More Control Through Group Policy Preferences

Expand on your Group Policy investment while leaving some choices in the hands of users

Executive Summary:
Group Policy Preferences augment the existing set of Group Policy functions, adding more functions to what you can already do. Group Policy Preferences Printers lets you easily deploy printers without schema updates or logon scripts, and Group Policy Preferences Power Options brings Vista-like power management to Windows XP systems. Other Group Policy Preferences let you manage devices, services, files on client machines, and users and groups.

Every new version of Windows comes with more to love, especially in the area of Group Policy: more control, more power, and more features that keep you from having to run around from machine to machine to get your job done. Usually, this power arrives built-in to the OS. For instance, when Windows Vista shipped, it brought with it Wired Ethernet policy, Enterprise QoS policy, a new capability for managing printers, and more.

In 2007, Microsoft released Group Policy Preferences, a set of additional Group Policy features. These features augment the existing set of Group Policy functions—adding more functions to what you can already do. Some of the Group Policy Preferences have similar names and potentially overlapping features with the original Group Policy functions, but in this article I'll show you where you can use the new functionality to get more out of your Group Policy investment.

Getting Group Policy Preferences
Group Policy Preferences, in total, encompass 21 features. You would think this many new features would ship as a lot of software. In fact, Group Policy Preferences ship as a single set of client-side extensions (CSEs). When the target computer processes a Group Policy Object (GPO) containing a Group Policy Preferences function, it simply calls the correct extension to do the work.

Windows Server 2008 ships—and Windows 7 will ship—with the Group Policy Preferences CSE; you don't need to do anything for these OSs to process Group Policy Preferences directives. However, you need to update Vista, Windows Server 2003, and Windows XP computers to take advantage of the new technology. Windows 2000 computers aren't able to leverage Group Policy Preferences. For brevity and space constraints, I'll point you to the Newsletter, issue 27, for detailed installation instructions that cover a wide variety of circumstances.

Note that your management console machine must have the updated Group Policy Management Console (GPMC) with its updated Group Policy Editor (GPE). The updated GPMC ships with Server 2008 and is available for Windows Vista SP1 and later if you install the Remote Server Administration Tools (RSAT), which can be found in the Microsoft Download Center. The updated GPMC isn't available for XP systems.

Group Policy Preferences help you do more than you originally could with Group Policy. With that in mind, let's examine some areas where Group Policy Preferences can help you expand on your Group Policy investment.

Deploying Printers
Deploying printers via Group Policy used to be a dream many administrators shared. This feature finally debuted with Windows Server 2003 R2, although administrators widely criticized it at first. For starters, the feature requires a schema update. It also requires that administrators place an add-on within their startup and logon scripts. And, worst of all, it didn't work consistently.

Deployed Printers policy settings are found in GPE at \Computer Configuration\Policies\Windows Settings\Deployed Printers and \User Configuration\Windows Settings\Deployed Printers. Note that you won't see the Deployed Printers node on a Server 2008 or Vista management station until you load the Print Management components, which you can install by using the RSAT tools; they're under the Feature section within \Remote Server Administration Tools\Role Administration Tools\Print Services Tools.

Compared to Deployed Printers, the Group Policy Preferences Printers feature tends to get most of the limelight. It requires no schema extensions and no startup or logon script updates—it just works. The Group Policy Preferences Printers node is found in two places: \Computer Configuration\Preferences\Control Panel Settings\Printers and \User Configuration\Preferences\Control Panel Settings\Printers. This feature lets you deploy TCP/IP and local printers (user- or computer-side) or shared printers (user-side only).

As long as the Group Policy Preferences client is installed on the target machine, printer deployment is a dream.

Group Policy Preferences aren't available for Windows 2000, so if you need to deploy printers on those systems, you should continue using the older Group Policy Deployed Printers method.

Controlling IE
Group Policy has several ways to manage one of Windows' most popular applications, Microsoft Internet Explorer. The original policy settings can be found under either User Configuration or Computer Configuration at \Policies\Administrative Templates\Windows Components\Internet Explorer. These settings can help you lock down what users can and can't do with IE.

Additional IE settings called IE Maintenance are found at \User Configuration\Policies\Windows Settings\Internet Explorer Maintenance. Some of these settings perform policy-style lockout; others let users work around predefined settings.

Group Policy Preferences' Internet Settings adds some new tricks. As Figure 1 shows, the IE settings are found at \User Configuration\Preferences\Control Panel Settings\Internet Settings. Setting preferences for items means that you establish initial settings, but users are able to change them. For instance, you might set your company's web page as the home page for all users, but allow them to change it later if they choose. Preferences are similar to IE Maintenance settings in this way; yet the administrative interface for Group Policy Preferences Internet Settings is exceptionally refreshing: It actually looks like Internet Explorer, which delights most administrators.

Power Management
Vista shipped with some very good power management functions. They're found under \Computer Configuration\Policies\System\Power Management. These settings control sleep settings, what happens when you push various power buttons, when the hard drive should spin down, and more, but they're usable only for Vista.

As Figure 2 shows, the Group Policy Preferences Power Options settings are found under Computer Configuration and User Configuration within \Preferences\Control Panel Settings\Power Options. These settings bring new Group Policy–based power management features to XP. This addition to the power management family brings a hugely desired feature to a large install base. What's more, the UI for configuring Power Options and Power Schemes looks strikingly similar to the XP interface, shortening the learning curve so that administrators can be quickly proficient with this new functionality.

Manipulating Files
Administrators sometimes want to set file security on specific files on desktops and servers. Instead of running out to each machine, they can use Group Policy to do it. Actually getting those files to desktops and servers has been another story altogether. You either need to copy files manually or use a logon script or something similar to do it.

However, with Group Policy Preferences Files, found at \Computer Configuration\Preferences\Windows Settings\Files, you can deliver a file—or multiple files—to a client. And with Group Policy File Security policy settings, located within \Computer Configuration\Policies\Windows Settings\Security Settings\File System, you can set the ACLs on those files. What a magic combination!

Setting Up Services
It's never fun to run around to 100 servers to change a service's settings. That's why Group Policy has a method to control services, located in \Computer Configuration\Policies\Security Settings\System Services. These settings let you set security on the service, such as who can start, stop, and pause it.

However, with Group Policy Preferences Services (\Computer Configuration\Preferences\Control Panel Settings\Services), you can also change the local system account password, change the recovery options for when a service fails, change the program that runs if a service fails, or choose to restart the computer if the service fails.

Wrangling the Registry
Setting a single registry value on all your target machines can be a real hassle. Many administrators use logon scripts and other quasi-automatic methods to accomplish this often-desired goal.

Group Policy has always been able to deliver specific registry values to clients using its built-in ADM and ADMX frameworks. You see the results of ADM and ADMX frameworks every time you explore \Computer Configuration\Policies\Administrative Templates or \User Configuration\Policies\Administrative Templates. These Group Policy settings simply set desired registry values on target machines.

ADM and ADMX files can be developed to deliver registry settings for your applications. However, those values can only be delivered to HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER; you can't use them for any other locations. Additionally, ADM and ADMX files can't deliver REG_BINARY values, a popular data type. ADM and ADMX files are also well known to leave behind, or tattoo, settings if the application doesn't follow Microsoft's strict logo requirements for where policy values are stored. So, even if the user falls out of the scope of management or the GPO is deleted or unlinked, the value persists.

The Group Policy Preferences Registry item brings more to the table. These settings are located within \User Configuration\Preferences\Windows Settings\Registry and \Computer Configuration\Preferences\Windows Settings\Registry. This configuration item lets you plunk registry values into just about any area of the registry.

You might want to continue using ADM or ADMX files if you like the idea of administrators being able to select from a range of values. For instance, if you had a custom application that used custom values, you could create an ADM or ADMX file so that administrators could choose a background color of green, red, or peach. These colors might correspond to values 1, 2, and 4.57. A simple drop-down menu could let administrators select the color instead of having to remember the values.

Group Policy Preferences Registry settings don't let you use a range of values. Group Policy Preferences Registry settings simply set the particular registry value; there's no framework to describe a UI for the target application as you can do with ADM and ADMX files.

Restricting Devices
Every administrator needs to control which devices can and can't be brought into the network. Items such as USB keys or external disk drives are often excellent candidates to restrict so they can't be used to transport data in and out of a company. Vista shipped with a new range of Group Policy device restrictions, which are found at \Computer Configuration\Policies\System\Device Installation\Device Installation Restrictions. These settings let you block specific device IDs on your target Vista machines.

The existing XP population had no way to perform anything similar, but the Group Policy Preferences Devices node now provides some of that device control on XP systems. The Devices node is available for both Computer Configuration and User Configuration at \Preferences\Control Panel Settings\Devices. Although the Group Policy Device Installation Restrictions settings work only for Vista, the Group Policy Preferences method works for all its supported OSs (XP SP2 and later).

It should be noted, however, that the two technologies work fundamentally differently. Group Policy Device Installation Restrictions prevent users from installing drivers for new hardware, so when you restrict a specific device from your Vista machines, the driver is actually blocked from being utilized. This strategy works great for USB memory sticks and other things that are typically unplugged and plugged back in a lot because during the next check, the restriction blocks the device.

But Group Policy Device Installation Restrictions don't always work as expected with devices that are already installed and in use on the machine, such as hard disk drives, SCSI cards, and scanners. Those device drivers are already installed, and you don't usually unplug those items and put them back in. Therefore, the driver isn't ever rechecked and the device isn't restricted—even if the policy setting is applied.

The Group Policy Preferences Devices extension works differently. It disables the actual device or port instead of preventing the driver from loading. Therefore, if a device is already installed, it can simply be disabled to prevent its use. It should be noted, however, that because it only disables the device, it doesn't prevent the device driver from installing. As Figure 3 shows, any user with appropriate rights—usually local Administrators—can simply re-enable the device. But, because regular users don't have access to this ability, this preference setting can help get you on the road to restricting devices right away: As soon as the GPO with the Group Policy Preferences Devices item is received, the device is immediately restricted.

Handling Users and Groups
Administrators often want to dictate which users and groups are permissible on target computers. Additionally, some administrators want to ensure that some group memberships within Active Directory (AD) are strictly enforced. The Group Policy settings to achieve such control are located within \Computer Configuration\Policies\Security Settings\Restricted Groups. These settings strictly control group membership of either local groups or AD-based groups.

However, many admins need to control which users can be part of specific local groups. The Group Policy Preferences Local Users and Groups option is available under both the User and Computer nodes at \Preferences\Control Panel Settings\Local Users and Groups, which makes it very flexible. You can also use it to add a new user account—complete with all account settings—to the computers of your choice. The Local Users and Groups extension can also delete local groups and cherry-pick specific users to delete from groups, which is useful, say, if you want to pluck just one user out of the local Administrators group.

Note, however, that the Local Users and Groups extension works only for local users and groups, not AD-based groups as the Group Policy Restricted Groups function does.
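Two of the preference types above deserve a closer look once they are in production, because every Group Policy Preferences item is saved as an XML file under the GPO's folder in SYSVOL, where any domain member can read it. A Registry item persists on clients after the GPO stops applying unless its common option "Remove this item when it is no longer applied" is set (the same tattooing concern raised in the registry section), and a Services or Local Users and Groups item that sets a service-account or local-user password stores that password in the XML (Microsoft later removed the ability to set passwords in these items). The following Python script is an added example, not code from the article or from Microsoft: it audits constructed sample copies of Registry.xml, Services.xml and Groups.xml and reports tattooing registry values, items carrying a stored password, and every local group membership change. The element and attribute names (Registry, NTService, User, Group, Properties, removePolicy, cpassword, accountName, userName, Member) are assumed to match what GPP writes; clsid, uid and changed attributes are left out because the audit doesn't need them.

```python
"""Audit the XML that Group Policy Preferences writes into SYSVOL.

For each item the script answers two questions raised in the article: does a
Registry preference tattoo the client once the GPO no longer applies, and does
a Services or Local Users and Groups item carry an embedded password?  It also
lists local group membership changes so edits to Administrators stand out.

The sample XML below is constructed for this example and is not from a real
GPO.  Element and attribute names are assumed to follow the layout GPP uses
for Registry.xml, Services.xml and Groups.xml; clsid/uid/changed attributes
are omitted because the audit does not use them.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Finding:
    file: str    # which preferences file the item lives in
    item: str    # item type and display name
    kind: str    # "credential", "tattoo" or "membership"
    detail: str


# Constructed sample: one value that tattoos, one that is removed with the GPO.
REGISTRY_XML = """<RegistrySettings>
  <Registry name="BackgroundColor" status="BackgroundColor" removePolicy="0">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\\Contoso\\CustomApp"
        name="BackgroundColor" type="REG_DWORD" value="00000001"/>
  </Registry>
  <Registry name="Theme" status="Theme" removePolicy="1">
    <Properties action="U" hive="HKEY_CURRENT_USER" key="Software\\Contoso\\CustomApp"
        name="Theme" type="REG_SZ" value="peach"/>
  </Registry>
</RegistrySettings>"""

# Constructed sample: a service under LocalSystem and one with a stored password.
SERVICES_XML = """<NTServices>
  <NTService name="Spooler" status="Spooler">
    <Properties startupType="AUTOMATIC" serviceName="Spooler" serviceAction="START"
        timeout="30" accountName="LocalSystem" firstFailure="RESTART"
        secondFailure="RESTART" thirdFailure="REBOOT" restartComputerDelay="60000"/>
  </NTService>
  <NTService name="ContosoAgent" status="ContosoAgent">
    <Properties startupType="AUTOMATIC" serviceName="ContosoAgent" serviceAction="START"
        accountName="CONTOSO\\svc_agent" cpassword="PLACEHOLDER-CIPHERTEXT"/>
  </NTService>
</NTServices>"""

# Constructed sample: a new local user with a stored password and an edit to
# the local Administrators group that adds one principal and removes another.
GROUPS_XML = """<Groups>
  <User name="helpdesk" status="helpdesk">
    <Properties action="C" fullName="Helpdesk" userName="helpdesk"
        cpassword="PLACEHOLDER-CIPHERTEXT" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
  <Group name="Administrators (built-in)" status="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)" deleteAllUsers="0">
      <Members>
        <Member name="CONTOSO\\Desktop Support" action="ADD" sid=""/>
        <Member name="CONTOSO\\olduser" action="REMOVE" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>"""


def audit_gpp_xml(file_name, xml_text):
    """Return a list of Findings for one preferences XML file."""
    findings = []
    for item in ET.fromstring(xml_text):          # items are direct children of the root
        props = item.find("Properties")
        if props is None:
            continue
        label = f'{item.tag} "{item.get("name", "?")}"'

        # Any item type: a non-empty cpassword means a password is stored in the
        # GPO's SYSVOL folder, which every domain computer and user can read.
        if props.get("cpassword"):
            principal = props.get("accountName") or props.get("userName") or "unknown account"
            findings.append(Finding(file_name, label, "credential",
                                    f"stores a password for {principal} in SYSVOL"))

        # Registry items: the value stays on the client after the GPO is unlinked
        # unless "Remove this item when it is no longer applied" (removePolicy="1") is set.
        if item.tag == "Registry" and item.get("removePolicy") != "1":
            parts = (props.get("hive"), props.get("key"), props.get("name"))
            target = "\\".join(p for p in parts if p)
            findings.append(Finding(file_name, label, "tattoo",
                                    f"{target} persists once the GPO no longer applies"))

        # Local group items: record every membership change.
        if item.tag == "Group":
            for member in props.iter("Member"):
                findings.append(Finding(file_name, label, "membership",
                                        f'{member.get("action")} {member.get("name")}'))
    return findings


def audit_gpo(files):
    """files maps a preferences file name to its XML text, as read from SYSVOL."""
    findings = []
    for name, text in files.items():
        findings.extend(audit_gpp_xml(name, text))
    return findings


def count_by_kind(findings):
    """Summarise findings as {kind: count}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    sample = {"Registry.xml": REGISTRY_XML, "Services.xml": SERVICES_XML, "Groups.xml": GROUPS_XML}
    for f in audit_gpo(sample):
        print(f"[{f.kind:10}] {f.file}: {f.item}: {f.detail}")
```

On a real domain you would feed audit_gpo the files found under each GPO's Machine\Preferences and User\Preferences folders in SYSVOL. The script deliberately reports only that a password is present rather than touching its contents; the defensive action is to remove the item and set the credential some other way.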

Customizing the Start Menu
Managing the user experience is one of the core strengths of Group Policy, and handling the way the Start menu works has traditionally been an area that administrators have taken advantage of. You can find the Group Policy Start menu policy settings in \User Configuration\Administrative Templates\Start Menu and Taskbar.

Administrators enjoy the functionality of the Group Policy Start menu policy settings, but this method isn't perfect. The ability to set a baseline preference configuration of items is missing. Also, because using Group Policy Start Menu and Taskbar settings actually restricts the OS—and forces users to accept the change—these policy settings can be seen as heavy-handed.

On the other hand, the Group Policy Preferences Start Menu settings, found at \User Configuration\Preferences\Control Panel Settings\Start Menu, are preferences, which means they can act more like suggestions for the user. If users don't like your Start menu settings, you can give them the option to change them if they so choose. You can change this behavior later by using the Apply once and do not reapply option for the Group Policy Preferences item.

Many Options for Control
The original set of Group Policy settings take us quite far, but as the demands of administrators grow, so does the demand for new functionality. Group Policy Preferences add more functionality that administrators want while preserving the value of their original Group Policy investment.

The original Group Policy settings and Group Policy Preferences are meant to be used together—not one against the other. If you have your own "better together" story with Group Policy and Group Policy Preferences and want to share, I look forward to hearing from you at
