Monday, November 9, 2009

Manage Temporary Internet Files with Group Policy

Temporary Internet Files should be proactively managed to help reduce security risks. In addition it can help with other issues as well, such as the Outlook attachment opening issue: "Can't create file: filename. Right-click the folder you want to create the file in, and then click Properties on the shortcut menu to check your permissions for the folder."

  • Get the Group Policy Client Side Extensions for all of your machines.
  • Depending on your machine SP level you may also need to install XMLLite. Check out this site for a list of requirements depending on the SP level:
  • Both can be pushed using your favorite method (third party, group policy, manually, etc)
  • At this point you can begin to push the new Group Policy objects
  • Open Group Policy Management (note that you cannot manage these new GPO's from Windows XP, they can only be managed from Vista, 7, or 2008)
  • This can be done several ways depending on your preferences. I did it by computer role / operating system.
  • In Active Directory I have all Terminal Servers in one OU, Workstations in another OU, Laptops in another, etc. As such it made sense to link the GPO by the computers role and operating system
  • It is important (to some extent) that the operating system be specified with this. For instance XP and Vista do not have the same paths to the Temporary Internet Files
    • Windows 2000, XP, 2003 = C:\Documents and Settings\%LogonUser%\Local Settings\Temporary Internet Files
    • Windows Vista, 7, 2008 = C:\Users\%LogonUser%\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • User Configuration - Preferences - Windows Settings - Folders
  • New Folder - Replace - proper pathing to TIF location (depending on which OS you are targeting)
    • Check the following:
    • "Recursively delete all subfolders"
    • "Delete all files in the folder"
    • "Allow deletion of read-only files/folders
    • "Ignore errors for files/folders that cannot be deleted"
  • Common Tab - Item-level targeting
  • Targeting Button - New Item - Operating System
  • Set the operating system (notice that you can add multiples and right click it change the AND to OR, for instance if you want it to read Windows Server 2003 OR Windows Server 2003 R2)

Ensure that you have the GPO linked to the proper Active Directory OU and that if you link it to an OU with computers in it rather than users that you enable loopback policy - merge.

No comments:

Post a Comment