Leveraging Group Policy Preferences
Microsoft has offered Group Policy Preferences for over 6 years now. Before that, DesktopStandard provided Group Policy Preferences via a 3rd party tool named PolicyMaker. The power that Group Policy Preferences provide is second to none. The fact that they are free is just the icing on the cake. If they were not available for free, I would still suggest that every Active Directory environment should start using them. In this article I want to explain the main benefits of Group Policy Preferences, so you can use them without apprehension or confusion. Most of the articles already published on the subject either stay at a high level or focus on just a few settings; here, I want to give you a little of both.
Accessing Group Policy Preferences
Group Policy Preferences are only available in Group Policy Objects (GPOs) that are stored in Active Directory. You can’t configure Group Policy Preferences in a local GPO. Also, you must be using a newer Windows operating system in order to “see” the Group Policy Preferences in the GP editor. The OSs that support editing Group Policy Preferences include:
- Windows Vista SP1
- Windows 7
- Windows Server 2008
- Windows Server 2008 R2
For Windows Vista SP1 and Windows 7 you will need to obtain the RSAT (Remote Server Admin Tools) and install it locally to have the Group Policy Management Console (GPMC). For more information on this installation and setup, go here (the process is the same for Windows 7, even though the article is for Vista).
Once you have the correct GPMC installed, you will be able to edit any GPO (even those created back in Windows 2000) and configure Group Policy Preferences in them. Of course you will need to right-click on the GPO you want to configure and select Edit. Once in the editor, you will see that there are two new nodes labeled Preferences, one under the Computer Configuration section and one under the User Configuration section. You can see this in Figure 1.
Figure 1: Group Policy Preferences are available under both Computer and User sections in a GPO.
Compatibility of Group Policy Preferences
Now that you have the correct administrative environment, you need to ensure that all of the targets that you want to receive the Group Policy Preference settings are configured properly too. Windows 7 and Windows Server 2008/2008 R2 have the correct files already installed, so you need to get Windows XP, Windows Vista, and Windows Server 2003 updated to support the configurations that Group Policy Preferences provide.
Yes, what is written above is correct. Group Policy Preferences are fully supported back to Windows XP and beyond. It is just that Windows XP and Server 2003 can’t configure them, only receive them. To get the correct files for Group Policy Preferences go to this article.
Settings Available in Group Policy Preferences
Group Policy Preferences have over 20 different areas that can be configured. All in all there are over 3000 individual settings that can be made with preferences, not to mention the customization that is built into the technology. So, if you are wondering if Group Policy Preferences can configure a setting, chances are good that they can!
Figures 2 and 3 show you the settings areas available for both the Computer and User sections of the GPO.
Figure 2: Group Policy Preferences under Computer Configuration section of GPO.
Figure 3: Group Policy Preferences under User Configuration section of GPO.
For details on what each preference setting does, refer to this article.
There is one note to mention. There is a Group Policy Preference area labeled Applications. This area is dead and will not have any settings in it… ever. The reason is that when the product was owned by DesktopStandard there were settings in here for the Office suite. However, when Microsoft purchased PolicyMaker they had to remove the settings for Office, as Office does not come standard with Windows. It is illegal for Microsoft to provide support/configurations for a product they sell which is not installed by default. Might seem silly, but Microsoft has spent millions defending this and other companies have spent millions trying to achieve this!
Making Group Policy Preference Settings Volatile
Every Group Policy Preference setting comes with an option to make the setting you are configuring volatile. What I mean by volatile is that the setting will be removed if it should no longer apply to the target. For example, let’s assume a printer is set up for when a laptop is located on a specified subnet. When the laptop moves off of the subnet, there is no reason to keep the printer configured, so it will be removed. This volatility allows for settings to be controlled with great accuracy. It also prevents tattooing, which is when a setting remains on the computer after it should no longer apply.
With every good setting come some drawbacks. If the setting that you configure is a Registry setting or another key OS setting, it might not be a good idea to have the setting removed when it should no longer apply. This might create an unstable system or even blue screen the computer. Instead, you should have multiple policies that address all instances of the setting and what the setting should be. This way the setting is always set to something and the OS will not become unstable.
Making Group Policy Preferences Dynamic
One of the most powerful areas of Group Policy Preferences is item-level targeting (ILT). ILT is a way to evaluate the current state of a computer before policy is applied. If the ILT rules are met, then policy applies; if not, then policy does not apply. There are over 25 different ILT configurations and every Group Policy Preference supports ILT rules. Figure 4 illustrates the list of ILT settings.
Figure 4: ILT settings are available for every Group Policy Preference policy setting.
Solving Common Corporate Network Issues with Group Policy Preferences
Over the years working for DesktopStandard, writing the Group Policy Resource Kit, and helping organizations solve problems, I have developed a list of common tasks that can be accomplished using Group Policy Preferences.
- Printer installations as laptops move from office to office
- Resetting of local Administrator account password
- Ensuring Domain Admins and local Administrator are in the local Administrators group
- Configuring ODBC settings for a large number of desktops
- Saving money with Power Options
- Customizing any Registry setting and ensuring it does not tattoo
- Changing service account passwords
- Creating environment variable to track laptops
- Cleaning up Temporary Internet files
- File transfer for configuration files
- Setting folder options for admins to always show hidden files
- Eliminating logon scripts (mapped drives, printers, Registry, etc.)
- Setting Advanced Security settings in IE
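Added example, not from the original article: a small Python audit of preference XML files that ties together the volatility caution, item-level targeting, and the two password tasks in the list above. The sample files are constructed, and the attribute and element names (`removePolicy`, `cpassword`, `Filters`) are assumptions about the on-disk format. Passwords set through preferences are written into the policy file itself, which is why the audit flags them.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the XML files preference items are saved in.
# Attribute and element names (removePolicy, cpassword, Filters) are assumptions
# about that format; every value is made up.
SAMPLES = {
    "Printers.xml": r"""<Printers>
  <SharedPrinter name="Floor2" removePolicy="1">
    <Properties action="U" path="\\print01\Floor2"/>
    <Filters><FilterIpRange min="10.1.2.1" max="10.1.2.254"/></Filters>
  </SharedPrinter></Printers>""",
    "Registry.xml": r"""<RegistrySettings>
  <Registry name="EnableLUA" removePolicy="1">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE" name="EnableLUA"
      key="SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
      type="REG_DWORD" value="00000001"/>
  </Registry></RegistrySettings>""",
    "Groups.xml": """<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" userName="Administrator (built-in)"
      cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User></Groups>""",
}

def audit(xml_text):
    """Summarise each preference item: volatility, ILT filters, and issues."""
    report = []
    for item in ET.fromstring(xml_text).iter():
        props = item.find("Properties")
        if props is None:
            continue  # container and filter elements hold no settings themselves
        filters = item.find("Filters")
        entry = {
            "name": item.get("name", "?"),
            "type": item.tag,
            "volatile": item.get("removePolicy") == "1",  # removed when out of scope
            "ilt": [f.tag for f in filters] if filters is not None else [],
            "issues": [],
        }
        if props.get("cpassword"):
            entry["issues"].append("password stored in policy file")
        if entry["volatile"] and item.tag == "Registry":
            entry["issues"].append("registry value is removed when item stops applying")
        report.append(entry)
    return report

if __name__ == "__main__":
    for fname, text in SAMPLES.items():
        for e in audit(text):
            print(fname, e)
```

The volatile, subnet-targeted printer passes cleanly, the volatile Registry item is flagged for the instability risk described earlier, and the local Administrator item is flagged for its stored password. Microsoft later removed the option to set passwords through preferences, so any item flagged that way is a leftover to delete, with the password changed afterwards.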
There is so much that Group Policy Preferences can do, you should not be missing out. Be sure to test all of my suggestions and if you have questions, please email me! I have been working with these settings for over 8 years and there are some amazingly cool options that most are not aware of. Of course, my book titled Group Policy Resource Kit covers Group Policy Preferences and their settings, so that is also a good reference. Don’t miss out on ILT and making the settings volatile.