Using Group Policy Preferences to Manage Diversity

This month we’re focusing on managed diversity. This can mean a lot of things to a lot of people, so I’ll explain. In a perfect world, we’d love for you to roll out Windows Vista® to all of your PCs in one sweeping motion. A wave of the hand and all your PCs are running Windows Vista and are positioned for an easier Windows® 7 rollout when the time comes.

We don’t live in that world, though. For starters, many of the PCs in your organization aren’t ready to run Windows Vista. You might need to upgrade some PCs before you can put a modern desktop on them. Also, rolling out Windows Vista is obviously more complex than waving your hand. In reality, a rollout occurs piecemeal, over time.

Just because you can’t roll out Windows Vista as part of one, large effort doesn’t mean you should wait. You can at least start taking advantage of Windows Vista now on the PCs that are ready for it, and then move to Windows Vista on older, less capable PCs as you replace them, instead of downgrading new PCs to Windows XP. This is where the idea of managed diversity comes into play.

Managed Diversity in the Organization

Organizations typically run a mix of hardware platforms, and such environments are called heterogeneous. Diversity can also mean varied configurations, usually because different departments have different security requirements, compliance obligations, application bundles, and so on. In this article, I’m using diversity specifically to mean different Windows versions in the organization.

Microsoft provides many management tools that can help you manage diverse Windows versions in your organization. For example, you can use Windows Management Instrumentation (WMI) filtering in Group Policy to target Group Policy Objects (GPOs) at different Windows versions. Logon scripts are one way to configure settings differently for different Windows versions, but Group Policy Preferences are a better tool for the job.

Group Policy Preferences have a role similar to logon scripts: You use them to configure settings and manage objects like files and folders. Instead of requiring you to write script code, you configure these settings and manage objects through an easy-to-use interface. What makes preferences ideal for managing diverse Windows versions, configurations, and so on is the simplicity with which you can target (filter) settings. More on this later.

Introducing Preferences

Group Policy administrative settings are defined by Administrative Templates (.adm files, or .admx files starting with Windows Vista). A template defines the user interface for collecting a setting and the registry location where Windows stores it. Registry-based policy settings land in the policy branches of the registry (HKLM\Software\Policies, HKCU\Software\Policies, and the Policies keys under Software\Microsoft\Windows\CurrentVersion), which are protected by ACLs so that Standard User accounts can’t change them. When you configure a policy, Windows usually locks or hides the user interface for that setting. As a result, you can configure Group Policy settings with reasonable assurance that users can’t change them; a local administrator still can, but Group Policy writes the value back at the next refresh.

In contrast, Group Policy Preferences are free form. There are no templates. There isn’t a special location in the registry where Windows writes them. Using preferences, you can write almost any setting to almost any registry key. You can also copy, move, replace, and delete files and folders. You can map network drives, configure environment variables, set up printer connections, schedule tasks, configure power settings, and far more—all within the Preferences folder of the Group Policy Management Editor. Figure 1 shows the preference items you can configure.

Figure 1. Computer and User Preference Items
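Here is an added example, not from the original article, that shows the same distinction from Windows PowerShell with the GroupPolicy module (which shipped after this article, with Windows Server 2008 R2 and the Windows 7 RSAT): Set-GPRegistryValue writes a registry-based policy setting, Set-GPPrefRegistryValue writes a registry preference item, and Get-Acl on a client shows why the first sticks and the second doesn’t. The GPO name is an assumption; the two registry values are real Explorer settings.

```powershell
# Added example, not part of the original article. Needs the GroupPolicy module
# (Windows Server 2008 R2 / Windows 7 RSAT or later) and permission to edit the
# GPO. "Managed Diversity Test" is an assumed GPO name; create it with New-GPO first.
Import-Module GroupPolicy
$gpoName = 'Managed Diversity Test'

# 1. A registry-based POLICY setting. It lands in one of the policy branches
#    (here HKCU\...\CurrentVersion\Policies), which standard users can only read,
#    and Explorer hides the corresponding UI while the policy is in effect.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoDriveTypeAutoRun' -Type DWord -Value 255 | Out-Null

# 2. A registry PREFERENCE item. It can point at any key; this one sets
#    "show hidden files" as a default in the user's ordinary Explorer key,
#    which the user is free to change later (and which Windows rewrites at
#    the next refresh unless the item is marked Apply once in the editor).
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
    -ValueName 'Hidden' -Type DWord -Value 1 | Out-Null

# 3. Why the difference holds on the client: compare the ACLs of the two target
#    keys as the logged-on user sees them. This part runs on any domain PC and
#    needs nothing but Get-Acl.
function Get-KeyRights {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Select-Object @{ n = 'Key'; e = { $Path } }, IdentityReference,
                      RegistryRights, AccessControlType, IsInherited
}
Get-KeyRights 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies' |
    Format-Table -AutoSize
Get-KeyRights 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' |
    Format-Table -AutoSize
```

On the policies key the user’s own account shows up with Read only (SYSTEM and Administrators hold Full Control), whereas the Explorer\Advanced key inherits the user’s Full Control from HKCU. That ACL difference, not anything in the GPO, is what makes a policy stick and a preference merely a default.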

Thinking of Group Policy Preferences as a supplement to, or a replacement for, logon scripts is often a useful analogy. However, Windows doesn’t apply Group Policy Preferences only when the PC starts or when users log on. Windows applies preferences during the normal Group Policy refresh interval, which is every 90 minutes by default (plus a random offset of up to 30 minutes). You can also configure a preference item so that Windows applies it only once. By doing so, you can set defaults for users that they are free to change later, which reduces how much you need to customize the installation image before deployment. Keep the security implication in mind: a preference is never enforced. A user who can write to the target location can change the value, and unless you select Apply once, all that happens is that Windows writes the value back at the next refresh. Settings that users must not be able to change belong in policies, not preferences.

Windows Server® 2008 includes support for Group Policy Preferences, both the editor and the client-side extensions that process preference items. To edit preferences from a Windows Vista PC, install the Remote Server Administration Tools for Windows Vista (RSAT); this also lets you manage preferences in Windows Server 2003 domains, because preferences require no schema or domain functional level change. The clients themselves need the Group Policy Preference Client Side Extensions: you can download them for Windows XP, Windows Vista, and Windows Server 2003 from the Microsoft Download Center, or install them by using Windows Update. A PC without the extensions simply ignores the preference items in a GPO, so deploy the extensions before you rely on preferences to configure your Windows XP PCs.

Preferences are Not Policies

For IT pros who aren’t yet sure what Group Policy Preferences are for, I’ll review their purpose and how they differ from regular old policies. Preferences are one of the coolest things to happen to Group Policy in years. To that end, Table 1 summarizes the differences between the two.

Table 1. Preferences vs. Settings

Targeting to Support Managed Diversity

A key difference between policies and preferences, which brings me back to the topic of managed diversity, is that policy filtering works very differently from preferences’ item-level targeting (rules that decide whether a preference item applies). You can filter GPOs by using WMI filters or security group permissions, and those filters determine whether Group Policy applies the entire GPO. It’s an all-or-nothing deal: you cannot filter individual policy settings within a GPO. Of course, you can work around this limitation by creating multiple, similar GPOs that you filter according to your diverse requirements, but that quickly leads to a large number of GPOs to manage.

On the other hand, preferences support item-level targeting: you can target individual preference items within a GPO. For example, a single GPO can contain two preference items that configure similar settings. You can target the first preference item at computers running Windows XP and the second at computers running Windows Vista. Additionally, while filtering a GPO by operating system requires you to write a WMI query, item-level targeting doesn’t require WMI queries (although a WMI Query targeting item is available if you need one); instead, it provides a friendly user interface that is easy to use. You can still filter an entire GPO that contains preferences by using a WMI filter, and the two mechanisms combine: the WMI filter decides whether the GPO applies at all, and item-level targeting then decides item by item.

Group Policy preference items provide the muscle to configure user and computer settings, but targeting items provide the intelligence to choose a limited selection of users and computers for those settings. The following are examples of how you can use targeting items to support diversity in your environment:

  • Operating system version. You identify a setting that Windows Vista stores in a different registry location than Windows XP does. Create two preference items, one for each operating system, and then filter each preference item by using the Operating System targeting item.
  • Mobile computers. You want to configure VPN connections for mobile users, but you want to apply those VPN connections only to mobile PCs. You can limit the preference item to only mobile PCs by using the Portable Computer targeting item.
  • Performance-based configuration. You have a requirement to configure certain settings based on the performance characteristics of each computer. Faster computers with plenty of free disk space receive one preference item, while slower computers or those with low amounts of free disk space receive another. You can use the CPU Speed and Disk Space targeting items to target each preference item as required.
  • Software prerequisites. You want to configure an application’s settings, but you want to ensure that the application is installed on the computer before configuring it. You can use a combination of the File Match and Registry Match targeting items to check for a specific version of a binary file or an entry in the Uninstall registry key to create a robust way to verify that the application is installed.

Item-level targeting also supports Boolean logic (AND, OR, and NOT), so you can combine targeting items. For example, you can create a targeting expression that matches only portable computers running Windows Vista that have BitLocker® Drive Encryption enabled. Another example is an expression that matches only computers running Windows Vista that have at least 2 GB of RAM.
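As an added example (not code from the original article), here is how that targeting looks at rest. Every preference item, together with its item-level targeting, is stored as XML in the GPO’s Preferences folder in SYSVOL, so you can audit which settings are aimed at which systems without opening the editor. The XML below is constructed for this example: the clsid and uid GUIDs are placeholders, and the filter attribute names follow the SYSVOL layout as I recall it, so check them against a real Registry.xml before relying on them. The parser depends only on the bool and not attributes that every targeting item carries, and it needs PowerShell 3.0 or later.

```powershell
# Added example, not part of the original article. Preference items and their
# item-level targeting are stored as XML under the GPO in SYSVOL, for example
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\User\Preferences\Registry\Registry.xml
# The document below is constructed for this example: the clsid/uid GUIDs are
# placeholders and the filter attribute names follow the SYSVOL layout as I
# recall it. The parser relies only on the bool and not attributes.
[xml]$registryXml = @'
<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings clsid="{00000000-0000-0000-0000-000000000001}">
  <Registry clsid="{00000000-0000-0000-0000-000000000002}" name="Hidden (Vista laptops)" status="Hidden" uid="{00000000-0000-0000-0000-0000000000A1}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" name="Hidden" type="REG_DWORD" value="00000001"/>
    <Filters>
      <FilterOs bool="AND" not="0" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
      <FilterPortable bool="AND" not="0" dockState="Any"/>
    </Filters>
  </Registry>
  <Registry clsid="{00000000-0000-0000-0000-000000000002}" name="Hidden (XP)" status="Hidden" uid="{00000000-0000-0000-0000-0000000000A2}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" name="Hidden" type="REG_DWORD" value="00000001"/>
    <Filters>
      <FilterOs bool="AND" not="0" class="NT" version="WXP" type="NE" edition="NE" sp="NE"/>
    </Filters>
  </Registry>
  <Registry clsid="{00000000-0000-0000-0000-000000000002}" name="Untargeted" status="Example" uid="{00000000-0000-0000-0000-0000000000A3}">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\Contoso\Example" name="Example" type="REG_SZ" value="1"/>
  </Registry>
</RegistrySettings>
'@

function Get-PreferenceTargeting {
    param([xml]$Document)
    foreach ($item in $Document.RegistrySettings.Registry) {
        $props = $item.Properties
        $terms = @()
        if ($item.Filters) {
            foreach ($filter in $item.Filters.ChildNodes) {
                # bool joins this filter to the previous one (AND/OR); not="1" negates it.
                # Every other attribute on the element is the condition itself.
                $condition = ($filter.Attributes |
                    Where-Object { $_.Name -ne 'bool' -and $_.Name -ne 'not' } |
                    ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ' '
                $text = '{0}({1})' -f ($filter.LocalName -replace '^Filter', ''), $condition
                if ($filter.GetAttribute('not') -eq '1') { $text = "NOT $text" }
                if ($terms.Count -gt 0) { $terms += $filter.GetAttribute('bool') }
                $terms += $text
            }
        }
        $targeting = if ($terms.Count -gt 0) { $terms -join ' ' }
                     else { '(none: applies to everyone who receives the GPO)' }
        [pscustomobject]@{
            Item      = $item.GetAttribute('name')
            Action    = $props.GetAttribute('action')
            Key       = '{0}\{1}' -f $props.GetAttribute('hive'), $props.GetAttribute('key')
            Value     = '{0} = {1} ({2})' -f $props.GetAttribute('name'), $props.GetAttribute('value'), $props.GetAttribute('type')
            Targeting = $targeting
        }
    }
}

Get-PreferenceTargeting $registryXml | Format-List

# Whole-GPO filtering, the all-or-nothing alternative, is a WMI filter on the GPO.
# This WQL matches Windows Vista workstations (version 6.0, ProductType 1):
#   SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = "1"
```

To audit a real environment, replace the here-string with Get-Content on the Registry.xml (or Drives.xml, Printers.xml, and so on) under each GPO in SYSVOL. Because every Authenticated User can read SYSVOL, the same review tells you exactly what a standard user can learn about your configuration from those files.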

Conclusion

Group Policy Preferences is a key tool for managing diverse Windows versions in your organization. Using this tool can help ease the migration from Windows XP to Windows Vista, reducing the pressure to compress the deployment timeline. Migrating to Windows Vista, even gradually, puts you in a better position to roll out Windows 7 when it releases. You can learn more about Group Policy Preferences in the white paper Group Policy Preferences Overview.

Combine Group Policy Preferences with Microsoft Advanced Group Policy Management (AGPM) and you have a real powerhouse. Not only can preferences help you manage PCs more flexibly, AGPM can provide version control and an essential approval workflow for the process. With AGPM, you can delegate Reviewer, Editor, and Approver roles to different administrators. An editor can change a GPO, but an approver must review and approve the GPO before it is deployed into the production environment. Additionally, AGPM enables you to roll back a GPO containing preferences to an earlier version if something goes awry. For more information about AGPM, see Windows Vista for the Enterprise.

© 2008 Microsoft Corporation. All rights reserved.  Microsoft, BitLocker, Windows, Windows Server and Windows Vista are registered trademarks of Microsoft Corporation in the United States and/or other countries.