Microsoft Windows XP Professional: Administrator's Pocket Consultant by William R.  Stanek

From Barnes & Noble

The Barnes & Noble Review
Whether you're upgrading your entire enterprise or simply buying new PCs on an ad hoc basis, Windows XP Professional is coming into your enterprise. If you're responsible for supporting or administering it, this handy pocket guide offers you more useful answers per ounce than any other book we've seen. It's especially strong on XP's new administrative features, and those really important tasks (like setting up desktop VPN connections) that you won't do often enough to memorize on your own.

The book's organized into four sections: essentials, core administration, networking, and optimization/recovery. In 350 pages, it manages to be remarkably complete. Want to use Windows XP's new Remote Assistance feature to resolve users' problems without leaving your computer? Prohibit users from setting up Internet Connection Sharing on your DNS domain? Set a new home page for all your users at once? Place custom content on each user's desktop? Use System Restore across a network? Lock the taskbar, so it can't be moved or lost? William B. Stanek walks you through all these tasks, and more.

We could go on. Setting disk quotas. Managing security zones. Using notebook power schemes. Rolling back troublesome driver versions. Checking the status of a LAN connection. Configuring the synchronization of offline files. If you need to do it as a manager or support professional, there's no faster way to find out how. (Bill Camarda)

Bill Camarda is a consultant, writer, and web/multimedia content developer with nearly 20 years' experience in helping technology companies deploy and market advanced software, computing, and networking products and services. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.

From the Publisher

The practical, portable guide to Windows® XP Professional!

Whether you support 50 desktops or 5000, this indispensable guide provides fast answers for the day-to-day administration of the Windows® XP Professional operating system. This pocket-sized resource zeroes in on essential desktop support issues and procedures—delivering critical details through quick-reference tables, step-by-step instructions, and lists. It's the precise information you need to solve problems and get the job done—whether you're at your desk or in the field!

Get fast facts to:

• Manage and troubleshoot system configuration
• Configure hardware and network devices
• Customize desktop settings and optimize the user workspace
• Control system access through user and group accounts
• Support laptops and mobile users
• Enable remote access—from dial-up to wireless
• Configure offline files and disk quotas
• Use Group Policy to customize Internet settings
• Schedule routine maintenance and backups
• Resolve system problems and optimize performance

Product Details

• Table of Contents
• Read an Excerpt
• Read a Sample Chapter

Table of Contents

Read an Excerpt

Chapter 8: Configuring User and Computer Policies

• Group Policy Essentials
• Understanding Policy Application
• Accessing and Using Local Group Policies
• Accessing and Using Site, Domain, and Unit Policies
• Using the Group Policy Console
• Configuring Policies
• Viewing Policies and Templates
• Enabling, Disabling, and Configuring Policies
• Adding or Removing Templates
• Working with File and Data Management Policies
• Configuring Disk Quota Policies
• Configuring System Restore Policies
• Configuring Offline File Policies
• Working with Access and Connectivity Policies
• Configuring Network Policies
• Configuring Remote Assistance Policies
• Working with Computer and User Script Policies
• Controlling Script Behavior Through Policy
• Assigning Computer Startup and Shutdown Scripts
• Assigning User Logon and Logoff Scripts
• Working with Logon and Startup Policies
• Hiding the Welcome Screen
• Using Classic Logon vs. Simple Logon
• Setting Policy-Based Startup Programs
• Disabling Run Lists Through Policy

Chapter 8   Configuring User and Computer Policies

In this chapter, you’ll learn how to manage group policy settings. The chapter examines policies that you might want to configure in the domain and on local computers. These policies are organized by topic area, such as file and data management. Group policies apply only to systems running Microsoft Windows 2000 and Microsoft Windows XP. (In this book, "Windows XP" refers to Windows XP Professional unless otherwise indicated.) They will also apply to systems running the Windows .NET operating system.

Group Policy Essentials

Understanding Policy Application

When multiple policies are in place, they are applied in the following order:

1. Microsoft Windows NT 4 policies (NTCONFIG.POL)
2. Local group policies
3. Site group policies
4. Domain group policies
5. Organizational unit (OU) group policies
6. Child OU group policies

If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that allow administrators to block, overview, and disable policies.

The events that take place during startup and logon are as follows:

1. The network starts and then Windows XP applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
2. Windows XP runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn’t displayed to the user unless specified.
3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows XP loads the user profile.
4. Windows XP applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
5. Windows XP runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn’t displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.
6. Windows XP displays the start shell interface configured in Group Policy.

Accessing and Using Local Group Policies

You access and use local policies on a computer by completing the following steps:

1. Open the Run dialog box by clicking Start and then clicking Run.
2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
3. In MMC, click File, and then click Add/Remove Snap-in. This opens the Add/Remove Snap-In dialog box.
4. Click the Stand-Alone tab, and then click Add.
5. In the Add Snap-In dialog box, select Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.
6. Select Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.
7. Click Finish, and then click Close.
8. Click OK. You can now manage the local policy on the selected computer. For more details, see the section of the chapter entitled "Configuring Policies."

Accessing and Using Site, Domain, and Unit Policies

You access and use site, domain, and OU policies by completing the following steps:

1. For sites, open the Active Directory Sites and Services console and start the Group Policy snap-in.
2. For domains and OUs, open the Active Directory Users and Computers console and start the Group Policy snap-in.
3. In the left pane, right-click the site, domain, or OU for which you want to create or manage a group policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.
4. In the Properties dialog box, click the Group Policy tab. To create a new policy or edit an existing policy, click New. Then you can configure the new policy.
5. To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the section of this chapter entitled "Configuring Policies."
6. To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.

Using the Group Policy Console

• Computer Configuration  Allows you to set policies that should be applied to computers, regardless of who logs on
• User Configuration  Allows you to set policies that should be applied to users, regardless of which computer they log on to

---

NOTE:
Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers the user might use, you must use domain, site, or OU group policies.

