Group Policy is an extremely flexible and complicated tool. One question I am asked quite a bit is, “Can you give me a list of settings I need to enable?” The short answer is no. Microsoft has already enabled the vast majority of things that should be enabled. And while Microsoft’s guidance may change over time (see Offline Files as an example of this), most settings stay the same. There is one setting, however, that is not enabled by default. If you are going to use Group Policy and want to make your troubleshooting life easier, you will want to enable it.
There are a handful of Group Policy settings that can make your life so much easier! One awesome troubleshooting setting that we’ve covered is Group Policy Verbose Mode. Today, we are going to cover two settings that can speed up your logons, stop auto-updaters (like Java), and secure your machines. The first one will kill the MSConfig Startup tab. The second grants us exclusions.
What is the legacy run list and how to kill it?
If you have ever taken a look at the Startup tab in MSConfig (or in Task Manager on Windows 8+), you’ve seen the legacy run list. This startup list is normally populated with driver applications and certain start-once applications.
As an example, my machine has two application updaters, a music app, my phone’s tethering app, and several driver apps. Most of these applications have corresponding icons in the notification area on your taskbar. Take a quick look at your notification area and your legacy run list.
By using Group Policy, we can make our computers ignore the legacy run list. Within an unlinked GPO, navigate to Computer Configuration/Policies/Administrative Templates/System/Logon. Enable Do Not Process the Legacy Run List.
After enabling, scope and link the GPO to a test computer. Pay attention to the notification area on your machine and reboot once. You can also run a gpupdate and log out/log back in. You should notice fewer icons in the notification area and probably a faster logon!
This is awesome! Prepare to die, MSConfig Startup tab!
Yes, it is awesome, but hold on one more minute. This policy has the potential to break certain apps in your environment. Two notable examples are security software and interactive software (like SmartBoards).
When you have an application that should start automatically, you can add it to the Run these programs at user logon Group Policy setting. This setting is found within the same System/Logon folder.
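Before enabling the policy, it helps to inventory what the run list launches today so that security agents and other required programs can be identified and re-added through Run these programs at user logon. The PowerShell below is an added example, not part of the original post; it assumes the legacy run list corresponds to the machine-wide Run registry keys shown, and the function names Get-RunExecutable and Get-LegacyRunEntry are hypothetical.

```powershell
# Added example (not from the original post): inventory machine-wide Run entries
# so required programs can be identified before the policy is enabled.
# Assumption: the legacy run list is stored in these HKLM Run keys.
$LegacyRunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-RunExecutable {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"')        { return $Matches[1] }  # quoted path
    if ($Command -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }  # unquoted path, may contain spaces
    return ($Command.Trim() -split '\s+')[0]                            # fallback: first token
}

# Hypothetical helper: one object per Run value, with Authenticode details
# for the executable when its full path can be resolved on disk.
function Get-LegacyRunEntry {
    param([string[]]$Path = $LegacyRunKeys)
    foreach ($keyPath in $Path) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }  # e.g. no WOW6432Node on 32-bit Windows
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            $command = [string]$key.GetValue($name)   # REG_EXPAND_SZ values are expanded here
            $exe     = Get-RunExecutable -Command $command
            $sig     = $null
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
            }
            [pscustomobject]@{
                Key        = $keyPath
                Name       = $name
                Command    = $command
                Executable = $exe
                Signature  = if ($sig) { $sig.Status.ToString() } else { 'NotChecked' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Review the output and decide which entries must be re-added through
# "Run these programs at user logon" before linking the GPO.
Get-LegacyRunEntry | Sort-Object Signature, Name |
    Format-Table Name, Signature, Signer, Command -AutoSize -Wrap
```

Entries reported as NotChecked (no resolvable full path) or with a signature status other than Valid are worth reviewing whether or not the policy is deployed.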
Take a slow and steady approach to deploying this setting. Once deployed, you will have faster logons, a cleaner desktop, and a safer machine! All of this from just killing the MSConfig Startup tab. If you have any Group Policy settings that you couldn’t live without, share them in the comments below.
Old user profiles are making life difficult for you. They eat up space, slow down troubleshooting times, and can re-introduce forgotten problems. There are a few ways to handle old profiles. Some will simply delete them (bad mistake). Others will manually run the tool DelProf. But you, wise reader, prefer the automatic way. That is why you perform user profile cleanup with Group Policy!
How to Delete Old Profiles with Group Policy
Create a new GPO named User Profile Cleanup and edit it. Browse to Computer Configuration\Policies\Administrative Templates\System\User Profiles. Enable Delete User Profiles Older than a Specified Number of Days on System Restart.
The default deletion age for a profile starts at 30 days. You will need to think about your environment and how your computers are used. Do you store all critical information and documents outside of the user profile (ex: by using folder redirection)? Then you can probably set the deletion value to a lower number such as 14 days.
If you do keep important information in your local profiles, consider how old a profile needs to be before it should be considered obsolete. 90 days might be a more appropriate number for you. If your organization has downtime, keep that in mind (ex: School Systems that are off in the Summer).
With your setting enabled, link your GPO. Remote into a few machines and take a snapshot of the Users folder. Check back after the user profile service runs. You should be pleasantly surprised by how clean everything is!
Remember that the user profile service will only clean profiles on a reboot. If your machines never restart, this setting won’t help you. Our next post will cover automatic restarts and why you need them. If you have any questions about this Group Policy setting or on cleaning up machines, leave a comment below.