Expanded Control with Group Policy Preferences
At a Glance:
- Operating system compatibility for Group Policy Preferences
- Policies vs. preferences in different management areas
- Setting preferences with the GPME
- Administering Group Policy Preferences
Among the new technologies that Windows Server 2008 and Windows Vista brought, one of the most compelling is Group Policy Preferences (GPPs), which now greatly expands what administrators can do with Group Policy. Group Policy Preferences provide more than 3,000 settings in 22 different areas within a Group Policy Object (GPO) and include setting drive and printer mappings and controlling local group membership. And the great thing is that you don't need to install a new infrastructure since the technology works with your existing Active Directory infrastructure and Group Policy environment. You need only install an administrative tool and client DLL to get this to work. In this article, I'll delve into Group Policy Preferences in order to demonstrate both their usefulness and how easy they are to deploy and administer.
GPPs can only be administered in an Active Directory environment that contains at least one Windows Server 2008 server or Windows Vista desktop, because these are the only ones that can support the new Group Policy Management Console (GPMC). The GPMC is required to support and administer the GPP settings, and it also launches the new Group Policy Management Editor (GPME) that displays the GPPs that can be administered.
The situation is much different, however, when it comes to applying the settings that are associated with GPPs; for this, operating systems before Windows Server 2008 and Windows Vista are supported as well. Specifically, GPPs support Windows Server 2003 SP1 and Windows XP Professional SP2, as well as all operating systems that came after these. Figure 1 summarizes which operating systems can administer GPPs and which can apply GPPs.
Figure 1 Operating system support

| Operating system | Can Apply Group Policy Preferences | Can Manage Group Policy Preferences through GPME |
| Windows XP (x86 and x64) | Supported with SP2 and CSE installation | Not supported |
| Windows Vista (x86 and x64) | Supported with SP1 and CSE installation | Supported with SP1 and RSAT installed |
| Windows Server 2003 (x86 and x64) | Supported with SP1 and CSE installation | Not supported |
| Windows Server 2008 (x86 and x64) | Supported | Supported |
Policies and Preferences
The terms "policies" and "preferences" are important to grasp with the new Group Policy capabilities. The definitions of policies and preferences are based upon some key management areas of Group Policy, including enforcement, flexibility, Registry behavior, targeting, and user interface. That's not an exhaustive list, but these are the areas that tend to be most important to administrators.
Let's look at the key benefits preferences provide in these areas. Figure 2 has more information on the differences between policies and preferences.
Figure 2 Group Policy preferences and policies*

| Area | Group Policy Preferences | Group Policy Settings |
| Enforcement | Preferences are not enforced. User interface is not disabled. Preferences can be refreshed or applied only once. | Settings are enforced. User interface is disabled. Settings are refreshed. |
| Flexibility | Easily create preference items for registry settings, files, and so on. Import individual registry settings or entire registry branches from a local or a remote computer. | Adding policy settings requires application support and creating administrative templates. Cannot create policy settings to manage files, folders, and so on. |
| Local Group Policy | Not available in local Group Policy. | Available in local Group Policy. |
| Application awareness | Supports non-Group Policy-aware applications. | Requires Group Policy-aware applications. |
| Registry Location and Behavior | Original settings are overwritten. Removing the preference item does not restore the original setting. | Original settings are not changed. Stored in registry Policy branches. Removing the policy setting restores the original settings. |
| Targeting and Filtering | Targeting is granular, with a user interface for each type of targeting item. Supports targeting at the individual preference item level. | Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries. Supports filtering at a GPO level. |
| User Interface | Provides a familiar, easy-to-use interface for configuring most settings. | Provides an alternative user interface for most policy settings. |

*Table courtesy of "Group Policy Preferences Overview" by Jerry Honeycutt
Enforcement GPPs are not enforced, so an initial configuration can be set while the end user remains in control of it afterward.
Flexibility GPPs let you easily add any Registry value, file, or folder to the GPO for management. Also, since GPPs are XML-based, they can be copied and pasted into other GPOs efficiently.
Registry Behavior All Registry entries can be controlled even when the target computer or user is no longer under the scope of management of the GPO where the Registry value is configured. Registry values can be removed or kept in place after the GPO no longer affects the target object.
Targeting Each GPP setting provides more than 25 different targeting filters for controlling whether or not the setting affects the target object. Examples of filters include IP address range, security group membership, and Registry value match.
User Interface The user interface for GPP is dramatically easier and friendlier than for other settings in the GPO. In most cases, the "real configuration interface" is duplicated in the GPO, making configuration of the setting easy and familiar.
GPP Structure and Settings
When a GPO is opened in the GPME, policies and preferences are very clearly separated, as shown in Figure 3, making it easy to see which settings fall within the new GPP arena. This is important to note, as preferences behave differently than policies. When you expand the Preferences nodes under either Computer Configuration (see Figure 4) or User Configuration (see Figure 5), you'll find the numerous settings split into two categories, Control Panel Settings and Windows Settings.
Figure 3 The GPME separates policies from preferences
Figure 4 Computer Configuration Preferences
Figure 5 User Configuration Preferences
You can control GPPs more granularly than other settings in a GPO by using the options available on the Common tab for each preference. The Common tab includes checkboxes for five different settings, an option to configure targeting, and a textbox for describing the GPO preference for documentation and troubleshooting purposes.
Stop Processing Items in this Extension if an Error Occurs By default, Group Policy processes every setting, even when several settings belong to the same Client-Side Extension (CSE) and one of them fails. If you want processing of the settings within a single CSE to stop after one of them fails, enable this option. The setting applies only within the current GPO.
Run in Logged-on User's Security Context (User Policy Option) When Group Policy settings (policies and preferences alike) apply, they apply using the local System account. Since the local System account only has access to the system environment variables and local resources, obviously the user context is not available. In order for the user environment variables and network resources to be accessed, this option can be enabled to process Group Policy Preferences using the logged-on user's account.
Remove This Item when It Is No Longer Applied GPP settings are not deleted from the registry when the GPO is removed from the user or computer, nor when the user or computer falls out of the GPO's scope of management. To have preference settings removed when the GPO no longer applies to the user or computer object, enable this option (note that it is not available for some extensions, such as those for Internet Explorer).
Apply Once and Do Not Reapply Group Policy has a default refresh interval, which is approximately every 90 minutes. This refresh is implemented so that new settings can be applied, and old settings reapplied, without the computer or user needing to restart or re-logon. If the GPP setting you are configuring should only apply one time to the computer and never update, you can enable this setting. This is an excellent mechanism for establishing an initial array of configurations that GPP can affect, while still allowing the user to create a customized environment by changing the settings after logon and not have them overwritten.
If the settings fall under the User Configuration, GPP will apply these settings once on each computer the user logs onto. If the setting falls under the Computer Configuration, GPP will apply the setting once per computer. Note, however, that this is a one-time-only application of these settings. In order to update or re-apply these settings, you must uncheck this option first.
Item-Level Targeting By default, all users and computers that fall under the scope of management of the GPO will receive the settings within the GPO. In order to have these settings apply to only a subset of the default users and computers, targeting can be used. More than 25 different targeting items are available; they can be used alone or in conjunction with other items. Figure 6 shows the full list of item-level targeting options.
Figure 6 Item-level targeting is used to dynamically control GPP settings on user and computer objects
Description The Description textbox lets you document the settings, options, and targeting items for each GPP setting. This is the text that will be seen when the particular preference setting is selected within the GPME, without having to edit the GPP setting itself, as shown in Figure 7.
Administration of GPPs is the same as that of other GPO settings. The only catch, as noted earlier, is that they must be administered from a computer running Windows Server 2008 or Windows Vista SP1.
Figure 8 New Drive Properties dialog box opens when you create a new policy setting for Drive Mapping
Suppose you want to configure a drive mapping under the User Configuration portion of the GPO. The preference setting for this is located at User Configuration | Preferences | Windows Settings | Drive Maps. Right-click the Drive Maps node and select New—Mapped Drive; this creates a new drive-mapping preference item, as shown in Figure 8. Here you enter the information needed to map the drive, such as the Location, a local label for the drive, and a Drive Letter.
At this point, you can either let the drive mapping apply to every user who falls under the scope of management of the GPO, or limit the users who receive it by configuring item-level targeting. In this example, set up item-level targeting so that the mapping is delivered based on security group membership and on a quick check that a specific program (.exe) file exists on the user's computer. The second check is there because the shared folder you're mapping contains files that are useful only when opened with that program.
To make these item-level targeting settings, click on the Common tab in the New Drive Properties dialog box. Then, click the checkbox next to Item-level targeting and then on the Targeting button. This opens the Item-level targeting dialog box. Click the dropdown list for Targets and click on Security Group. Then, click on Browse, which will let you configure the proper group, HR Users in the example (see Figure 9).
Now you'll want to configure the path to the .exe file. Select File Match from the Target dropdown list to add the criterion, then type the path of the file, C:\Program Files\ACME\HRBenefits.exe, for this example. (Note: Drive Maps and Printers both adhere to foreground GPO policy refresh. For more information on foreground and background policy refresh, refer to the GPP article, Group Policy Processing.)
After this, the next time a user logs off and back on, the mapped drive will appear, provided he is a member of the HR Users security group and has the HRBenefits.exe file on his computer. If those criteria are not met, the drive letter will not appear.
Figure 9 Item-level targeting options can be combined
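The Common-tab options and the two-condition targeting described above, as an added PowerShell example that is not part of the article and is not Microsoft's code: it loads a constructed Drives.xml fragment of the kind GPP stores in the GPO, reports the Common-tab options recorded on the item, and evaluates the Security Group and File Match targeting items against the current user and computer, which is a handy way to see why a mapping did or did not apply on a given desktop. The XML content, the group name and SID, the share path, and every GUID are constructed placeholders; the attribute and element names (userContext, removePolicy, FilterGroup, FilterFile, FilterRunOnce, bool, not) and the left-to-right combination of AND/OR items are my assumptions about the GPP XML layout, not something the article states. It assumes PowerShell 3.0 or later on Windows.

```powershell
# Added example, not from the article. Evaluates a GPP Drive Map item the way the
# Common tab and item-level targeting sections describe it.
# The Drives.xml below is CONSTRUCTED; attribute names are an assumption about the
# GPP XML layout, and all GUIDs, names, SIDs and paths are placeholders.
$drivesXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-000000000000}">
  <Drive clsid="{00000000-0000-0000-0000-000000000001}" name="H:" status="H:" image="2"
         uid="{11111111-2222-3333-4444-555555555555}" userContext="1" removePolicy="1">
    <Properties action="U" thisDrivePath="\\fileserver\HRBenefits" letter="H"
                label="HR Benefits" persistent="1" useLetter="1" path="\\fileserver\HRBenefits" />
    <Filters>
      <!-- Security Group targeting item: HR Users, matched by SID -->
      <FilterGroup bool="AND" not="0" name="CONTOSO\HR Users" sid="S-1-5-21-0-0-0-1001"
                   userContext="1" primaryGroup="0" localGroup="0" />
      <!-- File Match targeting item: the program the shared files are useful with -->
      <FilterFile bool="AND" not="0" path="C:\Program Files\ACME\HRBenefits.exe" type="EXISTS" />
      <!-- "Apply once and do not reapply" is recorded as a run-once marker, not a condition -->
      <FilterRunOnce id="{66666666-7777-8888-9999-000000000000}" />
    </Filters>
  </Drive>
</Drives>
'@

function Get-GppCommonOptions {
    # Reads the Common-tab choices recorded on one preference item.
    param([System.Xml.XmlElement]$Item)
    $conditions = @($Item.Filters.ChildNodes |
                    Where-Object { $_.NodeType -eq 'Element' -and $_.LocalName -ne 'FilterRunOnce' })
    [pscustomobject]@{
        Item             = $Item.name
        RunInUserContext = ($Item.userContext -eq '1')             # "Run in logged-on user's security context"
        RemoveWhenGone   = ($Item.removePolicy -eq '1')            # "Remove this item when it is no longer applied"
        ApplyOnce        = ($null -ne $Item.Filters.FilterRunOnce) # "Apply once and do not reapply"
        HasTargeting     = ($conditions.Count -gt 0)               # "Item-level targeting"
    }
}

function Test-GppTargeting {
    # Evaluates the item's targeting items against the current user and this computer.
    # Assumption: items combine left to right using each item's bool (AND/OR) and not
    # flags; only the two targeting types used in the article's walkthrough are evaluated.
    param([System.Xml.XmlElement]$Item)
    $userSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
                ForEach-Object { $_.Value }
    $result  = $true
    $filters = @($Item.Filters.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
    foreach ($f in $filters) {
        $match = switch ($f.LocalName) {
            'FilterGroup'   { $userSids -contains $f.sid }                    # group membership by SID
            'FilterFile'    { Test-Path -LiteralPath $f.path -PathType Leaf } # file exists on this computer
            'FilterRunOnce' { $true }                                          # not a condition
            default         { $true }                                          # other types: not evaluated here
        }
        if ($f.not -eq '1') { $match = -not $match }
        if ($f.bool -eq 'OR') { $result = $result -or $match } else { $result = $result -and $match }
    }
    return $result
}

$doc = [xml]$drivesXml
foreach ($drive in @($doc.Drives.Drive)) {
    Get-GppCommonOptions -Item $drive | Format-List
    $applies = Test-GppTargeting -Item $drive
    'Drive {0} -> {1} would apply to {2} on this computer: {3}' -f $drive.name, $drive.Properties.path, [Environment]::UserName, $applies
}
```

Run it in the context of the user you are troubleshooting; the FilterGroup check uses the token's group SIDs, so a user added to HR Users since the last logon will still show as not matching until they log on again, which mirrors what the article says about the mapping appearing only after a logoff and logon.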
Group Policy Preferences to the Rescue
Here is a short list of some of the problems I have solved using GPPs:
- Fixing the membership of the local Administrators group on every desktop to include Domain Admins and the local Administrator account, but not deleting the existing members of the group.
- Ensuring that the current user of the desktop does not have his user account located in the local Administrators group.
- Controlling power options on every desktop computer for big electricity savings.
- Updating the service configuration area on every server running a specific service so that the service startup mode is always Automatic.
- Mapping printers dynamically such that when laptop users visit Branch office 1, they get the proper printers. Likewise, when they visit Branch office 2, they get the correct printers for that location.
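The first two items in that list, as an added PowerShell check that is not part of the article and not Microsoft's code: it reads the local Administrators group through the WinNT ADSI provider, confirms that the members a Local Users and Groups preference item would guarantee are present, and confirms that the logged-on user is not a member. Useful as a detection pass before and after the GPP is deployed. The CONTOSO domain name and the required-member list are assumed sample values, and the script assumes a domain-joined Windows computer; the WinNT provider path and the InvokeMember idiom for reading COM group members are standard PowerShell.

```powershell
# Added example, not from the article. Audits the local Administrators group against
# the baseline the article's first two list items describe: Domain Admins and the
# local Administrator account must be present, the current user must not be.
# Assumptions: runs on a domain-joined Windows computer; CONTOSO is a placeholder domain.

$RequiredMembers = @('CONTOSO\Domain Admins', "$env:COMPUTERNAME\Administrator")
$CurrentUser     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

function Get-LocalAdministratorMembers {
    # Uses the WinNT provider, available on every Windows version the article covers.
    $group = [ADSI]'WinNT://./Administrators,group'
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are COM objects. ADsPath is WinNT://DOMAIN/Name for domain accounts and
        # WinNT://DOMAIN/COMPUTER/Name for local ones; keep the last two segments as DOMAIN\Name.
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $parts   = ($adsPath -replace '^WinNT://', '').Split('/')
        ($parts | Select-Object -Last 2) -join '\'
    }
}

function Test-LocalAdministratorsBaseline {
    # Returns what is missing, what must not be there, and an overall verdict.
    param(
        [string[]]$Members,
        [string[]]$Required,
        [string]$ForbiddenUser
    )
    $missing   = @($Required | Where-Object { $Members -notcontains $_ })   # case-insensitive
    $forbidden = @($Members  | Where-Object { $_ -eq $ForbiddenUser })
    [pscustomobject]@{
        Missing          = $missing
        ForbiddenPresent = $forbidden
        Compliant        = ($missing.Count -eq 0 -and $forbidden.Count -eq 0)
    }
}

$members = @(Get-LocalAdministratorMembers)
$verdict = Test-LocalAdministratorsBaseline -Members $members -Required $RequiredMembers -ForbiddenUser $CurrentUser
$verdict | Format-List
if (-not $verdict.Compliant) {
    Write-Warning 'Local Administrators membership does not match the baseline; a Local Users and Groups preference item of the kind described above would correct it.'
}
```

Because the check only reports, it is safe to run across a fleet before the GPP is linked; the membership the article's preference item enforces is the same baseline the script tests, so a compliant result after deployment confirms the item applied.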
Summing It Up
Group Policy Preferences are easy to administer and deploy. Since the technology is compatible with Windows Server 2003 SP1 and Windows XP SP2, nearly all companies can take advantage of the new settings and the power they bring. This reduces the cost of implementation and allows the administrators the control over the desktops they need to perform their job efficiently.
Combining a good Group Policy deployment design with item-level targeting gives administrators the ability to create dynamic desktop and server configurations. With more than 25 item-level targeting criteria available, nearly every setting can be controlled to apply only when appropriate. You'll find more information on Group Policy in the Group Policy Resource Kit and also at the Windows Server Group Policy site.
Derek is an independent consultant, trainer, and author. He evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security, and desktop management. He regularly contributes to online and print publications and has written more than 10 technology books, including The Microsoft Windows Group Policy Resource Kit (Microsoft Press, 2008). You can reach Derek at firstname.lastname@example.org