Experion PKS
Release 516
Windows Domain Implementation Guide for Windows Server 2016
EPDOC-X472-en-516A
August 2020 Disclaimer
This document contains Honeywell proprietary information. Information contained herein is to be used solely for the purpose submitted, and no part of this document or its contents shall be repro- duced, published, or disclosed to a third party without the express permission of Honeywell Inter- national Sàrl. While this information is presented in good faith and believed to be accurate, Honeywell disclaims the implied warranties of merchantability and fitness for a purpose and makes no express warranties except as may be stated in its written agreement with and for its customer. In no event is Honeywell liable to anyone for any direct, special, or consequential damages. The information and specifications in this document are subject to change without notice.
Copyright 2020 - Honeywell International Sàrl
- 2 - Contents
Contents
Contents 3 About this guide 8 Revision history 8 8 Intended audience 8 Prerequisite skills 8 Related documents 8 Getting started 10 Hardware and software requirements 10 Software requirements for a Domain Controller 10 System requirements for a Domain Controller 10 Guidelines 12 General guidelines for implementing a domain controller 12 Installing a Windows Domain Controller 15 Hardware and software requirements 15 Domain configuration worksheet 15 Preparing a Windows Domain Controller 16 Installing Microsoft Windows Server 2016 operating system 16 Defining an alternate Administrative User 17 Changing the computer name 18 Configuring TCP/IP settings 19 Preconfiguring Network Configuration for FTE 20 Installing Microsoft service packs and Windows updates 20 Preparing a Windows Domain Controller 20 Preparing Microsoft Windows Server 2016 to be a Domain Controller 22 Configuring Microsoft Windows Server 2016 as a Domain Controller 23 Setting up a new domain in a new forest 24
- 3 - Contents
Adjust Alternate Administrative User’s Group membership 26 Setting up a new domain in an existing forest 26 Adding a Domain Controller to an existing domain 27 Setting up a Read-only Domain Controller 29 Common tasks for setting up a Domain Controller 31 Adding Microsoft Windows Server 2016 to a Windows domain 31 Verifying that the DNS server role is active 32 Verifying that the Global Catalog server role is active 33 Adding a reverse lookup zone 35 Adjusting a DNS Configuration 35 Post Installation Tasks 38 Configuring Active Directory sites 38 Creating a site in the Active Directory 38 Moving Domain Controllers to sites 38 Verifying the availability of a Global Catalog server in a site 39 Adjusting replication intervals for a site 40 Creating an Organizational Unit 41 Prerequisites 41 Creating a Active Directory users and groups 41 Creating Honeywell Active Directory users 41 Creating a Active Directory groups 42 Changing group membership 42 Configuring time synchronization in a domain 43 Adding workstation/server to a Windows domain 44 Setting the DNS server IP address 44 Adding a node to a Windows domain 44 Viewing the workstation/server added to a domain 46 Configuring time synchronization on the workstations/servers added to a Windows domain 46 Prerequisites 46
- 4 - Contents
Honeywell Experion PKS Software Support for Domain Controllers 49 Initiating Setup 49 Installing the Domain Controller Policies 50 Installing the .Net Framework 53 Installing Experion Optional Features 53 Preparing the domain for migration 56 Recording the current domain controller configuration information 56 Migration planning worksheet 56 Inventorying the current domain controller configuration 57 Installing Windows Support Tools on Windows Server 2003 domain controllers 57 Identifying the domain controllers holding the FSMO roles 57 Identifying GC servers configured in the domain 58 Identifying DNS servers configured in the domain 59 Identifying the domain operation mode 60 Verifying domain controller readiness for migration 61 Checking the domain health 62 Run the Network Diagnostics (NetDiag) utility 62 Ensuring availability of multiple domain controllers 63 Ensuring availability of multiple DNS servers 63 Preparing the Active Directory 64 Evaluating the functional level of the domain 64 Upgrading existing Domain Controllers to Windows Server 2016 65 Raising the functional level of the domain 65 Expanding the Active Directory schema 66 Joining a Server 2016 Domain Controller to replace an existing Controller 67 Remove the DNS Role (if configured) 67 Installing a new Windows Server 2016 Domain Controller 67 Promote and Join Existing Domain 69 Transfer roles and functions from Old DC to New DC 70
- 5 - Contents
Decommission Old DC 71 Raising Functional Levels 71 FRS to DFS Migration 73 Experion domain group policy settings 77 Security Model specific permissions 151
- 6 - CHAPTER
- 7 - About this guide About this guide
This guide describes how to perform the following:
l Implementing Microsoft Windows domain controllers for Experion. l Implementing stand-alone Microsoft Windows domain controllers. l Migrating existing domain controllers to the latest supported Windows operating system for domain controllers. l Demoting domain controllers. Revision history
Update the revision history table whenever the document is updated. A revision history table is optional for revision A of a document. If there is a revision B of a document, a revision history table must be added to the document. You can add revisions as A, B, C, D, and so on.
Revision Date Description
A August 2020 Initial release of the document. Intended audience
l Customers who want to integrate their process domains into their corporate hierarchy and IT staffs who support them. l Customers with limited networking and IT experience who are using stand-alone domains. l Projects group and Services group. Prerequisite skills
It is assumed that you are familiar with the operation of Experion system software and the plant pro- cesses which Experion controls, Microsoft Windows operating systems, Windows domains and domain controllers, and network administration tasks. Related documents
l Windows Domain and Workgroup Implementation Guide l For planning information, refer to Windows Domain and Workgroup Planning Guide l For operation system migration information, refer the appropriate operating system-specific implementation guide Windows Domain Implementation Guide for Windows Server 2008 R2 l Getting Started with Experion Software Guide l Software Installation User's Guide l Experion migration documentation l Supplementary Installation Tasks Guide l Server and Client Overview and Planning Guide l Server and Client Configuration Guide
- 8 - CHAPTER
- 9 - Getting started Getting started Hardware and software requirements Software requirements for a Domain Controller To implement a domain controller in Experion, you need the following media/software:
l Microsoft Windows Server 2016 l Experion PKS R511.1 or Higher System requirements for a Domain Controller
Component Microsoft Windows Server 2016
Computer and processor l Minimum – 1.4 GHz (x64) l Recommended – 2GHz or faster
Memory l Minimum – 2 GB or greater (Desktop Experience is required) l Recommended – 4GB or greater
Hard disk l Minimum – 32GB l Recommended – 32GB or more
Attention In virtual environments Honeywell recommends that you have at least one DC on each network level serviced by the virtual environment, this would include a domain controller on level 2.5 and each level 2 network. If the entire domain is hosted on virtual machines, you must ensure that the virtual domain is always availability. Refer to the latest version of the following documents on http://www.honeywellprocess.com for the hardware and software requirements of VM.
l HPS Virtualization Specification l Virtualization Planning and Implementation Guide Ensure that at least one domain controller is in real environment.
- 10 - CHAPTER
- 11 - Guidelines Guidelines General guidelines for implementing a domain controller
The following table describes some general guidelines and Honeywell recommendations for imple- menting a domain controller in a domain.
Guideline Honeywell recommendation
Operating It is recommended to have a Standard Edition with Desktop Experience System Edi- tion Data Center Edition is supported, but not required. Note This guide was developed using only Standard Edition. Server Core, Containers, Nano and other variations/configurations are currently not supported. Honeywell’s installation, utilities, and software require that a user interface be present on the system, so it is required that the system have the “Desktop Exper- ience” present in the Operating System. (This includes the GUI and various sup- porting applications, like Internet Explorer.)
Number of It is recommended to have a minimum of two domain controllers per domain. In domain cases where multiple network configurations are used, each network configuration controllers must include at least one domain controller. If you have multiple level 2 with a level 3 per domain network. It is recommend having at least one domain controller on each network level. Domains with multiple OUs must have at least one domain controller per OU.
Operating The version of the Windows Server operating system installed on all the domain con- system trollers in a domain should be the same. installed on domain It is recommended to use different versions of the Windows Server operating sys- controllers tem only during a migration scenario. After completing the migration, any servers running an older version of the operating system should be demoted or removed from the domain. After demoting the server, the domain operation level should be set to the native level for that version of the operating system.
Location of Though Microsoft recommends placing the Database, Log files, and SYSVOL Active Dir- objects on different drives in a system for optimal performance, Honeywell recom- ectory mends using the following default locations. Database, Log files, l Active Directory Database — C:\Windows\NTDS
and l Log Files — C:\Windows\NTDS SYSVOL objects l SYSVOL — C:\Windows\SYSVOL
Availability When the first domain controller for a domain is configured, DNS and GC server of Domain roles are enabled by default. Though Microsoft recommends disabling these roles Name Sys- while creating additional domain controllers in the domain, Honeywell recom- tem (DNS) mendation is to configure these roles on each domain controller in the domain.
- 12 - Guidelines
Guideline Honeywell recommendation and Global It is recommended to configure minimum of two DNS servers and two GC servers. Catalog You can limit the distribution of GC servers based on the network design. (GC) serv- ers
Naming Honeywell recommends the following while configuring domain names. convention for l The length of the domain name should contain 1 to 15 characters. domains l Domain name should always consist of at least two parts, a name and a des- ignator separated by a period as follows:
l The Netbios name must match the DNS name of the domain. For example, pcn.- local is the DNS domain name and pcn is the Netbios name.
Reverse It is recommended to configure Reverse Lookup Zone for each subnet. Lookup Zones
Windows WINS servers are not required. Do not configure WINS for domain controllers in an Internet Experion network. Name Ser- vice (WINS)
Setting Up Honeywell does not recommend configuring Standby Operations Masters for Flex- Standby ible Single Master Operation (FSMO) roles in a process control network. When the Operations FSMO role holder is unavailable, it does not automatically change the FSMO role to Master the standby server. A Standby Operations Master is beneficial particularly in large domains with multiple domain controllers hosting millions of objects.
- 13 - CHAPTER
- 14 - Installing a Windows Domain Controller Installing a Windows Domain Controller Hardware and software requirements
While setting up a domain, as a best practice you must record all the important details about the domain configuration in the below worksheet. Domain configuration worksheet The following table provides you an understanding about the information that you need to capture.
Basic information
Domain name
IP address range
IP Subnet Mask
Groups for RODC creation(if required)
Directory Services Restore Mode (DSRM) password
Starting domain functional level
Global Catalog (GC) and DNS server roles
GC server
DNS servers
User accounts Groups
Flexible Single Master Operation (FSMO) roles Record the details about the domain controllers which hold each of the FSMO roles in the current domain.
FSMO role Site and owner
Schema master
Domain naming master
Infrastructure master
Relative ID (RID) master
PDC emulator
Site Information
Site name Subnet address
Domain controller information
- 15 - Installing a Windows Domain Controller
Basic information
For each domain controller that is being created, capture the following details which can be used later if required.
DC type (One column per domain controller)
Domain controller name
Site
IP address
Preferred DNS
Alternate DNS
Admin account
Password
Group Preparing a Windows Domain Controller
Perform each of the sub section here:
Starting from Path to Microsoft Windows Server 2016
Install Operating System Installing Microsoft Windows.htm
Add a new Administrative User Define an alternate Administrative.htm
Set Computer Name Changing the computer name.htm
Set TCP/IP Addresses Configuring TCP IP settings.htm
Preconfigure NIC Cards Preconfiguring Network Configuration.htm
Operating System Updates Installing Microsoft service.htm
Task Complete. Return to task list. Installing Microsoft Windows Server 2016 operating system It is recommended that you follow the OEM operating system installation document for loading the operating system on Honeywell-qualified or non-qualified platform. During the initial stages of the operating system installation, a “Select the operating system you want to install” page appears. As Honeywell requires server installation with a GUI, ensure to select Microsoft Windows Server 2016 Standard (with Desktop Experience) or Embedded Microsoft Windows Server 2016 Datacenter option.
- 16 - Installing a Windows Domain Controller
Defining an alternate Administrative User ON at least the first Domain Controller (local account will become a Domain Account). As a secur- ity best practice, you should create a custom Administrative User account to manage the system and Disable the default Administrator account created by the install. 1. Post OS install, right-click Start and choose Computer Management. 2. In the left pane of Computer Management, expand “Local Users and Groups” and click Users. 3. In the right pane, right-click and select New User. The New User window appears.
4. Fill in a User Name and Password. 5. Change the Password Options and click Create. 6. Double-click the newly created user in right pane of Computer Management to bring up its properties.
- 17 - Installing a Windows Domain Controller
7. Click Add, define Administrators and click OK.
8. Optional – Click on Users and then Remove. Then, click Apply. 9. Use this account for subsequent log-ons, management, and software installs. Changing the computer name This procedure is normally performed right after installation of the operating system. Perform this procedure to change the computer name after the operating system installation (it automatically assigned a default during install) or if you are using a computer preinstalled with the target oper- ating system. To change the computer name: 1. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 2. In the left pane, click Local Server. The Local Server page appears. 3. In PROPERTIES field, click the text against Computer name. The System Properties dialog appears. 4. On the Computer Name tab, click Change. The Computer Name/Domain Changes dialog box appears. 5. In the Computer Name box, type the computer name and click OK. While performing migration, you must configure the computer with the same name as the domain controller that this computer is replacing. A message appears indicating to restart the computer. 6. Click OK. 7. In the System Properties dialog box, click Close. The System Properties dialog box closes. A message appears prompting to restart the computer. 8. Click Restart now. The computer restarts.
- 18 - Installing a Windows Domain Controller
Attention It is important to restart the server after changing the computer name and before pro- moting the server to a domain controller. Configuring TCP/IP settings Attention For any Experion release, it is recommended that you install the highest Microsoft service packs for Microsoft Windows Server 2016 operating system. If Fault Tolerant Ethernet (FTE) is to be installed on the Domain Controller, you must pre con- figure the NIC adapters to be ready for FTE. Refer to the latest version of Fault Tolerant Ethernet Installation and Service Guide available on www.honeywellprocess.com for the following:
l FTE-qualified NICs. l Configure NIC adapters for FTE. To open Network Connections dialog box: 1. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 2. In the left pane, click Local Server. The Local Server page appears. 3. In PROPERTIES field, click the text against Ethernet. The Network Connections dialog box appears. To configure TCP/IP settings: 1. Open the Network Connections dialog box. 2. Right-click Ethernet, and then click Properties. If Honeywell FTE adapter #1 is enabled, then right-click the FTE adapter #1 and then click Properties. The Ethernet Properties dialog box appears. 3. Select Internet Protocol Version 4 (TCP/IPv4) and then click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box appears. 4. Click Use the following IP address option button and configure the following: l In the IP address box, type the IP address to be assigned for this network connection. Attention If you are performing migration, you must configure the computer with the IP address of the domain controller that this computer is replacing.
l In the Subnet mask box, type the subnet mask for the network. l In the Default gateway box, type the IP address of the computer or device on your net- work that connects your network to another network or to the Internet. If you are configuring a stand-alone domain, you need not configure Default gateway.
- 19 - Installing a Windows Domain Controller
Note It is unnecessary to configured DNS configuration at this time unless you have external DNS Servers. (e.g. you are not combining the DNS with this Domain controller). 1. Click Use the following DNS Server addresses option button and configure the following: l In the Preferred DNS server box, type the IP address of the DNS server. l In the Alternate DNS server box, type the IP address of the alternate DNS server. 2. Click OK. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog box closes. 3. In the Local Area Connection Properties dialog box, click OK. Preconfiguring Network Configuration for FTE If you intend to support FTE, you should install or activate the appropriate supported NIC Cards and drivers prior to promoting the system to a Domain Controller. Refer to the latest Fault Tolerant Ethernet Installation and Service Guide for additional information about supported devices and set- tings on the http://www.honeywellprocess.com website. Installing Microsoft service packs and Windows updates Install Microsoft service packs and Windows updates as recommended for the Experion system installed on your computer. For more information about the supported versions, refer to the Soft- ware Change Notice (SCN) for the release of Experion that is installed on your system. The latest Software Change Notice is available at the following Honeywell Process Solutions website link “http://www.honeywellprocess.com”. Attention For any Experion release, it is recommended that you install the highest Microsoft service packs for Microsoft Windows Server 2016 operating system. Clean operating system installation without Honeywell software is not supported by the ISO disk provided with the SUIT. That is, if you perform a clean operating system installation using the ISO disk provided with the SUIT. Then, Honeywell is not responsible for installing Microsoft service packs and applying Windows updates on such systems. However, Honeywell still supports Domain Controllers set up with clean installation. Preparing a Windows Domain Controller
The following table lists the tasks that you must perform for setting up a domain controller.
Task Reference
Installing the Microsoft Windows Server 2016 server as a Preparing a Windows Domain domain controller (First Domain Controller/Forest) Controller.htm Then Preparing Microsoft Windows Server 2016 to be a Domian Con- troller.htm Then
- 20 - Installing a Windows Domain Controller
Task Reference
Configuring Microsoft Windows Server 2016 as a Domian Con- troller.htm continuing through Set up a new domain in a new forest.htm
Adding a Microsoft Windows Server 2016 based Domain con- Preparing a Windows domain troller to establish a new Domain to the Forest Controller.htm Then Preparing Microsoft Windows Server 2016 to be a Domian Con- troller.htm Then Configuring Microsoft Windows Server 2016 as a Domian Con- troller.htm continuing through Set up a new domain in an exist- ing forest.htm
Adding additional Microsoft Windows Server 2016 based Preparing a Windows domain Domain Controllers to any an existing Domain in the forest Controller.htm (Writable) Then Adding Microsoft Windows Server 2016 to a Windows domain.htm Then Preparing Microsoft Windows Server 2016 to be a Domian Con- troller.htm Then Configuring Microsoft Windows Server 2016 as a Domian Con- troller.htm continuing through Add a Domain Controller to an existing domain.htm
Adding additional Microsoft Windows Server 2016 based Preparing a Windows domain Read Only Domain Controllers to any an existing Domain in Controller.htm the forest (RODC) Then
- 21 - Installing a Windows Domain Controller
Task Reference
Adding Microsoft Windows Server 2016 to a Windows domain.htm Then Preparing Microsoft Windows Server 2016 to be a Domian Con- troller.htm Then Configuring Microsoft Windows Server 2016 as a Domian Con- troller.htm continuing through Setting up a Read only Domain Controller.htm
Verifying if DNS server role is active Verifying if DNS server role is act- ive.htm
Verifying if Global Catalog server role is active Verifying if Global Catalog server role is active.htm
Adding reverse lookup zone Adding reverse lookup zone.htm
Preparing Microsoft Windows Server 2016 to be a Domain Controller This topic describes the steps to set up or install a Microsoft Windows Server 2016 server as a domain controller added to a new domain in a new forest, a new domain in an existing forest, or as a peer domain controller. In addition, this section also describes the steps to automatically assign the Microsoft Windows Server 2016 server the role of a primary domain controller. Adding Roles and Features to Microsoft Windows Server 2016
Note Operating system has already been installed. 1. Log on to the computer using a local administrator account. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. In Server Manager Dashboard, click Add roles and features. The Add Roles and Features Wizard appears. 4. Click Next. The Select installation type page appears. 5. Click Role-based or feature-based installation option and then click Next. The Select destination server page appears.
- 22 - Installing a Windows Domain Controller
6. In Server Pool, select the server that must be configured as a domain controller and then click Next. The Select server roles page appears. 7. In Roles, select Active Directory Domain Services. A dialog box for adding features for the Active Directory Domain appears. 8. Click Add Features. The Select server roles page appears with the Active Directory Domain Services option enabled. 9. If the Domain Controller is also going to host DNS, then in Roles, select DNS Server. A dialog box for adding features for the DNS Server appears. 10. Click Add Features. The Select server roles page appears with the DNS Server option enabled. 11. Click Next. The Select features page appears. 12. Click Next. The Active Directory Domain Services page appears. 13. Click Next. The DNS Server page appears. 14. Click Next. The Confirm installation selections page appears. All the features selected in the pre- vious steps appears in this page. 15. Verify the selected features and then click Install. The Installation progress page appears. Attention During installation, if you close the Installation progress page, you can view this page again in the Server Manager dialog box, by clicking Notifications icon and selecting Add Roles and Features. 16. After a couple of minutes, feature installation will complete. Task Complete – Return to task list. Configuring Microsoft Windows Server 2016 as a Domain Controller
1. Return to Server Manager, in left panel select ADDS. On right panel, towards top, select “More” on the Configuration required for Active Directory Domain
- 23 - Installing a Windows Domain Controller
Services…. notification.
2. The All Servers Task Details and Notification page appears. Click Promote this server to a domain controller.
The Deployment Configuration page appears. 3. You can set up a primary domain controller in one of the following ways: a. Setup a new domain in a new forest b. Setup a new domain (child) in an existing forest. c. Add a domain controller to an existing domain. d. Setting up a Read Only Domain Controller (RODC). Setting up a new domain in a new forest The following table lists the task that you must perform for setting up a new domain in an existing forest.
Task Refer to
Creating a new Microsoft Windows Server Below
- 24 - Installing a Windows Domain Controller
Task Refer to
2016 domain/forest
Adjusting DNS definition Post creation, refer to Section Adjusting DNS Configuration.htm
Required for First Domain Controller setting up a new domain General conventions for Root Domain Name:
l Integration with company: Doman.<
- 25 - Installing a Windows Domain Controller
8. In the Prerequisites Check page, review Results and click Install. The Installation page appears. The installation of the Active Directory services starts and the progress of installation is displayed. 9. After the installation is complete, the server automatically restarts. The login screen appears and you can login to the server.