---

Figure 8-1. Group Policy options depend on the type of policy you’re creating and the add-ons installed. (Image Unavailable)

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you’re creating. You’ll usually find that both nodes have subnodes for the following:

• Software Settings  Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.
• Windows Settings  Sets policies for folder redirection, scripts, and security.
• Administrative Templates  Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.

Configuring Policies

Viewing Policies and Templates

Figure 8-2. User and computer policies are set through administrative templates. (Image Unavailable)

Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE and user configurations are saved in HKEY_CURRENT_USER. The best way to get to know what administrative template policies are available is to browse the Administrative Templates node in the Group Policy console. As you browse the templates, you’ll find that policies are in one of three states:

• Not Configured  The policy isn’t used and no settings for it are saved in the registry.
• Enabled  The policy is actively being enforced and its settings are saved in the registry.
• Disabled  The policy is turned off and isn’t enforced unless overridden. This setting is saved in the registry.

Enabling, Disabling, and Configuring Policies

You can enable, disable, and configure policies by completing the following steps:

1. Access the Group Policy console for the resource you want to work with. Then in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set, access the Administrative Templates folder.
2. In the left pane, click the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.
3. Double-click or right-click a policy and select Properties to display its related Properties dialog box.
4. Click the Explain tab to see a description of the policy. A description is only available if one is defined in the related .adm file.
5. To set the policy’s state, click the Policy tab and then use the following buttons to change the state of the policy:
• Not Configured  The policy is not configured.
• Enabled  The policy is enabled.
• Disabled  The policy is disabled.

6. If you enabled the policy, set any additional parameters specified in the Policy tab, and then click Apply.
7. Use the Previous Policy and Next Policy buttons to manage other policies in the current folder. Then configure them in the same way.
8. Click OK when you’re finished managing policies.

Adding or Removing Templates

1. Access the Group Policy console for the site, domain, or OU you want to work with.
2. In the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove, right-click the Administrative Templates folder. This displays the Add/Remove Templates dialog box shown in Figure 8-3.

Figure 8-3. Use the Add/Remove Templates dialog box to add more templates or remove existing ones. (Image Unavailable)

3. To add new templates, click Add. Then, in the Policy Templates dialog box, select the template you want to add and click Open.
4. To remove an existing template, select the template to remove, and then click Remove.
5. When you’re finished adding and removing templates, click Close.

Working with File and Data Management Policies

Configuring Disk Quota Policies

Table 8-1.   Disk Quota Policies

Policy Name	Description
Enable Disk Quotas	Turns disk quotas on or off for all NT file system (NTFS) volumes of the computer and prevents users from changing the setting.
Enforce Disk Quota Limit	Specifies whether quota limits are enforced. If quotas are enforced, users are denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume.
Default Quota Limit And Warning Level	Sets a default quota limit and warning level for all users. This setting overrides other settings and only affects new users.
Log Event When Quota Limit Exceeded	Determines whether an event is logged when users reach their limit and prevents users from changing their logging options.
Log Event When Quota Warning Level Exceeded	Determines whether an event is logged when users reach the warning level.
Apply Policy To Removable Media	Determines whether quota policies apply to NTFS volumes on removable media. If you do not enable this policy, quota limits only apply to fixed media drives.

Whenever you work with quota limits, you’ll want to use a standard set of policies on all systems. Typically, you won’t want to enable all of the policies. Instead, selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:

1. Access Group Policy for the system you want to work with, such as a file server. Next, access the Disk Quotas node through Computer Configuration\Administrative Templates\System\Disk Quotas.
2. Double-click Enable Disk Quotas. In the Setting tab, select Enabled and then click Next Setting. This displays the Enforce Disk Quota Limit Properties dialog box.
3. If you want to enforce disk quotas on all NTFS volumes residing on this computer, select Enabled. Otherwise, select Disabled and then set specific limits on a per-volume basis as discussed in Chapter 9, "Configuring Folder Options, Offline Files, and Quotas."
4. Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box shown in Figure 8-4. Select Enabled....

Read a Sample Chapter

• Group Policy Essentials
• Understanding Policy Application
• Accessing and Using Local Group Policies
• Accessing and Using Site, Domain, and Unit Policies
• Using the Group Policy Console
• Configuring Policies
• Viewing Policies and Templates
• Enabling, Disabling, and Configuring Policies
• Adding or Removing Templates
• Working with File and Data Management Policies
• Configuring Disk Quota Policies
• Configuring System Restore Policies
• Configuring Offline File Policies
• Working with Access and Connectivity Policies
• Configuring Network Policies
• Configuring Remote Assistance Policies
• Working with Computer and User Script Policies
• Controlling Script Behavior Through Policy
• Assigning Computer Startup and Shutdown Scripts
• Assigning User Logon and Logoff Scripts
• Working with Logon and Startup Policies
• Hiding the Welcome Screen
• Using Classic Logon vs. Simple Logon
• Setting Policy-Based Startup Programs
• Disabling Run Lists Through Policy

Group policies simplify administration by giving administrators central control over privileges, permissions, and capabilities of both users and computers. You can think of a group policy as a set of rules that helps you manage users and computers. Group policies can be applied to multiple domains, to individual domains, to subgroups within a domain, or to individual systems. Policies that apply to individual systems are referred to as local group policies and are stored on the local system only. Other group policies are linked as objects in the Active Directory service.

In this chapter, you'll learn how to manage group policy settings. The chapter examines policies that you might want to configure in the domain and on local computers. These policies are organized by topic area, such as file and data management. Group policies apply only to systems running Microsoft Windows 2000 and Microsoft Windows XP. (In this book, "Windows XP" refers to Windows XP Professional unless otherwise indicated.) They will also apply to systems running the Windows .NET operating system.

Group Policy Essentials

Careful management of policies is essential to proper operations. Policy settings are divided into two broad categories: those that apply to computers and those that apply to users. Computer policies are normally applied during system startup, and user policies are normally applied during logon.

