If you would like to read the previous parts in this article series please go to:
- Group Policy related changes in Windows Server 2008 - Part 1: What are Starter GPOs?
- Group Policy related changes in Windows Server 2008 - Part 2: GPMC Version 2
- Group Policy related changes in Windows Server 2008 - Part 3: Introduction to Group Policy Preferences
In part 1 of this article series "Starter GPOs" were discussed. In part 2 we dealt with Group Policy Management Console (GPMC) version 2 and its new search, filtering and comment options. Part 3 introduced you to Group Policy Preferences and part 4 will take a closer look at Group Policy Preferences, including Actions, Item level Targeting, Export/Import, Common options, Shortcuts and more.
Please note that some of the information in this article series is based on information from the Beta versions of Windows Server 2008 (Beta 3, RC0 and RC1). So, some features and dialog boxes may change a bit before the final release. Group Policy Preferences is part of the Release Candidate 1 (RC1) beta release of Windows Server 2008.
For each Group Policy Preference (GPP) setting you can normally choose between 4 different actions (see Figure 1). These actions will determine how the Client Side Extension (CSE) will process the preference item.
Figure 1: the General tab of Environment Properties
This is a quick introduction to the available actions:
- Create = Create a new setting if it doesn't exist on the targeted machine.
- Replace = Delete the setting if it exists and then set with the new settings ("recreate").
- Update (default) = The default action which modifies existing settings. If the settings don't exist they will be set.
- Delete = Remove the preference setting on the targeted machine.
We will most likely see the Migrate action when Microsoft releases some of the additions to the Applications node (more on this later in this article).
Selecting the correct action is crucial, but in most cases the default option (Update) will be perfectly fine.
The Common tab and processing order
Let's take a look at the Common tab of GPP settings. This is where we can specify how the CSE will process the particular preference setting (or "item").
Figure 2: the Common tab of Environment Properties
If you click on any GPP Common tab, they all have exactly the same options, and they are as follows (though irrelevant options can be greyed out as shown in Figure 2):
"Stop processing items in this extension if an error occurs" changes the default error handling. If any error should occur during GPP processing the default action is to continue with the next preferences in line. To change that behaviour this option can be selected - this will stop processing of remaining preference items in the same extension/category inside the current GPO.
"Run in logged-on user's security context (user policy option)" changes the default user context. Normally preferences are processed using the Local System account (SYSTEM), selecting this option will make sure the user context is used instead. Network Drive and Printer Mappings ignore this setting as they always use the user context anyway.
"Remove this item when it is no longer applied" can remove preference settings when the user or computer falls out of scope of management. But you have to be extremely careful with this option as it may, depending on what actions you take, remove the setting entirely (ex. a registry value), and not just nicely replace with the original value as you might think. When selecting this option the "Update" action will be forced on.
Example (a small warning)
Let's say you have an application which is hardcoded to look into the following part of the registry to determine a particular user setting during start-up (ex. to retrieve the user's chosen visual theme):
Current User > Software > Windowsecurity.com > MyTheme = "Default"
An admin then decides to give all users a particular visual theme in the application by creating a Registry preference that assigns the "MyTheme" key a value of "DeepPurple". He/she also selects the "Remove this item when it is no longer applied" option for the registry preference. Everything works fine for a couple of months and then it is decided that the GPO should be unlinked - the intention is to get the original value back. But, what will happen is that the registry string value "MyTheme" will be deleted entirely - in the worst case leaving the application in a broken state. Therefore it is recommended to test the behaviour of this option thoroughly before using it in a production environment. So, watch out!
"Apply once and do not reapply" changes the default behaviour, which generally is to process the preference setting with every background refresh. It must be said however, that some preferences are only processed during log on by default (ex. Network Drive and Printer Mappings). With this option, the CSE applies the particular preference item once and never again. From that point the user can do whatever he or she wants with the User Configuration preference setting - or, if it is a Computer Configuration preference, the computer will never process the preference setting again.
"Item-Level Targeting" is kind of like WMI filters, but only for the selected preference setting and not the entire GPO (like with WMI filters) or other preferences for that matter. There's more information on ILT later in this article.
Processing order and menu options
The processing order of preference items can be decided manually by an admin - or you can go with the default order, which is normally fine.
The green Up and Down arrows (See Figure 3) offers a method to manually define the processing order of the preferences within a particular category.
Figure 3: Processing order and menu options (for the "Local Users and Groups" category)
This is a quick introduction to the menu options we have in Figure 3:
The "question mark" icon offers help for the open preference category. The help file is actually pretty good and covers most common situations.
The "documents" icon offers a method for displaying the XML data for the selected item(s).
