Group Policy Preferences aka GPPs
November 13, 2009
The biggest change to group policies since Windows 2000 comes to Windows courtesy of a Microsoft purchase of a company called Desktop Standard. Among several excellent enhancements to group policies comes Group Policy Preferences (GPPs). GPPs allow group policy objects to control a whole new set of Windows settings using Active Directory based GPOs. Along with dozens of new policy settings, GPPs introduce several new concepts to GPOs, namely multiple setting actions, item level targeting and one time application of settings. Each of these individually would make this new mechanism worth a look, but the combination is one of the most powerful tools available to Windows system administrators, and it’s all included in Windows at no additional cost.
Before we dig into what GPPs can control and how they control it, let’s go over the requirements for using GPPs. The popular misconception is that GPPs require a significant investment in upgrading the domain, DCs or the entire network to Windows 2008/R2 and Vista/Windows 7. The truth is that the requirements are significantly lower than that. There are two sets of requirements related to using GPPs, the requirements to edit a GPO and to apply a GPO:
- Editing a GPO with GPPs requires a system running Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ or Windows 7. Therefore, introducing a single machine running any of these operating systems to a network would allow GPOs using GPPs to be created.
- Applying a GPO with GPPs is supported on the above-mentioned operating systems (Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ and Windows 7) but also on Windows XP SP2+ and Windows 2003 SP2+. In order to use GPPs on Windows XP SP2, Windows 2003 and Vista RTM, the new Client Side Extensions (CSEs) for GPPs must be downloaded and installed. The updated CSEs are included in Windows XP SP3 and Vista SP1.
You’ll notice that there are no requirements for your domain controllers or other server operating systems!
GPPs introduce several unique new features that expand and enhance the usage of group policies and can be used for all GPPs:
- Item level targeting
This feature, available on the Common tab, allows the construction of a multipart conditional statement that must be met before the setting is applied. Since the condition only applies to one setting, a single GPO can have settings that are applied to different users and computers. The condition parameters include items such as:
- Computer Name
- CPU Speed
- Disk Space
- Environment Variable
- IP Address Range
- Operating System
- Organizational Unit
- and User
Also available are conditions that query specific registry keys, files, LDAP objects and WMI properties.
- Apply once
Another feature that can be found on the Common tab and therefore used for the large majority of GPPs, is represented by a checkbox labeled ‘Apply once and do not reapply’. Using this setting allows the administrator to implement a default setting but allow users to modify the setting. This ‘soft’ application of GPO settings is a powerful tool for system administrators.
- Modification actions
Found on the default and left-most tab of most GPPs is the Action pulldown. This setting provides granular control for the type of action used when applying the setting and contains the following options:
- Create – This action will create a new object as specified. If an object exists, no action will be taken.
- Replace – If the specific object exists, it will be removed and a new one created with the specified settings. If the object doesn’t exist, it will be created. This setting is similar to traditional GPOs and forces a configuration regardless of existing settings.
- Update – If the specific object exists, it will be updated with any specified settings. Other settings will not be distributed. If the object doesn’t exist, it will be created.
- Delete – This action will search for the specific object and delete it.
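The three features above (action, item level targeting, apply once) are stored per preference item, so a GPO's preferences can be reviewed offline to see which settings are forced and which are only one-time defaults. The following is an added example, not code from the original post: it parses a constructed drive-map style preference XML and reports each item's action, targeting conditions and apply-once state. The element and attribute names (`Properties action`, `Filters`, `FilterRunOnce`) are assumptions about the on-disk layout, and all names and paths in the sample are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a drive-map preference file (not a real GPO).
SAMPLE = r"""<Drives>
  <Drive name="S:">
    <Properties action="R" path="\\fs01.example.test\shared" letter="S"/>
    <Filters>
      <FilterOrgUnit bool="AND" not="0" name="OU=Sales,DC=example,DC=test"/>
      <FilterIpRange bool="AND" not="1" min="10.0.50.1" max="10.0.50.254"/>
    </Filters>
  </Drive>
  <Drive name="H:">
    <Properties action="U" path="\\fs01.example.test\home" letter="H"/>
    <Filters>
      <FilterRunOnce bool="AND" not="0" id="{00000000-0000-0000-0000-000000000001}"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="D" letter="T"/>
  </Drive>
</Drives>"""

ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

def audit(xml_text):
    """Return one dict per preference item: action, targeting and apply-once state."""
    report = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if props is None:
            continue  # not a preference item
        action = ACTIONS.get(props.get("action", "").upper(), "Unknown")
        targeting, apply_once = [], False
        for f in item.findall("Filters/*"):
            if f.tag == "FilterRunOnce":  # assumed marker for "Apply once and do not reapply"
                apply_once = True
                continue
            kind = f.tag[6:] if f.tag.startswith("Filter") else f.tag
            negate = "NOT " if f.get("not") == "1" else ""
            targeting.append(f"{f.get('bool', 'AND')} {negate}{kind}")
        report.append({
            "name": item.get("name"),
            "action": action,
            "targeting": targeting,
            "apply_once": apply_once,
            # Replace removes and re-creates the object on each run unless applied once.
            "recreated_each_run": action == "Replace" and not apply_once,
        })
    return report

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Items reported with `apply_once` set are defaults that users can later change, so they should not be relied on as enforced settings.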
Of the approximately 20 new setting areas (or extensions) introduced with GPP, the majority provide a new, easier method of configuring settings that historically required complex scripts, third party utilities or were not possible at all.
The following extensions can be used to replace tasks traditionally completed with scripts or batch files:
- Drive maps
- Local Users and Groups
Whereas the following extensions present functionality that is new to GPOs:
- Start Menu
- Folder Options
- Power Options
- Data Sources
- Network Shares
The features, functions and elements described here are just examples of the new options available with GPPs. A review of the preferences sections within the GPO will quickly allow any administrator to find settings that address their own issues and optimize systems management in their organization.
Hopefully this introduction helps readers understand GPPs a little better and leads some to leverage these very capable tools. If you have found a cool use for GPPs, please comment and share.