Understanding Policy Application

During logon, policies are applied in an exact sequence, which is often important in troubleshooting system behavior.

When multiple policies are in place, they are applied in the following order:

1. Microsoft Windows NT 4 policies (NTCONFIG.POL)
2. Local group policies
3. Site group policies
4. Domain group policies
5. Organizational unit (OU) group policies
6. Child OU group policies

If there are conflicts among the policy settings, settings applied later take precedence and overwrite previous policy settings. For example, OU policies take precedence over domain group policies. As you might expect, there are exceptions to the precedence rule that allow administrators to block, overview, and disable policies.

The events that take place during startup and logon are as follows:

1. The network starts and then Windows XP applies computer policies. By default, the computer policies are applied one at a time in the previously specified order. No user interface is displayed while computer policies are being processed.
2. Windows XP runs startup scripts. By default, startup scripts are executed one at a time, with each completing or timing out before the next starts. Script execution isn't displayed to the user unless specified.
3. A user presses Ctrl+Alt+Del to log on. After the user is validated, Windows XP loads the user profile.
4. Windows XP applies user policies. By default, the policies are applied one at a time in the previously specified order. The user interface is displayed while user policies are being processed.
5. Windows XP runs logon scripts. Group policy logon scripts are executed simultaneously by default. Script execution isn't displayed to the user unless specified. Scripts in the Netlogon share are run last in a normal command-shell window.
6. Windows XP displays the start shell interface configured in Group Policy.

Accessing and Using Local Group Policies

Each computer running Windows XP has one local group policy stored in its %SystemRoot%\System32\GroupPolicy folder. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use local policies on a computer by completing the following steps:

1. Open the Run dialog box by clicking Start and then clicking Run.
2. Type mmc in the Open field and then click OK. This opens the Microsoft Management Console (MMC).
3. In MMC, click File, and then click Add/Remove Snap-in. This opens the Add/Remove Snap-In dialog box.
4. Click the Stand-Alone tab, and then click Add.
5. In the Add Snap-In dialog box, select Group Policy, and then click Add. This opens the Select Group Policy Object dialog box.
6. Select Local Computer to edit the local policy on your computer or browse to find the local policy on another computer.
7. Click Finish, and then click Close.
8. Click OK. You can now manage the local policy on the selected computer. For more details, see the section of the chapter entitled "Configuring Policies."

Accessing and Using Site, Domain, and Unit Policies

Each site, domain, and OU can have one or more group policies. Group policies higher in the Group Policy list have a higher precedence than policies lower in the list. Group policies set at this level are associated with Active Directory. This ensures that site policies get applied appropriately throughout the related domains and OUs. Site, domain, and OU group policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers. In this folder you'll find one subfolder for each policy you've defined on the domain controller. You shouldn't edit these folders and files directly. Instead, you should use the appropriate features of the Group Policy console.

You access and use site, domain, and OU policies by completing the following steps:

1. For sites, open the Active Directory Sites and Services console and start the Group Policy snap-in.
2. For domains and OUs, open the Active Directory Users and Computers console and start the Group Policy snap-in.
3. In the left pane, right-click the site, domain, or OU for which you want to create or manage a group policy. Then select Properties on the shortcut menu, which opens the Properties dialog box.
4. In the Properties dialog box, click the Group Policy tab. To create a new policy or edit an existing policy, click New. Then you can configure the new policy.
5. To edit an existing policy, select the policy and then click Edit. Then you can edit the policy. For more details, see the section of this chapter entitled "Configuring Policies."
6. To change the priority of a policy, use the Up or Down buttons to change its position in the Group Policy Object Links list.

Using the Group Policy Console

Once you've selected a policy for editing or created a new policy, you use the Group Policy console to work with group policies. As Figure 8-1 shows, the Group Policy console has two main nodes:

• Computer Configuration  Allows you to set policies that should be applied to computers, regardless of who logs on
• User Configuration  Allows you to set policies that should be applied to users, regardless of which computer they log on to

---

NOTE:
Keep in mind that user configuration options set through local group policies apply only to computers on which the options are configured. If you want the options to apply to all computers the user might use, you must use domain, site, or OU group policies.

---

Figure 8-1. Group Policy options depend on the type of policy you're creating and the add-ons installed. (Image Unavailable)

The exact configuration of Computer Configuration and User Configuration depends on the add-ons installed and which type of policy you're creating. You'll usually find that both nodes have subnodes for the following:

• Software Settings  Sets policies for software settings and software installation. When you install software, subnodes may be added to Software Settings.
• Windows Settings  Sets policies for folder redirection, scripts, and security.
• Administrative Templates  Sets policies for the operating system, Windows components, and programs. These policies, examined later in this chapter, apply specifically to users and computers.

Configuring Policies

When you want to manage users and computers, you'll want to configure the administrative template policies. These policies provide easy access to registry-based policy settings that control the operating system, Windows components, and programs.

Viewing Policies and Templates

As shown in Figure 8-2, you can view the currently configured templates in the Group Policy console's Administrative Templates node, which contains policies that can be configured for local systems, OUs, domains, and sites. Different sets of templates are found under Computer Configuration and User Configuration. You can add additional templates containing new policies manually in the Group Policy console and when you install new Windows components.

Figure 8-2. User and computer policies are set through administrative templates. (Image Unavailable)

Any changes you make to policies available through the administrative templates are saved in the registry. Computer configurations are saved in HKEY_LOCAL_MACHINE and user configurations are saved in HKEY_CURRENT_USER. The best way to get to know what administrative template policies are available is to browse the Administrative Templates node in the Group Policy console. As you browse the templates, you'll find that policies are in one of three states:

• Not Configured  The policy isn't used and no settings for it are saved in the registry.
• Enabled  The policy is actively being enforced and its settings are saved in the registry.
• Disabled  The policy is turned off and isn't enforced unless overridden. This setting is saved in the registry.

