Tag Archives: Windows-Vista

Managing Control Panel in Windows Vista

At some point in your migration from Windows XP to Windows Vista you’ll no doubt be looking to manage which Control Panel applets are available to users. Controlling access to applets is no different than earlier version of Windows, but given that there are approximately 48 default applets in Windows Vista compared to 29 in Windows XP, more consideration will need to be given to those which you make available.

There’s a good chance that list will be different for everyone, but here’s my approach: Hiding Control Panel applets is not a replacement for ensuring users are not logging into their workstations with administrative access. Without administrative access, users cannot make system wide changes. Restrict applets too much and you can make support difficult.

I consider the task of restricting the available applets as a means of de-cluttering the interface, not ‘locking the system down’.

Here’s what Control Panel applets I would consider to be relevant to most users in a Windows XP environment:

A couple of these may not be completely necessary, but they give users enough access to manage their environment to suit the way they work. Note that there’s nothing in these applets (yes, including Network Connections) that lets standard users change system settings. There are also many Group Policy settings that allow you to be fairly granular for settings within these applets.

This is what I’m looking at providing for users in Windows Vista:

As you can see there’s many more icons, but Vista does provide many more features. There are a few applets here that you may wonder why I’ve not hidden them:

Network and Sharing Center: especially useful to laptop users for providing connectivity information
Problem Reports and Solutions: Vista does a good job of providing solutions for device and software compatibility issues
System: Information list here is useful for support personnel, hard to see this info if this applet is unavailable
User Accounts: this will allow users to change their user picture

Here’s a short list of recommendations when configuring Group Policy for the Control Panel:

Leave the standard Control Panel view as the default – don’t be tempted to force Classic view. The default view in Windows Vista is less cluttered and search makes finding the right option easier.
Provide the complete list of Control Panel applets across all device types in a GPO on the user’s OU using the Show only specified Control Panel items policy
Remove additional applets from the previous list for special case machines (e.g. Terminal Server) in a loop-back policy using the Hide specified Control Panel items policy
Using applet names in these policies provides more granular access than using the .CPL filenames (plus they’re easier to read)

There are also a couple of other settings that remove options that users don’t need to see:

User Configuration / Policies / Administrative Templates / Windows Components / Windows Explorer / Remove Hardware tab
User Configuration / Policies / Administrative Templates / Control Panel / Regional and Language Options / Hide Regional and Language Options administrative options

And finally, here’s what Control Panel under Windows 2008 Terminal Server might look like:

So, what do you think – am I off my tree for giving users so many options? Or can I get some support for the ‘enabling users’ camp?

Customise the Windows Vista Default User Profile

There are numerous ways to customise the default user profile in earlier versions of Windows, including:

Create a user account, configure the profile, then copy over the top of the local default profile or save a copy to your NETLOGON share;
Use the [GuiRunOnce] section in an unattended answer file for Windows XP/2003.

The first option carries over to Windows Vista and Windows Server 2008 however the second option is not available in quite the same way. Windows Vista’s setup is a very different beast and customising the default profile with scripts requires using the auditUser pass and setting the CopyProfile value.

There’s some great detail about using this process to modify the default user profile at FireGeier’s Unattended Vista Guide plus there’s a post at MSFN.org that my help you understand the process too. However, I think there’s a simpler way. It’s perhaps not a flexible as deploying via the UNATTEND.XML file but it doesn’t require running SYSPREP to get the job done.

You can edit the default profile by directly modifying the Windows Vista or Windows Server 2008 image. This involves mounting the image and making your changes:

Mount the image in read/write mode;
Load the \Users\Default\NTUSER.DAT hive into the Registry. It’s worth looking around at this registry hive to see the differences between it and the user hive once a user has logged in;
Add the required modifications and unload the hive;
Commit changes to the Windows image.

