Group Policy Preferences
Group Policy preferences enable IT professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. Examples include mapped drives, scheduled tasks, and Start menu settings. For many types of settings, using Group Policy preferences is a better alternative to configuring them in Windows images or using logon scripts.
Organizations typically deploy two types of settings: managed and unmanaged. Managed settings are policy settings that you enforce. You don’t allow users to change policy settings. Policy settings reduce support costs by enforcing standard configurations, help prevent productivity loss, and protect an organization’s assets. Group Policy is the best technology for delivering policy settings to computers running Microsoft Windows®, and if your organization is like most with Microsoft infrastructures, you’ve already adopted Group Policy.
Unmanaged settings are preferences. In contrast to policy settings, you allow users to change preferences after you’ve deployed them. By explicitly deploying preferences rather than accepting the default operating system settings, you create configurations that are more compatible with your IT environment and are specifically tailored to your organization and how its people use their computers. Additionally, deploying some preferences for users is a necessity in locked-down environments, where users can’t change many settings. Organizations deploy preferences a variety of ways, but the most common are default user profiles, registration entry (.reg) files, and logon scripts. Including preferences in Windows images is also common. In any case, most methods for deploying preferences are decentralized and unwieldy.
The key difference between preferences and policy settings is enforcement. Group Policy strictly enforces policy settings. First, Group Policy writes those settings to the Policy branches of the registry, and the access control lists (ACLs) on those branches prevent Standard users from changing them. When a Group Policy-aware application or operating system feature looks for a potentially managed setting, it first looks for the policy setting. If the policy setting doesn’t exist, it looks for the setting elsewhere in the registry. Second, Group Policy-aware applications and operating system features typically disable the user interface for settings that Group Policy is managing, which prevents users from changing them. Finally, Group Policy refreshes policy settings at a regular interval, which is every 90 minutes, by default, but which is configurable by a Group Policy administrator.
In contrast to Group Policy settings, Group Policy does not strictly enforce preferences. Group Policy does not store preferences in the Policy branches of the registry. Instead, it writes preferences to the same locations in the registry that the application or operating system feature uses to store the setting. The implication of this is twofold. First, Group Policy preferences support applications and operating system features that aren’t Group Policy-aware. Second, Group Policy preferences do not cause the application or operating system feature to disable the user interface for the settings they configure. The result is that after deploying preferences using Group Policy, users can still change those settings. Additionally, Group Policy refreshes preferences using the same interval as Group Policy settings by default. However, you can prevent Group Policy from refreshing individual preferences by choosing to apply them only once. This configures the preference one time and allows the user to change it permanently.
Group Policy preferences add to Group Policy a centralized system for deploying preferences. It provides the means to simplify deployment, reduce configuration errors, and reduce IT costs. Rather than using the steps described earlier to deploy mapped drives, for example, you simply create a Group Policy object and edit its Drive Maps preference item. This white paper describes Group Policy preferences—its features, the differences between policy settings and preferences, and the many benefits of using this new technology.
In order for your computers to see and implement the GP Preferences that you set, you must have a client installed on all of your computers. Windows 7, Windows Server 2008, and Windows Server 2008 R2 come with the client built in.
The GP Preferences client is available as a patch via Windows Update and the campus WSUS server. On the WolfTech domain, all computers using the WolfTech WSUS server will automatically have this client installed. We recommend any other WSUS servers on the domain be configured to install this patch as well — please note that the installation of this patch does not appear to require the computer be rebooted.
Downloads for older OSs:
Download: GPPCSEs Deployment Script & Files
A bug was discovered that prevents the GP Preferences patch from being deployed via Windows Update when you set up a new system from a Windows XP image with SP3 integrated. To work around this issue you can create a GPO with a startup script that contains the contents of the zip file above. The script included will deploy the GP Preferences client to your computers, if needed. All you need to do is modify the 'strBasePath' script variable to reflect the UNC path of the directory where you stage the script.
- Create a policy to deploy the GP Preferences client
- Edit the policy: Computer Configuration -> Windows Settings -> Scripts -> Startup -> Properties
- Click Show Files…
- Copy the contents of the archive (download above) to the startup folder
- Edit InstallGPPCSE.vbs
- Find this line: Dim strBasePath : strBasePath = "\\SERVER\SHARE\" 'NB! with trailing backslash!
- Change the strBasePath variable to the UNC path where the script files are stored
- Add 'InstallGPPCSE.vbs' as the startup script for the policy.
Using the Group Policy Management Console provided with the Remote Server Administration Tools (RSAT) on a Windows 7 or Windows Server 2008 R2 box, you will have new options that weren't there under XP/2003.
Adding a shared printer from a Windows Print Server via Group Policy Preferences
- Open Group Policy Management, edit the policy you wish to use for mapping the printer
- User Configuration -> Preferences -> Control Panel Settings -> Printers
- Right-click on Printers and select New -> Shared Printer
- The Shared Printer option is available only as a User setting. TCP/IP and Local printers are available under both Computer and User Configuration.
- Set Action
- Create: Creates a new shared printer. If there is an existing printer with the same name, it does nothing.
- Replace: Deletes and re-creates an existing shared printer. If the shared printer does not exist, it creates it.
- Update: Modifies an existing shared printer. Similar to Replace, but this option only updates settings that are defined by the preference item. If the shared printer does not exist, it creates it.
- Manually give the path (\\SERVER\queue) for the shared printer, or click on "..." to browse the directory for the printer.
- Additional options here to set this shared printer as the default
- Option to map shared printer to a local port on the computer
- Older applications might only be able to print to LPT1:
- Common tab Options
- Stop processing items in this extension if an error occurs
- Run in logged-on user's security context (this is the default for User preferences)
- Remove this item when it is no longer applied (you need to use the Replace action to do this)
- Apply once and do not reapply
- Item-level targeting (see below)
- Once finished, click OK. Run gpupdate and restart the machines affected by the policy.
Map a drive via Group Policy Preferences
- Create a GPO
- Under Security Filtering, add the user or group you want to apply the policy to.
Note: since this preference is in the User settings, you must use user accounts to apply the policy, not computers.
- Edit the GPO
- Go under User Configuration -> Preferences -> Windows Settings -> Drive Maps
- Right-click and choose New -> Mapped Drive
- Action: Create
- Location: map to a DFS path, e.g. \\wolftech.ad.ncsu.edu\cnr\projects\tip
- Drive Letter: pick a drive letter
- Click Show all drives
If you want end users to have the ability to delete the mapped drive, go to the Common tab -> Apply once and do not reapply.
Note: if you create this policy at the top of your OU, the user will see their drives on any computer in the OU. If you want to prevent that, create the policy at a lower level.
Also, if you want to exclude one person from a guard-dog-created group, add the user name under the GPO Delegation tab. After they show up in the list, click Advanced and change the security setting for that user to Deny. This will prevent the policy from applying to that user.
Note: if you have laptop users complaining that they are losing drives, first disable the wireless adapter's configuration tool under Services, then start the Windows Zero Configuration service. If you are still having issues, update the wireless drivers. In my case this fixed 3 Intel 3945ABG laptops.
Item-Level Targeting (which is always under the "Common" tab) appears to be the hidden jewel of Group Policy Preferences. Item-Level Targeting allows you to specify a custom filter set for each individual setting within the Preferences portion of the GPO.
- Any individual filtering item can be evaluated true (Is) or false (Is Not).
- Filtering items can be grouped with ANDs and ORs.
- Collections are used to provide parenthetical groupings.
This allows the filters to be as simple or as complex as you want them to be:
Simple Example: "the user is a member of the security group WOLFTECH\Domain Admins"
Complex Example: "this collection is true (the CPU speed is greater than or equal to 1000 MHz AND the day of the week is Sunday) OR this collection is false (free disk space is greater than or equal to 80 GB on the X: drive AND the portable computer docking state is Undocked)"
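The Is / Is Not switch, the AND/OR links and the collections described above can be modelled directly. The following is an added Python example, not code from the original page, that builds both the simple and the complex example as filter trees and evaluates them against a constructed snapshot of the client state; it assumes that members of a collection are combined left to right in list order with collections as the only grouping, and the state keys (cpu_mhz, weekday, free_gb, docking, groups) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

@dataclass
class Item:
    # `check` gives the raw value; `negated` is Is/Is Not; `op` (AND/OR) links to what precedes.
    name: str
    check: Callable[[Dict[str, object]], bool]
    negated: bool = False
    op: str = "AND"

@dataclass
class Collection:
    members: List[Union[Item, "Collection"]]
    negated: bool = False
    op: str = "AND"

def evaluate(node, state):
    # Members of a collection are combined left to right in list order (assumed:
    # no AND-before-OR precedence), then the node's Is / Is Not switch is applied.
    if isinstance(node, Item):
        result = bool(node.check(state))
    else:
        result = True  # an empty collection places no restriction
        for index, member in enumerate(node.members):
            value = evaluate(member, state)
            if index == 0:
                result = value
            elif member.op == "OR":
                result = result or value
            else:
                result = result and value
    return (not result) if node.negated else result

def complex_example():
    # The page's complex example: (CPU >= 1000 MHz AND day is Sunday)
    # OR NOT (free space on X: >= 80 GB AND docking state is Undocked).
    fast_on_sunday = Collection([
        Item("CPU Speed >= 1000 MHz", lambda s: s["cpu_mhz"] >= 1000),
        Item("Day of week is Sunday", lambda s: s["weekday"] == "Sunday"),
    ])
    big_disk_undocked = Collection([
        Item("Free space on X: >= 80 GB", lambda s: s["free_gb"].get("X:", 0) >= 80),
        Item("Docking state is Undocked", lambda s: s["docking"] == "Undocked"),
    ], negated=True, op="OR")
    return Collection([fast_on_sunday, big_disk_undocked])

def simple_example():
    # The page's simple example: the user is a member of WOLFTECH\Domain Admins.
    return Item("Security Group", lambda s: "WOLFTECH\\Domain Admins" in s["groups"])
```

A docked machine with a fast CPU on a Sunday passes the complex filter; an undocked laptop with a slow CPU and a large X: drive on a Monday does not.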
- Just about all drive mappings can be done in a single GPO filtered off of security groups
- Finer grain control over when to apply certain settings to mobile devices
- MAC Address range can be used to apply only to virtual machines
- Filtering user-context printers by site or IP address range allows targeting printers by physical proximity for laptops
- Scheduled tasks can be set to run only while on campus, or only while docked
- Battery Present
- Computer Name
- CPU Speed
- Date Match
- Dial-Up Connection
- Disk Space
- Environment Variable
- File Match
- IP Address Range
- LDAP Query
- MAC Address Range
- MSI Query
- Operating System
- Organizational Unit
- PCMCIA Present
- Portable Computer
- Processing Mode
- Registry Match
- Security Group
- Terminal Session
- Time Range
- WMI Query