Enabling, Disabling, and Configuring Policies

In the Group Policy console, you'll find administrative templates in two nodes: Computer Configuration and User Configuration. In most cases, the policies in these areas don't overlap or cause conflict. If there is a conflict, however, computer policies have precedence, which means that the computer policy is the one that is enforced. You'll find details on commonly used policies and how you can employ them later in this chapter.

You can enable, disable, and configure policies by completing the following steps:

1. Access the Group Policy console for the resource you want to work with. Then in the Computer Configuration or User Configuration node, whichever is appropriate for the type of policy you want to set, access the Administrative Templates folder.
2. In the left pane, click the subfolder containing the policies you want to work with. The related policies are then displayed in the right pane.
3. Double-click or right-click a policy and select Properties to display its related Properties dialog box.
4. Click the Explain tab to see a description of the policy. A description is only available if one is defined in the related .adm file.
5. To set the policy's state, click the Policy tab and then use the following buttons to change the state of the policy:
• Not Configured  The policy is not configured.
• Enabled  The policy is enabled.
• Disabled  The policy is disabled.

6. If you enabled the policy, set any additional parameters specified in the Policy tab, and then click Apply.
7. Use the Previous Policy and Next Policy buttons to manage other policies in the current folder. Then configure them in the same way.
8. Click OK when you're finished managing policies.

Adding or Removing Templates

You can add or remove template folders in the Group Policy console. To do this, complete the following steps:

1. Access the Group Policy console for the site, domain, or OU you want to work with.
2. In the Computer Configuration or User Configuration node, whichever is appropriate for the type of template you want to add or remove, right-click the Administrative Templates folder. This displays the Add/Remove Templates dialog box shown in Figure 8-3.

Figure 8-3. Use the Add/Remove Templates dialog box to add more templates or remove existing ones. (Image Unavailable)

3. To add new templates, click Add. Then, in the Policy Templates dialog box, select the template you want to add and click Open.
4. To remove an existing template, select the template to remove, and then click Remove.
5. When you're finished adding and removing templates, click Close.

Working with File and Data Management Policies

Every system administrator should be familiar with file and data management policies, which affect the amount of data a user can store on systems, how offline files are used, and whether the System Restore feature is enabled.

Configuring Disk Quota Policies

Policies that control disk quotas are applied at the system level. You access these policies through Computer Configuration\Administrative Templates\System\Disk Quotas. The available policies are summarized in Table 8-1.

Table 8-1.   Disk Quota Policies

Policy Name	Description
Enable Disk Quotas	Turns disk quotas on or off for all NT file system (NTFS) volumes of the computer and prevents users from changing the setting.
Enforce Disk Quota Limit	Specifies whether quota limits are enforced. If quotas are enforced, users are denied disk space if they exceed the quota. This overrides settings in the Quota tab on the NTFS volume.
Default Quota Limit And Warning Level	Sets a default quota limit and warning level for all users. This setting overrides other settings and only affects new users.
Log Event When Quota Limit Exceeded	Determines whether an event is logged when users reach their limit and prevents users from changing their logging options.
Log Event When Quota Warning Level Exceeded	Determines whether an event is logged when users reach the warning level.
Apply Policy To Removable Media	Determines whether quota policies apply to NTFS volumes on removable media. If you do not enable this policy, quota limits only apply to fixed media drives.

Whenever you work with quota limits, you'll want to use a standard set of policies on all systems. Typically, you won't want to enable all of the policies. Instead, selectively enable policies and then use the standard NTFS features to control quotas on various volumes. If you want to enable quota limits, use the following technique:

1. Access Group Policy for the system you want to work with, such as a file server. Next, access the Disk Quotas node through Computer Configuration\Administrative Templates\System\Disk Quotas.
2. Double-click Enable Disk Quotas. In the Setting tab, select Enabled and then click Next Setting. This displays the Enforce Disk Quota Limit Properties dialog box.
3. If you want to enforce disk quotas on all NTFS volumes residing on this computer, select Enabled. Otherwise, select Disabled and then set specific limits on a per-volume basis as discussed in Chapter 9, "Configuring Folder Options, Offline Files, and Quotas."
4. Click Next Setting. This displays the Default Quota Limit And Warning Level Properties dialog box shown in Figure 8-4. Select Enabled.

Figure 8-4. Use the Default Quota Limit And Warning Level Properties dialog box to enforce disk quotas. (Image Unavailable)

5. Under Default Quota Limit, set a default limit that is applied to users when they first write to the quota-enabled volume. The limit does not apply to current users and doesn't affect current limits. On a corporate share, such as a share used by all members of a team, a good limit is between 500 and 1000 MB. Of course, this depends on the size of the data files the users routinely work with. Graphic designers and data engineers, for example, might need much more disk space.
6. If you scroll down in the subwindow provided in the Setting tab, you'll be able to set a warning limit as well. A good warning limit is about 90 per-cent of the default quota limit, meaning if you set the default quota limit to 1000 MB, you'd set the warning limit to 900 MB.
7. Click Next Setting. This displays the Log Event When Quota Limit Exceeded Properties dialog box. Select Enabled so that limit events are recorded in the application log.
8. Click Next Setting. This displays the Log Event When Quota Warning Exceeded Properties dialog box. Select Enabled so that warning events are recorded in the application log.
9. Click Next Setting. This displays the Apply Policy To Removable Media Properties dialog box. Select Disabled so that the quota limits only apply to fixed media volumes on the computer.
10. Click OK.

---

TIP:
To ensure that the policies are enforced immediately, access the Computer Configuration\Administrative Templates\System\Group Policy node and then double-click Disk Quota Policy Processing. Next, select Enabled and then select Process Even If The Group Policy Objects Have Not Changed. Click OK.

