Using Group Policy: Policy or Preference?


If you would like to be notified when Robert Shimonski releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.


Introduction


As Windows administrators, more and more stress is put on management of resources without spending your entire day doing it. Nothing gets you closer to this utopia than using Group Policy. With Windows 7, Windows 2008 and Windows 2008 R2, you can now decide how to deploy Group Policy to make your life easier with a new solution. This is done through deciding whether to use policy or preference options.


New with 7 and 2008 is the use and deployment of Group Policy preferences which we will cover in this article. This will allow you as an administrator to streamline your company’s Windows architecture management by better leveraging Group Policy in a way to remove dependencies on ‘scripts’ to get things done, as well as to streamline login times, how printers are setup and configured and much more.


Although scripting (through WSH, VBScript and PowerShell) is becoming more and more prevalent with each deployment of Windows, Group Policy Preferences actually helps to remove some of this dependency which we will learn about in this article.


Using Policy or Preference Settings Options  


With Windows, scripting is becoming more and more important. This is done in a way to create (for example), a set of dashboard widget updates sent to a central system where all aspects of Windows systems management can be overlooked and controlled. Scripting is also highly depended on for deploying most aspects of any piece of the Windows architecture.


As more dependency is placed on using scripts, there is however a solution in place to remove some of this dependency as well. New with 7 and 2008 is the use and deployment of Group Policy preferences. This is an outstanding solution that every Windows admin using Group Policy should embrace if they are in a position to do so.


When working with Windows systems, especially up to Windows Server 2003 and XP, the focus had been on using login scripts (as an example) to map drives to resources, assign printers or deliver updates as needed. The problem with this solution is that scripts need to be updated, replicated and monitored for their accuracy. Worse, scripts rerun the same tasks every time a user logs into the domain.


To simplify this, consider that every time your workers come in to work in the morning and log into their PCs. They attach to the domain and run the company login script that they are assigned. If they have a drive mapping to a personal share where they keep their data, what is the likeliness that this mapping will change from day to day? It’s not likely and every time the script runs (especially long scripts full of tasks), each resource must be assigned again.


User preferences can be a chore to set up, especially manually. Traditionally, this was done via Login Scripts as an example as well. Mapping printers, storage devices and other resources can take time and if you make a mistake on a script, every user assigned to it will encounter that issue.


Group Policy Deployment and Configuration


Group Policy is a way where every aspect of a user’s interaction with Windows architecture can be assigned, managed and monitored. Although this is not an article on Group Policy, you should understand its basic use which is to give the administrator a way to deploy software, settings and so on to any (and every) user who is allowed to connect to the domain and use resources they are assigned to use.


Figure 1 shows the Group Policy Object (GPO)) Editor where the policies you create can be edited and managed. This can be managed by going to the Active Directory Computers and Users management console (MMC) and by right clicking the main domain object.



Figure 1: Group Policy Object Editor


As you can see, almost any aspect of Windows administration can be controlled from this location. Group Policy is the best technology for delivering policy settings to computers either managed, or unmanaged.


You can use managed or unmanaged policy settings. Here are the major differences. With managed policy settings, the changes are ‘enforced’, whereas with unmanaged they are not. Managed means that the end users that receive the policy cannot interact with them to change them. An example would be to enforce the same desktop wallpaper on all desktops companywide. Preferences are unmanaged. This means that they are not strictly enforced and can be changed.


You can also use *.reg files which are used for management of policy settings. Since Windows system rely heavily on modifying the registry of its systems to maintain settings and changes to those settings, a file such as this can be deployed to quickly change the keys within without having to enter into the database and make the chances manually as seen in Figure 2.



Figure 2: Using Registry Entry Files


Using Preferences and Policy


To use either preferences or basic policy, you need to use the Group Policy Management Console (GPMC). Here, you can make changes to either. With Windows Server 2008, Group Policy preferences are now a part of the console. You can also configure preferences by installing the Remote Server Administration Tools (RSAT) on a Windows 7 desktop.  


To install the GPMC on a Windows Server 2008 system, you can add the feature through Server Manager as seen in Figure 3.



Figure 3: Using Registry Entry Files


Server Manager will open automatically by default when you connect to a Windows Server 2008 system. You can also launch it from the Administrative Tools found in the Start Menu.


Once launched, right click on the Feature icon in the Server Manager and select to Add Features. Once the Add Features Wizard is launched, you can select Group Policy Management from the list and then install it. The GPMC can be launched within the Start Menu as well.


Summary


Group Policy preferences enable IT professionals to configure, deploy, and manage operating system and application settings they previously were not able to manage using Group Policy. In this article we covered the differences between policy and preferences options and how to prepare your system to use them. In the next article in this series, we will cover how to deploy both policy and preference options to help manage your Windows infrastructure.


If you would like to be notified when Robert Shimonski releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.


Links


About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top