Among the many new technologies introduced with Windows Server 2008 and Windows Vista, Group Policy preferences (GPP) are the most notable, because they greatly expand what administrators can do with Group Policy. Within a Group Policy object (GPO), Group Policy preferences provide more than 3,000 settings in 22 different areas, including mapping drives and printers and controlling local group membership. Most importantly, no new infrastructure is required: the technology works with the existing Active Directory infrastructure and Group Policy environment. You need only install the administrative tools and the client-side DLL to start working. In this article I take an in-depth look at Group Policy preferences to show how practical they are and how easy they are to deploy and manage.
GPP compatibility
To manage GPP, the Active Directory environment must contain at least one Windows Server 2008 server or Windows Vista desktop, because only these operating systems support the new Group Policy Management Console (GPMC). GPMC is required to support and manage GPP settings, and it launches the new Group Policy Management Editor (GPME), in which the GPP settings are displayed and managed. Applying GPP, however, has very different requirements. Windows Server 2008 and Windows Vista are supported, of course, but GPP can also be applied to Windows Server 2003 SP1, Windows XP Professional SP2 and all later operating systems. Table 1 summarizes the operating systems that can manage GPP and those that can apply GPP.
Table 1 Operating system support

| Operating system | Can apply Group Policy preferences | Can manage Group Policy preferences with GPME |
| --- | --- | --- |
| Windows 2000 | Not supported | Not supported |
| Windows XP (x86 and x64) | Supported with SP2 and the CSE installer | Not supported |
| Windows Vista (x86 and x64) | Supported with SP1 and the CSE installer | Supported with SP1 and RSAT installed |
| Windows Server 2003 (x86 and x64) | Supported with SP1 and the CSE installer | Not supported |
| Windows Server 2008 (x86 and x64) | Built in | Built in |
Policies and preferences
The terms "policy" and "preference" are key to the new Group Policy functionality. Policies and preferences are defined by how they behave in several key Group Policy management areas, including enforcement, flexibility, registry behavior, targeting and user interface. This is not an exhaustive list, but these are the areas likely to matter most to administrators. Let's look at the main advantages of preferences in each of these areas. Table 2 details the differences between policies and preferences.
Table 2 Group Policy preferences and policies

| Management area | Group Policy preferences | Group Policy settings |
| --- | --- | --- |
| Enforcement | Preferences are not enforced. The user interface is not disabled. Preferences can be refreshed, or applied only once. | Settings are enforced. The user interface is disabled. Settings are refreshed. |
| Flexibility | Easily create preference items for registry settings and files. Import individual registry settings or entire registry branches from a local or remote computer. | Adding policy settings requires application support and the creation of an administrative template. Policy settings cannot be created to manage files and folders. |
| Local Group Policy | Not available in local Group Policy. | Available in local Group Policy. |
| Awareness | Supports applications that are not Group Policy-aware. | Requires applications that are Group Policy-aware. |
| Registry location and behavior | The original settings are overwritten. Removing the preference item does not restore the original settings. | The original settings are not modified. Stored in the Policies branches of the registry. Removing the policy setting restores the original settings. |
| Targeting and filtering | Targeting is very granular, with a user interface for each type of targeting item. Supports targeting at the level of an individual preference item. | Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries. Supports filtering at the GPO level. |
| User interface | Provides a familiar, easy-to-use interface for configuring most settings. | Provides an alternative user interface for most policy settings. |
Enforcement
GPP settings are not enforced. You can therefore deliver an initial configuration while the end user retains control of the setting.
Flexibility
GPP lets you easily add any registry value, file or folder to a managed GPO. In addition, because GPP is built on XML, settings can be copied and pasted efficiently to other GPOs.
Registry behavior
Every registry entry can be controlled, even after the target computer or user is no longer within the scope of the GPO in which the registry value is configured. When the GPO no longer applies to the target object, you can either delete the registry value or leave it in place.
Targeting
Each GPP setting offers more than 25 different targeting filters that control whether or not the setting is applied to a target object. Examples of filters include IP address range, security group membership and registry value match.
User interface
The GPP user interface is extremely simple and easy to use compared with the other settings in a GPO. In most cases it is identical to the actual configuration interface, so configuring the settings feels simple and familiar.
GPP structure and settings
When a GPO is opened in GPME, the distinction between policies and preferences is obvious, as Figure 3 shows. This makes it easy to see which settings the new GPP area introduces. Pay close attention to this, because preferences and policies behave differently. The same separation appears when you expand Computer Configuration (Figure 4) or User Configuration (Figure 5).
Figure 3 GPME separates policies from preferences
Figure 4 Computer Configuration preferences
Figure 5 User Configuration preferences
Advanced Configuration
Compared with the other settings in a GPO, GPP gives you much finer control through the options on the Common tab of each preference item. The Common tab contains five check boxes for different settings, an item-level targeting option, and a Description text box for documenting the preference for record-keeping and troubleshooting.
Stop processing items in this extension if an error occurs
By default, Group Policy processes all settings, even when several settings share the same client-side extension (CSE) and one of them fails. Enable this option if you want processing of the remaining settings in that CSE to stop when one of them fails. This setting applies only within the current GPO.
Run in logged-on user's security context (user policy option)
By default, Group Policy settings (both policies and preferences) are applied using the Local System account. Because the Local System account can access only system environment variables and local resources, the user's context is not available. To allow access to user environment variables and network resources, enable this option so that the Group Policy preference is processed under the logged-on user's account.
Remove this item when it is no longer applied
GPP settings are not removed from the registry when the GPO is removed from the user or computer, nor when the user or computer leaves the GPO's management scope. Enable this option to remove the preference setting when the GPO no longer applies to the user or computer object. Note that this option does not apply to some extensions, such as the Internet Explorer extensions.
Apply once and do not reapply
Group Policy refreshes at a default interval of every 90 minutes. The refresh lets new settings be applied and existing settings be reapplied without the computer restarting or the user logging on again. If the GPP setting you are configuring should be applied to the computer only once and never updated, enable this option. This is extremely useful for establishing an initial configuration with GPP while still allowing users to customize their environment after logon, because the changes they make are not overwritten.
If the setting is under User Configuration, GPP applies it once on each computer the user logs on to. If the setting is under Computer Configuration, GPP applies it once on each computer. Note that this is a one-time application of the setting: to update or reapply it, you must clear this option.
Targeting Editor
By default, all users and computers within the GPO's management scope receive the settings in the GPO. To apply a setting only to a subset of those users and computers, you can use targeting. More than 25 different targeting items are available, and they can be used on their own or in combination with other items. Figure 6 shows the complete list of item-level targeting options.
Figure 6 Item-level targeting dynamically controls which users and computer objects receive GPP settings
Description
The Description text box is used to document the settings, options and targeting items of each GPP setting. This is the text you see when you select a preference item in GPME, without having to open the GPP setting itself, as shown in Figure 7.
Manage GPP
GPP is managed in the same way as other GPO settings. The only difference is that it must be managed from a computer running Windows Server 2008 or Windows Vista SP1.
Figure 8 Creating a new drive mapping preference opens the New Drive Properties dialog box
Suppose you want to configure a drive mapping in the User Configuration section of a GPO. Its preference setting is under User Configuration | Preferences | Windows Settings | Drive Maps. Right-click Drive Maps and select New - Mapped Drive to create a new item, as shown in Figure 8. Enter the information for mapping the drive, such as the location, the local label and the drive letter.
At this point you can map the drive for every user in the GPO's scope, or you can restrict which users receive the setting by configuring item-level targeting. In this example, item-level targeting controls who receives the mapped drive based on security group membership, together with a quick check for a specific program (.exe) file on the user's computer. The second check is included because the shared folder being mapped contains files that are useful only when accessed with that program.
To create these item-level targeting settings, click the Common tab in the New Drive Properties dialog box. Select the Item-level targeting check box, and then click Targeting. This opens the Item-level targeting dialog box. Click the Item Options drop-down list, and then click Security Group. Click Browse to select the appropriate group (the HR group in this example), as shown in Figure 9.
Next, configure the path to the .exe file. Select File Match from the Match type drop-down list to add the matching condition, and then enter the path to the file, in this example C:\Program Files\ACME\HRBenefits.exe. Note that Drive Maps and Printers are refreshed during foreground Group Policy processing. For more information about foreground and background policy refresh, see Group Policy Processing in the GPP documentation.
After this, the mapped drive appears the next time the user logs on, provided that the user is a member of the HR security group and has the HRBenefits.exe file on the computer. If these conditions are not met, the drive letter does not appear.
Figure 9 Item-level targeting options can be combined
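As an added example (not code from the original article or from Microsoft), the following Python script models how item-level targeting decides which mapped drives a given user receives. GPME stores each preference item, including its targeting filters, as XML under SYSVOL; the sample XML here is constructed and modelled loosely on that layout. The element and attribute names, the left-to-right evaluation of the AND/OR connectors and the `not` flag are assumptions of this simulation, and the real Drives.xml carries additional attributes that are omitted. The HR-group-plus-file-match scenario from the walkthrough is the first drive; a second drive uses a negated group filter to show how a NOT condition behaves, and a third has no targeting at all.

```python
"""Simulate Group Policy preference item-level targeting for drive maps.

Added example, not code from the article or from Microsoft. The XML below is
constructed to resemble the Drives.xml that GPME writes to SYSVOL; element
and attribute names, and the left-to-right AND/OR evaluation, are assumptions.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: H: is limited to the HR group AND the HRBenefits.exe
# file check (the article's walkthrough); S: is hidden from contractors via
# a negated group filter; P: has no filters and goes to everyone in scope.
SAMPLE_DRIVES_XML = r"""
<Drives>
  <Drive name="H:" status="H:">
    <Properties action="U" letter="H" label="HR Benefits" path="\\fileserver\HRBenefits"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\HR" userContext="1"/>
      <FilterFile bool="AND" not="0" type="EXISTS" path="C:\Program Files\ACME\HRBenefits.exe"/>
    </Filters>
  </Drive>
  <Drive name="S:" status="S:">
    <Properties action="U" letter="S" label="Shared" path="\\fileserver\Shared"/>
    <Filters>
      <FilterGroup bool="AND" not="1" name="CONTOSO\Contractors" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="P:" status="P:">
    <Properties action="U" letter="P" label="Public" path="\\fileserver\Public"/>
  </Drive>
</Drives>
"""


@dataclass
class ClientState:
    """What the client-side extension can observe about the logged-on user."""
    groups: set[str] = field(default_factory=set)  # security groups, DOMAIN\Name
    files: set[str] = field(default_factory=set)   # full paths of files on disk


def _item_matches(item: ET.Element, client: ClientState) -> bool:
    """Evaluate one targeting item, before its 'not' flag is applied."""
    if item.tag == "FilterGroup":
        return item.get("name", "").lower() in {g.lower() for g in client.groups}
    if item.tag == "FilterFile":
        if item.get("type") != "EXISTS":
            raise ValueError(f"unsupported file match type: {item.get('type')}")
        return item.get("path", "").lower() in {p.lower() for p in client.files}
    raise ValueError(f"unsupported targeting item: {item.tag}")


def targeting_applies(filters: ET.Element | None, client: ClientState) -> bool:
    """Combine targeting items left to right using each item's AND/OR connector.

    A missing <Filters> element means no targeting: the item applies to every
    user or computer in the GPO's scope.
    """
    if filters is None:
        return True
    result: bool | None = None
    for item in filters:
        value = _item_matches(item, client)
        if item.get("not") == "1":
            value = not value
        if result is None:              # the first item has no connector
            result = value
        elif item.get("bool", "AND").upper() == "OR":
            result = result or value
        else:
            result = result and value
    return True if result is None else result


def drives_for_client(drives_xml: str, client: ClientState) -> dict[str, str]:
    """Return {drive letter: UNC path} for every drive whose targeting passes."""
    mapped: dict[str, str] = {}
    for drive in ET.fromstring(drives_xml.strip()).findall("Drive"):
        props = drive.find("Properties")
        if props is not None and targeting_applies(drive.find("Filters"), client):
            mapped[props.get("letter", "")] = props.get("path", "")
    return mapped


if __name__ == "__main__":
    # Constructed users for the demonstration.
    scenarios = {
        "HR user with HRBenefits.exe": ClientState(
            groups={r"CONTOSO\HR"}, files={r"C:\Program Files\ACME\HRBenefits.exe"}),
        "HR user without the program": ClientState(groups={r"CONTOSO\HR"}),
        "Contractor": ClientState(groups={r"CONTOSO\Contractors"}),
    }
    for label, state in scenarios.items():
        print(f"{label}: {drives_for_client(SAMPLE_DRIVES_XML, state)}")
```

Running the script prints the drives each constructed user would receive: the HR user with the program gets H:, S: and P:, the HR user without it loses H:, and the contractor gets only P:. The same idea is useful when auditing SYSVOL, because reading the filters tells you which principals a preference item actually reaches; this model covers only the two item types from the walkthrough and does not implement the full targeting grammar.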
Group policy preferences
Here is a brief list of problems I have solved using GPP:
- Update the membership of the local Administrators group on every desktop to include Domain Admins and the local Administrator account, without removing existing members.
- Make sure the current user of a desktop does not have his or her own user account in the local Administrators group.
- Control the power options of every desktop computer to save as much power as possible.
- Update the services configuration on servers running a specific service so that the service startup mode is always Automatic.
- Map printers dynamically so that laptop users get the correct printer when visiting branch office 1, and likewise the correct local printer when visiting branch office 2.
Summary
Group Policy preferences are easy to manage and deploy. Because the technology is compatible with Windows Server 2003 SP1 and Windows XP SP2, almost every company can benefit from the new settings and features it introduces. This reduces implementation cost and gives administrators more effective control over the desktops they are responsible for.
By combining a good Group Policy deployment design with item-level targeting, administrators gain the ability to create dynamic desktop and server configurations. With more than 25 types of item-level targeting conditions available, almost every setting can be controlled for the most appropriate scenario. For more information about Group Policy, see the Group Policy Resource Kit. You can also visit the Windows Server Group Policy website.
Derek Melber is an independent consultant, trainer and writer. Derek focuses on Microsoft technologies including Active Directory, Group Policy, security and desktop management. He writes regularly for online and print publications and has written more than 10 technical books, including The Microsoft Windows Group Policy Resource Kit, published by Microsoft in 2008.
You can contact Derek at derekm@braincore.net.
Source: TechNet