---

Configuring System Restore Policies

System Restore is designed to save the state of system volumes and enable users to restore a system in the event of a problem. It is a helpful feature for the average user, but it can use a tremendous amount of disk space. As you learned in Chapter 2, "Configuring the Environment," you can turn System Restore off for individual drives or for all drives on a computer.

In the Group Policy console, you'll find the System Restore policies under Computer Configuration\Administrative Templates\System\System Restore. Through System Restore policies, you can override and disable management of this feature. The following policies are available:

• Turn Off System Restore  If you enable this policy, System Restore is turned off and can't be managed using the System utility or the System Restore Wizard. If you disable this policy, System Restore is enforced and cannot be turned off.
• Turn Off Configuration  If you enable this policy, you prevent configuration of the System Restore feature. Users can't access the Settings dialog box but can still turn off System Restore. If you disable this policy, users can access the Settings dialog box but can't manipulate it, and they can still turn off System Restore.

To configure system restore policies, follow these steps:

1. Access Group Policy for the system you want to work with. Next, access the System Restore node by expanding Computer Configuration\Administrative Templates\System\System Restore.
2. To enable or disable System Restore, double-click Turn Off System Restore. In the Setting tab, select either Enabled or Disabled as appropriate. Click OK.
3. To enable or disable configuration of System Restore, double-click Turn Off Configuration. In the Setting tab, select either Enabled or Disabled as appropriate. Click OK.

Configuring Offline File Policies

Offline file policies are set at both the computer and the user level, and there are identically named policies at each level. If you work with identically named policies at both levels, keep in mind that computer policies override user policies and that these policies may be applied at different times.

The primary policies you'll want to use are summarized in Table 8-2. As the table shows, most offline policies affect access, synchronization, caching, and encryption. You'll find Offline File policies under Computer Configuration\Administrative Templates\Network\Offline Files and User Configuration\Administrative Templates\Network\Offline Files.

Table 8-2.   Offline File Policies

Policy Type	Policy Name	Description
Computer	Allow Or Disallow Use Of The Offline Files Feature	Forces enabling or disabling of the Offline Files feature and prevents overriding by users. In this way, you can administratively control Offline File settings for a system.
Computer\User	Prohibit User Configuration Of Offline Files	Prevents users from enabling, dis-abling, and configuring Offline Files. This locks down the default settings for Offline Files.
Computer\User	Synchronize All Offline Files When Logging On	Forces full synchronization when users log on and prevents them from changing synchronization timing.
Computer\User	Synchronize All Offline Files Before Logging Off	Forces full synchronization before users log off and prevents them from changing synchronization timing.
Computer\User	Synchronize Offline Files Before Suspend	Forces synchronization before a computer goes into standby or hibernate mode. You can specify quick or full synchronization.
Computer	Default Cache Size	Limits size of automatically cached offline files and prevents users from changing related options. If you enable this option you can set a cache size. If you disable this option the limit is 10 percent of drive space.
Computer\User	Action On Server Disconnect	Specifies how the system responds when a server becomes unavailable. The Work Offline action ensures offline files are available.
Computer\User	Remove "Make Available Offline"	Prevents users from making files available offline.
Computer\User	Prevent Use Of Offline Files Folder	Prevents users from accessing the Offline Files folder. Users can't view or open copies of cached files, but they can work offline.
Computer	Files Not Cached	Lists types of files that cannot be used offline by file extension.
Computer\User	Administratively Assigned Offline Files	Specifies files and folders that are always available offline by Universal Naming Convention (UNC) path.
Computer	At Logoff, Delete Local Copy Of User's Offline Files	Cleans up the offline file cache on the local computer at logoff.
Computer\User	Event Logging Level	Ensures offline file events are logged in the application log.
Computer	Subfolders Always Available Offline	Makes subfolders available offline when a parent folder is available offline.
Computer	Encrypt The Offline Files Cache	Determines whether offline files are encrypted to improve security.
Computer\User	Prohibit "Make Available Offline" For These Files And Folders	Prohibits users from making specific files and folders available offline. Enter UNC paths to resources.

Setting Offline File Configuration Policies

Offline file configuration can be easily controlled through policy. You can allow users to specify which files and folders should be available offline, prevent them from configuring offline file features on their own, and allow them to work offline but not access other cached resources. Follow these steps to set offline file configuration policies:

1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To control the availability of offline files, double-click Allow Or Disallow Use Of The Offline Files Feature. In the Setting tab select either Enabled or Disabled as appropriate. Click OK. Users are now able to select specific files and folders that they want to have available when working offline. To prevent this and assign specific offline files folders, you'll need to prohibit this feature and administratively assign offline files.
3. To prevent users from changing offline file configuration settings, double-click Prohibit User Configuration Of Offline Files. In the Setting tab, select Enabled. Once this policy is set, users can't configure offline file options.
4. To prevent users from accessing the offline files folder but still allow them to work offline, double-click Prevent Use Of Offline Files Folder. In the Setting tab, select Enabled. Once you select this option, users cannot view or open copies of cached files. They can, however, save current work and continue to use active files when offline.

Administratively Controlling Offline Files and Subfolders

You can administratively control which files and folders are available for offline use. Typically, you'll want to do this on file servers or other systems sharing resources on the network. You can use several different techniques to administratively control which resources are available offline.

You can prevent users from making files available offline and assign specific offline resources by following these steps:

1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To prevent users from making files available offline, double-click Remove "Make Available Offline." In the Setting tab, select Enabled. Click OK. Once this policy is enforced, users are unable to specify files that should be used offline.
3. To assign resources that are available offline automatically, double-click Administratively Assigned Offline Files. In the Setting tab, select Enabled. Next click Show, and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data. Figure 8-5 shows a list of resources that have been added to the Show Contents list.

Figure 8-5. Use the Show Contents dialog box to specify resources according to their UNC path. (Image Unavailable)


---

CAUTION:
You should carefully consider which resources are available offline automatically. The more resources you assign through this technique, the more network traffic is generated to maintain offline file caches. You can slow down an entire network by assigning too many resources to be available automatically.

