COMPUTER Administrative Templates\Windows
Components\Windows Messenger
Do not allow Windows Messenger to be run At least Microsoft Windows XP Professional or Windows Server 2003 family
Allows you to disable Windows Messenger. If you enable this setting, Windows Messenger will not run. If you disable or do not configure this setting, Windows Messenger can be used. Note: If you enable this setting, Remote Assistance also cannot use Windows Messenger. Note: This setting is available under both Computer Configuration and User Configuration. If both are present, the Computer Configuration version of this setting takes precedence.
COMPUTER Administrative Templates\Windows Components\Windows Movie Maker
Do not allow Windows Movie Maker to run
At least Microsoft Windows XP Professional with SP2
Specifies whether Windows Movie Maker can run. Windows Movie Maker is a feature of the Windows XP operating system that can be used to capture, edit, and then save video as a movie to share with others. If you enable this setting, Windows Movie Maker will not run. If you disable or do not configure this setting, Windows Movie Maker can be run.
COMPUTER Administrative Templates\Windows Components\Windows Update Configure Automatic Updates Windows Server 2003, XP SP1, 2000 SP3
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating service. This setting lets you specify if automatic updates are enabled on this computer. If the service is enabled, you must select one of the four options in the Group Policy Setting: 2 = Notify before downloading any updates and notify again before installing them. When Windows finds updates that apply to this computer, an icon appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install. 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install. 4 = Automatically download updates and install them on the schedule specified below Specify the schedule using the options in the Group Policy Setting. If no schedule is specified, the default schedule for all installations will be everyday at 3:00 AM. If any of the updates require
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified and given the option to delay the restart.) 5 = Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates With this option, the local administrators will be allowed to use the Automatic Updates control panel to select a configuration option of their choice. For example they can choose their own scheduled installation time. Local administrators will not be allowed to disable Automatic Updates' configuration. To use this setting, click Enabled, and then select one of the options (2, 3, 4 or 5). If you select 4, you can set a recurring schedule (if no schedule is specified, all installations will occur everyday at 3:00 AM). If the status is set to Enabled, Windows recognizes when this computer is online and uses its Internet connection to search the Windows Update Web site for updates that apply to this computer. If the status is set to Disabled, any updates that are available on the Windows Update Web site must be downloaded and installed manually by going to http://windowsupdate.microsoft.com. If the status is set to Not
Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
COMPUTER Administrative Templates\Windows
Components\Windows Update Specify intranet Microsoft update service location
Windows Server 2003, XP SP1, 2000 SP3
Specifies an intranet server to host updates from the Microsoft Update Web sites. You can then use this update service to automatically update computers on your network. This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. To use this setting, you must set two servername values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them. If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. Note: If the Configure Automatic
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
Updates policy is disabled, then this policy has no effect. COMPUTER Administrative Templates\Windows
Components\Windows Update Automatic Updates detection frequency Windows Server 2003, XP SP1, 2000 SP3
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20 hour detection frequency, then all clients to which this policy is applied will check for updates anywhere between 16 and 20 hours. If the status is set to Enabled, Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configured, Windows will check for available updates at the default interval of 22 hours. Note: The Specify intranet Microsoft update service location setting must be enabled for this policy to have effect. Note: If the Configure Automatic Updates policy is disabled, this policy has no effect.
COMPUTER Administrative Templates\Windows
Components\Windows Update Allow non-administrators to receive update notifications
Windows Server 2003, XP SP1, 2000 SP3
Specifies whether, when logged on, non-administrative users will receive update notifications based on the configuration settings for Automatic Updates. If Automatic Updates is configured, by policy or locally, to notify the user either before downloading or only before installation, these notifications will be offered to any non-administrator who logs onto the computer. If the status is set to Enabled, Automatic Updates will include non-administrators when determining which logged-on user should receive notification. If the status is set to Disabled or Not Configured, Automatic Updates will notify only logged-on administrators. Note: If the Configure Automatic Updates policy is disabled, this policy has no effect. COMPUTER Administrative Templates\Windows
Components\Windows Update Allow Automatic Updates immediate installation
Windows Server 2003, XP SP1, 2000 SP3
Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downloaded and ready to install. If the status is set to Disabled, such updates will not be installed immediately. Note: If the Configure Automatic Updates policy is disabled, this policy has no effect.
