronic Signatures dialog boxes appear on top of Station.

rem Run signon.exe only if you are using Sigon Manager

cd /d "%hwinstallpath%\Signon Manager"

start signon.exe
rem *******************************************
rem change to station directory
rem *******************************************

cd /d "%hwinstallpath%\Experion PKS\Client\Station"

rem *******************************************
rem the following line need only be included
rem if you are on the Server PC
rem and also using automatic logon.
rem It delays Station startup to let the
rem Server start completely first.
rem *******************************************
sleep 70
rem *******************************************
rem start station with "full screen lock" and always on top
rem and all 'Station" menu options inactive.
rem stnsetup.stn is optional, delete if not
rem required.
rem *******************************************
start station.exe "%HwProgramData%\Experion PKS\Client\Station\stnsetup.stn" -sslxc

- 52 -
Chapter 8 - Securing the operating system

WARNING
Do not add a network path to the ‘path’ environment variable.

3. Save the file according to the locations specified in one of the following sections.
l Assigning logon scripts to domain groups and users using group policy.
l Assigning logon scripts to individual domain accounts.
l Assigning logon scripts to local accounts.

8.1.4 Assigning logon scripts to domain groups and users using

group policy
This procedure demonstrates how to assign the Operator_Start.bat logon script to all domain users that
are members of the Operators global group.
For a Microsoft Windows Server 2003 domain controller, the Group Policy Management Console must
be installed first. On Microsoft Windows Server 2008/, it is installed by default.

To assign logon scripts to domain groups and users using group policy

1. Log on to the domain controller using a domain administrator account.

2. Place the Operator_Start.bat script in the following path — %SystemRoot%\SYSVOL\<Domain
name>\Scripts.
3. Choose Start > Windows Administrative Tools > Group Policy Management.
4. Click Yes on the User Account Control dialog box.
5. In the left pane (navigation pane), expand the tree, right-click Group Policy Objects under the
required domain, and then click New.
6. Type the new policy name as Operator Startup Policy, and then click OK.
7. Right-click the new policy in the navigation pane, and then click Edit.
8. In the navigation pane of the Group Policy Management Editor, expand User Configuration >
Policies > Windows Settings, and then click Scripts (Logon/Logoff).
9. In the right pane, double-click Logon.
10. In the Logon Properties dialog box, click Add.
11. In the Script Name field, type Operator_Start.bat and type required script parameters in the Script
Parameters field, then click OK.
12. In the Logon Properties dialog box, click OK.
13. Close the Group Policy Object Editor window.
14. In the right pane of the Group Policy Management window, click the Details tab and in the GPO
Status list, select Computer Configuration Settings Disabled.
15. In the navigation pane, drag the new policy to the domain (or OU) to which this policy should apply
to.
16. If you want to link the GPO to the selected location, click OK.
17. In the navigation pane, expand Group Policy Objects > Operator Startup Policy .
18. In the right pane, remove the users/groups listed under the Security Filtering, and then click Add to
add the required groups (or individual users).
19. When the group policies are next pushed to the computers in the domain, this startup script applies
to all operator logon.

- 53 -
Chapter 8 - Securing the operating system

8.1.5 Assigning logon scripts to individual domain accounts

Perform the following steps to specify the batch file as a logon script for domain accounts.
1. Log on to the domain controller using a domain administrator account.
2. Choose Start > Windows System > Control Panel > System and Maintenance > Administrative
Tools > Active Directory Users and Computers.
3. Place the Operator_Start.bat script in %SystemRoot%\SYSVOL\<Domain name>\scripts.
4. In the tree view, select Users to display the list of users in the domain.
5. Right-click the account name to which the Logon Script must be assigned, and then click
Properties.
6. On the Profile tab, type Operator_Start.bat in the Logon script box.
7. Click OK.
8. Close Active Directory Users and Computers.

8.1.6 Assigning logon scripts to local accounts

Assigning logon scripts to local accounts

1. Log on to the local machine using a domain or local administrator account.

2. If the local computer does not have a NetLogon share, create a directory to be used for the share
(for example %SystemRoot%\NetLogon), and share the directory using the name “NetLogon”.
3. Place the Operator_start.bat file in\\<computername>\NetLogon, or use the local directory
path that is shared as NetLogon.
4. Choose Start > Windows System > Control Panel > System and Maintenance > Administrative
Tools > Computer Management.
5. Select Local Users and Groups > Users.
6. Double-click the user account that you want to modify.
The Properties dialog box is displayed.
7. Click the Profile tab, and in Logon Script box, type Operator_Start.bat.
8. Click Apply.
9. Click OK to close the Properties dialog box.
10. Close Computer Management.

8.2 Removing access to Windows Explorer and the Task

Manager
This procedure applies to computers in a workgroup environment. In a domain environment, this is
automatically taken care through the Honeywell Operational Roles GPO settings.
You can prevent operators from accessing applications through Task Manager, Windows Explorer, and
Internet Explorer by removing access to Task Manager, Windows Explorer, and Internet Explorer.

- 54 -
Chapter 8 - Securing the operating system

8.2.1 To remove access to Windows Explorer and Task Manager

For Windows 7operating system

1. In Windows Explorer, navigate to the %windir%\System32 directory.

2. Perform the following steps only if your operating system is Windows 7 or Windows Server 2008.
a. Right-click taskmgr.exe, choose Properties and click the Security tab.
b. In the Security tab, click Advanced.
The Advanced Security Settings dialog box appears.
c. In the Advanced Security Settings dialog box, click the Owner tab.
d. Click Edit.
e. Click Yes/Continue if the User Account Control dialog box appears.
f. In the Change owner to list, select Administrators, and click OK.
g. Click OK in the Security tab.
The Windows Security dialog box appears with the following message:

h. Click OK in the Windows Security dialog box.

i. Click OK to close the Properties dialog box.
3. Right-click taskmgr.exe, choose Properties and click the Security tab.
4. In the Security tab, click Edit.
5. Click Yes/Continue if the User Account Control dialog box appears.
6. In the Security tab, click Add.
The Select Users, Computers, or Groups dialog box appears.
7. Click Advanced.
The Common Queries tab appears within the Select Users, Computers, Service Accounts, or
Groups dialog box.
8. Click Find Now.
The Search Results section displays a list of users and groups in the domain.
9. Select the user or the group for which you want to remove/restrict access to Task Manager.
10. If there are additional groups or users that must be restricted, hold down the CTRL key while
clicking each additional user/group.
11. Click OK in the Common Queries tab.
12. Click OK in the Select Users, Computers, or Groups dialog box.
The selected user(s) and group(s) are listed in the Security tab, in the Group or user names
section.

- 55 -
Chapter 8 - Securing the operating system

13. For each user or group that you added to the Group or user names section, perform the following:
a. Click the name in the Group or user names list.
b. In the Permissions for dialog box, click the checkbox in the Deny column next to Read &
Execute/Allow.
14. When all necessary users/groups are denied the access to execute, click OK.
a. On some operating systems, the Windows Security dialog box appears with the following
message:

b. Click Yes in the Windows Security dialog box.

c. Click Yes, if the same message appears.
15. Click OK to close the Properties dialog box.
16. Repeat the above steps for Windows Explorer.
a. Choose Start > Run, and type %windir%
The Windows folder appears.
b. Locate explorer.exe, and continue with step 1.
17. Repeat the above steps for Internet Explorer.
a. Choose Start > Run, and type %programfiles%
The Program Files folder appears.
b. In the Internet Explorer folder, locate iexplore.exe, and continue with step 1.

For Windows 10 operating system

1. In Windows Explorer, navigate to the %windir%\System32 directory.

2. Perform the following steps only if your operating system is Windows 10 or Windows Server 2016.
a. Right-click taskmgr.exe, choose Properties and click the Security tab.
b. In the Security tab, click Advanced.
The Advanced Security Settings dialog box appears.
c. In the Advanced Security Settings dialog box, click Change next to Owner.
The Select Users, Computers, or Groups dialog box appears.
d. Click Advanced.
The Common Queries tab appears within the Select Users, Computers, Service Accounts, or
Groups dialog box.
e. Click Find Now and select Adminstators and click OK.
f. Click Apply.
The Windows Security dialog box appears.
g. Click OK in the Windows Security dialog box.
h. Click OK to close the Properties dialog box.

- 56 -
Chapter 8 - Securing the operating system

3. Right-click taskmgr.exe, choose Properties and click the Security tab.

4. In the Security tab, click Edit.
5. Click Yes/Continue if the User Account Control dialog box appears.
6. In the Security tab, click Add.
The Select Users, Computers, or Groups dialog box appears.
7. Click Advanced.
The Common Queries tab appears within the Select Users, Computers, Service Accounts, or
Groups dialog box.
8. Click Find Now.
The Search Results section displays a list of users and groups in the domain.
9. Select the user or the group for which you want to remove/restrict access to Task Manager.
10. If there are additional groups or users that must be restricted, hold down the CTRL key while
clicking each additional user/group.
11. Click OK in the Common Queries tab.
12. Click OK in the Select Users, Computers, or Groups dialog box.
The selected user(s) and group(s) are listed in the Security tab, in the Group or user names
section.
13. For each user or group that you added to the Group or user names section, perform the following:
a. Click the name in the Group or user names list.
b. In the Permissions for dialog box, click the checkbox in the Deny column next to Read &
Execute/Allow.
14. When all necessary users/groups are denied the access to execute, click OK.
a. On some operating systems, the Windows Security dialog box appears.
b. Click Yes in the Windows Security dialog box.
c. Click Yes, if the same message appears.
15. Click OK to close the Properties dialog box.
16. Repeat the above steps for Windows Explorer.
a. Choose Start > Run, and type %windir%
The Windows folder appears.
b. Locate explorer.exe, and continue with step 1.
17. Repeat the above steps for Internet Explorer.
a. Choose Start > Run, and type %programfiles%
The Program Files folder appears.
b. In the Internet Explorer folder, locate iexplore.exe, and continue with step 1.
8.3 Setting up automatic logon
If you want Windows to start automatically without the operator entering a Windows password, you can
set up automatic logon. If you set up automatic logon, the computer always logs on with the same user
name and password.

ATTENTION
l Computers must be configured individually for auto-logon in a domain or workgroup.
l Automatic logon can be useful in a Plant environment but you must use it with a very
restrictive user account. It should not be used with user accounts with administrative
privileges.

- 57 -
Chapter 8 - Securing the operating system

l If you set up automatic logon for a computer, to log on as an Administrator, you need to
press the Shift key to prevent automatic logon.
l After following the procedures for automatic logon, automatic logon is set the first time
after any restart. To get the computer to automatic logon after each restart and each
logoff, you must set the registry value of ForceAutoLogon = 1 in the same key.

l Setting up automatic logon in a domain

l Setting up automatic logon in a workgroup
8.3.1 Setting up automatic logon in a domain

CAUTION
l Editing Windows registry can cause serious problems, if modified incorrectly. To recover
from the problem, you might have to reinstall the operating system. As a best practice,
ensure that you take a back up of the Windows registry before making any changes.
l This mechanism of changing the password is a security risk since a clear text password
would be visible in the registry entry.

To set up an automatic logon in a domain or workgroup, edit the following registry entries.
l HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key:
l DefaultUserName = the user account name
l DefaultPassword = the password for that account
l DefaultDomainName = computer name for local accounts or domain name for domain accounts
l AutoAdminLogon = 1

8.3.2 Setting up automatic logon in a workgroup

1. Choose Start > Run.
2. In the Run dialog box, type control userpasswords2, and then click OK.
3. Select the user account, and then clear the Users must enter a user name and password to use
this computer check box.
4. Click Apply.
5. In the Automatically Log On dialog box, enter the password for the selected account and confirm to
add the password to the system.
6. In the Automatically Log On dialog box, click OK.
7. In the User Accounts dialog box, click OK.
8. Edit the registry, refer to section 8.3.1 Setting up automatic logon in a domain.
9. If automatic logon does not work when Windows is restarted, it is because the password was
entered incorrectly. Repeat the above steps to correct the issue after the account and password are
checked for correctness.

8.4 Preventing operator shutdown

This procedure applies to computers in a workgroup environment. In a domain environment, this is
automatically taken care through the Honeywell Operational Roles GPO settings.

- 58 -
Chapter 8 - Securing the operating system

Product Administrators, Engineers, and Supervisors can shut down a computer in several ways.
l From the Start menu.
l By pressing CTRL+ALT+DEL.
l At the logon screen.

To prevent Product Administrators, Engineers and Supervisors from shutting down the computer, you
must change the local policies and edit the registry.
To change the local policies to prevent shut down by selected users on Windows 7 operating system:
1. Choose Start > Windows System > Control Panel > System and Maintenance > Administrative
Tools > Local Security Policy.
2. In the navigation pane, choose Local Policies > Security Options.
3. Select Local Policies > User Rights Assignment.
4. Double-click Shutdown the system.
The Shut down the system Properties dialog box opens. Typical settings will include
Administrators, Backup Operators, Product Administrators, Local Supervisors, and Local
Engineers.
5. Remove any users or groups that must not be able to shut down the system.
6. Add any additional users or groups that must able to shut down the system.
7. Click OK to close the Shut down the system Properties dialog box.
8. Close the Local Security Policy window.

To change the local policies to prevent shut down by selected users on Windows 10 operating
system:
1. Choose Start > Windows Administrative Tools > Local Security Policy.
2. Select Local Policies > User Rights Assignment.
3. Double-click Shutdown the system.
The Shut down the system Properties dialog box opens. Typical settings will include
Administrators, Backup Operators, Product Administrators, Local Supervisors, and Local
Engineers.
4. Remove any users or groups that must not be able to shut down the system.
5. Add any additional users or groups that must able to shut down the system.
6. Click OK to close the Shut down the system Properties dialog box.
7. Close the Local Security Policy window.

To prevent shut down from logon screen:

1. Choose Start > Windows Administrative Tools > Local Security Policy.
2. In the navigation pane, select Local Policies > Security Options.
3. In the right pane, double-click Shutdown: Allow system to be shut down without having to log on.
4. Select Disabled and click OK.
5. Close the Local Security Policy window.

8.5 Disabling the lock computer option

This procedure applies to computers in a workgroup environment. In a domain environment, this is
automatically taken care through the Honeywell Operational Roles GPO settings.
Product Administrators, Engineers and Supervisors can lock a computer in several ways.

- 59 -
Chapter 8 - Securing the operating system

l From the Start menu.

l By pressing CTRL+ALT+DEL.
l At the logon screen.

For Windows 7 operating system

To prevent Product Administrators, Engineers and Supervisors from locking the computer, you need to
change the local policies and edit the registry.
1. Choose Start > Run, type mmc and click OK.
2. On the User Account Control dialog box, click Yes.
3. In the Console Root window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor, click Add.
5. In the Select Group Policy Object dialog box, click Finish.
6. In the Add or Remove Snap-ins dialog box, click OK.
7. In the Console Root windows navigation pane, select Local Computer Policy > User Configuration
> Administrative Templates > System > Ctrl + Alt + Del Options.
8. In the right pane, double-click Remove Lock Computer.
9. In the Remove Lock Computer dialog box, click Enabled, and then click Apply.
10. Press CTRL+ALT+DEL to verify that Lock Computer option is disabled. Click Cancel.
11. Click OK to close the Disable Lock Computer Properties dialog box.

For Windows 10 operating system

- 60 -
Chapter 8 - Securing the operating system

8.6 Disable Link-Local Multicast Name Resoultion (LLMNR)

and NetBIOS over TCP/IO (NetBT)
Due to known security vulnerabilities with Link-Local Multicast Name Resolution (LLMNR) and NetBIOS
over TCP/IO (NetBT) components, it is recommended to disable these two components.

ATTENTION
You can disable these two components only if DNS Server is configured in your network. If DNS
Server is not configured, then disabling these two components will fail Computer name to IP
resolution, which impact Experion functions.

To disable LLMNR.
1. Click Start
2. Type gpedit.msc in the text box
3. Navigate to
Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS
Client
4. In the DNS Client Folder, double click on Turn Off Multicast Name Resolution and set it to
Enabled.

To disable NetBT.
1. Open Control Panel
2. Under Network and Internet, click View network status and tasks
3. Click Change adapter settings
4. Right-click “<Honeywell FTE Adapter>” and then click “Properties”
5. Double-click on “Internet Protocol Version 4 (TCP/IPv4)”, click “Advanced” then click on the
“WINS” (Windows Internet Name Service) tab
6. Click on “Disable NetBIOS over TCP/IP"
7. Click Ok.

- 61 -
CHAPTER

9 ENABLING OR DISABLING USB-

CONNECTED STORAGE DEVICES ON
EXPERION SYSTEMS

l Introduction
l Installation of USB Storage Enable Disable feature using Experion PKS Installation media
l Managing the USB Storage Enable Disable feature

9.1 Introduction
An administrator can enable or disable the use of USB-connected storage devices, such as flash
drive, floppy disk, CD/DVD on the Experion systems in domain or workgroup environments. However,
use of other types of USB devices such as keyboards, mouse, finger print readers, and smart cards are
not affected.

9.2 Enabling and disabling USB removable storage devices

9.2.1 To disable USB removable storage devices locally on a

machine
1. Log on to your computer as an account that is a member of the “Administrators” group.
2. To open Local Group Policy Editor, click the Start button, type mmc gpedit.msc, and press
ENTER.
3. In the Group Policy Object Editor navigation pane, double click Computer Configuration to
expand it , if it is not already expanded.
4. Then expand Administrative Templates, expand System, click on Removable Storage Access.
5. In the details pane on the right, right-click the item All Removable Storage classes: Deny all
access, and then click Edit.
6. The policy dialog box appears with the current settings.
7. Click Disabled to turn the policy setting off (allowing USB devices) or Enabled to turn the policy on
(blocking access to USB devices).
8. Click OK to save the setting and return to Group Policy Object Editor.

- 63 -
Chapter 9 - Enabling or disabling USB-connected storage devices on Experion systems

NOTE
If you prefer to block one or more execution(s), such as read or write access rather than providing
all access. Use one of the following settings instead at step 5:
l Removable Disks: Deny execute access
l Removable Disks: Deny read access
l Removable Disks: Deny write access

Restart the computer for the change to take affect.

9.2.2 To disable USB removable storage devices via group policy on

a domain controller for an OU
1. Log on to your domain controller as an account that is a member of the “Administrators” group.
2. To open Group Policy Management, click the Start button, type mmc gpmc.msc, and press ENTER.
3. Expand the domain in the navigation pane and find the Group Policy Objects node, right click on it
and choose New.
4. In the New GPO dialog, enter Disable Removable Storage Policy as the Name.
5. In the Group Policy Management navigation pane, find this new Group Policy Object, right click on
it and choose Edit.
6. In the Group Policy Management Editor, in the navigation pane, double click Computer
Configuration to expand it, if it is not already expanded.
7. Then expand Policies, expand Administrative Templates, then expand System, click on
Removable Storage Access.
8. In the details pane on the right, right-click the item All Removable Storage classes: Deny all
access, and click Edit.
9. The policy dialog box appears with the current settings.
10. Click Enabled to turn the policy on (blocking access to USB devices).
11. Click OK to save the setting and return to Group Policy Management Editor.
12. Close the Group Policy Management Editor and return to the Group Policy Management window.
13. In the navigation pane, right click on the OU that contains machines to apply this policy on and
choose Link an Existing GPO… , from the Select GPO dialog, choose the Disable Removable
Storage, and click OK.
14. In the details pane for the OU in previous step, go to Linked Group Policy Objects tab, right click on
Disable Removable Storage Policy and toggle the value for Enforced so that the column shows
Yes to block access to USB devices or No to allow access to USB devices.

By default this change should take effect on machines in the OU within 2 hours, alternately from a
command prompt or PowerShell window on the domain controller, run as an administrator to execute
the following command and push the change out immediately:
gpupdate /force

- 64 -
CHAPTER

10 MANAGING DOMAINS

l Managing domain group policy

l Renaming a domain controller
l Removing a domain controller

10.1 Managing domain group policy

Overview
The Group Policy Management Console (GPMC) is the primary tool that Microsoft provides for
managing group policies. This tool is an optional feature on Microsoft Windows Server 2008 and , and
is a free download from Microsoft for Microsoft Windows Server 2003, Microsoft Windows 10 Enterprise
2016 LTSB (x64), and Microsoft Windows XP. Detailed information about using GPMC is available
from Microsoft at http://technet.microsoft.com/en-us/library/cc783034(WS.10).aspx.
Edit a Group Policy

ATTENTION
You must not modify theExperion group policies, as each update to Experion overwrites these
policies, eliminating any changes you have made. To change policy settings, create a new
Group Policy Object (GPO), add only the settings you need to change, and link the policy such
that the new settings override the Experion setting. Warning: Be cautious while overriding
Experion policy settings as it may affect the operation of Experion.
To edit a group policy, choose Administrative Tools > Group Policy Management, locate the
policy to be edited under Forest > Domains ><<your domain>>Group Policy Objects, and then
right-click and select Edit.
For more information, refer to the following Microsoft documentation-
http://technet.microsoft.com/en-us/library/cc759123(WS.10).aspx.

Copy a group policy

A copy operation is used for transferring settings from an existing Group Policy object in Active
Directory into a new GPO. The new GPO is given a Globally Unique Identifier (GUID) and is unlinked.
You can copy GPOs in the same domain, another domain in the same forest, or a domain in another
forest. However, if you want to copy GPOs across domains, ensure that trust is mutually established
between the domains. You can use the GPMC to copy GPOs. To understand more about copying
GPOs, refer to the following Microsoft documentation — http://technet.microsoft.com/en-
us/library/cc785936(WS.10).aspx.

- 65 -
Chapter 10 - Managing domains

10.1.1 To copy a group policy

1. Open Administrative Tools > Group Policy Management.
2. Find the policy to be copied under Forest > Domains > <<your domain>> Group Policy Objects ,
right-click and select Copy.
3. Right-click Group Policy Objects, click Paste, and then rename the copied policy as appropriate.
For more information on copying a group policy, refer to the following Microsoft documentation:
http://technet.microsoft.com/en-us/library/cc758287(WS.10).aspx

10.1.2 Move a group policy from the default domain to OUs

1. Open Administrative Tools > Group Policy Management, find the policy to be moved under Forest
> Domains > [your domain].
2. To unlink the GPO from the domain, right-click the GPO under the domain and choose Delete.

ATTENTION
When unlinking a GPO, do NOT delete the object from the Group Policy Objects, as this
deletes the GPO. Deleting the GPO from under the domain (or an OU) deletes the link to
the object, and not the object itself.

3. Link the GPO to the OU as follows:

a. Right-click the OU to which the policy should be linked, and then click Link and Existing
GPO.
b. In the Select GPO dialog box, select the policy to link and click OK.

TIP
For more information about working with group policies, refer to the following Microsoft
documentation.
http://technet.microsoft.com/en-us/library/cc783034(WS.10).aspx

10.2 Renaming a domain controller

You can rename a domain controller for the following reasons.
l To restructure your network for organizational and business needs
l To make management and administrative control easier

Renaming must be done without interruptions to the domain controller. The recommended practice for
renaming a domain controller without interruption to clients is to use the Netdom tool. However, there
would be a temporary interruption when the domain controller is restarted after a rename.

