Group Policy Preferences aka GPPs

Posted: November 13, 2009 in Group Policy

The biggest change to group policies since Windows 2000 comes to Windows courtesy of a Microsoft purchase of a company called Desktop Standard. Among several excellent enhancements to group policies comes Group Policy Preferences (GPPs). GPPs allow group policy objects to control a whole new set of Windows settings using Active Directory based GPOs. Along with dozens of new policy settings, GPPs introduce several new concepts to GPOs, namely multiple setting actions, item level targeting and one time application of settings. Each of these individually would make this new mechanism worth a look, but the combination is one of the most powerful tools available to Windows system administrators, and it’s all included in Windows at no additional cost.

Requirements

Before we dig into what GPPs can control and how they control it, let’s go over the requirements for using GPPs. The popular misconception is that GPPs require a significant investment in upgrading the domain, DCs or the entire network to Windows 2008/R2 and Vista/Windows 7. The truth is that the requirements are significantly lower than that. There are two sets of requirements related to using GPPs, the requirements to edit a GPO and to apply a GPO:

  • Editing a GPO with GPPs requires a system running Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ or Windows 7. Therefore, introducing a single machine running any of these operating systems to a network would allow GPOs using GPPs to be created.
  • Applying a GPO with GPPs is supported on the above-mentioned operating systems (Windows Server 2008, Windows Server 2008 R2, Windows Vista SP1+ and Windows 7) but also on Windows XP SP2+ and Windows 2003 SP2+. In order to use GPPs on Windows XP SP2, Windows 2003 and Vista RTM, the new Client Side Extensions (CSEs) for GPPs must be downloaded and installed. The updated CSEs are included in Windows XP SP3 and Vista SP1.

You’ll notice that there are no requirements for your domain controllers or other server operating systems!

Significant Features

GPPs introduce several unique new features that expand and enhance the usage of group policies and can be used for all GPPs:

  • Item level targeting

This feature, available on the Common tab, allows the construction of a multipart conditional statement that must be met before the setting is applied. Since the condition only applies to one setting, a single GPO can have settings that are applied to different users and computers. The condition parameters include items such as:

  • Computer Name
  • CPU Speed
  • Disk Space
  • Domain
  • Environment Variable
  • IP Address Range
  • Operating System
  • Organizational Unit
  • RAM
  • Site
  • and User

Also available are conditions that query specific registry keys, files, LDAP objects and WMI properties.

  • Apply once

Another feature that can be found on the Common tab and therefore used for the large majority of GPPs, is represented by a checkbox labeled ‘Apply once and do not reapply’. Using this setting allows the administrator to implement a default setting but allow users to modify the setting. This ‘soft’ application of GPO settings is a powerful tool for system administrators.

  • Modification actions

Found on the default and left-most tab of most GPPs is the Action pulldown. This setting provides granular control for the type of action used when applying the setting and contains the following options:

  • Create – This action will create a new object as specified. If an object exists, no action will be taken.
  • Replace – If the specific object exists, it will be removed and a new one created with the specified settings. If the object doesn’t exist, it will be created. This setting is similar to traditional GPOs and forces a configuration regardless of existing settings.
  • Update – If the specific object exists, it will be updated with any specified settings. Other settings will not be distributed. If the object doesn’t exist, it will be created.
  • Delete – This action will search for the specific object and delete it.
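
The three features above can be read back out of the XML files in which preference items are stored, which helps when reviewing what a GPO actually pushes and to whom. The script below is an added example, not part of the original post: the sample document is constructed and simplified, the element and attribute names (`Properties action`, `Filters`, `FilterRunOnce`) follow the preference file layout as an assumption the post itself does not show, and `Get-GppItemSummary` is a hypothetical helper name.

```powershell
# Constructed, simplified sample in the layout of a Drives.xml preference file.
# Server names, groups, OUs and the GUID are made up for illustration.
$sample = [xml]@'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\fs01.example.test\sales" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Sales"/>
      <FilterOrgUnit bool="OR" not="1" name="OU=Kiosks,DC=example,DC=test"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="C" path="\\fs01.example.test\tools" letter="T"/>
    <Filters><FilterRunOnce hidden="1" not="0" bool="AND" id="{00000000-0000-0000-0000-000000000001}"/></Filters>
  </Drive>
  <Drive name="X:"><Properties action="D" letter="X"/></Drive>
</Drives>
'@

# Single-letter codes stored in the action attribute, mapped to the Action pulldown names.
$ActionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

# Hypothetical helper: one summary object per preference item in a document.
function Get-GppItemSummary {
    param([Parameter(Mandatory)][xml]$Document, [string]$Source = '(inline sample)')
    foreach ($item in $Document.SelectNodes('//*[Properties]')) {
        $action  = $item.SelectSingleNode('Properties').GetAttribute('action')
        $filters = @($item.SelectNodes('Filters/*'))
        # Item-level targeting: every filter except the apply-once marker.
        $targets = $filters | Where-Object { $_.LocalName -ne 'FilterRunOnce' } | ForEach-Object {
            $neg   = if ($_.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            $attrs = ($_.Attributes | Where-Object { $_.Name -notin 'bool', 'not' } |
                      ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }) -join ', '
            '{0} {1}{2}({3})' -f $_.GetAttribute('bool'), $neg, $_.LocalName.Substring(6), $attrs
        }
        [pscustomobject]@{
            Source    = $Source
            Item      = $item.GetAttribute('name')
            Action    = if ($ActionNames.ContainsKey($action)) { $ActionNames[$action] } else { "not set or unknown '$action'" }
            ApplyOnce = [bool]($filters | Where-Object { $_.LocalName -eq 'FilterRunOnce' })
            Targeting = if ($targets) { $targets -join ' ' } else { '(none: applies wherever the GPO applies)' }
        }
    }
}

Get-GppItemSummary -Document $sample | Format-Table -AutoSize
```

To review real policies, pass each XML file found under a GPO's `Preferences` folder in SYSVOL to the same function with `-Document ([xml](Get-Content $path -Raw)) -Source $path`. Items reported with Replace or Delete and no targeting, or with ApplyOnce set, are the ones worth a second look, since the former overwrite existing state everywhere the GPO applies and the latter are never re-enforced.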

GPP Extensions

Of the approximately 20 new setting areas (or extensions) introduced with GPP, the majority provide a new, easier method of configuring settings that historically required complex scripts, third party utilities or were not possible at all.

The following extensions can be used to replace tasks traditionally completed with scripts or batch files:

  • Drive maps
  • Printers
  • Environment
  • Files
  • Registry
  • Shortcuts
  • Local Users and Groups

Whereas the following extensions present functionality that is new to GPOs:

  • Start Menu
  • Folder Options
  • Power Options
  • Data Sources
  • Network Shares

The features, functions and elements described here are just examples of the new options available with GPPs. A review of the preferences sections within the GPO will quickly allow any administrator to find settings that address their own issues and optimize systems management in their organization.

Hopefully this introduction helps readers understand GPPs a little better and leads some to leverage these very capable tools. If you have found a cool use for GPPs, please comment and share.

Comments
  1. Aaron Henson says:

    Can you explain why “Update” will not update files? If source file tempate.dot exists and is modified, GPP will not copy down the new version.

  2. guyyardeni says:

    Aaron,
    I’ve run into the same situation. As far as I can tell the update action behaves a little oddly (or unexpectedly) with files in that it can’t be reliably used to update files.
    As a replacement, I’ve used the replace action with item level targeting to compare versions/dates/sizes/etc.

    Guy

    • Aaron Henson says:

      Can you post an example of your item level targeting options to achieve this?

      • guyyardeni says:

        I’ve used the file match targeting category and using the match type of file version. This version can be added to the property of most files if it’s not there already and can be used to make the replace action only run if the file version is old.

        Guy

  3. […] For more information about GPPs and what they require, check out my previous blog post: http://rdpfiles.com/2009/11/13/group-policy-preferences-aka-gpps-2/. […]