Be sure to set the CopyProfile value to False in the UNATTEND.XML, otherwise these changes will be overwritten. Here’s a script that performs those steps for me:

@ECHO OFF
REM -----------------------------------------------------------------------------
REM  Script configures the Default User Profile in a Windows Vista/2008 image
REM -----------------------------------------------------------------------------

REM Mount the Windows image
IMAGEX /MOUNTRW "D:\install.wim" 1 D:\mount

REM Load the default profile hive
REG LOAD HKU\Default D:\mount\Users\Default\NTUSER.DAT

REM Configure the default user profile
REG ADD "HKU\Default\Control Panel\Sound" /v Beep /t REG_SZ /d NO /f
REG ADD "HKU\Default\Control Panel\Sound" /v ExtendedSounds /t REG_SZ /d NO /f
REG ADD "HKU\Default\Control Panel\Desktop" /v HungAppTimeout /t REG_SZ /d 5000 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v AutoEndTasks /t REG_SZ /d 1 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v WaitToKillAppTimeout /t REG_SZ /d 4000 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v FontSmoothing /t REG_SZ /d 2 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v FontSmoothingType /t REG_DWORD /d 2 /f
REG ADD "HKU\Default\Control Panel\Desktop" /v WallPaper /t REG_SZ /d "" /f
REG ADD "HKU\Default\Control Panel\Colors" /v Background /t REG_SZ /d "10 59 118" /f
REG ADD "HKU\Default\Console" /v QuickEdit /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Command Processor" /v CompletionChar /t REG_DWORD /d 9 /f
REG ADD "HKU\Default\Software\Microsoft\Command Processor" /v PathCompletionChar /t REG_DWORD /d 9 /f
REG ADD "HKU\Default\Software\Microsoft\CTF\LangBar" /v ShowStatus /t REG_DWORD /d 3 /f
REG ADD "HKU\Default\Software\Microsoft\CTF\LangBar" /v Label /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\CTF\LangBar" /v ExtraIconsOnMinimized /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v SeparateProcess /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowControlPanel /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_EnableDragDrop /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuFavorites /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuLogoff /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuScrollPrograms /t REG_SZ /d "YES" /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v IntelliMenus /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowHelp /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyComputer /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyDocs /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyMusic /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowMyPics /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowNetPlaces /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowPrinters /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowSetProgramAccessAndDefaults /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_ShowRecentDocs /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_AutoCascade /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_NotifyNewApps /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_AdminToolsRoot /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v StartMenuAdminTools /t REG_SZ /d "NO" /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Start_SortByName /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete" /v "Append Completion" /t REG_SZ /d YES /f
REG ADD "HKU\Default\Software\Microsoft\Internet Explorer\TabbedBrowsing" /v PopupsUseNewWindow /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Internet Explorer\PhishingFilter" /v Enabled /t REG_DWORD /d 1 /f
REG ADD "HKU\Default\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d YES /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{59031a47-3f72-44a7-89c5-5595fe6b30ee}" /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel" /v "{20D04FE0-3AEA-1069-A2D8-08002B30309D}" /t REG_DWORD /d 0 /f
REG ADD "HKU\Default\AppEvents\Schemes\Apps\Explorer\Navigating\.Current" /ve /t REG_EXPAND_SZ /d "" /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v DesktopShortcut /d No /t REG_SZ /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Setup\UserOptions" /v QuickLaunchShortcut /d /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v AcceptedPrivacyStatement /d 1 /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v FirstRun /d 0 /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v DisableMRU /d 1 /t REG_DWORD /f
REG ADD "HKU\Default\Software\Microsoft\MediaPlayer\Preferences" /v AutoCopyCD /d 0 /t REG_DWORD /f
REG DELETE "HKU\Default\Software\Microsoft\Windows\CurrentVersion\Run" /v Sidebar /f

REM Unload the default profile hive
REG UNLOAD HKU\Default

REM Unmount the Windows image and commit changes
IMAGEX /UNMOUNT /COMMIT D:\mount

As you can see I’m adding registry entries that will configure the user environment which does mean that there’s a bit of work required to find them in the first place, but it does allow me to document every change to the profile, so I think the effort is worth it.

