Working with Windows Settings Preference Items Using the GPMC

  • Article

 

This topic describes each of the nine Group Policy Windows Settings preferences and how to configure each using the Group Policy Management Console.

The Group Policy Management Console allows you to configure preferences when you edit any domain-based Group Policy Object. The Preferences node appears under Computer Configuration and User Configuration. The editor displays preference extensions under two categories: Windows Settings and Control Panel Settings.

Applications extension

Group Policy includes the Applications preference extension. For users, this extension allows you to configure settings for a specific version of an application for which you have installed a preference plug-in. The available settings vary with the application and version.

Software developers can create plug-ins for other applications using the Group Policy Software Development Kit (https://go.microsoft.com/fwlink/?LinkId=144).

You can create and configure Application preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Applications**

Important

You must install a preference plug-in before you can create and configure Application preference items.

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new application preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Applications node, point to New, and select an application.

  4. In the Properties dialog box, enter application settings for Group Policy to configure.

  5. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  6. Click OK. The new preference item appears in the results pane.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Drive Maps extension

Group Policy includes the Drive Maps preference extension. For users, this extension allows you to:

  • Create dynamic drive mappings to network shares.

  • Create dynamic drive mappings to network shares using alternate user credentials.

  • Modify mapped drives and their properties.

  • Delete a single mapped drive.

  • Delete all mapped drives or all mapped drives from a designated drive letter onward.

  • Hide or show a single drive or all drives, both mapped and physical.

You can create and configure Mapped Drive preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Drive Maps**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Mapped Drive preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Drive Maps node, point to New, and select Mapped Drive.

  4. In the New Drive Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter drive map settings for Group Policy to configure or remove. (For more information, see "Drive map settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the drive letter already exists.

Create

Create a new mapped drive for users.

Delete

Remove a mapped drive for users.

Replace

Delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping.

Update

Modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the mapped drive. If the drive mapping does not exist, then the Update action creates a new drive mapping.

Drive map settings

Location

To configure a new drive mapping or recreate a drive mapping, type a fully qualified UNC path for the network share (such as \\server\sharename, \\server\hiddenshare$, or \\server\sharename\foldername).

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

To modify an existing drive mapping (identified by drive letter), leave this field blank.

This option is available only if the action selected is Create, Replace, or Update.

Reconnect

To save this mapped drive in the user's settings and attempt to restore it at each subsequent logon, select this check box. Otherwise, the drive is mapped, but not saved in the user's settings.

This option is available only if the action selected is Create, Replace, or Update.

Label as

To provide a descriptive label that appears next to the drive letter, type the label in this field.

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the action selected is Create, Replace, or Update.

Drive Letter

Select the mapped drives (identified by drive letter) to configure:

  • To assign the first available drive letter to the mapped drive, select Use first available, starting at, and then select a drive letter at which to begin checking for availability. This option is available only if the action selected is Create, Replace, or Update.

  • To assign a specific drive letter to the mapped drive, select Use, and then select a drive letter. This option is available only if the action selected is Create, Replace, or Update, and if you have typed a location.

  • To modify an existing drive mapping (identified by drive letter), select Existing, and then select a drive letter. This option is available only if the Location field is blank, and the action selected is Update.

  • To delete all drive mappings from a particular drive letter onward, select Delete all, starting at, and then select a drive letter at which to begin deleting drive mappings. Physical drives are skipped without error. This option is available only if the action selected is Delete.

  • To delete a specific mapped drive, select Delete, and then select the drive letter. This option is available only if the action selected is Delete.

Connect as

To implement a drive mapping using credentials other than those of the currently logged on user, type the credentials to be used. This option is available only if the action selected is Create, Replace, or Update.

Security Note

This password is protected by 256-bit Advanced Encryption Standard (AES) encryption and stored as part of the GPO in SYSVOL. This password should be changed on a regular basis and should not be relied on as the sole method of protecting confidential data.

Hide/Show this drive

Configure the visibility of the mapped drive:

  • To make no change to the visibility of the mapped drive, select No change. This does not take precedence over the Hide/Show all drives setting.

  • To prevent the drive from being displayed in Windows Explorer, select Hide this drive. This takes precedence over the Hide/Show all drives setting.

  • To allow this drive to be displayed in Windows Explorer, select Show this drive. This takes precedence over the Hide/Show all drives setting.

This option is available only if the action selected is Create, Replace, or Update.

Hide/Show all drives

Configure the visibility of all mapped and physical drives in Windows Explorer. The options are comparable to those for Hide/Show this drive, but apply globally to all drives.

Additional considerations

  • Hide/Show this drive options have precedence over Hide/Show all drives. For example, if a Drive Map preference item has the Hide/Show this drive option set to Hide this drive and the Hide/Show all drives option set to Show all drives, then all drives are visible except the drive designated as hidden.

  • You can use a Drive Map preference item to configure the visibility of a physical drive rather than a mapped drive. To do so, select the Update action, leave the Location field blank, select the drive letter of the physical drive, and then configure the Hide/Show this drive and Hide/Show all drives options.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Environment extension

Group Policy includes the Environment preference extension. For computers or users, this extension allows you to:

  • Create persistent user or system environment variables.

  • Modify environment variables. For example:

    • Modify the command prompt (by modifying the PROMPT system variable).

    • Modify the location of the TEMP folder (by modifying the TEMP system variable).

    • Replace the value of the entire PATH variable.

    • Add semicolon-delimited segments to the PATH variable.

    • Delete semicolon-delimited segments from the PATH variable.

    • Change the text case of semicolon-delimited segments of the PATH variable.

  • Delete environment variables.

Note

You can apply an Environment Variable targeting item to other preference items to restrict their application based on the value of the variable.

You can create and configure Environment Variable preference items for any domain-based Group Policy Object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Environment**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Environment Variable preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Environment node, point to New, and select Environment Variable.

  4. In the New Environment Variable Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter environment variable settings for Group Policy to configure or remove. (For more information, see "Environment variable settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the environment variable already exists.

Create

Create a new environment variable or to add a semicolon-delimited segment to the PATH variable for computers or users.

Delete

Remove an environment variable or to delete a semicolon-delimited segment from the PATH variable from computers or users.

Replace

Delete and recreate an environment variable. The net result of the Replace action is to overwrite all existing settings associated with the environment variable. Applying this action to a segment of the PATH variable has no practical effect, other than potentially changing the text case of the segment. If the environment variable does not exist, then the Replace action creates a new environment variable.

Update

Modify settings of an existing environment variable. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the environment variable. Applying this action to a segment of the PATH variable has no practical effect, other than potentially changing the text case of the segment. If the environment variable does not exist, then the Update action creates a new environment variable.

Environment variable settings

User Variable

To cause the environment variable to affect each user independently, select this setting for an Environment preference item under User Configuration. The environment variable is stored in the registry in HKEY_CURRENT_USER.

To cause the environment variable to affect only the default user of the computer, select this setting for an Environment preference item under Computer Configuration.

System Variable

To cause the environment variable to affect all users of the computer, select this setting. The environment variable is stored in the registry in HKEY_LOCAL_MACHINE.

Name

Type a name for the environment variable to which the action is applied. To select the PATH variable, leave this field blank.

PATH

To create or replace the value of the PATH variable or to add or delete a semicolon-delimited segment of the value of the PATH variable, select this check box. This option is available only when System Variable is selected.

Partial

To add or delete a semicolon-delimited segment of the value of the PATH variable, select this check box. This option is available only when System Variable and PATH are selected.

Value

Type the value for the environment variable. This field accepts variables.

If PATH is selected, type a semicolon-delimited list of folder paths for Windows to use to find files.

If Partial is selected, type one segment of the PATH variable, omitting the semicolon delimiter.

Additional considerations

  • If you want to restrict the scope of multiple preference items with a complex set of targeting items, you can simplify configuration by using an environment variable. For example, create an Environment Variable preference item that generates a new environment variable with a value of 1, and apply the targeting items to it. To apply the same targeting to other preference items, add an Environment Variable targeting item to those preference items, and configure it to require a value of 1 for the variable that you created using an Environment Variable preference item.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Files extension

Group Policy includes the Files preference extension. For computers or users, this extension allows you to:

  • Copy a file (or multiple files in one folder) to a new location and then configure the attributes of those files. New subfolders are created as necessary.

  • Delete a file (or multiple files in one folder) and replace it with a copy of a file from a source folder.

  • Modify the attributes of a file (or multiple files in one folder).

  • Delete a file (or multiple files in one folder).

  • Modify the attributes of, replace, or delete all files with a particular extension in one folder.

  • Modify the attributes of, replace, or delete all files in a particular folder.

Note

To configure folders rather than individual files, use the Folder extension.

You can create and configure File preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Files**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new File preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Files node, point to New, and select File.

  4. In the New File Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter file settings for Group Policy to configure or remove. (For more information, see "File settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the file already exists.

Create

Copy a file (or multiple files in one folder) from a source location to a destination location if it does not already exist at the destination, and then configure the attributes of those files for computers or users.

Delete

Remove a file (or multiple files in one folder) for computers or users.

Replace

Delete a file (or multiple files in one folder), replace it with another file or files, and configure the attributes of those files for computers or users. The net result of the Replace action is to overwrite the files at the destination location. If the file does not exist at the destination, then the Replace action copies the file from the source location to the destination.

Update

Modify settings of an existing file (or multiple files in one folder) for computers or users. This action differs from Replace in that it only updates file attributes defined within the preference item. All other file attributes remain as configured on the file. If the file does not exist, then the Update action copies the file from the source location to the destination.

File settings

Source file(s)

Type the location from which to copy the Source file(s). This location can be a fully qualified UNC path or a path on a local or mapped drive from the perspective of the client. This field can contain variables.

This field can also contain single character (?) and multiple character (*) wildcards, allowing you to copy or modify multiple files.

This option is available only if the action selected is Create, Replace, or Update.

Destination file

Type the location to which to copy a file or the location of the file to be modified. This location can be a fully qualified UNC path or a path on a local or mapped drive from the perspective of the client. Parent folders are created as necessary. You must include the file name, and you can change the file name by providing a different name for it than specified in the Source file(s) field.

This option is available only if the action selected is Create, Replace, or Update and the Source files(s) does not include wildcards.

Destination folder

Type the location of the folder to which to copy files or the location of the files to be modified. This location can be a fully qualified UNC path or a path on a local or mapped drive from the perspective of the client. Parent folders are created as necessary.

This option is available only if the action selected is Create, Replace, or Update and the Source files(s) includes wildcards.

Delete file(s)

To delete a file, type the path for the file from the perspective of the client.

To delete multiple files within a folder, incorporate single character (?) and multiple character (*) wildcards in the file name.

This option is available only if the action selected is Delete.

Suppress errors on individual file actions

To allow multiple files to transfer even if one or more individual files fail to transfer, select this check box. Only errors due to an attempt to replace, delete, or configure attributes of a file are suppressed. Such errors may be due to the file being in use, access being denied, or the source file not being found. With this option selected, such errors can only be detected in the trace file. This option is distinct from the default preference error suppression that can be overridden on the Common tab.

Attributes

To configure file system attributes for the files being transferred, select the appropriate check boxes in the Attributes box. Unchecked attributes are removed from the file at the destination.

Additional considerations

  • Many incremental backup systems use the Archive attribute to determine whether a file or folder has been created or changed and to back up the file or folder. For this reason, Archive is selected by default to select the Archive attribute on any modified folder.

  • If the Common tab option to Remove this item when it is no longer applied is selected, the destination file is deleted if it is a single file. In a multiple file operation, no files are deleted.

  • By default, a file preference item has access to all objects with the SYSTEM Access Control Entry (ACE). To change this item to run with end-user permissions (if under User Configuration), change the security context on the Common tab.

  • A file preference item resets the Read Only attribute of any destination file if necessary to accomplish the specified task.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Folders extension

Group Policy includes the Folders preference extension. For computers or users, this extension allows you to:

  • Create a folder and configure its attributes.

  • Modify a folder and configure its attributes.

  • Delete a folder and its contents.

  • Delete a folder only if it is empty.

  • Delete all files within a folder (such as a temporary files folder) without deleting the folder.

  • Delete all files within a folder without deleting subfolders.

Note

To configure individual files rather than folders, see File Extensions.

You can create and configure Folder preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Folders**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Folder preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Folders node, point to New, and select Folder.

  4. In the New Folder Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter folder settings for Group Policy to configure or remove. (For more information, see "Folder settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the folder already exists.

Create

Create a new folder for computers or users.

Delete

Remove a folder for computers or users.

Replace

Delete and recreate a folder for computers or users. The net result of the Replace action is to delete the contents of an existing folder and to overwrite all existing settings associated with the folder. If the folder does not exist, then the Replace action creates a new folder.

Update

Modify an existing folder for computers or users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the folder. If the folder does not exist, then the Update action creates a new folder.

Folder settings

Path

Type a path for the folder from the perspective of the client. Do not include quotes or a trailing slash. This field can contain variables.

Attributes

To configure file system attributes for the folder, select the appropriate check boxes.

These options are available only when the action selected is Create, Replace, or Update.

Options for Delete or Replace actions

Select a combination of options to control which files and folders are deleted. If the Replace action is selected, the folder is recreated after these options have been processed unless deletion is prevented. The effect of these options varies depending on the combination of options selected. For more information, see "Additional considerations."

These options are available only when the action selected is Replace or Delete.

Available options include:

  • Ignore errors for files/folders that cannot be deleted: If this option is cleared, an error is returned if the Folder item attempts to delete a folder that is not empty, a file that is open, a file or folder for which the user does not have permission, or any other file or folder that cannot be deleted. If selected, this option suppresses any error messages that occur because files or folders cannot be deleted.

  • Allow deletion of read-only files/folders: If this option is cleared, the Folder item is prevented from deleting read-only files and folders. If selected, this option clears the read-only attribute of files and folders that this Folder item attempts to delete.

  • Delete all files in the folder(s): If this option is cleared, the Folder item cannot delete files within folders. If selected, this option deletes all files within this folder that are allowed to be deleted. If Recursively delete all subfolders is selected as well, then all files that are allowed to be deleted within all subfolders are also deleted.

  • Recursively delete all subfolders (if emptied): If this option is cleared, the Folder item is prevented from deleting subfolders within the folder. If this option is selected, the lowest level of subfolders is deleted if they are empty, repeating for each parent folder until reaching the folder specified in the Path field. Whether subfolders are empty is evaluated after the option to Delete all files in the folder(s) has been processed.

  • Delete this folder (if emptied): If this option is cleared, the Folder item is prevented from deleting the folder specified in the Path field. If this option is selected, the folder specified in the Path field is deleted if it is empty. Whether this folder is empty is evaluated after the options to Delete all files in the folder(s) and Recursively delete all subfolders have been processed.

Additional considerations

  • Common combinations of options for Delete or Replace actions include:

    • Delete the folder only if it is empty: Select Delete this folder and Allow deletion of read-only files/folders. To prevent an error if the folder contains files and cannot be deleted, select Ignore errors.

    • Delete the folder and all files and subfolders within: Select Delete this folder, Recursively delete all subfolders, Delete all files in the folder(s), and Allow deletion of read-only files/folders.

    • Delete all empty subfolders within the folder: Select Recursively delete all subfolders and Allow deletion of read-only files/folders. To prevent an error if the folder contains files and cannot be deleted, select Ignore errors.

    • Delete all files within the folder, but not subfolders or files within subfolders: Select Delete all files in the folder(s) and Allow deletion of read-only files/folders.

    • Delete all files and subfolders within the folder: Select Recursively delete all subfolders, Delete all files in the folder(s), and Allow deletion of read-only files/folders.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Ini files extension

Group Policy includes the Ini Files preference extension. For computers and groups of computers or for users and groups of users, this extension allows you to:

  • Add a property to a configuration settings (.ini) or setup information (.inf) file.

  • Replace a property in an .ini or .inf file.

  • Delete a property from an .ini or .inf file.

  • Delete a section from an .ini or .inf file.

  • Delete an .ini or .inf file.

Note

To copy any type of file to a new location or to modify its attributes, see the File Extensions.

You can create and configure Ini File preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Ini Files**

For information about how to use this extension to create and configure a preference item, see the following topics:

Each section in an .ini or .inf file uses the following format:

[SectionName]
PropertyName1=PropertyValue1
PropertyName2=PropertyValue2

Before you create an Ini File preference item, you should review the behavior of each action possible with this extension.

To create a new Ini File preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Ini Files node, point to New, and select Ini File.

  4. In the New Ini File Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter configuration settings (.ini) or setup information (.inf) file settings for Group Policy to configure or remove. (For more information, see "Ini file settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the property already exists.

Create

Add and configure a property in an .ini or .inf file for computers or users. If the file does not exist, it is created.

Delete

Remove a property or a section from an .ini or .inf file, or delete an .ini or .inf file for computers or users.

Replace

Delete and recreate a property in an .ini or .inf file for computers or users. The net result of the Replace action is to overwrite the property. If the property does not exist, then the Replace action creates the property.

Update

This action has the same effect as Replace.

Ini file settings

Important

File Path

Additional considerations

  • The Section Name, Property Name, and Property Value fields are each disabled until you type text in the preceding field.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Network shares extension

Group Policy includes the Network Shares preference extension. For computers, this extension allows you to:

  • Create a share and configure its properties.

  • Modify the folder path for a share by replacing the share.

  • Delete ("un-share") or modify the user limit, Access-Based Enumeration, and comment for:

    • A share.

    • All shares except hidden shares.

    • All hidden shares except administrative drive-letter shares.

    • All administrative drive-letter shares.

    • All shares.

Note

Network Share items create, modify, or delete share points, but do not create or delete the folders to which they point. For a share point to be created, the folder to be shared must already exist on computers to which the Group Policy object is applied. When a share is deleted, the share point leading to the folder is removed, but the folder and its contents are not deleted. For information on how to use a Folder preference item to create or delete folders using Group Policy, see Folders extension.

You can create and configure Network Share preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Network Shares**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Network Share preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Network Shares node, point to New, and select Network Share.

  4. In the New Network Share Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter network share settings for Group Policy to configure or remove. (For more information, see "Network share settings" in this topic.)

  6. Click the Common tab and configure any options desired.

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the share already exists.

Create

Create a new share for computers.

Delete

Remove ("un-share") a share from computers.

Replace

Delete and re-create a share. The net result of the Replace action is to overwrite all existing settings associated with the share. If the share does not exist, then the Replace action creates a new share.

Update

Modify settings of a share. This action differs from Replace because it only updates settings that are defined within the preference item. All other settings remain as configured on the share. If the share does not exist, then the Update action creates a new share.

Network share settings

Note

Share name

User limit

Configure the number of users allowed to be simultaneously connected to the share.

  • To restrict the number of users, select Allow this number of users and enter the maximum to allow.

  • To make the number of users unrestricted, select Maximum allowed.

  • To leave the allowed number of users unchanged when updating a share, select No change.

    Note

    If creating or replacing a share, selecting No change configures the number of users as the maximum allowed.

These options are available only if the action selected is Create, Replace, or Update.

Access-based Enumeration

Configure the visibility of folders within the share.

  • To make folders within the share visible only to those who have read access, select Enable.

  • To make folders within the share visible to all users, select Disable.

  • To leave the visibility of folders within the share unchanged when you update a share, select No change.

This option is available only if the action selected is Create, Replace, or Update.

Additional considerations

  • Network Share items create, modify, or delete share points, but do not create or delete the folders to which they point. For a share point to be created, the folder to be shared must already exist on computers to which the Group Policy object is applied. When a share is deleted, the share point leading to the folder is removed, but the folder and its contents are not deleted.

  • For information on how to use a Folder preference item to create or delete folders using Group Policy, see Folders extension.

  • Access-Based Enumeration options take effect only if the computers hosting shared folders have the Windows Server® 2003 Service Pack 1 or later or Windows Server® 2008 R2 or Windows Server 2008 operating system installed.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Registry extension

Group Policy includes the Registry preference extension. For computers or users, this extension allows you to:

  • Copy multiple registry settings from a computer and apply those settings to other computers.

  • Create, replace, or delete an individual registry value.

  • Create an empty key, delete a key, or delete all values and subkeys in a key.

  • Create collections (folders) to organize Registry preference items in the Group Policy Management Console, and so you can apply the same targeting to multiple Registry items.

  • Create collections in the Group Policy Management Console that mirror the structure of keys in the registry on a selected computer.

You can create and configure Registry preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Registry**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create multiple Registry preference items

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node, point to New, and select Registry Wizard.

  4. Select the computer on which the desired registry settings exist (or on which similar settings you will modify exist), then click Next.

  5. Browse to and select the check box for each key or value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.

  6. Click Finish. The settings that you selected appear as preference items in the Registry Wizard Values collection.

  7. Right-click the Registry Wizard Values collection in the console tree, click Rename, and type a descriptive name for the collection.

Additional considerations

  • You can modify the settings in the individual Registry preference items created by the Registry Wizard. For more information, see Configure Registry Item Options.

  • You can reorganize Registry preference items and collections by dragging them into collections that you create. The structure of collections of Registry preference items has no impact on the position of keys and values in the Windows registry. For more information, see Collect Registry Items.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

To create a new Registry preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node, point to New, and select Registry Item.

  4. In the New Registry Item dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter registry settings for Group Policy to configure or remove. (For more information, see "Registry settings" in this topic.)

  6. Click the Common tab and configure any options desired.

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the registry key or value already exists.

Create

Create a new registry value or key for computers or users.

Delete

Remove a registry value or a registry key and all of its values and subkeys for computers or users.

Replace

Delete and recreate a registry value or key for computers or users. If the target is a registry value, the net result of the Replace action is to overwrite all existing settings associated with the registry value. If the target is a registry key, the net result is to delete all values and subkeys in the key, leaving only a default value name with no data. If the registry value or key does not exist, then the Replace action creates a new registry value or key.

Update

Modify settings of an existing registry value or key for computers or users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured in the registry value or key. If the registry value or key does not exist, then the Update action creates a new registry value or key.

Registry settings

You can click the Browse button next to the Key Path field to navigate to the registry value or key to be configured.

If the registry value or key that you want to configure exists on this computer, click to browse to the value or key. The remaining fields in the Properties dialog box are populated based on your selection. You can edit the values in those fields.

To select a key without specifying a value (or if the value does not yet exist), click the key in the tree at the top of the window, and then click Select.

Hive

If you did not browse to a value or key, select the hive for the registry key.

  • HKEY_CLASSES_ROOT is an alias for HKEY_LOCAL_MACHINE\Software\Classes.

  • HKEY_CURRENT_USER is an alias for HKEY_USERS\logged-on user's hive. HKEY_USERS\.Default is used when HKEY_CURRENT_USER is configured under computer configuration.

  • HKEY_LOCAL_MACHINE is the default option for computer policy. These settings affect all users of the computer.

  • HKEY_USERS is the default option for user policy. These settings affect individual users.

  • HEKY_CURRENT_CONFIG is an alias for HEKY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current.

Key Path

If you did not browse to a value or key, type the key path. Do not include the hive or a leading or trailing slash.

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

Value name

To configure a value, either select the Default checkbox to configure the default value for the key or type the name of the value to configure. To configure only a key, leave this field blank.

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

Value type

To configure a value, select the value type. To configure only a key, leave this field blank.

This option is available only if the action selected is Create, Replace, or Update and if you have entered a Value name.

Value data

To configure value data, type the data for the registry value. To configure only a key, leave this field blank.

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the action selected is Create, Replace, or Update and if you have selected a Value type.

Additional considerations

  • Using the Registry Wizard, you can create multiple Registry preference items based upon registry settings that you select. For more information, see Create Multiple Registry Items Using the Registry Wizard.

  • You can organize Registry preference items by dragging them into collections that you create. The structure of collections of Registry preference items has no impact on the position of keys and values in the Windows registry. For more information, see Collect Registry Items.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

To create a new collection of Registry preference items

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Registry node or a collection folder beneath the node, point to New, and select Collection Item.

  4. Type a name for the collection folder.

  5. The new collection folder appears in the console tree.

  6. Right-click the collection folder, point to New, and click Registry Item or Collection Item to create a registry item or a subfolder within this collection folder, or drag existing Registry items or collections into this collection folder.

Additional considerations

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Shortcuts extension

Group Policy includes the Shortcuts preference extension. For computers or users, this extension allows you to:

  • Create a shortcut.

  • Modify the properties of a shortcut.

  • Delete a shortcut.

You can create and configure Shortcut preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Shortcuts**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Shortcut preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Shortcuts node, point to New, and select Shortcut.

  4. In the New Shortcut Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter shortcut settings for Group Policy to configure or remove. (For more information, see "Shortcut settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the shortcut already exists.

Create

Create a new shortcut for computers or users.

Delete

Remove a shortcut for computers or users.

Replace

Delete and recreate a shortcut for computers or users. The net result of the Replace action is to overwrite the existing shortcut. If the shortcut does not exist, then the Replace action creates a new shortcut.

Update

Modify settings of an existing shortcut for computers or users. This action differs from Replace in that it only updates shortcut settings defined within the preference item. All other settings remain as configured in the shortcut. If the shortcut does not exist, then the Update action creates a new shortcut.

Shortcut settings

Name

Type a display name for the shortcut. If modifying or deleting a shortcut, the name entered must match the name of the existing shortcut.

Target Type

Select the type of target to which the shortcut points. If modifying or deleting a shortcut, the target type selected must match that of the existing shortcut.

If the shortcut can be addressed:

  • Using a Windows path (such as a file, folder, drive, share, or computer), click File System Object.

  • Using a URL (such as a Web page, Web site, or FTP site), click URL.

  • As an object within the Windows shell (such as a printer, desktop or control panel item, file, folder, share, computer, or network resource), click Shell Object.

Location

Select the location where the shortcut is to appear on the computers targeted by this preference item. Locations other than All Users are relative to the logged-on user. If modifying an existing shortcut, the location selected must match that of the existing shortcut. This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

To place the shortcut in a subfolder at the location, enter the subfolder path in the Name field followed by the display name. (For example, to place a shortcut with the display name My Shortcut in the MyCorp subfolder of Explorer Favorites, type MyCorp\My Shortcut for the Name and select Explorer Favorites for Location.)

If selecting <Specify full path>, type the full path followed by the display name in the Name field. (For example, to place a shortcut with the display name My Shortcut in the MyCorp subfolder of Program Files, type %ProgramFilesDir%\MyCorp\My Shortcut for the Name and select <Specify full path> for Location.)

Target Path

Enter a local path, UNC path, or drive letter to which the shortcut will lead. This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the Target Type selected is File System Object and the action is Create, Replace, or Update.

Target URL

Enter a URL to which the shortcut will lead. This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the Target Type selected is URL and the action is Create, Replace, or Update.

Target Object

Select the shell object (such as a printer, desktop or control panel item, file, folder, share, computer, or network resource) to which the shortcut will lead.

This option is available only if the Target Type selected is Shell Object and the action is Create, Replace, or Update.

Arguments

Type any arguments to be used when opening the target file or folder.

This option is available only if the Target Type selected is File System Object and the action is Create, Replace, or Update.

Start in

To specify a working directory that contains files required by the target, type the path for the folder. Do not include quotes or a trailing slash. This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the Target Type selected is File System Object and the action is Create, Replace, or Update.

Shortcut key

To provide a keyboard shortcut for launching the shortcut, click the Shortcut key field and press the key combination. (To remove the keyboard shortcut, press DELETE or BACKSPACE.)

This option is available only if the action is Create, Replace, or Update.

Run

Select the size of the window in which to open the target of the shortcut.

This option is available only if the Target Type selected is File System Object or Shell Object and the action is Create, Replace, or Update.

Comment

To display a tooltip when the mouse pointer pauses on the shortcut, type the text for the tooltip. This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the Target Type selected is File System Object or Shell Object and the action is Create, Replace, or Update.

Icon file path and Icon index

To specify an icon for the shortcut other than the default for the type, browse to an icon file and select an icon. (You can also type the full path for an icon file, and then type an icon index.) Do not include quotes. The Icon file path field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

These options are available only if the action is Create, Replace, or Update.

Additional considerations

  • Because mapped drives exist only for users, if any path in the configuration for a shortcut includes a mapped drive, the Shortcut preference item must be under User Configuration, the drive letter must exist before the Shortcut item is processed, and Run in logged-on user's security context must be selected on the Common tab.

  • By default, variables in the Target path are resolved by Group Policy before the shortcut is created or modified. To include the variable rather than its resolved value in the shortcut (so that the variable is resolved in the environment on the computers to which this Shortcut item is applied), use unresolved variable syntax, such as %<ProgramFiles>% in place of %ProgramFiles%.

    Because unresolved variable syntax is resolved in the environment of computers to which the Shortcut item is applied, use only environment variables (rather than preference processing variables).

  • User specific paths resolve to .default when applying a shortcut item to the computer.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.