Microsoft Press working group policy guide, part 5

268 Part II: Group Policy Implementation and Scenarios
To allow administrators to access existing profile folders, complete the following steps:
1. Log on to the profile server using an account that has administrator privileges.
2. In Windows Explorer, locate the user’s profile folder. Right-click it, and then choose Properties.
3. When you see a warning prompt telling you that you do not have permission to access the profile folder but can take ownership, click OK.
4. In the Properties dialog box, click the Security tab, and then click Advanced.
5. In the Advanced Security Settings dialog box, click the Owner tab.
6. Under Change Owner To, click Administrators, and then select the Replace Owners On Subcontainers And Objects check box.
7. Click OK. When prompted to confirm that you want to take ownership of the folder, click Yes.
8. You are prompted to close and open the folder’s Properties dialog box before you can view or change permissions. Click OK three times to close all open dialog boxes.
9. In Windows Explorer, right-click the user’s profile folder and then choose Properties.
10. In the Properties dialog box, click the Security tab and then click Advanced.
11. In the Advanced Security Settings For dialog box, click Add.
12. In the Select Users, Computers, Or Groups dialog box, type the user’s logon account name and then click Check Names. If the name is shown correctly, click OK.
13. In the Permission Entry For dialog box, select This Folder, Subfolders And Files under Apply Onto and then select Allow for Full Control. Click OK.
Caution
In the Permission Entry For dialog box, Apply These Permissions To Objects And/Or Containers Within This Container Only is not selected by default. Do not select this option. If you do, permissions will not be set correctly. For example, if this option is selected, a user logging on would see a specific error related to not being able to read the contents of the Application Data\Identities folder. If a user sees such an error during logon, you need to open the Advanced Security Settings For dialog box, select the user name, and click Edit. You then clear Apply These Permissions To Objects And/Or Containers Within This Container Only and click OK.
14. In the Advanced Security Settings For dialog box, select Replace Permission Entries On All Child Objects and then click OK. When prompted to confirm the action, click Yes.
15. Click OK.
Chapter 7: Managing User Settings and Data 269
Note
If the user sees a prompt indicating that the roaming profile is not available, security permissions have not been configured correctly. Repeat steps 8 through 12 and ensure that you select Replace Permission Entries On All Child Objects.
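The same repair from the command line, as an added example that is not from the book: it performs steps 3 through 14 with takeown.exe and the .NET file-security classes, and includes a check for the inheritance mistake the Caution describes (the "within this container only" box corresponds to the NoPropagateInherit propagation flag). It assumes an elevated PowerShell session on the profile server; the profile path and account name are placeholders you replace.

```powershell
# Added example (not from the book): command-line form of the take-ownership procedure above.
# Assumptions: elevated PowerShell on the profile server, takeown.exe present;
# $ProfilePath (e.g. D:\Profiles\jdoe) and $UserAccount (e.g. CONTOSO\jdoe) are placeholders.

function Restore-ProfileFolderAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfilePath,
        [Parameter(Mandatory = $true)] [string] $UserAccount
    )

    # Steps 3-7: take ownership for the Administrators group, recursively.
    # /A = owner becomes Administrators, /R = recurse, /D Y = also take folders we cannot list yet.
    & takeown.exe /F $ProfilePath /A /R /D Y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed on $ProfilePath (exit code $LASTEXITCODE)" }

    # Steps 11-13: Full Control for the user on "This folder, subfolders and files".
    # ContainerInherit + ObjectInherit = subfolders and files; PropagationFlags None means the
    # "Apply these permissions to objects and/or containers within this container only" box
    # stays cleared, which is exactly what the Caution above requires.
    $subtree = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $noLimit = [System.Security.AccessControl.PropagationFlags]::None
    $acl = Get-Acl -LiteralPath $ProfilePath
    foreach ($principal in @($UserAccount, 'BUILTIN\Administrators')) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList @($principal, 'FullControl', $subtree, $noLimit, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $ProfilePath -AclObject $acl

    # Step 14, "Replace permission entries on all child objects": re-enable inheritance on every
    # child and drop its explicit entries so the entries set above are what applies below.
    foreach ($child in Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force) {
        $childAcl = Get-Acl -LiteralPath $child.FullName
        $childAcl.SetAccessRuleProtection($false, $false)
        foreach ($explicit in @($childAcl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$childAcl.RemoveAccessRule($explicit)
        }
        Set-Acl -LiteralPath $child.FullName -AclObject $childAcl
    }
}

function Test-ProfileFolderAccess {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfilePath,
        [Parameter(Mandatory = $true)] [string] $UserAccount
    )
    $acl = Get-Acl -LiteralPath $ProfilePath
    $userRules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $UserAccount })
    $np = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit
    [pscustomobject]@{
        Owner              = $acl.Owner
        UserHasFullControl = [bool]@($userRules | Where-Object { $_.FileSystemRights -eq 'FullControl' })
        # True means the "within this container only" box was ticked: expect the
        # Application Data\Identities error at logon until it is cleared.
        LimitedToContainer = [bool]@($userRules | Where-Object { ([int]($_.PropagationFlags -band $np)) -ne 0 })
    }
}

# Usage (placeholders):
# Restore-ProfileFolderAccess -ProfilePath 'D:\Profiles\jdoe' -UserAccount 'CONTOSO\jdoe'
# Test-ProfileFolderAccess    -ProfilePath 'D:\Profiles\jdoe' -UserAccount 'CONTOSO\jdoe'
```

Run the test function after the repair: Owner should read BUILTIN\Administrators, UserHasFullControl should be True and LimitedToContainer False. If LimitedToContainer is True on a folder that was fixed by hand, that is the case the Caution warns about.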
Limiting Profile Size and Included Folders
User profiles can grow very large, and sometimes when you allow roaming you’ll want to limit their size or the folders they include. A key reason for doing this is to save space on the server storing the profiles, but limiting profile size and included folders can also speed up the logon and logoff processes. Don’t forget that you can also redirect some of the profile folders, such as My Documents and Application Data, so that they are connected via shares rather than moved around the network in the user’s profile. Limiting the profile size in this case might not be necessary.
Limiting Profile Size
If you limit profile size, any user who exceeds the profile limit sees this warning message when she tries to log off: “You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.” The warning dialog box includes a list of files in her profile and provides details on her current profile size and the maximum allowed profile size. The user cannot log off until she deletes files and thereby reduces the size of her profile to within the permitted limits.
To limit the size of user profiles for a site, domain, or OU, follow these steps:
1. Access the GPO with which you want to work. Access User Configuration\Administrative Templates\System\User Profiles.
2. Double-click Limit Profile Size, and then select Enabled, as shown in Figure 7-5.

Figure 7-5 Limiting the profile to a specific maximum size and configuring notification
3. If a user exceeds the profile limit and tries to log off, she sees the standard warning message. To display a different warning message at logoff, type the text of the message in the Custom Message box.
4. With this policy setting enabled, the default maximum profile size is 30 MB (30,000 KB). If you redirect profile data folders, such as My Documents and Application Data, to network shares, this default value might suffice. If you do not redirect profile data folders, this default value will, in most cases, be much too small. Either way, you should carefully consider what the profile limit should be and then use the Max Profile Size combo box to set the appropriate limit (in kilobytes).
5. By default, global settings are stored in the Ntuser.dat file in a user’s profile; the size of the Ntuser.dat file does not count toward the user’s profile limit. If you want to include the file size of the Ntuser.dat file in the profile limit, select Include Registry In File List.
6. By default, users see a warning about profile size only at logoff and are then given the opportunity to remove files from their profile. If you want to notify users whenever they exceed their profile storage space, select Notify User When Profile Storage Space Is Exceeded and then use the Remind User Every X Minutes combo box to determine how often the reminder is displayed.
Tip
Notifying users that they’ve exceeded the profile limit can be helpful, but repeatedly reminding them of this can be annoying. Therefore, if you want to notify users, do so infrequently, such as once every 120 minutes.
7. Click OK.
Limiting Folders Included in Profiles
Another way to limit the user’s profile size is to exclude folders and prevent them from roaming with the user’s profile. As discussed previously, folders under %SystemDrive%\Documents and Settings\%UserName%\Local Settings do not roam. If you want to exclude other folders, you can specify this in policy by completing the following steps:
1. Access the GPO you want to work with. Access User Configuration\Administrative Templates\System\User Profiles.
2. Double-click Exclude Directories In Roaming Profile and then select Enabled, as shown in Figure 7-6.
Figure 7-6 Preventing specific folders from roaming by entering the folder name in a semicolon-separated list
3. Specify the folders that should not roam by entering them in the appropriate box. When you specify multiple folders to exclude, they must be separated by a semicolon. Always type folder names relative to the root of the profile, which is %SystemDrive%\Documents and Settings\%UserName%. For example, if you want to exclude two folders on the desktop called Dailies and Old, type Desktop\Dailies;Desktop\Old.
4. Click OK.
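Before you pick a Max Profile Size value or an exclusion list, it helps to measure what each profile would actually roam. The script below is an added example, not from the book: it walks a profile share, applies the same exclusion syntax as the Exclude Directories In Roaming Profile policy (semicolon-separated paths relative to the profile root, with Local Settings always excluded) and the same Ntuser.dat rule as Include Registry In File List, and reports every profile over the 30,000 KB default. The share path is a placeholder, and the folder names follow the Windows Server 2003 profile layout used in this chapter.

```powershell
# Added example (not from the book): measure what would roam per profile and flag those over
# the Limit Profile Size threshold. Assumptions: $ProfilesRoot is a placeholder for your profile
# share with one subfolder per user; profile layout is the Windows Server 2003 / XP one.

function Get-RoamingProfileSizeKB {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfilePath,
        [string] $ExcludeDirectories = '',   # exactly what you would type into the policy box
        [switch] $IncludeRegistry            # mirrors "Include Registry In File List"
    )
    # Local Settings never roams, so it is always excluded; the rest comes from the policy string.
    $relative = @('Local Settings') +
        @($ExcludeDirectories -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Absolute prefixes ending in '\' so that Desktop\Old does not also match Desktop\Older.
    $prefixes = @($relative | ForEach-Object { (Join-Path $ProfilePath $_).TrimEnd('\') + '\' })

    $bytes = [long]0
    $files = Get-ChildItem -LiteralPath $ProfilePath -Recurse -File -Force -ErrorAction SilentlyContinue
    foreach ($file in $files) {
        # Ntuser.dat is the user's registry hive; by default its size does not count toward the limit.
        if ($file.Name -ieq 'ntuser.dat' -and -not $IncludeRegistry) { continue }
        $excluded = $false
        foreach ($prefix in $prefixes) {
            if ($file.FullName.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $excluded = $true
                break
            }
        }
        if (-not $excluded) { $bytes += $file.Length }
    }
    return [long][math]::Ceiling($bytes / 1KB)
}

function Find-OversizedProfiles {
    param(
        [Parameter(Mandatory = $true)] [string] $ProfilesRoot,
        [int] $MaxProfileSizeKB = 30000,     # the policy default (30 MB) described in step 4
        [string] $ExcludeDirectories = '',
        [switch] $IncludeRegistry
    )
    Get-ChildItem -LiteralPath $ProfilesRoot -Directory | ForEach-Object {
        $kb = Get-RoamingProfileSizeKB -ProfilePath $_.FullName `
                -ExcludeDirectories $ExcludeDirectories -IncludeRegistry:$IncludeRegistry
        [pscustomobject]@{
            User      = $_.Name
            SizeKB    = $kb
            OverLimit = ($kb -gt $MaxProfileSizeKB)
        }
    } | Sort-Object -Property SizeKB -Descending
}

# Usage (placeholder share): profiles that would still trip the default limit once the two
# desktop folders from the example in step 3 are excluded.
# Find-OversizedProfiles -ProfilesRoot '\\PROFSERVER\Profiles' -ExcludeDirectories 'Desktop\Dailies;Desktop\Old' |
#     Where-Object OverLimit | Format-Table -AutoSize
```

Run it once without an exclusion list and once with the list you intend to deploy; the difference in SizeKB per user is what the exclusion actually buys you, and the users still over the limit are the ones who will see the logoff warning on day one.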
Redirecting User Profile Folders and Data
In many organizations, workers use or have access to more than one computer on a daily basis. They might have both a portable computer and a PC in their office. They might have a PC in their office and log on to other computers to do development or test work. They might have to log on to another user’s computer while theirs are being repaired, or they might check out a loaner before traveling to a remote office. Whatever the reason, ensuring that users have consistent access to their data is essential, and this is where redirected folders come in handy. Not only do redirected folders make it possible for users to consistently access their data regardless of the computer they use to log on to the network, but redirected folders also make the administrator’s job easier by providing a centralized repository for user profile folders and data that can be more consistently managed and more easily backed up. The key reason for this is that with redirected folders, user data resides on a central server or servers rather than on individual user computers.
Understanding Folder Redirection
As discussed previously in “User Profiles and Group Policy,” redirected folders allow for seamless redirection of folders and data that would otherwise be a part of a user’s profile. In the case of roaming profiles, redirected folders reduce network traffic during logon and logoff because the redirected folders do not need to be retrieved or updated, which also can speed up logon and logoff. So, in a sense, users and administrators get the best of both worlds. Users get better access to their data, experience faster logon and logoff, and have fewer profile-related problems overall. Administrators get centralized management and better control over user data, which in turn makes the data easier to back up and restore.
You can configure folder redirection for domain users at the domain or OU level through User Configuration settings. As Figure 7-7 shows, you can redirect the following user profile folders:
■ Application Data The per-user data store for applications under %SystemDrive%\Documents and Settings\%UserName%\Application Data rather than the per-computer data store for applications under %SystemDrive%\Documents and Settings\%UserName%\Local Settings\Application Data. Many applications have per-user data stores, which can grow very large. With Office, the per-user data store contains the user’s custom dictionaries, address book, and more, so it often makes sense to have a single Application Data folder for all the computers a user logs on to.
■ Desktop The user’s complete desktop including the configuration settings, shortcuts, and any files or folders stored on the desktop. Users often store files and folders on their desktop, so it often makes sense to redirect their desktop data as well as their My Documents data. With a roaming profile, redirecting the desktop also ensures that any desktop shortcuts and setting preferences, such as wallpaper and the quick access toolbar, remain when a user moves from computer to computer. As long as a shortcut points to a valid location, such as a file in a user’s profile folder or on a network share, it will work. For example, if the user has a shortcut to a document stored in My Documents, the shortcut will work. On the other hand, a shortcut to a document in a D drive folder, which is only on the user’s laptop, will not work.
■ My Documents The complete contents of My Documents including all files and folders. By default, all automatically created subfolders are included in this folder. You do have the option of excluding My Pictures, but all other subfolders of My Documents are redirected, including My Data Sources, My Deliveries, My DVDs, My eBooks, My Music, My Received Files, My Videos, My Virtual Machines, and My Web Sites.
■ Start Menu The complete Start menu including the Programs menu and its related menu items, shortcuts pinned to the Start menu, and any applications in the Startup folder. You might want to redirect the Start menu when, for example, users access applications over the network or you have identically configured workstations deployed throughout a department or office. With redirection, you can be certain that users have access to the appropriate applications on their Start menus.
Note
Unlike other types of folder redirection, Start menu redirection does not copy the contents of a user’s local Start menu. Instead, users are directed to a standard Start menu that the administrator previously created and stored on a server.
Figure 7-7 Folder redirection
No other user profile folders can be redirected. This means the following user profile folders cannot be redirected:
■ NetHood
■ PrintHood
■ My Recent Documents
■ SendTo
■ Templates
Behind the scenes, redirected folders are connected via network shares. You should consider several other configuration options whenever you redirect folders:
■ Using offline files Redirected folders aren’t available for offline use by default. Users can make files available offline by right-clicking a file in My Documents or another folder and selecting Make Available Offline. Administrators also can configure offline file usage on the server-stored shared folder. Right-click the share and then select Properties. In the Properties dialog box, click the Sharing tab and then click Caching. Select All Files And Programs That Users Open From The Share Will Be Automatically Available Offline, and then click OK twice. For more information, see Chapter 37 in Microsoft Windows Server 2003 Inside Out.
■ Using shadow copies Shadow copies of shared folders make it easier to recover previous versions of files and restore accidentally deleted files. If you configure shadow copies on the file shares associated with the redirected folders, users have access to previous versions of all their data files and folders. This allows them to go back and recover files on their own without an administrator’s help. For more information, see Chapter 22 in Microsoft Windows Server 2003 Inside Out.
Configuring Folder Redirection
Folder redirection is configured under User Configuration\Windows Settings\Folder Redirection. There are separate policy settings for Application Data, Desktop, My Documents, and Start Menu. These can be configured in several ways. If you don’t want to redirect a particular folder for the selected site, domain, or OU, you can use the Not Configured setting to disable redirection of the selected folder in the site, domain, or OU whose GPO you are currently working with.
If you want to redirect a particular folder for a designated site, domain, or OU, you can use one of two top-level settings:
■ Basic Used to redirect affected users to the same base location
■ Advanced Used to redirect affected users according to security group membership
The sections that follow discuss how these top-level settings and their related options can be used in various scenarios.
Using Basic Folder Redirection
The Basic setting is used to redirect all users in a site, domain, or OU to the same base location. Basic redirection is primarily for small organizations or organizations whose OU structure is based on physical location—for example, a small business group or department that is autonomous might want to use basic redirection. An organization in which employees in an OU are in the same physical location might also want to use basic redirection.
To configure basic folder redirection, follow these steps:
1. Access the GPO with which you want to work. Access User Configuration\Windows Settings\Folder Redirection.
2. The four folders that can be redirected are listed separately. Right-click the folder you want to redirect, and then select Properties.
3. In the Settings list, choose Basic - Redirect Everyone’s Folder To The Same Location, as shown in Figure 7-8.
Figure 7-8 Configuring basic folder redirection
4. Under Target Folder Location, choose one of the following options:
❑ Redirect To The User’s Home Directory Applies only to redirection of a user’s My Documents Folder. If you have configured the user’s home folder in her account properties, you can use this setting to redirect the My Documents folder to the same location as the home folder. For example, if the user’s home drive is X, the network drive X and the My Documents folder will point to the same location (as set in the user’s domain account properties).
Caution
Use this setting only if the home folder has already been created. If there is no home folder, this option is ignored and the folder is not redirected.
❑ Create A Folder For Each User Under The Root Path Appends the user’s name to a designated network share. Individual user folders then become subfolders of the designated network share. For example, if you want the My Documents folder to be redirected to \\NYServer08\UserData, this folder will contain subfolders for each user, based on the user’s account name (%UserName%), and the user’s My Documents data will be stored in the appropriate subfolder. This option is not available with redirection of the Start menu.
❑ Redirect To The Following Location Allows you to specify a root path to a file share and folder location for each user. If you do not include a user-specific environment variable, all the users are redirected to the same folder. If you add %UserName% to the path, you can create individual folders for each user, as in the previous option.
Note
For classrooms, kiosks, and some office settings, you might want to ensure that all users in an OU or all users who are members of a particular security group have exactly the same folder. In this case, you can redirect to the same folder location. For example, if you want everyone logging on to a classroom computer to have the same Start menu and Desktop even though they use different logon accounts, you can do this by redirecting the Start menu and Desktop to a specific folder. To ensure that only administrators can make changes to the Start menu and Desktop, you can change the security on the redirected folders so that the Administrators group has Full Control and the Authenticated Users group (or a specific security group) has Read access only.
❑ Redirect To The Local User Profile Location Causes the default location of the user’s profile to be used as the location for the user data. This is the default configuration if no redirection policies are enabled. If you use this option, the folders are not redirected to a network share and you essentially undo folder redirection.
5. Under Root Path, enter the root path to use, as necessary. If you chose Create A Folder For Each User Under The Root Path, you can enter \\NYServer08\UserData to redirect the selected folder to a user-specific folder under \\NYServer08\UserData.
6. Any necessary folders and subfolders are created automatically by Windows the next time an affected user logs on. Any currently logged-on user must then log off and log back on. By default, users are granted exclusive access to their redirected data and the contents of the existing folder are moved across the network to the new location the next time they log on. To change these or other configuration behaviors, click the Settings tab and then configure additional settings, as discussed in the “Configuring Setup, Removal, and Preference Settings for Redirection” section in this chapter.
7. Click OK.
Using Advanced Folder Redirection
The Advanced setting is used to redirect user data based on security group membership. If you select this option, you can set an alternative target folder location for each security group you want to configure. For example, you can redirect My Documents separately for the Sales, Engineering, and Customer Service groups. Sales users can have their My Documents redirected to \\NYServer12\Sales. Engineering users can have their My Documents redirected to \\NYServer04\Engineering. Customer Service users can have their My Documents redirected to \\NYServer02\Services. As with basic redirection, the designated folder contains subfolders for each user.
In most cases, the advanced configuration scales better for the large enterprise because it allows you to zero in on security groups within sites, domains, or OUs. Thus rather than assigning a single location for all users within an OU, you can assign each security group within an OU a separate location. However, keep in mind that the group policy you are working with applies only to user accounts that are in the container for which you are configuring Group Policy. So if you set a redirection policy for a group that isn’t defined in the site, domain, or OU you are working with, folder redirection is not applied.
To configure advanced redirection of user profiles, follow these steps:
1. Access the GPO with which you want to work. Access User Configuration\Windows Settings\Folder Redirection.
2. The four folders that can be redirected are listed separately. Right-click the folder you want to redirect, and then select Properties.
3. In the Settings list, choose Advanced - Specify Locations For Various User Groups, as shown in Figure 7-9. The Target tab is updated so that you can configure redirection settings by security group membership.
Figure 7-9 Configuring targeting for individual security groups within a site, domain, or OU
4. Click Add to display the Specify Group And Location dialog box (Figure 7-10).
Figure 7-10 Specifying the security group membership and target folder settings
5. Click Browse to display the Select Group dialog box. Type the name of a group account in the selected container, and then click Check Names. When a single match is found, the dialog box is automatically updated as appropriate and the entry is underlined. When you click OK, the group is added to the Security Group Membership list in the Specify Group And Location dialog box.
6. Under Target Folder Location, choose one of the following options:
❑ Redirect To The User’s Home Directory Applies only to redirection of a user’s My Documents Folder. If you have configured the user’s home folder in his account properties, you can use this setting to redirect the My Documents folder to the same location as the home folder. For example, if the user’s home drive is X, the network drive X and the My Documents folder will point to the same location (as set in the user’s domain account properties).
Caution
Use this setting only if the home folder has already been created. If there is no home folder, this option is ignored and the folder is not redirected.
❑ Create A Folder For Each User Under The Root Path Appends the user’s name to a designated network share. Individual user folders then become subfolders of the designated network share. For example, if you want the My Documents folder to be redirected to \\NYServer08\UserData, this folder will contain subfolders for each user, based on the user’s account name (%UserName%), and the user’s My Documents data will be stored in the appropriate subfolder. This option is not available with redirection of the Start menu.
❑ Redirect To The Following Location Allows you to specify a root path to a file share and folder location for each user. If you do not include a user-specific environment variable, all the users are redirected to the same folder. If you add %UserName% to the path, you can create individual folders for each user as in the previous option.
❑ Redirect To The Local User Profile Location Causes the default location of the user’s profile to be used as the location for the user data. This is the default configuration if no redirection policies are enabled. If you use this option, the folders are not redirected to a network share and you essentially undo folder redirection.
7. Under Root Path, type the root path to use as necessary. If you chose Create A Folder For Each User Under The Root Path, you can type \\NYServer08\UserData to redirect the selected folder to a user-specific folder under \\NYServer08\UserData.
8. When you are finished configuring these options, click OK. You can then repeat steps 4 through 7 to configure redirection of the selected folder for other groups.
9. Any necessary folders and subfolders are created automatically by Windows the next time an affected user logs on. Any currently logged-on user must log off and then log back on. By default, users are granted exclusive access to their redirected data and the contents of the existing folder are moved across the network to the new location the next time they log on. To change these or other configuration behaviors, click the Settings tab and then configure additional settings as discussed in the next section.
10. Click OK.
Configuring Setup, Removal, and Preference Settings for Redirection
When you are configuring folder redirection, the Settings tab (Figure 7-11) provides additional configuration options. In the default configuration shown, several things happen the next time a user logs on to the network:
1. Any necessary folders and subfolders are created automatically.
2. Folder security is set so that only the user has access.
3. The contents of the existing folder are moved across the network to the new location. If you redirected My Documents, My Pictures is copied as well.
4. If you later stop redirecting the folder, the data stays in the shared folder and the user continues to access the data in this location.
Figure 7-11 Specifying additional redirection settings
You can control the redirection behavior by modifying the settings:
■ Grant The User Exclusive Rights To When this option is selected, any necessary folders and subfolders are created automatically the next time a user logs on. The folder security is set so that the user has exclusive access. This means Windows creates the directory and gives the user Full Control to the folder.
When this option is not selected, any necessary folders and subfolders are created automatically the next time a user logs on. The existing security on the folder is not changed. Because of inheritance, the newly created folder has the same permissions as the parent folder.
Note
Through Group Policy, you have two basic configuration options for redirected folder security. You can tell Windows to either give the user exclusive access or accept the inherited security permissions of the parent folder. With exclusive access, all other users (even administrators) are blocked from accessing the redirected folders and their data. One way an administrator can gain access to a redirected folder is to take ownership of it. If you want the user and administrators to have access, you can use a technique described in Microsoft Knowledge Base Article 288991. Basically, you clear Grant The User Exclusive Access and then configure permissions on the redirected folder as follows:
■ Authenticated Users have Create Folders/Append Data, Read Permissions, Read Attributes and Read Extended Attributes for This folder only
■ Administrators, System, and Creator Owner have Full Control for This folder, subfolders and files
■ Move The Contents Of When this option is selected, the next time the user logs on the contents of the existing folder are moved across the network to the new location. If a user has a local profile on multiple machines, the contents are moved at logon on a per-computer basis.
When this option is not selected, the existing folder contents are copied across the network rather than moved. This means a local copy of the folder still exists. On a portable computer, this might seem like a good way to ensure that a local copy of data exists, but it is generally better to move the data and then configure offline file caching.
■ Leave The Folder In The New Location When Policy Is Removed When this option is selected, if you later stop redirecting the folder or the user account is moved out of the GPO for which redirecting is configured, the data stays in the shared folder. The user continues to access the data in this location.
■ Redirect The Folder Back When this option is selected, if you later stop redirecting the folder or the user account is moved out of the GPO for which redirection is configured, a copy of the data is sent to the user’s profile location when the user logs off the network. With a roaming profile, this means that a copy is sent to the profile server when the user logs off the network. If the user has a local profile, a copy is sent to the local computer when she logs off (and if she logs on to multiple computers, each will eventually get a copy). If the user account is moved to a GPO where redirection is configured, the data is moved according to the redirection settings.
■ Make My Pictures A Subfolder Of My Documents When this option is selected, if you redirected My Documents, My Pictures is copied as a subfolder of My Documents.
■ Do Not Specify Administrative Policy For My Pictures When this option is selected, if you redirected My Documents, My Pictures is not copied as a subfolder of My Documents.
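The permission set in the Note above (the KB 288991 approach, used when Grant The User Exclusive Rights To is cleared) is easy to get subtly wrong by hand, because the Authenticated Users entry must apply to the root folder only while the Full Control entries must flow down to each user's subfolder. The script below is an added example, not from the book or the Knowledge Base article: it writes exactly those entries to the folder behind a redirection root share and audits an existing root for entries that give ordinary users more than that. The local path is a placeholder; it assumes an elevated session on the file server.

```powershell
# Added example (not from the book): apply and audit the redirection-root permissions from the
# Note above. Assumptions: $RootPath is a placeholder for the local folder behind the share
# (e.g. D:\UserData behind \\NYServer08\UserData); run in an elevated PowerShell session.

$Subtree        = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$ThisFolderOnly = [System.Security.AccessControl.InheritanceFlags]::None
$NoPropagation  = [System.Security.AccessControl.PropagationFlags]::None
# "Create Folders/Append Data, Read Permissions, Read Attributes and Read Extended Attributes"
$UserRights = [System.Security.AccessControl.FileSystemRights]'CreateDirectories, ReadPermissions, ReadAttributes, ReadExtendedAttributes'

function New-AccessRule {
    param([string] $Identity, $Rights, $Inheritance)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, $Rights, $Inheritance, $NoPropagation, 'Allow')
}

function Set-RedirectionRootAcl {
    param([Parameter(Mandatory = $true)] [string] $RootPath)
    $acl = Get-Acl -LiteralPath $RootPath
    # Stop inheriting from the parent so nothing broader (for example Users: Read on the volume
    # root) reaches the redirection root, then clear any explicit entries already present.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # Authenticated Users: enough to create their own subfolder and read the root's attributes and
    # permissions, on the root only. They get no List Folder, so they cannot browse other users' folders.
    $acl.AddAccessRule((New-AccessRule 'NT AUTHORITY\Authenticated Users' $UserRights $ThisFolderOnly))
    # Administrators, SYSTEM and CREATOR OWNER: Full Control on the root and everything under it. The
    # CREATOR OWNER entry is what gives each user Full Control of the folder Windows creates for them,
    # while administrators keep access instead of being locked out by exclusive rights.
    foreach ($principal in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER') {
        $acl.AddAccessRule((New-AccessRule $principal 'FullControl' $Subtree))
    }
    Set-Acl -LiteralPath $RootPath -AclObject $acl
}

function Test-RedirectionRootAcl {
    param([Parameter(Mandatory = $true)] [string] $RootPath)
    # Allow entries written through .NET always carry Synchronize, so tolerate that bit.
    $allowed = [int]$UserRights -bor [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $broad = 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    # Report any broad-principal Allow entry that grants more than the four rights, or that is
    # inheritable (and so would flow into every user's private folder).
    (Get-Acl -LiteralPath $RootPath).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        ( (([int]$_.FileSystemRights -band -bnot $allowed) -ne 0) -or
          ($_.InheritanceFlags -ne $ThisFolderOnly) )
    } | ForEach-Object {
        [pscustomobject]@{
            Identity  = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
            Inherits  = $_.InheritanceFlags
            Inherited = $_.IsInherited
        }
    }
}

# Usage (placeholder path):
# Set-RedirectionRootAcl  -RootPath 'D:\UserData'
# Test-RedirectionRootAcl -RootPath 'D:\UserData'   # no output means nothing broader than the Note allows
```

Run the audit against a root that was configured before this policy was settled; a common finding is an inherited Users: Read And Execute entry from the volume root, which lets every authenticated user list the names of everyone else's redirected folders.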
Managing Computer and User Scripts
So far in this chapter, we’ve talked about the many ways you can work with user profiles and data within profiles to optimize the user environment. Now let’s look at an additional technique for optimizing user environments that involves scripts. In Windows Server 2003, you can configure two types of scripts to help configure the desktop and user environment:
■ Computer scripts, which are run at startup or shutdown
■ User scripts, which are run at logon or logoff
Not only can you write these scripts as command-shell batch scripts ending with the .bat or .cmd extension, but you can also write them using the Windows Script Host (WSH). WSH is a feature of Windows Server 2003 that lets you use scripts written in a scripting language, such as Microsoft JScript (.js files) and Microsoft VBScript (.vbs files).
Working with Computer and User Scripts
Computer and user scripts can be used to perform just about any commonly run task. Startup and shutdown scripts can be used to perform any system-wide task, such as maintenance, backups, or virus checking. Logon and logoff scripts can be used to perform user-related tasks, such as launching applications, cleaning up temporary folders, setting up printers, or mapping network drives.
The three basic steps for using scripts with Group Policy are as follows:
1. Create the script, and save it with the appropriate file extension.
2. Copy the script you want to use to an accessible and appropriate folder so that it can be used with Group Policy.
3. Assign the script as a startup, shutdown, logon, or logoff script in Group Policy.
To run a startup or shutdown script, a computer must be in the site, domain, or OU linked to a GPO that contains the script. Similarly, to run a logon or logoff script, a user must be in the site, domain, or OU linked to a GPO that contains the script.
Most scripts are easy to create. For example, with command-shell batch scripts, you can connect users to shared printers and drives with the NET USE command. Let’s say that at logon you want to connect the user to a printer named CustSvcsPrntr on a print server called PrntSvr03. To do this, you type the following command in a Notepad file:
net use \\PrntSvr03\CustSvcsPrntr /persistent:yes
You then save the script with the .bat extension. Next you copy this file to an accessible folder so that it can be used with Group Policy and you assign it as a logon script. From then on, any user logging on to the affected site, domain, or OU can run the logon script and be connected to the printer.
Note
You don’t have to copy a script to a folder within Group Policy. However, scripts are more easily managed if you copy them to the appropriate folder in Group Policy and then assign them as the appropriate type of script.
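The one-line batch script above does its job, but when NET USE fails (print server down, a stale persistent mapping already holding the device name) the user simply has no printer and nobody learns why. The following logon script is an added example, not from the book: it does the same connections from PowerShell, checks each NET USE exit code and records the outcome in a log file. The printer and print server names are the chapter's; \\FileSvr01\Shared and drive X: are placeholders.

```powershell
# Added example (not from the book): logon script that maps a printer and a drive and records
# each NET USE result. Assumptions: PowerShell is available on the client; \\FileSvr01\Shared
# and X: are placeholders, PrntSvr03 / CustSvcsPrntr are the names used in this section.

$LogFile = Join-Path $env:TEMP 'logon-script.log'

function Connect-NetResource {
    param(
        [Parameter(Mandatory = $true)] [string] $RemotePath,   # \\server\share or \\server\printer
        [string] $DeviceName = ''                              # 'X:' for a drive letter; omit for a printer
    )
    # A logon script runs at every logon, so the connection is made non-persistent and any leftover
    # mapping on the same device name is removed first; otherwise NET USE fails with error 85
    # ("The local device name is already in use").
    if ($DeviceName) { & net.exe use $DeviceName /delete /y 2>&1 | Out-Null }
    $netArgs = @()
    if ($DeviceName) { $netArgs += $DeviceName }
    $netArgs += @($RemotePath, '/persistent:no')
    $output = & net.exe use @netArgs 2>&1
    $ok = ($LASTEXITCODE -eq 0)
    $status = if ($ok) { 'OK' } else { "FAIL(exit $LASTEXITCODE)" }
    $detail = (($output | Out-String) -replace '\s+', ' ').Trim()
    Add-Content -Path $LogFile -Value ('{0} {1} {2} {3}' -f (Get-Date -Format s), $status, $RemotePath, $detail)
    return $ok
}

# Connections made at logon; one failing does not stop the others.
$results = @(
    (Connect-NetResource -RemotePath '\\PrntSvr03\CustSvcsPrntr')
    (Connect-NetResource -RemotePath '\\FileSvr01\Shared' -DeviceName 'X:')
)
# Non-zero exit lets the script host record the failure; the log has the reason.
if ($results -contains $false) { exit 1 } else { exit 0 }
```

Save it with the .ps1 extension, copy it to the logon script folder as described above and assign it; the log under %TEMP% is what you ask the user for when a printer is "missing".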
Chapter 7: Managing User Settings and Data 283
Configuring Computer Startup and Shutdown Scripts
You can assign startup and shutdown scripts as part of a group policy. In this way, all
computers in a site, domain, or OU run the scripts automatically when they’re started
or shut down.
To configure a script that should be used during computer startup or shutdown,
follow these steps:
1. Copy the startup or shutdown script you want to use to a network share or other
folder that is easily accessible over the network.
2. Start the Group Policy Object Editor. In the Group Policy Management Console
(GPMC), right-click the GPO you want to modify and select Edit.
3. In the Computer Configuration node, double-click the Windows Settings folder,
and then click Scripts.
4. To work with startup scripts, right-click Startup, and then select Properties.
Or right-click Shutdown, and then select Properties to work with shutdown
scripts.
5. Any previously defined startup or shutdown scripts are listed in order of priority,
as shown in Figure 7-12. The topmost script has the highest priority. The
priority is important because by default startup and shutdown scripts do not all
run at the same time. Instead, they run one at a time (synchronously) in order
of priority.
Figure 7-12 A list of current startup or shutdown scripts by order of priority
6. To change the priority of an existing script, select the script in the Script For list,
and then click the Up or Down button as appropriate to change the priority order.
7. To change the parameters associated with a script, select the script in the Script
For list, and then click Edit. You can then change the script name and the
optional parameters to pass to the script.
8. To define an additional startup or shutdown script, click Add. This displays the
Add A Script dialog box (Figure 7-13). Click Browse, and in the Browse dialog
box, find the script you want to use and then click Open. The script is copied to
the Machine\Scripts\Startup or Machine\Scripts\Shutdown folder for the
related policy. By default, policies are stored by GUID in the %SystemRoot%\
Sysvol\Domain\Policies folder on domain controllers.
Figure 7-13 Specifying a script and defining optional parameters
9. To delete a script, select the script in the Script For list, and then click Remove.
Configuring User Logon and Logoff Scripts
You can assign logon and logoff scripts as part of a group policy. In this way, all
users in a site, domain, or OU run the scripts automatically when they’re logging on
or logging off.
To configure a script that should be used during logon or logoff, follow these steps:
1. Copy the logon or logoff script you want to use to a network share or other
folder that is easily accessible over the network.
2. Start the Group Policy Object Editor. In the GPMC, right-click the Group Policy
Object you want to modify, and then select Edit.
3. In the User Configuration node, double-click the Windows Settings folder, and
then click Scripts.
4. To work with logon scripts, right-click Logon, and then select Properties. Or
right-click Logoff, and then select Properties to work with logoff scripts.
5. Any previously defined logon or logoff scripts are listed in order of priority, as
shown in Figure 7-14. The topmost script has the highest priority. The priority is
important because logon and logoff scripts are started in order of priority by
default. Unlike startup and shutdown scripts, however, logon and logoff scripts
are not synchronized and can run simultaneously, so if you’ve configured
multiple logon or logoff scripts, they can all run at the same time.
Figure 7-14 Current logon or logoff scripts are listed in order of priority
6. To change the priority of an existing script, select the script in the Script For list,
and then click the Up or Down button as appropriate to change the order.
7. To change the parameters associated with a script, select the script in the Script
For list, and then click Edit. You can then change the script name and the
optional parameters to pass to the script.
8. To define an additional logon or logoff script, click Add. In the Add A Script dialog
box (Figure 7-15), click Browse. In the Browse dialog box, find the script you want
to use, and then click Open. The script is copied to the User\Scripts\Logon or
User\Scripts\Logoff folder for the related policy. By default, policies are stored by
GUID in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers.
Figure 7-15 Specifying a script and defining optional parameters
9. To delete a script, select the script in the Script For list, and then click Remove.
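An added example, not from the book, that reads the per-GPO scripts.ini file the Scripts extension keeps next to the copied scripts in the Machine\Scripts and User\Scripts folders described in the two procedures above, and lists every assigned startup, shutdown, logon and logoff script in priority order. It assumes the INI layout I know from those folders ([Startup]/[Shutdown] or [Logon]/[Logoff] sections with NCmdLine and NParameters keys, N being the priority position) and defaults to the local SYSVOL path on a domain controller.

```powershell
# Added example, not the book's code. Assumes the scripts.ini layout named in
# the lead-in; the default path is the local SYSVOL on a domain controller.
function Get-GpoScriptAssignment {
    param(
        # Run on a DC, or pass the \\domain\SYSVOL\...\Policies path instead.
        [string]$PoliciesPath = (Join-Path $env:SystemRoot 'Sysvol\Domain\Policies')
    )
    foreach ($gpoDir in Get-ChildItem -Path $PoliciesPath -Directory) {
        foreach ($side in 'Machine', 'User') {
            $ini = Join-Path $gpoDir.FullName "$side\Scripts\scripts.ini"
            if (-not (Test-Path $ini)) { continue }
            $section = ''
            $entries = @{}   # "section:index" -> fields of one script entry
            foreach ($raw in Get-Content -Path $ini) {
                $line = $raw.Trim()
                if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
                # Keys look like 0CmdLine=logon.bat and 0Parameters=/quiet;
                # the leading number is the position in the editor's list.
                if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
                    $key = "${section}:$($Matches[1])"
                    if (-not $entries.ContainsKey($key)) {
                        $entries[$key] = [ordered]@{
                            Gpo = $gpoDir.Name; Type = $section
                            Priority = [int]$Matches[1]; CmdLine = ''; Parameters = ''
                        }
                    }
                    $entries[$key][$Matches[2]] = $Matches[3]
                }
            }
            $rows = foreach ($e in $entries.Values) {
                $o = [pscustomobject]$e
                # Scripts added with Browse are copied into the GPO folder; a
                # command line pointing at another drive or a UNC path runs from
                # a location that is not replicated with the GPO and merits a look.
                $o | Add-Member -NotePropertyName External `
                        -NotePropertyValue ($e.CmdLine -match '^([A-Za-z]:\\|\\\\)') -PassThru
            }
            # Emit in the order the client runs them: lowest position first.
            $rows | Sort-Object Type, Priority
        }
    }
}

# Usage: Get-GpoScriptAssignment | Format-Table Gpo, Type, Priority, CmdLine, Parameters, External -AutoSize
```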
Controlling Script Visibility
When you configure and work with computer and user scripts, you should keep several
things in mind. Computer and user scripts are not visible to the user when they
run. This prevents users from canceling execution of the script and also ensures that
the actual tasks performed by the script are hidden.
You can make scripts visible to users when they are running by enabling the following
policy settings as appropriate:
■ Run Startup Scripts Visible under Computer Configuration\Administrative
Templates\System\Scripts.
■ Run Shutdown Scripts Visible under Computer Configuration\Administrative
Templates\System\Scripts.
■ Run Logon Scripts Visible under User Configuration\Administrative Templates\
System\Scripts.
■ Run Logoff Scripts Visible under User Configuration\Administrative Templates\
System\Scripts.
Controlling Script Timeout
By default, Windows limits the total time allowed for scripts to run to 10 minutes. If a
logon, logoff, startup, or shutdown script has not completed running after 10 minutes
(600 seconds), the system stops processing the script and records an error event in
the event logs.
You can modify the timeout interval by completing the following steps:
1. Access the GPO with which you want to work. Access Computer Configuration\
Administrative Templates\System\Scripts.
2. Double-click Maximum Wait Time For Group Policy Scripts, and then select
Enabled, as shown in Figure 7-16.
Figure 7-16 Configuring the wait time for computer and user scripts
3. In the Seconds combo box, specify the wait time to use in seconds. In the rare
case in which you want Windows to wait indefinitely for scripts to run, use a
value of 0.
Note
Think carefully about the wait time. It is extremely important in ensuring
that scripts run as expected. If you set the wait time too short, some tasks
might not be able to complete, which can cause problems. If you set the wait
time too long, the user might have to wait too long to get access to the system.
4. Click OK.
Controlling Script Execution and Run Technique
Computer and user scripts run in slightly different ways. By default, Windows coordinates
the running of scripts so that startup scripts run one at a time, in order of priority.
This means the system waits for each startup script to complete before it runs the next
startup script. If you want to allow startup scripts to run simultaneously, which might
allow startup to complete faster, you can enable Run Startup Scripts Asynchronously
under Computer Configuration\Administrative Templates\System\Scripts.
By default, logon and logoff scripts are not synchronized and can run simultaneously.
Thus, if you’ve configured multiple logon or logoff scripts, they all run at the same
time. This setting is designed to ensure that there is little or no delay in displaying the
desktop during logon or closing the desktop during logoff. If you’d rather ensure that
all logon scripts are complete before allowing users to access the desktop, you can
configure logon scripts to run synchronously (one at a time). To do this, enable Run
Logon Scripts Asynchronously under Computer Configuration\Administrative
Templates\System\Scripts or under User Configuration\Administrative Templates\
System\Scripts. By default, the setting in Computer Configuration has precedence
over the setting in User Configuration.
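To see how the timeout, visibility and synchronous/asynchronous policies from the preceding sections are applied on a given machine, this added example (not from the book) reads the registry values Group Policy writes for them. The value names and the meaning of their DWORD values are my reading of the Scripts administrative template and are assumptions to verify against the template in your environment; an absent value means Not Configured, so the default stated in the text applies.

```powershell
# Added example, not the book's code. Value names and meanings are assumed from
# the Scripts administrative template; $null means the policy is Not Configured.
$HklmPol = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$HkcuPol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-PolicyValue {
    # Returns the stored DWORD, or $null when the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-ScriptPolicyReport {
    # One entry per policy: hive, value name, and a scriptblock that turns the
    # stored value into the resulting behaviour, with the text's defaults.
    $checks = @(
        @{ Policy = 'Maximum wait time for scripts';        Path = $HklmPol; Name = 'MaxGPOScriptWait'
           Show = { param($v) if ($null -eq $v) { '600 s (default)' } elseif ($v -eq 0) { 'wait indefinitely' } else { "$v s" } } }
        @{ Policy = 'Startup scripts run';                  Path = $HklmPol; Name = 'RunStartupScriptSync'
           Show = { param($v) if ($v -eq 0) { 'asynchronously' } else { 'synchronously (default)' } } }
        @{ Policy = 'Logon scripts run (Computer Config.)'; Path = $HklmPol; Name = 'RunLogonScriptSync'
           Show = { param($v) if ($v -eq 1) { 'synchronously' } else { 'asynchronously (default)' } } }
        @{ Policy = 'Logon scripts run (User Config.)';     Path = $HkcuPol; Name = 'RunLogonScriptSync'
           Show = { param($v) if ($v -eq 1) { 'synchronously' } else { 'asynchronously (default)' } } }
        @{ Policy = 'Startup scripts';                      Path = $HklmPol; Name = 'HideStartupScripts'
           Show = { param($v) if ($v -eq 0) { 'visible' } else { 'hidden (default)' } } }
        @{ Policy = 'Shutdown scripts';                     Path = $HklmPol; Name = 'HideShutdownScripts'
           Show = { param($v) if ($v -eq 0) { 'visible' } else { 'hidden (default)' } } }
        @{ Policy = 'Logon scripts';                        Path = $HkcuPol; Name = 'HideLogonScripts'
           Show = { param($v) if ($v -eq 0) { 'visible' } else { 'hidden (default)' } } }
        @{ Policy = 'Logoff scripts';                       Path = $HkcuPol; Name = 'HideLogoffScripts'
           Show = { param($v) if ($v -eq 0) { 'visible' } else { 'hidden (default)' } } }
    )
    foreach ($c in $checks) {
        $v = Get-PolicyValue -Path $c.Path -Name $c.Name
        $stored = if ($null -eq $v) { 'Not Configured' } else { $v }
        [pscustomobject]@{ Policy = $c.Policy; Value = $c.Name; Stored = $stored; Effective = (& $c.Show $v) }
    }
}

Get-ScriptPolicyReport | Format-Table -AutoSize
```

Run it under the user whose logon settings you want to inspect, since the HKCU entries are per user.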
Summary
As you’ve seen in this chapter, you can manage user settings and data in many ways.
Through the use of roaming profiles, you can ensure that users have access to their
global settings and essential data from anywhere on the network. Not only does this
ensure that a user’s desktop has a consistent look and feel regardless of the computer
he is using, but it also ensures that he can access his My Documents folder, user-specific
application data, and desktop settings.
A key drawback of a roaming profile is that a user’s data is moved across the network
at logon and logoff. You can reduce network traffic during logon and logoff and speed
up logon and logoff by using folder redirection. Redirected folders allow for seamless
redirection of folders and data that would otherwise be a part of a user’s profile,
including the Application Data, My Documents, Start Menu, and Desktop folders.
Because folders are redirected to a network share, administrators get centralized
management and better control over user data, which in turn makes the data easier
to back up and restore. Through policy, you can optimize the way profiles are used in
many ways.
Windows Server 2003 also allows you to configure two types of scripts to help configure
the desktop and user environment: computer scripts, which are run at startup or
shutdown, and user scripts, which are run at logon or logoff. Computer and user
scripts are also defined in policy.
Chapter 8
Maintaining Internet Explorer Configurations
In this chapter:
Customizing the Internet Explorer Interface. . . . . . . . . . . . . . . . . . . . . . . . 290
Customizing URLs, Favorites, and Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuring Global Default Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Optimizing Connection and Proxy Settings . . . . . . . . . . . . . . . . . . . . . . . . 301
Enhancing Internet Explorer Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Configuring Additional Policies for Internet Options . . . . . . . . . . . . . . . . 313
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Microsoft® Internet Explorer is a highly configurable browser. Through Group Policy,
you can optimize just about every aspect of Internet Explorer configuration to
improve the user experience, gain more control over security and privacy, and make
your job as an administrator easier. Not only can you customize the general look and
feel of the browser for your environment, but you can also dig deep into its internal
configuration to specify exactly how to handle connections, proxies, cookies, add-ons,
and many other aspects of security.
Related Information
■ For more information on Attachment Manager and other Microsoft Windows®
components, see Chapter 6.
■ For more information on kiosks and other types of custom environments, see
Chapter 12.
Customizing the Internet Explorer Interface
The first area of Internet Explorer customization we’ll look at is the browser interface.
You can add custom titles to the title bar, define custom logos that replace the Internet
Explorer logo, and create custom toolbars that replace the existing toolbar.
Customizing the Title Bar Text
Using the Browser Title policy, you can customize the text that appears in the title bar
of Internet Explorer. By default, the title bar displays the title of the current page
and the name of the browser, such as “Corporate Home Page—Microsoft Internet
Explorer.” When you add a custom title, you can add “provided by” details that list
your organization, as in “Corporate Home Page—Microsoft Internet Explorer
provided by City Power & Light.”
Note
Using a custom title is a subtle way to remind employees that they are using
a business resource and not a personal resource. The custom title also appears in
Microsoft Outlook® Express if this application is installed and used in your organization.
You can add a custom title to Internet Explorer by completing the following steps:
1. Access User Configuration\Windows Settings\Internet Explorer Maintenance\
Browser User Interface in Group Policy, and then double-click Browser Title.
This displays the Browser Title dialog box, shown in Figure 8-1.
Figure 8-1 Specifying a custom title
2. Select Customize Title Bars, and then type the custom title in the Title Bar Text box.
3. Click OK.
Customizing Logos
Using the Custom Logo policy, you can replace the standard Internet Explorer logos
with ones specifically created for your organization. This can serve to brand the
browser for your organization as well as subtly remind employees that they are using
a business resource and not a personal resource. One of two standard logos is displayed
in the upper-right corner in Internet Explorer:
■ Static logo Displayed when the browser isn’t performing an action
■ Animated logo Displayed when the browser is downloading pages or performing
other actions
The logos must adhere to exact specifications, so you should ideally work with your
organization’s art department to create the necessary image files. You need two versions
of each logo: one that is 22 × 22 pixels and one that is 38 × 38 pixels. The logos must
be saved as bitmap images and use either 256 or 16 colors. Images in 256 colors
should be indexed to the Windows halftone palette; 16-color images should be
indexed to the 16-color Windows palette. The animated bitmap should consist of
numbered bitmaps that are vertically stacked into one bitmap. The first bitmap
appears static when no action is taking place, and the remaining bitmaps appear in
sequence when the browser is in use, producing the animation effect.
Note
In the Internet Explorer Administration Kit (IEAK), you’ll find two tools that
can help you with the logos. The first is the Animated Bitmap Creator (Makebmp.exe),
which you can use to create the animated logo. The second is the Animated Bitmap
Previewer (Animbmp.exe), which you can use to test the animated logo to make
sure it is displayed as expected. The IEAK is available for download from http://
www.microsoft.com/windows/ieak/downloads/default.mspx.
Tip When you finish creating the image files, you should test the files on your local
system before using Group Policy to update computers in a specific site, domain, or
organizational unit (OU). Once you tell Group Policy about the logo files, the files
become part of Group Policy and are stored within Group Policy. Because the files are
imported before use, they don’t need to reside on the local computer initially. In fact,
it might be best to put the logos on a network drive so that you can test them locally
and then incorporate them into Group Policy using the same file paths.
You can add custom logos to Internet Explorer by completing the following steps:
1. Access User Configuration\Windows Settings\Internet Explorer Maintenance\
Browser User Interface in Group Policy, and then double-click Custom Logo.
This displays the Custom Logo dialog box, shown in Figure 8-2.
Figure 8-2 The Custom Logo dialog box
2. If you want to set a static logo, select Customize The Static Logo Bitmaps. In the
Small (22 × 22) Bitmap box, type the path to the small logo that you want to use
or click Browse to find the image you want to use. In the Large (38 × 38) Bitmap
box, type the path to the large logo you want to use or click Browse to find the
image you want to use.
Note
The images must be exactly sized or they won’t be imported into Group
Policy. If you see a warning message that says the specified bitmap is too large,
you must select a different logo file.
If you want to set an animated logo, select Customize The Animated Bitmaps. In
the Small (22 × 22) Bitmap box, type the path to the small animated logo you want
to use or click Browse to find the image you want to use. In the Large (38 × 38)
Bitmap box, type the path to the large animated logo you want to use or click
Browse to find the image you want to use.
3. Click OK. The logo files are imported and stored in Group Policy.
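An added example, not from the book, that checks candidate logo files against the rules given above (bitmap format, 16 or 256 colors, 22 × 22 or 38 × 38 frames, animated frames stacked vertically) by reading the BMP file header and BITMAPINFOHEADER fields. It assumes that a vertically stacked animated bitmap has a height that is a whole multiple of its width and does not verify palette indexing; the file paths in the usage comment are constructed.

```powershell
# Added example, not the book's code. Checks header fields only; palette
# indexing (halftone vs. 16-color Windows palette) is not verified.
function Test-IeLogoBitmap {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Animated   # omit for a static logo
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # 14-byte file header ('BM' + sizes) followed by a 40-byte BITMAPINFOHEADER
    if ($bytes.Length -lt 54 -or $bytes[0] -ne 0x42 -or $bytes[1] -ne 0x4D) {
        return [pscustomobject]@{ Path = $Path; Valid = $false; Problems = @('not a BMP file') }
    }
    $width       = [BitConverter]::ToInt32($bytes, 18)
    $height      = [Math]::Abs([BitConverter]::ToInt32($bytes, 22))  # negative = top-down rows
    $bpp         = [BitConverter]::ToUInt16($bytes, 28)
    $compression = [BitConverter]::ToUInt32($bytes, 30)

    if ($bpp -ne 4 -and $bpp -ne 8) {
        $problems.Add("bit depth $bpp; expected 4 (16 colors) or 8 (256 colors)")
    }
    if ($compression -ne 0) {
        $problems.Add("compressed bitmap (type $compression); save it uncompressed")
    }
    if ($width -ne 22 -and $width -ne 38) {
        $problems.Add("width $width; expected 22 or 38")
    }
    if ($Animated) {
        # Frames are stacked vertically, so the height must hold at least two
        # square frames of the logo size (assumption stated in the lead-in).
        if ($width -le 0 -or $height -lt 2 * $width -or ($height % $width) -ne 0) {
            $problems.Add("height $height is not a stack of two or more ${width}x${width} frames")
        }
    } elseif ($height -ne $width) {
        $problems.Add("height $height; a static logo must be ${width}x${width}")
    }
    $frames = if ($width -gt 0) { [Math]::Floor($height / $width) } else { 0 }
    [pscustomobject]@{
        Path = $Path; Width = $width; Height = $height; BitsPerPixel = $bpp
        Frames = $frames; Valid = ($problems.Count -eq 0); Problems = $problems.ToArray()
    }
}

# Usage (constructed paths): check all four files before entering them in the Custom Logo dialog.
# 'C:\logos\static22.bmp', 'C:\logos\static38.bmp' | ForEach-Object { Test-IeLogoBitmap -Path $_ }
# 'C:\logos\anim22.bmp', 'C:\logos\anim38.bmp' | ForEach-Object { Test-IeLogoBitmap -Path $_ -Animated }
```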
Customizing Buttons and Toolbars
The Internet Explorer toolbar is completely customizable; you can add new buttons to
the toolbar to launch applications, run scripts, and perform other tasks. Custom
toolbar buttons have four required components:
■ Toolbar caption The ToolTip text to display when the pointer is over the
button.