The red "Stop sign" icon offers the option to disable the currently selected preference item. That means that the CSE will not process the item at all. The icon changes to a green "Stop sign" when a preference item is disabled. Clicking the green icon will re-enable the preference.
You might wonder how GPPs actually work - and you may already have guessed it. Preferences work kind of the same way as normal Group Policy technology, the CSE takes what it needs from SYSVOL and makes sure to apply the settings on the client (in most cases in context of the SYSTEM account).
Figure 4: The different Group Policy Preferences categories
GPPs are actually "just" folders and files - yes, you guessed it: XML formatted files - added to SYSVOL. A "Preferences" folder is created below either the "\User" (for User Configuration preferences) or the "\Machine" (for Computer Configuration preferences) folder within a GPO in SYSVOL. And for each preference category (see Figure 4) a folder is created below the "Preferences" folder (see Figure 5).
Figure 5: A folder is created for each enabled Group Policy Preference category
Below each category folder you will find an XML file for each Preference setting you have, containing the relevant configuration options etc. - simple and very efficient!
Item Level Targeting
Item Level Targeting (ILT) is an additional "filter" to those you have on the GPO itself (WMI and security group filters), which applies to the particular GP Preference item within the GPO only - not the entire GPO as with the existing filtering options. So, for instance, if you create a GPO which has a GPP item creating a share on client you can set a kind of filter on that particular item alone, to make sure you only hit computers/users that apply to the ILT setting(s) you have defined. Within a single GPO you can have multiple preference items, each with its own targeting option(s).
With ILT you can use logical functions, like And/Or and Is/Is Not. You can create Collections of logical functions to make it all very flexible and in an extremely user friendly way. ILT is slightly faster than WMI filters as they use built-in APIs of the operating system instead of WMI.
This is a complete list of conditions you can use in ILT "filters":
Battery Present, Computer Name, CPU Speed, Date Match, Dial-Up Connection, Disk Space, Domain
Environment Variable, File Match, IP Address Range, Language, LDAP Query, MAC Address Range, MSI Query, Operating System, Organizational Unit, PCMCIA Present, Portable Computer, Processing Mode, RAM, Registry Match, Security Group, Site, Terminal Session, Time Range, User and/or a custom WMI Query. Impressive, right?
Additionally you can add both labels and comments to collections or ILT items for better overview - targeting can get pretty complex in larger environments.
Figure 6 shows the "Targeting Editor" with 2 collections, each collection with multiple Boolean ILT items (or 'queries') - one of the collections must come out true for the particular preference setting to apply to the user or the computer object.
Figure 6: The Targeting Editor
ILT provides us with ultimate control of who gets what preference item.
Exporting & Importing Group Policy Preferences
Your GPPs can be exported to XML very easily. Just right click a preference, choose Copy and then Paste to your desktop or some other folder - and an XML document will be created. This document includes everything you need to import the GPP into another GPO (or environment for that matter). To import an XML document all you have to do is to Copy and Paste the document info the Preference area in the Group Policy Management Editor. Even Drag & Drop works for importing and exporting - it is almost too easy.
If you open the XML document (by using Notepad, XML Notepad, Internet Explorer or whatever) you will quickly be able to spot the preference settings - including ILT configuration. If you're up for it, just copy the ITL section to other policies where you need the exact same "filter" - it's very easy to work with actually. This tip might be helpful if you have a certain ILT "filter" which must apply to a lot of different preference items.
Shortcuts, colors & variables
Some "hidden" (maybe too hidden?) options are available in different locations within the GPPs GUI. You may have wondered what the green lines (see Figure 7 below) or circles (see Figure 8 further down) represent.
Figure 7: Folder Options Properties and colored lines
A green line below a setting, ex. "Hide extensions for known file types" on the Folder Options preference shown above, indicates that it must be processed by the CSE. A stippled red line means that the setting will not be processed by the CSE, no matter what the configured value is. Below Internet Explorer Properties you'll find the same use of colors - however this time it is not lines, but circles - the meaning of the colors is exactly the same.
Figure 8: Internet Explorer Properties and colored circles
Here's a quick introduction to some shortcuts that make it easy to set whether or not a preference item (or all items) should be processed by the CSE:
F5: Define all settings in this dialog box - Enable the processing of all settings in the dialog window. Very useful if you have disabled some settings and you then want to "reset" the form.
F6: Define the currently selected setting - Enable the processing of a single setting in the dialog windows. Useful if you disabled one setting using F7 and you want to re-enable the item.
F7: Don't define the currently selected setting - Disables the processing of a single setting in the dialog window. Useful if you want to "bypass" one setting from being updated or changed on the client
F8: Don't define any setting in this dialog box - Disables the processing of all settings in the dialog window. Useful if you want to prevent all settings on one tab from being set on the client.