TIP
For more information about renaming a domain controller, refer to the following Microsoft
documentation:
http://technet.microsoft.com/en-us/library/cc782761(WS.10).aspx

- 66 -
Chapter 10 - Managing domains

10.3 Removing a domain controller

Removing a domain controller implies removing the domain controller role on the server and removing
the domain controller from the domain. This task is referred to as demoting a domain controller. For
detailed instructions about demoting a domain controller, refer to the section “Demoting a domain
controller” in the Windows Domain Implementation Guide for your installed OS version.
For more information about demoting a domain controller, refer to the following Microsoft documentation
at http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx

CAUTION
l If the domain has only one domain controller, removing a domain leads to permanent
loss of data (like User, Groups, and Accounts) contained in the domain. Hence, exercise
caution before taking up this activity.
l As long as the domain has multiple domain controllers, no data loss should happen.
Before performing this task, ensure the following:
o If this domain controller is a GC server, ensure that another GC server is
available to the users.
o Transfer any of the operation master roles held by the domain controller to
another domain controller.

- 67 -
CHAPTER

11 ADVANCED DOMAIN ADMINISTRATION

l Managing security
l DNS Recommendations for large FTE networks

11.1 Managing security

TIP
Refer to the chapter, “Configuring System Security” in the Experion Server and Client
Configuration Guide. Additionally, you can refer to the Appendix in this document.

11.2 DNS Recommendations for large FTE networks

l Overview
l Recommendation

11.2.1 Overview
There are numerous DNS design strategies based on the location and layout of network resources.
This section only addresses the network design recommendations for large FTE networks. In small
network implementations, having one or two domain controllers running DNS will satisfy most of the
network design goals. When implementing a large FTE network, especially with multiple level 2 FTE
communities that communicate with a common level 3 network, the layout of DNS could affect name
resolution across the entire network.

11.2.2 Recommendation
In a large FTE network, the major design goal is to minimize network traffic that needs to be routed to
the level 3 network while at the same time ensuring name resolution to the local network in which the
domain controller resides. To help minimize DNS traffic, there should be at least one domain controller
running DNS on each level 2 FTE community and at least one domain controller running DNS on the
level 3 network.
The preferred DNS server on each domain controller should be its local IP address. The alternate DNS
server on each domain controller in each level 2 FTE community should be the IP address of the level
3 domain controller that is running DNS.
The computer nodes on each level 2 FTE community should have their preferred DNS server and their
alternate DNS server set to the same IP addresses as the domain controller for that level 2 FTE
community. This will isolate the majority of DNS traffic and domain authentication to the local domain
controller in each level 2 FTE community.

- 69 -
Chapter 11 - Advanced Domain administration

Another configuration aspect that needs to be addressed is that of reverse lookup zone configuration for
this type of network design. It is assumed that each level 2 FTE community and the level 3 network will
have different IP networks. To ensure that reverse lookup (PTR) records are created for each host in
each IP network, the initial reverse lookup zone should be larger than the single IP network.
In the following network example, all of the IP networks share a common network identifier, in this case
172.21.x.x. In this situation, the reverse lookup zone should reference 172.21 as the network ID when
creating the reverse lookup zone. This will allow all of the level 2 and level 3 hosts to be contained in a
single reverse lookup zone.

Level Network
3 172.21.1.x
2 172.21.2.x
2 172.21.3.x

Consider 2 Domain Controllers are hosting DNS. Domain Controller 1 has an IP Address 10.0.1.3 and
Domain Controller 2 has an IP Address 10.0.1.4.
Using the cross registration pattern:
l Domain Controller 1 (10.0.1.3) DNS configuration should have a preferred of 10.0.1.4, and alternate
of 127.0.0.1.
l Domain Controller 2 (10.0.1.4) DNS configuration should have a preferred of 10.0.1.3, and alternate
of 127.0.0.1.

- 70 -
CHAPTER

12 APPENDIX

l Experion domain group policy settings

l Workstation security settings

12.1 Experion domain group policy settings

Policy settings related to Operating Applicable
Operating System Affected operating Description
releasesPath::Setting roles system
Microsoft
Windows
XP
/Microsoft
Windows Disables all Control Panel programs and prevents
Server Control.exe (the program file for Control Panel) from
2003 (32- starting.
bit),
Microsoft This setting also removes Control Panel from the
\Control Panel::Prohibit Operational Windows Start menu and Control Panel folder from Windows
access to the Control Pane Roles Vista Explorer.
/Microsoft
Windows If users try to select a Control Panel item from the
Server Properties item on a shortcut menu, a message
2008 appears explaining that a setting prevents the
Standard, action.
Microsoft
Windows 7
Profession
al (32-bit)/
Prevents users from using Add or Remove
Programs to configure installed services.
This setting removes the "Set up services" section of
the Add/Remove Windows Components page. The
Microsoft "Set up services" section lists system services that
Windows have not been configured and offers users easy
\Control Panel\Add or XP access to the configuration tools.
Remove Programs::Go Operational /Microsoft If you disable this setting or do not configure it, "Set
directly to Components Roles Windows up services" appears only when there are no
Wizard Server configured system services. If you enable this
2003 (32- setting, "Set up services" never appears.
bit)
This setting does not prevent users from using other
methods to configure services.
Note: When "Set up services" does not appear,
clicking the Add/Remove Windows Components

- 71 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
button starts the Windows Component Wizard
immediately. This is because, the only option
remaining on the Add/Remove Windows
Components page starts the wizard, that option is
selected automatically, and the page is bypassed.
To remove "Set up services" and prevent the
Windows Component Wizard from starting, enable
the "Hide Add/Remove Windows Components
page" setting. If the "Hide Add/Remove Windows
Components page" setting is enabled, this setting is
ignored.
Removes the Add New Programs button from the
Add or Remove Programs bar. As a result, users
Microsoft cannot view or change the attached page.
Windows
XP The Add New Programs button lets users install
\Control Panel\Add or programs published or assigned by a system
Operational /Microsoft
Remove Programs::Hide administrator.
Roles Windows
Add New Programs page
Server If you disable this setting or do not configure it, the
2003 (32- Add New Programs button is available to all users.
bit)
This setting does not prevent users from using other
tools and methods to install programs.
Removes the Add/Remove Windows Components
button from the Add or Remove Programs bar. As a
result, users cannot view or change the associated
page.
The Add/Remove Windows Components button lets
Microsoft users configure installed services and use the
Windows Windows Component Wizard to add, remove, and
\Control Panel\Add or XP configure components of Windows from the
Remove Programs::Hide Operational /Microsoft installation files.
Add/Remove Windows Roles Windows
Components page Server If you disable this setting or do not configure it, the
2003 (32- Add/Remove Windows Components button is
bit) available to all users.
This setting does not prevent users from using other
tools and methods to configure services, add, or
remove program components. However, this setting
blocks user access to the Windows Component
Wizard.
Removes the Change or Remove Programs button
from the Add or Remove Programs bar. As a result,
Microsoft users cannot view or change the attached page.
Windows The Change or Remove Programs button lets users
\Control Panel\Add or XP uninstall, repair, add, or remove features of installed
Remove Programs::Hide Operational /Microsoft programs.
Change or Remove Roles Windows
Programs page Server If you disable this setting or do not configure it, the
2003 (32- Change or Remove Programs page is available to
bit) all users.
This setting does not prevent users from using other
tools and methods to delete or uninstall programs.

- 72 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Removes the "Add a program from CD-ROM or
floppy disk" section from the Add New Programs
page. This prevents users from using Add or
Remove Programs to install programs from
removable media.

Microsoft If you disable this setting or do not configure it, the

Windows "Add a program from CD-ROM or floppy disk" option
\Control Panel\Add or is available to all users.
XP
Remove Programs::"Hide
Operational /Microsoft This setting does not prevent users from using other
the ""Add a program from
Roles Windows tools and methods to add or remove program
CD-ROM or floppy disk""
Server components.
option"
2003 (32-
bit) Note: If the "Hide Add New Programs page" setting
is enabled, this setting is ignored. In addition, if the
"Prevent removable media source for any install"
setting (located in User Configuration\Administrative
Templates\Windows Components\Windows
Installer) is enabled, users cannot add programs
from removable media, regardless of this setting.
Removes the "Add programs from Microsoft" section
from the Add New Programs page. This setting
Microsoft prevents users from using Add or Remove Programs
Windows to connect to Windows Update.
\Control Panel\Add or XP
Remove Programs::"Hide Operational /Microsoft If you disable this setting or do not configure it, "Add
the ""Add programs from Roles Windows programs from Microsoft" is available to all users.
Microsoft"" option" Server This setting does not prevent users from using other
2003 (32- tools and methods to connect to Windows Update.
bit)
Note: If the "Hide Add New Programs page" setting
is enabled, this setting is ignored.
Prevents users from viewing or installing published
programs.
This setting removes the "Add programs from your
network" section from the Add New Programs page.
The "Add programs from your network" section lists
published programs and provides an easy way to
install them.
Microsoft Published programs are those programs that the
Windows system administrator has explicitly made available
\Control Panel\Add or XP to the user with a tool such as Windows Installer.
Remove Programs::"Hide Operational /Microsoft Typically, system administrators publish programs to
the ""Add programs from Roles Windows notify users that the programs are available, to
your network"" option" Server recommend their use, or to enable users to install
2003 (32- them without having to search for installation files.
bit)
If you enable this setting, users cannot tell which
programs have been published by the system
administrator, and they cannot use Add or Remove
Programs to install published programs. However,
they can still install programs by using other
methods, and view and install assigned (partially
installed) programs that are offered on the desktop
or on the Start menu.

- 73 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
If you disable this setting or do not configure it, "Add
programs from your network" is available to all
users.
Note: If the "Hide Add New Programs page" setting
is enabled, this setting is ignored.
Prevents users from using Add or Remove
Programs.
This setting removes Add or Remove Programs from
Control Panel and removes the Add or Remove
Programs item from menus.
Microsoft Add or Remove Programs lets users install,
Windows uninstall, repair, add, and remove features and
XP components of Windows and a wide variety of
\Control Panel\Add or
Operational /Microsoft Windows programs. Programs published or
Remove Programs::Remove
Roles Windows assigned to the user appear in Add or Remove
Add or Remove Programs
Server Programs.
2003 (32-
bit) If you disable this setting or do not configure it, Add
or Remove Programs is available to all users.
When enabled, this setting takes precedence over
the other settings in this folder.
This setting does not prevent users from using other
tools and methods to install or uninstall programs.
Removes links to the Support Info dialog box from
programs on the Change or Remove Programs
page.
Programs listed on the Change or Remove
Programs page can include a "Click here for support
Microsoft information" hyperlink. When clicked, the hyperlink
Windows opens a dialog box that displays troubleshooting
XP information, including a link to the installation files
\Control Panel\Add or
Operational /Microsoft and data that users need to obtain product support,
Remove Programs::Remove
Roles Windows such as the Product ID and version number of the
Support Information
Server program. The dialog box also includes a hyperlink to
2003 (32- support information on the Internet, such as the
bit) Microsoft Product Support Services Web page.
If you disable this setting or do not configure it, the
Support Info hyperlink appears.
Note: Not all programs provide a support
information hyperlink.
Microsoft Disables Display in Control Panel.
Windows
XP If you enable this setting, Display in Control Panel
/Microsoft does not run. When users try to start Display, a
Windows message appears explaining that a setting prevents
\Control
Operational Server the action.
Panel\Display::Disable the
Roles 2003 (32-
Display Control Panel Also, see the "Prohibit access to the Control Panel"
bit), (User Configuration\Administrative
Microsoft Templates\Control Panel) and "Remove programs
Windows on Settings menu" (User
Vista Configuration\Administrative Templates\Start Menu

- 74 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
/Microsoft
Windows
Server & Taskbar) settings.
2008
Standard
Microsoft
Windows
XP Removes the Appearance and Themes tabs from
/Microsoft Display in Control Panel.
Windows
Server When this setting is enabled, it removes the desktop
2003 (32- color selection option from the Desktop tab.
\Control Panel\Display::Hide
Operational bit), This setting prevents users from using Control Panel
Appearance and Themes
Roles Microsoft to change the colors or color scheme of the desktop
tab
Windows and windows.
Vista
/Microsoft If this setting is disabled or not configured, the
Windows Appearance and Themes tabs are available in
Server Display in Control Panel.
2008
Standard
Microsoft
Windows
XP
/Microsoft
Windows Removes the Desktop tab from Display in Control
Server Panel.
2003 (32-
This setting prevents users from using Control Panel
\Control Panel\Display::Hide Operational bit),
to change the pattern and wallpaper on the desktop.
Desktop tab Roles Microsoft
Windows Enabling this setting also prevents the user from
Vista customizing the desktop by changing icons or
/Microsoft adding new Web content through Control Panel.
Windows
Server
2008
Standard
Microsoft
Windows
XP
/Microsoft
Windows
Server Removes the Screen Saver tab from Display in
2003 (32- Control Panel.
\Control Panel\Display::Hide Operational bit),
Screen Saver tab Roles Microsoft This setting prevents users from using Control Panel
Windows to add, configure, or change the screen saver on the
Vista computer.
/Microsoft
Windows
Server
2008
Standard
\Control Panel\Display::Hide Operational Microsoft Removes the Settings tab from Display in Control
Settings tab Roles Panel.

- 75 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit),
Microsoft
Windows This setting prevents users from using Control Panel
Vista to add, configure, or change the display settings on
/Microsoft the computer.
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Prevents users from adding or changing the
background design of the desktop.
Microsoft By default, users can use the Desktop tab of Display
Windows in Control Panel to add a background design
XP (wallpaper) to their desktop.
/Microsoft
Windows If you enable this setting, the Desktop tab still
Server appears, but all options on the tab are disabled.
2003 (32-
\Control To remove the Desktop tab, use the "Hide Desktop
Operational bit),
Panel\Display::Prevent tab" setting.
Roles Microsoft
changing wallpaper
Windows To specify wallpaper for a group, use the "Desktop
Vista Wallpaper" setting.
/Microsoft
Windows Note: You must also enable the "Desktop
Server Wallpaper" setting to prevent users from changing
2008 the desktop wallpaper. Refer to KB article: Q327998
Standard for more information.
Also, see the "Allow only bitmapped wallpaper"
setting.

Microsoft Enables desktop screen savers.

Windows If you disable this setting, screen savers do not run.
XP In addition, this setting disables the Screen Saver
/Microsoft section of the Screen Saver tab in Display in Control
Windows Panel. As a result, users cannot change the screen
Server saver options.
2003 (32-
\Control Operational If you do not configure it, this setting has no effect on
bit),
Panel\Display::Screen Roles is the system.
Microsoft
Saver disabled
Windows If you enable it, a screen saver runs, provided the
Vista following two conditions hold: First, a valid
/Microsoft screensaver on the client is specified through the
Windows "Screensaver executable name" setting or through
Server Control Panel on the client computer. Second, the
2008 screensaver timeout is set to a nonzero value
Standard through the setting or Control Panel.

- 76 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Also, see the "Hide Screen Saver tab" setting.
Microsoft
Windows
\Control Prevents users from changing the visual style of the
XP
Panel\Display\Desktop windows and buttons displayed on their screens.
Operational /Microsoft
Themes::Prevent selection When enabled, this setting disables the "Windows
Roles Windows
of windows and buttons and buttons" drop-down list on the Appearance tab
Server
styles in Display Properties.
2003 (32-
bit)
Prevents users from changing the size of the font in
Microsoft the windows and buttons displayed on their screens.
Windows
\Control XP If this setting is enabled, the "Font size" drop-down
Panel\Display\Desktop Operational /Microsoft list on the Appearance tab in Display Properties is
Themes::Prohibit selection Roles Windows disabled.
of font size Server
2003 (32- If you disable or do not configure this setting, a user
bit) may change the font size using the "Font size" drop-
down list on the Appearance tab.
Microsoft This setting forces the theme color to be the default
Windows color scheme.
\Control XP
If you enable this setting, a user cannot change the
Panel\Display\Desktop Operational /Microsoft
color scheme of the current desktop theme.
Themes::Prohibit Theme Roles Windows
color selection Server If you disable or do not configure this setting, a user
2003 (32- may change the color scheme of the current desktop
bit) theme.
Microsoft
This setting effects the Themes tab that controls the
Windows
overall appearance of windows.
XP
/Microsoft It is accessed through the Display icon in Control
Windows Panel.
Server
\Control 2003 (32- Using the options under the Themes tab, users can
Panel\Display\Desktop Operational bit), configure the theme for their desktop.
Themes::Remove Theme Roles Microsoft If you enable this setting, it removes the Themes tab.
option Windows
Vista If you disable or do not configure this setting, there is
/Microsoft no effect.
Windows
Note: If you enable this setting but do not set a
Server
theme, the theme defaults to whatever the user
2008
previously set.
Standard
Microsoft Enables desktop screen savers.
Windows If you disable this setting, screen savers do not run.
XP In addition, this setting disables the Screen Saver
/Microsoft section of the Screen Saver dialog in the
Windows Personalization or Display Control Panel. As a
\Control Operational Server
result, users cannot change the screen saver
Panel\Personalization::Ena Roles is 2003 (32- options.
ble screen saver disabled bit),
Microsoft If you do not configure it, this setting has no effect on
Windows the system.
Vista
If you enable it, a screen saver runs, provided the
/Microsoft
following two conditions hold: First, a valid screen

- 77 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows saver on the client is specified through the "Screen
Server Saver executable name" setting or through Control
2008 Panel on the client computer. Second, the screen
Standard, saver timeout is set to a nonzero value through the
Microsoft setting or Control Panel.
Windows 7
Profession Also, see the "Prevent changing Screen Saver"
al (32-bit)/ setting.
Microsoft
Windows
XP
/Microsoft
Windows
Server This setting forces the theme color scheme to be the
2003 (32- default color scheme.
bit), If you enable this setting, a user cannot change the
Microsoft color scheme of the current desktop theme.
\Control
Operational Windows
Panel\Personalization::Prev If you disable or do not configure this setting, a user
Roles Vista
ent changing color scheme may change the color scheme of the current desktop
/Microsoft
Windows theme.
Server For Windows 7 and later, use the "Prevent changing
2008 window color and appearance" setting.
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Prevents users from adding or changing the
Windows
background design of the desktop.
XP
/Microsoft By default, users can use the Desktop Background
Windows page in the Personalization or Display Control
Server Panel to add a background design (wallpaper) to
2003 (32- their desktop.
bit),
\Control Microsoft If you enable this setting, none of the Desktop
Panel\Personalization::Prev Operational Windows Background settings can be changed by the user.
ent changing desktop Roles Vista To specify wallpaper for a group, use the "Desktop
background /Microsoft Wallpaper" setting.
Windows
Server Note: You must also enable the "Desktop
2008 Wallpaper" setting to prevent users from changing
Standard, the desktop wallpaper. Refer to KB article: Q327998
Microsoft for more information.
Windows 7
Also, see the "Allow only bitmapped wallpaper"
Profession
setting.
al (32-bit)/
Microsoft Prevents users from changing the desktop icons.
Windows
XP By default, users can use the Desktop Icon Settings
\Control
Operational /Microsoft dialog in the Personalization or Display Control
Panel\Personalization::Prev
Roles Windows Panel to show, hide, or change the desktop icons.
ent changing desktop icons
Server
If you enable this setting, none of the desktop icons
2003 (32-
can be changed by the user.

- 78 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
bit),
Microsoft
Windows
Vista
/Microsoft
Windows
For systems prior to Windows Vista, this setting also
Server
hides the Desktop tab in the Display Control Panel
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Prevents users from changing the mouse pointers.
\Control Microsoft By default, users can use the Pointers tab in the
Panel\Personalization::Prev Operational Windows 7 Mouse Control Panel to add, remove, or change the
ent changing mouse Roles Profession mouse pointers.
pointers al (32-bit)/
If you enable this setting, none of the mouse pointer
scheme settings can be changed by the user
Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit), Prevents the Screen Saver dialog from opening in
Microsoft the Personalization or Display Control Panel.
\Control
Operational Windows This setting prevents users from using Control Panel
Panel\Personalization::Prev
Roles Vista to add, configure, or change the screen saver on the
ent changing screen saver
/Microsoft computer. It does not prevent a screen saver from
Windows running
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Prevents users from changing the sound scheme.
Microsoft By default, users can use the Sounds tab in the
\Control
Operational Windows 7 Sound Control Panel to add, remove, or change the
Panel\Personalization::Prev
Roles Profession system Sound Scheme.
ent changing sounds
al (32-bit)/
If you enable this setting, none of the Sound
Scheme settings can be changed by the user
Microsoft This setting disables the theme gallery in the
Windows Personalization Control Panel.
XP
\Control If you enable this setting, users cannot change or
Operational /Microsoft
Panel\Personalization::Prev save a theme. Elements of a theme such as the
Roles Windows
ent changing theme desktop background, window color, sounds, and
Server
2003 (32- screen saver can still be changed (unless policies
bit) are set to turn them off).