Adjust Alternate Administrative User’s Group membership
Earlier, it was suggested that you create an alternate administrative user. Creating a New Domain will add additional groups to the Administrator account, but not the alternate. So you should adjust this now. 1. Using Server Manager, choose Tools, Active Directory Users and Computers. 2. Find your User and double-click it to bring up the properties. 3. Chang the Member Of tab. 4. Click Add and add the following groups: Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema Admins. 5. After adding, click Domain Admins and then click the Set Primary Group. Then Apply and OK to close the properties. 6. When completed, Active Directory Users and Computers can now be closed. 7. You should log out and back in with this account before adding additional Domain Con- trollers to this domain (if using this account to do so…) Task Complete. Return to task list. Setting up a new domain in an existing forest The following table lists the task that you must perform for setting up a new domain in an existing forest.
Task Refer to
Creating a new Microsoft Windows Server 2016 domain in an Below existing forest
Adjusting DNS definition Post creation, refer to Sec- tion Adjusting DNS Con- figuration.htm
1. Click the Add a new domain to an existing forest option and then click Next. The Active Directory Domain Services Configuration Wizard appears. 2. In the Active Directory Domain Services Configuration Wizard window, under Deploy- ment Configuration page, a. Select domain type dropdown, chose Child Domain. b. In the Parent domain name field, enter in the parent domain name. (For example – domainXYZ.local) or Click select.
- 26 - Installing a Windows Domain Controller
The Windows Security dialog appears. 3. In the Windows Security dialog, fill in an appropriate Username and Password to access the domain. The Select domain from the forest dialog box appears. 4. In the Select domain from the forest dialog box, from the domain list, select the required domain name and then click OK. The selected domain appears in the Parent domain name field. 5. In the New domain name field, type a name for the child domain and then click Next. The Deployment Configuration page appears. 6. In the Deployment Configuration page, ensure that Domain Name System (DNS) server option is enabled and checked. Click Next. The Domain Controller Options page appears. 7. In the Domain Controller Options page, a. Select Forest functional level and Domain functional level b. Select Domain Name System (DNS) server and Global Catalog (GC) options c. Type Directory Services Restore Mode (DSRM) password and click Next. The DNS Options page appears. 8. In the DNS Options, click Next. The Additional Options page appears. 9. In the Additional Options page, type NetBIOS domain name and click Next. The Paths page appears. 10. In the Paths page, review the path information and if necessary, change the paths by clicking the small boxes against each path. After you set the path click Next. The Review Options page appears. 11. Review the path information and if necessary, change the paths by clicking the small boxes against each path. After you set the path click Next. The Review Options page appears. 12. In the Review Options page, review the configuration settings that you have selected. To change any of the configuration settings, click Previous. If all the configuration settings are acceptable, then click Next. The Prerequisites Check page appears. 13. In the Prerequisites Check page, if the message All prerequisites checks passed successful, Click Install to begin installation prompt appears. Click Install to begin installation. The Installation page appears. The installation of the Active Directory services starts and the progress of installation is displayed. 14. After the installation is complete, the server automatically restarts. The login screen appears and you can login to the server. Adding a Domain Controller to an existing domain The following table lists the task that you must perform for adding a domain controller to an exist- ing domain.
Task Refer to
Join Microsoft Windows Server 2016 to a Refer to Windows domain Adding Microsoft Windows Server 2016 to a Windows domain.htm
- 27 - Installing a Windows Domain Controller
Task Refer to
Add a Microsoft Windows Server 2016 domain con- Below troller in an existing domain
Adjusting DNS definition Post creation, refer to Section Adjusting DNS Configuration.htm
(If system was previously joined to the domain, domain should be already filled in) 1. Click the Add a Domain Controller to an existing domain option, and then click Next. The Active Directory Domain Services Configuration Wizard appears. 2. In the Active Directory Domain Services Configuration Wizard window, under Deploy- ment Configuration page, a. Select Add a domain controller to an existing domain option. b. Type the Domain name and click Next. The Domain Controller Options page appears. 3. After seconds, a Site name will be automatically entered in Domain Controller Options page. a. Select Domain Name System (DNS) server and Global Catalog (GC) options b. Type Directory Services Restore Mode (DSRM) password and click Next. The DNS Options page appears. 4. In the DNS Options, click Next. The Additional Options page appears. Note If your system is not connected to an upstream network, you may receive the warning above. 5. Click Next. The Paths page appears. 6. Click Next. The Review Options page appears. 7. In the Review Options page, review the configuration settings that you have selected. To change any of the configuration settings, click Previous. If all the configuration settings are acceptable, then click Next. The Prerequisites Check page appears.
- 28 - Installing a Windows Domain Controller
8. In the Prerequisites Check page, review for any errors that require correction. If all Pre- requisites are pass click Install. 9. The Installation page appears. The installation of the Active Directory services starts and the progress of installation is dis- played. Task Complete. Return to task list. Setting up a Read-only Domain Controller You can set up a Read-only Domain Controller (RODC) in the following way:
l Direct installation – Enables you to install an RODC similar to the approach used for installing additional domain controllers in the domain. In this method, RODC installation can performed by a member of the domain administrator group. This method installs an RODC by selecting the Read-only domain controller (RODC) option in the Active Directory Domain Services Installation Wizard. Attention It is not possible to change a domain controller from writable to read-only or from read-only to writ- able, directly. To change a writable domain controller to an RODC, you must demote the domain controller and then promote it again to an RODC. This requires domain administrator permissions and uses the direct installation method for creating the RODC. The following table lists the task that you must perform for setting up a read-only domain con- troller.
- 29 - Installing a Windows Domain Controller
Guideline Honeywell recommendation
Join Microsoft Windows Server 2016 to a Windows Refer to Adding Microsoft Windows domain Server 2016 to a Windows domain.htm
Add a Microsoft Windows Server 2016 domain con- Below troller in the role of Read Only Domain Controller
Adjusting DNS definition Post creation, refer to Section Adjusting DNS Configuration.htm
To add Microsoft Windows Server 2016 server to the role of an RODC The Deployment Configuration page appears. 1. Click Add a domain controller to an existing domain. The Domain field displays the name of the domain to which this RODC is being added. 2. Click Change to provide the credentials of the root domain to which the RODC must be added. The Windows Security dialog box appears. 3. Type the Username and Password of a domain account that has administrator privileges and then click OK. 4. Click Next. The Domain Controller Options page appears. 5. Check the Read only domain controller (RODC) option. 6. Ensure that the Domain Name System (DNS) server and Global Catalog (GC) options are enabled and checked. 7. Type the password for Directory Services Restore Mode (DSRM), in the Password and Confirm password fields. 8. Click Next. The RODC Options page appears. 9. Click Next. The Additional Options page appears. 10. Click Next. The Paths page appears. 11. Review the path information and if necessary, change the paths by clicking the small boxes against each path. After you set the path click Next. The Review Options page appears. 12. Review the configuration settings that you have selected. To change any of the configuration settings, click Previous. If all the configuration settings are acceptable, then click Next. The Prerequisites Check page appears. 13. If the message All prerequisites checks passed successful. Click Install to begin install- ation appears, then click Install. a. The Installation page appears. The installation of the Active Directory services starts and the progress of installation is displayed. b. After the installation is complete, the server automatically restarts. The login screen appears and you can login to the server. c. Next steps d. Perform the steps in section Adding a reverse lookup zone.
- 30 - Installing a Windows Domain Controller
Common tasks for setting up a Domain Controller
This section describes the tasks that are common for setting up a primary or peer or read-only domain controller. Adding Microsoft Windows Server 2016 to a Windows domain Pre-task - Define DNS Configuration (If not done so prior) 1. Log on to the computer using an administrator account. 2. Open the Network and Sharing Center (you can right click network icon on taskbar and choose or type to search. 3. On the left hand side, click Change Adapter Settings. It will open a new window titled Network Connections. 4. Right click one of your active network connections and choose Properties. It will open the NIC properties window. 5. Click Internet Protocol Version 4 (TCP/IPv4), and the click the Properties button. 6. Fill in the appropriate IP Address for the Preferred DNS Server and Alternate DNS Server, then click OK. 7. Click OK to Close the NIC Properties Window 8. You then close any remaining open Window. To add a Microsoft Windows Server 2016 to a Windows domain 1. Log on to the computer using an administrator account. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. In the left pane, click Local Server. The Local Server page appears. 4. In PROPERTIES field, click WORKGROUP. The System Properties dialog box appears. 5. Click Change.
The Computer Name/Domain Changes dialog box appears. 6. In Member of field, click the Domain option. This enables the Domain field. 7. In the Domain field, type the name of the domain and then click OK. The Windows Security dialog box appears. 8. Type the User name and Password of the domain having administrative rights and the click OK. Once the server is added to the domain a confirmation dialog box appears.
- 31 - Installing a Windows Domain Controller
9. Click OK. A message appears indicating to restart the computer. 10. Click OK. The System Properties dialog box appears with the full computer name and Domain inform- ation. This indicates that the computer is now a member of the domain. 11. After verifying the information, click Close. A message appears indicating to restart the computer. 12. Click Restart Now The computer restarts and the server is added to the domain. Verifying that the DNS server role is active To verify if DNS server role is active on the domain controller 1. Log on to the computer using a domain administrator account. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. In Server Manager Dashboard, click Add roles and features. The Add Roles and Features Wizard appears. 4. Click Next. The Select installation type page appears. 5. Click Next. The Select destination server page appears. 6. In Server Pool, select the server for which you must verify if the DNS role is active and then click Next. The Select server roles page appears.
7. In Roles, ensure that DNS Server option is enabled. This determines that the DNS server is
- 32 - Installing a Windows Domain Controller
role is active on the domain controller.
Verifying that the Global Catalog server role is active To verify if Global Catalog server role is active on the domain controller 1. Log on to the domain controller. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears. 4. In the console tree on the left pane of the Active Directory Users and Computers window, expand
- 33 - Installing a Windows Domain Controller
5. In the details pane that is on the right side of the Active Directory Users and Computers window, right click the domain controller, and then click Properties. The domain controller Properties dialog box appears.
6. On the General tab, ensure that the DC Type field displays Global Catalog. 7. Click NDTS Settings. The NDTS Settings Properties dialog box appears.
8. On the General tab, ensure that the Global Catalog check box is selected. This indicates that the Global Catalog server role is active.
- 34 - Installing a Windows Domain Controller
9. Close all the open dialog boxes. Adding a reverse lookup zone Reverse lookup zones that are active directory integrated are replicated to the new DNS server. To add reverse lookup zone 1. In the Server Manager Window, click Tools > DNS. The DNS Manager window appears. 2. In the console tree, expand items under DNS until Reverse Lookup Zones item appears. If there is an entry for the IP address configured in your domain, do not perform the remain- ing steps in this procedure. Note that the order of the IP address octets is reversed in the IP address entry. 3. Right click on Reverse Lookup Zones, and then select New Zone. The New Zone Wiz- ard appears. 4. On the Welcome page of the New Zone Wizard, click Next. 5. Click Primary zone, and then click Next. The Active Directory Zone Replication Scope page appears. 6. Select To all DNS servers running on domain controllers in this domain :
- 35 - Installing a Windows Domain Controller
By default, when setting up a Domain Controller, the system may automatically configure the local address as the preferred DNS Address. We recommend following a cross registration pattern where the preferred DNS is actually another DNS Server, and the alternate is the local system. This configuration must be configured manually. Consider the following example:
l 2 Domain Controllers are hosting DNS. o Domain Controller 1 has an IP Address 10.0.1.3. o Domain Controller 2 has an IP Address 10.0.1.4. l Domain Controller 1 (10.0.1.3) DNS configuration: o Preferred DNS should be 10.0.1.4 o Alternate DNS should be 127.0.0.1. l Domain Controller 2 (10.0.1.4) DNS configuration: o Preferred DNS should be 10.0.1.3 o Alternate DNS should be 127.0.0.1. 1. Log on to the computer using an administrator account. 2. Open the Network and Sharing Center (you can right click network icon on taskbar and choose or type to search 3. On the left hand side, click Change Adapter Settings. It will open a new window titled Network Connections. 4. Right click one of your active network connections and choose Properties. It will open the NIC properties window. 5. Click Internet Protocol Version 4 (TCP/IPv4), and the click the Properties button. 6. Fill in the appropriate IP Address for the Preferred DNS Server and Alternate DNS Server, then click OK. 7. Click OK to Close the NIC Properties Window. 8. You then close any remaining open Window.
- 36 - CHAPTER
- 37 - Post Installation Tasks Post Installation Tasks Configuring Active Directory sites
A default site is always provided. The default site is adequate for simple installations. Creating a site in the Active Directory To create a site in Active Directory 1. Log on to one of the domain controllers in the domain using an account with administrative privileges. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Sites and Services. The Active Directory Sites and Services page appears. 4. In the console tree, right-click Sites, and then click New Site. The New Object — Site dialog box appears. 5. In the Name box, type the name of the new site. 6. In Link Name list, select the site link object for this site and then click OK. A dialog box appears indicating that a new site is created in the Active Directory. Note This Dialog box does not appears, if the user deletes an old site and tries to add a New Site. 7. Click OK. The new site name appears under Sites folder in the console tree. 8. In the console tree, right-click the Subnets folder, and then click New Subnet. The New Object — Site dialog box appears.
9. In the Prefix box, type the IPv4 or the IPv6 subnet prefix. 10. In the Select a site object for this prefix list, click the site to be associated with the subnet prefix. 11. Click OK. This creates a site in Active directory. Moving Domain Controllers to sites To move domain controllers to sites 1. Log on to one of the domain controllers in the domain using an account with administrative privileges.
- 38 - Post Installation Tasks
2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Sites and Services. The Active Directory Sites and Services page appears. 4. In the console tree, expand the Sites folder and the site in which the server object resides. By default, a domain controller is added to the site named Default-First-Site-Name. 5. Expand the site Default-First-Site-Name, and then the Servers folder. The Servers folder displays the domain controllers that are currently configured for that site. 6. Right-click the sever object that you want to move, and then click Move. The Move Server dialog box appears. 7. In the Select the site that should contain this server list, click the site name to which the server needs to be transferred, and then click OK. The Active Directory Sites and Services window updates indicating that the server is moved to the site. Verifying the availability of a Global Catalog server in a site It is recommended that at least one of the domain controllers associated with each site is configured as a GC server. This accelerates the authentication requests within the site and also helps to avoid cross site transfers. To verify the availability of Global Catalog server in a site 1. Log on to one of the domain controllers in the domain using an account with administrative privileges. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Sites and Services. The Active Directory Sites and Services page appears. 4. In the console tree, expand Sites folder, and then expand the site object on which the servers reside. 5. Expand the Servers folder, and then expand the server name. The NDTS Settings items appear under the server name. 6. Right-click NDTS Settings item, and then click Properties. The NDTS Settings Properties dialog box appears. 7. Verify if the Global Catalog check box is selected. If not, select the Global Catalog check
- 39 - Post Installation Tasks
box, and then click OK. The NDTS Settings Properties dialog box closes. Adjusting replication intervals for a site Changes to the Active Directory information in any of the domain controllers replicates to the other servers in the domain on a regular basis. The replication also occurs during a system reboot or when manually initiated. Windows uses a very efficient algorithm to replicate only the information that is changed so that the network load due to replication is minimal. The default time between rep- lications can be configured using the Active Directory Sites and Services snap-in as follows. Attention Honeywell recommends that you to leave the replication interval with the default settings. However, refer to the following procedure if you want to make any adjustment to the replication interval for your site. To adjust replication interval for a site 1. Log on to one of the domain controllers in the domain using an account with administrative privileges. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Sites and Services. The Active Directory Sites and Services page appears. 4. In the console tree, expand Inter-Site Transports folder, and then click the IP folder. 5. In the right-pane of the Active Directory Sites and Services window, double-click DEFAULTIPSITELINK. The DEFAULTIPSITELINK Properties dialog box appears. The Replicate every box dis- plays the configured replication time. 6. To change the replication time, in the Replicate every box, type or select the new time in minutes. Attention
The minimum replication time is 15 minutes and the maximum replication time is 10080 minutes (168 hours, or 7 days). When the sites are interconnected over high-speed links, it is recommended to configure the replication interval as 15 minutes. If slow links are used or in cases where the network traffic is heavy, the replication interval can be increased.
You can also adjust the replication interval as follows: i. Click Change Schedule. The Schedule for DEFAULTIPSITELINK dialog box appears. By default, the rep- lication schedule appears as 24 hours a day, 7 days a week.
- 40 - Post Installation Tasks
ii. To change the default replication interval, adjust the day and time settings using the mouse pointer. iii. Click Replication Not Available or Replication Available, as appropriate. iv. Click OK. 7. Click Apply, and then click OK. The DEFAULTIPSITELINK Properties dialog box closes. Creating an Organizational Unit
Prerequisites Ensure to install the Honeywell domain security policy. The Organizational Unit (OU) must be cre- ated after installing Honeywell domain security policy. To create Honeywell Active Directory users 1. Log on to the domain controller using an account with administrative privileges. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears. 4. In the console tree, expand
Creating Honeywell Active Directory users To create Honeywell Active Directory users 1. Log on to the domain controller using an account with administrative privileges. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears.
- 41 - Post Installation Tasks
4. In the console tree, expand
- 42 - Post Installation Tasks
1. Log on to the domain controller using an account with administrative privileges. 2. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 3. Click Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears. 4. In the console tree, browse to the folder (Active Directory Users and Computers/domain node/folder) containing the group that you want to modify. 5. Select the Honeywell Group that you want to modify. 6. In the details pane (right pane), right-click the group, and then click Properties. 7. On the Members tab, click Add. 8. Enter the Honeywell user name and then Check Names. A valid entry will have an underline. 9. Click OK. 10. Repeat steps until the required users are added to the group. 11. Click OK. For further guidance on managing groups, refer to the following Microsoft documentation. http://technet.microsoft.com/en-us/library/cc738263(WS.10).aspx Configuring time synchronization in a domain
After configuring all systems for roles in a domain, any prior time topology becomes invalid due to the configuration changes. Hence, you must configure a new time topology by considering the domain and control system requirements; otherwise, the system uses the local clock for the author- itative time source in the domain. If possible, you should configure an external time source for the domain. If configuring, you must set the external time source on the PDC role holder. For more information about configuring an external time source, refer to the following Microsoft documentation. http://sup- port.microsoft.com/kb/816042 Using “time.windows.com” as an example, (an IP address of a local NTP Server (for example) could also be used), perform the following commands: 1. w32tm.exe /config /manualpeerlist:”time.windows.com” /syncfromflags:manual /re- liable:YES /update 2. w32tm.exe /config /update 3. net stop w32time 4. net start w32time For all other nodes, consider the section “Time synchronization” in the Server and Client Planning Guide. And refer to the section “Setting up time synchronization” in the Supplementary Install- ation Tasks Guide.
- 43 - Post Installation Tasks
Adding workstation/server to a Windows domain
Setting the DNS server IP address Setting the DNS server IP address 1. Log on to the stand-alone workstation/Experion server as a local administrator. 2. Click Start > Controlpanel > Network > Network and Sharing Center. The Network and Sharing Center window appears. 3. On the left pane, click Change adapter settings. The Network Connections window appears. 4. Right-click Ethernet, and then click Properties. If Honeywell FTE adapter #1 is enabled, then right-click the FTE adapter #1 and then click Properties. The Ethernet Properties dialog box appears. 5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. The Internet Protocols (TCP/IP) Properties dialog box appears. 6. Click Use the following DNS server addresses. 7. In Preferred DNS server and Alternate DNS server box, type the preferred DNS server IP address and the alternate DNS server IP address of the domain controller. 8. Click OK. The Local Area Connection Properties dialog box closes. Adding a node to a Windows domain Caution While adding a node to a domain, you must not change the computer name and the domain at the same time. Attention To join the domain, the client machine (server or desktop) must have DNS resolution to the domain. This may require editing the network card properties and configuring primary and altern- ative DNS server addresses. These should be the addresses of the domain controllers on a domain running Active Directory-integrated DNS. 1. Log on to the client node as a local administrator. 2. Perform one of the following:
Operating System Steps
For Windows 7: 1. Click Start > Control Panel. 2. In View by list, click Small icons. 3. Click System.
- 44 - Post Installation Tasks
Operating System Steps
4. Under Computer name, Domain, and Workgroup Settings area, click Change Settings. 5. Click Continue in the User Account Control dialog box, if prompted. The System Properties dialog box appears.
For Windows 1. Click Start > Control Panel. Server 2008: 2. Select Classic View, if not selected. 3. Double-click System. 4. Under Computer name, Domain, and Workgroup Settings area, click Change Settings. 5. Click Continue in the User Account Control dialog box, if prompted. The System Properties dialog box appears.
For Windows 1. On the taskbar, click Server Manager icon. Server 2012: The Server Manager dialog box appears. 2. In the left pane click Local Server. The Local Server page appears. 3. In PROPERTIES field, click the text against Workgroup. The System Properties dialog box appears.
For Windows 10: 1. Click Start, Settings > In the left pane, select About. 2. Select Connect to work or school 3. Click Connect 4. Under Alternate Actions, click “Join this device to a local Active Directory Domain” 5. Type in the domain name in the Join a Domain box 6. Type in the username and password of a domain admin- istrator account and click OK 7. You can Skip adding any accounts. 8. Skip to Step 10 below
For Windows 1. On the taskbar, click Server Manager icon. Server 2016: The Server Manager dialog box appears. 2. In the left pane click Local Server. The Local Server page appears. 3. In PROPERTIES field, click the text against Workgroup. The System Properties dialog box appears.