Extending this process, there are a few other things we can change in the Windows image that will impact the default environment:

Modify the default theme file in \Windows\Resources\Themes\aero.theme. I’ve used this file to do things such as remove the default wallpaper. Theme files are just text files so they’re easy to maintain;
Configure Internet Explorer defaults by using INSTALL.INS created with the Internet Explorer Administration Kit. This is useful for preventing IE from adding the default favourites or RSS feeds at first launch. Place a copy of INSTALL.INS in \Program Files\Internet Explorer\SIGNUP and \Program Files\Internet Explorer\CUSTOM.

Then there are a couple of additional tools that I’ve used to make changes to the default user environment once Windows has been installed and added to the domain:

Group Policy. Some settings such as preventing Windows Media Player from displaying the first run dialog are useful;
Group Policy Preferences. GPP allows you to set registry values as a preference, i.e. apply once only.

By modifying the Windows image directly, your custom default profile will be available on machines whether you use an unattended or manual deployment.

Here’s a few more articles worth reading:

Troubleshooting Windows Vista Performance KBs

To get the best out of Windows requires the wipe and load approach when confronted with a slow performing OEM install. I’m working on a post to that effect and Ed Bott has some great articles on Windows Vista performance lately (not that I think I’m in Ed Bott’s league).

Windows’ greatest strength and weakness is the ecosystem that Microsoft has built around it and I think that OEM’s aren’t doing enough to give consumers the best Windows experience. OEMs should be brought to task for much of Vistas’ failings in its first 12 months.

Anyway that’s a topic for another day, here’s what this post is about – If you are troubleshooting slow performance in Windows Vista, there are some knowledgebase articles that were published last month and are worth referring to for assistance:

No Redirected Folders? Just Wait Longer

No, Ace Ventura hasn’t started writing knowledgebase articles, it’s the advice given about an issue with redirected folders in Windows Vista and Windows Server 2008. I haven’t seen this myself, but fortunately there’s a better workaround than waiting 12 minutes.

Folder redirection does not work correctly after you restart a computer that is running Windows Server 2008 or Windows Vista

The article has some detail about why this happens:

Windows Server 2008 and Windows Vista use the Well-Known folders feature to determine the location of folders in the user profile. By using this feature, Windows redirects Well-Known folders to other locations as needed. Specifically, Windows Explorer queries the Well-Known folder GUID. This query returns the actual folder location, whether on a hard disk drive or on a remote server.

Windows Explorer optimizes Well-Known folder lookups by caching the Well-Known folders and their locations. Queries are performed against the cache, and the location is then returned to the application or to Windows Explorer.

When you use folder redirection, you receive the folder redirection settings from Group Policy. This process cannot occur unless the Workstation service has started. If the Workstation service has not started, the Well-Known folder cache is unavailable. This causes queries for redirected folder locations to fail. Additionally, the cache remains unavailable until the next update. By default, this cache is updated every 12 minutes (after the cache is first initialized and built during logon).

Delay On Windows Vista With Redirected Desktop

If you are redirecting the Desktop folder for users on Windows Vista laptops, a knowledgebase article just been published that might be useful to you. Here’s details of what this article addresses:

SYMPTOMS
Consider the following scenario:

On a Windows Vista-based computer, you redirect the Desktop folder to a network redirection folder.

You enable the Always Available offline option to make the Desktop folder available offline.

The computer is connected to a network that does not contain the redirection folder.

You restart the computer, and then you enter your user credentials on the Welcome screen to log on to the computer.

In this scenario, you see a black screen for 30 to 120 seconds before the desktop or the Start menu appears.

Details here: After you log on to a Windows Vista-based computer that has the Desktop folder redirected, you see a black screen for 30 to 120 seconds before the desktop or the Start menu appears

Aaron Parker

on application delivery and end user computing