---

You can make specific files automatically available and prevent others from being used offline by following these steps:

1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To assign resources that are available offline automatically, double-click Administratively Assigned Offline Files. In the Setting tab, select Enabled. Next click Show, and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data.
3. To specify resources that users shouldn't be able to make available offline, double-click Prohibit "Make Available Offline" For These Files And Folders. In the Setting tab, select Enabled. Next click Show, and then, in the Show Contents dialog box, specify resources according to their UNC path, such as \\corpserver\data. This setting doesn't prevent automatic caching of resources assigned through step 2.
4. Click OK until all open dialog boxes are closed.

Setting Offline File Synchronization Policies

Offline file synchronization is normally controlled using the Synchronization Manager. However, you can set specific synchronization timing and techniques through policies. Normally resources are either fully synchronized, meaning that all files are checked to ensure they are complete and current, or quickly synchronized, meaning files are checked to ensure they are current, but file contents are not examined for completeness.

Several events can trigger synchronization automatically, such as logon, logoff, standby, and hibernate. Again, the Synchronization Manager normally determines which events are used. Using policies you can override this behavior. In most circumstances, you'll want to synchronize files only when a user logs on. The advantage to synchronizing when users log on is that they'll always have the freshest copies of files. The disadvantage is that the logon process may take longer. The notable exception for synchronizing at logon is for laptop users. Here, you may want to synchronize at logoff to ensure that users have the freshest copy of files when they go home and use their laptop offline.

To configure synchronization policies, follow these steps:

1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. The policies that control synchronization are Synchronize All Offline Files When Logging On, Synchronize All Offline Files Before Logging Off, and Synchronize Offline Files Before Suspend. Double-click the policy related to the synchronization technique that you want to use for this computer. In the Setting tab, select Enabled.
3. Click OK.

Setting Offline File Cache Policies

Careful configuration of the offline file cache is essential to managing the system and network overhead generated by offline file usage. You can specify a maximum file cache size, whether the cache is encrypted for security, and which file types should never be cached. To configure policies for the offline file cache, follow these steps:

1. Access Group Policy for the system you want to work with. Next, access the Offline Files node by expanding Computer Configuration\Administrative Templates\Network\Offline Files or User Configuration\Administrative Templates\Network\Offline Files.
2. To set the maximum cache size, double-click Default Cache Size. In the Setting tab, select Enabled. Afterward, use the Default Cache Size Properties box, shown in Figure 8-6, to set the default cache size. The value entered is percentage of disk space used times 10,000, meaning that if you enter 15,000 the cache can use up to 15 percent of the free space on the system drive.

Figure 8-6. Set a default cache size for offline files in the Default Cache Size Properties dialog box. (Image Unavailable)


---

NOTE:
If you don't configure the Default Cache Size policy or disable it, the cache size limit is 10 percent of the free space on the system drive.

---

3. To specify file types that are not cached, double-click Files Not Cached and then select Enabled. Next, in the Extensions field, enter a semicolon-separated list of file extensions to exclude. Each extension must be pre-ceded by an asterisk and a period. Following this you could enter *.wbk; *.tmp; *.lnk; *.ndx to block caching of many temporary types of files.
4. To encrypt the cache, double-click Encrypt The Offline Files Cache and then select Enabled. Once enforced, all existing and new files in the cache are encrypted and users cannot unencrypt the offline files.

Working with Access and Connectivity Policies

Access and connectivity policies control network connections, dial-up connections, and Remote Assistance configurations. These policies affect a system's connectivity to the network and connectivity to the system.

Configuring Network Policies

Many network policies are available. Network policies that control Internet Connection Sharing, Personal Firewall, and Network Bridge are configured at the computer level. Network policies that control local area network (LAN) connections, Transmission Control Protocol/Internet Protocol (TCP/IP) configuration, and remote access are configured at the user level. The primary policies that you'll want to use are summarized in Table 8-3. You'll find Network policies under Computer Configuration\Administrative Templates\Network\Network Connections and User Configuration\Administrative Templates\Network\Network Connections.

Table 8-3.   Network Policies

Policy Type	Policy Name	Description
Computer	Prohibit Use Of Internet Connection Sharing On Your DNS Domain Network	Determines whether administrators can enable and configure connection sharing. This policy only applies to the domain in which it is assigned.
Computer	Prohibit Use Of Internet Connection Firewall On Your DNS Domain Network	Determines whether users can enable the personal firewall. This policy only applies to the domain in which it is assigned.
Computer	Prohibit Installation And Configuration Of Network Bridge On Your DNS Domain Network	Determines whether users can install and configure network bridges. This policy only applies to the domain in which it is assigned.
User	Prohibit Access To Properties Of Components Of A Remote Access Connection	Determines whether users can access and change properties of remote access connections.
User	Prohibit TCP/IP Advanced Configuration	Determines whether users can access advanced TCP/IP settings.
User	Prohibit Access To Properties Of A LAN Connection	Determines whether users can change the properties of LAN connections.
User	Ability To Change Properties Of An All User Remote Access Connection	Determines whether users can access connection available to all users of the computer.
User	Prohibit Deletion Of Remote Access Connections	Determines whether users can delete remote access connections.
User	Ability To Delete All User Remote Access Connections	Determines whether users can delete remote access connections available to all users of the computer.
User	Ability To Enable/Disable A LAN Connection	Determines whether users can enable or disable LAN connections.

As shown in the table, network policies for computers are designed to restrict actions on the organization's network. When you enforce these restrictions, users are prohibited from using features such as Internet Connection Sharing in the applicable domain. This is designed to protect the integrity of corporate networks but it doesn't prevent users with laptops, for example, from taking their computers home and using these features on their own networks. To enable or disable these restrictions, follow these steps:

1. Access Group Policy for the resource you want to work with. Next, access the Network Connections node by expanding Computer Configuration\Administrative Templates\Network\Network Connections.
2. Double-click the policy that you want to configure. In the Setting tab, select Enabled or Disabled as appropriate. Click OK.

