3.9 Windows Group Policy

The Windows Group Policy allows you to configure a Group Policy for Windows devices.

  1. In ZENworks Control Center, click the Policies tab.

  2. In the Policies list, click New, then click Policy.

    or

    In the Policy Tasks, click New Policy.

    The Select Platform page is displayed.

  3. Select Windows, then click Next.

    The Select Policy Category page is displayed.

  4. Select Windows Configuration Policies, then click Next.

  5. Select Windows Group Policy as the Policy Type, then click Next

  6. In the Define Details page fill in the following fields:

    Policy Name: Provide a name for the policy. The policy name must be different than the name of any other item (group, folder, and so forth) that resides in the same folder. The name you provide displays in ZENworks Control Center.

    Folder: Type the name or browse to and select the ZENworks Control Center folder where you want the policy to reside. The default is /policies, but you can create additional folders to organize your policies.

    Administrator Notes: Provide a short description of the policy’s content. This description displays in ZENworks Control Center.

  7. Click Next to display the Windows Group Policy Settings page, then use the options to specify the settings. Refer to the following table for more information:

    Field

    Details

    Select the Type of Group Policy to Manage

    With the Windows Group Policy, you can manage either a Local group or an Active Directory group policy.

    Before you can configure the Group Policy, you need to install a helper application. Click Install the Group Policy Helper to install the novell-zenworks-grouppolicyhelper-11.x.x.x.msi, which is a Windows installer package. This installation needs to be done only once. After the helper is installed, clicking Configure launches the helper, which you then use to configure or import a policy.

    • Local Group Policy: Select this option to configure a Local Group policy.

      To launch the group policy helper, click Configure. Configure or edit the settings in the Local Group policy, then upload the configured policy to the ZENworks Server.

    • Active Directory Group Policy: Select this option to use an Active Directory Group policy.

      To launch the group policy helper, click Configure. Import an Active Directory Group policy created from Windows Server 2003 or Windows Server 2008 Active Directory, then upload to the ZENworks Server. (You cannot edit an Active Directory policy through ZENworks Control Center.)

    Select the Configuration Settings to Be Applied On the Managed Device

    After you have adjusted the policy settings as you prefer, you can select how to apply the settings to the managed device.

    Computer Configuration Select this option to apply the computer configuration settings to the managed device.

    • Apply all settings: Select this option to apply all the computer configuration settings to the managed device.

    • Apply only security settings: Select this option to apply only the security settings to the managed device.

      However, if you select this option, the software restrictions in security settings are not enforced on the device. To enforce the software restrictions, select Apply all settings.

    • Apply all settings except security settings: Select this option to apply all the computer configuration settings except for security settings to the managed device.

    User Configuration Select this option to apply the user configuration settings to the managed device.

    NOTE:

    • The Computer Configuration settings from a user associated group policy are not applied when the user logs into a Windows 2000 or Windows 2003 Terminal Server.

    • Group Policy Objects get assigned to a device on a general refresh. The Computer Configuration settings of a device-assigned Group Policy Object remains in-effect on user logout.

  8. Click Next to display the Summary page. Review the information and, if necessary, use the Back button to make changes to the information on the Summary page.

  9. (Conditional) Select Create as Sandbox, if you want to create the sandbox version of the policy.

  10. Click Finish to create the policy now, or select Define Additional Properties to specify additional information, such as policy assignment, system requirements, enforcement, status, and which group the policy is a member of.

    If the login/logoff scripts are configured in a user-associated group policy and the After enforcement, force a re-login on the managed device, if necessary, then a relogin is forced and the login scripts run when the user logs into the managed device again. The startup scripts from a device-associated policy run only when the device reboots the next time.

    The Group policy login scripts do not support the environment variables for users on Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7, and Windows Server 2008 R2.

    The scripts configured through Active Directory group policy are not enforced on the device even though the policy displays success in the ZENworks Adaptive Agent Policies page. For more information see, Section A.14, Windows Group Policy Troubleshooting.

    IMPORTANT:If you want to apply the security settings of the Windows Group policy on Windows XP SP1 or SP2 managed device, ensure that the device has Windows Hotfix KB897327 installed. For more information about how to install the Hotfix, see the Microsoft Support Web site.