3. Click Change. 4. Under Member of area, click the Domain option button, and then type the domain name. 5. Click OK.
- 45 - Post Installation Tasks
6. Type the user name and password of a domain administrator account, and then click OK. 7. In the Welcome dialog box, click OK. 8. In the You must restart… dialog box, click OK. 9. In the System Properties dialog box, click Close. 10. Click Restart Now. The computer restarts. Viewing the workstation/server added to a domain To view the workstation/server added to a domain on a Domain Controller 1. On the taskbar, click Server Manager icon. The Server Manager dialog box appears. 2. Click Tools > Active Directory Users and Computers. The Active Directory Users and Computers page appears. 3. In the console tree, expand
If your Experion system is integrated with a Windows domain, it is recommended that you use the domain controller as the time source for all the clients within the domain. The Experion server should be configured as the NTP server which receives time from the domain controller. Though Flex Stations and Console Stations are set up as NTP clients, they receive time from the domain controller rather than the Experion servers. The Experion servers configured as NTP servers serve time to the control hardware. This is because domain controllers are typically not on a network that is accessible to Experion. The con- trollers within the process control should be configured to get their time from an Experion server that has been set up as an NTP server acting as a secondary NTP server. Prerequisites Before setting up time synchronization, read the section “ Time synchronization” in the Server and Client Planning Guide.
- 46 - Post Installation Tasks
Tasks to be performed for configuring time synchronization on the workstations/servers added to the Windows domain
Guideline Honeywell recommendation
Configure primary Experion server “Adjusting NTP servers” in the Supplementary Installation as the secondary NTP server. Tasks Guide.
Configure secondary Experion “Adjusting NTP clients” in the Supplementary Installation server and other Experion clients as Tasks Guide. the NTP clients.
Configure control hardware to “Setting up control hardware to receive time from an NTP receive time from secondary NTP server in a Windows domain” in the Supplementary Install- server. ation Tasks Guide.
- 47 - CHAPTER
- 48 - Honeywell Experion PKS Software Support for Domain Controllers Honeywell Experion PKS Software Support for Domain Controllers
Refer to the latest Software Installation User's Guide for installing the Honeywell Domain Con- troller package. Caution When installing software on Domain Controllers, it is best practice to do one at a time. Restarts will be necessary, which will affect the controller’s ability to perform authentication and other duties. Initiating Setup
If using DVD/USB, insert the Media (Installation Disk 1). Using Explorer, go to the drive and Setup.exe in the root. If using ESIS: 1. Open Explorer. In the Navigation Bar type in \\ESIS Server Name\R511 Share Name 2. Double click Setup.exe. Answer Yes to the User Account Control dialog.
3. Change Option to “Product Install Only”. 4. Enter UserName and Password. 5. Click Next.
- 49 - Honeywell Experion PKS Software Support for Domain Controllers
Installing the Domain Controller Policies
1. Click Setup to install domain policies on the domain controller.
2. On the first Domain Controller in the Domain, select Yes. It is unnecessary to install more than once as the policies are added to the Domain, so for each additional Domain Controller, select No. If you selected Yes:
- 50 - Honeywell Experion PKS Software Support for Domain Controllers
3. Click Next.
4. If you agree, change Option to “I accept…” and click Next.
5. Enter password for DcsComServer Password account that will be created in the Domain.
- 51 - Honeywell Experion PKS Software Support for Domain Controllers
6. Click Next.
7. Click Install.
- 52 - Honeywell Experion PKS Software Support for Domain Controllers
8. Package will install.
9. When it completes, click Finish. Installing the .Net Framework
1. Run the Honeywell security model - domain controller.msi.
If not installed earlier, you must click Yes to install the .Net Framework components used to support the optional components. Installing Experion Optional Features
1. If .Net is already installed, user will directly get the page for Optional Features selection (Setup type of Node to install page). 2. In the Setup type of Node to install page, click Optional Features, then click Next. The User and License Information page appears. 3. In the User and License Information page, type the Name and Company, and then click Next. The Feature and Options Selection page appears.
- 53 - Honeywell Experion PKS Software Support for Domain Controllers
4. In the Feature and Options Selection page, select the Optional Features you wish to install, and, then click Next. The Security Password Entry page appears. 5. In the Security Password Entry page, type the password and, then click Next. The Summary page appears. Note The Summary screen will vary based on options selected in step 3. 6. Review Options and click Install. The installation progress page appears. Installation will proceed. 7. Depending on options selected, it may be necessary to log in to continue install after neces- sary restarts (reboots) are performed, as indicated by the Status Panel. Click OK to proceed with Restart. Note Make sure you log back in with the same account to which you started the install, as instruc- ted by the Message. 8. Click OK to finish, then Shutdown and Restart the system.
- 54 - CHAPTER
- 55 - Preparing the domain for migration Preparing the domain for migration Recording the current domain controller configuration information
The first stage in planning a migration is understanding the current domain controller configuration. Before starting the migration, you must record all the important details about the current domain controller configuration in the below worksheet. Migration planning worksheet The following table provides you an understanding about the information that you need to capture:
Basic information
Domain name
Domain operation mode
Authentication objects Record the information about each user account and the groups in which the accounts are added as members. Even though this information automatically migrates to the new server, as a best practice it is recommended to capture this information. After migration, you can use this information to check if the migration completed successfully.
User accounts Groups
Flexible Single Master Operation (FSMO) roles Record the details about the domain controllers which hold each of the FSMO roles in the current domain.
FSMO role Current site and owner Destination site and owner
Schema master
Domain naming master
Domain Functional level
Forests Functional level
Infrastructure master
Relative ID (RID) master
PDC emulator
Domain controller networking information For each domain controller that is being migrated, capture the following details which can be used for setting up the network connections during and after the migration.
- 56 - Preparing the domain for migration
Subnet mask
Domain controller 1 of type peer or RODC
Domain controller name
IP address
Is a GC server (yes or no)
Is a DNS server (yes or no)
Preferred DNS
Alternate DNS
Path for AD database
Path for log files
Inventorying the current domain controller configuration Installing Windows Support Tools on Windows Server 2003 domain controllers The process of inventorying the current domain controller configuration utilizes several command line utilities provided by Microsoft known as Windows Support Tools. On Windows Server 2003, the Windows Support Tools are not installed along with the operating system. You must install them separately from the Windows operating system CD of the version that is currently installed on the domain controller. To install Windows Support Tools 1. Log on to the domain controller using a Windows account with local administrator rights. 2. Insert the Windows Server 2003 CD into the CD/DVD drive. 3. Browse the contents of the CD and navigate to the folder \Support\Tools. 4. Double-click SupTools.msi. The Windows Support Tools Setup Wizard appears. 5. Click Next. The End User License Agreement page appears. 6. In the End User License Agreement page, click I Agree, and then Next. The User Information page appears. 7. In the User Information page, fill in/verify Name and Organization details and then click Next. The Destination Directory page appears. 8. In the Destination Directory page, click Install Now. The Installation Progress page appears. 9. Once the installation is done, the Completing the Windows Support Tools Setup Wizard page appears. 10. Click Finish. Identifying the domain controllers holding the FSMO roles To identify the domain controllers holding the FSMO roles
- 57 - Preparing the domain for migration
1. Open the Windows Support Tools Command Prompt.
2. Type the following command and then press ENTER. netdom query /domain:%userdnsdomain% fsmo or just netdom /query FSMO (defaults to the current systems domain). Attention You can also use the domain name in place of %userdnsdomain%. The Command Prompt lists the FSMO roles available and the name of the domain con- troller that holds the respective FSMO role.
3. Record the information about the domain controllers and the FSMO roles they hold in the Recording the current domain controller configuration information. Identifying GC servers configured in the domain If you have configured GC servers in your domain, before starting the migration you must identify the domain controllers that are hosting the GC server role. To identify the GC servers, you must per- form this task on one of the domain controllers in the domain. To identify the GC servers in a domain 1. Log on to the domain controller using an account with administrative privileges. 2. Perform one of the following:
Operating System Steps
Windows Server 2003, 2003 Click Start > All Programs > Administrative Tools > Act- R2, 2008, 2008 R2 ive Directory Sites and Services.
Windows Server 2012, 2012 l On the taskbar, click Server Manager icon.
- 58 - Preparing the domain for migration
Operating System Steps
R2 The Server Manager dialog box appears.
l Click Tools > Active Directory Sites and Ser- vices.
The Active Directory Sites and Services window appears. 3. In the console tree, expand Sites folder, and then expand the site object on which the servers reside. 4. Expand the Servers folder, and then expand the server name. The NDTS Settings items appear under the server name. 5. Right-click NDTS Settings item, and then click Properties. The NDTS Settings Properties dialog box appears. 6. Verify if the Global Catalog check box is selected. If not, select the Global Catalog check box, and then click OK. The NDTS Settings Properties dialog box closes. 7. Repeat steps 5 through 6 for each available server under the site object. 8. Record the details about the domain controllers configured as GC servers in the Recording the current domain controller configuration information. Identifying DNS servers configured in the domain If you have configured DNS servers in your domain, before starting the migration you must identify the domain controllers that are hosting the DNS server role. To identify the DNS servers, you must perform this task on each domain controller in the domain. Choose a Domain Controller where you have the DNS role installed. Locate the DNS Manager tool that was installed on the server.
Operating System Steps
Windows Server 2003, 2003 R2, Click Start > All Programs > Administrative Tools > 2008, 2008 R2 DNS Manager.
Windows Server 2012, 2012 R2 l On the taskbar, click Server Manager icon. The Server Manager dialog box appears.
l Click Tools > DNS.
1. Expand the Server Name under DNS on the left hand side. Expand Forward Lookup Zones, click on your domain name. (idea.local in example below) 2. Locate Name Server (NS) records on the right hand side. Note Any Server hosting DNS should have a NS record listed here.
- 59 - Preparing the domain for migration
Double clicking a NS record and bringing up the properties will also list all Name Servers.
Identifying the domain operation mode To identify the domain operation mode
- 60 - Preparing the domain for migration
1. Perform one of the following:
Operating System Steps
Windows Server 2003, 2003 Click Start > All Programs > Administrative Tools > Act- R2, 2008, 2008 R2 ive Directory Domains and Trusts.
Windows Server 2012, 2012 l On the taskbar, click Server Manager icon. R2 The Server Manager dialog box appears.
l Click Tools > Active Directory Domains and Trusts.
The Active Directory Domains and Trusts window appears. 2. In the console tree, right-click the domain name, and then click Properties. The domain Properties dialog box appears.
The Domain functional level displays the operation mode currently configured for the domain controller. 3. Record the information about the current domain operation mode in the Recording the cur- rent domain controller configuration information. Verifying domain controller readiness for migration
- 61 - Preparing the domain for migration
Checking the domain health
Run the Network Diagnostics (NetDiag) utility
NetDiag is a command-line diagnostic utility that is used for diagnosing any network connectivity problems prior to starting the migration. NetDiag utility performs a series of tests to determine the state of the network. Running this utility helps to identify and isolate any network connectivity prob- lems that might occur during migration. Prerequisites
l Adjust the screen buffer size of Command Prompt. The NetDiag utility test output displayed in Command Prompt can be enormous and hence it is recommended to adjust the screen buffer size of the Command Prompt. To adjust the screen buffer size, 1. Open Command Prompt, click the upper-left icon on the title bar, and then click Properties. 2. Click the Layout tab and set the following under Screen Buffer Size area. n In the Width box, type or select 200. n In the Height box, type or select 3000. 3. Click OK. To run the Network Diagnostics (NetDiag) utility 1. At the Command Prompt, type NETDIAG, and then press ENTER. The NETDIAG output displays the details about the system, including the details about the hotfixes that are installed. After the system details, the output also displays the status of the tests that are performed by this utility. The following are the results that are displayed in the output.
l Passed — indicates that the test is completed successfully l Skipped — indicates that the test is skipped as it is not relevant to the configuration l Failed — indicates that issues are reported Any test that failed or reported any errors should be analyzed before proceeding further. 2. If required, run the command DCDiag /fix, to resolve the issues which are reported.
Run the Domain Controller Diagnostics (DCDiag) utility DCDiag is a command-line diagnostic utility that is used for analyzing the performance of one or all of the domain controllers in an Active Directory forest and identifies any problems to assist in troubleshooting. DCDiag consists of many tests that can be run individually or as part of a suite to verify the domain controller health. DCDiag utility is installed as part of the Windows 2000 Sup- port Tools installation. To run the DCDiag utility 1. Open Command Prompt, type DCDIAG and then press ENTER.
- 62 - Preparing the domain for migration
The DCDIAG utility displays a summary of the test results, for each domain controller tested. It also reports any issues encountered. 2. If required, run the command DCDiag /fix, to resolve the issues which are reported. Attention For further information about the DCDiag utility or if you have any setup problem while executing the DCDiag utility, contact your nearest Honeywell TAC representative. Ensuring availability of multiple domain controllers As a best practice, it is recommended to have at least two domain controllers in a domain, which operate as peers to each other in providing the Active Directory information. An advantage of hav- ing multiple domain controllers in a domain is that, the domain controllers can be migrated with min- imal impact to the domain members. When migrating one of the domain controllers in a domain, you can transfer the functions that it provides to a peer domain controller to prevent disruption of operations during migration. In a domain consisting of only a single domain controller, you must add a temporary peer domain controller to enable the migration. The temporary peer should be configured with a unique name and IP address, so that it does not conflict with the name or IP address of the domain controller being migrated. In addition, while setting up a temporary peer, you should also configure it as a GC server and a DNS server. The server operating system for the temporary peer can either be the same version installed on the current domain controllers in the domain or can be installed with the latest supported operating sys- tem. Attention If the temporary peer domain controller is installed with the latest version of the Windows Server operating system, to promote it to a domain controller you must prepare the schema of the tem- porary peer domain controller by running the adprep utility. After completing the migration of the original domain controller, if you do not want to migrate the temporary peer domain controller and retain it in the domain, demote the temporary peer domain controller and then remove it from the domain. However, since the best practice is to always have a minimum of two domain controllers in a domain, it is recommended to install the temporary peer domain controller with and retain it in the domain even after migrating the original domain con- troller. Ensuring availability of multiple DNS servers Attention You can ensure the availability of multiple DNS server only if you have multiple domain con- trollers. Before starting the migration of domain controllers, it is important to ensure that there are multiple DNS servers configured in the domain. You can configure one or more of the domain controllers in the domain as the DNS servers. If there is only one domain controller configured as the DNS
- 63 - Preparing the domain for migration server, you must configure one of the peer domain controllers in the domain as the alternate DNS server. In addition, ensure that the IP address for the DNS servers, configured on the domain controllers in the domain are accurate. Preparing the Active Directory
Evaluating the functional level of the domain Prior to starting the migration, you should review the functional level of the Domain. (May need to be raise it to support new clients.) Post Migration, you should review it again to see if you have met the requirements to raise the level (To support new or enhanced capabilities). Functional levels determine the Domain and Forest capabilities, but are limited by the operating sys- tems that are hosting it. So you can only raise the level to the lowest value operating system you are using currently as a domain controller. Once all Domain Controllers are upgraded to a higher level, can it can be raised. The host requirement typically only effects Domain Controllers, but the capabilities may affect the clients that can be added to the domain as well. The advanced capabilities of Windows 10 and Server 2016 require that the Domain they are added to (as clients) must be at a functional level of Windows Server 2003 or higher.
Minimum Domain Functional Level
Microsoft Windows Server 2003 (see Note 1)
Supported Domain Functional Levels with Windows Server 2016.
Supported Domain Functional Level
Windows Server 2003 (see Note 1)
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Note This operating system is End of Life (EOL) and is only supported for Migration purposes. Cus- tomer should decommission any Windows 2003 Servers and raise the functional level when com- pleted.
- 64 - Preparing the domain for migration
Upgrading existing Domain Controllers to Windows Server 2016 Refer to the table below for to reference operating system upgrade options for existing Domain Con- trollers.
Starting from Path to 2016
Windows Server 2003 (or R2) New Install/Replacement required Notes: A
Windows Server 2008 New Install/Replacement required Notes: A
Windows Server 2008 R2 Can Direct Upgrade first to 2012 R2 Then Direct Upgrade from 2012 R2 to 2016 Notes: B, C, D Or New Install/replacement required
Windows Server 2012 Direct Upgrade to 2016 Notes: B, C, D Or New Install/replacement
Windows Server 2012 R2 Direct Upgrade to 2016 Notes: B, C, D Or New Install/replacement
Note A – Starting OS is 32 bit based, Target OS is 64 bit. OS cannot be direct upgraded. B – Hardware/Host platform needs to be checked to see if it supports new OS. C - Any third party software needs to be checked to see if it supports upgrade D – Microsoft recommends Clean Installs for Domain controllers Raising the functional level of the domain If the current domain operation mode determined during the domain inventorying task (as described in the section “Identifying the domain operation mode”) and recorded on the Recording the current domain controller configuration information is not at the required minimum or supported level (as documented in Evaluating the functional level of the domain), after upgrading the OS (as ref- erenced in as referenced in Note 1). This operating system is End of Life (EOL) and is only sup- ported for Migration purposes. Customer should decommission any Windows 2003 Servers and raise the functional level when completed. To raise the functional level of the domain 1. Log on to the domain controller. 2. Perform one of the following:
- 65 - Preparing the domain for migration
Operating System Steps
Windows Server 2003, 2003 Click Start > All Programs > Administrative Tools > Act- R2, 2008, 2008 R2 ive Directory Domains and Trusts.
Windows Server 2012, 2012 l On the taskbar, click Server Manager icon. R2 The Server Manager dialog box appears.
l Click Tools > Active Directory Domains and Trusts.
The Active Directory Domains and Trusts window appears. 3. In the console tree, right-click the domain name, and then click Raise Domain Functional Level. The Raise Domain Functional Level dialog box appears. The dialog box displays the cur- rent domain functional level and provides a list of available domain functional levels. Attention If the domain functional level is already at the appropriate level, a dialog box appears indic- ating that it is already set to the highest level. Close the dialog box and then close the Active Directory Domains and Trusts window. Skip the rest of the steps in this procedure and pro- ceed to next task in migration Expanding the Active Directory schema. 4. In the Select an available domain functional level list, click the required functional level, and then click Raise. 5. A warning message appears indicating that changing the domain functional level affects the entire domain and that this action cannot be reversed. 6. Click OK to close the dialog box. 7. When the domain functional level is raised, a confirmation message appears indicating that the level is raised and that the new level replicates to each domain controller in the domain. 8. Click OK to close the confirmation dialog box. 9. Close the Active Directory Domains and Trusts window. Attention While attempting to raise the functional level of the domain, if the Active Directory is busy, there are chances for the raise operation to fail. In such case, you must repeat this procedure till you succeed to raise the functional level of domain. Expanding the Active Directory schema With Microsoft Windows Server 2016, the schema updates are run automatically when the first con- troller is added to the domain. It is no longer necessary to run Adprep as a manual procedure beforehand.
- 66 - Preparing the domain for migration
Joining a Server 2016 Domain Controller to replace an exist- ing Controller
In cases where the domain controller must be replaced with a new Server 2016 system; Windows Server 2003 or 2008, follow this flow:
l Remove the DNS Role (if configured), Remove the DNS Role (if configured) Note Repeat this procedure as many times as necessary until all old controllers have been replaced.
l Promote and Join Existing Domain, Remove the DNS Role (if configured) Remove the DNS Role (if configured) j. For Windows Server 2003 1. Run Manage your Server: 2. Click Add or Remove a Role. The Configure Your Server Wizard with Preliminary Steps page appears. 3. Click Next. The Sever Role page appears. 4. In the Sever Role page, click/select DNS Server and then click Next. The Role Removal Confirmation page appears. 5. In the The Role Removal Confirmation page, check the box Remove DNS Server Role and then click Next. The DNS Server Role Removed page appears stating successful removal of DNS Server Role. 6. Click Finish. Installing a new Windows Server 2016 Domain Controller 1. Pre-requisite Step - Install Server 2016 a. Rename computer, assign IP Address and other localization/tailoring steps. b. System assumed to be temporarily in a workgroup at this stage.
- 67 - Preparing the domain for migration
2. Add existing DNS configuration to system:
3. In Server Manager, click Add Roles and Features:
The Add Roles and Features Wizard with Before you Begin page appears. 4. Click Next. The Installation Type page appears. 5. Click Next. The Server Selection page appears. 6. Click Next. The Server Roles page appears. 7. In the Server Roles page, select Active Directory Domain Services role. The Add features that are required for Active Directory Domain Services? Popup win- dow appears. 8. In the Add features that are required for Active Directory Domain Services? pop up window, select Include management tools (if applicable) option and then click Add Features tab. The Add Roles and Features Wizard with Server Roles page appears. 9. Select DNS Server. The Add features that are required for DNS Server? Pop up window appears. 10. In the Add features that are required for DNS Server? Pop up window, select Include management tools (if applicable) option and then click Add Features tab. The Add Roles and Features Wizard with Server Roles page appears. 11. Click Next. The Features page appears. 12. Click Next. The ADDS page appears. 13. Click Next. The DNS Server page appears.
- 68 - Preparing the domain for migration
14. Click Next. The Confirmation page appears. 15. Click Install. The Results page appears with installation progress details. 16. Click Close or watch. 17. Verify Installation Succeeded and click Close tab. Promote and Join Existing Domain 1. Return to Server Manager and click Notification Flag:
Click Promote this server to a domain controller option. The Active Directory Domain Services Configuration Wizard window with Deployment Configuration page appears. 2. In the with Deployment Configuration page, fill in Domain and Change credentials and then click Next. 3. Click Next. The Domain Controller Options page with “A Domain controller running….” warning appears. Note The “A Domain controller running….” warning can be ignored. 4. Click Next. The DNS Options page appears with “A delegation for this DNS server….” warning appears. Note The “A delegation for this DNS server….” warning is about RODC’s only being supported on 2008 and up domains. It can be ignored.
