This was a quick presentation I made at our local Rockford SpiceCorps. The idea was to show an alternative way of easing the logon process from a maintenance standpoint, specifically for admins who were not script-savvy.
2. WHY USE GROUP POLICY PREFERENCES?
“During your career as an IT professional, you’ve likely mapped
network drives for users. You probably configured them using logon
scripts. This required you to write and debug the logon script, store
the script in a central location, and then run the script by configuring
User objects in Active Directory® directory service or by creating a
Group Policy object (GPO). Think about all the other settings you’ve
configured using logon scripts or similar methods. A simple, central
system to configure and deploy these settings without requiring you
to make scattered changes that are easily forgotten and seldom
documented would certainly help reduce costs and make your job
easier, wouldn’t it?”
-Microsoft
3. WHY USE GROUP POLICY PREFERENCES OVER LOGON SCRIPTS?
Writing and debugging logon scripts can be troublesome for newcomers.
It takes a moderate amount of coding/logic to specify certain settings to apply to certain people or computers through scripting.
Scripts typically occur at logon/logoff.
Group Policies are applied periodically throughout the day or when forced using gpupdate (can be done remotely).
Group Policy Preferences can be run under the logged-on user’s security context.
Group Policies are easier to navigate and edit for people who have grown accustomed to a GUI.
4. GROUP POLICY PREFERENCES VS. SETTINGS. WHAT’S THE DIFFERENCE?
Preferences: Desired settings for a user or computer. They may need to be changed later at the console.
Settings: Required settings for a user or computer. The settings cannot be modified by the end user.
5. Group Policy Preferences vs. Group Policy Settings
Enforcement
  Preferences: Preferences are not enforced. User interface is not disabled. Can be refreshed or applied once.
  Settings: Settings are enforced. User interface is disabled. Settings are refreshed.
Flexibility
  Preferences: Easily create preference items for registry settings, files, and so on. Import individual registry settings or entire registry branches from a local or a remote computer.
  Settings: Adding policy settings requires application support and creating administrative templates. Cannot create policy settings to manage files, folders, and so on.
Local Policy
  Preferences: Not available in local Group Policy.
  Settings: Available in local Group Policy.
Awareness
  Preferences: Supports non-Group Policy-aware applications.
  Settings: Requires Group Policy-aware applications.
Storage
  Preferences: Original settings are overwritten. Removing the preference item does not restore the original setting.
  Settings: Original settings are not changed. Stored in registry Policy branches. Removing the policy setting restores the original settings.
Targeting and Filtering
  Preferences: Targeting is granular, with a user interface for each type of targeting item. Supports targeting at the individual preference item level.
  Settings: Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries. Supports filtering at a GPO level.
User Interface
  Preferences: Provides a familiar, easy-to-use interface for configuring most settings.
  Settings: Provides an alternative user interface for most policy settings.
6. WHAT YOU’LL NEED: ADMIN SIDE
Where do the new preferences come from?
Windows Vista (or newer) or Windows 2008 with GPMC installed
Preferences can be edited/viewed using the supported OSes above.
7. WHAT YOU’LL NEED TO APPLY PREFERENCES: CLIENT SIDE
Windows Vista or newer
Windows Server 2003 SP1+
Windows XP SP2+
Client Side Extensions* (CSEs) and XMLLite low-level XML Parser*
* Windows 7 & Server 2008 already have the needed extensions built in. The XMLLite Low-Level XML Parser is included with IE7+ and/or Server 2003 SP2/Windows XP SP3 installations.
Info and downloads: Microsoft TechNet - http://goo.gl/cxtun
Windows Networking.com article - http://goo.gl/naKvc
8. DEPLOYING CSE’S – METHODS
MS WSUS (Windows Server Update Services – FREE)
MS System Configuration Center Manager (i.e. SCCM, aka SMS in the old days) or another systems management tool like Altiris or Zenworks
Logon/Logoff Scripts
Scheduled Tasks
Manually via PSExec
Sneakernet
9. DEPLOYING XMLLITE PARSER
Even if you do have WSUS, you don’t have the option to deploy XMLLite automatically.
But there are some other things you CAN deploy with WSUS that install the XMLLite parser as part of their package:
IE7+
XP SP3/Server 2003 SP2
* Installation not needed for Windows Vista or higher
Info and downloads: Microsoft TechNet - http://goo.gl/cxtun
10. WHAT CAN YOU DO WITH GPP?
ODBC Data Sources
User and Group Preferences
Power Settings
Printers & Mapped Drives
Scheduled Tasks & Services
Copy, Update or Remove Files/Folders
Application Shortcuts
INI Files/Registry Entries
VPN Connections (Windows-based)
Disable USB for specific device types
Etc.
11. WHAT CAN’T YOU DO?
Group Policy Preferences are not intended to be able to run
processes at startup. You will need to utilize some sort of script or
other method to accomplish this (Scripts, Altiris, SCCM, etc.).
13. TARGETING SETTINGS TO COMPUTER OR USER
Using the prior method of Group Policy Settings:
In Group Policy Settings, this was called WMI Filtering. WMI Filtering required some knowledge of WQL (like SQL). Queries could be written so that policies could be applied to computers or users that fulfilled the criteria specified in the query.
For example:
root\CIMv2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
This would apply the ENTIRE policy only if a computer had Windows XP Professional installed.
14. TARGETING SETTINGS TO COMPUTER OR USER USING ITEM LEVEL TARGETING
Item Level Targeting allows for granular deployment of preferences and configurations to computer/user objects based upon a number of different criteria:
If a computer has a battery
If an object is a member of a particular security group
If a computer has a specific IP address
If an object is a member of a particular OU (Organizational Unit)
Etc.
…or a combination of (but not limited to) the prior items
This can be done using a familiar Windows tree-navigable interface.
One policy can contain different settings applied to objects using different criteria. No need for multiple policies applying the same settings to different OSes (for example).
17. Example 1: Map a drive based on group membership
Create, Replace, Update or Delete mapping
Specify alternate credentials (optional, common tab allows further settings)
18. Example 1: Map a drive based on group membership
Map with user permissions
Click here for Item-Level Targeting…
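Added example, not part of the original slides: a PowerShell function that reads a drive-map preference file (Drives.xml) and lists each mapping with its action, its item-level targeting, and whether alternate credentials were saved with it. The XML is a constructed, trimmed sample (EXAMPLE\Sales, svc-map and the share paths are made up), and Get-GppDriveMapAudit is a hypothetical helper name.

```powershell
# Constructed sample of a drive-map preference file. Real files carry more
# attributes (clsid, uid, changed, ...); names and paths here are made up.
$sample = @'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\server\share\Sales" letter="S" userName="" cpassword=""/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Sales"/>
      <FilterOrgUnit bool="AND" not="1" name="OU=Kiosks,DC=example,DC=com"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="R" path="\\server\share\Tools" letter="T" userName="EXAMPLE\svc-map" cpassword="PLACEHOLDER"/>
  </Drive>
</Drives>
'@

function Get-GppDriveMapAudit {
    param([Parameter(Mandatory = $true)][xml]$DrivesXml)
    # Action codes stored for the Create/Replace/Update/Delete choice.
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($drive in $DrivesXml.SelectNodes('//Drive')) {
        $p = $drive.SelectSingleNode('Properties')
        if (-not $p) { continue }
        # Top-level item-level targeting entries (nested collections are not expanded).
        $targets = foreach ($f in $drive.SelectNodes('Filters/*')) {
            $neg = if ($f.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            '{0} {1}{2}({3})' -f $f.GetAttribute('bool'), $neg, $f.LocalName, $f.GetAttribute('name')
        }
        [pscustomobject]@{
            Letter         = $p.GetAttribute('letter')
            Path           = $p.GetAttribute('path')
            Action         = $actions[$p.GetAttribute('action')]
            Targeting      = if ($targets) { $targets -join ' ' } else { '(none)' }
            RunsAs         = $p.GetAttribute('userName')
            # True when alternate credentials were saved with the item.
            StoredPassword = [bool]$p.GetAttribute('cpassword')
        }
    }
}

Get-GppDriveMapAudit -DrivesXml ([xml]$sample) | Format-Table -AutoSize
```

For a real GPO, load User\Preferences\Drives\Drives.xml from the policy's folder under SYSVOL with Get-Content and cast it to [xml]. A row with StoredPassword set to True means a password is saved in a file that every domain user can read; remove the credential and map with user permissions instead.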
26. Addendum: The F5-F8 Keys
A WORD ABOUT F5-F8 KEYS
Some preferences have multiple options within a configuration window. IE preferences, power settings and Start Menu options are good examples of these.
It is important to note that you can control these preferences within the window either individually, or entirely by using the F5 through F8 keys on your keyboard. Here’s what they do:
F5 – activates all visible options (green)
F6 – activates only the option that currently has focus (green)
F7 – deactivates only the option that currently has focus (dashed red)
F8 – deactivates all visible options (dashed red)
These are extremely useful if you only want to configure a single preference out of a large grouping.
28. VARIABLES AVAILABLE FOR USE
Variables can be used in some situations: file, registry, and drive operations are good examples. Press ‘F3’ when in an appropriate field to view them.
Example: To map a drive to a folder named after the computer on a share, you could use \\server\share\%ComputerName%
Note that %LogonUser% is used as the user name variable as opposed to %UserName%; see http://goo.gl/d0NpaV
29. SUMMARY
If you have Windows 2008 or Windows Vista (or higher) on your network, you can use Group Policy Preferences through the GPMC.
GPP is typically not considered a way to secure an object, but a way to configure default system preferences for a user/computer.
Group Policy SETTINGS are used to disallow system preferences from being altered.
You can specify many preferences within the same policy for a variety of combinations of user and computer objects using Item Level Targeting.
Use the F5-F8 keys to enable/disable individual or all options in a window that contains many preferences.
Since Group Policies are applied periodically throughout the day by default, many preferences will be set throughout the day as the policy refreshes (some limitations apply to settings that are set to “run in logged-on user’s security context”).
You can replace a lot of the functionality of a logon script with GPP, while easing the burden of maintenance for your IT staff.
You still need a way of running processes at user startup, i.e. via a script or another alternative to GPP.
30. LINKS
Group Policy Preferences: Getting Started (includes downloads for
clients):
http://goo.gl/cxtun
Microsoft Group Policy Home Page:
http://goo.gl/rt2sn
Group Policy Preferences Overview (Doc):
http://goo.gl/fzpF7
10 things GPP can do better than your current script
http://goo.gl/QmSjV
Environment Variables in GP Preferences
http://goo.gl/d0NpaV