COMPUTER Administrative Templates\Windows Components\Windows Update No auto-restart for scheduled Automatic Updates installations Windows Server 2003, XP SP1, 2000 SP3
Specifies that to complete a scheduled installation, Automatic Updates will wait for the computer to be restarted by any user who is logged on, instead of causing the computer to restart automatically. If the status is set to Enabled, Automatic Updates will not restart a computer
automatically during a scheduled installation if a user is logged in to the computer. Instead, Automatic Updates will notify the user to restart the computer. Be aware that the computer needs to be restarted for the updates to take effect. If the status is set to Disabled or Not Configured,
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
Automatic Updates will notify the user that the computer will
automatically restart in 5 minutes to complete the installation. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
COMPUTER Administrative Templates\Windows Components\Windows Update
Re-prompt for restart with scheduled installations
Windows Server 2003, XP SP1, 2000 SP3
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured, the default interval is 10 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
COMPUTER Administrative Templates\Windows
Components\Windows Update Delay Restart for scheduled installations Windows Server 2003, XP SP1, 2000 SP3
Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set to Disabled or Not Configured, the default wait time is 5 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
COMPUTER Administrative Templates\Windows
Components\Windows Update Reschedule Automatic Updates scheduled installations
Windows Server 2003, XP SP1, 2000 SP3
Specifies the amount of time for Automatic Updates to wait, following system startup, before proceeding with a scheduled installation that was missed previously. If the status is set to Enabled, a scheduled
installation that did not take place earlier will occur the specified number of minutes after the computer is next started. If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled installation. If the status is set to Not Configured, a missed scheduled installation will occur one minute after the computer is next started. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the Configure Automatic Updates policy is disabled, this policy has no effect.
COMPUTER Administrative Templates\Windows
Components\Windows Update Enable client-side targeting Windows Server 2003, XP SP1, 2000 SP3
Specifies the target group name that should be used to receive updates from an intranet Microsoft update service. If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer. If the status is set to Disabled or Not Configured, no target group information will be sent to the intranet
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
Microsoft update service. Note: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting. If the Specify intranet
Microsoft update service location policy is disabled or not configured, this policy has no effect.
COMPUTER Administrative Templates\Windows NT Network\Sharing
Create hidden drive shares (server) COMPUTER Administrative Templates\Windows
NT Network\Sharing
Create hidden drive shares (workstation) COMPUTER Administrative Templates\Windows
NT Printers Beep for error enabled
COMPUTER Administrative Templates\Windows
NT Printers Disable browse thread on this computer COMPUTER Administrative Templates\Windows
NT Printers Scheduler priority
COMPUTER Administrative Templates\Windows
NT Remote Access Auto Disconnect
COMPUTER Administrative Templates\Windows
NT Remote Access Wait interval for callback COMPUTER Administrative Templates\Windows
NT Remote Access Max number of unsuccessful authentication retries COMPUTER Administrative Templates\Windows
NT Remote Access
Max time limit for authentication COMPUTER Administrative Templates\Windows
NT Shell\Custom shared folders
Custom shared desktop icons
COMPUTER Administrative Templates\Windows NT Shell\Custom shared folders
Custom shared Programs folder COMPUTER Administrative Templates\Windows
NT Shell\Custom shared folders
Custom shared Start menu
COMPUTER Administrative Templates\Windows NT Shell\Custom shared folders
Custom shared Startup folder
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
COMPUTER Administrative Templates\WindowsNT System\File system
Allow extended characters in 8.3 file names
COMPUTER Administrative Templates\Windows
NT System\File system Do not create 8.3 file names for long file names
COMPUTER Administrative Templates\Windows NT System\File system
Do not update last access time COMPUTER Administrative Templates\Windows
NT System\Logon Do not display last logged on user name COMPUTER Administrative Templates\Windows
NT System\Logon Logon banner
COMPUTER Administrative Templates\Windows
NT System\Logon Run logon scripts synchronously. COMPUTER Administrative Templates\Windows
NT System\Logon Enable shutdown from Authentication dialog box
