Working with Group Policy Preferences: How to Stop Using Specific Devices

Now for most users it is no longer a secret that any computer consists not only of a “tilivizer” and a “processor”, by which they called the system unit, but it has a decent number of devices that the operating system simply needs to know about to function properly. More advanced users also know that, starting from the 90s of the last century, the world first learned about such a concept associated with Windows-systems as Plug and Play or, more simply, about PnP, which is a technology that allows the operating system will automatically perform some configuration settings for connected devices. Well, for the appearance of additional features and the correct operation of the connected devices, of course, you should install the drivers developed by the manufacturers of components. In turn, administrators can install such drivers on target computers using various methods: they can independently run on computers with CD or DVD disks and install such drivers; can place them in a public folder on file servers and install them using scripts; Integrate drivers into operating systems using tools such as the Windows ADK Install drivers using Microsoft System Center Configuration Manager, as well as many other methods. But, by and large, this article is not about that. can place them in a public folder on file servers and install them using scripts; Integrate drivers into operating systems using tools such as the Windows ADK Install drivers using Microsoft System Center Configuration Manager, as well as many other methods. But, by and large, this article is not about that. can place them in a public folder on file servers and install them using scripts; Integrate drivers into operating systems using tools such as the Windows ADK Install drivers using Microsoft System Center Configuration Manager, as well as many other methods. But, by and large, this article is not about that.
Sometimes such situations may arise when you simply need to disconnect a certain device on a particular computer or, conversely, force users to work with specific devices. To perform such operations instead of the user, and without disconnecting (or, conversely, forcibly not including) such a device permanently, you can use a certain element of Group Policy Preference, which will be discussed later in this article.

Devices Group Policy Preference Node

Since one of the elements of group policy preferences is responsible for the task associated with device management, such an element should be managed by a specific dynamic library, which simply must be present on both computers with server and client operating systems. In principle, as is the case with most extensions of the client side of the preference elements, for the “ Devices ” element"The gpprefcl.dll library answers, which, in turn, is tied to the GUID {1A6364EB-776B-4120-ADE1-B63A406A76B5}. This preference item, as I already mentioned a little above, allows you to simply enable or disable the classes or types of certain hardware devices. In other words, installing, updating, uninstalling drivers is not the task that could be accomplished using this client-side extension. However, I believe that it would be extremely useful and convenient if Microsoft implemented this opportunity for the next releases of server operating systems.
Therefore, since the possibilities of the current expansion of the client side are extremely limited, in the next procedure I will step by step talk about how you can disconnect a DVD drive. Since this example can be attributed to the most basic ones, we complicate the task a little in that the drive will only need to be disconnected on computers whose addresses belong to a specific IP range. So, to implement such a task, you will need to perform the following steps:

1. To begin with, of course, in a snap " Group Policy Management " ( Group is the Policy Management ), you must create a new Group Policy object (or use an existing one, which would be suitable for the above purpose), for example, " Group is the Policy the Preferences - 18 ", and, if necessary, associate it with the required unit, and then select a command from the context menu that allows you to open the Group Policy Management Editor for such an object. In my case, solely for simplicity, such an object was associated with the level of the entire domain, however, in the production environment, I do not recommend performing such actions;
2. The snap GPME, navigate to Computer Configuration \ Preferences \ Control Panel Settings \ Devices ( Computer the Configuration \ the Preferences \ the Control the Settings Plesk Panel \ Devices' ). Despite the fact that this node can be found both in the computer configuration node and in the user configuration node, so that the settings we defined apply to all users of the target computers, the first node was selected. Now, being in the current node, you need to call the context menu in the details area and select the " Create " and " Device " ( New> Device ) commands , as shown in the following illustration: Fig. 1. Creating a new preference item
   
   
   
   
   
3. Here, as you can immediately see in the following illustration, in the dialog box that appears to create an element of device preference for such elements, you are practically not given the opportunity to select any properties or parameters. It turns out, from the drop-down list " Action » ( the Action ), you can select an action, allows you to turn the selected class or type of devices ( " Use this device (enable) » ( the Use the this device (the enable) )), or, conversely, turn them off (action " Do not use this device (disable) » ( the Do not use the this device (the disable))). Since the DVD drive will be disabled in this example, the second option is selected from this list. Most likely, the only thing you should pay attention to when using this extension of the client side is the following two text fields. Text field " Subtype apparatus » ( Device class ) must include the name of a particular class of devices to which this policy would apply. Here you can immediately pay attention to the fact that this text field is not subject to manual changes. That is, to select an existing class, you will need to click on the browse button ( ... ), and then from the additional dialog box “ Select a device class or device»Select the required class. In this case, it is “ DVD-ROM drives and CD-ROM drives ” ( DVD / CD-ROM drives ). In turn, the text box " Device type » ( the Device of the type ) allows you to make the necessary information in it, since it is responsible for the name of a specific device that already belongs to you selected in the previous text box class. As you can see in the following illustration, the selected class for me is the class of DVD drives, but I can already specify the type as “ HL-DT-ST DVD-ROM GDR8164B ATA Device"Which is my real drive. In the event that the drives are different on the target computers, you can either specify a different type or leave this field blank altogether so that absolutely all types for the selected device class are disabled. Be sure to keep in mind that you can see a list of device types that will completely match all devices installed on the computer on which you are currently using the GPME snap-in. The dialog boxes for creating a preference item and selecting device types are shown below: Fig. 2. Preference item properties and device type selection dialog
   
   
   
   
   
4. After all the settings mentioned above have been completed (and there are not so many of them), you should think about targeting the level of elements. Consequently, the need to go to the tab " General settings » ( the Common the Options ), check the box on the option " Targeting element level » ( Item-level targeting is ) and click on " Targeting » ( the Targeting ). Since in this example we are interested in the IP-address range in the dialog editor window target from the drop-creating elements, select the element « IP-address range » ( the IP address range) Here, as can be seen in the following illustration, unlike the predecessor system, Windows Server 2012, in version R2 it became possible to use not only the IPv4 range of addresses, but also, due to the growing popularity of IPv6, to use addresses of the sixth version. To determine the IPv6-address range should be set to check the option " Use the IPv6 » ( the Use the IPv6 ), and then, in the text field, enter a range of addresses in the appropriate format. Despite the fact that I have configured only the local address for the channel, for example, we indicate it in this text box. And besides this, just in case, we’ll add a range of IPv4 addresses through the OR operator. In a production environment, this is best done if you still haven’t implemented IPv6 addresses everywhere. In this example, targeting Editor dialog box will appear as follows: Fig. 3. Targeting Editor Dialog Box
   
   
   
   
   
5. When all the required parameters and settings are entered, you can close the Group Policy Management Editor and update the policy settings on the target computers.

It remains to check in the device manager whether it was possible to make the expected changes. After you open the device manager on the target machine, it will be immediately noticeable that despite the fact that the device type in the preference item has not been defined, the DVD drive is still disconnected because the class was specified. Therefore, everything worked out. Fig. 4. The result of applying group policy

Conclusion

From this article, you learned about the principle of operation of the next preference item, which is responsible for the state of specific classes and types of devices on target computers. Using a simple example, it was demonstrated how DVD drives can be disabled on all computers from a certain range of IP addresses. In the next article of this series, we will talk about the next element of Group Policy preference, namely, the configuration of network settings.