You are on page 1of 7

Group Policy Preferences best practices - 4sysops

This is Google's cache of It is a snapshot of the page as it appeared on Jul 15, 2012 18:20:11 GMT. The current page could have changed in the meantime. Learn more Text-only version

Thu 26 Jan 2012

By Kyle Beckman | No Comments | Permalink | Trackback | Previous | Next

This article introduces Group Policy Preferences, explains how they differ from Group Policy settings, compares Preferences to logon scripts, and covers a few Group Policy Preferences gotchas. Kyle Beckman works as a systems administrator in Higher Education in the Southeast United States. He is an MCSE and specializes in Group Policy, Windows Server, and client support. Follow his blog Group Policy, Y'all.

4sysops is looking for Windows admins who want to blog for money - Read more

MaxPowerSoft Active Directory Reports Professional Blackbird Auditor for Active Directory - Real-time Active Directory auditing 3CX Phone System - A Windows-based Business VoIP PBXstrong> All contests

Subscribe via RSS: Subscribe via e-mail:

Follow on Twitter:

Read the article about this poll | View all polls Are you currently using a monitoring solution? Yes - Proprietary free product Yes - Multiple Products Yes - Commercial product Yes - Open Source product Yes - Custom scripts / In-House Solution

1 of 7

7/18/2012 12:36 PM

Group Policy Preferences best practices - 4sysops

No - I don't need one No - Do I need one?


View Results Polls Archive

More than 300 free Windows administration tools Free eBooks for Windows aministrators Read the latest news for Windows aministrators

EMCO Remote Console Remote command tool for Windows Veeam ONE Free Edition Real-time Hyper-V and VMware monitoring CCleaner Improve Windows performance by removing unnecessary files and registry entries Free launcher for portable applications NirLauncher mRemoteNG Open source, multi-protocol, remote connection manager TeraCopy Increase copy speed Remote Desktop Manager Manage remote connections Microsoft Security Compliance Manager (SCM v2) Part 1 ControlUp Real-time monitoring and remote administration SoftPerfect Network Scanner IP, NetBIOS, WMI and SNMP scanner View all free admin tools | Submit a free admin tool

FREE: SolarWinds Diagnostic Tool for the WSUS Agent Driver deployment with Microsoft Deployment Toolkit (MDT) Part 2: Windows driver management Download Windows Server 2012 Beta Essential | Microsoft Deployment Toolkit (MDT) 2012 Update 1 Beta 1 Windows 8 release date | Windows Server 2012 release date | Office 2013 public preview Driver deployment with Microsoft Deployment Toolkit (MDT) Part 1: OS deployment Create and modify registry keys in remote computers using PowerShell Retrieve the registry keys from remote computers via PowerShell Windows Server 2012 editions | Microsoft Assessment and Planning Toolkit 7.0 | Microsoft DirectAccess Connectivity Assistant 2.0 RC FREE: NetWrix Disk Space Monitor System Center 2012 overview of components The introduction of Group Policy Preferences into Group Policy seems to have quite a few people confused. I think that confusion has been compounded by all of the people who skipped Windows Vista, stayed with Windows XP, and are just now starting to implement Windows 7 on the desktop.

2 of 7

7/18/2012 12:36 PM

Group Policy Preferences best practices - 4sysops

Group Policy Preferences So whats all the excitement about anyway? Assuming youre one of those organizations that skipped Windows Vista, youve probably been living in the Windows XP Group Policy Management Console (GPMC) for a while. The first time you fire up the GPMC in Windows 7 and edit a Group Policy Object (GPO), you probably notice a new section under both Computer Configuration and User Configuration. In addition to Policies, you now have Preferences. What are these new Preferences and what do they have to do with Policies? First, lets start by talking about Group Policy.

Group Policy is a way for you to control most of the settings and configurations that exist for a computer or for any user that can log into the computer. Screensaver settings? Theres a Policy for that. Logon/logoff scripts? Theres a Policy for that too! Just about any setting or change you can make by hand can be made in a Group Policy. If youre using Active Directory and are hand-configuring options for every computer and/or user that you support, or hand-mapping drive letters or printers, or even doing something simple like changing the wallpaper, you should seriously consider putting some of that effort toward learning how to use Group Policy so that your computers and users can be configured automatically.

3 of 7

7/18/2012 12:36 PM

Group Policy Preferences best practices - 4sysops

Group Policy Adding the computer to Active Directory gives you the ability to edit these Policies at the Domain level and assign them to computer and user objects in AD. So what do you need to do to start managing Group Policy for your Windows 7 and Windows 2008 R2 systems? Install the latest GPMC and start editing.

Group Policy Preferences

Group Policy Preferences was originally a product called PolicyMaker from Desktop Standard. Microsoft acquired Desktop Standard back in 2006 and, starting with Windows Server 2008, began integrating PolicyMaker into Windows. Windows Server 2008, Windows 7, and Windows Server 2008 R2 already have what they need to use Preferences out of the box. If you still have Windows XP, Vista, or Server 2003, the Client Side Extension (CSE) that will allow you to use Preferences is available as a download. Still running Windows 2000? Sorry, theres no CSE download for Windows 2000. Assuming youre using AD, have the latest GPMC, and are running the latest Windows OS or have installed the CSE for the older version of Windows, here are some of the things you can do with Group Policy Preferences: Create and make changes to environment variables Copy files to the local file system Create/delete folders on the file system Make changes to .ini files Modify the Registry Create/modify/delete network shares Map network drives Create/modify/delete shortcuts Create ODBC entries Make changes to devices in the Device Manager Make changes to file associations Create and make changes to local user accounts Create and make changes to local groups Create VPN and dial-up connections Manage user application settings (requires plug-in written for the application) Modify power options