- 79 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
If you disable or do not configure this setting, there is
no effect.
Note: If you enable this setting but do not specify a
theme using the "load a specific theme" setting, the
theme defaults to whatever the user previously set
or the system default
Prevents users or applications from changing the
visual style of the windows and buttons displayed on
Microsoft their screens.
Windows
When enabled on Windows XP, this setting disables
\Control XP
the "Windows and buttons" drop-down list on the
Panel\Personalization::Prev Operational /Microsoft
Appearance tab in Display Properties.
ent changing visual style for Roles Windows
windows and buttons Server When enabled on Windows XP and later systems,
2003 (32- this setting prevents users and applications from
bit) changing the visual style through the command line.
Also, a user may not apply a different visual style
when changing themes
Microsoft
Windows
XP Disables the Window Color page in the
/Microsoft Personalization Control Panel, or the Color Scheme
Windows dialog in the Display Control Panel on systems
Server where the Personalization feature is not available.
2003 (32-
bit), This setting prevents users from using Control Panel
\Control Microsoft to change the glass color, system colors, or color
Panel\Personalization::Prev Operational Windows scheme of the desktop and windows.
ent changing window color Roles Vista If this setting is disabled or not configured, the
and appearance /Microsoft Window Color page or Color Scheme dialog is
Windows available in the Personalization or Display Control
Server Panel.
2008
Standard, For systems prior to Windows Vista, this setting
Microsoft hides the Appearance and Themes tabs in the in
Windows 7 Display in Control Panel
Profession
al (32-bit)/
Prevents users from changing the size of the font in
Microsoft the windows and buttons displayed on their screens.
Windows
\Control XP If this setting is enabled, the "Font size" drop-down
Panel\Personalization::Proh Operational /Microsoft list on the Appearance tab in Display Properties is
ibit selection of visual style Roles Windows disabled.
font size Server
2003 (32- If you disable or do not configure this setting, a user
bit) may change the font size using the "Font size" drop-
down list on the Appearance tab
Microsoft Allows users to use the Add Printer Wizard to search
Windows the network for shared printers.
XP
\Control If you enable this setting or do not configure it, when
Operational /Microsoft
Panel\Printers::Browse the users choose to add a network printer by selecting
Roles Windows
network to find printers the "A network printer, or a printer attached to
Server
another computer" radio button on Add Printer
2003 (32-
Wizard's page 2, and also check the "Connect to this

- 80 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
printer (or to browse for a printer, select this option
bit), and click Next)" radio button on Add Printer Wizard's
Microsoft page 3, and do not specify a printer name in the
Windows adjacent "Name" edit box, then Add Printer Wizard
Vista displays the list of shared printers on the network
/Microsoft and invites to choose a printer from the shown list.
Windows
If you disable this setting, the network printer browse
Server
page is removed from within the Add Printer Wizard,
2008
and users cannot search the network but must type
Standard,
a printer name.
Microsoft
Windows 7 Note: This setting affects the Add Printer Wizard
Profession only. It does not prevent users from using other
al (32-bit)/ programs to search for shared printers or to connect
to network printers.
Prevents users from using familiar methods to add
local and network printers.
This setting removes the Add Printer option from the
Microsoft Start menu. (To find the Add Printer option, click
Windows Start, click Printers, and then click Add Printer.) This
XP setting also removes Add Printer from the Printers
/Microsoft folder in Control Panel.
Windows In addition, users cannot add printers by dragging a
Server printer icon into the Printers folder. If they try, a
2003 (32- message appears explaining that the setting
bit), prevents the action.
Microsoft
\Control
Operational Windows However, this setting does not prevent users from
Panel\Printers::Prevent
Roles Vista using the Add Hardware Wizard to add a printer. Nor
addition of printers
/Microsoft does it prevent users from running other programs to
Windows add printers.
Server
2008 This setting does not delete printers that users have
Standard, already added. However, if users have not added a
Microsoft printer when this setting is applied, they cannot print.
Windows 7 Note: You can use printer permissions to restrict the
Profession use of printers without specifying a setting. In the
al (32-bit)/ Printers folder, right-click a printer, click Properties,
and then click the Security tab.
If this policy is disabled, or not configured, users can
add printers using the methods described above
Microsoft Prevents users from deleting local and network
Windows printers.
XP
/Microsoft If a user tries to delete a printer, such as by using the
Windows Delete option in Printers in Control Panel, a
\Control Server message appears explaining that a setting prevents
Operational 2003 (32- the action.
Panel\Printers::Prevent
Roles bit),
deletion of printers This setting does not prevent users from running
Microsoft
other programs to delete a printer.
Windows
Vista If this policy is disabled, or not configured, users can
/Microsoft delete printers using the methods described
Windows previously

- 81 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Prevents users from viewing or installing published
programs from the network.
This setting prevents users from accessing the "Get
Programs" page from the Programs Control Panel in
Category View, Programs and Features in Classic
View and the "Install a program from the network"
task. The "Get Programs" page lists published
programs and provides an easy way to install them.
Published programs are those programs that the
Microsoft system administrator has explicitly made available
Windows to the user with a tool such as Windows Installer.
Vista Typically, system administrators publish programs to
/Microsoft notify users of their availability, to recommend their
Windows use, or to enable users to install them without having
\Control
Operational Server to search for installation files.
Panel\Programs::"Hide ""Get
Roles 2008
Programs"" page" If this setting is enabled, users cannot view the
Standard,
Microsoft programs that have been published by the system
Windows 7 administrator, and they cannot use the "Get
Profession Programs" page to install published programs.
al (32-bit)/ Enabling this feature does not prevent users from
installing programs by using other methods. Users
will still be able to view and installed assigned
(partially installed) programs that are offered on the
desktop or on the Start menu.
If this setting is disabled or is not configured, the
"Install a program from the network" task to the "Get
Programs" page will be available to all users.
Note: If the "Hide Programs Control Panel" setting is
enabled, this setting is ignored
This setting prevents users from accessing "Installed
Microsoft Updates" page from the "View installed updates"
Windows task.
Vista "Installed Updates," allows users to view and
/Microsoft uninstall updates currently installed on the
Windows computer. The updates are often downloaded
\Control
Operational Server directly from Windows Update or from various
Panel\Programs::"Hide
Roles 2008 program publishers.
""Installed Updates"" page"
Standard,
Microsoft If this setting is disabled or not configured, the "View
Windows 7 installed updates" task and the "Installed Updates"
Profession page will be available to all users.
al (32-bit)/ This setting does not prevent users from using other
tools and methods to install or uninstall programs
\Control Operational Microsoft This setting prevents users from accessing
Panel\Programs::"Hide Roles "Programs and Features" to view, uninstall, change,

- 82 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
or repair programs that are currently installed on the
Windows computer.
Vista
/Microsoft If this setting is disabled or not configured,
Windows "Programs and Features" will be available to all
Server users.
""Programs and Features""
2008
page" This setting does not prevent users from using other
Standard,
Microsoft tools and methods to view or uninstall programs. It
Windows 7 also does not prevent users from linking to related
Profession Programs Control Panel Features including
al (32-bit)/ Windows Features, Get Programs, or Windows
Marketplace
This setting removes the Set Program Access and
Defaults page from the Programs Control Panel. As
a result, users cannot view or change the associated
Microsoft page.
Windows The Set Program Access and Computer Defaults
Vista page allows administrators to specify default
/Microsoft programs for certain activities, such as Web
\Control Windows browsing or sending e-mail, as well as specify the
Panel\Programs::"Hide ""Set Operational Server programs that are accessible from the Start menu,
Program Access and Roles 2008 desktop, and other locations.
Computer Defaults"" page" Standard,
Microsoft If this setting is disabled or not configured, the Set
Windows 7 Program Access and Defaults button is available to
Profession all users.
al (32-bit)/ This setting does not prevent users from using other
tools and methods to change program access or
defaults. This setting does not prevent the Default
Programs icon from appearing on the Start menu
This setting prevents users from accessing the "Turn
Microsoft Windows features on or off" task from the Programs
Windows Control Panel in Category View, Programs and
Vista Features in Classic View, and Get Programs. As a
/Microsoft result, users cannot view, enable, or disable various
Windows Windows features and services.
\Control
Operational Server
Panel\Programs::Hide
Roles 2008 If this setting is disabled or is not configured, the
"Windows Features"
Standard, "Turn Windows features on or off" task will be
Microsoft available to all users.
Windows 7
Profession This setting does not prevent users from using other
al (32-bit)/ tools and methods to configure services or enable or
disable program components
Microsoft This setting prevents users from access the "Get
Windows new programs from Windows Marketplace" task from
Vista the Programs Control Panel in Category View,
/Microsoft Programs and Features in Classic View, and Get
Windows Programs.
\Control
Operational Server
Panel\Programs::Hide Windows Marketplace allows users to purchase
Roles 2008
"Windows Marketplace" and/or download various programs to their computer
Standard,
for installation.
Microsoft
Windows 7 Enabling this feature does not prevent users from
Profession navigating to Windows Marketplace using other
al (32-bit)/ methods.

- 83 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
If this feature is disabled or is not configured, the
"Get new programs from Windows Marketplace" task
link will be available to all users.
Note: If the "Hide Programs control Panel" setting is
enabled, this setting is ignored
This setting prevents users from using the Programs
Control Panel in Category View and Programs and
Features in Classic View.
The Programs Control Panel allows users to
Microsoft uninstall, change, and repair programs, enable and
Windows disable Windows Features, set program defaults,
Vista view installed updates, and purchase software from
/Microsoft Windows Marketplace. Programs published or
Windows assigned to the user by the system administrator
\Control
Operational Server also appear in the Programs Control Panel.
Panel\Programs::Hide the
Roles 2008
Programs Control Panel
Standard, If this setting is disabled or not configured, the
Microsoft Programs Control Panel in Category View and
Windows 7 Programs and Features in Classic View will be
Profession available to all users.
al (32-bit)/
When enabled, this setting takes precedence over
the other settings in this folder.
This setting does not prevent users from using other
tools and methods to install or uninstall programs.
This policy removes the Administrative options from
the Regional and Language Options control panel.
Administrative options include interfaces for setting
Microsoft system locale and copying settings to the default
Windows user. This policy does not, however, prevent an
Vista administrator or another application from changing
/Microsoft these values programmatically.
\Control Panel\Regional
Windows The policy is used only to simplify the Regional
and Language
Operational Server Options control panel.
Options::Hide Regional and
Roles 2008
Language Options
Standard, If the policy is Enabled, then the user will not be able
administrative options
Microsoft to see the Administrative options.
Windows 7
Profession If the policy is Disabled or Not Configured, then the
al (32-bit)/ user will see the Administrative options.
Note that even if a user can see the Administrative
options, other policies may prevent them from
modifying the values.
Microsoft This policy removes the option to change the user's
Windows geographical location (GeoID) from the Language
Vista and Regional Options control panel. This does not,
/Microsoft however, prevent the user or an application from
\Control Panel\Regional Windows changing the GeoID programmatically.
and Language Operational Server
Options::Hide the Roles 2008 The policy is used only to simplify the Regional
geographic location option Standard, Options control panel.
Microsoft
Windows 7 If the policy is Enabled, then the user will not see the
Profession option to change the user geographical location
al (32-bit)/ (GeoID).

- 84 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
If the policy is Disabled or Not Configured, then the
user will see the option for changing the user
location (GeoID).
Note that even if a user can see the GeoID Option,
the "Disallow changing of geographical location"
option may prevent them from actually changing
their current geographical location.
This policy removes the option to change the user's
menus and dialogs (UI) language from the
Language and Regional Options control panel. This
Microsoft does not, however, prevent the user or an
Windows application from changing the UI language
Vista programmatically.
/Microsoft The policy is used only to simplify the Regional
\Control Panel\Regional Windows Options control panel.
and Language Operational Server
Options::Hide the select Roles 2008 If the policy is Enabled, then the user will not see the
language group options Standard, option for changing the UI language.
Microsoft
Windows 7 If the policy is Disabled or Not Configured, then the
Profession user will see the option for changing the UI
al (32-bit)/ language.
Note that even if a user can see the option to
change the UI language, other policies may prevent
them from changing their UI language.
This policy removes the regional formats interface
Microsoft from the Regional and Language Options control
Windows panel. This does not, however, prevent the user or
Vista an application from changing their user locale or
/Microsoft user overrides programmatically.
\Control Panel\Regional
Windows
and Language The policy is only used to simplify the Regional
Operational Server
Options::Hide user locale Options control panel.
Roles 2008
selection and customization
Standard, If the policy is Enabled, then the user will not see the
options
Microsoft regional formats options.
Windows 7
Profession If the policy is Disabled or Not Configured, then the
al (32-bit)/ user will see the regional formats options for
changing and customizing the user locale.
Remote shared folders are not added to Network
Locations whenever you open a document in the
Microsoft shared folder.
Windows
\Desktop::Do not add shares XP If you disable this setting or do not configure it, when
of recently opened Operational /Microsoft you open a document in a remote shared folder, the
documents to Network Roles Windows system adds a connection to the shared folder to
Locations Server Network Locations.
2003 (32-
bit) If you enable this setting, shared folders are not
added to Network Locations automatically when you
open a document in the shared folder.
Microsoft Prevents users from saving certain changes to the
Windows desktop.
\Desktop::Don't save Operational
XP
settings at exit Roles If you enable this setting, users can change the
/Microsoft
desktop, but some changes, such as the position of

- 85 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
Server
2003 (32-
bit),
Microsoft
Windows
Vista
open windows or the size and position of the
/Microsoft
taskbar, are not saved when users log off. However,
Windows
shortcuts placed on the desktop are always saved
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft Removes icons, shortcuts, and other default and
Windows user-defined items from the desktop, including
Server Briefcase, Recycle Bin, Computer, and Network
2003 (32- Locations.
bit),
Microsoft Removing icons and shortcuts does not prevent the
\Desktop::Hide and disable Operational Windows user from using another method to start the
all items on the desktop Roles Vista programs or opening the items they represent.
/Microsoft
Windows Also, see "Items displayed in Places Bar" in User
Server Configuration\Administrative Templates\Windows
2008 Components\Common Open File Dialog to remove
Standard, the Desktop icon from the Places Bar. This will help
Microsoft prevent users from saving data to the Desktop
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit),
Microsoft Removes the Internet Explorer icon from the desktop
\Desktop::Hide Internet Operational Windows and from the Quick Launch bar on the taskbar.
Explorer icon on desktop Roles Vista This setting does not prevent the user from starting
/Microsoft Internet Explorer by using other methods
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/

- 86 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Microsoft
Windows
XP
/Microsoft
Windows
Server Removes the Network Locations icon from the
2003 (32- desktop.
bit),
Microsoft This setting only affects the desktop icon. It does not
\Desktop::Hide Network Operational Windows prevent users from connecting to the network or
Locations icon on desktop Roles Vista browsing for shared computers on the network.
/Microsoft
Windows Note: In operating systems earlier than Microsoft
Server Windows Vista, this policy applies to the My Network
2008 Places icon
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft Prevents users from manipulating desktop toolbars.
Windows
XP If you enable this setting, users cannot add or
/Microsoft remove toolbars from the desktop. In addition, users
Windows cannot drag toolbars on to or off of docked toolbars.
Server
Note: If users have added or removed toolbars, this
2003 (32-
setting prevents them from restoring the default
bit),
configuration.
\Desktop::"Prevent adding, Microsoft
dragging, dropping and Operational Windows
closing the Taskbar's Roles Vista
toolbars" /Microsoft TIP
Windows To view the toolbars that can be added to
Server the desktop, right-click a docked toolbar
2008 (such as the taskbar beside the Start
Standard, button), and point to "Toolbars."
Microsoft
Windows 7 Also, see the "Prohibit adjusting desktop
Profession toolbars" setting
al (32-bit)/
Microsoft
Windows
XP Prevents users from adjusting the length of desktop
/Microsoft toolbars. In addition, users cannot reposition items
Windows or toolbars on docked toolbars.
Operational Server
Roles, 2003 (32- This setting does not prevent users from adding or
Engineerin bit), removing toolbars on the desktop.
\Desktop::Prohibit adjusting
g Role, and Microsoft
desktop toolbars Note: If users have adjusted their toolbars, this
Product Windows
Administrat setting prevents them from restoring the default
Vista
or Role configuration.
/Microsoft
Windows Also, see the "Prevent adding, dragging, dropping
Server and closing the Taskbar's toolbars" setting.
2008
Standard,

- 87 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft
Windows
Server Prevents users from changing the path to their
2003 (32- profile folders.
bit),
Microsoft By default, a user can change the location of their
\Desktop::Prohibit User from
Operational Windows individual profile folders like Documents, Music etc.
manually redirecting Profile
Roles Vista by typing a new path in the Locations tab of the
Folders
/Microsoft folder's Properties dialog box.
Windows
Server If you enable this setting, users are unable to type a
2008 new location in the Target box
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
If you enable this setting, Computer is hidden on the
desktop, the new Start menu, the Explorer folder tree
pane, and the Explorer Web views. If the user
manages to navigate to Computer, the folder will be
empty.
If you enable this setting, Computer is hidden on the
desktop, the new Start menu, the Explorer folder tree
pane, and the Explorer Web views. If the user
Microsoft manages to navigate to Computer, the folder will be
Windows empty
XP
\Desktop::Remove If you disable this setting, Computer is displayed as
Operational /Microsoft
Computer icon on the usual, appearing as normal on the desktop, Start
Roles Windows
desktop menu, folder tree pane, and Web views, unless
Server
restricted by another setting.
2003 (32-
bit) If you do not configure this setting, the default is to
display Computer as usual.
Note: In operating systems earlier than Microsoft
Windows Vista, this policy applies to the My
Computer icon. Hiding Computer and its contents
does not hide the contents of the child folders of
Computer. For example, if the users navigate into
one of their hard drives, they see all of their folders
and files there, even if this setting is enabled.
Microsoft Removes most occurrences of the My Documents
Windows icon.
\Desktop::Remove My
Operational XP This setting removes the My Documents icon from
Documents icon on the
Roles /Microsoft the desktop, from Windows Explorer, from programs
desktop
Windows that use the Windows Explorer windows, and from
Server the standard Open dialog box.

- 88 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
This setting does not prevent the user from using
other methods to gain access to the contents of the
My Documents folder.
2003 (32- This setting does not remove the My Documents
bit) icon from the Start menu. To do so, use the "Remove
My Documents icon from Start Menu" setting.
Note: To make changes to this setting effective, you
must log off from and log back on to Windows.
Removes the Properties option from the Recycle Bin
Microsoft shortcut menu.
Windows
If you enable this setting, the Properties option will
XP
\Desktop::Remove not be present when the user right-clicks on Recycle
Operational /Microsoft
Properties from the Recycle Bin or opens Recycle Bin and then clicks File.
Roles Windows
Bin context menu Likewise, Alt-Enter does nothing when Recycle Bin
Server
is selected.
2003 (32-
bit) If you disable or do not configure this setting, the
Properties option is displayed as usual.
Prevents users from using the Desktop Cleanup
Wizard.
If you enable this setting, the Desktop Cleanup
Microsoft wizard does not automatically run on a user’s
Windows workstation every 60 days. The user will also not be
XP able to access the Desktop Cleanup Wizard.
\Desktop::Remove the Operational /Microsoft If you disable this setting or do not configure it, the
Desktop Cleanup Wizard Roles Windows default behavior of the Desktop Clean Wizard
Server running every 60 days occurs.
2003 (32-
bit) Note: When this setting is not enabled, users can
run the Desktop Cleanup Wizard, or have it run
automatically every 60 days from Display, by
clicking the Desktop tab and then clicking the
Customize Desktop button.
Hides the Active Directory folder in Network
Locations.
The Active Directory folder displays Active Directory
objects in a browse window.
If you enable this setting, the Active Directory folder
\Desktop\Active
Operational does not appear in the Network Locations folder.
Directory::Hide Active
Roles
Directory folder If you disable this setting or do not configure it, the
Active Directory folder appears in the Network
Locations folder.
This setting is designed to let users search Active
Directory but not tempt them to casually browse
Active Directory.
Operational Microsoft Disables Active Desktop and prevents users from
Roles, Windows enabling it.
\Desktop\Desktop::Disable Engineerin XP
This setting prevents users from trying to enable or
Active Desktop g Role and /Microsoft
disable Active Desktop while a policy controls it.
Product Windows
Administrat Server If you disable this setting or do not configure it,

- 89 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Active Desktop is disabled by default, but users can
enable it.
Note: If both the "Enable Active Desktop" setting and
the "Disable Active Desktop" setting are enabled,
2003 (32- the "Disable Active Desktop" setting is ignored. If the
or Role
bit) "Turn on Classic Shell" setting (in User
Configuration\Administrative Templates\Windows
Components\Windows Explorer) is enabled, Active
Desktop is disabled, and both these policies are
ignored.
Prevents the user from enabling or disabling Active
Desktop or changing the Active Desktop
Microsoft configuration.
Operational
Windows
Roles, This is a comprehensive setting that locks down the
XP
Engineerin configuration you establish by using other policies in
\Desktop\Desktop::Prohibit /Microsoft
g Role and this folder. This setting removes the Web tab from
changes Windows
Product Display in Control Panel. As a result, users cannot
Server
Administrat enable or disable Active Desktop. If Active Desktop
2003 (32-
or Role is already enabled, users cannot add, remove, or
bit)
edit Web content or disable, lock, or synchronize
Active Desktop components.
Determines whether users can use the New
Connection Wizard, which creates new network
connections.
If you enable this setting (and enable the "Enable
Network Connections settings for Administrators"
setting), the Make New Connection icon does not
appear in the Start Menu on in the Network
Connections folder. As a result, users (including
administrators) cannot start the New Connection
Wizard.

Microsoft Important: If the "Enable Network Connections

Windows settings for Administrators" is disabled or not
\Network\Network XP configured, this setting will not apply to
Connections::Prohibit Operational /Microsoft administrators on post-Windows 2000 computers.
access to the New Roles Windows If you disable this setting or do not configure it, the
Connection Wizard Server Make New Connection icon appears in the Start
2003 (32- menu and in the Network Connections folder for all
bit) users. Clicking the Make New Connection icon
starts the New Connection Wizard.
Note: Changing this setting from Enabled to Not
Configured does not restore the Make New
Connection icon until the user logs off or on. When
other changes to this setting are applied, the icon
does not appear or disappear in the Network
Connections folder until the folder is refreshed.
This setting does not prevent users from using other
programs, such as Internet Explorer, to bypass this
setting.
\Network\Windows Connect
Operational Microsoft This policy setting prohibits access to Windows
Now::Prohibit Access of the Windows Connect Now (WCN) wizards. If this policy setting is
Roles
Windows Connect Now

- 90 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Vista enabled, the wizards are disabled and users will
/Microsoft have no access to any of the wizard tasks. All the
Windows configuration related tasks, including ‘Set up a
Server wireless router or access point’ and ‘Add a wireless
2008 device’, will be disabled. If this policy is disabled or
wizards
Standard, not configured, users will have access to the wizard
Microsoft tasks; including ‘Set up a wireless router or access
Windows 7 point’ and ‘Add a wireless device’. The default for
Profession this policy setting allows users to access all WCN
al (32-bit)/ wizards.
This policy only applies to the classic version of the
start menu and does not affect the new style start
menu.
Adds the "Log Off <username>" item to the Start
menu and prevents users from removing it.

Microsoft If you enable this setting, the Log Off <username>

Windows item appears in the Start menu. This setting also
XP removes the Display Logoff item from Start Menu
/Microsoft Options. As a result, users cannot remove the Log
Windows Off <username> item from the Start Menu.
Operational
Server If you disable this setting or do not configure it, users
Roles,
2003 (32- can use the Display Logoff item to add and remove
\Start Menu and Engineerin
bit), the Log Off item.
Taskbar::Add Logoff to the g Role and
Microsoft
Start Menu Product This setting affects the Start menu only. It does not
Windows
Administrat affect the Log Off item on the Windows Security
Vista
or Role dialog box that appears when you press
/Microsoft
Windows Ctrl+Alt+Del.
Server
Note: To add or remove the Log Off item on a
2008
computer, click Start, click Settings, click Taskbar
Standard
and Start Menu, click the Start Menu Options tab,
and then, in the Start Menu Settings box, click
Display Logoff.

Also, see "Remove Logoff" in User

Configuration\Administrative
Templates\System\Logon/Logoff.
Set the default action of the power button on the
Start menu.
If you enable this setting, the Start Menu will set the
Operational power button to the chosen action, and not let the
Roles, user change this action.
Engineerin Microsoft
\Start Menu and If you set the button to either Sleep or Hibernate,
g Role, and Windows 7
Taskbar::Change Start and that state is not
Product Profession
Menu power button
Administrat al (32-bit)/ supported on a computer, then the button will fall
or Role are back to Shut Down.
logged off
If you disable or do not configure this setting, the
Start Menu power button will be set to Shut Down by
default, and the user can change this setting to
another action.