COMPUTER Administrative Templates\Windows NT User Profiles
Choose profile default operation
COMPUTER Administrative Templates\Windows NT User Profiles
Delete cached copies of roaming profiles COMPUTER Administrative Templates\Windows
NT User Profiles
Automatically detect slow network connections COMPUTER Administrative Templates\Windows
NT User Profiles Timeout for dialog boxes
COMPUTER Administrative Templates\Windows
NT User Profiles Slow network default profile operation COMPUTER Administrative Templates\Windows
NT User Profiles
Slow network connection timeout
USER Administrative Templates\Advanced
settings
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
USER Administrative Templates\Advanced
settings
HTTP 1.1 settings
USER Administrative Templates\Advanced
settings
Internet Connection Wizard Settings
USER Administrative Templates\Advanced
settings
Microsoft VM
USER Administrative Templates\Advanced
settings
Connection
USER Administrative Templates\Advanced
settings Multimedia
USER Administrative Templates\Advanced
settings Printing
USER Administrative Templates\Advanced
settings Searching
USER Administrative Templates\Advanced
settings Security
USER Administrative Templates\Advanced
settings Signup Settings
USER Administrative
Templates\AutoComplete AutoComplete Settings
USER Administrative Templates\Control
Panel Hide specified Control Panel applets At least Microsoft Windows 2000 Hides specified Control Panel items and folders. This setting removes Control Panel items (such as Display) and folders (such as Fonts) from the Control Panel window and the Start menu. It can remove Control Panel items you have added to your system, as well as Control Panel items included in Windows 2000 Professional and Windows XP Professional. To hide a Control Panel item, type the file name of the item, such as Ncpa.cpl (for Network). To hide a folder, type the folder name, such as Fonts. This setting affects the Start menu and Control Panel window only. It does not prevent users from running Control Panel items. Also, see the Remove Display in Control Panel setting in User Configuration\Administrative Templates\Control Panel\Display. If both the Hide specified Control Panel applets setting and the Show only specified Control Panel applets setting are enabled, and the same item appears in both lists, the Show only specified Control Panel applets
Active Directory Training Seminar: Group Policy Administrator Reference
Node
Policy Path
Full Policy Name
Supported on
Help/Explain Text
setting is ignored. Note: To find the file name of a Control Panel item, search for files with the .cpl file name extension in the
%Systemroot%\System32 directory. Note: To create a list of disallowed Control Panel applets, click Show, click Add, and then enter the Control Panel file name (ends with .cpl) or the name displayed under that item in the Control Panel. (e.g., desk.cpl, powercfg.cpl, Printers and Faxes) Note: This setting does not affect the Categories that are displayed in the new Control Panel Category view in Windows XP. If you want to control which items are displayed in Control Panel, enable the Force classic Control Panel Style setting to remove the Category view, and then use this setting to control which .cpls are not displayed.
USER Administrative Templates\Control
Panel Force classic Control Panel Style At least Microsoft Windows XP Professional or Windows Server 2003 family
This setting affects the visual style and presentation of the Control Panel. It allows you to disable the new style of Control Panel, which is task- based, and use the Windows 2000 style, referred to as the classic Control Panel. The new Control Panel, referred to as the simple Control Panel, simplifies how users interact with settings by providing easy-to- understand tasks that help users get their work done quickly. The Control Panel allows the users to configure their computer, add or remove programs, and change settings. If you enable this setting, Control Panel sets the classic Control Panel. The user cannot switch to the new simple style. If you disable this setting, Control Panel is set to the task-based style. The user cannot switch to the classic Control Panel style. If you do not configure it, the default is the task-based style, which the user can change.
USER Administrative Templates\Control
Panel
Prohibit access to the Control Panel
At least Microsoft Windows 2000
Disables all Control Panel programs. This setting prevents Control.exe, the program file for Control Panel, from starting. As a result, users cannot start Control Panel or run any Control Panel items. This setting also removes Control Panel from the Start menu. (To open Control Panel, click Start, point to Settings, and then click Control Panel.) This setting also removes the Control Panel folder from Windows Explorer. If users try to select a Control Panel item from the Properties item on a context menu, a message appears explaining that a setting prevents the