The introduction of Group Policy Preferences into Group Policy seems to have quite a few people confused. I think that confusion has been compounded by all of the people who skipped Windows Vista, stayed with Windows XP, and are just now starting to implement Windows 7 on the desktop.
Group Policy Preferences
So what’s all the excitement about anyway? Assuming you’re one of those organizations that skipped Windows Vista, you’ve probably been living in the Windows XP Group Policy Management Console (GPMC) for a while. The first time you fire up the GPMC in Windows 7 and edit a Group Policy Object (GPO), you probably notice a new section under both Computer Configuration and User Configuration. In addition to Policies, you now have Preferences. What are these new “Preferences” and what do they have to do with Policies? First, let’s start by talking about Group Policy.
Group Policy introduction
Group Policy is a way for you to control most of the settings and configurations that exist for a computer or for any user that can log into the computer. Screensaver settings? There’s a Policy for that. Logon/logoff scripts? There’s a Policy for that too! Just about any setting or change you can make by hand can be made in a Group Policy. If you’re using Active Directory and are hand-configuring options for every computer and/or user that you support, or hand-mapping drive letters or printers, or even doing something simple like changing the wallpaper, you should seriously consider putting some of that effort toward learning how to use Group Policy so that your computers and users can be configured automatically.
Adding the computer to Active Directory gives you the ability to edit these Policies at the Domain level and assign them to computer and user objects in AD. So what do you need to do to start managing Group Policy for your Windows 7 and Windows Server 2008 R2 systems? Install the latest GPMC and start editing.
Group Policy Preferences
Group Policy Preferences was originally a product called PolicyMaker from Desktop Standard. Microsoft acquired Desktop Standard back in 2006 and, starting with Windows Server 2008, began integrating PolicyMaker into Windows. Windows Server 2008, Windows 7, and Windows Server 2008 R2 already have what they need to use Preferences out of the box. If you still have Windows XP, Vista, or Server 2003, the Client Side Extension (CSE) that will allow you to use Preferences is available as a download. Still running Windows 2000? Sorry, there’s no CSE download for Windows 2000.
Assuming you’re using AD, have the latest GPMC, and are running the latest Windows OS or have installed the CSE for the older version of Windows, here are some of the things you can do with Group Policy Preferences:
- Create and make changes to environment variables
- Copy files to the local file system
- Create/delete folders on the file system
- Make changes to .ini files
- Modify the Registry
- Create/modify/delete network shares
- Map network drives
- Create/modify/delete shortcuts
- Create ODBC entries
- Make changes to devices in the Device Manager
- Make changes to file associations
- Create and make changes to local user accounts
- Create and make changes to local groups
- Create VPN and dial-up connections
- Manage user application settings (requires plug-in written for the application)
- Modify power options
- Manage local printers
- Map network printers
- Manage scheduled tasks
- Manage services
- Manage Regional Options
- Make changes to Start Menu settings
- Make changes to some IE settings
Group Policy Preferences vs. logon scripts
If you’re experienced with Group Policy, you’re probably noticing that a lot of the options mentioned above are also available in the Policy area of a GPO or can be managed by logon scripts. One of the great things about Windows is there’s always more than one way to do something. If you or your IT shop’s expertise is in scripting, you don’t need to reinvent the wheel and start from scratch if you already have infrastructure that is working for you. But what if you don’t have all of those scripts already written? Preferences are a great way to accomplish the same goal without having to spend a lot of time or money learning something completely new.
Scripting isn’t something you can usually learn overnight. It’s a big hurdle for a lot of people. It’s also something that doesn’t usually have a standard. Ask three people to write a script to map a few drives based on group membership, fix permissions on a folder, and make a registry edit, and you’re probably going to end up with three wildly different scripts. Is that bad? Not necessarily, but if your scripts have a thousand lines of code (or more), you probably sweat every time someone makes an edit. One misplaced character or typo and the whole thing can stop working. And you do have every line of those scripts documented in the event that the person who wrote them is unavailable, right?
Preferences also follow the same refresh rules as Group Policy (every 90 minutes with a random offset of up to 30 minutes). Scripts, by contrast, run only at system startup/shutdown and user logon/logoff. Group Policy Preferences also have built-in logging to the Windows Event Log, another area where scripts can lag behind unless the scripts are very robust.
Group Policy Preferences vs. Group Policy settings
How do Group Policy Preferences compare to comparable Group Policy settings? The biggest difference between the two is enforcement. With a Policy, settings are enforced; in most cases, the user interface is either grayed out or gone completely so that the user can’t change the setting. With Preferences, the setting is applied once and can be changed later by the user. One caveat: if you’re using Replace a lot in your Preferences, your users are probably going to figure out that if they make a change to certain settings, those settings are going to change back in an hour or so when Policy refreshes for the computer.
Preferences also aren’t limited by the need for ADM or ADMX files. If you have an application that requires a license file to be copied to the computer, all you need to do is configure a Preference to copy the file. If you need to set an option that is stored in the Registry, such as the network name for a database server, you can browse the local Registry and create a Preference with the setting. Preferences don’t require your applications to have any awareness of Group Policy. As long as the configuration can be edited in the Registry or made by copying a file over, you can use Preferences.
Group Policy Preferences gotchas
Policies are stored in a separate Policy area of the Registry. If you remove a setting in Policy, it will revert back to the original setting on the computer (or in the user’s account). With Preferences, the setting will stay unless you explicitly create a Preference that deletes it.
Mapping printers? Make sure you set the options for the Point and Print Restrictions for either the Computer (at Computer Configuration > Policies > Administrative Templates > Printers) or the User (at User Configuration > Policies > Administrative Templates > Control Panel > Printers). If you don’t, your printer mappings will fail if the computer is unable to copy print drivers to the local system.
Make sure the Client Side Extension for Group Policy Preferences is installed for XP, Vista, and 2003. If the CSE isn’t installed, those versions of Windows will completely ignore the settings in your Preferences when processing Group Policy.
Replace mode isn’t necessarily your friend. I’ve been burned by Replace mode several times. I can’t underscore enough that you should use Replace sparingly. Replace usually has the effect of running a Delete and then a Create. For example, if you map printers with the Replace option, Group Policy will delete the connection and reconnect to the printer. That may not sound like a big deal, but if your user wants that printer to be his/her default, you’ll have problems. Every time the Replace command runs, the user will lose that printer as the default if they have other printers on the system. I’ve also found that using Replace when you’re creating a local user account causes that user account’s SID to be regenerated.
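One way to find out where Replace is in use before it surprises you, as an added example that is not part of the original article: Preference items are stored as XML files under each GPO's Preferences folders in SYSVOL, and each item's Properties element records its action as C (Create), R (Replace), U (Update) or D (Delete). The function name Find-GppReplaceItem, the sample XML and the example.test domain are constructed placeholders.

```powershell
# Added example: list Group Policy Preference items that use the Replace action.
function Find-GppReplaceItem {
    param(
        [Parameter(Mandatory)] [xml] $Xml,
        [string] $Source = '(inline sample)'
    )
    # A Preference item is the parent element of a <Properties action="R"> node.
    foreach ($props in $Xml.SelectNodes('//Properties[@action="R"]')) {
        $item = $props.ParentNode
        [pscustomobject]@{
            Source   = $Source
            ItemType = $item.LocalName             # e.g. SharedPrinter, Drive, User
            Name     = $item.GetAttribute('name')  # display name of the item
            Action   = 'Replace'
        }
    }
}

# Constructed sample shaped like a Printers.xml file (not taken from a real GPO).
$sample = [xml]@'
<Printers>
  <SharedPrinter name="Floor2-Laser" changed="2011-01-01 00:00:00">
    <Properties action="R" path="\\print01.example.test\Floor2-Laser" default="1"/>
  </SharedPrinter>
  <SharedPrinter name="Floor3-Color" changed="2011-01-01 00:00:00">
    <Properties action="U" path="\\print01.example.test\Floor3-Color" default="0"/>
  </SharedPrinter>
</Printers>
'@

Find-GppReplaceItem -Xml $sample

# To scan a domain, point $policies at its SYSVOL Policies folder.
# The domain name below is a placeholder; the scan is skipped if the path is absent.
$policies = '\\example.test\SYSVOL\example.test\Policies'
if (Test-Path $policies) {
    Get-ChildItem -Path $policies -Recurse -Filter *.xml |
        Where-Object { $_.FullName -match '\\Preferences\\' } |
        ForEach-Object {
            $doc = [xml](Get-Content -Raw -Path $_.FullName)
            Find-GppReplaceItem -Xml $doc -Source $_.FullName
        }
}
```

Review each reported item and decide whether Update would do the job instead, particularly for printers and local user accounts.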
If user options aren’t working correctly, you might need to check the “Run in logged-on user’s security context (user policy option).” Preferences run as the System account. Preferences that use network resources, such as mapping printers or network drives, need the user’s privileges to run properly. Checking this box ensures that the proper credentials are used.
Copying files? Check your network share permissions. If the local computer is getting the file, you’ll need to make sure that the Domain Computer has at least read access to the network share. The same is true if the user’s security context will be copying the file; make sure the user has at least read access.
Last, but not least, Microsoft maintains a list of currently available hotfixes for Group Policy. There is a section specifically for Preferences that may be of help if you’re having issues with a specific feature.