In many cases it's very useful to be able to use variables for setting different/individual values per user/computer, etc. Hitting the F3 button brings up a list of available common variables (see Figure 9). The option "Resolve Variable" should normally be checked as this will translate the variable when the preference is processed on the client side - or else it will just represent the variable name, ex. "%AppDataDir%", which is rarely what you would need.
Figure 9: Selection dialog with common Variables (F3 key)
Unfortunately I cannot cover the entire GPP technology in these articles, but let me briefly mention some additional possibilities:
Logging & tracing
It is possible to set up detailed logging of CSE behavior - each preference category has its own logging options (ex. "Data Sources Policy Processing", "Environment Policy Processing", "Registry Policy Processing" etc.). A group policy (or a registry hack) can be applied to make the different CSEs log what is going on behind the scenes. Sometimes troubleshooting inside log files is the only way to success, but by default logging is not turned on. You will find the logging and tracing policy settings below:
Computer Configuration | Policies | Administrative Templates | System | Group Policy | Logging and tracing
The Windows Application log includes event information for each GPP category, too. Each category has its own event source, making Event log filtering easy.
Settings & results reports
A great effort has been made to allow administrators to generate settings reports within GPMC as with "old style" group policies. This keeps documentation tasks very simple and offers a great overview of what each policy does.
The same goes for Group Policy Results reports - they will include preferences, however Item-Level Targeting configurations are not calculated (probably because they use local APIs instead of WMI).
At this point in time there is no official statement from Microsoft about Application preference, which we also had with DesktopStandard PolicyMaker (see Figure 10). Content for the Application preference, which is empty by default, will most likely be available as a separate download sometime in the future.
Figure 10: Application preferences with PolicyMaker
If you are worried about how passwords for user accounts, service accounts, scheduled task logon accounts, etc, are stored (knowing that simple XML files are used for preferences), I can tell you that they are encrypted. I do not know the algorithm used (yet), but I can tell you that "password" translates to "wWHIrHyXsbFpBhpQ/fMKbwEEg3Ko0Es+RskCj/W6F8I" and "Password" translates to "VPe/o9YRyz2cksnYRbNeQmFQgz60no44B/3YywYtmYU" - who would have guessed that?
I'll try to get the detailed information and post it later - so far all I can say is that it is a good sign that a small change in the clear text string (lower case "p" changed to upper case "P") gives a huge change in the encryption string.
Policy and preference overlaps
As you may have seen we have some overlaps between regular policies and preferences. For instance overlaps exist for Internet Explorer settings, Printer deployment, Power Options, File Security, Device Restrictions and Service settings - but don't panic! Look at this as new opportunities instead of trouble - customizing your environment, exactly the way you want it, will be even more flexible with these technologies side by side.
How do I get this stuff?
The most incredible thing, when it comes to Group Policy Preferences, is perhaps the fact that it's provided to you close to FREE from Microsoft.
All you need is a Windows Server 2003 or 2008 domain environment, a single Windows Vista with Service Pack 1 and the Remote Server Administration Toolkit (RSAT) loaded. You can then use the Vista SP1 machine to edit GPOs and include preferences of your choice. A Windows Server 2008 can of course be used as Group Policy management station as well.
To make preferences work on corporate computers they need to have the CSE client installed. Such a client will be available for download for Windows XP and up (the CSE is built-in to Windows Server 2008). The CSE client (a small MSI file) can be installed by using Group Policy Software Installation (GPSI). Windows 2000 does not support the use of Microsoft GPPs. Also note that preferences are not available in local policies.
Windows Server 2008 and GPMC version 2 does bring some wonderful new features related to Group Policy. Some are tiny improvements, others are huge improvements. A large part of it can definitely be very useful for administrators in most environments out there.
Group Policy Preferences should give us simpler configuration via common user interfaces, reduced need to create and maintain complex configuration scripts, flexibility (an administrator can initially configure a preference item, but allow the end user to change the settings later), you will need fewer images and of course additional configuration and security options (mentioned in part 3 of this article series) - and we do not even have to spend a lot of money to get it!
Since this article was published Microsoft has released the required Group Policy Preference Client Side Extensions. These are the links:
- GPP CSEs for Windows Vista (KB943729)
- GPP CSEs for Windows Vista x64 Edition (KB943729)
- GPP CSEs for Windows Server 2003 (KB943729)
- GPP CSEs for Windows Server 2003 x64 Edition (KB943729)
- GPP CSEs for Windows XP (KB943729)
- GPP CSEs for Windows XP x64 Edition (KB943729)
If you would like to read the previous parts in this article series please go to: