Windows on the Desktop? There's a group policy for that
Managing by the book
Desktops are important and need managing with the same care as servers. If you are using Windows many of the tools you need are built into Active Directory, which lets you define individual users and computers along with their roles and the groups they fall into.
This division makes managing Windows PCs relatively easy.
The key to managing a suite of desktops centrally is Group Policy, which give you the ability to define rules that target the users and groups you want, locking down the desktop for task workers and opening it up for knowledge workers.
Windows features a surprising number of different group policies: Windows Vista has more than 3,000, Windows XP has about 1,800 and Windows 7 has more than 3,300.
Drilling down into the available Group Policies (there’s a useful online reference here), you will see that you can manage nearly everything on a PC, from defining the screen backdrop and look-and-feel to controlling how the machine handles encrypted files.
You can hide system utilities, making sure users don’t inadvertently mis-configure their machines, and control whether or not they can install software.
Preventing desktops from being customised makes it easier to manage a large number of them, reducing the risk of drift from your baseline system images. It also helps to keep users productive, as they won’t be spending time tweaking their PCs (especially if you have removed access to Minesweeper and Solitaire).
Express your preferences
While you can handle user security as part of an Active Directory user profile, Group Policies let you drill down into the Windows Firewall so you can control the open ports and the applications that have access to the network. Locking down applications that expose corporate data is important – especially if you are in a regulated industry.
Other security options control access to removable drives, as well as managing Windows’ built-in whole disk encryption BitLocker (including enforcing encryption on USB drives).
There is no point in chewing watts just to power screensavers
If there is something you want to manage that is not in the standard set of Group Policy Objects, you can use Group Policy Preferences to extend your reach. One option gives you control over a desktop’s scheduled tasks, so you can, for example, ensure that PCs are backed up regularly.
Group policies can do a lot more than handling user directories, application whitelists and security requirements.
Why not use them to push out power policies to desktops? There is no point in leaving PCs on overnight, chewing watts just to power screensavers. Recent versions of Windows let you use Group Policy Preferences to force shut down, hibernation or low-power sleep states on PCs out of working hours. There is no need to learn new scripting techniques as you work with familiar control panels.
Group Policies simplify complex tasks and make it easy to control specific users and groups. With this great power comes great responsibility, so make sure you have tested the policies you are planning on deploying before you add them to your Active Directory. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016