4 of 7

7/18/2012 12:36 PM

Group Policy Preferences best practices - 4sysops

Manage local printers Map network printers Manage scheduled tasks Manage services Manage Regional Options Make changes to Start Menu settings Make changes to some IE settings

Group Policy Preferences Settings

Group Policy Preferences vs. logon scripts

If youre experienced with Group Policy, youre probably noticing that a lot of the options mentioned above are also available in the Policy area of a GPO or can be managed by logon scripts. One of the great things about Windows is theres always more than one way to do something. If you or your IT shops expertise is in scripting, you dont need to reinvent the wheel and start from scratch if you already have infrastructure that is working for you. But what if you dont have all of those scripts already written? Preferences are a great way to accomplish the same goal without having to spend a lot of time or money learning something completely new. Scripting isnt something you can usually learn overnight. Its a big hurdle for a lot of people. Its also something that doesnt usually have a standard. Ask three people to write a script to map a few drives based on group membership, fix permissions on a folder, and make a registry edit, and youre probably going to end up with three wildly different scripts. Is that bad? Not necessarily, but if your scripts have a thousand lines of code (or more), you probably sweat every time someone makes an edit. One misplaced character or typo and the whole thing can stop working. And you do have every line of those scripts documented in the event that the person who wrote them is unavailable, right? Preferences also follow the same refresh rules for Group Policy (every 90 minutes with a random offset of up to 30 minutes). With scripts, they only run at system startup/shutdown and user logon/logoff. Group Policy Preferences also have built-in logging to the Windows Event Log, another area where scripts can lag behind unless the scripts are very robust.

5 of 7

7/18/2012 12:36 PM

Group Policy Preferences best practices - 4sysops

Group Policy Preferences vs. Group Policy settings

How do Group Policy Preferences compare to comparable Group Policy settings? The biggest difference between the two is enforcement. With a Policy, settings are enforced; in most cases, the user interface is either grayed out or gone completely so that the user cant change the setting. With Preferences, the setting is applied once and can be changed later by the user. One caveat: if youre using Replace a lot in your Preferences, your users are probably going to figure out that if they make a change to certain settings, those settings are going to change back in an hour or so when Policy refreshes for the computer. Preferences also arent limited by the need for ADM or AMDX files. If you have an application that requires a license file to be copied to the computer, all you need to do is configure a Preference to copy the file. If you need to set an option that is stored in the Registry, such as the network name for a database server, you can browse the local Registry and create a Preference with the setting. Preferences dont require your applications to have any awareness of Group Policy. As long as the configuration can be edited in the Registry, be made by copying a file over, you can use Preferences.

Group Policy Preferences gotchas

Policies are stored in a separate Policy area of the Registry. If you remove a setting in Policy, it will revert back to the original setting on the computer (or in the users account). With Preferences, the setting will stay unless you explicitly create a Preference that deletes it. Mapping printers? Make sure you set the options for the Point and Print Restrictions for either the Computer (at Computer Configuration > Policies > Administrative Templates > Printers) or the User (at User Configuration > Policies > Administrative Templates > Control Panel > Printers). If you dont, your printer mappings will fail if the computer is unable to copy print drivers to the local system. Make sure the Client Side Extension for Group Policy Preferences is installed for XP, Vista, and 2003. If the CSE isnt installed, those versions of Windows will completely ignore the settings in your Preferences when processing Group Policy. Replace mode isnt necessarily your friend. Ive been burned by Replace mode several times. I cant underscore enough that you should use Replace sparingly. Replace usually has the effect of running a Delete and then a Create. For example, if you map printers with the Replace option, Group Policy will delete the connection and reconnect to the printer. That may not sound like a big deal, but if your user wants that printer to be his/her default, youll have problems. Every time the Replace command runs, the user will lose that printer as the default if they have other printers on the system. Ive also found that using Replace when youre creating a local user account causes that user accounts SID to be regenerated. If user options arent working correctly, you might need to check the Run in logged-on users security context (user policy option). Preferences run as the System account. Preferences that use network resources, such as mapping printers or network drives, need the users privileges to run properly. Checking this box ensures that the proper credentials are used. Copying files? Check your network share permissions. If the local computer is getting the file, youll need to make sure that the Domain Computer has at least read access to the network share. The same is true if the users security context will be copying the file; make sure the user has at least read access. Last, but not least, Microsoft maintains a list of currently available hotfixes for Group Policy. There is a section specifically for Preferences that may be of help if youre having issues with a specific feature.

6 of 7

7/18/2012 12:36 PM

Group Policy Preferences best practices - 4sysops


Leave a Comment

Subscribe RSS


Related Deny and allow workstation logons with Group Policy (0) Folder Redirection Part 5: Best practices (1) Folder Redirection Part 4: Group Policy configuration (0) Folder Redirection Part 3: Explanation of folder permissions (4) Folder Redirection Part 2: Setting up your file server (0) More: group policy

No Comments Leave a Comment

Leave a Comment

Comments are moderated. No insults please! If your comment doesn't show up within a day please contact me.

Name (required) Mail (will not be published) (required) Website

Notify me of followup comments via e-mail

2006-2012, 4sysops

7 of 7

7/18/2012 12:36 PM