User policies for network connections usually prevent access to certain configuration features, such as the advanced TCP/IP property settings. To configure these policies, follow these steps:

1. Access Group Policy for the resource you want to work with. Next, access User Configuration\Administrative Templates\Network\Network Connections.
2. Double-click the policy that you want to configure. In the Setting tab, select Enabled or Disabled as appropriate. Click OK.

Configuring Remote Assistance Policies

Remote Assistance policies can be used to prevent or permit use of remote assistance on computers. Typically, when you set Remote Assistance policies, you'll want to prevent unsolicited offers for remote assistance while allowing requested offers. You can also force a specific expiration time limit for invitations through policy rather than setting this through the System utility. To configure policy in this manner, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.
2. Double-click Solicited Remote Assistance. In the Setting tab, select Enabled. When enabled, this policy allows authorized users to respond to remote assistance invitations.
3. In the properties area, you can now specify the level of access for assistants. The Permit Remote Control Of This Computer selection list has two options:
• Allow Helpers To Remote Control This Computer Permits viewing and remote control of the computer.
• Allow Helpers To Only View This Computer Permits only viewing; assistants cannot take control to make changes.

4. Next, as shown in Figure 8-7, use the Maximum Ticket Time (Value) and Maximum Ticket Time (Units) fields to set the maximum time limit for remote assistance invitations. The default maximum time limit is 30 days.

Figure 8-7. Set a time expiration limit for Remote Assistance invitations. (Image Unavailable)

5. Click Next Setting. In the Offer Remote Assistance Properties dialog box, select Disabled. Disabling this policy prevents unsolicited assistance offers.
6. Click OK.

To prevent remote assistance and remote control of computers entirely, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Remote Assistance.
2. Double-click Solicited Remote Assistance. In the Setting tab, select Disabled and then click Next Setting.
3. In the Permit Unsolicited Offers Of Remote Assistance Properties dialog box, select Disabled and then click Next Setting.
4. In the Offer Remote Assistance dialog box, select Disabled and then click OK.

Working with Computer and User Script Policies

Script policies control the behavior and assignment of computer and user scripts. Four types of scripts can be configured:

• Computer startup  Executed during startup
• Computer shutdown  Executed prior to shutdown
• User logon  Executed when a user logs on
• User logoff  Executed when a user logs off

You can write these scripts as command-shell batch or Windows scripts. Batch scripts use the shell command language. Windows scripts use Windows Script Host (WSH) and are written in a scripting language, such as VBScript or JScript.

Controlling Script Behavior Through Policy

Through policy you can control the behavior of startup, shutdown, logon, and logoff scripts. The key policies that you'll use are described in Table 8-4. As you'll see, there are quite a few options for configuring script behavior.

Table 8-4.   Computer and User Script Policies

Policy Type	Policy Name	Description
Computer/User	Run Logon Scripts Synchronously	Ensures the system waits for logon scripts to finish before displaying the Windows interface.
Computer	Run Startup Scripts Asynchronously	Allows the system to run startup scripts simultaneously rather than one at a time.
Computer	Run Startup Scripts Visible	Displays startup scripts and their instructions as they execute.
Computer	Run Shutdown Scripts Visible	Displays shutdown scripts and their instructions as they execute.
Computer	Maximum Wait Time For Group Policy Scripts	Sets the maximum time to wait for scripts to finish running. The default value is 600 seconds (10 minutes).
User	Run Legacy Logon Scripts Hidden	Hides logon scripts configured through System Policy Editor in Windows NT 4.
User	Run Logon Scripts Visible	Displays logon scripts and their instructions as they execute.
User	Run Logoff Scripts Visible	Displays logoff scripts and their instructions as they execute.

Although there are many ways to control script behavior and many different combinations, you'll usually want scripts to behave as follows:

• Logon and startup scripts should run simultaneously (in most cases).
• All scripts should be hidden rather than visible.
• The system should wait no more than one minute for a script to complete (in most cases).

To enforce this behavior, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Scripts.
2. Double-click Run Logon Scripts Synchronously. In the Setting tab, select Disabled and then click Next Setting.
3. In the Run Startup Scripts Asynchronously Properties dialog box, select Enabled and then click Next Setting.
4. In the Run Startup Scripts Visible Properties dialog box, select Disabled and then click Next Setting.
5. In the Run Shutdown Scripts Visible Properties dialog box, select Disabled and then click Next Setting.
6. In the Maximum Wait Time For Group Policy Scripts Properties dialog box, select Enabled and then enter the wait time in the Seconds field, as shown in Figure 8-8. You should use a value between 60 and 120, with a preference for 60 seconds. Click OK.

Figure 8-8. Set the maximum wait time for scripts. (Image Unavailable)

7. Access User Configuration\Administrative Templates\System\Scripts.
8. Double-click Run Legacy Logon Scripts Hidden. In the Setting tab, select Enabled and then click Next Setting.
9. In the Run Logon Scripts Visible Properties dialog box, select Disabled and then click Next Setting.
10. In the Run Logoff Scripts Visible Properties dialog box, select Disabled and then click OK to complete the configuration process for scripts.

Assigning Computer Startup and Shutdown Scripts

Computer startup and shutdown scripts can be assigned as part of a group policy. In this way, a computer and all its users or all computers that are members of the site, domain, or OU execute scripts automatically when they're booted or shut down.

To assign computer scripts, follow these steps:

1. For easy management, copy the scripts you want to use to the Scripts\Startup or Scripts\Shutdown folder for the related policy. Computer policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers and %WinDir%\System32\GroupPolicy\Machine on Windows XP workstations.
2. Access the Group Policy console for the resource you want to work with. Then access Computer Configuration\Windows Settings\Scripts.
3. To work with startup scripts, right-click Startup and then select Properties. To work with shutdown scripts, right-click Shutdown and then select Properties. This opens a dialog box similar to the one shown in Figure 8-9.