- 91 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Clear history of recently opened documents on exit.
If you enable this setting, the system deletes
shortcuts to recently used document files when the
user logs off. As a result, the Recent Items menu on
the Start menu is always empty when the user logs
on. In addition, recently and frequently used items in
the Jump Lists off of programs in the Start Menu and
Microsoft Taskbar will be cleared when the user logs off.
Windows
If you disable or do not configure this setting, the
XP
system retains document shortcuts, and when a user
/Microsoft
logs on, the Recent Items menu and the Jump Lists
Windows
appear just as it did when the user logged off.
Server
2003 (32- Note: The system saves document shortcuts in the
bit), user profile in the System-
\Start Menu and Microsoft drive\Users\User-name\Recent folder.
Taskbar::Clear history of Operational Windows
recently opened documents Roles Vista Also, see the "Remove Recent Items menu from
on exit /Microsoft Start Menu" and "Do not keep history of recently
Windows opened documents" policies in this folder. The
Server system only uses this setting when neither of these
2008 related settings are selected.
Standard,
This setting does not clear the list of recent files that
Microsoft
Windows programs display at the bottom of the File
Windows 7
menu. See the "Do not keep history of recently
Profession
opened documents" setting.
al (32-bit)/
This policy setting also does not hide document
shortcuts displayed in the Open dialog box. See the
"Hide the dropdown list of recent files" setting.
This policy also does not clear items that the user
may have pinned to the Jump Lists, or Tasks that the
application has provided for their menu. See the "Do
not allow pinning items in Jump Lists" setting.
If you enable this setting, users cannot pin files,
folders, websites, or other items to their Jump Lists
in the Start Menu and Taskbar. Users also cannot
Microsoft unpin existing items pinned to their Jump Lists.
\Start Menu and
Operational Windows 7 Existing items already pinned to their Jump Lists will
Taskbar::Do not allow
Roles Profession continue to show.
pinning items in Jump Lists
al (32-bit)/ If you disable this setting or do not configure it, users
can pin files, folders, websites, and other items to a
program's Jump List so that the items is always
present in this menu.
Microsoft Prevents the operating system and installed
Windows programs from creating and displaying shortcuts to
XP recently opened documents.
\Start Menu and /Microsoft
Taskbar::Do not keep Operational Windows If you enable this setting, the system and Windows
history of recently opened Roles Server programs do not create shortcuts to documents
documents 2003 (32- opened while the setting is in effect. In addition, they
bit), retain but do not display existing document
Microsoft shortcuts. The system empties the Recent Items
Windows menu on the Start menu, and Windows programs do

- 92 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
not display shortcuts at the bottom of the File menu.
In addition, the Jump Lists off of programs in the
Start Menu and Taskbar do not show lists of recently
or frequently used files, folders, or websites.
If you disable or do not configure this setting, the
system will store and display shortcuts to recently
and frequently used files, folders, and websites.
Note: The system saves document shortcuts in the
user profile in the System-
drive\Users\User-name\Recent folder.
Also, see the "Remove Recent Items menu from
Start Menu" and "Clear history of recently opened
Vista documents on exit" policies in this folder.
/Microsoft
Windows If you enable this setting but do not enable the
Server "Remove Recent Items menu from Start Menu"
2008 setting, the Recent Items menu appears on the Start
Standard, menu, but it is empty.
Microsoft
If you enable this setting, but then later disable it or
Windows 7
set it to Not Configured, the document shortcuts
Profession
saved before the setting was enabled reappear in
al (32-bit)/
the Recent Items menu and program File menus,
and Jump Lists.
This setting does not hide or prevent the user from
pinning files, folders, or websites to the Jump Lists.
See the "Do not allow pinning items in Jump Lists"
setting. This policy also does not hide Tasks that the
application has provided for their Jump List. This
setting does not hide document shortcuts displayed
in the Open dialog box. See the "Hide the dropdown
list of recent files" setting.
Note:It is a requirement for third-party applications
with Windows 2000 or later certification to adhere to
this setting.
Microsoft
Windows Prevents the user from making any changes to the
Vista taskbar settings through the Taskbar Properties
/Microsoft dialog.
Windows
\Start Menu and If you enable this setting the user cannot access the
Operational Server
Taskbar::Lock all taskbar taskbar control panel. The user is also unable to
Roles 2008
settings resize, move or rearrange toolbars on their taskbar.
Standard,
Microsoft If you disable or do not configure this setting the
Windows 7 user will be able to set any taskbar setting that is not
Profession disallowed by another policy setting.
al (32-bit)/
Microsoft Removes the Taskbar and Start Menu item from
Windows Settings on the Start menu. This setting also
\Start Menu and Operational
XP prevents the user from opening the Taskbar
Taskbar::Prevent changes Roles and
/Microsoft Properties dialog box.
to Taskbar and Start Menu Engineerin
Windows
Settings g Role If the user right-clicks the taskbar and then clicks
Server
Properties, a message appears explaining that a

- 93 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
2003 (32-
bit),
Microsoft
Windows
Vista
/Microsoft
Windows
setting prevents the action.
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
This setting affects the taskbar buttons used to
switch between running programs.

Microsoft Taskbar grouping consolidates similar applications

Windows when there is no room on the taskbar. It kicks in
Operational XP when the user's taskbar is full.
\Start Menu and
Roles and /Microsoft If you enable this setting, it prevents the taskbar from
Taskbar::Prevent grouping
Engineerin Windows grouping items that share the same program name.
of taskbar items
g Role Server By default, this setting is always enabled.
2003 (32-
bit) If you disable or do not configure it, items on the
taskbar that share the same program are grouped
together. The users have the option to disable
grouping if they choose.
Microsoft
Windows Prevents users from adding or removing toolbars.
Vista
/Microsoft If you enable this policy setting the user will not be
Operational Windows allowed to add or remove any toolbars to the
\Start Menu and
Roles and Server taskbar. Applications will not be able to add toolbars
Taskbar::Prevent users from
Engineerin 2008 either.
adding or removing toolbars
g Role Standard,
Microsoft If you disable or do not configure this policy setting,
Windows 7 the users and applications will be able to add
Profession toolbars to the taskbar.
al (32-bit)/
Microsoft
Windows Prevents users from moving taskbar to another
Vista screen dock location.
/Microsoft
If you enable this policy setting the user will not be
\Start Menu and Operational Windows
able to drag their taskbar to another side of the
Taskbar::Prevent users from Roles and Server
monitor(s).
moving taskbar to another Engineerin 2008
screen dock location g Role Standard, If you disable or do not configure this policy setting
Microsoft the user may be able to drag their taskbar to other
Windows 7 sides of the monitor unless disallowed by another
Profession policy setting.
al (32-bit)/
Operational Microsoft Prevents users from rearranging toolbars.
\Start Menu and
Roles and Windows
Taskbar::Prevent users from If you enable this setting the user will not be able to
Engineerin Vista
rearranging toolbars drag or drop toolbars to the taskbar.
g Role

- 94 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
/Microsoft
Windows
Server
2008 If you disable or do not configure this policy setting,
Standard, users will be able to rearrange the toolbars on the
Microsoft taskbar.
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
Vista Prevent users from resizing the taskbar.
/Microsoft
Operational Windows If you enable this policy setting the user will not be
\Start Menu and
Roles and Server able to resize their taskbar to be any other size.
Taskbar::Prevent users from
Engineerin 2008
resizing the taskbar If you disable or do not configure this policy setting,
g Role Standard,
Microsoft the user will be able to resize their taskbar to be any
Windows 7 other size unless disallowed by another setting.
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit), Hides the menus that appear when you right-click
\Start Menu and Microsoft the taskbar and items on the taskbar, such as the
Taskbar::Remove access to Operational Windows Start button, the clock, and the taskbar buttons.
the context menus for the Roles Vista This setting does not prevent users from using other
taskbar /Microsoft methods to issue the commands that appear on
Windows these menus.
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Windows If you enable this setting, the "All Programs" item is
\Start Menu and XP removed from the simple Start menu.
Taskbar::Remove All Operational /Microsoft
Programs list from the Start Roles Windows If you disable this setting or do not configure it, the
menu Server "All Programs" item remains on the simple Start
2003 (32- menu.
bit)
Microsoft
This policy setting prevents users from performing
\Start Menu and Windows
the following commands from the Start menu or
Taskbar::"Remove and XP
Operational Windows Security screen: Shut Down, Restart,
prevent access to the Shut /Microsoft
Roles Sleep, and Hibernate. This policy setting does not
Down, Restart, Sleep, and Windows
prevent users from running Windows-based
Hibernate commands" Server
programs that perform these functions.

- 95 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
If you enable this policy setting, the Power button
and the Shut Down, Restart, Sleep, and Hibernate
2003 (32- commands are removed from the Start menu. The
bit), Power button is also removed from the Windows
Microsoft Security screen, which appears when you press
Windows CTRL+ALT+DELETE.
Vista
/Microsoft If you disable or do not configure this policy setting,
Windows the Power button and the Shut Down, Restart,
Server Sleep, and Hibernate commands are available on
2008 the Start menu. The Power button on the Windows
Standard, Security screen is also available.
Microsoft
Windows 7 Note: Third-party programs certified as compatible
Profession with Microsoft Windows Vista, Windows XP SP2,
al (32-bit)/ Windows XP SP1, Windows XP, or Windows 2000
Professional are required to support this policy
setting.
Hides pop-up text on the Start menu and in the
notification area.
When you hold the cursor over an item on the Start
menu or in the notification area, the system displays
Microsoft pop-up text providing additional information about
Windows the object.
XP
\Start Menu and If you enable this setting, some of this pop-up text is
Operational /Microsoft
Taskbar::Remove Balloon not displayed. The pop-up text affected by this
Roles Windows
Tips on Start Menu items setting includes "Click here to begin" on the Start
Server
2003 (32- button, "Where have all my programs gone" on the
bit) Start menu, and "Where have my icons gone" in the
notification area.
If you disable this setting or do not configure it, all
pop-up text is displayed on the Start menu and in
the notification area.
Microsoft
Windows
XP Removes items in the All Users profile from the
/Microsoft Programs menu on the Start menu.
Windows
Server By default, the Programs menu contains items from
2003 (32- the All Users profile and items from the user's profile.
bit), If you enable this setting, only items in the user's
\Start Menu and Microsoft profile appear in the Programs menu.
Taskbar::Remove common Operational Windows
program groups from Start Roles Vista
Menu /Microsoft TIP
Windows
Server To see the Program menu items in the All
2008 Users profile, on the system drive, go to
Standard, ProgramData\Microsoft\Windo
Microsoft ws\Start Menu\Programs.
Windows 7
Profession
al (32-bit)/
\Start Menu and Operational Microsoft Removes the Default Programs link from the Start
Taskbar::Remove Default Roles and Windows menu.

- 96 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Clicking the Default Programs link from the Start
menu opens the Default Programs control panel and
XP provides administrators the ability to specify default
/Microsoft programs for certain activities, such as Web
Programs link from the Start Engineerin Windows browsing or sending e-mail, as well as which
menu. g Role Server programs are accessible from the Start menu,
2003 (32- desktop, and other locations.
bit) Note: This setting does not prevent the Set Default
Programs for This Computer option from appearing
in the Default Programs control panel.
Microsoft
Windows
XP
/Microsoft
Windows
Server Removes the Documents icon from the Start menu
2003 (32- and its submenus.
bit), This setting only removes the icon. It does not
\Start Menu and Microsoft prevent the user from using other methods to gain
Taskbar::Remove Operational Windows access to the contents of the Documents folder.
Documents icon from Start Roles Vista
Menu /Microsoft Note: To make changes to this setting effective, you
Windows must log off and then log on.
Server Also, see the "Remove Documents icon on the
2008 desktop" setting.
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
\Start Menu and Operational Microsoft
Taskbar::Remove Roles and Windows 7 If you enable this policy the start menu will not show
Downloads link from Start Engineerin Profession a link to the Downloads folder.
Menu g Role al (32-bit)/
Microsoft
Windows
XP Prevents users from using the drag-and-drop
/Microsoft method to reorder or remove items on the Start
Windows menu. In addition, it removes shortcut menus from
Server the Start menu.
2003 (32- If you disable this setting or do not configure it, users
bit), can remove or reorder Start menu items by dragging
\Start Menu and Operational Microsoft and dropping the item. They can display shortcut
Taskbar::Remove drag-and- Roles and Windows menus by right-clicking a Start menu item.
drop and context menus on Engineerin Vista
the Start Menu g Role /Microsoft This setting does not prevent users from using other
Windows methods of customizing the Start menu or
Server performing the tasks available from the shortcut
2008 menus.
Standard, Also, see the "Prevent changes to Taskbar and Start
Microsoft Menu Settings" and the "Remove access to the
Windows 7 context menus for taskbar" settings.
Profession
al (32-bit)/

- 97 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Prevents users from adding the Favorites menu to
the Start menu or classic Start menu.
If you enable this setting, the Display Favorites item
Microsoft does not appear in the Advanced Start menu
Windows options box.
XP
/Microsoft If you disable or do not configure this setting, the
Windows Display Favorite item is available.
Server Note: The Favorites menu does not appear on the
2003 (32- Start menu by default. To display the Favorites
bit), menu, right-click Start, click Properties, and then
Microsoft click Customize. If you are using Start menu, click
\Start Menu and
Operational Windows the Advanced tab, and then, under Start menu items,
Taskbar::Remove Favorites
Roles Vista click the Favorites menu. If you are using the classic
menu from Start Menu
/Microsoft Start menu, click Display Favorites under Advanced
Windows Start menu options.
Server
2008 The items that appear in the Favorites menu when
Standard, you install Windows are preconfigured by the
Microsoft system to appeal to most users. However, users can
Windows 7 add and remove items from this menu, and system
Profession administrators can create a customized Favorites
al (32-bit)/ menu for a user group.
This setting only affects the Start menu. The
Favorites item still appears in Windows Explorer and
in Internet Explorer.
Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit), If you enable this setting, the frequently used
\Start Menu and Microsoft programs list is removed from the Start menu.
Taskbar::Remove frequent Operational Windows
programs list from the Start Roles Vista If you disable this setting or do not configure it, the
Menu /Microsoft frequently used programs list remains on the simple
Windows Start menu.
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Operational If you enable this policy the start menu will not show
Roles, a link to the Games folder.
Microsoft
\Start Menu and Engineerin
Windows 7 If you disable or do not configure this policy, the start
Taskbar::Remove Games g Role, and
Profession menu will show a link to the Games folder, unless
link from Start Menu Product
al (32-bit)/ the user chooses to remove it in the start menu
Administrat
or Role control panel.
\Start Menu and Operational Microsoft
Removes the Help command from the Start menu.
Taskbar::Remove Help Roles

- 98 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit),
Microsoft
Windows This setting only affects the Start menu. It does not
menu from Start Menu Vista remove the Help menu from Windows Explorer and
/Microsoft does not prevent users from running Help.
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Operational If you enable this policy the Start menu will not show
Roles, a link to Homegroup. It also removes the homegroup
\Start Menu and Microsoft item from the Start Menu options. As a result, users
Engineerin
Taskbar::Remove Windows 7 cannot add the homegroup link to the Start Menu.
g Role, and
Homegroup link from Start Profession
Product
Menu al (32-bit)/ If you disable or do not configure this policy, users
Administrat can use the Start Menu options to add or remove the
or Role homegroup link from the Start Menu.
Microsoft
Windows Prevents users from connecting to the Windows
XP Update Web site.
/Microsoft
Windows This setting blocks user access to the Windows
Server Update Web site at
2003 (32- http://windowsupdate.microsoft.com. In addition, the
Operational setting removes the Windows Update hyperlink from
bit),
Roles, the Start menu and from the Tools menu in Internet
Microsoft
\Start Menu and Engineerin Explorer.
Windows
Taskbar::Remove links and g Role, and
Vista Windows Update, the online extension of Windows,
access to Windows Update Product
/Microsoft offers software updates to keep a user’s system up-
Administrat
Windows to-date. The Windows Update Product Catalog
or Role
Server determines any system files, security fixes, and
2008 Microsoft updates that user’s need and shows the
Standard, newest versions available for download.
Microsoft
Windows 7 Also, see the "Hide the "Add programs from
Profession Microsoft" option" setting.
al (32-bit)/
Microsoft
Operational Windows
Roles, XP
\Start Menu and Engineerin /Microsoft
Taskbar::Remove Music g Role, and Windows Removes the Music icon from the Start Menu.
icon from Start Menu Product Server
Administrat 2003 (32-
or Role bit),
Microsoft

- 99 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
Vista
/Microsoft
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/

Microsoft Prevents users from running Network Connections.

Windows This setting prevents the Network Connections
XP folder from opening. This setting also removes
/Microsoft Network Connections from Settings on the Start
Windows menu.
Operational
Server
Roles, Network Connections still appears in Control Panel
\Start Menu and 2003 (32-
Engineerin and in Windows Explorer, but if users try to start it, a
Taskbar::Remove Network bit),
g Role, and message appears explaining that a setting prevents
Connections from Start Microsoft
Product the action.
Menu Windows
Administrat
Vista Also, see the "Disable programs on Settings menu"
or Role
/Microsoft and "Disable Control Panel" settings and the
Windows settings in the Network Connections folder
Server (Computer Configuration and User
2008 Configuration\Administrative
Standard Templates\Network\Network Connections).
Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32-
bit),
Microsoft
\Start Menu and
Operational Windows
Taskbar::Remove Network Removes the Network icon from the Start Menu.
Roles . Vista
icon from Start Menu
/Microsoft
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Operational
Windows
Roles,
XP
\Start Menu and Engineerin
/Microsoft
Taskbar::Remove Pictures g Role, and Removes the Pictures icon from the Start Menu.
Windows
icon from Start Menu Product
Server
Administrat
2003 (32-
or Role

- 100 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
bit),
Microsoft
Windows
Vista
/Microsoft
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
If you enable this setting, pinned programs are
Microsoft prevented from being shown on the Taskbar. Users
\Start Menu and
Operational Windows 7 cannot pin programs to the Taskbar.
Taskbar::Remove pinned
Roles . Profession If you disable this setting or do not configure it, users
programs from the Taskbar
al (32-bit)/ can pin programs so that the program shortcuts stay
on the Taskbar.
Microsoft
Windows
XP
/Microsoft
Windows If you enable this setting, the "Pinned Programs" list
Server is removed from the Start menu. Users cannot pin
2003 (32- programs to the Start menu.
bit),
\Start Menu and Microsoft In Windows XP and Windows Vista, the Internet and
Taskbar::Remove pinned Operational Windows email checkboxes are removed from the 'Customize
programs list from the Start Roles . Vista Start Menu' dialog.
Menu /Microsoft
Windows If you disable this setting or do not configure it, the
Server "Pinned Programs" list remains on the Start menu.
2008 Users can pin and unpin programs in the Start
Standard, Menu.
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft Prevents Control Panel, Printers, and Network
Windows Connections from running.
XP
/Microsoft This setting removes the Control Panel, Printers,
Windows and Network and Connection folders from Settings
Server on the Start menu, and from Computer and Windows
Operational 2003 (32- Explorer. It also prevents the programs represented
\Start Menu and by these folders (such as Control.exe) from running.
Roles and bit),
Taskbar::Remove programs
Engineerin Microsoft However, users can still start Control Panel items by
on Settings menu Windows
g Role . using other methods, such as right-clicking the
Vista
desktop to start Display or right-clicking Computer to
/Microsoft
start System.
Windows
Server Also, see the "Disable Control Panel," "Disable
2008 Display in Control Panel," and "Remove Network
Standard, Connections from Start Menu" settings.

- 101 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Microsoft
Windows 7
Profession
al (32-bit)/
Removes the Recent Items menu from the Start
menu. Removes the Documents menu from the
classic Start menu.
The Recent Items menu contains links to the non-
program files that users have most recently opened.
It appears so that users can easily reopen their
Microsoft
documents.
Windows
XP If you enable this setting, the system saves
/Microsoft document shortcuts but does not display the Recent
Windows Items menu in the Start Menu, and users cannot turn
Server the menu on.
2003 (32-
bit), If you later disable the setting, so that the Recent
Microsoft Items menu appears in the Start Menu, the
\Start Menu and document shortcuts saved before the setting was
Operational Windows
Taskbar::Remove Recent enabled and while it was in effect, appear in the
Roles . Vista
Items menu from Start Menu Recent Items menu.
/Microsoft
Windows When the setting is disabled, the Recent Items menu
Server appears in the Start Menu, and users cannot remove
2008 it.
Standard,
Microsoft If the setting is not configured, users can turn the
Windows 7 Recent Items menu on and off.
Profession
Note: This setting does not prevent Windows
al (32-bit)/
programs from displaying shortcuts to recently
opened documents. See the "Do not keep history of
recently opened documents" setting.
This setting also does not hide document shortcuts
displayed in the Open dialog box. See the "Hide the
dropdown list of recent files" setting.
Operational
Roles,
Microsoft
\Start Menu and Engineerin
Windows 7 If you enable this policy the start menu will not show
Taskbar::Remove Recorded g Role, and
Profession a link to the Recorded TV library.
TV link from Start Menu Product
al (32-bit)/
Administrat
or Role .
Microsoft Allows you to remove the Run command from the
Windows Start menu, Internet Explorer, and Task Manager.
XP If you enable this setting, the following changes
/Microsoft occur.
Windows
\Start Menu and 1. The Run command is removed from the Start
Operational Server
Taskbar::Remove Run 2003 (32- menu.
Roles
menu from Start Menu bit), 2. The New Task (Run) command is removed
Microsoft from Task Manager.
Windows
Vista 3. The user will be blocked from entering the
/Microsoft following into the Internet Explorer Address
Bar:

- 102 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system

Windows l A UNC path:\\<server>\<share>

Server l Accessing local drives: e.g., C:
2008 l Accessing local folders: e.g., \temp>
Standard,
Microsoft Also, users with extended keyboards will no longer
Windows 7 be able to display the Run dialog box by pressing
Profession the Application key (the key with the Windows logo)
al (32-bit)/ + R.
Microsoft
Windows If you enable this policy, the "See all results" link will
Vista not be shown when the user performs a search in
\Start Menu and the start menu search box.
Operational /Microsoft
Taskbar::Remove Search
Roles Windows If you disable or do not configure this policy, the
Computer link
Server "See all results" link will be shown when the user
2008 performs a search in the start menu search box.
Standard
Removes the Search link from the Start menu, and
disables some Windows Explorer search elements.
Note that this does not remove the search box from
the new style Start menu.
This setting removes the Search item from the Start
menu and from the shortcut menu that appears
when you right-click the Start menu. In addition, the
system does not respond when users press the
Application key (the key with the Windows logo)+ F.
\Start Menu and In Windows Explorer, the Search item still appears
Operational
Taskbar::Remove Search on the Standard buttons toolbar, but the system
Roles
link from Start Menu does not respond when the user presses Ctrl+F. In
addition, Search does not appear in the shortcut
menu when you right-click an icon representing a
drive or a folder.
This setting affects the specified user interface
elements only. It does not affect Internet Explorer
and does not prevent the user from using other
methods to search.
Note: This setting also prevents the user from using
the F3 key.
If you enable this policy, a "See more results" /
"Search Everywhere" link will not be shown when
the user performs a search in the start menu search
\Start Menu and Microsoft box.
Taskbar::Remove See More Operational Windows 7 If you disable or do not configure this policy, a "See
Results / Search Roles Profession more results" link will be shown when the user
Everywhere link al (32-bit)/ performs a search in the start menu search box. If a
3rd party protocol handler is installed, a "Search
Everywhere" link will be shown instead of the "See
more results" link.
Microsoft If you enable this setting, the "Undock PC" button is
\Start Menu and
Windows removed from the simple Start Menu, and your PC
Taskbar::"Remove the Operational
XP cannot be undocked.
""Undock PC"" button from Roles
/Microsoft
the Start Menu" If you disable this setting or do not configure it, the