- 69 - Preparing the domain for migration
Add a Directory Services Restore Mode Password and click Next. Note The warning will occur if systems are not connected to the Internet and can be ignored. Click Next. The Additional Options page appears. 5. Click Next. The Paths page appears. 6. Click Next. The Preparations Options page appears. Note This screen will only occur on first controller added. 7. Click Next. The Review Options page appears. 8. Click Next. The Prerequisites Check page appears. 9. In the Prerequisites Check page, review Warnings and Click Install. Note System will restart when the installation is completed. Transfer roles and functions from Old DC to New DC Log into new system with a Domain based administration account. 1. Adjust DNS Configuration (if DNS was added). a. First Value should be another DNS server (not the Old Domain controller you are going to decommission). b. Second Value should be the local address – 127.0.0.1. 2. Open Command Prompt and run dcdiag. a. Correct any potential issues. Note If configuring FTE on this domain controller, it can be better to temporarily disable the Green NIC until the FTE Software is to be installed. 3. Transfer any owned roles over from the Old Domain Controller to the new 2016 Domain Controller. a. Operations Master can be transferred via the Active Directory Domains and Trust Tool. b. RID Master can be transferred via the Active Directory Users and Computers Tool. c. PDC Master can be transferred via the Active Directory Users and Computers Tool. Note If transferring PDC and it communicated with an external time source don’t forget to update it on new controller.
- 70 - Preparing the domain for migration
d. Infrastructure Master can be transferred via the Active Directory Users and Com- puters Tool. e. Schema Master can be transferred via the MMC - Active Directory Schema Tool. Decommission Old DC Intention here is to remove services/functionality from the Domain Controller before it is turned off. 1. Adjust DNS Configuration on all clients (if previously configured with this DC’s IP Address as one of the clients DNS values). a. Primary value should be another DNS server (possibly the new server just added). b. Secondary value can be any other available DNS Server (Not the server about to be removed). 2. Adjust DNS Configuration on the Old Domain Controller (the one about to be Decom- misioned). a. Primary value should be another DNS server (possibly the new server just added). b. Secondary value can be any other available DNS Server (Not the server about to be removed). 3. Remove Global Catalog from 2003 Server. a. Open Active Directory Users and Computers (on New 2016 DC) b. Navigate to your Domain, then Domain Controllers. c. Select the Domain Controller you wish to decommission and select properties. The PE2850-DC1 Properties window appears.In the PE2850-DC1 Properties win- dow, click NTDS Settings. The PE2850-DC1 Properties window appears. d. In the PE2850-DC1 Properties window, uncheck Global Catalog and click Apply. e. Click Ok and close the properties. f. After several minutes, the DC Type should change from GC to DC Raising Functional Levels Once all Domain Controllers have been replaced, you can now raise the domains functional level. You should raise it to the highest available level given the lowest Domain Controllers release value (assumed to now be 2008 or higher). 1. On an existing Domain Controller, run Active Directory Domains and Trusts. 2. To Raise the Domain Functional Level, a. Right-click the Domain and choose Raise Domain Functional Level. b. The Raise Domain Functional level dialog will appear. c. Click Drop Down option on the “Select an avail domain functional level”. d. You should choose the highest available level you can, based on the Oldest OS a Domain Contoller is running. e. After making your selection, click Raise.
- 71 - Preparing the domain for migration
f. A warning dialog will appear.
g. Click OK. A confirmation popup window appears.
Click OK. 3. Once all Domains have been raised, you can consider raising the Forest Level. a. Return to Active Directory Domains and Trusts. b. Right-click on the left hand side “Active Directory Domains and Trusts and choose Raise Forest Functional Level. c. The Raise Forst Functional level window appears. d. Click Drop Down option on the “Select an avail forest functional level”. e. You should choose the highest available level you can, based on the Oldest OS a Domain within the Forest is running. f. After making your selection, click Raise. g. A warning dialog will appear.
c. Click OK. A confirmation window appears.
- 72 - Preparing the domain for migration
h. Click OK. FRS to DFS Migration 1. Verify you meet all requirements (may have to raise functional levels first) by typing in the command: dfsrmig /getglobalstate at a command prompt.
If you are ready to start a migration, the return value should look like the above. 2. Start migration by typing in the command: dfsrmig /setglobalstate 1 at a command prompt.
- 73 - Preparing the domain for migration
3. Query the status by typing in: dfsrmig /getmigrationstate at a command prompt.
Be patient, it may take a little time. Need to wait until this value is returned:
4. Continue migration (phase 2) by typing in the command: dfsrmig /setglobalstate 2 at a command prompt.
5. Verify the status by again typing in: dfsrmig /getmigrationstate at a command prompt.
Wait until the status reaches.
- 74 - Preparing the domain for migration
6. Continue migration (phase 3) by typing in the command: dfsrmig /setglobalstate 3 at a command prompt.
7. Verify the status by again typing in: dfsrmig /getmigrationstate at a command prompt.
Wait until the status reaches.
8. Verify by completion by typing in Net Share:
- 75 - Preparing the domain for migration
NETLOGON and SYSVOL shares should now be under SYSVOL_DFSR. 9. In addition, File Replication Service should be stopped and disabled on all Domain Con- trollers.
- 76 - Preparing the domain for migration
Appendix
l Experion domain group policy settings l Security Model specific permissions
Experion domain group policy settings
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Control Panel::Prohibit Operational Microsoft Disables all Control Panel programs access to the Control Pane Roles Windows and prevents Control.exe (the program XP file for Control Panel) from starting. /Microsoft Windows This setting also removes Control Server Panel from the Start menu and Control 2003 (32- Panel folder from Windows Explorer. bit), If users try to select a Control Panel Microsoft item from the Properties item on a short- Windows cut menu, a message appears explain- Vista ing that a setting prevents the action. /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Control Panel\Add or Operational Microsoft Prevents users from using Add or Remove Programs::Go dir- Roles Windows Remove Programs to configure ectly to Components Wiz- XP installed services. ard /Microsoft Windows This setting removes the "Set up ser- Server vices" section of the Add/Remove Win- 2003 (32- dows Components page. The "Set up bit) services" section lists system services that have not been configured and offers users easy access to the con- figuration tools. If you disable this setting or do not con- figure it, "Set up services" appears only when there are no configured system services. If you enable this setting, "Set up services" never appears.
- 77 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
This setting does not prevent users from using other methods to configure services. Note: When "Set up services" does not appear, clicking the Add/Remove Win- dows Components button starts the Windows Component Wizard imme- diately. This is because, the only option remaining on the Add/Remove Win- dows Components page starts the wiz- ard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and pre- vent the Windows Component Wizard from starting, enable the "Hide Add/Re- move Windows Components page" set- ting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored.
\Control Panel\Add or Operational Microsoft Removes the Add New Programs but- Remove Programs::Hide Roles Windows ton from the Add or Remove Programs Add New Programs page XP bar. As a result, users cannot view or /Microsoft change the attached page. Windows Server The Add New Programs button lets 2003 (32- users install programs published or bit) assigned by a system administrator. If you disable this setting or do not con- figure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs.
\Control Panel\Add or Operational Microsoft Removes the Add/Remove Windows Remove Programs::Hide Roles Windows Components button from the Add or Add/Remove Windows XP Remove Programs bar. As a result, Components page /Microsoft users cannot view or change the asso- Windows ciated page. Server 2003 (32- The Add/Remove Windows Com- bit) ponents button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows
- 78 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
from the installation files. If you disable this setting or do not con- figure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services, add, or remove pro- gram components. However, this set- ting blocks user access to the Windows Component Wizard.
\Control Panel\Add or Operational Microsoft Removes the Change or Remove Pro- Remove Programs::Hide Roles Windows grams button from the Add or Remove Change or Remove Pro- XP Programs bar. As a result, users can- grams page /Microsoft not view or change the attached page. Windows Server The Change or Remove Programs but- 2003 (32- ton lets users uninstall, repair, add, or bit) remove features of installed programs. If you disable this setting or do not con- figure it, the Change or Remove Pro- grams page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs.
\Control Panel\Add or Operational Microsoft Removes the "Add a program from Remove Programs::"Hide Roles Windows CD-ROM or floppy disk" section from the ""Add a program from XP the Add New Programs page. This pre- CD-ROM or floppy disk"" /Microsoft vents users from using Add or Remove option" Windows Programs to install programs from Server removable media. 2003 (32- bit) If you disable this setting or do not con- figure it, the "Add a program from CD- ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored. In addition, if the "Prevent removable media source for any install" setting (located in User Con-
- 79 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
figuration\Administrative Tem- plates\Windows Com- ponents\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this set- ting.
\Control Panel\Add or Operational Microsoft Removes the "Add programs from Remove Programs::"Hide Roles Windows Microsoft" section from the Add New the ""Add programs from XP Programs page. This setting prevents Microsoft"" option" /Microsoft users from using Add or Remove Pro- Windows grams to connect to Windows Update. Server 2003 (32- If you disable this setting or do not con- bit) figure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
\Control Panel\Add or Operational Microsoft Prevents users from viewing or Remove Programs::"Hide Roles Windows installing published programs. the ""Add programs from XP your network"" option" /Microsoft This setting removes the "Add pro- Windows grams from your network" section from Server the Add New Programs page. The 2003 (32- "Add programs from your network" sec- bit) tion lists published programs and provides an easy way to install them. Published programs are those pro- grams that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators pub- lish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for install- ation files. If you enable this setting, users cannot tell which programs have been pub- lished by the system administrator, and they cannot use Add or Remove Pro- grams to install published programs.
- 80 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
However, they can still install programs by using other methods, and view and install assigned (partially installed) pro- grams that are offered on the desktop or on the Start menu. If you disable this setting or do not con- figure it, "Add programs from your net- work" is available to all users. Note: If the "Hide Add New Programs page" setting is enabled, this setting is ignored.
\Control Panel\Add or Operational Microsoft Prevents users from using Add or Remove Pro- Roles Windows Remove Programs. grams::Remove Add or XP Remove Programs /Microsoft This setting removes Add or Remove Windows Programs from Control Panel and Server removes the Add or Remove Programs 2003 (32- item from menus. bit) Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows and a wide variety of Win- dows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not con- figure it, Add or Remove Programs is available to all users. When enabled, this setting takes pre- cedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs.
\Control Panel\Add or Operational Microsoft Removes links to the Support Info dia- Remove Pro- Roles Windows log box from programs on the Change grams::Remove Support XP or Remove Programs page. Information /Microsoft Windows Programs listed on the Change or Server Remove Programs page can include a 2003 (32- "Click here for support information" bit) hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a
- 81 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not con- figure it, the Support Info hyperlink appears. Note: Not all programs provide a sup- port information hyperlink.
\Control Panel\Dis- Operational Microsoft Disables Display in Control Panel. play::Disable the Display Roles Windows Control Panel XP If you enable this setting, Display in /Microsoft Control Panel does not run. When Windows users try to start Display, a message Server appears explaining that a setting pre- 2003 (32- vents the action. bit), Also, see the "Prohibit access to the Microsoft Control Panel" (User Con- Windows figuration\Administrative Tem- Vista plates\Control Panel) and "Remove /Microsoft programs on Settings menu" (User Windows Configuration\Administrative Tem- Server plates\Start Menu & Taskbar) settings. 2008 Standard
\Control Panel\Dis- Operational Microsoft Removes the Appearance and play::Hide Appearance and Roles Windows Themes tabs from Display in Control Themes tab XP Panel. /Microsoft Windows When this setting is enabled, it Server removes the desktop color selection 2003 (32- option from the Desktop tab. bit), This setting prevents users from using Microsoft Control Panel to change the colors or Windows color scheme of the desktop and win- Vista dows. /Microsoft Windows If this setting is disabled or not con- Server figured, the Appearance and Themes 2008 tabs are available in Display in Control Standard Panel.
- 82 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Control Panel\Dis- Operational Microsoft Removes the Desktop tab from Display play::Hide Desktop tab Roles Windows in Control Panel. XP /Microsoft This setting prevents users from using Windows Control Panel to change the pattern Server and wallpaper on the desktop. 2003 (32- Enabling this setting also prevents the bit), user from customizing the desktop by Microsoft changing icons or adding new Web con- Windows tent through Control Panel. Vista /Microsoft Windows Server 2008 Standard
\Control Panel\Dis- Operational Microsoft Removes the Screen Saver tab from play::Hide Screen Saver Roles Windows Display in Control Panel. tab XP /Microsoft This setting prevents users from using Windows Control Panel to add, configure, or Server change the screen saver on the com- 2003 (32- puter. bit), Microsoft Windows Vista /Microsoft Windows Server 2008 Standard
\Control Panel\Dis- Operational Microsoft Removes the Settings tab from Display play::Hide Settings tab Roles Windows in Control Panel. XP /Microsoft This setting prevents users from using Windows Control Panel to add, configure, or Server change the display settings on the com- 2003 (32- puter. bit), Microsoft Windows Vista /Microsoft Windows Server 2008
- 83 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Control Panel\Dis- Operational Microsoft Prevents users from adding or chan- play::Prevent changing wall- Roles Windows ging the background design of the paper XP desktop. /Microsoft Windows By default, users can use the Desktop Server tab of Display in Control Panel to add a 2003 (32- background design (wallpaper) to their bit), desktop. Microsoft If you enable this setting, the Desktop Windows tab still appears, but all options on the Vista tab are disabled. /Microsoft Windows To remove the Desktop tab, use the Server "Hide Desktop tab" setting. 2008 To specify wallpaper for a group, use Standard the "Desktop Wallpaper" setting. Note: You must also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wall- paper. Refer to KB article: Q327998 for more information. Also, see the "Allow only bitmapped wallpaper" setting.
\Control Panel\Dis- Operational Microsoft Enables desktop screen savers. play::Screen Saver Roles is dis- Windows abled XP If you disable this setting, screen /Microsoft savers do not run. In addition, this set- Windows ting disables the Screen Saver section Server of the Screen Saver tab in Display in 2003 (32- Control Panel. As a result, users can- bit), not change the screen saver options. Microsoft If you do not configure it, this setting Windows has no effect on the system. Vista /Microsoft If you enable it, a screen saver runs, Windows provided the following two conditions Server hold: First, a valid screensaver on the 2008 client is specified through the Standard "Screensaver executable name" set-
- 84 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
ting or through Control Panel on the cli- ent computer. Second, the screensaver timeout is set to a nonzero value through the setting or Control Panel. Also, see the "Hide Screen Saver tab" setting.
\Control Panel\Dis- Operational Microsoft Prevents users from changing the play\Desktop Themes::Pre- Roles Windows visual style of the windows and buttons vent selection of windows XP displayed on their screens. When and buttons styles /Microsoft enabled, this setting disables the "Win- Windows dows and buttons" drop-down list on Server the Appearance tab in Display Prop- 2003 (32- erties. bit)
\Control Panel\Dis- Operational Microsoft Prevents users from changing the size play\Desktop Themes::Pro- Roles Windows of the font in the windows and buttons hibit selection of font size XP displayed on their screens. /Microsoft Windows If this setting is enabled, the "Font size" Server drop-down list on the Appearance tab 2003 (32- in Display Properties is disabled. bit) If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab.
\Control Panel\Dis- Operational Microsoft This setting forces the theme color to play\Desktop Themes::Pro- Roles Windows be the default color scheme. hibit Theme color selection XP /Microsoft If you enable this setting, a user cannot Windows change the color scheme of the current Server desktop theme. 2003 (32- If you disable or do not configure this bit) setting, a user may change the color scheme of the current desktop theme.
\Control Panel\Dis- Operational Microsoft This setting effects the Themes tab that play\Desktop Themes::Re- Roles Windows controls the overall appearance of win- move Theme option XP dows. /Microsoft Windows It is accessed through the Display icon Server in Control Panel. 2003 (32- Using the options under the Themes bit), tab, users can configure the theme for Microsoft their desktop.
- 85 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Windows If you enable this setting, it removes the Vista Themes tab. /Microsoft Windows If you disable or do not configure this Server setting, there is no effect. 2008 Note: If you enable this setting but do Standard not set a theme, the theme defaults to whatever the user previously set.
\Control Panel\Per- Operational Microsoft Enables desktop screen savers. sonalization::Enable screen Roles is dis- Windows saver abled XP If you disable this setting, screen /Microsoft savers do not run. In addition, this set- Windows ting disables the Screen Saver section Server of the Screen Saver dialog in the Per- 2003 (32- sonalization or Display Control Panel. bit), As a result, users cannot change the Microsoft screen saver options. Windows If you do not configure it, this setting Vista has no effect on the system. /Microsoft Windows If you enable it, a screen saver runs, Server provided the following two conditions 2008 hold: First, a valid screen saver on the Standard, client is specified through the "Screen Microsoft Saver executable name" setting or Windows 7 through Control Panel on the client Pro- computer. Second, the screen saver fessional timeout is set to a nonzero value (32-bit)/ through the setting or Control Panel. Also, see the "Prevent changing Screen Saver" setting.
\Control Panel\Per- Operational Microsoft This setting forces the theme color sonalization::Prevent chan- Roles Windows scheme to be the default color scheme. ging color scheme XP /Microsoft If you enable this setting, a user cannot Windows change the color scheme of the current Server desktop theme. 2003 (32- If you disable or do not configure this bit), setting, a user may change the color Microsoft scheme of the current desktop theme. Windows Vista For Windows 7 and later, use the "Pre- /Microsoft vent changing window color and Windows appearance" setting. Server 2008
- 86 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Control Panel\Per- Operational Microsoft Prevents users from adding or chan- sonalization::Prevent chan- Roles Windows ging the background design of the ging desktop background XP desktop. /Microsoft Windows By default, users can use the Desktop Server Background page in the Per- 2003 (32- sonalization or Display Control Panel to bit), add a background design (wallpaper) Microsoft to their desktop. Windows If you enable this setting, none of the Vista Desktop Background settings can be /Microsoft changed by the user. Windows Server To specify wallpaper for a group, use 2008 the "Desktop Wallpaper" setting. Standard, Note: You must also enable the Microsoft "Desktop Wallpaper" setting to prevent Windows 7 users from changing the desktop wall- Pro- paper. Refer to KB article: Q327998 for fessional more information. (32-bit)/ Also, see the "Allow only bitmapped wallpaper" setting.
\Control Panel\Per- Operational Microsoft Prevents users from changing the sonalization::Prevent chan- Roles Windows desktop icons. ging desktop icons XP /Microsoft By default, users can use the Desktop Windows Icon Settings dialog in the Per- Server sonalization or Display Control Panel to 2003 (32- show, hide, or change the desktop bit), icons. Microsoft If you enable this setting, none of the Windows desktop icons can be changed by the Vista user. /Microsoft Windows For systems prior to Windows Vista, Server this setting also hides the Desktop tab 2008 in the Display Control Panel Standard, Microsoft Windows 7
- 87 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Pro- fessional (32-bit)/
\Control Panel\Per- Operational Microsoft Prevents users from changing the sonalization::Prevent chan- Roles Windows 7 mouse pointers. ging mouse pointers Pro- fessional By default, users can use the Pointers (32-bit)/ tab in the Mouse Control Panel to add, remove, or change the mouse pointers. If you enable this setting, none of the mouse pointer scheme settings can be changed by the user
\Control Panel\Per- Operational Microsoft Prevents the Screen Saver dialog from sonalization::Prevent chan- Roles Windows opening in the Personalization or Dis- ging screen saver XP play Control Panel. /Microsoft Windows This setting prevents users from using Server Control Panel to add, configure, or 2003 (32- change the screen saver on the com- bit), puter. It does not prevent a screen Microsoft saver from running Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Control Panel\Per- Operational Microsoft Prevents users from changing the sonalization::Prevent chan- Roles Windows 7 sound scheme. ging sounds Pro- fessional By default, users can use the Sounds (32-bit)/ tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user
\Control Panel\Per- Operational Microsoft This setting disables the theme gallery sonalization::Prevent chan- Roles Windows in the Personalization Control Panel.
- 88 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system ging theme XP If you enable this setting, users cannot /Microsoft change or save a theme. Elements of a Windows theme such as the desktop back- Server ground, window color, sounds, and 2003 (32- screen saver can still be changed bit) (unless policies are set to turn them off). If you disable or do not configure this setting, there is no effect. Note: If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user pre- viously set or the system default
\Control Panel\Per- Operational Microsoft Prevents users or applications from sonalization::Prevent chan- Roles Windows changing the visual style of the win- ging visual style for XP dows and buttons displayed on their windows and buttons /Microsoft screens. Windows Server When enabled on Windows XP, this 2003 (32- setting disables the "Windows and but- bit) tons" drop-down list on the Appear- ance tab in Display Properties. When enabled on Windows XP and later systems, this setting prevents users and applications from changing the visual style through the command line. Also, a user may not apply a dif- ferent visual style when changing themes
\Control Panel\Per- Operational Microsoft Disables the Window Color page in the sonalization::Prevent chan- Roles Windows Personalization Control Panel, or the ging window color and XP Color Scheme dialog in the Display appearance /Microsoft Control Panel on systems where the Windows Personalization feature is not available. Server 2003 (32- This setting prevents users from using bit), Control Panel to change the glass Microsoft color, system colors, or color scheme of Windows the desktop and windows. Vista If this setting is disabled or not con- /Microsoft figured, the Window Color page or Windows Color Scheme dialog is available in the Server Personalization or Display Control 2008 Panel.