Figure 8-9. Manage computer startup scripts using the Startup Properties dialog box.  (Image Unavailable)

4. Click Show Files. If you copied the computer script to the correct location in the policies folder, you should see the script.
5. Click Add to assign a script. This opens the Add A Script dialog box. In the Script Name field, type the name of the script you copied to the Scripts\Startup or the Scripts\Shutdown folder for the related policy. In the Script Parameter field, enter any command-line arguments to pass to the command-line script or parameters to pass to the scripting host for a WSH script. Repeat this step to add other scripts.
6. During startup or shutdown, scripts are executed in the order in which they're listed in the Properties dialog box. Click Up or Down to reposition scripts as necessary.
7. If you want to edit the script name or parameters later, select the script in the Script For list and then click Edit.
8. To delete a script, select the script in the Script For list and then click Remove.

Assigning User Logon and Logoff Scripts

User scripts can be assigned as part of a group policy. In this way, all users who access a computer or are members of the site, domain, or OU execute scripts automatically when they log on or log off.

To assign user scripts, complete the following steps:

1. For easy management, copy the scripts you want to use to the Scripts\Logon or the Scripts\Logoff folder for the related policy. User policies are stored in the %SystemRoot%\Sysvol\Domain\Policies folder on domain controllers and %WinDir%\System32\GroupPolicy\Machine on Windows XP workstations.
2. Access the Group Policy console for the resource you want to work with. Then access User Configuration\Windows Settings\Scripts.
3. To work with logon scripts, right-click Logon and then select Properties. To work with logoff scripts, right-click Logoff and then select Properties. This opens a dialog box similar to the one shown in Figure 8-10.
4. Click Show Files. If you copied the user script to the correct location in the policies folder, you should see the script.
5. Click Add to assign a script. This opens the Add A Script dialog box. In the Script Name field, type the name of the script you copied to the Scripts\Logon or the Scripts\Logoff folder for the related policy. In the Script Parameter field, enter any command-line arguments to pass to the command-line script or parameters to pass to the scripting host for a WSH script. Repeat this step to add other scripts.
6. During logon or logoff, scripts are executed in the order in which they're listed in the Properties dialog box. Click Up or Down to reposition scripts as necessary.
7. If you want to edit the script name or parameters later, select the script in the Script For list and then click Edit.
8. To delete a script, select the script in the Script For list and then click Remove.

Figure 8-10. Manage user logon scripts using the Logon Properties dialog box. (Image Unavailable)

Working with Logon and Startup Policies

Windows XP provides a set of policies to control the logon process, some of which allow you to configure the way programs run at logon. This makes them similar to logon scripts, in that you can execute specific tasks at logon. Other policies change the view in the welcome and logon screens. The main logon and startup policies that you'll use are summarized in Table 8-5.

Table 8-5.   Logon and Startup Policies

Policy Type	Policy Name	Description
Computer	Don't Display The Getting Started Welcome Screen At Logon	Hides the welcome screen that is displayed when new users log on. This only applies to Windows XP and not to servers.
Computer	Always Use Classic Logon	This overrides the default simple logon screen and uses the logon screen from previous versions of Windows.
Computer/User	Run These Programs At User Logon	Sets programs that all users should run at logon. Use the full file path (unless program is in %SystemRoot%).
Computer/User	Do Not Process The Run-Once List	Forces the system to ignore customized run-once lists.
Computer/User	Do Not Process The Disable Legacy Run List	Disables running startup applications other than those set through System Policy Editor in Windows NT 4.

Hiding the Welcome Screen

Experienced users often find the welcome screen annoying, particularly because it is displayed automatically every time they log on to a new computer. To hide the welcome screen at logon, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
2. Double-click Don't Display The Getting Started Welcome Screen At Logon. In the Setting tab, select Enabled and then click OK.

Using Classic Logon vs. Simple Logon

The simple logon window is new in Windows XP. It is the default authentication, and although that view can be useful, some users might prefer to see only the classic logon window. To use classic logon rather than simple logon, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
2. Double-click Always Use Classic Logon. In the Setting tab, select Enabled and then click OK.

Setting Policy-Based Startup Programs

Although users can configure their startup applications separately, it usually makes more sense to handle this through policy, especially in an enterprise in which the same applications should be started by groups of users. To specify programs that should start at logon, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon.
2. Double-click Run These Programs At User Logon. In the Setting tab, select Enabled.
3. To assign startup applications through policy, click Show. In the Show Contents dialog box that appears, specify applications according to their full file or UNC path, such as D:\Program Files\Internet Explorer\IEXPLORE.EXE or \\DCServ01\Apps\STATS.EXE.
4. Close all open dialog boxes.

Disabling Run Lists Through Policy

Using policy, you can disable legacy run lists as well as run-once lists. Legacy run lists are stored in the registry in

HKEY_LOCAL_MACHINE 
 \Software
  \Microsoft
   \Windows
    \CurrentVersion
     \Run 

and

HKEY_CURRENT_USER
 \Software
  \Microsoft
   \Windows
    \CurrentVersion
     \Run 

Run-once lists can be created by administrators to specify programs that should run the next time the system starts but not on subsequent restarts. Run-once lists are stored in the registry under

HKEY_LOCAL_MACHINE
 \Software
  \Microsoft
   \Windows
    \CurrentVersion
     \RunOnce 

To disable run lists, follow these steps:

1. Access Group Policy for the computer you want to work with. Next, access Computer Configuration\Administrative Templates\System\Logon or User Configuration\Administrative Templates\System\Logon.
2. Double-click Do Not Process The Run Once List. In the Setting tab, select Enabled and then click Next Setting.
3. In the Do Not Process The Legacy Run List Properties dialog box, select Enabled and then click OK.