- 103 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
Server
2003 (32-
bit),
Microsoft
Windows
Vista
/Microsoft "Undock PC" button remains on the simple Start
Windows menu, and your PC can be undocked.
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Prevents the Action Center in the system control
area from being displayed. If you enable this setting,
Operational Microsoft the Action Center icon will not be displayed in the
\Start Menu and
Roles and Windows 7 system notification area.
Taskbar::Remove the Action
Engineerin Profession
Center icon
g Role al (32-bit)/ If you disable or do not configure this setting, the
Action Center icon will be displayed in the system
notification area.
Microsoft
Windows
Vista Prevents the battery meter in the system control area
/Microsoft from being displayed. If you enable this setting, the
Windows battery meter will not be displayed in the system
\Start Menu and
Operational Server notification area.
Taskbar::Remove the
Roles 2008
battery meter If you disable or do not configure this setting, the
Standard,
Microsoft battery meter will be displayed in the system
Windows 7 notification area.
Profession
al (32-bit)/
Microsoft
Windows
Vista
/Microsoft If you enable this policy the start menu will not show
Windows a link to the user's storage folder.
\Start Menu and
Operational Server
Taskbar::Remove user If you disable or do not configure this policy, the start
Roles 2008
folder link from Start Menu menu will display a link, unless the user chooses to
Standard,
Microsoft remove it in the start menu control panel.
Windows 7
Profession
al (32-bit)/
Microsoft Hides all folders on the user-specific (top) section of
Windows the Start menu. Other items appear, but folders are
XP hidden.
\Start Menu and
Operational /Microsoft
Taskbar::Remove user's This setting is designed for use with redirected
Roles Windows
folders from the Start Menu folders. Redirected folders appear on the main
Server
2003 (32- (bottom) section of the Start menu. However, the
original, user-specific version of the folder still

- 104 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
appears on the top section of the Start menu.
Because the appearance of two folders with the
bit), same name might confuse users, you can use this
Microsoft setting to hide user-specific folders.
Windows
Vista Note that this setting hides all user-specific folders,
/Microsoft not just those associated with redirected folders.
Windows If you enable this setting, no folders appear on the
Server top section of the Start menu. If users add folders to
2008 the Start Menu directory in their user profiles, the
Standard, folders appear in the directory but not on the Start
Microsoft menu.
Windows 7
Profession If you disable this setting or do not configured it,
al (32-bit)/ Windows 2000 Professional and Windows XP
Professional display folders on both sections of the
Start menu.
Microsoft
\Start Menu and
Operational Windows 7 If you enable this policy the start menu will not show
Taskbar::Remove Videos
Roles Profession a link to the Videos library.
link from Start Menu
al (32-bit)/
This policy setting controls whether the
Microsoft QuickLaunch bar is displayed in the Taskbar.
Windows
Vista If you enable this policy setting, the QuickLaunch
\Start Menu and Operational bar will be visible and cannot be turned off.
/Microsoft
Taskbar::Show Roles is
Windows If you disable this policy setting, the QuickLaunch
QuickLaunch on Taskbar disabled
Server bar will be hidden and cannot be turned on.
2008
Standard If you do not configure this policy setting, then users
will be able to turn the QuickLaunch bar on and off.
If you enable this setting, certain notification
\Start Menu and Microsoft balloons that are marked as feature advertisements
Taskbar::Turn off feature Operational Windows 7 will not be shown.
advertisement balloon Roles Profession
notifications al (32-bit)/ If you disable this setting or do not configure it,
feature advertisement balloons will be shown.
Disables personalized menus.
Microsoft
Windows Windows personalizes long menus by moving
XP recently used items to the top of the menu and
/Microsoft hiding items that have not been used recently. Users
Windows can display the hidden items by clicking an arrow to
Server extend the menu.
2003 (32- If you enable this setting, the system does not
\Start Menu and
Operational bit), personalize menus. All menu items appear and
Taskbar::Turn off
Roles Microsoft remain in standard order. In addition, this setting
personalized menus
Windows removes the "Use Personalized Menus" option so
Vista users do not try to change the setting while a setting
/Microsoft is in effect.
Windows
Server Note: Personalized menus require user tracking. If
2008 you enable the "Turn off user tracking" setting, the
Standard system disables user tracking and personalized
menus and ignores this setting.

- 105 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system

TIP
To Turn off personalized menus without
specifying a setting, click Start, click
Settings, click Taskbar and Start Menu,
and then, on the General tab, clear the
"Use Personalized Menus" option.

If you disable or do not configure this setting, the

Microsoft system tracks the programs that the user runs. The
Windows system uses this information to customize Windows
XP features, such as showing frequently used programs
/Microsoft in the Start Menu.
Windows
Server If you enable this setting, the system does not track
2003 (32- the programs that the user runs, and does not
\Start Menu and display frequently used programs in the Start Menu.
Operational bit),
Taskbar::Turn off user
Roles Microsoft Also, see these related settings: "Remove frequent
tracking
Windows programs list from the Start Menu" and "Turn off
Vista personalized menus.”
/Microsoft
Windows This setting does not prevent users from pinning
Server programs to the Start Menu or Taskbar. See the
2008 "Remove pinned programs list from the Start Menu"
Standard and "Do not allow pinning programs to the Taskbar"
settings.
Suppresses the welcome screen.
This setting hides the welcome screen that is
displayed on Windows 2000 Professional each time
the user logs on.
Users can still display the welcome screen by
selecting it on the Start menu or by typing
"Welcome" in the Run dialog box.
This setting applies only to Windows 2000
Professional. It does not affect the "Configure Your
Operational Server on a Windows 2000 Server" screen on
Roles, Windows 2000 Server.
\System: Don’t display the Engineerin Note: This setting appears in the Computer
Getting Started welcome g Role, and Configuration and User Configuration folders. If both
screen at logon Product settings are configured, the setting in Computer
Administrat Configuration takes precedence over the setting in
or Role User Configuration.

TIP
To display the welcome screen, click
Start, point to Programs, point to
Accessories, point to System Tools, and
then click "Getting Started." To suppress
the welcome screen without specifying a
setting, clear the "Show this screen at
startup" check box on the welcome

- 106 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system

screen.

Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32- Disables the Windows registry editor Regedit.exe.
bit),
If this setting is enabled and the user tries to start a
Operational Microsoft
registry editor, a message appears explaining that a
\System::Prevent access to Roles and Windows
setting prevents the action.
registry editing tools Engineerin Vista
g Role /Microsoft To prevent users from using other administrative
Windows tools, use the "Run only specified Windows
Server applications" setting.
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
No
Operational
Disable regedit from
Roles and
running silently
Engineerin
g Role.
Microsoft
Windows
XP
/Microsoft
Windows Prevents users from running the interactive
Server command prompt, Cmd.exe. This setting also
2003 (32- determines whether batch files (.cmd and .bat) can
bit), run on the computer.
Microsoft
If you enable this setting and the user tries to open a
\System::Prevent access to Operational Windows
command window, the system displays a message
the command prompt Roles Vista
explaining that a setting prevents the action.
/Microsoft
Windows Note: Do not prevent the computer from running
Server batch files if the computer uses logon, logoff, startup,
2008 or shutdown batch file scripts, or for users that use
Standard, Remote Desktop Services.
Microsoft
Windows 7
Profession
al (32-bit)/
Disable the command No
prompt script processing Operational
also Roles.
Microsoft Prevents users from locking the system.
\System\Ctrl+Alt+Del Windows
Operational While locked, the desktop is hidden and the system
Options::Remove Lock XP
Roles cannot be used. Only the user who locked the
Computer /Microsoft
system or the system administrator can unlock it.

- 107 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
Server
2003 (32-
bit),
Microsoft
Windows
Vista TIP
/Microsoft To lock a computer without configuring a
Windows setting, press Ctrl+Alt+Delete, and then
Server click Lock Computer.
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft
Windows Prevents users from starting Task Manager
Server (Taskmgr.exe).
2003 (32-
If this setting is enabled and users try to start Task
bit),
Manager, a message appears explaining that a
Microsoft
\System\Ctrl+Alt+Del policy prevents the action.
Operational Windows
Options::Remove Task
Roles Vista Task Manager lets users start and stop programs;
Manager
/Microsoft monitor the performance of their computers; view
Windows and monitor all programs running on their
Server computers, including system services; find the
2008 executable names of programs; and change the
Standard, priority of the process in which programs run.
Microsoft
Windows 7
Profession
al (32-bit)/
Specifies whether users can participate in the Help
Microsoft Experience Improvement program. The Help
Windows Experience Improvement program collects
Vista information about how customers use Windows
\System\Internet
/Microsoft Help so that Microsoft can improve it.
Communication
Windows
Management\Internet
Operational Server If this setting is enabled, this policy prevents users
Communication
Roles 2008 from participating in the Help Experience
settings::Turn off Help
Standard, Improvement program.
Experience Improvement
Microsoft
Program If this setting is disabled or not configured, users will
Windows 7
Profession be able to turn on the Help Experience Improvement
al (32-bit)/ program feature from the Help and Support settings
page.

Microsoft Specifies whether users can provide ratings for Help

\System\Internet content.
Communication Windows
Management\Internet Operational Vista If this setting is enabled, this policy setting prevents
Communication Roles /Microsoft ratings controls from being added to Help content.
settings::Turn off Help Windows
Ratings Server If this setting is disabled or not configured, a rating
control will be added to Help topics.

- 108 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
2008
Standard,
Users can use the control to provide feedback on
Microsoft
the quality and usefulness of the Help and Support
Windows 7
content.
Profession
al (32-bit)/
Microsoft Specifies whether Windows Messenger collects
Windows anonymous information about how Windows
XP Messenger software and service is used.
/Microsoft With the Customer Experience Improvement
Windows program, users can allow Microsoft to collect
Server anonymous information about how the product is
\System\Internet 2003 (32- used. This information is used to improve the
Communication bit), product in future releases.
Management\Internet Microsoft
Communication Operational Windows If you enable this setting, Windows Messenger will
settings::Turn off the Roles Vista not collect usage information and the user settings
Windows Messenger /Microsoft to enable the collection of usage information will not
Customer Experience Windows be shown.
Improvement Program Server
2008 If you disable this setting, Windows Messenger will
Standard, collect anonymous usage information and the
Microsoft setting will not be shown.
Windows 7 If you do not configure this setting, users will have
Profession the choice to opt-in and allow information to be
al (32-bit)/ collected.
Specifies whether users can search and view
Microsoft content from Windows Online in Help and Support.
Windows Windows Online provides the most up-to-date Help
Vista content for Windows.
\System\Internet /Microsoft
Communication Windows If this setting is enabled, users will be prevented
Management\Internet Operational Server from accessing online assistance content from
Communication Roles 2008 Windows Online.
settings::Turn off Windows Standard,
Online Microsoft If this setting is disabled or not configured, users will
Windows 7 be able to access online assistance if they have a
Profession connection to the Internet and have not disabled
al (32-bit)/ Windows Online from the Help and Support Options
page.
Microsoft Removes access to the performance center control
Windows panel OEM and Microsoft branding links.
Vista
/Microsoft If you enable this setting, the OEM and Microsoft
\System\Performance Windows web links within the performance control panel page
Control Panel::Turn off Operational Server will not be displayed. The administrative tools will
access to the OEM and Roles 2008 not be affected.
Microsoft branding section Standard,
Microsoft If you disable or do not configure this setting, the
Windows 7 performance center control panel OEM and
Profession Microsoft branding links will be displayed to the
al (32-bit)/ user.

\System\Performance Microsoft Removes access to the performance center control

Control Panel::Turn off Operational Windows panel page.
access to the performance Roles Vista
center core section /Microsoft If you enable this setting, some settings within the

- 109 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Windows
Server performance control panel page will not be
2008 displayed. The administrative tools will not be
Standard, affected.
Microsoft If you disable or do not configure this setting, the
Windows 7 performance center control panel core section will
Profession be displayed to the user.
al (32-bit)/
Microsoft Removes access to the performance center control
Windows panel solutions to performance problems.
Vista
/Microsoft If you enable this setting, the solutions and issue
\System\Performance
Windows section within the performance control panel page
Control Panel::Turn off
Operational Server will not be displayed. The administrative tools will
access to the solutions to
Roles 2008 not be affected.
performance problems
Standard,
section If you disable or do not configure this setting, the
Microsoft
Windows 7 performance center control panel solutions to
Profession performance problems section will be displayed to
al (32-bit)/ the user.

Turns off the Autoplay feature.

Autoplay begins reading from a drive as soon as
Microsoft you insert media in the drive. As a result, the setup
Windows file of programs and the music on audio media start
XP immediately.
/Microsoft Prior to XP SP2, Autoplay is disabled by default on
Windows removable drives, such as the floppy disk drive (but
Server not the CD-ROM drive), and on network drives.
2003 (32-
bit), Starting with XP SP2, Autoplay is enabled for
Microsoft removable drives as well, including ZIP drives and
\Windows
Operational Windows some USB Mass Storage devices.
Components\AutoPlay
Roles Vista
Policies::Turn off Autoplay If you enable this setting, you can disable Autoplay
/Microsoft
Windows on CD-ROM and removable media drives, or
Server disable Autoplay on all drives.
2008 This setting disables Autoplay on additional types of
Standard, drives. You cannot use this setting to enable
Microsoft Autoplay on drives on which it is disabled by default.
Windows 7
Profession Note: This setting appears in both the Computer
al (32-bit)/ Configuration and User Configuration folders. If the
settings conflict, the setting in Computer
Configuration takes precedence over the setting in
User Configuration.
Operational
Turn off Autoplay on: Roles are
for all drives
\Windows Microsoft If this policy is enabled, autoplay will not be enabled
Components\AutoPlay Operational Windows 7 for non-volume devices like MTP devices. If you
Policies::Turn off Autoplay Roles Profession disable or not configure this policy, autoplay will
for non-volume devices al (32-bit)/ continue to be enabled for non-volume devices.
\Windows This policy setting allows you to turn off desktop
Operational Microsoft
Components\Desktop Windows gadgets. Gadgets are small applets that display
Roles
Gadgets::Turn off desktop information or utilities on the desktop.

- 110 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Vista
/Microsoft
Windows If you enable this setting, desktop gadgets will be
Server turned off.
2008
gadgets If you disable or do not configure this setting,
Standard,
desktop gadgets will be turned on.
Microsoft
Windows 7 The default is for desktop gadgets to be turned on.
Profession
al (32-bit)/
Prevents users from entering author mode.

Microsoft This setting prevents users from opening the

Windows Microsoft Management Console (MMC) in author
XP mode, explicitly opening console files in author
/Microsoft mode, and opening any console files that open in
Windows author mode by default.
Server
As a result, users cannot create console files or add
2003 (32-
or remove snap-ins. In addition, because they
bit),
\Windows cannot open author-mode console files, they cannot
Microsoft
Components\Microsoft use the tools that the files contain.
Operational Windows
Management
Roles Vista This setting permits users to open MMC user-mode
Console::Restrict the user
/Microsoft console files, such as those on the Administrative
from entering author mode
Windows Tools menu in Windows 2000 Server family or
Server Windows Server 2003 family. However, users
2008 cannot open a blank MMC console window on the
Standard, Start menu. (To open the MMC, click Start, click Run,
Microsoft and type mmc.) Users also cannot open a blank
Windows 7 MMC console window from a command prompt.
Profession
al (32-bit)/ If you disable this setting or do not configure it, users
can enter author mode and open author-mode
console files.
Permits or prohibits use of this snap-in.
Microsoft If you enable this setting, the snap-in is permitted. If
Windows you disable the setting, the snap-in is prohibited.
XP
/Microsoft If this setting is not configured, the setting of the
Windows "Restrict users to the explicitly permitted list of snap-
Server ins" setting determines whether this snap-in is
2003 (32- permitted or prohibited.
bit),
\Windows l If "Restrict users to the explicitly permitted list of
Microsoft
Components\Microsoft Operational snap-ins" is enabled, users cannot use any
Windows
Management Roles is snap-in except those explicitly permitted.
Vista
Console\Restricted/Permitte disabled
/Microsoft
d snap-ins::Server Manager To permit explicit use of this snap-in, enable this
Windows
setting. If this setting is not configured (or disabled),
Server
this snap-in is prohibited.
2008
Standard, l If "Restrict users to the explicitly permitted list of
Microsoft snap-ins" is disabled or not configured, users
Windows 7 can use any snap-in except those explicitly
Profession prohibited.
al (32-bit)/
To prohibit explicit use of this snap-in, disable this

- 111 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
setting. If this setting is not configured (or enabled),
the snap-in is permitted.
When a snap-in is prohibited, it does not appear in
the Add/Remove Snap-in window in MMC. In
addition, when a user opens a console file that
includes a prohibited snap-in, the console file
opens, but the prohibited snap-in does not appear.
This setting removes the "Open advanced properties
for this task when I click Finish" checkbox from the
last page of the Scheduled Task Wizard. This policy
is only designed to simplify task creation for
beginning users.
The checkbox, when checked, instructs Task
Scheduler to open the newly created task's property
Microsoft sheet automatically upon completion of the "Add
Windows Scheduled Task" wizard. The task's property sheet
\Windows
XP allows users to change task characteristics such as,
Components\Task
Operational /Microsoft the program the task runs, details of its schedule,
Scheduler::Hide Advanced
Roles Windows idle time and power management settings, and its
Properties Checkbox in Add
Server security context. Beginning users will often not be
Scheduled Task Wizard
2003 (32- interested or confused by having the property sheet
bit) displayed automatically. Note that the checkbox is
not checked by default even if this setting is
Disabled or Not Configured.
Note: This setting appears in the Computer
Configuration and User Configuration folders. If both
settings are configured, the setting in Computer
Configuration takes precedence over the setting in
User Configuration.
Prevents users from viewing and changing the
properties of an existing task.
This setting removes the Properties item from the
File menu in Scheduled Tasks and from the shortcut
menu that appears when you right-click a task. As a
result, users cannot change any properties of a task.
They can only see the properties that appear in
Detail view and in the task preview.
Microsoft
Windows This setting prevents users from viewing and
\Windows XP changing characteristics such as the program the
Components\Task Operational /Microsoft task runs, its schedule details, idle time and power
Scheduler::Hide Property Roles Windows management settings, and its security context.
Pages Server Note:This setting appears in the Computer
2003 (32- Configuration and User Configuration folders. If both
bit) settings are configured, the setting in Computer
Configuration takes precedence over the setting in
User Configuration.

TIP
This setting affects existing tasks only. To
prevent users from changing the

- 112 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system

properties of newly created tasks, use

the "Remove Advanced Menu" setting.

Prevents users from starting and stopping tasks

manually.
Microsoft This setting removes the Run and End Task items
Windows from the shortcut menu that appears when you right-
\Windows XP click a task. As a result, users cannot start tasks
Components\Task Operational /Microsoft manually or force tasks to end before they are
Scheduler::Prevent Task Roles Windows finished.
Run or End Server
2003 (32- Note: This setting appears in the Computer
bit) Configuration and User Configuration folders. If both
settings are configured, the setting in Computer
Configuration takes precedence over the setting in
User Configuration.
Limits newly scheduled to items on the user's Start
menu, and prevents the user from changing the
scheduled program for existing tasks.
This setting removes the Browse button from the
Schedule Task Wizard and from the Task tab of the
properties dialog box for a task. In addition, users
cannot edit the "Run" box or the "Start in" box that
determine the program and path for a task.
Microsoft
As a result, when users create a task, they must
Windows
select a program from the list in the Scheduled Task
XP
\Windows Wizard, which displays only the tasks that appear on
Operational /Microsoft
Components\Task the Start menu and its submenus. Once a task is
Roles Windows
Scheduler::Prohibit Browse created, users cannot change the program a task
Server
runs.
2003 (32-
bit) Important: This setting does not prevent users from
creating a new task by pasting or dragging any
program into the Scheduled Tasks folder. To prevent
this action, use the "Prohibit Drag-and-Drop" setting.
Note: This setting appears in the Computer
Configuration and User Configuration folders. If both
settings are configured, the setting in Computer
Configuration takes precedence over the setting in
User Configuration.
Prevents users from adding or removing tasks by
moving or copying programs in the Scheduled
Tasks folder.
Microsoft
Windows This setting disables the Cut, Copy, Paste, and
\Windows XP Paste Shortcut items on the shortcut menu and the
Components\Task Operational /Microsoft Edit menu in Scheduled Tasks. It also disables the
Scheduler::Prohibit Drag- Roles Windows drag-and-drop features of the Scheduled Tasks
and-Drop Server folder.
2003 (32- As a result, users cannot add new scheduled tasks
bit) by dragging, moving, or copying a document or
program into the Scheduled tasks folder.
This setting does not prevent users from using other

- 113 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
methods to create new tasks, and it does not prevent
users from deleting tasks.
Note: This setting appears in the Computer
Configuration and User Configuration folders. If both
settings are configured, the setting in Computer
Configuration takes precedence over the setting in
User Configuration.
Prevents users from creating new tasks.
This setting removes the Add Scheduled Task item
that starts the New Task Wizard. In addition, the
system does not respond when users try to move,
Microsoft paste, or drag programs or documents into the
Windows Scheduled Tasks folder.
\Windows XP
Components\Task Operational /Microsoft Note: This setting appears in the Computer
Scheduler::Prohibit New Roles Windows Configuration and User Configuration folders. If both
Task Creation Server settings are configured, the setting in Computer
2003 (32- Configuration takes precedence over the setting in
bit) User Configuration.
Important: This setting does not prevent
administrators of a computer from using At.exe to
create new tasks or prevent administrators from
submitting tasks from remote computers.
Prevents users from deleting tasks from the
Scheduled Tasks folder.
This setting removes the Delete command from the
Edit menu in the Scheduled Tasks folder and from
Microsoft the menu that appears when you right-click a task. In
Windows addition, the system does not respond when users
\Windows XP try to cut or drag a task from the Scheduled Tasks
Components\Task Operational /Microsoft folder.
Scheduler::Prohibit Task Roles Windows Note: This setting appears in the Computer
Deletion Server Configuration and User Configuration folders. If both
2003 (32- settings are configured, the setting in Computer
bit) Configuration takes precedence over the setting in
User Configuration.
Important: This setting does not prevent
administrators of a computer from using At.exe to
delete tasks.
By default Windows Anytime Upgrade is available
\Windows for all administrators.
Microsoft
Components\Windows
Operational Windows 7 If you enable this policy setting, Windows Anytime
Anytime Upgrade::Prevent
Roles Profession Upgrade will not run.
Windows Anytime Upgrade
al (32-bit)/
from running. If you disable this policy setting or set it to Not
Configured, Windows Anytime Upgrade will run.
Microsoft This policy setting prevents the display of the
\Windows Welcome Center at user logon.
Windows
Components\Windows
Operational Vista If you enable this policy setting, the Welcome Center
Explorer::Do not display the
Roles /Microsoft will not be displayed at user logon. The user will be
Welcome Center at user
Windows able to access the Welcome Center using the
logon
Server Control Panel or Start menu.

- 114 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
2008 If you disable or do not configure this policy setting,
Standard the Welcome Center will be displayed at user logon.
Removes the icons representing selected hard
drives from My Computer and Windows Explorer. In
addition, the drive letters representing the selected
drives do not appear in the standard Open dialog
Microsoft
box.
Windows
XP To use this setting, select a drive or combination of
/Microsoft drives in the drop-down list. To display all drives,
Windows disable this setting or select the "Do not restrict
Server drives" option in the drop-down list.
2003 (32-
bit), Note: This setting removes the drive icons. Users
\Windows can still gain access to drive contents by using other
Microsoft
Components\Windows methods, such as by typing the path to a directory on
Operational Windows
Explorer::Hide these the drive in the Map Network Drive dialog box, in the
Roles Vista
specified drives in My Run dialog box, or in a command window.
/Microsoft
Computer
Windows In addition, this setting does not prevent users from
Server using programs to access these drives or their
2008 contents. In addition, it does not prevent users from
Standard, using the Disk Management snap-in to view and
Microsoft change drive characteristics.
Windows 7
Profession Also, see the "Prevent access to drives from My
al (32-bit)/ Computer" setting.
It is a requirement for third-party applications with
Windows 2000 or later certification to adhere to this
setting.
Operational
Pick one of the following Roles
combinations restrict all
drives
Removes the Manage item from the Windows
Microsoft Explorer shortcut menu. This shortcut menu appears
Windows when you right-click Windows Explorer or My
XP Computer.
/Microsoft
The Manage item opens Computer Management
Windows
(Compmgmt.msc), a console tool that includes many
Server
of the primary Windows administrative tools, such as
2003 (32-
Event Viewer, Device Manager, and Disk
bit),
\Windows Management. You must be an administrator to use
Microsoft
Components\Windows many of the features of these tools.
Operational Windows
Explorer::Hides the Manage
Roles Vista This setting does not remove the Computer
item on the Windows
/Microsoft Management item from the Start menu (Start,
Explorer context menu
Windows Programs, Administrative Tools, Computer
Server Management), nor does it prevent users from using
2008 other methods to start Computer Management.
Standard,
Microsoft
Windows 7 TIP
Profession
al (32-bit)/ To hide all shortcut menus, use the
"Remove Windows Explorer's default

- 115 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system

context menu" setting.

Removes computers in the user's workgroup and

domain from lists of network resources in Windows
Explorer and Network Locations.
If you enable this setting, the system removes the
Microsoft "Computers Near Me" option and the icons
Windows representing nearby computers from Network
\Windows Locations. This setting also removes these icons
XP
Components\Windows from the Map Network Drive browser.
Operational /Microsoft
Explorer::No Computers
Roles Windows This setting does not prevent users from connecting
Near Me in Network
Server to computers in their workgroup or domain by other
Locations
2003 (32- commonly used methods, such as typing the share
bit) name in the Run dialog box or the Map Network
Drive dialog box.
To remove network computers from lists of network
resources, use the "No Entire Network in Network
Locations" setting.
Removes all computers outside of the user's
workgroup or local domain from lists of network
resources in Windows Explorer and Network
Locations.
If you enable this setting, the system removes the
Entire Network option and the icons representing
networked computers from Network Locations and
from the browser associated with the Map Network
Microsoft Drive option.
Windows
\Windows XP This setting does not prevent users from viewing or
Components\Windows Operational /Microsoft connecting to computers in their workgroup or
Explorer::No Entire Network Roles Windows domain. It also does not prevent users from
in Network Locations Server connecting to remote computers by other commonly
2003 (32- used methods, such as by typing the share name in
bit) the Run dialog box or the Map Network Drive dialog
box.
To remove computers in the user's workgroup or
domain from lists of network resources, use the "No
Computers Near Me in Network Locations" setting.
Note: It is a requirement for third-party applications
with Windows 2000 or later certification to adhere to
this setting.
Microsoft Prevents users from using My Computer to gain
Windows access to the content of selected drives.
XP
/Microsoft If you enable this setting, users can browse the
\Windows Windows directory structure of the selected drives in My
Components\Windows Operational Server Computer or Windows Explorer, but they cannot
Explorer::Prevent access to Roles 2003 (32- open folders and access the contents. In addition,
drives from My bit), they cannot use the Run dialog box or the Map
Microsoft Network Drive dialog box to view the directories on
Windows these drives.
Vista To use this setting, select a drive or combination of

- 116 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
drives from the drop-down list. To allow access to all
drive directories, disable this setting or select the
"Do not restrict drives" option from the drop-down
list.
/Microsoft
Windows Note: The icons representing the specified drives
Server still appear in My Computer, but if users double-click
2008 the icons, a message appears explaining that a
Standard, setting prevents the action.
Microsoft In addition, this setting does not prevent users from
Windows 7 using programs to access local and network drives.
Profession In addition, it does not prevent them from using the
al (32-bit)/ Disk Management snap-in to view and change drive
characteristics.
Also, see the "Hide these specified drives in My
Computer" setting.
Operational
Pick one of the following Roles
combinations restrict all
drives
This policy setting allows administrators to prevent
users from adding new items such as files or folders
to the root of their Users Files folder in Windows
Microsoft Explorer.
Windows
Vista If you enable this policy setting, users will no longer
/Microsoft be able to add new items such as files or folders to
\Windows the root of their Users Files folder in Windows
Windows
Components\Windows Explorer.
Operational Server
Explorer::Prevent users from
Roles 2008 If you disable or do not configure this policy setting,
adding files to the root of
Standard, users will be able to add new items such as files or
their Users Files folder.
Microsoft folders to the root of their Users Files folder in
Windows 7 Windows Explorer.
Profession
al (32-bit)/ Note: Enabling this policy setting does not prevent
the user from being able to add new items such as
files and folders to their actual file system profile
folder at %userprofile%.
Microsoft Prevents users from using Windows Explorer or
Windows Network Locations to map or disconnect network
XP drives.
/Microsoft
Windows If you enable this setting, the system removes the
Server Map Network Drive and Disconnect Network Drive
\Windows 2003 (32- commands from the toolbar and Tools menus in
Components\Windows bit), Windows Explorer and Network Locations and from
Operational Microsoft menus that appear when you right-click the
Explorer::Remove "Map
Roles Windows Windows Explorer or Network Locations icons.
Network Drive" and
"Disconnect Network Drive" Vista This setting does not prevent users from connecting
/Microsoft to another computer by typing the name of a shared
Windows folder in the Run dialog box.
Server
2008 Note: This setting was documented incorrectly on
Standard, the Explain tab in Group Policy for Windows 2000.
Microsoft The Explain tab states incorrectly that this setting

- 117 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
prevents users from connecting and disconnecting
Windows 7 drives.
Profession It is a requirement for third-party applications with
al (32-bit)/ Windows 2000 or later certification to adhere to this
setting.
Microsoft
Windows
XP
/Microsoft Windows Explorer allows you to create and modify
Windows re-writable CDs if you have a CD writer connected to
Server your PC.
2003 (32-
bit), If you enable this setting, all features in the Windows
\Windows Microsoft Explorer that allow you to use your CD writer are
Components\Windows Operational Windows removed.
Explorer::Remove CD Roles Vista If you disable or do not configure this setting, users
Burning features /Microsoft are able to use the Windows Explorer CD burning
Windows features.
Server
2008 Note: This setting does not prevent users from using
Standard, third-party applications to create or modify CDs
Microsoft using a CD writer.
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft
Windows
Server Removes the DFS tab from Windows Explorer.
2003 (32-
This setting removes the DFS tab from Windows
bit),
Explorer and from other programs that use the
Operational Microsoft
\Windows Windows Explorer browser, such as My Computer.
Roles and Windows
Components\Windows As a result, users cannot use this tab to view or
Engineerin Vista
Explorer::Remove DFS tab change the properties of the Distributed File System
g Role /Microsoft
(DFS) shares available from their computer.
Windows
Server This setting does not prevent users from using other
2008 methods to configure DFS.
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
\Windows Removes the File menu from My Computer and
/Microsoft
Components\Windows Windows Explorer.
Operational Windows
Explorer::Remove File Server This setting does not prevent users from using other
Roles
menu from Windows 2003 (32- methods to perform tasks available on the File
Explorer bit), menu.
Microsoft
Windows

- 118 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Vista
/Microsoft
Windows
Server
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Microsoft
Windows
XP
/Microsoft
Windows
Server Removes the Hardware tab.
2003 (32- This setting removes the Hardware tab from Mouse,
bit), Keyboard, and Sounds and Audio Devices in
\Windows Microsoft Control Panel. It also removes the Hardware tab
Components\Windows Operational Windows from the Properties dialog box for all local drives,
Explorer::Remove Roles Vista including hard drives, floppy disk drives, and CD-
Hardware tab /Microsoft ROM drives. As a result, users cannot use the
Windows Hardware tab to view or change the device list or
Server device properties, or use the Troubleshoot button to
2008 resolve problems with the device.
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
Removes the Search button from the Windows
Explorer toolbar.
This setting removes the Search button from the
Standard Buttons toolbar that appears in Windows
Explorer and other programs that use the Windows
Microsoft Explorer window, such as My Computer and
Windows Network Locations.
\Windows
XP It does not remove the Search button or affect any
Components\Windows
Operational /Microsoft search features of Internet browser windows, such
Explorer::Remove Search
Roles Windows as the Internet Explorer window.
button from Windows
Server
Explorer This setting does not affect the Search items on the
2003 (32-
bit) Windows Explorer shortcut menu or on the Start
menu. To remove Search from the Start menu, use
the "Remove Search menu from Start menu" setting
(in User Configuration\Administrative
Templates\Start Menu and Taskbar). To hide all
shortcut menus, use the "Remove Windows
Explorer's default context menu" setting.
Microsoft Removes the Security tab from Windows Explorer.
\Windows Windows
Components\Windows Operational XP If you enable this setting, users opening the
Explorer::Remove Security Roles /Microsoft Properties dialog box for all file system objects,
tab Windows including folders, files, shortcuts, and drives, will not
Server be able to access the Security tab. As a result, users

- 119 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
will be able to neither change the security settings
nor view a list of all users that have access to the
2003 (32- resource in question.
bit)
If you disable or do not configure this setting, users
will be able to access the security tab.
Removes the Shared Documents folder from My
Computer.
When a Windows client is in a workgroup, a Shared
Documents icon appears in the Windows Explorer
Web view under "Other Places" and also under
"Files Stored on This Computer" in My Computer.
Microsoft Using this policy setting, you can choose not to have
Windows these items displayed.
\Windows
XP
Components\Windows
Operational /Microsoft If you enable this setting, the Shared Documents
Explorer::Remove Shared
Roles Windows folder is not displayed in the Web view or in My
Documents from My
Server Computer.
Computer
2003 (32-
bit) If you disable or do not configure this setting, the
Shared Documents folder is displayed in Web view
and also in My Computer when the client is part of a
workgroup.
Note: The ability to remove the Shared Documents
folder via Group Policy is only available on Windows
XP Professional
If you enable this policy, the "Internet" "Search
again" link will not be shown when the user
performs a search in the Explorer window.
\Windows
Microsoft If you disable this policy, there will be an "Internet"
Components\Windows
Operational Windows 7 "Search again" link when the user performs a search
Explorer::"Remove the
Roles Profession in the Explorer window. This button launches a
Search the Internet ""Search
al (32-bit)/ search in the default browser with the search terms.
again"" link"
If you do not configure this policy (default), there will
be an "Internet" link when the user performs a
search in the Explorer window.
Disables the "Hide keyboard navigation indicators
until I use the ALT key" option in Display in Control
Microsoft Panel.
Windows
\Windows
XP When this Display Properties option is selected, the
Components\Windows
Operational /Microsoft underlining that indicates a keyboard shortcut
Explorer::Remove UI to
Roles Windows character (hot key) does not appear on menus until
change keyboard
Server you press ALT.
navigation indicator setting
2003 (32-
bit) Effects, such as transitory underlines, are designed
to enhance the user's experience but might be
confusing or distracting to some users.
Microsoft Prevents users from selecting the option to animate
\Windows Windows the movement of windows, menus, and lists.
Components\Windows XP
Operational If you enable this setting, the "Use transition effects
Explorer::Remove UI to /Microsoft
Roles for menus and tooltips" option in Display in Control
change menu animation Windows
Panel is disabled.
setting Server
2003 (32- Effects, such as animation, are designed to enhance

- 120 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
the user's experience but might be confusing or
bit)
distracting to some users.
Microsoft
Windows
XP
/Microsoft
Windows
Server
2003 (32- Removes shortcut menus from the desktop and
bit), Windows Explorer. Shortcut menus appear when
\Windows you right-click an item.
Microsoft
Components\Windows
Operational Windows If you enable this setting, menus do not appear
Explorer::Remove Windows
Roles Vista when you right-click the desktop or when you right-
Explorer's default context
/Microsoft click the items in Windows Explorer. This setting
menu
Windows does not prevent users from using other methods to
Server issue commands available on the shortcut menus.
2008
Standard,
Microsoft
Windows 7
Profession
al (32-bit)/
This setting allows an administrator to revert specific
Windows Shell behavior to classic Shell behavior.
If you enable this setting, users cannot configure
their system to open items by single-clicking (such
as in Mouse in Control Panel). As a result, the user
interface looks and operates like the interface for
Microsoft Windows NT 4.0, and users cannot restore the new
Windows features. Enabling this policy will also turn off the
XP preview pane and set the folder options for Windows
/Microsoft explorer to Use classic folders view and disable the
Windows user’s ability to change these options.
Server
\Windows 2003 (32- If you disable or not configure this policy, the default
Components\Windows Operational bit), Windows explorer behavior is applied to the user.
Explorer::Turn on Classic Roles Microsoft
Shell Windows Note: In operating systems earlier than Windows
Vista Vista, enabling this policy will also disable the Active
/Microsoft Desktop and Web view. This setting will also take
Windows precedence over the "Enable Active Desktop"
Server setting. If both policies are enabled, Active Desktop
2008 is disabled.
Standard In addition, see the "Disable Active Desktop" setting
in User Configuration\Administrative
Templates\Desktop\Active Desktop and the
"Remove the Folder Options menu item from the
Tools menu" setting in User
Configuration\Administrative Templates\Windows
Components\Windows Explorer.
Microsoft Prevents users from installing programs from
\Windows Windows removable media.
Components\Windows Operational XP
Installer::Prevent removable Roles /Microsoft If a user tries to install a program from removable
media source for any install Windows media, such as CD-ROMs, floppy disks, and DVDs,
a message appears, stating that the feature cannot

- 121 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
be found.
This setting applies even when the installation is
running in the user's security context.

Server If you disable this setting or do not configure it, users

2003 (32- can install from removable media when the
bit), installation is running in their own security context,
Microsoft but only system administrators can use removable
Windows media when an installation is running with elevated
Vista system privileges, such as installations offered on
/Microsoft the desktop or in Add or Remove Programs.
Windows
Also, see the "Enable user to use media source
Server
2008 while elevated setting" in Computer
Standard, Configuration\Administrative
Microsoft Templates\WindowsComponents\Windows
Windows 7 Installer.
Profession
al (32-bit)/ Also, see the "Hide the 'Add a program from CD-
ROM or floppy disk' option" setting in User
Configuration\Administrative
Templates\Control Panel\Add or
Remove Programs.
Microsoft
Windows
Vista Denies or allows access to the Windows Mail
/Microsoft application.
\Windows Windows
Components\Windows Operational Server If you enable this setting, access to the Windows
Mail::Turn off Windows Mail Roles 2008 Mail application is denied.
application Standard,
Microsoft If you disable or do not configure this setting, access
Windows 7 to the Windows Mail application is allowed.
Profession
al (32-bit)/
Microsoft
Windows
Vista
/Microsoft Specifies whether Windows Media Center can run.
\Windows
Windows
Components\Windows If you enable this setting, Windows Media Center
Operational Server
Media Center::Do not allow will not run.
Roles 2008
Windows Media Center to
Standard, If you disable or do not configure this setting,
run
Microsoft Windows Media Center can be run.
Windows 7
Profession
al (32-bit)/
Prevents media information for CDs and DVDs from
being retrieved from the Internet.
\Windows
Components\Windows This policy prevents the Player from automatically
Operational obtaining media information from the Internet for
Media Player::Prevent CD
Roles CDs and DVDs played by users. In addition, the
and DVD Media Information
Retrieval Retrieve media information for CDs and DVDs from
the Internet check box on the Privacy Options tab in
the first use dialog box and on the Privacy tab in the

- 122 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
Player are not selected and are not available.
When this policy is not configured or disabled, users
can change the setting of the Retrieve media
information for CDs and DVDs from the Internet
check box.
Prevents media information for music files from
being retrieved from the Internet.
This policy prevents the Player from automatically
obtaining media information for music files such as
Windows Media Audio (WMA) and MP3 files from
\Windows the Internet. In addition, the Update my music files
Components\Windows (WMA and MP3 files) by retrieving missing media
Operational
Media Player::Prevent information from the Internet check box in the first
Roles
Music File Media use dialog box and on the Privacy and Media
Information Retrieval Library tabs in the Player are not selected and are
not available.
When this policy is not configured or disabled, users
can change the setting of the Update my music files
(WMA and MP3 files) by retrieving missing media
information from the Internet check box.
Prevents radio station presets from being retrieved
from the Internet.
Microsoft
This policy prevents the Player from automatically
Windows
\Windows retrieving radio station presets from the Internet and
XP
Components\Windows displaying them in Media Library. In addition,
Operational /Microsoft
Media Player::Prevent presets that exist before the policy is configured will
Roles Windows
Radio Station Preset not be updated, and presets a user adds will not be
Server
Retrieval displayed.
2003 (32-
bit) When this policy is not configured or disabled, the
Player automatically retrieves radio station presets
from the Internet.
Windows Messenger is automatically loaded and
Microsoft running when a user logs on to a Windows XP
Windows computer. You can use this setting to stop Windows
XP Messenger from automatically being run at logon.
/Microsoft
Windows If you enable this setting, Windows Messenger will
Server not be loaded automatically when a user logs on.
2003 (32- If you disable or do not configure this setting, the
bit), Windows Messenger will be loaded automatically at
\Windows
Microsoft logon.
Components\Windows
Operational Windows
Messenger::Do not Note: This setting simply prevents Windows
Roles Vista
automatically start Windows Messenger from running initially. If the user invokes
/Microsoft
Messenger initially and uses Windows Messenger from that point on,
Windows
Server Windows Messenger will be loaded.
2008 The user can also configure this behavior on the
Standard, Preferences tab on the Tools menu in the Windows
Microsoft Messenger user interface.
Windows 7
Profession If you do not want users to use Windows Messenger,
al (32-bit)/ enable the "Do not allow Windows Messenger to
run" setting

- 123 -
Chapter 12 - Appendix

Policy settings related to Operating Applicable

Operating System Affected operating Description
releasesPath::Setting roles system
This setting is available under both Computer
Configuration and User Configuration. If both are
present, the Computer Configuration version of this
setting takes precedence
Microsoft
Windows Windows Sidebar is a feature that allows the use of
Vista gadgets, which are small applets that may display
/Microsoft information or utilities to the user.
\Windows Windows
Components\Windows Operational Server If you enable this setting, Windows Sidebar will be
Sidebar::Turn off Windows Roles 2008 turned off.
Sidebar Standard, If you disable or do not configure this setting,
Microsoft Windows Sidebar will be turned on.
Windows 7
Profession The default is for Windows Sidebar to be turned on.
al (32-bit)/
Microsoft
Windows
Vista This policy setting turns off Windows SideShow.
/Microsoft
If you enable this policy setting, the Windows
\Windows Windows
SideShow Control Panel will be disabled and data
Components\Windows Operational Server
from Windows SideShow-compatible gadgets
SideShow::Turn off Roles 2008
(applications) will not be sent to connected devices.
Windows SideShow Standard,
Microsoft If you disable or do not configure this policy setting,
Windows 7 Windows SideShow is on by default.
Profession
al (32-bit)/

12.2 Workstation security settings

l Security Model specific permissions
l Local policy settings

12.2.1 Security Model specific permissions

Part of the installation of the Common Security Model is to set up permissions on some keys in the
registry and directories in the file system. In addition, it installs a base set of files, with defined
permissions, that act as proxy access control lists (ACLs) for Experion objects and functions that do not
have an integral Windows ACL.

- 124 -
Chapter 12 - Appendix

Permissi
Scop
Registry PermissionsKey on for
e
Subkey

HKLM\SOFTWARE\Honeywell (add) Product RW Ful

Admins l

HKLM\SOFTWARE\Honeywell\ProgramData (add) Product Full Ful

Admins l

Engineer RW Full Ful

l
Supervisor RW Full

Operator RW Full

Ack View RW Full

View Only RW Full

HKLM\SOFTWARE\Honeywell\EngineeringData (set) Engineer RW

Windows Admin Full Full R

W
Windows Users R R

SYSTEM Full Full

Creator Owner Full

HKLM\software\Microsoft\MSDTC (add - legacy) Product RW

Admins

Local Servers RW RW R
W
HKLM\software\Clients\Mail (add - legacy) Product RW
Admins

Local Servers RW RW R

HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServer Local R
s\winreg (add) Servers

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib Product R R

(add) Admins

Local Servers R R

HKLM\Software\Microsoft\Windows Product R R
NT\CurrentVersion\WbemPerf (add) Admins

Local Servers R R

- 125 -
Chapter 12 - Appendix

Registry Permission for Scope

Files
PermissionsDirectories Folder Subfolders

%HwProgramData% (set) Product Admins RWX Full Full

Engineer RWX Full Full

Supervisor RWX Full Full

Operator RWX Full Full

Ack View RWX Full Full

View Only RWX Full Full

Windows Admin Full Full Full

SYSTEM Full Full RW

Ack View RX

%HwSecurityPath%\view only (add) Engineer RX

Supervisor RX

Operator RX

Ack View RX

View Only RX

%HwSecurityPath%\program (add) Engineer RX

%HwSecurityPath%\continuous control (add) Engineer RX

%HwSecurityPath%\checkpoint (add) Product Admins RX

Engineer RX

Supervisor RX

Operator RX

Ack View RX

View Only RX

%HwSecurityPath%\start (add) Product Admins RX

- 128 -
Chapter 12 - Appendix

File System PermissionsProxy Files Permission for Files Scope

Engineer RX

Supervisor RX

Operator RX

Ack View RX

View Only RX

%HwSecurityPath%\shutdown (add) Product Admins RX

Engineer RX

Supervisor RX

%HwSecurityPath%\shutdownforce (add) Product Admins RX

Engineer RX

Supervisor RX

In the preceding table, strings between percent signs (%) represent system environment variables that
may vary based on installation conditions. The default values for these are:
l .................................%HwProgramData% C:\ProgramData\Honeywell
l .................................%HwEngineeringData%
C:\ProgramData\Honeywell\EngineeringData
l .................................%HwProductConfig% C:\ProgramData\Honeywell\ProductConfig
l .................................%HwSecurityPath%
C:\ProgramData\Honeywell\ProductConfig\Security

12.2.2 Local policy settings

The local policy settings are applied through the SECEDIT.EXE command, using a template that is
installed by the Workstation Security package.
In the following table, cells with (*) symbol indicate default settings that were modified for Experion per
operating system. Cells with (**) indicate settings on Experion that differ between Windows 7, Windows
server 2008/2008 R2, Windows server 2012/2012 R2, Windows 10, and Windows server 2016.

- 129 -
Chapter 12 - Appendix

Window
s server Window Window Window
Window Window Window
Window 2008/20 s server s Server Window s Server
Local Policy s 7 for s 10 for s Server
s7 08 R2 2008/20 2012/20 s 10 2016 for
Settings Experio Experio 2016
defaults for 08 R2 12 R2 defaults Experio
n n defaults
Experio defaults defaults n
n
[System Access]
MinimumPasswor
0 0 0 0 1 1 1 1 1
dAge
MaximumPasswo
-1 42(*) -1 42(*) 42 42 42 42 42
rdAge
MinimumPasswor
0 0 0 0 7 7 7 7 7
dLength
PasswordComple
0(**) 0 1(**) 1 1 1 0 1 1
xity
PasswordHistory
10 0(*) 10 0(*) 24 24
Size
LockoutBadCount 0 0 0 0 0 0
RequireLogonTo
0 0 0 0
ChangePassword
ForceLogoffWhen
0 0 0 0 0 0
HourExpire
NewAdministrator Administ Administ Administ Administ
Name rator rator rator rator
NewGuestName Guest Guest Guest Guest
ClearTextPasswo
0 0 0 0
rd
LSAAnonymousN
0 0 0 0
ameLookup
EnableAdminAcc
0(**) 0 1(**) 1 0 0
ount
EnableGuestAcco
0 0 0 0 0 0
unt
[Event Audit]
AuditSystemEven
0 0 0 0
ts
AuditLogonEvent
2 0(*) 2 0(*)
s
AuditObjectAcces
0 0 0 0
s
AuditPrivilegeUse 0 0 0 0
AuditPolicyChang
3 0(*) 3 0(*)
e
AuditAccountMan
0 0 0 0
age
AuditProcessTrac
0 0 0 0
king
AuditDSAccess 0 0 0 0
AuditAccountLog
2 0(*) 2 0(*)
on

- 130 -
Chapter 12 - Appendix

[Registry Values]
HKLM\software\m
icrosoft\Ole\Enabl "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y" "Y"
eDCOM
HKLM\software\m
icrosoft\Ole\Legac
2 (*) 2 (*) (*) (*) (*) (*) (*)
yAuthenticationLe
vel
HKLM\software\m
icrosoft\Ole\Legac
3 2 3 2 2 3 2 3 2
yImpersonationLe
vel
HKLM\software\m
icrosoft\windows\
currentversion\pol
1 (*) 1 (*) (*) 1 (*) 1 (*)
icies\system\Hide
FastUserSwitchin
g
HKLM\software\m
icrosoft\windows\
currentversion\pol 0 (*) 0 (*) (*) 0 (*) 0 (*)
icies\system\Logo
nType
HKLM\SOFTWAR
E\Microsoft\Windo
ws\Windows Error
10 (*) 10 (*) (*) 10 (*) 10 (*)
Reporting\LocalD
umps\DumpCoun
t
"%HwPr "%HwPr "%HwPr "%HwPr
HKLM\SOFTWAR
ogramD ogramD ogramD ogramD
E\Microsoft\Windo
ata%\ ata%\ ata%\ ata%\
ws\Windows Error
Experio (*) Experio (*) (*) Experio (*) Experio (*)
Reporting\LocalD
n PKS n PKS n PKS n PKS
umps\DumpFolde
\CrashD \CrashD \CrashD \CrashD
r
ump ump" ump" ump"
HKLM\SOFTWAR
E\Microsoft\Windo
ws\Windows Error 2 (*) 2 (*) (*) 2 (*) 2 (*)
Reporting\LocalD
umps\DumpType
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio
0 0 0 0 0 0 0 0 0
n\Setup\Recovery
Console\Security
Level
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio
0 0 0 0 0 0 0 0 0
n\Setup\Recovery
Console\SetCom
mand
HKLM\Software\M
icrosoft\Windows “0” (*) “0” (*) (*) “0” (*) “0” (*)
NT\CurrentVersio

- 131 -
Chapter 12 - Appendix

n\Winlogon\Alloc
ateCDRoms
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio “0” (*) “0” (*) (*) “0” (*) “0” (*)
n\Winlogon\Alloc
ateDASD
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio “1” (*) “1” (*) (*) “1” (*) “1” (*)
n\Winlogon\Alloc
ateFloppies
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio “10” “10” “10” “25”(*) 10 10 10 10 10
n\Winlogon\Cach
edLogonsCount
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio 0 0 0 0 0 0 0 0 0
n\Winlogon\Force
UnlockLogon
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio
5(**) 5 14(**) 14 5 5 5 5 5
n\Winlogon\Pass
wordExpiryWarni
ng
HKLM\Software\M
icrosoft\Windows
NT\CurrentVersio “0” “0” “0” “0” “0” “0” “0” “0” “0”
n\Winlogon\ScRe
moveOption
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
5(**) 5 2(**) 2 5 5 5 5 5
olicies\System\Co
nsentPromptBeha
viorAdmin
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
3(**) 3 1(**) 1 3 3 3 3 3
olicies\System\Co
nsentPromptBeha
viorUser
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P 0 0 0 0 0 0 (*) 0 0
olicies\System\Di
sableCAD
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
1 (*) 1 0(*) 0 1 0 1 0
olicies\System\Do
ntDisplayLastUse
rName

- 132 -
Chapter 12 - Appendix

HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
1 1 1 1 1 1 1 1 1
olicies\System\En
ableInstallerDete
ction
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P 1 1 1 1 1 1 1 1 1
olicies\System\En
ableLUA
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
1 1 1 1 1 1 1 1 1
olicies\System\En
ableSecureUIAPa
ths
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
0 0 0 0 1 1 1 1 1
olicies\System\En
ableUIADesktopT
oggle
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P 0 1(*) 0 1(*) 0 0 0 0 0
olicies\System\En
ableVirtualization
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
1 0(*) 1 0(*) 1 0 1 0 1
olicies\System\Filt
erAdministratorTo
ken
HKLM\Software\M
icrosoft\Windows\ "Importa "Importa "Importa "Importa
No No No
CurrentVersion\P nt 0(*) nt 0(*) nt nt
Value Value Value
olicies\System\Le Notice:" Notice:" Notice:" Notice:"
galNoticeCaption
“Do not “ Do not “ Do not “ Do not
attempt attempt attempt attempt
HKLM\Software\M
to log on to log on to log on to log on
icrosoft\Windows\
unless unless No unless No unless No
CurrentVersion\P 0(*) 0(*)
you are you are Value you are Value you are Value
olicies\System\Le
an an an an
galNoticeText
authoriz authoriz authoriz authoriz
ed user” ed user” ed user” ed user”
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
0 1(*) 0 1(*) 1 0 1 0 1
olicies\System\Pr
omptOnSecureDe
sktop
HKLM\Software\M
icrosoft\Windows\
0 0 0 0 0 0 0 0 0
CurrentVersion\P
olicies\System\Sc

- 133 -
Chapter 12 - Appendix

ForceOption
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
1(**) 1 0(**) 0 0 1 1 1 0
olicies\System\Sh
utdownWithoutLo
gon
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
1 1 1 1 1 1 1 1 1
olicies\System\Un
dockWithoutLogo
n
HKLM\Software\M
icrosoft\Windows\
CurrentVersion\P
0 0 0 0 0 0 0 0 0
olicies\System\Va
lidateAdminCode
Signatures
HKLM\Software\P
olicies\Microsoft\
Windows\Safer\C
0 0 0 0 0 0 0 0 0
odeIdentifiers\Aut
henticodeEnable
d
HKLM\System\Cu
rrentControlSet\C
0 0 0 0 0 0 0 0 0
ontrol\Lsa\AuditB
aseObjects
HKLM\System\Cu
rrentControlSet\C
0 0 0 0 0 0 0 0 0
ontrol\Lsa\Crash
OnAuditFail
HKLM\System\Cu
rrentControlSet\C
0 0 0 0 0 0 0 0 0
ontrol\Lsa\Disabl
eDomainCreds
HKLM\System\Cu
rrentControlSet\C
ontrol\Lsa\Everyo 0 0 0 0 0 0 0 0 0
neIncludesAnony
mous
HKLM\System\Cu
rrentControlSet\C
ontrol\Lsa\FIPSAl 0 0 0 0 0 0 0 0 0
gorithmPolicy\En
abled
HKLM\System\Cu
rrentControlSet\C
0 0 0 0 0 0 0 0 0
ontrol\Lsa\ForceG
uest
HKLM\System\Cu
rrentControlSet\C
0 0 0 0 0 0 0 0 0
ontrol\Lsa\FullPriv
ilegeAuditing
HKLM\System\Cu 1 1 1 1 1 1 1 1 1

- 134 -
Chapter 12 - Appendix

rrentControlSet\C
ontrol\Lsa\LimitBl
ankPasswordUse
HKLM\System\Cu
rrentControlSet\C
4 (*) 4 3(*) (*) 4 (*) 4 (*)
ontrol\Lsa\LmCo
mpatibilityLevel
HKLM\System\Cu
rrentControlSet\C
536,870 536,870 536,870 536,870 53, 68, 536,870 53, 68,
ontrol\Lsa\MSV1_ 0(**) 0
,912(**) ,912 ,912 ,912 70, 91, 2 ,912 70, 91, 2
0\NTLMMinClient
Sec
HKLM\System\Cu
rrentControlSet\C
536,870 536,870 536,870 536,870 53, 68, 536,870 53, 68,
ontrol\Lsa\MSV1_ 0(**) 0
,912(**) ,912 ,912 ,912 70, 91, 2 ,912 70, 91, 2
0\NTLMMinServe
rSec
HKLM\System\Cu
rrentControlSet\C
1 1 1 1 1 1 1 1 1
ontrol\Lsa\NoLM
Hash
HKLM\System\Cu
rrentControlSet\C
0 0 0 0 0 0 0 0 0
ontrol\Lsa\Restrict
Anonymous
HKLM\System\Cu
rrentControlSet\C
1 1 1 1 1 1 1 1 1
ontrol\Lsa\Restrict
AnonymousSAM
HKLM\System\Cu
rrentControlSet\C
ontrol\Print\Provid
1 0(*) 1 1 1 1 0 1 1
ers\LanMan Print
Services\Servers\
AddPrinterDrivers
System\ System\ System\ System\ System\ System\ System\ System\ System\
Current Current Current Current Current Current Current Current Current
Control Control Control Control Control Control Control Control Control
Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont
rol\Prod rol\Prod rol\Prod rol\Prod rol\Prod rol\Prod rol\Prod rol\Prod rol\Prod
uctOptio uctOptio uctOptio uctOptio uctOptio uctOptio uctOptio uctOptio uctOptio
ns, ns, ns, ns, ns, ns, ns, ns, ns,
System\ System\ System\ System\ System\ System\ System\ System\ System\
HKLM\System\Cu Current Current Current Current Current Current Current Current Current
rrentControlSet\C Control Control Control Control Control Control Control Control Control
ontrol\SecurePipe Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont
Servers\Winreg\Al rol\Serv rol\Serv rol\Serv rol\Serv rol\Serv rol\Serv rol\Serv rol\Serv rol\Serv
lowedExactPaths\ er er er er er er er er er
Machine Applicati Applicati Applicati Applicati Applicati Applicati Applicati Applicati Applicati
ons, ons, ons, ons, ons, ons, ons, ons, ons,
Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar
e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros
oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind
ows ows ows ows ows ows ows ows ows
NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr
entVersi entVersi entVersi entVersi entVersi entVersi entVersi entVersi entVersi
on on on on on on on on on

- 135 -
Chapter 12 - Appendix

System\ System\ System\ System\ System\ System\ System\ System\ System\

Current Current Current Current Current Current Current Current Current
Control Control Control Control Control Control Control Control Control
Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont
rol\Print\ rol\Print\ rol\Print\ rol\Print\ rol\Print\ rol\Print\ rol\Print\ rol\Print\ rol\Print\
Printers, Printers, Printers, Printers, Printers, Printers, Printers, Printers, Printers,
System\ System\ System\ System\ System\ System\ System\ System\ System\
Current Current Current Current Current Current Current Current Current
Control Control Control Control Control Control Control Control Control
Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv
ices\Eve ices\Eve ices\Eve ices\Eve ices\Eve ices\Eve ices\Eve ices\Eve ices\Eve
ntlog, ntlog, ntlog, ntlog, ntlog, ntlog, ntlog, ntlog, ntlog,
Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar
e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros
oft\OLA oft\OLA oft\OLA oft\OLA oft\OLA oft\OLA oft\OLA oft\OLA oft\OLAP
P P P P P P P P Server,
Server, Server, Server, Server, Server, Server, Server, Server, Softwar
Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar e\Micros
e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros oft\Wind
oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind ows
ows ows ows ows ows ows ows ows NT\Curr
NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr entVersi
entVersi entVersi entVersi entVersi entVersi entVersi entVersi entVersi on\Print,
on\Print, on\Print, on\Print, on\Print, on\Print, on\Print, on\Print, on\Print, Softwar
Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar e\Micros
e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros oft\Wind
oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind ows
HKLM\System\Cu ows ows ows ows ows ows ows ows NT\Curr
rrentControlSet\C NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr entVersi
ontrol\SecurePipe entVersi entVersi entVersi entVersi entVersi entVersi entVersi entVersi on\Wind
Servers\Winreg\Al on\Wind on\Wind on\Wind on\Wind on\Wind on\Wind on\Wind on\Wind ows,
lowedPaths\Mach ows, ows, ows, ows, ows, ows, ows, ows, System\
ine System\ System\ System\ System\ System\ System\ System\ System\ Current
Current Current Current Current Current Current Current Current Control
Control Control Control Control Control Control Control Control Set\Cont
Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont rol\Cont
rol\Cont rol\Cont rol\Cont rol\Cont rol\Cont rol\Cont rol\Cont rol\Cont entInde
entInde entInde entInde entInde entInde entInde entInde entInde x,
x, x, x, x, x, x, x, x, System\
System\ System\ System\ System\ System\ System\ System\ System\ Current
Current Current Current Current Current Current Current Current Control
Control Control Control Control Control Control Control Control Set\Cont
Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont rol\Term
rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term inal
inal inal inal inal inal inal inal inal Server,
Server, Server, Server, Server, Server, Server, Server, Server, System\
System\ System\ System\ System\ System\ System\ System\ System\ Current
Current Current Current Current Current Current Current Current Control
Control Control Control Control Control Control Control Control Set\Cont
Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont rol\Term
rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term inal
inal inal inal inal inal inal inal inal Server\
Server\ Server\ Server\ Server\ Server\ Server\ Server\ Server\ UserCo
UserCo UserCo UserCo UserCo UserCo UserCo UserCo UserCo nfig,
nfig, nfig, nfig, nfig, nfig, nfig, nfig, nfig, System\
System\ System\ System\ System\ System\ System\ System\ System\ Current
Current Current Current Current Current Current Current Current Control
Control Control Control Control Control Control Control Control Set\Cont

- 136 -
Chapter 12 - Appendix

Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont Set\Cont

rol\Term
rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term rol\Term
inal
inal inal inal inal inal inal inal inal
Server\
Server\ Server\ Server\ Server\ Server\ Server\ Server\ Server\
Default
Default Default Default Default Default Default Default Default
UserCo
UserCo UserCo UserCo UserCo UserCo UserCo UserCo UserCo
nfigurati
nfigurati nfigurati nfigurati nfigurati nfigurati nfigurati nfigurati nfigurati
on,
on, on, on, on, on, on, on, on,
Softwar
Softwar Softwar Softwar Softwar Softwar Softwar Softwar Softwar
e\Micros
e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros e\Micros
oft\Wind
oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind oft\Wind
ows
ows ows ows ows ows ows ows ows
NT\Curr
NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr NT\Curr
entVersi
entVersi entVersi entVersi entVersi entVersi entVersi entVersi entVersi
on\Perfli
on\Perfli on\Perfli on\Perfli on\Perfli on\Perfli on\Perfli on\Perfli on\Perfli
b,
b, b, b, b, b, b, b, b,
System\
System\ System\ System\ System\ System\ System\ System\ System\
Current
Current Current Current Current Current Current Current Current
Control
Control Control Control Control Control Control Control Control
Set\Serv
Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv Set\Serv
ices\Sys
ices\Sys ices\Sys ices\Sys ices\Sys ices\Sys ices\Sys ices\Sys ices\Sys
monLog
monLog monLog monLog monLog monLog monLog monLog monLog
HKLM\System\Cu
rrentControlSet\C
ontrol\Session
1 1 1 1 1 1 1 1 1
Manager\Kernel\
ObCaseInsensitiv
e
HKLM\System\Cu
rrentControlSet\C
ontrol\Session
Manager\Memory 0 0 0 0 0 0 0 0 0
Management\Cle
arPageFileAtShut
down
HKLM\System\Cu
rrentControlSet\C
ontrol\Session 1 1 1 1 1 1 1 1 1
Manager\Protecti
onMode
HKLM\System\Cu
rrentControlSet\C
No No No No No
ontrol\Session Posix Posix Posix Posix
value value value value value
Manager\SubSyst
ems\optional
HKLM\System\Cu
rrentControlSet\S
ervices\LanManS 15 15 15 15 15 15 15 15 15
erver\Parameters\
AutoDisconnect
HKLM\System\Cu
rrentControlSet\S
ervices\LanManS
1 1 1 1 1 1 1 1 1
erver\Parameters\
EnableForcedLog
Off
HKLM\System\Cu
rrentControlSet\S 0 0 0 0 0 0 0 0 0

- 137 -
Chapter 12 - Appendix

ervices\LanManS
erver\Parameters\
EnableSecuritySi
gnature
HKLM\System\Cu
rrentControlSet\S “ “
No No No No No
ervices\LanManS (**) browse browse
value value value value value
erver\Parameters\ r”(**) r”
NullSessionPipes
HKLM\System\Cu
rrentControlSet\S
ervices\LanManS
0 0 0 0 0 0 0 0 0
erver\Parameters\
RequireSecurityS
ignature
HKLM\System\Cu
rrentControlSet\S
ervices\LanManS
1 1 1 1 1 1 1 1 1
erver\Parameters\
RestrictNullSessA
ccess
HKLM\System\Cu
rrentControlSet\S
ervices\LanmanW
0 0 0 0 0 0 0 0 0
orkstation\Param
eters\EnablePlain
TextPassword
HKLM\System\Cu
rrentControlSet\S
ervices\LanmanW
1 1 1 1 1 1 1 1 1
orkstation\Param
eters\EnableSecu
ritySignature
HKLM\System\Cu
rrentControlSet\S
ervices\LanmanW
0 0 0 0 0 0 0 0 0
orkstation\Param
eters\RequireSec
uritySignature
HKLM\System\Cu
rrentControlSet\S
1 1 1 1 1 1 1 1 1
ervices\LDAP\LD
APClientIntegrity
HKLM\System\Cu
rrentControlSet\S
ervices\Netlogon\
0 0 0 0 0 0 0 0 0
Parameters\Disab
lePasswordChan
ge
HKLM\System\Cu
rrentControlSet\S
ervices\Netlogon\
30 30 30 30 30 30 30 30 30
Parameters\Maxi
mumPasswordAg
e
HKLM\System\Cu 1 1 1 1 1 1 1 1 1

- 138 -
Chapter 12 - Appendix

rrentControlSet\S
ervices\Netlogon\
Parameters\Requ
ireSignOrSeal
HKLM\System\Cu
rrentControlSet\S
ervices\Netlogon\ 1(**) 1 0(**) 0 1 1 1 1 1
Parameters\Requ
ireStrongKey
HKLM\System\Cu
rrentControlSet\S
ervices\Netlogon\ 1 1 1 1 1 1 1 1 1
Parameters\Seal
SecureChannel
HKLM\System\Cu
rrentControlSet\S
ervices\Netlogon\ 1 1 1 1 1 1 1 1 1
Parameters\Sign
SecureChannel
[Privileg [Privileg [Privileg [Privileg [Privileg [Privileg [Privileg [Privileg
[Privileg
[Privilege Rights] e e e e e e e e
e Rights]
Rights] Rights] Rights] Rights] Rights] Rights] Rights] Rights]
Everyon Everyon Everyon Everyon Everyon Everyon Everyon Everyon Everyon
e, e, e, e, e, e, e, e, e,
Administ Administ Administ Administ Administ Administ Administ Administ Administ
SeNetworkLogon rators, rators, rators, rators, rators, rators, rators, rators, rators,
Right Users, Users, Users, Users, Users, Users, Users, Users, Users,
Backup Backup Backup Backup Backup Backup Backup Backup Backup
Operato Operato Operato Operato Operato Operato Operato Operato Operato
rs rs rs rs rs rs rs rs rs
Administ Administ Administ Administ Administ Administ Administ Administ Administ
rators, rators, rators, rators, rators, rators, rators, rators, rators,
SeBackupPrivileg
Backup Backup Backup Backup Backup Backup Backup Backup Backup
e
Operato Operato Operato Operato Operato Operato Operato Operato Operato
rs rs rs rs rs rs rs rs rs
Everyon Everyon Everyon Everyon Everyon Everyon Everyon Everyon Everyon
e, Local e, Local e, Local e, Local e, Local e, Local e, Local e, Local e, Local
Service, Service, Service, Service, Service, Service, Service, Service, Service,
Network Network Network Network Network Network Network Network Network
Service, Service, Service, Service, Service, Service, Service, Service, Service,
SeChangeNotifyP
Administ Administ Administ Administ Administ Administ Administ Administ Administ
rivilege
rators, rators, rators, rators, rators, rators, rators, rators, rators,
Users, Users, Users, Users, Users, Users, Users, Users, Users,
Backup Backup Backup Backup Backup Backup Backup Backup Backup
Operato Operato Operato Operato Operato Operato Operato Operato Operato
rs rs rs rs rs rs rs rs rs
Local Local Local Local Local Local Local Local Local
SeSystemtimePri Service, Service, Service, Service, Service, Service, Service, Service, Service,
vilege Administ Administ Administ Administ Administ Administ Administ Administ Administ
rators rators rators rators rators rators rators rators rators
SeCreatePagefile Administ Administ Administ Administ Administ Administ Administ Administ Administ
Privilege rators rators rators rators rators rators rators rators rators
SeDebugPrivileg Administ Administ Administ Administ Administ Administ Administ Administ Administ
e rators rators rators rators rators rators rators rators rators
SeRemoteShutdo Administ Administ Administ Administ Administ Administ Administ Administ Administ
wnPrivilege rators rators rators rators rators rators rators rators rators

- 139 -
Chapter 12 - Appendix

Local Local Local Local Local Local Local Local Local

Service, Service, Service, Service, Service, Service, Service, Service, Service,
SeAuditPrivilege
Network Network Network Network Network Network Network Network Network
Service Service Service Service Service Service Service Service Service
Local Local Local Local Local Local Local Local Local
Service, Service, Service, Service, Service, Service, Service, Service, Service,
SeIncreaseQuota Network Network Network Network Network Network Network Network Network
Privilege Service, Service, Service, Service, Service, Service, Service, Service, Service,
Administ Administ Administ Administ Administ Administ Administ Administ Administ
rators rators rators rators rators rators rators rators rators
SeIncreaseBaseP Administ Administ Administ Administ Administ Administ Administ Administ Administ
riorityPrivilege rators rators rators rators rators rators rators rators rators
SeLoadDriverPriv Administ Administ Administ Administ Administ Administ Administ Administ Administ
ilege rators rators rators rators rators rators rators rators rators
SeLockMemoryPr Local Local Local Local
(*) (*) (*) (*) (*)
ivilege Servers Servers Servers Servers
Local Local
Servers, Administ Servers, Administ Administ Administ Administ Administ Administ
Administ rators, Administ rators, rators, rators, rators, rators, rators,
rators, Backup rators, Backup Backup Backup Backup Backup Backup
Backup Operato Backup Operato Operato Operato Operato Operato Operato
SeBatchLogonRi
Operato rs, Operato rs, rs, rs, rs, rs, rs,
ght
rs, Perform rs, Perform Perform Perform Perform Perform Perform
Perform ance Perform ance ance ance ance ance ance
ance Log ance Log Log Log Log Log Log
Log Users(*) Log Users(*) Users(*) Users(*) Users(*) Users(*) Users(*)
Users Users
Local
SeServiceLogon Servers, *S-1-5- Local
(*)
Right *S-1-5- 80-0(*) Servers
80-0(**)
Guest, Guest,
Administ Administ Administ Administ Administ Administ Administ
Administ Administ
rators, rators, rators, rators, rators, rators, rators,
rators, rators,
SeInteractiveLog Users, Users, Users, Users, Users, Users, Users,
Users, Users,
onRight Backup Backup Backup Backup Backup Backup Backup
Backup Backup
Operato Operato Operato Operato Operato Operato Operato
Operato Operato
rs(**) rs rs rs rs rs rs
rs(**) rs
SeSecurityPrivile Administ Administ Administ Administ Administ Administ Administ Administ Administ
ge rators rators rators rators rators rators rators rators rators
SeSystemEnviron Administ Administ Administ Administ Administ Administ Administ Administ Administ
mentPrivilege rators rators rators rators rators rators rators rators rators
SeProfileSinglePr Administ Administ Administ Administ Administ Administ Administ Administ Administ
ocessPrivilege rators rators rators rators rators rators rators rators rators
Administ Administ
rators,* rators,*
S-1-5- S-1-5-
80- 80-
313915 313915
Administ
SeSystemProfileP 7870- 7870- Administ Administ Administ Administ Administ Administ
rators
rivilege 298339 298339 rators rators rators rators rators rators
(**)
1045- 1045-
367874 367874
7466- 7466-
658725 658725
712- 712-

- 140 -
Chapter 12 - Appendix

180934 180934
0420(**) 0420
Local Local Local Local Local Local Local Local Local
SeAssignPrimary Service, Service, Service, Service, Service, Service, Service, Service, Service,
TokenPrivilege Network Network Network Network Network Network Network Network Network
Service Service Service Service Service Service Service Service Service
Administ Administ Administ Administ Administ Administ Administ Administ Administ
rators, rators, rators, rators, rators, rators, rators, rators, rators,
SeRestorePrivile
Backup Backup Backup Backup Backup Backup Backup Backup Backup
ge
Operato Operato Operato Operato Operato Operato Operato Operato Operato
rs rs rs rs rs rs rs rs rs
Local Local Local Local
Enginee Enginee Enginee Enginee
rs, Local rs, Local rs, Local rs, Local
Supervi Supervi Supervi Supervi
Administ
sors, sors, Administ Administ sors, Administ sors, Administ
rators,
Product Product rators, rators, Product rators, Product rators,
SeShutdownPrivil Users,
Administ Administ Backup Backup Administ Backup Administ Backup
ege Backup
rators, rators, Operato Operato rators, Operato rators, Operato
Operato
Administ Administ rs(*) rs(*) Administ rs(*) Administ rs(*)
rs(*)
rators, rators, rators, rators,
Backup Backup Backup Backup
Operato Operato Operato Operato
rs rs rs rs
SeTakeOwnershi Administ Administ Administ Administ Administ Administ Administ Administ Administ
pPrivilege rators rators rators rators rators rators rators rators rators
Local
SeDenyNetworkL Guest Servers,
Guest (*)
ogonRight (**) Guest
(**)
Local
Administ
SeDenyInteractiv Servers,
Guest(*) rators (*)
eLogonRight Guest
(**)
(**)
Administ
Administ Administ
SeUndockPrivileg rators, Administ Administ Administ Administ Administ Administ
rators, rators
e Users rators rators rators rators rators rators
Users (**)
(**)
Administ
Administ rators,
SeManageVolum Administ Administ
rators Remote
ePrivilege rators rators(*)
(**) Desktop
Users(*)
Administ
Administ Administ Administ Administ Administ Administ Administ
rators,
rators, Local rators, rators, rators, rators, rators, rators,
SeRemoteInteract Remote
Remote Servers, Remote Remote Remote Remote Remote Remote
iveLogonRight Desktop
Desktop Guest Desktop Desktop Desktop Desktop Desktop Desktop
Users
Users Users(*) Users(*) Users(*) Users(*) Users(*) Users(*)
(**)
Local
Service,
Local Network
SeDenyRemoteIn
Servers, Service,
teractiveLogonRi (*) (*)
Guest Administ
ght
(**) rators,
Service
(**)

- 141 -
Chapter 12 - Appendix

Local Local Local Local Local Local Local Local Local

Service, Service, Service, Service, Service, Service, Service, Service, Service,
Network Network Network Network Network Network Network Network Network
SeImpersonatePri
Service, Service, Service, Service, Service, Service, Service, Service, Service,
vilege
Administ Administ Administ Administ Administ Administ Administ Administ Administ
rators, rators, rators, rators, rators, rators, rators, rators, rators,
Service Service Service Service Service Service Service Service Service
Local Local
Local
Service, Service,
Service,
Network Network
Network
SeCreateGlobalP Service, Users Service,
Service,
rivilege Administ (**) Administ
Administ
rators, rators,
rators,
Service Service
Service
(**) (*)
Local
Service,
SeIncreaseWorki Users
Users Administ Users(*)
ngSetPrivilege (**)
rators
(**)
Local
Local
Service, Local
Service, Administ
SeTimeZonePrivil Administ Service,
Administ rators
ege rators, Administ
rators, (**)
Users rators(*)
Users
(**)
Administ
SeCreateSymboli Administ [Versio Administ Administ Administ Administ Administ Administ
rators
cLinkPrivilege rators n](**) rators(*) rators(*) rators(*) rators(*) rators(*) rators(*)
(**)

- 142 -
Notices
Trademarks
Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of
Honeywell International, Inc.
ControlEdge™ is a trademark of Honeywell International, Inc.
OneWireless™ is a trademark of Honeywell International, Inc.
Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a
business unit of Honeywell International, Inc.
Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of
Honeywell International, Inc.

Other trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Trademarks that appear in this document are used only to the benefit of the trademark owner, with no
intention of trademark infringement.

Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The third
party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor.
The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying
the product, in the documents or files accompanying such third party materials, in a file named third_
party_licenses on the media containing the product, or at
http://www.honeywell.com/ps/thirdpartylicenses.

Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions support website at:
http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your feedback to:
[email protected]
Use this email address to provide feedback, or to report errors and omissions in the documentation. For
immediate help with a technical problem, contact your local Honeywell Process Solutions Customer
Contact Center (CCC) or Honeywell Technical Assistance Center (TAC).

How to report a security vulnerability

For the purpose of submission, a security vulnerability is defined as a software defect or weakness that
can be exploited to reduce the operational or security capabilities of the software.
Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and services.
To report a potential security vulnerability against any Honeywell product, please follow the instructions
at:
https://www.honeywell.com/product-security

Support

- 143 -
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find
your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/customer-
support-contacts/Pages/default.aspx.

Training classes
Honeywell holds technical training classes that are taught by process control systems experts. For more
information about these classes, contact your Honeywell representative, or see
http://www.automationcollege.com.

- 144 -

Configuring Networking Settings On A Windows Device
No ratings yet
Configuring Networking Settings On A Windows Device
158 pages
Mcse Lab Manual
76% (17)
Mcse Lab Manual
620 pages
Windows Server 2016
100% (1)
Windows Server 2016
94 pages
Windows Domain Implementation Guide For Windows Server 2016 EPDOC X472 en A
No ratings yet
Windows Domain Implementation Guide For Windows Server 2016 EPDOC X472 en A
171 pages
Step-By-Step Guide 800xa System Installation
92% (13)
Step-By-Step Guide 800xa System Installation
78 pages
Migration Planning Guide
No ratings yet
Migration Planning Guide
84 pages
Windows Domain and Workgroup Implementation Guide For Windows Server 2003 and Windows Server 2008 EPDOC X148 en A
No ratings yet
Windows Domain and Workgroup Implementation Guide For Windows Server 2003 and Windows Server 2008 EPDOC X148 en A
190 pages
Windows Server SDN
No ratings yet
Windows Server SDN
992 pages
PMT Hps Windows Domain and Workgroup Planning Guide Epdoc x250 en 511a
No ratings yet
PMT Hps Windows Domain and Workgroup Planning Guide Epdoc x250 en 511a
137 pages
PMT Hps Software Installation Users Guide EPDOC X136 en 530A
No ratings yet
PMT Hps Software Installation Users Guide EPDOC X136 en 530A
365 pages
(Guide) Build A Directory Service Server With Active Directory
No ratings yet
(Guide) Build A Directory Service Server With Active Directory
42 pages
CH01-LS Deploy ADPrep
No ratings yet
CH01-LS Deploy ADPrep
80 pages
Windows Domain and Workgroup Implementation Guide EXDOC-X148-En-110
No ratings yet
Windows Domain and Workgroup Implementation Guide EXDOC-X148-En-110
202 pages
Windows Server 2019-Step by Step Installation of Domain Controller
80% (5)
Windows Server 2019-Step by Step Installation of Domain Controller
21 pages
Windows Domain Implementation Guide For Windows Server 2008 R2 EPDOC-X251-En-431
No ratings yet
Windows Domain Implementation Guide For Windows Server 2008 R2 EPDOC-X251-En-431
72 pages
Windows Security and Domains For Experion
No ratings yet
Windows Security and Domains For Experion
28 pages
Installing, Configuring, and Administering Microsoft Windows XP Professional (Text Book)
No ratings yet
Installing, Configuring, and Administering Microsoft Windows XP Professional (Text Book)
595 pages
Domain Controller and Antivirus Implementation
100% (1)
Domain Controller and Antivirus Implementation
22 pages
Windows Domain Implementation Guide For Windows Server 2012 EPDOC-X263-En
No ratings yet
Windows Domain Implementation Guide For Windows Server 2012 EPDOC-X263-En
86 pages
Networking PDF
No ratings yet
Networking PDF
944 pages
Test 2
No ratings yet
Test 2
46 pages
IPD - Active Directory Domain Services 2008
No ratings yet
IPD - Active Directory Domain Services 2008
31 pages
PMT Hps Experion Pks Domain Migration Guide r520
No ratings yet
PMT Hps Experion Pks Domain Migration Guide r520
43 pages
Microsoft Lync Server 2010 Active Directory Preparation and Schema Reference
No ratings yet
Microsoft Lync Server 2010 Active Directory Preparation and Schema Reference
81 pages
Application Under Section 476
100% (5)
Application Under Section 476
2 pages
Administrator Manual - VA10A and Higher
No ratings yet
Administrator Manual - VA10A and Higher
266 pages
10e972adc6ef5b32e9200fa63e16a12c
No ratings yet
10e972adc6ef5b32e9200fa63e16a12c
915 pages
Administeringad ch8
No ratings yet
Administeringad ch8
24 pages
3 - The-Comprehensive-Active-D-Directory-Penetration-Testing-Lab
No ratings yet
3 - The-Comprehensive-Active-D-Directory-Penetration-Testing-Lab
196 pages
ITSOP - Server Installation 3.0
No ratings yet
ITSOP - Server Installation 3.0
19 pages
Getting Started With Experion Software Guide EPDOC-X112-En-431
No ratings yet
Getting Started With Experion Software Guide EPDOC-X112-En-431
36 pages
AD - DS - Installation - Windows - Server - 2019 Lecture-2
No ratings yet
AD - DS - Installation - Windows - Server - 2019 Lecture-2
25 pages
Troubleshooting PDF
No ratings yet
Troubleshooting PDF
991 pages
Active Administrator Installation Guide - 81
No ratings yet
Active Administrator Installation Guide - 81
45 pages
ChangeAuditor ActiveDirectory 7.1 EventReferenceGuide
No ratings yet
ChangeAuditor ActiveDirectory 7.1 EventReferenceGuide
69 pages
Getting Started With Experion Software Guide EPDOC-X112-En-430
No ratings yet
Getting Started With Experion Software Guide EPDOC-X112-En-430
38 pages
Learning Platform - CompTIA Joining A Domain
No ratings yet
Learning Platform - CompTIA Joining A Domain
2 pages
Indexing Sites
No ratings yet
Indexing Sites
2,191 pages
Odms E-14 Ef009-50 - Manual
100% (1)
Odms E-14 Ef009-50 - Manual
247 pages
Prerequisites: Task Go To Status
No ratings yet
Prerequisites: Task Go To Status
16 pages
Electrical Testing Dry Type Transformers
100% (1)
Electrical Testing Dry Type Transformers
5 pages
Windows Admin L2
No ratings yet
Windows Admin L2
32 pages
Geometric Design For Highways and Railways Including Cross Sections Horizontal and Vertical Alignments Super Elevation and Earthworks - Compress
No ratings yet
Geometric Design For Highways and Railways Including Cross Sections Horizontal and Vertical Alignments Super Elevation and Earthworks - Compress
23 pages
Green Building
100% (2)
Green Building
29 pages
Dec50103 PW6
No ratings yet
Dec50103 PW6
30 pages
803 Manual en PDF
No ratings yet
803 Manual en PDF
12 pages
System Administration Guide: Experion
No ratings yet
System Administration Guide: Experion
80 pages
EZXPRT-MCSE Course Outline.
No ratings yet
EZXPRT-MCSE Course Outline.
7 pages
MN06135 Installation With ALX Firmware
No ratings yet
MN06135 Installation With ALX Firmware
94 pages
Lesson Plan in Science 6 Components of Ecosystem
100% (1)
Lesson Plan in Science 6 Components of Ecosystem
5 pages
Es PPT - Green Building and Smart Cities
No ratings yet
Es PPT - Green Building and Smart Cities
28 pages
Project Report: "In Pursuit of Global Competitiveness"
75% (4)
Project Report: "In Pursuit of Global Competitiveness"
9 pages
Write Up PGDBF
No ratings yet
Write Up PGDBF
11 pages
Bintulu HR Management Sarawak Labour Ordinance
No ratings yet
Bintulu HR Management Sarawak Labour Ordinance
6 pages
Eportfolio Career Research Paper
100% (3)
Eportfolio Career Research Paper
8 pages
Pencil
No ratings yet
Pencil
17 pages
BUHK408
No ratings yet
BUHK408
5 pages
Manual Aire Acondicionado
No ratings yet
Manual Aire Acondicionado
44 pages
Compensation Management Systems - Paper B - 4
No ratings yet
Compensation Management Systems - Paper B - 4
9 pages
PMT Hps Controledge Builder Software Change Notice Rtdoc x166 en 1401a
No ratings yet
PMT Hps Controledge Builder Software Change Notice Rtdoc x166 en 1401a
37 pages
Being Lazy Is Art
No ratings yet
Being Lazy Is Art
13 pages
Pixilab Blocks
No ratings yet
Pixilab Blocks
108 pages
Atty. Agbayani Cases
No ratings yet
Atty. Agbayani Cases
46 pages
Application of Intermolecular Forces of Attraction
No ratings yet
Application of Intermolecular Forces of Attraction
3 pages
Prevention and Management of Obstetric Lacerations at Vaginal Delivery ACOG
No ratings yet
Prevention and Management of Obstetric Lacerations at Vaginal Delivery ACOG
46 pages
NPCIL RFP For BSR - 202412300511513510127RFP - Document - 31122024 - 01
No ratings yet
NPCIL RFP For BSR - 202412300511513510127RFP - Document - 31122024 - 01
89 pages
Blending Solution Note
No ratings yet
Blending Solution Note
7 pages
Ab06073 Vapor Recovery
No ratings yet
Ab06073 Vapor Recovery
6 pages
Bma-0001-En-Des-514-R400 1-Rev01-0-Blending-And-Movement-Fundamentals-Experion-Ratio-Controller-Maintenance
No ratings yet
Bma-0001-En-Des-514-R400 1-Rev01-0-Blending-And-Movement-Fundamentals-Experion-Ratio-Controller-Maintenance
1 page
History 4/3 Gold Mining 1886
No ratings yet
History 4/3 Gold Mining 1886
15 pages
mn06117 P2412 Converter
No ratings yet
mn06117 P2412 Converter
6 pages
PMT Hps Software Download Datasheet Controledge PCD Builder
No ratings yet
PMT Hps Software Download Datasheet Controledge PCD Builder
1 page
HPS AS BMM Dramatically Increasing Refinery Production Ques Answers
No ratings yet
HPS AS BMM Dramatically Increasing Refinery Production Ques Answers
3 pages
PDS AlphaTec MANUAL PRESSURE TEST KIT 2003
No ratings yet
PDS AlphaTec MANUAL PRESSURE TEST KIT 2003
1 page
GLM vs. Machine Leaning: - With Case Studies in Pricing
No ratings yet
GLM vs. Machine Leaning: - With Case Studies in Pricing
28 pages
U.S. Seismic Design Maps CHRYSLER
No ratings yet
U.S. Seismic Design Maps CHRYSLER
2 pages
Paper 2 Question
No ratings yet
Paper 2 Question
4 pages
Form 1
No ratings yet
Form 1
1 page
Consultancy Project Assessment Sheet
No ratings yet
Consultancy Project Assessment Sheet
1 page
R编程学习指南: Chinese Edition
From Everand
R编程学习指南: Chinese Edition
Posts & Telecom Press
No ratings yet
Optimized Docker: Strategies for Effective Management and Performance
From Everand
Optimized Docker: Strategies for Effective Management and Performance
Peter Jones
No ratings yet
Virtualization Security: Protecting Virtualized Environments
From Everand
Virtualization Security: Protecting Virtualized Environments
Dave Shackleford
3/5 (1)
OpenNebula 3 Cloud Computing
From Everand
OpenNebula 3 Cloud Computing
Giovanni Toraldo
No ratings yet
Red Hat Enterprise Linux 9 Essentials: Learn to Install, Administer, and Deploy RHEL 9 Systems
From Everand
Red Hat Enterprise Linux 9 Essentials: Learn to Install, Administer, and Deploy RHEL 9 Systems
Smyth
No ratings yet
MCA Windows Server Hybrid Administrator Complete Study Guide with 400 Practice Test Questions: Exam AZ-800 and Exam AZ-801
From Everand
MCA Windows Server Hybrid Administrator Complete Study Guide with 400 Practice Test Questions: Exam AZ-800 and Exam AZ-801
William Panek
No ratings yet
MCA Microsoft 365 Certified Associate Modern Desktop Administrator Complete Study Guide with 900 Practice Test Questions: Exam MD-100 and Exam MD-101
From Everand
MCA Microsoft 365 Certified Associate Modern Desktop Administrator Complete Study Guide with 900 Practice Test Questions: Exam MD-100 and Exam MD-101
William Panek
No ratings yet
Ubuntu 22.04 Essentials: A Guide to Ubuntu 22.04 Desktop and Server Editions
From Everand
Ubuntu 22.04 Essentials: A Guide to Ubuntu 22.04 Desktop and Server Editions
Neil Smyth
No ratings yet
MCSA Windows Server 2012 R2 Installation and Configuration Study Guide: Exam 70-410
From Everand
MCSA Windows Server 2012 R2 Installation and Configuration Study Guide: Exam 70-410
William Panek
No ratings yet
AlmaLinux 9 Essentials: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
From Everand
AlmaLinux 9 Essentials: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
Neil Smyth
No ratings yet
MCSA Windows Server 2012 Complete Study Guide: Exams 70-410, 70-411, 70-412, and 70-417
From Everand
MCSA Windows Server 2012 Complete Study Guide: Exams 70-410, 70-411, 70-412, and 70-417
William Panek
No ratings yet
978-1-951442-67-5: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
From Everand
978-1-951442-67-5: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
Neil Smyth
No ratings yet
Minikube in Practice: Definitive Reference for Developers and Engineers
From Everand
Minikube in Practice: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Rocky Linux 9 Essentials: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
From Everand
Rocky Linux 9 Essentials: Learn to Install, Administer, and Deploy Rocky Linux 9 Systems
Neil Smyth
No ratings yet
Ubuntu 20.04 Essentials: A Guide to Ubuntu 20.04 Desktop and Server Editions
From Everand
Ubuntu 20.04 Essentials: A Guide to Ubuntu 20.04 Desktop and Server Editions
Neil Smyth
No ratings yet
CentOS Stream 9 Essentials: Learn to Install, Administer, and Deploy CentOS Stream 9 Systems
From Everand
CentOS Stream 9 Essentials: Learn to Install, Administer, and Deploy CentOS Stream 9 Systems
Neil Smyth
No ratings yet
CentOS 8 Essentials: Learn to Install, Administer and Deploy CentOS 8 Systems
From Everand
CentOS 8 Essentials: Learn to Install, Administer and Deploy CentOS 8 Systems
Neil Smyth
No ratings yet
Ubuntu 18.04 Essentials: Learn to Install, Administer and Use Ubuntu 18.04 Systems
From Everand
Ubuntu 18.04 Essentials: Learn to Install, Administer and Use Ubuntu 18.04 Systems
Neil Smyth
No ratings yet
Mastering Docker for Scalable Deployment: From Container Basics to Orchestrating Complex Work
From Everand
Mastering Docker for Scalable Deployment: From Container Basics to Orchestrating Complex Work
Kameron Hussain
No ratings yet