Use Group Policy to Log Out Users After Inactivity

Shared or multi-user computers come with their own unique management issues. Fast User Switching allows someone like a receptionist to leave programs running while taking breaks, but it also allows other users of that same system to leave their applications running even when they may not return to the computer for hours or days.

With a free utility and some simple Group Policy, you can kill those idle sessions so that they don’t stay logged in for days or weeks at a time hogging system resources.




Prevent the “Your browser has been upgraded” tab in Internet Explorer

Microsoft’s June Cumulative Security Update for Internet Explorer (MS14-035 / KB2957689) included a change that caught many IT departments off guard. If you’re in an environment running Windows 7 with either Internet Explorer 9 or Internet Explorer 10, your users may have received an additional tab that opened after the reboot that applied their monthly updates:

Your browser has been upgraded… sort of… with a monthly security patch…

Initially, users were redirected to, a rather lengthy privacy statement for Internet Explorer 9. After customer complaints user feedback, Microsoft altered the redirect to send users to

Unfortunately, this still isn’t expected behavior in a corporate environment. End users tend to either ignore something like this completely or open a help desk ticket costing the IT organization money in the form of the help desk request. The problem is compounded by: (#1) Microsoft not warning corporate IT departments this change was coming, (#2) Microsoft not giving corporate IT departments a way to suppress the extra tab with the warning, and (#3) some users receiving the additional tab every time they open an IE window instead of seeing it just once.

The good news is that this extra tab can be suppressed with a Registry entry. The easiest way to do this in a managed environment is with Group Policy.  In a Group Policy Object (GPO) that applies to user accounts, go to User Configuration > Preferences > Windows Settings > Registry.  Right-click on Registry and choose New > Registry Item.

In the Properties for the new Registry item, set the following:

Action:  Update
Key Path: Software\Microsoft\Internet Explorer\Main
Value Name: PrivacyPolicyShown
Value Type: REG_DWORD
Value Data: 00000001

Obviously this won’t help you for the hordes of end users that have already received the extra tab, but it should prevent anyone logging into a system for the first time from seeing it down the road.
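
To confirm that the preference item above actually landed in a user's profile, the following added example (not part of the original post) audits the value and can optionally set it. The function name Test-PrivacyPolicyShown is hypothetical, and the HKEY_CURRENT_USER hive is an assumption based on the item living under User Configuration.

```powershell
# Added example: audit (and optionally remediate) the PrivacyPolicyShown value
# that the Group Policy Preferences Registry item is meant to write.
# Assumption: the item targets HKEY_CURRENT_USER (User Configuration preference).
function Test-PrivacyPolicyShown {
    [CmdletBinding()]
    param(
        [string]$KeyPath = 'HKCU:\Software\Microsoft\Internet Explorer\Main',
        [switch]$Remediate
    )

    $name     = 'PrivacyPolicyShown'
    $expected = 1          # Value Data 00000001 from the post
    $current  = $null
    $kind     = $null

    # Read the value and its type without throwing if the key or value is absent.
    if (Test-Path -LiteralPath $KeyPath) {
        $key = Get-Item -LiteralPath $KeyPath
        if ($key.GetValueNames() -contains $name) {
            $current = $key.GetValue($name)
            $kind    = $key.GetValueKind($name)
        }
    }

    # Compliant only when the value exists, is a REG_DWORD, and equals 1.
    $compliant = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                 ($current -eq $expected)

    if (-not $compliant -and $Remediate) {
        if (-not (Test-Path -LiteralPath $KeyPath)) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
        # -Force replaces an existing value, including one of the wrong type.
        New-ItemProperty -LiteralPath $KeyPath -Name $name -PropertyType DWord `
            -Value $expected -Force | Out-Null
        return Test-PrivacyPolicyShown -KeyPath $KeyPath
    }

    [pscustomobject]@{
        KeyPath   = $KeyPath
        Value     = $current
        Kind      = $kind
        Compliant = $compliant
    }
}

# Report only; add -Remediate to write the value for the current user.
Test-PrivacyPolicyShown
```

Run it in the affected user's session after a Group Policy refresh; a result with Compliant set to False means the preference item has not applied to that profile.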

Targeting OS Platform/Bitness with Group Policy Preferences

I’ve had several people ask about targeting the bit level/bitness/platform of Windows with Group Policy Preferences using Item Level Targeting who were having problems getting it to work properly. Before we jump in, I should probably define bitness since I only first heard the term a few months back (Sorry… no… I can’t claim credit for making it up…). There’s an MSDN glossary entry that has a very geeky-sounding definition: “The distinction between 32-bit and 64-bit address spaces, and the potential differences in instantiation of components that this entails.” The less geeky definition, and the one that is easier to explain to your co-workers and/or boss, is that we want to determine whether the operating system is 32-bit (x86) or 64-bit (x64) so we can selectively apply a Group Policy Preference setting.

Group Policy Hotfixes

KB2862565 – AppLocker blocks administrators and other high privileged group’s users from executing files on a Windows 7 SP1-based or Windows Server 2008 R2 SP1-based computer

KB2849027 – Internet Explorer 10 security settings are silently applied to client computers when you use GPMC to view the Group Policy Preferences settings in Windows 8 or Windows Server 2012

KB2466373 – BACKSPACE or arrow keys do not work in MMC [especially in the Group Policy Management Console (GPMC)!!!!] on a computer that is running Windows 7 or Windows Server 2008 R2

KB2816253 – Known issues with Office if Desktop or My Documents is redirected

KB981177 – You can still unpin a program from the taskbar unexpectedly when you enable the “Do not allow pinning programs to the Taskbar” Group Policy on a computer that is running Windows 7 or Windows Server 2008 R2

KB981750 – Error message occurs when you use GPMC to view a software restriction Group Policy setting in Windows 7 and in Windows Server 2008 R2: “An error has occurred while collecting data for Software Restriction Policies”


Control the Windows 8.1 Start Screen Layout with Group Policy

If you had the opportunity to attend TechEd North America 2013, one of the new Windows 8.1 features that was shown off was the ability to set the layout of the Start screen in Group Policy. (In the event you didn’t attend, you can watch a replay of the keynote here; skip to 13:30 to see the demo of customizing the Start screen.)

Set the Default Save Location to Computer in Office 2013

Office 2013 comes with a number of cool new features. One of those new features is the ability to save to “cloud” locations like SkyDrive and SkyDrive Pro right out of the box without having to install extra helper applications that sync the data down to the local system. With the big cloud push at Microsoft, the locations are now favored by default over saving to the local storage or mapped drives on a computer. This can be changed in the UI of the various Office applications. However, Microsoft chose not to include the option to change the default in Group Policy. The good news is that the settings can be configured in the Registry which means they can be manipulated by Group Policy Preferences.


Disable Adobe Acrobat XI Updates with Group Policy

By default, an installation of Adobe Acrobat XI will check for updates and then will prompt the end user to install the update whether or not the user has Admin rights. In a small environment, this may not be a problem, but in a larger environment, this can generate a lot of unnecessary support requests when a user that doesn’t have Admin rights gets a UAC prompt that wants Admin credentials. Here’s how to disable the Acrobat update checks so that your end users don’t see messages like this:

