Windows 7: Group Policy Preferences
Group Policy preferences let you control computers in a number of ways. Think of them as unmanaged settings for your computers and users.
William R. Stanek
It's hard to understand why not every organization uses Group Policy preferences. Some people just don’t seem to understand the technology, so here’s the full rundown.
You might be wondering what Group Policy preferences are all about. Group Policy preferences differ from Group Policy settings in many ways. If you think of Group Policy settings as a set of rules you apply to computers and users, you can think of Group Policy preferences as a set of guidelines you apply to users and computers. You can also think of Group Policy settings as managed settings for computers and users, and Group Policy preferences as unmanaged settings for computers and users.
You use settings to control OS and component configuration. You can also apply settings to prevent users from making certain changes to their computers. You use preferences to establish baselines. Users can change settings applied through preferences, though you can have Group Policy reapply preferences automatically as part of the policy refresh process. So for preferences, your options are to apply once or to reapply at each refresh.
Here are some other factors to keep in mind:
- When you configure Group Policy settings, you typically make changes in policy-based areas of the registry and don’t overwrite original settings. When you configure Group Policy preferences, you make changes in the same areas of the registry used by the OS and applications. These changes overwrite the original settings.
- When you remove a Group Policy setting, the original settings are restored. When you remove a Group Policy preference, it doesn’t restore the original settings.
The bottom line is that Group Policy settings are enforced. Group Policy preferences are not. So if that’s the case, why use preferences?
Unlike Group Policy settings, which apply to both local computer policy and Active Directory policy, Group Policy preferences only apply to Active Directory policy. You use preferences to configure many areas of the OS, including:
- System devices, such as USB ports, floppy drives and removable media
- Network shares and mapping network shares to drive letters
- System and user environment variables
- User and group accounts for the local computer
- VPN and dial-up networking connections
- Printer configuration and mapping
- Registry settings, scheduled tasks and system services
- Settings for Folder Options, Internet Options and Regional and Language Options
- Settings for power schemes and power management
- Start Menu properties and menu items
Group Policy preferences can also help you manage files, folders and shortcuts. You can use preferences to create shortcuts and folders on computers. You can also copy files from a source location to a specified file path on computers. Previously you had to configure many of these features with logon, logoff, startup or shutdown scripts or by manually configuring system images. With Group Policy preferences, you might be able to replace these types of scripts or manual configuration.
Applying configuration through preferences is easier than you think. For example, if you don’t want your computers to run a service such as FTP or World Wide Web Publishing, you can configure a preference to disable and stop the service.
Although preferences are unmanaged and not enforced, you can set the preference to be applied each time Group Policy is refreshed. As a result, if a user started the service, it would be stopped and disabled whenever Group Policy is refreshed.
Group Policy preferences let you configure many areas of the OS. They might also let you replace certain types of scripts and manual configuration tasks. Unlike Group Policy settings, which you set to an enabled, disabled or not-configured state, you configure most preferences using one of four actions: Create, Replace, Update or Delete, also known as CRUD.
The Create action creates a preference if there isn’t one already. For example, you can use the Create action to create and set the value of a user environment variable called CurrentOrg. If the variable already exists, the variable value won’t be changed.
The Replace action also creates preferences that don’t yet exist, or deletes and creates preferences that do already exist. For example, you can use the Replace action to replace a file on certain computers. If the file exists, Group Policy removes it from the target location, copies it from a specified source location and overwrites the existing file in a designated target location. If the file doesn’t exist, Group Policy simply copies it from the source location to the designated target location.
The Update action creates preferences that don’t yet exist or modifies preferences if they do exist. For example, you can use the Update action to modify a local group. If the local group exists, you can rename the group and update its settings with the settings you’ve defined for the preference item.
This lets you add users and groups as members, while ensuring the current group membership isn’t modified. However, as with many preferences, you have action modifiers. These act as additional update options. With these update modifiers, you could choose to delete all member users, delete all member groups or perform both actions.
The Delete action deletes preferences if they exist. For example, you could use Delete to delete a specified network share from computers. Action modifiers let you perform other tasks as well, such as deleting all regular shares, all hidden non-administrative shares, all administrative drive letter shares or any combination thereof.
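The following added example (not from the original article, and not Microsoft's processing code) is a simplified model of how each action treats a local group that someone edits between two policy refreshes, including the Update "delete all members" modifier and the apply-once option. The names GroupItem, process and drift_demo, the group Helpdesk and all account names are hypothetical and constructed for illustration.

```python
# Added illustration: simplified model of the four actions, not Microsoft's code.
from dataclasses import dataclass

@dataclass
class GroupItem:                      # hypothetical stand-in for a preference item
    action: str                       # "Create", "Replace", "Update" or "Delete"
    group: str
    members: frozenset = frozenset()
    delete_all_members: bool = False  # Update modifier: clear membership first
    apply_once: bool = False          # False: reapplied at every policy refresh
    done: bool = False                # bookkeeping for apply-once items

def process(item, groups):
    """Apply one item to `groups` (dict: group name -> set of member names)."""
    if item.apply_once and item.done:
        return
    exists = item.group in groups
    if item.action == "Create":
        if not exists:                          # an existing group is left untouched
            groups[item.group] = set(item.members)
    elif item.action == "Replace":              # delete, then recreate as defined
        groups[item.group] = set(item.members)
    elif item.action == "Update":
        current = groups.setdefault(item.group, set())
        if item.delete_all_members:
            current.clear()
        current |= item.members                 # add members, keep the rest
    elif item.action == "Delete":
        groups.pop(item.group, None)
    else:
        raise ValueError("unknown action: " + item.action)
    item.done = True

def drift_demo(action, **options):
    """Refresh, simulate a local change, refresh again; return final members."""
    groups = {"Helpdesk": {"legacy-admin"}}     # constructed starting state
    item = GroupItem(action, "Helpdesk", frozenset({"svc-support"}), **options)
    process(item, groups)                       # first policy refresh
    if "Helpdesk" in groups:                    # someone edits the unmanaged group
        groups["Helpdesk"].add("extra-user")
        groups["Helpdesk"].discard("svc-support")
    process(item, groups)                       # next policy refresh
    return groups.get("Helpdesk")

if __name__ == "__main__":
    for action in ("Create", "Replace", "Update", "Delete"):
        print(action, drift_demo(action))
    print("Update + delete all", drift_demo("Update", delete_all_members=True))
```

In this model, a reapplied Update puts the baseline member back but leaves the locally added account in place; only Replace, or Update with the delete-all modifier, returns the group to exactly the defined membership.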
So those are the CRUD actions and how they work. In addition to those preferences you can manage using CRUD, there are also preferences you can manage through an interface similar to the actual Control Panel. These preferences generally have both CRUD actions you can apply and editing states. For ease of reference, these special preferences include:
- Start Menu settings
- Regional and Language settings
- Internet options
- Folder options
- Power options
You can identify special-preference items immediately, as they’re underlined in either a solid-green or a red-dashed line. They could also have an icon depicting a green or red circle. These elements indicate the editing state of a particular item. Green items are delivered and processed. Red items are not yet delivered or processed.
If you’ve worked with Windows for a while, you won’t be surprised to find things aren’t always clear-cut. There are standard preference items with extended interfaces. For example, when you create preference items for scheduled tasks to run in Windows Vista or later, you have the CRUD actions and an extended interface similar to the standard interface used by Windows Vista or later. However, these preference items won’t have green and red editing-state indicators. The green and red indicators tell you that you’re working with a special-preference item.
The best way to learn about special preferences is to start right in. When you’re configuring preferences for the Start Menu, you must specify whether you want to create a preference item for computers running Windows XP or Windows Vista and later. You can then define general settings, including icon size for programs, number of programs to list on the Start Menu, and configuration options for the Classic Start Menu, the simple Start Menu or both.
Preference items for folder options and power options are divided into separate items for computers running Windows XP or those running Windows Vista and later. For Windows XP, you can configure Power options and Power schemes. For Windows Vista and later, you can only configure Power plans.
With Internet options, you can configure settings based on the browser version. There are separate preference items for Internet Explorer 5 and 6, Internet Explorer 7 and Internet Explorer 8. Specify the desired settings using a dialog box similar to the Internet Options dialog box you see when the related browser version is installed.
Although most Group Policy preferences only support CRUD management actions, a few also support editing states. You’ll know them as soon as you see them because they have UIs similar to what you’ll find in the relevant OS or application. For example, the Internet Settings preference is specific to the version of Internet Explorer. The Power Options preference is specific to your installed version of the Windows OS.
Here’s a complete list of the other preferences that support editing states:
- Start Menu settings
- Regional and Language settings
- Internet options
- Folder options
- Power options (to include Power Schemes)
The editing state of any particular option will be depicted visually as follows:
- Green means the setting will be delivered and processed by the client.
- Red means the setting will not be delivered or processed by the client.
Or put another way: Green means go (or processed); red means stop (or not processed). When an option is green, you can enable, disable or configure the option to a specific value. This lets you control how the option is used. When an option is red, it’s not applied, so the current value is irrelevant.
Use the function keys to toggle the editing state. To enable all options on the currently selected tab, press F5. To disable all options on the currently selected tab, press F8. To enable current, press F6. To disable current, press F7. Here’s a quick reference:
- F5: Enable All
- F6: Enable Current
- F7: Disable Current
- F8: Disable All
Well, there you have it—a thorough discussion about Group Policy preferences. Hopefully more folks will start using them to master their enterprise systems. As Bob Dylan croons, “You better start swimming or you’ll sink like a stone.”