Create the group policy
If you do not install Credential Provider software on users’ workstations to allow them to access the domain help account, you must set up a group policy to determine the configuration of a user’s desktop environment.
To create a group policy for use with an SKA:
Create the help account policy. Name the group policy Help SKA.
For example, on Windows 2022:
Open
Under the forest domain sub-section, right-click the domain object, then select Create a GPO in this domain, and Link it here ….
The dialog appears.
Name the group policy Help SKA.
Right-click on the Help SKA policy you just created, then select Edit.
The snap-in appears.
Ensure the help account policy is applied only to the Help SKA group.
Warning
Failure to perform this step will result in the Help Account Policy being applied to every user – making it almost impossible to log back into the domain.
In the snap-in, while the Policy is selected, navigate to Actions > Properties.
Select the Security tab.
Click Add, type Help SKA, then click OK to add the Help SKA group.
Select the Help SKA group. Under the permissions for this group, ensure that the Allow checkbox is selected in the Apply Group Policy row.
Select the Authenticated Users group. Under the permissions for this group, clear the Allow checkbox in the Apply Group Policy row.
Click OK to apply the policy.
Restrict the help user’s rights by configuring the group policy settings as described in:
All other settings should be left in the "Not configured" state.
See Microsoft’s documentation for detailed steps on how to create a group policy.
This group policy is now in effect every time the help user logs into the domain. Should it appear that the group policy is not applying properly, check to ensure that your workstations are using a primary DNS server that supports dynamic updates.
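
The creation, linking and security-filtering steps above can also be scripted. The following PowerShell is an added example, not part of the original documentation: it assumes the RSAT GroupPolicy and ActiveDirectory modules, an existing group named Help SKA, and an English-language "Authenticated Users" name. Unlike the console steps, it sets and verifies the filter before linking, so the policy is never linked while it still applies to every user.

```powershell
# Added example (not vendor code). Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and an existing AD group named "Help SKA".
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'Help SKA'   # policy name used on this page
$group   = 'Help SKA'   # group the policy must be limited to
$domain  = (Get-ADDomain).DistinguishedName

# Create the GPO if it does not exist yet (it starts out unlinked).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Security filtering: allow "Apply Group Policy" for the Help SKA group only.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Clear "Apply Group Policy" for Authenticated Users but keep Read, which is
# what unticking the Allow box in the Security tab does.
# "Authenticated Users" is the English name; adjust on localized domains.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Verify: no trustee other than the Help SKA group may hold GpoApply.
$unexpected = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
    Where-Object { $_.Trustee.Name -ne $group }

if ($unexpected) {
    $names = ($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '
    throw "GPO '$gpoName' would also apply to: $names. Not linking."
}

# Link at the domain root only after the filter has been confirmed.
$linked = (Get-GPInheritance -Target $domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $domain | Out-Null
}

# Show the resulting permissions for review.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

The verification block can be re-run on its own later to confirm that the filter has not been widened.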
Active Directory 2012, 2016, 2019, and 2022 group policy settings
Policy | Setting | |
---|---|---|
Windows Components | ||
> Internet Explorer | ||
Disable AutoComplete for forms | Enabled | |
> AutoPlay Policies | ||
Turn off Autoplay | Enabled | |
Turn off Autoplay on: All drives | ||
Start Menu and Taskbar | ||
Remove user’s folders from the Start Menu | Enabled | |
Remove links and access to Windows Update | Enabled | |
Remove common program groups from Start Menu | Enabled | |
Remove Documents icon from Start Menu | Enabled | |
Remove programs on Settings menu | Enabled | |
Remove Network Connections from Start Menu | Enabled | |
Remove Favorites menu from Start Menu | Enabled | |
Remove Search link from Start Menu | Enabled | |
Remove Help menu from Start Menu | Enabled | |
Remove Run menu from Start Menu | Enabled | |
Remove Pictures icon from Start Menu | Enabled | |
Remove Music icon from Start Menu | Enabled | |
Remove Network icon from the Start Menu | Enabled | |
Add Logoff to the Start Menu | Enabled | |
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate command | Enabled | |
Prevent changes to Taskbar and Start Menu Settings | Enabled | |
Remove access to the context menus for the taskbar | Enabled | |
Do not keep history of recently opened documents | Enabled | |
Turn off personalized menus | Enabled | |
Force classic Start Menu | Enabled | |
Remove Balloon Tips on Start Menu items | Enabled | |
Remove pinned programs list from the Start Menu | Enabled | |
Remove frequent programs list from the Start Menu | Enabled | |
Remove All Programs list from the Start Menu | Enabled | |
Remove the "Undock PC" button from the Start Menu | Enabled | |
Hide the notification area | Enabled | |
Do not display any custom toolbars in the taskbar | Enabled | |
Desktop | ||
Hide and disable all items on desktop | Enabled | |
Remove My Documents icon on the desktop | Enabled | |
Remove Computer icon on the desktop | Enabled | |
Remove Recycle Bin icon from desktop | Enabled | |
Don’t save settings at exit | Enabled | |
> Desktop | ||
Disable Active Desktop | Enabled | |
Control Panel | ||
Prohibit access to the Control Panel and PC settings | Enabled | |
> Personalization | ||
Enable screen saver | Disabled | |
System | ||
Don’t display Getting Started welcome screen at logon | Enabled | |
Custom user interface | Enabled | |
Interface filename: %logonserver%\sysvol\runurl.exe -cfg %logonserver%\sysvol\runurl.cfg | ||
Run only specified Windows applications | Enabled | |
List of allowed applications: runurl.exe | ||
> Ctrl+Alt+Del Options | ||
Remove Task Manager | Enabled | |
Remove Lock Computer | Enabled | |
Remove Change Password | Enabled |

Active Directory 2008R2 group policy settings
Policy | Setting | |
---|---|---|
Windows Components | ||
> Internet Explorer | ||
Disable AutoComplete for forms | Enabled | |
Turn off Managing Phishing filter | Enabled | |
Select phishing filter mode: Off | ||
> AutoPlay Policies | ||
Turn off Autoplay | Enabled | |
Turn off Autoplay on: All drives | ||
Start Menu and Taskbar | ||
Remove user’s folders from the Start Menu | Enabled | |
Remove links and access to Windows Update | Enabled | |
Remove common program groups from Start Menu | Enabled | |
Remove Documents icon from Start Menu | Enabled | |
Remove programs on Settings menu | Enabled | |
Remove Network Connections from Start Menu | Enabled | |
Remove Favorites menu from Start Menu | Enabled | |
Remove Search link from Start Menu | Enabled | |
Remove Help menu from Start Menu | Enabled | |
Remove Run menu from Start Menu | Enabled | |
Remove Pictures icon from Start Menu | Enabled | |
Remove My Music icon from Start Menu | Enabled | |
Remove Network icon from the Start Menu | Enabled | |
Add Logoff to the Start Menu | Enabled | |
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate command | Enabled | |
Prevent changes to Taskbar and Start Menu Settings | Enabled | |
Remove access to the context menus for the taskbar | Enabled | |
Do not keep history of recently opened documents | Enabled | |
Turn off personalized menus | Enabled | |
Force classic Start Menu | Enabled | |
Remove Balloon Tips on Start Menu items | Enabled | |
Remove pinned programs list from the Start Menu | Enabled | |
Remove frequent programs list from the Start Menu | Enabled | |
Remove All Programs list from the Start Menu | Enabled | |
Remove the "Undock PC" button from the Start Menu | Enabled | |
Hide the notification area | Enabled | |
Do not display any custom toolbars in the taskbar | Enabled | |
Desktop | ||
Hide and disable all items on desktop | Enabled | |
Remove My Documents icon on the desktop | Enabled | |
Remove Computer icon on the desktop | Enabled | |
Remove Recycle Bin icon from desktop | Enabled | |
Don’t save settings at exit | Enabled | |
> Desktop | ||
Disable Active Desktop | Enabled | |
Control Panel | ||
Prohibit access to the Control Panel | Enabled | |
> Personalization | ||
Enable screen saver | Disabled | |
System | ||
Don’t display Getting Started welcome screen at logon | Enabled | |
Custom user interface | Enabled | |
Interface filename: %logonserver%\sysvol\runurl.exe -cfg %logonserver%\sysvol\runurl.cfg | ||
Run only specified Windows applications | Enabled | |
List of allowed applications: runurl.exe | ||
> Ctrl+Alt+Del Options | ||
Remove Task Manager | Enabled | |
Remove Lock Computer | Enabled | |
Remove Change Password | Enabled |