- 89 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Standard, For systems prior to Windows Vista, Microsoft this setting hides the Appearance and Windows 7 Themes tabs in the in Display in Con- Pro- trol Panel fessional (32-bit)/
\Control Panel\Per- Operational Microsoft Prevents users from changing the size sonalization::Prohibit selec- Roles Windows of the font in the windows and buttons tion of visual style font size XP displayed on their screens. /Microsoft Windows If this setting is enabled, the "Font size" Server drop-down list on the Appearance tab 2003 (32- in Display Properties is disabled. bit) If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab
\Control Panel\Print- Operational Microsoft Allows users to use the Add Printer Wiz- ers::Browse the network to Roles Windows ard to search the network for shared find printers XP printers. /Microsoft Windows If you enable this setting or do not con- Server figure it, when users choose to add a 2003 (32- network printer by selecting the "A net- bit), work printer, or a printer attached to Microsoft another computer" radio button on Add Windows Printer Wizard's page 2, and also Vista check the "Connect to this printer (or to /Microsoft browse for a printer, select this option Windows and click Next)" radio button on Add Server Printer Wizard's page 3, and do not spe- 2008 cify a printer name in the adjacent Standard, "Name" edit box, then Add Printer Wiz- Microsoft ard displays the list of shared printers Windows 7 on the network and invites to choose a Pro- printer from the shown list. fessional If you disable this setting, the network (32-bit)/ printer browse page is removed from within the Add Printer Wizard, and users cannot search the network but must type a printer name. Note: This setting affects the Add Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers.
- 90 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Control Panel\Print- Operational Microsoft Prevents users from using familiar ers::Prevent addition of Roles Windows methods to add local and network print- printers XP ers. /Microsoft Windows This setting removes the Add Printer Server option from the Start menu. (To find the 2003 (32- Add Printer option, click Start, click bit), Printers, and then click Add Printer.) Microsoft This setting also removes Add Printer Windows from the Printers folder in Control Vista Panel. /Microsoft In addition, users cannot add printers Windows by dragging a printer icon into the Print- Server ers folder. If they try, a message 2008 appears explaining that the setting pre- Standard, vents the action. Microsoft Windows 7 However, this setting does not prevent Pro- users from using the Add Hardware fessional Wizard to add a printer. Nor does it pre- (32-bit)/ vent users from running other pro- grams to add printers. This setting does not delete printers that users have already added. However, if users have not added a printer when this setting is applied, they cannot print. Note: You can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder, right-click a printer, click Prop- erties, and then click the Security tab. If this policy is disabled, or not con- figured, users can add printers using the methods described above
\Control Panel\Print- Operational Microsoft Prevents users from deleting local and ers::Prevent deletion of Roles Windows network printers. printers XP /Microsoft If a user tries to delete a printer, such Windows as by using the Delete option in Print- Server ers in Control Panel, a message 2003 (32- appears explaining that a setting pre- bit), vents the action. Microsoft This setting does not prevent users Windows from running other programs to delete a printer.
- 91 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Vista If this policy is disabled, or not con- /Microsoft figured, users can delete printers using Windows the methods described previously Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Control Panel\Pro- Operational Microsoft Prevents users from viewing or grams::"Hide ""Get Pro- Roles Windows installing published programs from the grams"" page" Vista network. /Microsoft Windows This setting prevents users from Server accessing the "Get Programs" page 2008 from the Programs Control Panel in Standard, Category View, Programs and Microsoft Features in Classic View and the Windows 7 "Install a program from the network" Pro- task. The "Get Programs" page lists fessional published programs and provides an (32-bit)/ easy way to install them. Published programs are those pro- grams that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators pub- lish programs to notify users of their availability, to recommend their use, or to enable users to install them without having to search for installation files. If this setting is enabled, users cannot view the programs that have been pub- lished by the system administrator, and they cannot use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offered on the desktop or on the Start menu. If this setting is disabled or is not con- figured, the "Install a program from the
- 92 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
network" task to the "Get Programs" page will be available to all users. Note: If the "Hide Programs Control Panel" setting is enabled, this setting is ignored
\Control Panel\Pro- Operational Microsoft This setting prevents users from grams::"Hide ""Installed Roles Windows accessing "Installed Updates" page Updates"" page" Vista from the "View installed updates" task. /Microsoft Windows "Installed Updates," allows users to Server view and uninstall updates currently 2008 installed on the computer. The updates Standard, are often downloaded directly from Win- Microsoft dows Update or from various program Windows 7 publishers. Pro- If this setting is disabled or not con- fessional figured, the "View installed updates" (32-bit)/ task and the "Installed Updates" page will be available to all users. This setting does not prevent users from using other tools and methods to install or uninstall programs
\Control Panel\Pro- Operational Microsoft This setting prevents users from grams::"Hide ""Programs Roles Windows accessing "Programs and Features" to and Features"" page" Vista view, uninstall, change, or repair pro- /Microsoft grams that are currently installed on the Windows computer. Server 2008 If this setting is disabled or not con- Standard, figured, "Programs and Features" will Microsoft be available to all users. Windows 7 This setting does not prevent users Pro- from using other tools and methods to fessional view or uninstall programs. It also does (32-bit)/ not prevent users from linking to related Programs Control Panel Features including Windows Features, Get Pro- grams, or Windows Marketplace
\Control Panel\Pro- Operational Microsoft This setting removes the Set Program grams::"Hide ""Set Pro- Roles Windows Access and Defaults page from the Pro- gram Access and Computer Vista grams Control Panel. As a result, users Defaults"" page" /Microsoft cannot view or change the associated Windows page. Server
- 93 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
2008 The Set Program Access and Com- Standard, puter Defaults page allows admin- Microsoft istrators to specify default programs for Windows 7 certain activities, such as Web brows- Pro- ing or sending e-mail, as well as specify fessional the programs that are accessible from (32-bit)/ the Start menu, desktop, and other loc- ations. If this setting is disabled or not con- figured, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Default Programs icon from appearing on the Start menu
\Control Panel\Pro- Operational Microsoft This setting prevents users from grams::Hide "Windows Roles Windows accessing the "Turn Windows features Features" Vista on or off" task from the Programs Con- /Microsoft trol Panel in Category View, Programs Windows and Features in Classic View, and Get Server Programs. As a result, users cannot 2008 view, enable, or disable various Win- Standard, dows features and services. Microsoft Windows 7 If this setting is disabled or is not con- Pro- figured, the "Turn Windows features on fessional or off" task will be available to all users. (32-bit)/ This setting does not prevent users from using other tools and methods to configure services or enable or disable program components
\Control Panel\Pro- Operational Microsoft This setting prevents users from grams::Hide "Windows Mar- Roles Windows access the "Get new programs from ketplace" Vista Windows Marketplace" task from the /Microsoft Programs Control Panel in Category Windows View, Programs and Features in Clas- Server sic View, and Get Programs. 2008 Standard, Windows Marketplace allows users to Microsoft purchase and/or download various pro- Windows 7 grams to their computer for installation. Pro- Enabling this feature does not prevent fessional users from navigating to Windows Mar-
- 94 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
(32-bit)/ ketplace using other methods. If this feature is disabled or is not con- figured, the "Get new programs from Windows Marketplace" task link will be available to all users. Note: If the "Hide Programs control Panel" setting is enabled, this setting is ignored
\Control Panel\Pro- Operational Microsoft This setting prevents users from using grams::Hide the Programs Roles Windows the Programs Control Panel in Cat- Control Panel Vista egory View and Programs and /Microsoft Features in Classic View. Windows Server The Programs Control Panel allows 2008 users to uninstall, change, and repair Standard, programs, enable and disable Win- Microsoft dows Features, set program defaults, Windows 7 view installed updates, and purchase Pro- software from Windows Marketplace. fessional Programs published or assigned to the (32-bit)/ user by the system administrator also appear in the Programs Control Panel. If this setting is disabled or not con- figured, the Programs Control Panel in Category View and Programs and Features in Classic View will be avail- able to all users. When enabled, this setting takes pre- cedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs.
\Control Panel\Regional Operational Microsoft This policy removes the Administrative and Language Option- Roles Windows options from the Regional and Lan- s::Hide Regional and Lan- Vista guage Options control panel. Admin- guage Options /Microsoft istrative options include interfaces for administrative options Windows setting system locale and copying set- Server tings to the default user. This policy 2008 does not, however, prevent an admin- Standard, istrator or another application from Microsoft changing these values pro- Windows 7 grammatically. Pro- The policy is used only to simplify the
- 95 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
fessional Regional Options control panel. (32-bit)/ If the policy is Enabled, then the user will not be able to see the Admin- istrative options. If the policy is Disabled or Not Con- figured, then the user will see the Administrative options. Note that even if a user can see the Administrative options, other policies may prevent them from modifying the values.
\Control Panel\Regional Operational Microsoft This policy removes the option to and Language Option- Roles Windows change the user's geographical loc- s::Hide the geographic loc- Vista ation (GeoID) from the Language and ation option /Microsoft Regional Options control panel. This Windows does not, however, prevent the user or Server an application from changing the 2008 GeoID programmatically. Standard, Microsoft The policy is used only to simplify the Windows 7 Regional Options control panel. Pro- If the policy is Enabled, then the user fessional will not see the option to change the (32-bit)/ user geographical location (GeoID). If the policy is Disabled or Not Con- figured, then the user will see the option for changing the user location (GeoID). Note that even if a user can see the GeoID Option, the "Disallow changing of geographical location" option may prevent them from actually changing their current geographical location.
\Control Panel\Regional Operational Microsoft This policy removes the option to and Language Option- Roles Windows change the user's menus and dialogs s::Hide the select language Vista (UI) language from the Language and group options /Microsoft Regional Options control panel. This Windows does not, however, prevent the user or Server an application from changing the UI lan- 2008 guage programmatically. Standard, Microsoft The policy is used only to simplify the Windows 7 Regional Options control panel.
- 96 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Pro- If the policy is Enabled, then the user fessional will not see the option for changing the (32-bit)/ UI language. If the policy is Disabled or Not Con- figured, then the user will see the option for changing the UI language. Note that even if a user can see the option to change the UI language, other policies may prevent them from changing their UI language.
\Control Panel\Regional Operational Microsoft This policy removes the regional and Language Option- Roles Windows formats interface from the Regional s::Hide user locale selection Vista and Language Options control panel. and customization options /Microsoft This does not, however, prevent the Windows user or an application from changing Server their user locale or user overrides pro- 2008 grammatically. Standard, Microsoft The policy is only used to simplify the Windows 7 Regional Options control panel. Pro- If the policy is Enabled, then the user fessional will not see the regional formats (32-bit)/ options. If the policy is Disabled or Not Con- figured, then the user will see the regional formats options for changing and customizing the user locale.
\Desktop::Do not add Operational Microsoft Remote shared folders are not added shares of recently opened Roles Windows to Network Locations whenever you documents to Network XP open a document in the shared folder. Locations /Microsoft Windows If you disable this setting or do not con- Server figure it, when you open a document in 2003 (32- a remote shared folder, the system bit) adds a connection to the shared folder to Network Locations. If you enable this setting, shared folders are not added to Network Loca- tions automatically when you open a document in the shared folder.
\Desktop::Don't save set- Operational Microsoft Prevents users from saving certain tings at exit Roles Windows changes to the desktop. XP If you enable this setting, users can
- 97 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
/Microsoft change the desktop, but some Windows changes, such as the position of open Server windows or the size and position of the 2003 (32- taskbar, are not saved when users log bit), off. However, shortcuts placed on the Microsoft desktop are always saved Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Desktop::Hide and disable Operational Microsoft Removes icons, shortcuts, and other all items on the desktop Roles Windows default and user-defined items from the XP desktop, including Briefcase, Recycle /Microsoft Bin, Computer, and Network Loca- Windows tions. Server 2003 (32- Removing icons and shortcuts does not bit), prevent the user from using another Microsoft method to start the programs or open- Windows ing the items they represent. Vista Also, see "Items displayed in Places /Microsoft Bar" in User Con- Windows figuration\Administrative Tem- Server plates\Windows 2008 Components\Common Open File Dia- Standard, log to remove the Desktop icon from Microsoft the Places Bar. This will help prevent Windows 7 users from saving data to the Desktop Pro- fessional (32-bit)/
\Desktop::Hide Internet Operational Microsoft Removes the Internet Explorer icon Explorer icon on desktop Roles Windows from the desktop and from the Quick XP Launch bar on the taskbar. /Microsoft Windows This setting does not prevent the user Server from starting Internet Explorer by using 2003 (32- other methods
- 98 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
bit), Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Desktop::Hide Network Operational Microsoft Removes the Network Locations icon Locations icon on desktop Roles Windows from the desktop. XP /Microsoft This setting only affects the desktop Windows icon. It does not prevent users from con- Server necting to the network or browsing for 2003 (32- shared computers on the network. bit), Note: In operating systems earlier than Microsoft Microsoft Windows Vista, this policy Windows applies to the My Network Places icon Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Desktop::"Prevent adding, Operational Microsoft Prevents users from manipulating dragging, dropping and clos- Roles Windows desktop toolbars. ing the Taskbar's toolbars" XP /Microsoft If you enable this setting, users cannot Windows add or remove toolbars from the Server desktop. In addition, users cannot drag 2003 (32- toolbars on to or off of docked toolbars. bit), Note: If users have added or removed Microsoft toolbars, this setting prevents them Windows from restoring the default configuration. Vista
- 99 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
/Microsoft To view the toolbars that can be added Windows to the desktop, right-click a docked tool- Server bar (such as the taskbar beside the 2008 Start button), and point to "Toolbars." Standard, Microsoft Also, see the "Prohibit adjusting Windows 7 desktop toolbars" setting Pro- fessional (32-bit)/
\Desktop::Prohibit adjusting Operational Microsoft Prevents users from adjusting the desktop toolbars Roles, Windows length of desktop toolbars. In addition, Engin- XP users cannot reposition items or tool- eering /Microsoft bars on docked toolbars. Role, and Windows Product Server This setting does not prevent users Admin- 2003 (32- from adding or removing toolbars on istrator bit), the desktop. Role Microsoft Note: If users have adjusted their tool- Windows bars, this setting prevents them from Vista restoring the default configuration. /Microsoft Windows Also, see the "Prevent adding, drag- Server ging, dropping and closing the 2008 Taskbar's toolbars" setting. Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Desktop::Prohibit User Operational Microsoft Prevents users from changing the path from manually redirecting Roles Windows to their profile folders. Profile Folders XP /Microsoft By default, a user can change the loc- Windows ation of their individual profile folders Server like Documents, Music etc. by typing a 2003 (32- new path in the Locations tab of the bit), folder's Properties dialog box. Microsoft If you enable this setting, users are Windows unable to type a new location in the Tar- Vista get box /Microsoft Windows Server 2008 Standard,
- 100 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Microsoft Windows 7 Pro- fessional (32-bit)/
\Desktop::Remove Com- Operational Microsoft If you enable this setting, Computer is puter icon on the desktop Roles Windows hidden on the desktop, the new Start XP menu, the Explorer folder tree pane, /Microsoft and the Explorer Web views. If the user Windows manages to navigate to Computer, the Server folder will be empty. 2003 (32- bit) If you enable this setting, Computer is hidden on the desktop, the new Start menu, the Explorer folder tree pane, and the Explorer Web views. If the user manages to navigate to Computer, the folder will be empty If you disable this setting, Computer is displayed as usual, appearing as nor- mal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting. If you do not configure this setting, the default is to display Computer as usual. Note: In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hid- ing Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
\Desktop::Remove My Operational Microsoft Removes most occurrences of the My Documents icon on the Roles Windows Documents icon. desktop XP /Microsoft This setting removes the My Docu- Windows ments icon from the desktop, from Win- Server dows Explorer, from programs that use 2003 (32- the Windows Explorer windows, and bit) from the standard Open dialog box. This setting does not prevent the user from using other methods to gain access to the contents of the My Docu-
- 101 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
ments folder. This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Docu- ments icon from Start Menu" setting. Note: To make changes to this setting effective, you must log off from and log back on to Windows.
\Desktop::Remove Prop- Operational Microsoft Removes the Properties option from erties from the Recycle Bin Roles Windows the Recycle Bin shortcut menu. context menu XP /Microsoft If you enable this setting, the Properties Windows option will not be present when the Server user right-clicks on Recycle Bin or 2003 (32- opens Recycle Bin and then clicks File. bit) Likewise, Alt-Enter does nothing when Recycle Bin is selected. If you disable or do not configure this setting, the Properties option is dis- played as usual.
\Desktop::Remove the Operational Microsoft Prevents users from using the Desktop Desktop Cleanup Wizard Roles Windows Cleanup Wizard. XP /Microsoft If you enable this setting, the Desktop Windows Cleanup wizard does not automatically Server run on a user’s workstation every 60 2003 (32- days. The user will also not be able to bit) access the Desktop Cleanup Wizard. If you disable this setting or do not con- figure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs. Note: When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
\Desktop\Active Dir- Operational Hides the Active Directory folder in Net- ectory::Hide Active Dir- Roles work Locations. ectory folder The Active Directory folder displays Act- ive Directory objects in a browse win- dow.
- 102 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
If you enable this setting, the Active Dir- ectory folder does not appear in the Net- work Locations folder. If you disable this setting or do not con- figure it, the Active Directory folder appears in the Network Locations folder. This setting is designed to let users search Active Directory but not tempt them to casually browse Active Dir- ectory.
\Desktop\Desktop::Disable Operational Microsoft Disables Active Desktop and prevents Active Desktop Roles, Windows users from enabling it. Engin- XP eering Role /Microsoft This setting prevents users from trying and Windows to enable or disable Active Desktop Product Server while a policy controls it. Admin- 2003 (32- If you disable this setting or do not con- istrator bit) figure it, Active Desktop is disabled by Role default, but users can enable it. Note: If both the "Enable Active Desktop" setting and the "Disable Act- ive Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Con- figuration\Administrative Tem- plates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.
\Desktop\Desktop::Prohibit Operational Microsoft Prevents the user from enabling or dis- changes Roles, Windows abling Active Desktop or changing the Engin- XP Active Desktop configuration. eering Role /Microsoft and Windows This is a comprehensive setting that Product Server locks down the configuration you estab- Admin- 2003 (32- lish by using other policies in this folder. istrator bit) This setting removes the Web tab from Role Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop com-
- 103 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
ponents.
\Network\Network Con- Operational Microsoft Determines whether users can use the nections::Prohibit access to Roles Windows New Connection Wizard, which cre- the New Connection Wiz- XP ates new network connections. ard /Microsoft Windows If you enable this setting (and enable Server the "Enable Network Connections set- 2003 (32- tings for Administrators" setting), the bit) Make New Connection icon does not appear in the Start Menu on in the Net- work Connections folder. As a result, users (including administrators) cannot start the New Connection Wizard. Important: If the "Enable Network Con- nections settings for Administrators" is disabled or not configured, this setting will not apply to administrators on post- Windows 2000 computers. If you disable this setting or do not con- figure it, the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Con- nection icon starts the New Connection Wizard. Note: Changing this setting from Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting are applied, the icon does not appear or disappear in the Network Connections folder until the folder is refreshed. This setting does not prevent users from using other programs, such as Internet Explorer, to bypass this set- ting.
\Network\Windows Con- Operational Microsoft This policy setting prohibits access to nect Now::Prohibit Access Roles Windows Windows Connect Now (WCN) wiz- of the Windows Connect Vista ards. If this policy setting is enabled, the Now wizards /Microsoft wizards are disabled and users will Windows have no access to any of the wizard Server tasks. All the configuration related 2008 tasks, including ‘Set up a wireless Standard,
- 104 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Microsoft router or access point’ and ‘Add a wire- Windows 7 less device’, will be disabled. If this Pro- policy is disabled or not configured, fessional users will have access to the wizard (32-bit)/ tasks; including ‘Set up a wireless router or access point’ and ‘Add a wire- less device’. The default for this policy setting allows users to access all WCN wizards.
\Start Menu and Operational Microsoft This policy only applies to the classic Taskbar::Add Logoff to the Roles, Windows version of the start menu and does not Start Menu Engin- XP affect the new style start menu. eering Role /Microsoft and Windows Adds the "Log Off
\Start Menu and Operational Microsoft Set the default action of the power but- Taskbar::Change Start Roles, Windows 7 ton on the Start menu. Menu power button Engin- Pro- eering fessional If you enable this setting, the Start
- 105 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Role, and (32-bit)/ Menu will set the power button to the Product chosen action, and not let the user Admin- change this action. istrator Role are If you set the button to either Sleep or logged off Hibernate, and that state is not supported on a computer, then the but- ton will fall back to Shut Down. If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action.
\Start Menu and Operational Microsoft Clear history of recently opened doc- Taskbar::Clear history of Roles Windows uments on exit. recently opened documents XP on exit /Microsoft If you enable this setting, the system Windows deletes shortcuts to recently used doc- Server ument files when the user logs off. As a 2003 (32- result, the Recent Items menu on the bit), Start menu is always empty when the Microsoft user logs on. In addition, recently and Windows frequently used items in the Jump Lists Vista off of programs in the Start Menu and /Microsoft Taskbar will be cleared when the user Windows logs off. Server If you disable or do not configure this 2008 setting, the system retains document Standard, shortcuts, and when a user logs on, the Microsoft Recent Items menu and the Jump Lists Windows 7 appear just as it did when the user Pro- logged off. fessional (32-bit)/ Note: The system saves document shortcuts in the user profile in the Sys- tem-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened doc- uments" policies in this folder. The sys- tem only uses this setting when neither of these related settings are selected. This setting does not clear the list of recent files that Windows programs dis- play at the bottom of the File menu.
- 106 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
See the "Do not keep history of recently opened documents" setting. This policy setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. This policy also does not clear items that the user may have pinned to the Jump Lists, or Tasks that the applic- ation has provided for their menu. See the "Do not allow pinning items in Jump Lists" setting.
\Start Menu and Operational Microsoft If you enable this setting, users cannot Taskbar::Do not allow pin- Roles Windows 7 pin files, folders, websites, or other ning items in Jump Lists Pro- items to their Jump Lists in the Start fessional Menu and Taskbar. Users also cannot (32-bit)/ unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. If you disable this setting or do not con- figure it, users can pin files, folders, websites, and other items to a pro- gram's Jump List so that the items is always present in this menu.
\Start Menu and Operational Microsoft Prevents the operating system and Taskbar::Do not keep his- Roles Windows installed programs from creating and tory of recently opened doc- XP displaying shortcuts to recently opened uments /Microsoft documents. Windows Server If you enable this setting, the system 2003 (32- and Windows programs do not create bit), shortcuts to documents opened while Microsoft the setting is in effect. In addition, they Windows retain but do not display existing doc- Vista ument shortcuts. The system empties /Microsoft the Recent Items menu on the Start Windows menu, and Windows programs do not Server display shortcuts at the bottom of the 2008 File menu. In addition, the Jump Lists Standard, off of programs in the Start Menu and Microsoft Taskbar do not show lists of recently or Windows 7 frequently used files, folders, or web- Pro- sites. fessional If you disable or do not configure this
- 107 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
(32-bit)/ setting, the system will store and dis- play shortcuts to recently and fre- quently used files, folders, and websites. Note: The system saves document shortcuts in the user profile in the Sys- tem-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Clear his- tory of recently opened documents on exit" policies in this folder. If you enable this setting but do not enable the "Remove Recent Items menu from Start Menu" setting, the Recent Items menu appears on the Start menu, but it is empty. If you enable this setting, but then later disable it or set it to Not Configured, the document shortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus, and Jump Lists. This setting does not hide or prevent the user from pinning files, folders, or websites to the Jump Lists. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide Tasks that the application has provided for their Jump List. This set- ting does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. Note:It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this set- ting.
\Start Menu and Operational Microsoft Prevents the user from making any Taskbar::Lock all taskbar Roles Windows changes to the taskbar settings through settings Vista the Taskbar Properties dialog. /Microsoft Windows If you enable this setting the user can- Server not access the taskbar control panel.
- 108 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
2008 The user is also unable to resize, move Standard, or rearrange toolbars on their taskbar. Microsoft Windows 7 If you disable or do not configure this Pro- setting the user will be able to set any fessional taskbar setting that is not disallowed by (32-bit)/ another policy setting.
\Start Menu and Operational Microsoft Removes the Taskbar and Start Menu Taskbar::Prevent changes Roles and Windows item from Settings on the Start menu. to Taskbar and Start Menu Engin- XP This setting also prevents the user from Settings eering Role /Microsoft opening the Taskbar Properties dialog Windows box. Server 2003 (32- If the user right-clicks the taskbar and bit), then clicks Properties, a message Microsoft appears explaining that a setting pre- Windows vents the action. Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft This setting affects the taskbar buttons Taskbar::Prevent grouping Roles and Windows used to switch between running pro- of taskbar items Engin- XP grams. eering Role /Microsoft Windows Taskbar grouping consolidates similar Server applications when there is no room on 2003 (32- the taskbar. It kicks in when the user's bit) taskbar is full. If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose.
- 109 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Start Menu and Operational Microsoft Prevents users from adding or remov- Taskbar::Prevent users Roles and Windows ing toolbars. from adding or removing Engin- Vista toolbars eering Role /Microsoft If you enable this policy setting the user Windows will not be allowed to add or remove Server any toolbars to the taskbar. Applic- 2008 ations will not be able to add toolbars Standard, either. Microsoft If you disable or do not configure this Windows 7 policy setting, the users and applic- Pro- ations will be able to add toolbars to the fessional taskbar. (32-bit)/
\Start Menu and Operational Microsoft Prevents users from moving taskbar to Taskbar::Prevent users Roles and Windows another screen dock location. from moving taskbar to Engin- Vista another screen dock loc- eering Role /Microsoft If you enable this policy setting the user ation Windows will not be able to drag their taskbar to Server another side of the monitor(s). 2008 If you disable or do not configure this Standard, policy setting the user may be able to Microsoft drag their taskbar to other sides of the Windows 7 monitor unless disallowed by another Pro- policy setting. fessional (32-bit)/
\Start Menu and Operational Microsoft Prevents users from rearranging tool- Taskbar::Prevent users Roles and Windows bars. from rearranging toolbars Engin- Vista eering Role /Microsoft If you enable this setting the user will Windows not be able to drag or drop toolbars to Server the taskbar. 2008 If you disable or do not configure this Standard, policy setting, users will be able to Microsoft rearrange the toolbars on the taskbar. Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Prevent users from resizing the Taskbar::Prevent users Roles and Windows taskbar. from resizing the taskbar Engin- Vista eering Role /Microsoft If you enable this policy setting the user Windows will not be able to resize their taskbar to Server be any other size. 2008 If you disable or do not configure this
- 110 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Standard, policy setting, the user will be able to Microsoft resize their taskbar to be any other size Windows 7 unless disallowed by another setting. Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Hides the menus that appear when you Taskbar::Remove access to Roles Windows right-click the taskbar and items on the the context menus for the XP taskbar, such as the Start button, the taskbar /Microsoft clock, and the taskbar buttons. Windows Server This setting does not prevent users 2003 (32- from using other methods to issue the bit), commands that appear on these Microsoft menus. Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft If you enable this setting, the "All Pro- Taskbar::Remove All Pro- Roles Windows grams" item is removed from the simple grams list from the Start XP Start menu. menu /Microsoft Windows If you disable this setting or do not con- Server figure it, the "All Programs" item 2003 (32- remains on the simple Start menu. bit)
\Start Menu and Operational Microsoft This policy setting prevents users from Taskbar::"Remove and pre- Roles Windows performing the following commands vent access to the Shut XP from the Start menu or Windows Secur- Down, Restart, Sleep, and /Microsoft ity screen: Shut Down, Restart, Sleep, Hibernate commands" Windows and Hibernate. This policy setting does Server not prevent users from running Win- 2003 (32- dows-based programs that perform bit), these functions. Microsoft Windows If you enable this policy setting, the Vista Power button and the Shut Down,
- 111 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
/Microsoft Restart, Sleep, and Hibernate com- Windows mands are removed from the Start Server menu. The Power button is also 2008 removed from the Windows Security Standard, screen, which appears when you press Microsoft CTRL+ALT+DELETE. Windows 7 Pro- If you disable or do not configure this fessional policy setting, the Power button and the (32-bit)/ Shut Down, Restart, Sleep, and Hibern- ate commands are available on the Start menu. The Power button on the Windows Security screen is also avail- able. Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting.
\Start Menu and Operational Microsoft Hides pop-up text on the Start menu Taskbar::Remove Balloon Roles Windows and in the notification area. Tips on Start Menu items XP /Microsoft When you hold the cursor over an item Windows on the Start menu or in the notification Server area, the system displays pop-up text 2003 (32- providing additional information about bit) the object. If you enable this setting, some of this pop-up text is not displayed. The pop- up text affected by this setting includes "Click here to begin" on the Start but- ton, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. If you disable this setting or do not con- figure it, all pop-up text is displayed on the Start menu and in the notification area.
\Start Menu and Operational Microsoft Removes items in the All Users profile Taskbar::Remove common Roles Windows from the Programs menu on the Start program groups from Start XP menu. Menu /Microsoft Windows By default, the Programs menu con- tains items from the All Users profile
- 112 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server and items from the user's profile. If you 2003 (32- enable this setting, only items in the bit), user's profile appear in the Programs Microsoft menu. Windows Vista /Microsoft To see the Program menu items in the Windows All Users profile, on the system drive, Server go to Pro- 2008 gramData\Microsoft\Windows\Start Standard, Menu\Programs. Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Removes the Default Programs link Taskbar::Remove Default Roles and Windows from the Start menu. Programs link from the Start Engin- XP menu. eering Role /Microsoft Clicking the Default Programs link from Windows the Start menu opens the Default Pro- Server grams control panel and provides 2003 (32- administrators the ability to specify bit) default programs for certain activities, such as Web browsing or sending e- mail, as well as which programs are accessible from the Start menu, desktop, and other locations. Note: This setting does not prevent the Set Default Programs for This Com- puter option from appearing in the Default Programs control panel.
\Start Menu and Operational Microsoft Removes the Documents icon from the Taskbar::Remove Docu- Roles Windows Start menu and its submenus. ments icon from Start Menu XP /Microsoft This setting only removes the icon. It Windows does not prevent the user from using Server other methods to gain access to the 2003 (32- contents of the Documents folder. bit), Note: To make changes to this setting Microsoft effective, you must log off and then log Windows on. Vista /Microsoft Also, see the "Remove Documents Windows icon on the desktop" setting. Server
- 113 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft If you enable this policy the start menu Taskbar::Remove Down- Roles and Windows 7 will not show a link to the Downloads loads link from Start Menu Engin- Pro- folder. eering Role fessional (32-bit)/
\Start Menu and Operational Microsoft Prevents users from using the drag- Taskbar::Remove drag- Roles and Windows and-drop method to reorder or remove and-drop and context Engin- XP items on the Start menu. In addition, it menus on the Start Menu eering Role /Microsoft removes shortcut menus from the Start Windows menu. Server 2003 (32- If you disable this setting or do not con- bit), figure it, users can remove or reorder Microsoft Start menu items by dragging and drop- Windows ping the item. They can display shortcut Vista menus by right-clicking a Start menu /Microsoft item. Windows This setting does not prevent users Server from using other methods of cus- 2008 tomizing the Start menu or performing Standard, the tasks available from the shortcut Microsoft menus. Windows 7 Pro- Also, see the "Prevent changes to fessional Taskbar and Start Menu Settings" and (32-bit)/ the "Remove access to the context menus for taskbar" settings.
\Start Menu and Operational Microsoft Prevents users from adding the Favor- Taskbar::Remove Favorites Roles Windows ites menu to the Start menu or classic menu from Start Menu XP Start menu. /Microsoft Windows If you enable this setting, the Display Server Favorites item does not appear in the 2003 (32- Advanced Start menu options box. bit), If you disable or do not configure this Microsoft setting, the Display Favorite item is Windows available. Vista /Microsoft Note: The Favorites menu does not
- 114 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Windows appear on the Start menu by default. Server To display the Favorites menu, right- 2008 click Start, click Properties, and then Standard, click Customize. If you are using Start Microsoft menu, click the Advanced tab, and Windows 7 then, under Start menu items, click the Pro- Favorites menu. If you are using the fessional classic Start menu, click Display Favor- (32-bit)/ ites under Advanced Start menu options. The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a cus- tomized Favorites menu for a user group. This setting only affects the Start menu. The Favorites item still appears in Win- dows Explorer and in Internet Explorer.
\Start Menu and Operational Microsoft If you enable this setting, the frequently Taskbar::Remove frequent Roles Windows used programs list is removed from the programs list from the Start XP Start menu. Menu /Microsoft Windows If you disable this setting or do not con- Server figure it, the frequently used programs 2003 (32- list remains on the simple Start menu. bit), Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft If you enable this policy the start menu Taskbar::Remove Games Roles, Windows 7 will not show a link to the Games folder. link from Start Menu Engin- Pro- fessional If you disable or do not configure this
- 115 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
eering (32-bit)/ policy, the start menu will show a link to Role, and the Games folder, unless the user Product chooses to remove it in the start menu Admin- control panel. istrator Role
\Start Menu and Operational Microsoft Removes the Help command from the Taskbar::Remove Help Roles Windows Start menu. menu from Start Menu XP /Microsoft This setting only affects the Start menu. Windows It does not remove the Help menu from Server Windows Explorer and does not pre- 2003 (32- vent users from running Help. bit), Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft If you enable this policy the Start menu Taskbar::Remove Roles, Windows 7 will not show a link to Homegroup. It Homegroup link from Start Engin- Pro- also removes the homegroup item from Menu eering fessional the Start Menu options. As a result, Role, and (32-bit)/ users cannot add the homegroup link to Product the Start Menu. Admin- istrator If you disable or do not configure this Role policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu.
\Start Menu and Operational Microsoft Prevents users from connecting to the Taskbar::Remove links and Roles, Windows Windows Update Web site. access to Windows Update Engin- XP eering /Microsoft This setting blocks user access to the Role, and Windows Windows Update Web site at http://win- Product Server dowsupdate.microsoft.com. In addi- Admin- 2003 (32- tion, the setting removes the Windows istrator bit), Update hyperlink from the Start menu and from the Tools menu in Internet
- 116 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Role Microsoft Explorer. Windows Vista Windows Update, the online extension /Microsoft of Windows, offers software updates to Windows keep a user’s system up-to-date. The Server Windows Update Product Catalog 2008 determines any system files, security Standard, fixes, and Microsoft updates that user’s Microsoft need and shows the newest versions Windows 7 available for download. Pro- Also, see the "Hide the "Add programs fessional from Microsoft" option" setting. (32-bit)/
\Start Menu and Operational Microsoft Removes the Music icon from the Start Taskbar::Remove Music Roles, Windows Menu. icon from Start Menu Engin- XP eering /Microsoft Role, and Windows Product Server Admin- 2003 (32- istrator bit), Role Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Prevents users from running Network Taskbar::Remove Network Roles, Windows Connections. Connections from Start Engin- XP Menu eering /Microsoft This setting prevents the Network Con- Role, and Windows nections folder from opening. This set- Product Server ting also removes Network Admin- 2003 (32- Connections from Settings on the Start istrator bit), menu. Role Microsoft Network Connections still appears in Windows Control Panel and in Windows Vista Explorer, but if users try to start it, a /Microsoft message appears explaining that a set- Windows ting prevents the action.
- 117 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server Also, see the "Disable programs on Set- 2008 tings menu" and "Disable Control Standard Panel" settings and the settings in the Network Connections folder (Com- puter Configuration and User Con- figuration\Administrative Templates\Network\Network Con- nections).
\Start Menu and Operational Microsoft Removes the Network icon from the Taskbar::Remove Network Roles . Windows Start Menu. icon from Start Menu XP /Microsoft Windows Server 2003 (32- bit), Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Removes the Pictures icon from the Taskbar::Remove Pictures Roles, Windows Start Menu. icon from Start Menu Engin- XP eering /Microsoft Role, and Windows Product Server Admin- 2003 (32- istrator bit), Role Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7
- 118 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft If you enable this setting, pinned pro- Taskbar::Remove pinned Roles . Windows 7 grams are prevented from being shown programs from the Taskbar Pro- on the Taskbar. Users cannot pin pro- fessional grams to the Taskbar. (32-bit)/ If you disable this setting or do not con- figure it, users can pin programs so that the program shortcuts stay on the Taskbar.
\Start Menu and Operational Microsoft If you enable this setting, the "Pinned Taskbar::Remove pinned Roles . Windows Programs" list is removed from the programs list from the Start XP Start menu. Users cannot pin pro- Menu /Microsoft grams to the Start menu. Windows Server In Windows XP and Windows Vista, 2003 (32- the Internet and email checkboxes are bit), removed from the 'Customize Start Microsoft Menu' dialog. Windows If you disable this setting or do not con- Vista figure it, the "Pinned Programs" list /Microsoft remains on the Start menu. Users can Windows pin and unpin programs in the Start Server Menu. 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Prevents Control Panel, Printers, and Taskbar::Remove pro- Roles and Windows Network Connections from running. grams on Settings menu Engin- XP eering Role /Microsoft This setting removes the Control . Windows Panel, Printers, and Network and Con- Server nection folders from Settings on the 2003 (32- Start menu, and from Computer and bit), Windows Explorer. It also prevents the Microsoft programs represented by these folders Windows (such as Control.exe) from running. Vista However, users can still start Control /Microsoft Panel items by using other methods, Windows such as right-clicking the desktop to
- 119 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server start Display or right-clicking Computer 2008 to start System. Standard, Microsoft Also, see the "Disable Control Panel," Windows 7 "Disable Display in Control Panel," and Pro- "Remove Network Connections from fessional Start Menu" settings. (32-bit)/
\Start Menu and Operational Microsoft Removes the Recent Items menu from Taskbar::Remove Recent Roles . Windows the Start menu. Removes the Docu- Items menu from Start XP ments menu from the classic Start Menu /Microsoft menu. Windows Server The Recent Items menu contains links 2003 (32- to the non-program files that users bit), have most recently opened. It appears Microsoft so that users can easily reopen their Windows documents. Vista If you enable this setting, the system /Microsoft saves document shortcuts but does not Windows display the Recent Items menu in the Server Start Menu, and users cannot turn the 2008 menu on. Standard, Microsoft If you later disable the setting, so that Windows 7 the Recent Items menu appears in the Pro- Start Menu, the document shortcuts fessional saved before the setting was enabled (32-bit)/ and while it was in effect, appear in the Recent Items menu. When the setting is disabled, the Recent Items menu appears in the Start Menu, and users cannot remove it. If the setting is not configured, users can turn the Recent Items menu on and off. Note: This setting does not prevent Win- dows programs from displaying short- cuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. This setting also does not hide doc- ument shortcuts displayed in the Open dialog box. See the "Hide the drop-
- 120 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
down list of recent files" setting.
\Start Menu and Operational Microsoft If you enable this policy the start menu Taskbar::Remove Recor- Roles, Windows 7 will not show a link to the Recorded TV ded TV link from Start Menu Engin- Pro- library. eering fessional Role, and (32-bit)/ Product Admin- istrator Role .
\Start Menu and Operational Microsoft Allows you to remove the Run com- Taskbar::Remove Run Roles Windows mand from the Start menu, Internet menu from Start Menu XP Explorer, and Task Manager. /Microsoft Windows If you enable this setting, the following Server changes occur. 2003 (32- 1. The Run command is removed bit), from the Start menu. Microsoft Windows 2. The New Task (Run) command Vista is removed from Task Manager. /Microsoft 3. The user will be blocked from Windows entering the following into the Server Internet Explorer Address Bar: 2008
Standard, l A UNC path:\\
\Start Menu and Operational Microsoft If you enable this policy, the "See all res- Taskbar::Remove Search Roles Windows ults" link will not be shown when the Computer link Vista user performs a search in the start /Microsoft menu search box. Windows Server If you disable or do not configure this 2008 policy, the "See all results" link will be Standard shown when the user performs a search in the start menu search box.
- 121 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Start Menu and Operational Removes the Search link from the Start Taskbar::Remove Search Roles menu, and disables some Windows link from Start Menu Explorer search elements. Note that this does not remove the search box from the new style Start menu. This setting removes the Search item from the Start menu and from the short- cut menu that appears when you right- click the Start menu. In addition, the sys- tem does not respond when users press the Application key (the key with the Windows logo)+ F. In Windows Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. In addition, Search does not appear in the shortcut menu when you right-click an icon representing a drive or a folder. This setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other meth- ods to search. Note: This setting also prevents the user from using the F3 key.
\Start Menu and Operational Microsoft If you enable this policy, a "See more Taskbar::Remove See Roles Windows 7 results" / "Search Everywhere" link will More Results / Search Pro- not be shown when the user performs Everywhere link fessional a search in the start menu search box. (32-bit)/ If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more res- ults" link.
\Start Menu and Operational Microsoft If you enable this setting, the "Undock Taskbar::"Remove the Roles Windows PC" button is removed from the simple ""Undock PC"" button from XP Start Menu, and your PC cannot be the Start Menu" /Microsoft undocked. Windows If you disable this setting or do not con-
- 122 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server figure it, the "Undock PC" button 2003 (32- remains on the simple Start menu, and bit), your PC can be undocked. Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Prevents the Action Center in the sys- Taskbar::Remove the Roles and Windows 7 tem control area from being displayed. Action Center icon Engin- Pro- If you enable this setting, the Action eering Role fessional Center icon will not be displayed in the (32-bit)/ system notification area. If you disable or do not configure this setting, the Action Center icon will be displayed in the system notification area.
\Start Menu and Operational Microsoft Prevents the battery meter in the sys- Taskbar::Remove the bat- Roles Windows tem control area from being displayed. tery meter Vista If you enable this setting, the battery /Microsoft meter will not be displayed in the sys- Windows tem notification area. Server 2008 If you disable or do not configure this Standard, setting, the battery meter will be dis- Microsoft played in the system notification area. Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft If you enable this policy the start menu Taskbar::Remove user Roles Windows will not show a link to the user's storage folder link from Start Menu Vista folder. /Microsoft Windows If you disable or do not configure this Server policy, the start menu will display a link, 2008 unless the user chooses to remove it in the start menu control panel.
- 123 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft Hides all folders on the user-specific Taskbar::Remove user's Roles Windows (top) section of the Start menu. Other folders from the Start Menu XP items appear, but folders are hidden. /Microsoft Windows This setting is designed for use with Server redirected folders. Redirected folders 2003 (32- appear on the main (bottom) section of bit), the Start menu. However, the original, Microsoft user-specific version of the folder still Windows appears on the top section of the Start Vista menu. Because the appearance of two /Microsoft folders with the same name might con- Windows fuse users, you can use this setting to Server hide user-specific folders. 2008 Note that this setting hides all user-spe- Standard, cific folders, not just those associated Microsoft with redirected folders. Windows 7 Pro- If you enable this setting, no folders fessional appear on the top section of the Start (32-bit)/ menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. If you disable this setting or do not con- figured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu.
\Start Menu and Operational Microsoft If you enable this policy the start menu Taskbar::Remove Videos Roles Windows 7 will not show a link to the Videos library. link from Start Menu Pro- fessional (32-bit)/
\Start Menu and Operational Microsoft This policy setting controls whether the Taskbar::Show Quick- Roles is dis- Windows QuickLaunch bar is displayed in the Launch on Taskbar abled Vista Taskbar. /Microsoft Windows If you enable this policy setting, the Server QuickLaunch bar will be visible and can-
- 124 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
2008 not be turned off. Standard If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. If you do not configure this policy set- ting, then users will be able to turn the QuickLaunch bar on and off.
\Start Menu and Operational Microsoft If you enable this setting, certain noti- Taskbar::Turn off feature Roles Windows 7 fication balloons that are marked as fea- advertisement balloon noti- Pro- ture advertisements will not be shown. fications fessional (32-bit)/ If you disable this setting or do not con- figure it, feature advertisement bal- loons will be shown.
\Start Menu and Operational Microsoft Disables personalized menus. Taskbar::Turn off per- Roles Windows sonalized menus XP Windows personalizes long menus by /Microsoft moving recently used items to the top of Windows the menu and hiding items that have Server not been used recently. Users can dis- 2003 (32- play the hidden items by clicking an bit), arrow to extend the menu. Microsoft If you enable this setting, the system Windows does not personalize menus. All menu Vista items appear and remain in standard /Microsoft order. In addition, this setting removes Windows the "Use Personalized Menus" option Server so users do not try to change the set- 2008 ting while a setting is in effect. Standard Note: Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system dis- ables user tracking and personalized menus and ignores this setting.
To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option.
\Start Menu and Operational Microsoft If you disable or do not configure this Taskbar::Turn off user track- Roles setting, the system tracks the programs
- 125 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system ing Windows that the user runs. The system uses XP this information to customize Windows /Microsoft features, such as showing frequently Windows used programs in the Start Menu. Server 2003 (32- If you enable this setting, the system bit), does not track the programs that the Microsoft user runs, and does not display fre- Windows quently used programs in the Start Vista Menu. /Microsoft Also, see these related settings: Windows "Remove frequent programs list from Server the Start Menu" and "Turn off per- 2008 sonalized menus.” Standard This setting does not prevent users from pinning programs to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning pro- grams to the Taskbar" settings.
\System: Don’t display the Operational Suppresses the welcome screen. Getting Started welcome Roles, screen at logon Engin- This setting hides the welcome screen eering that is displayed on Windows 2000 Pro- Role, and fessional each time the user logs on. Product Users can still display the welcome Admin- screen by selecting it on the Start menu istrator or by typing "Welcome" in the Run dia- Role log box. This setting applies only to Windows 2000 Professional. It does not affect the "Configure Your Server on a Win- dows 2000 Server" screen on Win- dows 2000 Server. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
To display the welcome screen, click Start, point to Programs, point to Accessories, point to System Tools,
- 126 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
and then click "Getting Started." To sup- press the welcome screen without spe- cifying a setting, clear the "Show this screen at startup" check box on the wel- come screen.
\System::Prevent access to Operational Microsoft Disables the Windows registry editor registry editing tools Roles and Windows Regedit.exe. Engin- XP eering Role /Microsoft If this setting is enabled and the user Windows tries to start a registry editor, a mes- Server sage appears explaining that a setting 2003 (32- prevents the action. bit), To prevent users from using other Microsoft administrative tools, use the "Run only Windows specified Windows applications" set- Vista ting. /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
Disable regedit from run- No Oper- ning silently ational Roles and Engin- eering Role.
\System::Prevent access to Operational Microsoft Prevents users from running the inter- the command prompt Roles Windows active command prompt, Cmd.exe. XP This setting also determines whether /Microsoft batch files (.cmd and .bat) can run on Windows the computer. Server 2003 (32- If you enable this setting and the user bit), tries to open a command window, the Microsoft system displays a message explaining Windows that a setting prevents the action. Vista Note: Do not prevent the computer /Microsoft from running batch files if the computer Windows uses logon, logoff, startup, or shutdown Server batch file scripts, or for users that use
- 127 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
2008 Remote Desktop Services. Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
Disable the command No Oper- prompt script processing ational also Roles.
\System\Ctrl+Alt+Del Operational Microsoft Prevents users from locking the sys- Options::Remove Lock Roles Windows tem. Computer XP /Microsoft While locked, the desktop is hidden and Windows the system cannot be used. Only the Server user who locked the system or the sys- 2003 (32- tem administrator can unlock it. bit), Microsoft Windows To lock a computer without configuring Vista a setting, press Ctrl+Alt+Delete, and /Microsoft then click Lock Computer. Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\System\Ctrl+Alt+Del Operational Microsoft Prevents users from starting Task Man- Options::Remove Task Roles Windows ager (Taskmgr.exe). Manager XP /Microsoft If this setting is enabled and users try to Windows start Task Manager, a message Server appears explaining that a policy pre- 2003 (32- vents the action. bit), Task Manager lets users start and stop Microsoft programs; monitor the performance of Windows their computers; view and monitor all Vista programs running on their computers, /Microsoft including system services; find the Windows executable names of programs; and Server change the priority of the process in 2008 which programs run.
- 128 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\System\Internet Com- Operational Microsoft Specifies whether users can participate munication Man- Roles Windows in the Help Experience Improvement agement\Internet Vista program. The Help Experience Communication set- /Microsoft Improvement program collects inform- tings::Turn off Help Exper- Windows ation about how customers use Win- ience Improvement Server dows Help so that Microsoft can Program 2008 improve it. Standard, Microsoft If this setting is enabled, this policy pre- Windows 7 vents users from participating in the Pro- Help Experience Improvement pro- fessional gram. (32-bit)/ If this setting is disabled or not con- figured, users will be able to turn on the Help Experience Improvement pro- gram feature from the Help and Sup- port settings page.
\System\Internet Com- Operational Microsoft Specifies whether users can provide munication Man- Roles Windows ratings for Help content. agement\Internet Vista Communication set- /Microsoft If this setting is enabled, this policy set- tings::Turn off Help Ratings Windows ting prevents ratings controls from Server being added to Help content. 2008 If this setting is disabled or not con- Standard, figured, a rating control will be added to Microsoft Help topics. Windows 7 Pro- Users can use the control to provide fessional feedback on the quality and usefulness (32-bit)/ of the Help and Support content.
\System\Internet Com- Operational Microsoft Specifies whether Windows Mes- munication Man- Roles Windows senger collects anonymous information agement\Internet XP about how Windows Messenger soft- Communication set- /Microsoft ware and service is used. tings::Turn off the Windows Windows Messenger Customer Server With the Customer Experience Experience Improvement 2003 (32- Improvement program, users can allow Program bit), Microsoft to collect anonymous inform- Microsoft ation about how the product is used. This information is used to improve the
- 129 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Windows product in future releases. Vista /Microsoft If you enable this setting, Windows Mes- Windows senger will not collect usage inform- Server ation and the user settings to enable 2008 the collection of usage information will Standard, not be shown. Microsoft If you disable this setting, Windows Windows 7 Messenger will collect anonymous Pro- usage information and the setting will fessional not be shown. (32-bit)/ If you do not configure this setting, users will have the choice to opt-in and allow information to be collected.
\System\Internet Com- Operational Microsoft Specifies whether users can search munication Man- Roles Windows and view content from Windows Online agement\Internet Vista in Help and Support. Windows Online Communication set- /Microsoft provides the most up-to-date Help con- tings::Turn off Windows Windows tent for Windows. Online Server 2008 If this setting is enabled, users will be Standard, prevented from accessing online assist- Microsoft ance content from Windows Online. Windows 7 If this setting is disabled or not con- Pro- figured, users will be able to access fessional online assistance if they have a con- (32-bit)/ nection to the Internet and have not dis- abled Windows Online from the Help and Support Options page.
\System\Performance Con- Operational Microsoft Removes access to the performance trol Panel::Turn off access Roles Windows center control panel OEM and to the OEM and Microsoft Vista Microsoft branding links. branding section /Microsoft Windows If you enable this setting, the OEM and Server Microsoft web links within the per- 2008 formance control panel page will not be Standard, displayed. The administrative tools will Microsoft not be affected. Windows 7 If you disable or do not configure this Pro- setting, the performance center control fessional panel OEM and Microsoft branding (32-bit)/ links will be displayed to the user.
\System\Performance Con- Operational Microsoft Removes access to the performance trol Panel::Turn off access Roles Windows center control panel page. to the performance center
- 130 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system core section Vista If you enable this setting, some settings /Microsoft within the performance control panel Windows page will not be displayed. The admin- Server istrative tools will not be affected. 2008 Standard, If you disable or do not configure this Microsoft setting, the performance center control Windows 7 panel core section will be displayed to Pro- the user. fessional (32-bit)/
\System\Performance Con- Operational Microsoft Removes access to the performance trol Panel::Turn off access Roles Windows center control panel solutions to per- to the solutions to per- Vista formance problems. formance problems section /Microsoft Windows If you enable this setting, the solutions Server and issue section within the per- 2008 formance control panel page will not be Standard, displayed. The administrative tools will Microsoft not be affected. Windows 7 If you disable or do not configure this Pro- setting, the performance center control fessional panel solutions to performance prob- (32-bit)/ lems section will be displayed to the user.
\Windows Com- Operational Microsoft Turns off the Autoplay feature. ponents\AutoPlay Roles Windows Policies::Turn off Autoplay XP Autoplay begins reading from a drive /Microsoft as soon as you insert media in the Windows drive. As a result, the setup file of pro- Server grams and the music on audio media 2003 (32- start immediately. bit), Prior to XP SP2, Autoplay is disabled Microsoft by default on removable drives, such as Windows the floppy disk drive (but not the CD- Vista ROM drive), and on network drives. /Microsoft Windows Starting with XP SP2, Autoplay is Server enabled for removable drives as well, 2008 including ZIP drives and some USB Standard, Mass Storage devices. Microsoft If you enable this setting, you can dis- Windows 7 able Autoplay on CD-ROM and remov- Pro- able media drives, or disable Autoplay fessional on all drives. (32-bit)/
- 131 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
This setting disables Autoplay on addi- tional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. Note: This setting appears in both the Computer Configuration and User Con- figuration folders. If the settings conflict, the setting in Computer Configuration takes precedence over the setting in User Configuration.
Turn off Autoplay on: Operational Roles are for all drives
\Windows Com- Operational Microsoft If this policy is enabled, autoplay will not ponents\AutoPlay Roles Windows 7 be enabled for non-volume devices like Policies::Turn off Autoplay Pro- MTP devices. If you disable or not con- for non-volume devices fessional figure this policy, autoplay will continue (32-bit)/ to be enabled for non-volume devices.
\Windows Com- Operational Microsoft This policy setting allows you to turn off ponents\Desktop Gad- Roles Windows desktop gadgets. Gadgets are small gets::Turn off desktop Vista applets that display information or util- gadgets /Microsoft ities on the desktop. Windows Server If you enable this setting, desktop gad- 2008 gets will be turned off. Standard, If you disable or do not configure this Microsoft setting, desktop gadgets will be turned Windows 7 on. Pro- fessional The default is for desktop gadgets to be (32-bit)/ turned on.
\Windows Com- Operational Microsoft Prevents users from entering author ponents\Microsoft Man- Roles Windows mode. agement Console::Restrict XP the user from entering /Microsoft This setting prevents users from open- author mode Windows ing the Microsoft Management Console Server (MMC) in author mode, explicitly open- 2003 (32- ing console files in author mode, and bit), opening any console files that open in Microsoft author mode by default. Windows As a result, users cannot create con- Vista sole files or add or remove snap-ins. In /Microsoft addition, because they cannot open Windows author-mode console files, they cannot
- 132 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server use the tools that the files contain. 2008 Standard, This setting permits users to open Microsoft MMC user-mode console files, such as Windows 7 those on the Administrative Tools Pro- menu in Windows 2000 Server family fessional or Windows Server 2003 family. (32-bit)/ However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console win- dow from a command prompt. If you disable this setting or do not con- figure it, users can enter author mode and open author-mode console files.
\Windows Com- Operational Microsoft Permits or prohibits use of this snap-in. ponents\Microsoft Man- Roles is dis- Windows agement abled XP If you enable this setting, the snap-in is Con- /Microsoft permitted. If you disable the setting, the sole\Restricted/Permitted Windows snap-in is prohibited. snap-ins::Server Manager Server If this setting is not configured, the set- 2003 (32- ting of the "Restrict users to the expli- bit), citly permitted list of snap-ins" setting Microsoft determines whether this snap-in is per- Windows mitted or prohibited. Vista /Microsoft l If "Restrict users to the explicitly Windows permitted list of snap-ins" is Server enabled, users cannot use any 2008 snap-in except those explicitly Standard, permitted. Microsoft To permit explicit use of this snap-in, Windows 7 enable this setting. If this setting is not Pro- configured (or disabled), this snap-in is fessional prohibited. (32-bit)/
l If "Restrict users to the explicitly permitted list of snap-ins" is dis- abled or not configured, users can use any snap-in except those explicitly prohibited. To prohibit explicit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
- 133 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. In addition, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
\Windows Com- Operational Microsoft This setting removes the "Open ponents\Task Sched- Roles Windows advanced properties for this task when uler::Hide Advanced XP I click Finish" checkbox from the last Properties Checkbox in Add /Microsoft page of the Scheduled Task Wizard. Scheduled Task Wizard Windows This policy is only designed to simplify Server task creation for beginning users. 2003 (32- bit) The checkbox, when checked, instructs Task Scheduler to open the newly cre- ated task's property sheet auto- matically upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task characteristics such as, the pro- gram the task runs, details of its sched- ule, idle time and power management settings, and its security context. Begin- ning users will often not be interested or confused by having the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled or Not Configured. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
\Windows Com- Operational Microsoft Prevents users from viewing and chan- ponents\Task Sched- Roles Windows ging the properties of an existing task. uler::Hide Property Pages XP /Microsoft This setting removes the Properties Windows item from the File menu in Scheduled Server Tasks and from the shortcut menu that 2003 (32- appears when you right-click a task. As bit) a result, users cannot change any prop- erties of a task. They can only see the properties that appear in Detail view and in the task preview.
- 134 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
This setting prevents users from view- ing and changing characteristics such as the program the task runs, its sched- ule details, idle time and power man- agement settings, and its security context. Note:This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
This setting affects existing tasks only. To prevent users from changing the properties of newly created tasks, use the "Remove Advanced Menu" setting.
\Windows Com- Operational Microsoft Prevents users from starting and stop- ponents\Task Sched- Roles Windows ping tasks manually. uler::Prevent Task Run or XP End /Microsoft This setting removes the Run and End Windows Task items from the shortcut menu that Server appears when you right-click a task. As 2003 (32- a result, users cannot start tasks manu- bit) ally or force tasks to end before they are finished. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
\Windows Com- Operational Microsoft Limits newly scheduled to items on the ponents\Task Sched- Roles Windows user's Start menu, and prevents the uler::Prohibit Browse XP user from changing the scheduled pro- /Microsoft gram for existing tasks. Windows Server This setting removes the Browse but- 2003 (32- ton from the Schedule Task Wizard bit) and from the Task tab of the properties dialog box for a task. In addition, users cannot edit the "Run" box or the "Start in" box that determine the program and path for a task.
- 135 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
As a result, when users create a task, they must select a program from the list in the Scheduled Task Wizard, which displays only the tasks that appear on the Start menu and its submenus. Once a task is created, users cannot change the program a task runs. Important: This setting does not pre- vent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To prevent this action, use the "Prohibit Drag-and- Drop" setting. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
\Windows Com- Operational Microsoft Prevents users from adding or remov- ponents\Task Sched- Roles Windows ing tasks by moving or copying pro- uler::Prohibit Drag-and- XP grams in the Scheduled Tasks folder. Drop /Microsoft Windows This setting disables the Cut, Copy, Server Paste, and Paste Shortcut items on the 2003 (32- shortcut menu and the Edit menu in bit) Scheduled Tasks. It also disables the drag-and-drop features of the Sched- uled Tasks folder. As a result, users cannot add new scheduled tasks by dragging, moving, or copying a document or program into the Scheduled tasks folder. This setting does not prevent users from using other methods to create new tasks, and it does not prevent users from deleting tasks. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
\Windows Com- Operational Microsoft Prevents users from creating new
- 136 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system ponents\Task Sched- Roles Windows tasks. uler::Prohibit New Task XP Creation /Microsoft This setting removes the Add Sched- Windows uled Task item that starts the New Task Server Wizard. In addition, the system does 2003 (32- not respond when users try to move, bit) paste, or drag programs or documents into the Scheduled Tasks folder. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Important: This setting does not pre- vent administrators of a computer from using At.exe to create new tasks or pre- vent administrators from submitting tasks from remote computers.
\Windows Com- Operational Microsoft Prevents users from deleting tasks ponents\Task Sched- Roles Windows from the Scheduled Tasks folder. uler::Prohibit Task Deletion XP /Microsoft This setting removes the Delete com- Windows mand from the Edit menu in the Sched- Server uled Tasks folder and from the menu 2003 (32- that appears when you right-click a bit) task. In addition, the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder. Note: This setting appears in the Com- puter Configuration and User Con- figuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration. Important: This setting does not pre- vent administrators of a computer from using At.exe to delete tasks.
\Windows Com- Operational Microsoft By default Windows Anytime Upgrade ponents\Windows Anytime Roles Windows 7 is available for all administrators. Upgrade::Prevent Windows Pro- Anytime Upgrade from run- fessional If you enable this policy setting, Win- ning. (32-bit)/ dows Anytime Upgrade will not run. If you disable this policy setting or set it to Not Configured, Windows Anytime
- 137 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Upgrade will run.
\Windows Com- Operational Microsoft This policy setting prevents the display ponents\Windows Explorer- Roles Windows of the Welcome Center at user logon. ::Do not display the Vista Welcome Center at user /Microsoft If you enable this policy setting, the Wel- logon Windows come Center will not be displayed at Server user logon. The user will be able to 2008 access the Welcome Center using the Standard Control Panel or Start menu. If you disable or do not configure this policy setting, the Welcome Center will be displayed at user logon.
\Windows Com- Operational Microsoft Removes the icons representing selec- ponents\Windows Explorer- Roles Windows ted hard drives from My Computer and ::Hide these specified drives XP Windows Explorer. In addition, the in My Computer /Microsoft drive letters representing the selected Windows drives do not appear in the standard Server Open dialog box. 2003 (32- bit), To use this setting, select a drive or Microsoft combination of drives in the drop-down Windows list. To display all drives, disable this set- Vista ting or select the "Do not restrict drives" /Microsoft option in the drop-down list. Windows Note: This setting removes the drive Server icons. Users can still gain access to 2008 drive contents by using other methods, Standard, such as by typing the path to a directory Microsoft on the drive in the Map Network Drive Windows 7 dialog box, in the Run dialog box, or in Pro- a command window. fessional (32-bit)/ In addition, this setting does not pre- vent users from using programs to access these drives or their contents. In addition, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Prevent access to drives from My Computer" setting. It is a requirement for third-party applic- ations with Windows 2000 or later cer- tification to adhere to this setting.
Pick one of the following Operational combinations Roles
- 138 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
restrict all drives
\Windows Com- Operational Microsoft Removes the Manage item from the ponents\Windows Explorer- Roles Windows Windows Explorer shortcut menu. This ::Hides the Manage item on XP shortcut menu appears when you right- the Windows Explorer con- /Microsoft click Windows Explorer or My Com- text menu Windows puter. Server 2003 (32- The Manage item opens Computer bit), Management (Compmgmt.msc), a con- Microsoft sole tool that includes many of the Windows primary Windows administrative tools, Vista such as Event Viewer, Device Man- /Microsoft ager, and Disk Management. You must Windows be an administrator to use many of the Server features of these tools. 2008 This setting does not remove the Com- Standard, puter Management item from the Start Microsoft menu (Start, Programs, Administrative Windows 7 Tools, Computer Management), nor Pro- does it prevent users from using other fessional methods to start Computer Man- (32-bit)/ agement.
To hide all shortcut menus, use the "Remove Windows Explorer's default context menu" setting.
\Windows Com- Operational Microsoft Removes computers in the user's work- ponents\Windows Explorer- Roles Windows group and domain from lists of network ::No Computers Near Me in XP resources in Windows Explorer and Network Locations /Microsoft Network Locations. Windows Server If you enable this setting, the system 2003 (32- removes the "Computers Near Me" bit) option and the icons representing nearby computers from Network Loca- tions. This setting also removes these icons from the Map Network Drive browser. This setting does not prevent users from connecting to computers in their workgroup or domain by other com- monly used methods, such as typing the share name in the Run dialog box or the Map Network Drive dialog box.
- 139 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
To remove network computers from lists of network resources, use the "No Entire Network in Network Locations" setting.
\Windows Com- Operational Microsoft Removes all computers outside of the ponents\Windows Explorer- Roles Windows user's workgroup or local domain from ::No Entire Network in XP lists of network resources in Windows Network Locations /Microsoft Explorer and Network Locations. Windows Server If you enable this setting, the system 2003 (32- removes the Entire Network option and bit) the icons representing networked com- puters from Network Locations and from the browser associated with the Map Network Drive option. This setting does not prevent users from viewing or connecting to com- puters in their workgroup or domain. It also does not prevent users from con- necting to remote computers by other commonly used methods, such as by typing the share name in the Run dia- log box or the Map Network Drive dia- log box. To remove computers in the user's workgroup or domain from lists of net- work resources, use the "No Com- puters Near Me in Network Locations" setting. Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this set- ting.
\Windows Com- Operational Microsoft Prevents users from using My Com- ponents\Windows Explorer- Roles Windows puter to gain access to the content of ::Prevent access to drives XP selected drives. from My /Microsoft Windows If you enable this setting, users can Server browse the directory structure of the 2003 (32- selected drives in My Computer or Win- bit), dows Explorer, but they cannot open Microsoft folders and access the contents. In addi- Windows tion, they cannot use the Run dialog Vista box or the Map Network Drive dialog /Microsoft box to view the directories on these drives.
- 140 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Windows To use this setting, select a drive or Server combination of drives from the drop- 2008 down list. To allow access to all drive Standard, directories, disable this setting or select Microsoft the "Do not restrict drives" option from Windows 7 the drop-down list. Pro- fessional Note: The icons representing the spe- (32-bit)/ cified drives still appear in My Com- puter, but if users double-click the icons, a message appears explaining that a setting prevents the action. In addition, this setting does not pre- vent users from using programs to access local and network drives. In addition, it does not prevent them from using the Disk Management snap-in to view and change drive characteristics. Also, see the "Hide these specified drives in My Computer" setting.
Pick one of the following Operational combinations Roles restrict all drives
\Windows Com- Operational Microsoft This policy setting allows admin- ponents\Windows Explorer- Roles Windows istrators to prevent users from adding ::Prevent users from adding Vista new items such as files or folders to the files to the root of their /Microsoft root of their Users Files folder in Win- Users Files folder. Windows dows Explorer. Server 2008 If you enable this policy setting, users Standard, will no longer be able to add new items Microsoft such as files or folders to the root of Windows 7 their Users Files folder in Windows Pro- Explorer. fessional If you disable or do not configure this (32-bit)/ policy setting, users will be able to add new items such as files or folders to the root of their Users Files folder in Win- dows Explorer. Note: Enabling this policy setting does not prevent the user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.
- 141 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Windows Com- Operational Microsoft Prevents users from using Windows ponents\Windows Explorer- Roles Windows Explorer or Network Locations to map ::Remove "Map Network XP or disconnect network drives. Drive" and "Disconnect Net- /Microsoft work Drive" Windows If you enable this setting, the system Server removes the Map Network Drive and 2003 (32- Disconnect Network Drive commands bit), from the toolbar and Tools menus in Microsoft Windows Explorer and Network Loca- Windows tions and from menus that appear Vista when you right-click the Windows /Microsoft Explorer or Network Locations icons. Windows This setting does not prevent users Server from connecting to another computer 2008 by typing the name of a shared folder in Standard, the Run dialog box. Microsoft Windows 7 Note: This setting was documented Pro- incorrectly on the Explain tab in Group fessional Policy for Windows 2000. The Explain (32-bit)/ tab states incorrectly that this setting prevents users from connecting and dis- connecting drives. It is a requirement for third-party applic- ations with Windows 2000 or later cer- tification to adhere to this setting.
\Windows Com- Operational Microsoft Windows Explorer allows you to create ponents\Windows Explorer- Roles Windows and modify re-writable CDs if you have ::Remove CD Burning XP a CD writer connected to your PC. features /Microsoft Windows If you enable this setting, all features in Server the Windows Explorer that allow you to 2003 (32- use your CD writer are removed. bit), If you disable or do not configure this Microsoft setting, users are able to use the Win- Windows dows Explorer CD burning features. Vista /Microsoft Note: This setting does not prevent Windows users from using third-party applic- Server ations to create or modify CDs using a 2008 CD writer. Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
- 142 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
\Windows Com- Operational Microsoft Removes the DFS tab from Windows ponents\Windows Explorer- Roles and Windows Explorer. ::Remove DFS tab Engin- XP eering Role /Microsoft This setting removes the DFS tab from Windows Windows Explorer and from other pro- Server grams that use the Windows Explorer 2003 (32- browser, such as My Computer. As a bit), result, users cannot use this tab to view Microsoft or change the properties of the Dis- Windows tributed File System (DFS) shares avail- Vista able from their computer. /Microsoft This setting does not prevent users Windows from using other methods to configure Server DFS. 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Windows Com- Operational Microsoft Removes the File menu from My Com- ponents\Windows Explorer- Roles Windows puter and Windows Explorer. ::Remove File menu from XP Windows Explorer /Microsoft This setting does not prevent users Windows from using other methods to perform Server tasks available on the File menu. 2003 (32- bit), Microsoft Windows Vista /Microsoft Windows Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Windows Com- Operational Microsoft Removes the Hardware tab. ponents\Windows Explorer- Roles Windows ::Remove Hardware tab XP This setting removes the Hardware tab /Microsoft from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It
- 143 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Windows also removes the Hardware tab from Server the Properties dialog box for all local 2003 (32- drives, including hard drives, floppy bit), disk drives, and CD-ROM drives. As a Microsoft result, users cannot use the Hardware Windows tab to view or change the device list or Vista device properties, or use the /Microsoft Troubleshoot button to resolve prob- Windows lems with the device. Server 2008 Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Windows Com- Operational Microsoft Removes the Search button from the ponents\Windows Explorer- Roles Windows Windows Explorer toolbar. ::Remove Search button XP from Windows Explorer /Microsoft This setting removes the Search button Windows from the Standard Buttons toolbar that Server appears in Windows Explorer and 2003 (32- other programs that use the Windows bit) Explorer window, such as My Com- puter and Network Locations. It does not remove the Search button or affect any search features of Internet browser windows, such as the Internet Explorer window. This setting does not affect the Search items on the Windows Explorer short- cut menu or on the Start menu. To remove Search from the Start menu, use the "Remove Search menu from Start menu" setting (in User Con- figuration\Administrative Tem- plates\Start Menu and Taskbar). To hide all shortcut menus, use the "Remove Windows Explorer's default context menu" setting.
\Windows Com- Operational Microsoft Removes the Security tab from Win- ponents\Windows Explorer- Roles Windows dows Explorer. ::Remove Security tab XP /Microsoft If you enable this setting, users opening Windows the Properties dialog box for all file sys-
- 144 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server tem objects, including folders, files, 2003 (32- shortcuts, and drives, will not be able to bit) access the Security tab. As a result, users will be able to neither change the security settings nor view a list of all users that have access to the resource in question. If you disable or do not configure this setting, users will be able to access the security tab.
\Windows Com- Operational Microsoft Removes the Shared Documents ponents\Windows Explorer- Roles Windows folder from My Computer. ::Remove Shared XP Documents from My Com- /Microsoft When a Windows client is in a work- puter Windows group, a Shared Documents icon Server appears in the Windows Explorer Web 2003 (32- view under "Other Places" and also bit) under "Files Stored on This Computer" in My Computer. Using this policy set- ting, you can choose not to have these items displayed. If you enable this setting, the Shared Documents folder is not displayed in the Web view or in My Computer. If you disable or do not configure this setting, the Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup. Note: The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Pro- fessional
\Windows Com- Operational Microsoft If you enable this policy, the "Internet" ponents\Windows Explorer- Roles Windows 7 "Search again" link will not be shown ::"Remove the Search the Pro- when the user performs a search in the Internet ""Search again"" fessional Explorer window. link" (32-bit)/ If you disable this policy, there will be an "Internet" "Search again" link when the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms.
- 145 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
If you do not configure this policy (default), there will be an "Internet" link when the user performs a search in the Explorer window.
\Windows Com- Operational Microsoft Disables the "Hide keyboard navigation ponents\Windows Explorer- Roles Windows indicators until I use the ALT key" ::Remove UI to change XP option in Display in Control Panel. keyboard navigation indic- /Microsoft ator setting Windows When this Display Properties option is Server selected, the underlining that indicates 2003 (32- a keyboard shortcut character (hot key) bit) does not appear on menus until you press ALT. Effects, such as transitory underlines, are designed to enhance the user's experience but might be confusing or distracting to some users.
\Windows Com- Operational Microsoft Prevents users from selecting the ponents\Windows Explorer- Roles Windows option to animate the movement of win- ::Remove UI to change XP dows, menus, and lists. menu animation setting /Microsoft Windows If you enable this setting, the "Use trans- Server ition effects for menus and tooltips" 2003 (32- option in Display in Control Panel is dis- bit) abled. Effects, such as animation, are designed to enhance the user's exper- ience but might be confusing or dis- tracting to some users.
\Windows Com- Operational Microsoft Removes shortcut menus from the ponents\Windows Explorer- Roles Windows desktop and Windows Explorer. Short- ::Remove Windows XP cut menus appear when you right-click Explorer's default context /Microsoft an item. menu Windows Server If you enable this setting, menus do not 2003 (32- appear when you right-click the bit), desktop or when you right-click the Microsoft items in Windows Explorer. This setting Windows does not prevent users from using Vista other methods to issue commands /Microsoft available on the shortcut menus. Windows Server 2008 Standard,
- 146 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Microsoft Windows 7 Pro- fessional (32-bit)/
\Windows Com- Operational Microsoft This setting allows an administrator to ponents\Windows Explorer- Roles Windows revert specific Windows Shell behavior ::Turn on Classic Shell XP to classic Shell behavior. /Microsoft Windows If you enable this setting, users cannot Server configure their system to open items by 2003 (32- single-clicking (such as in Mouse in bit), Control Panel). As a result, the user Microsoft interface looks and operates like the Windows interface for Windows NT 4.0, and Vista users cannot restore the new features. /Microsoft Enabling this policy will also turn off the Windows preview pane and set the folder options Server for Windows explorer to Use classic 2008 folders view and disable the user’s abil- Standard ity to change these options. If you disable or not configure this policy, the default Windows explorer behavior is applied to the user. Note: In operating systems earlier than Windows Vista, enabling this policy will also disable the Active Desktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled, Active Desktop is disabled. In addition, see the "Disable Active Desktop" setting in User Con- figuration\Administrative Tem- plates\Desktop\Active Desktop and the "Remove the Folder Options menu item from the Tools menu" setting in User Configuration\Administrative Tem- plates\Windows Com- ponents\Windows Explorer.
\Windows Com- Operational Microsoft Prevents users from installing pro- ponents\Windows Installer- Roles Windows grams from removable media. ::Prevent removable media XP source for any install /Microsoft If a user tries to install a program from Windows removable media, such as CD-ROMs, floppy disks, and DVDs, a message
- 147 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Server appears, stating that the feature cannot 2003 (32- be found. bit), Microsoft This setting applies even when the Windows installation is running in the user's Vista security context. /Microsoft If you disable this setting or do not con- Windows figure it, users can install from remov- Server able media when the installation is 2008 running in their own security context, Standard, but only system administrators can use Microsoft removable media when an installation Windows 7 is running with elevated system priv- Pro- ileges, such as installations offered on fessional the desktop or in Add or Remove Pro- (32-bit)/ grams. Also, see the "Enable user to use media source while elevated setting" in Computer Con- figuration\Administrative Tem- plates\WindowsComponents\Windows Installer. Also, see the "Hide the 'Add a program from CD-ROM or floppy disk' option" setting in User Con- figuration\Administrative Tem- plates\Control Panel\Add or Remove Programs.
\Windows Com- Operational Microsoft Denies or allows access to the Win- ponents\Windows Roles Windows dows Mail application. Mail::Turn off Windows Mail Vista application /Microsoft If you enable this setting, access to the Windows Windows Mail application is denied. Server If you disable or do not configure this 2008 setting, access to the Windows Mail Standard, application is allowed. Microsoft Windows 7 Pro- fessional (32-bit)/
\Windows Com- Operational Microsoft Specifies whether Windows Media ponents\Windows Media Roles Windows Center can run. Center::Do not allow Win- Vista dows Media Center to run /Microsoft If you enable this setting, Windows Media Center will not run.
- 148 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Windows If you disable or do not configure this Server setting, Windows Media Center can be 2008 run. Standard, Microsoft Windows 7 Pro- fessional (32-bit)/
\Windows Com- Operational Prevents media information for CDs ponents\Windows Media Roles and DVDs from being retrieved from Player::Prevent CD and the Internet. DVD Media Information Retrieval This policy prevents the Player from automatically obtaining media inform- ation from the Internet for CDs and DVDs played by users. In addition, the Retrieve media information for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player are not selected and are not available. When this policy is not configured or dis- abled, users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box.
\Windows Com- Operational Prevents media information for music ponents\Windows Media Roles files from being retrieved from the Inter- Player::Prevent Music File net. Media Information Retrieval This policy prevents the Player from automatically obtaining media inform- ation for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition, the Update my music files (WMA and MP3 files) by retrieving missing media inform- ation from the Internet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available. When this policy is not configured or dis- abled, users can change the setting of the Update my music files (WMA and MP3 files) by retrieving missing media
- 149 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
information from the Internet check box.
\Windows Com- Operational Microsoft Prevents radio station presets from ponents\Windows Media Roles Windows being retrieved from the Internet. Player::Prevent Radio Sta- XP tion Preset Retrieval /Microsoft This policy prevents the Player from Windows automatically retrieving radio station Server presets from the Internet and dis- 2003 (32- playing them in Media Library. In addi- bit) tion, presets that exist before the policy is configured will not be updated, and presets a user adds will not be dis- played. When this policy is not configured or dis- abled, the Player automatically retrieves radio station presets from the Internet.
\Windows Com- Operational Microsoft Windows Messenger is automatically ponents\Windows Mes- Roles Windows loaded and running when a user logs senger::Do not XP on to a Windows XP computer. You automatically start Windows /Microsoft can use this setting to stop Windows Messenger initially Windows Messenger from automatically being Server run at logon. 2003 (32- bit), If you enable this setting, Windows Mes- Microsoft senger will not be loaded automatically Windows when a user logs on. Vista If you disable or do not configure this /Microsoft setting, the Windows Messenger will Windows be loaded automatically at logon. Server 2008 Note: This setting simply prevents Win- Standard, dows Messenger from running initially. Microsoft If the user invokes and uses Windows Windows 7 Messenger from that point on, Win- Pro- dows Messenger will be loaded. fessional The user can also configure this beha- (32-bit)/ vior on the Preferences tab on the Tools menu in the Windows Mes- senger user interface. If you do not want users to use Win- dows Messenger, enable the "Do not allow Windows Messenger to run" set- ting This setting is available under both
- 150 - Preparing the domain for migration
Policy settings related to Operating Applicable Operating System Affected operating Description releasesPath::Setting roles system
Computer Configuration and User Con- figuration. If both are present, the Com- puter Configuration version of this setting takes precedence
\Windows Com- Operational Microsoft Windows Sidebar is a feature that ponents\Windows Side- Roles Windows allows the use of gadgets, which are bar::Turn off Windows Vista small applets that may display inform- Sidebar /Microsoft ation or utilities to the user. Windows Server If you enable this setting, Windows 2008 Sidebar will be turned off. Standard, If you disable or do not configure this Microsoft setting, Windows Sidebar will be Windows 7 turned on. Pro- fessional The default is for Windows Sidebar to (32-bit)/ be turned on.
\Windows Com- Operational Microsoft This policy setting turns off Windows ponents\Windows Roles Windows SideShow. SideShow::Turn off Win- Vista dows SideShow /Microsoft If you enable this policy setting, the Win- Windows dows SideShow Control Panel will be Server disabled and data from Windows 2008 SideShow-compatible gadgets (applic- Standard, ations) will not be sent to connected Microsoft devices. Windows 7 If you disable or do not configure this Pro- policy setting, Windows SideShow is fessional on by default. (32-bit)/
Security Model specific permissions
Part of the installation of the Common Security Model is to set up permissions on some keys in the registry and directories in the file system. In addition, it installs a base set of files, with defined per- missions, that act as proxy access control lists (ACLs) for objects and functions that do not have an integral Windows ACL.
Per- Scop- [Registry Permissions] mission e for
Key Subkey
HKLM\SOFTWARE\Honeywell (add) Product RW Full
- 151 - Preparing the domain for migration
Per- Scop- [Registry Permissions] mission e for
Admins
HKLM\SOFTWARE\Honeywell\ProgramData (add) Product Full Full Admins
Engineer RW Full Full
Supervisor RW Full
Operator RW Full
Ack View RW Full
View Only RW Full
HKLM\SOFTWARE\Honeywell\EngineeringData (set) Engineer RW
Windows Admin Full Full R- W Windows Users R R
SYSTEM Full Full
Creator Owner Full
HKLM\software\Microsoft\MSDTC (add - legacy) Product RW Admins
Local Servers RW RW R- W HKLM\software\Clients\Mail (add - legacy) Product RW Admins
Local Servers RW RW R
HKLM\SYSTEM\Cur- Local Serv- R rentControlSet\Control\SecurePipeServers\winreg (add) ers
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib Product R R (add) Admins
Local Servers R R
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf Product R R (add) Admins
Local Servers R R
[Registry Permissions] Permission for Scope
[Directories] Folder Subfolders Files
- 152 - Preparing the domain for migration
[Registry Permissions] Permission for Scope
%HwProgramData% (set) Product Admins RWX Full Full
Engineer RWX Full Full
Supervisor RWX Full Full
Operator RWX Full Full
Ack View RWX Full Full
View Only RWX Full Full
Windows Admin Full Full Full
Windows Users RX RX RX
SYSTEM Full Full Full
%HwEngineeringData% (set) Engineer Engineer Full Full
Windows Admin Full Full Full
Windows Users RX RX RX
SYSTEM Full Full Full
Creator Owner Full Full
%HwProductConfig% (set) Product Admins RWX Full Full
Windows Admin Full Full Full
Windows Users RX RX RX
SYSTEM Full Full Full
Creator Owner Full Full
%HwSecurityPath% (set) Product Admins Full Full RW
Windows Admin Full Full RW
Windows Users RX RX R
SYSTEM Full Full RW
Creator Owner Full RW
[File System Permissions] Permission for Scope
[Proxy Files] Files
%HwSecurityPath%\tpn_priority_two (add) Engineer RX
Supervisor RX
- 153 - Preparing the domain for migration
[File System Permissions] Permission for Scope
Operator RX
%HwSecurityPath%\tpn_priority_three (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_four (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_five (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_six (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_seven (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_eight (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_nine (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\tpn_priority_ten (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\product admin (add) Product Admins RX
%HwSecurityPath%\engineer (add) Engineer RX
%HwSecurityPath%\supervisor (add) Engineer RX
- 154 - Preparing the domain for migration
[File System Permissions] Permission for Scope
Supervisor RX
%HwSecurityPath%\operator (add) Engineer RX
Supervisor RX
Operator RX
%HwSecurityPath%\AckUser (add) Engineer RX
Supervisor RX
Operator RX
Ack View RX
%HwSecurityPath%\view only (add) Engineer RX
Supervisor RX
Operator RX
Ack View RX
View Only RX
%HwSecurityPath%\program (add) Engineer RX
%HwSecurityPath%\continuous control (add) Engineer RX
%HwSecurityPath%\checkpoint (add) Product Admins RX
Engineer RX
Supervisor RX
Operator RX
Ack View RX
View Only RX
%HwSecurityPath%\start (add) Product Admins RX
Engineer RX
Supervisor RX
Operator RX
Ack View RX
View Only RX
%HwSecurityPath%\shutdown (add) Product Admins RX
- 155 - Preparing the domain for migration
[File System Permissions] Permission for Scope
Engineer RX
Supervisor RX
%HwSecurityPath%\shutdownforce (add) Product Admins RX
Engineer RX
Supervisor RX
In the preceding table, strings between percent signs (%) represent system environment variables that may vary based on installation conditions. The default values for these are:
l ...... %HwProgramData% C:\ProgramData\Honeywell
l ...... %HwEngineeringData% C:\ProgramData\Honeywell\EngineeringData
l ...... %HwProductConfig% C:\ProgramData\Honeywell\ProductConfig
l ...... %HwSecurityPath%C:\Pro- gramData\Honeywell\ProductConfig\Security
- 156 - Notices
Trademarks Experion®, PlantScape®, SafeBrowse®, TotalPlant®, and TDC 3000® are registered trademarks of Honeywell International, Inc. ControlEdge™ is a trademark of Honeywell International, Inc. OneWireless™ is a trademark of Honeywell International, Inc. Matrikon® and MatrikonOPC™ are trademarks of Matrikon International. Matrikon International is a business unit of Honeywell International, Inc. Movilizer® is a registered trademark of Movilizer GmbH. Movilizer GmbH is a business unit of Honeywell International, Inc. Other trademarks
Microsoft and SQL Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Trademarks that appear in this document are used only to the benefit of the trademark owner, with no intention of trademark infringement. Third-party licenses
This product may contain or be derived from materials, including software, of third parties. The third party materials may be subject to licenses, notices, restrictions and obligations imposed by the licensor. The licenses, notices, restrictions and obligations, if any, may be found in the materials accompanying the product, in the documents or files accompanying such third party materials, in a file named third_party_licenses on the media containing the product, or at http://www.hon- eywell.com/ps/thirdpartylicenses. Documentation feedback
You can find the most up-to-date documents on the Honeywell Process Solutions support website at: http://www.honeywellprocess.com/support
If you have comments about Honeywell Process Solutions documentation, send your feedback to: [email protected] Use this email address to provide feedback, or to report errors and omissions in the documentation. For immediate help with a technical problem, contact your local Honeywell Process Solutions Cus- tomer Contact Center (CCC) or Honeywell Technical Assistance Center (TAC). How to report a security vulnerability
- 157 - For the purpose of submission, a security vulnerability is defined as a software defect or weakness that can be exploited to reduce the operational or security capabilities of the software. Honeywell investigates all reports of security vulnerabilities affecting Honeywell products and ser- vices. To report a potential security vulnerability against any Honeywell product, please follow the instruc- tions at: https://www.honeywell.com/product-security Support
For support, contact your local Honeywell Process Solutions Customer Contact Center (CCC). To find your local CCC visit the website, https://www.honeywellprocess.com/en-US/contact-us/- customer-support-contacts/Pages/default.aspx. Training classes
Honeywell holds technical training classes that are taught by process control systems experts. For more information about these classes, contact your Honeywell representative, or see http://www.automationcollege.com.
- 158 -