Using Group Policy preferences for extended control


2010-12-15 15:30 | Derek Melber | TechNet Chinese


Of the many new technologies introduced in Windows Server 2008 and Windows Vista, the most compelling is Group Policy preferences (GPP), which greatly extend what an administrator can do with Group Policy. In a Group Policy object (GPO), Group Policy preferences provide more than 3,000 settings in 22 different areas, as well as settings for drive and printer mappings and for controlling local group memberships. Most importantly, you do not need to install any new infrastructure, because the technology works with the existing Active Directory infrastructure and Group Policy environment. You just need to install the administration tools and client DLLs to get to work. In this article, I'll delve into Group Policy preferences to demonstrate their usefulness and ease of deployment and management.

GPP compatibility

An Active Directory environment that is used to manage GPP must include at least one Windows Server 2008 server or Windows Vista desktop, because only they support the new Group Policy Management Console (GPMC). The GPMC is required to support and manage GPP settings, and it also launches the new Group Policy Management Editor (GPME), which displays the GPP settings that can be managed in the editor. Applying GPP settings is a different matter: operating systems older than Windows Server 2008 and Windows Vista are also supported. In particular, GPP can be applied on Windows Server 2003 SP1, Windows XP Professional SP2, and all subsequent operating systems. Table 1 summarizes the operating systems that can manage GPP and can apply GPP.

Table 1 Operating system support

| Operating system | Group Policy preferences can be applied | Group Policy preferences can be managed through GPME |
|---|---|---|
| Windows 2000 | Not supported | Not supported |
| Windows XP (x86 and x64) | Supported by SP2 and CSE installers | Not supported |
| Windows Vista (x86 and x64) | Supported by SP1 and CSE installers | Supported by SP1 and installed RSAT |
| Windows Server 2003 (x86 and x64) | Supported by SP1 and CSE installers | Not supported |
| Windows Server (x86 and x64) | Integrated | Integrated |

Policy and preference

The terms "policy" and "preference" are critical to mastering the new Group Policy functionality. Policies and preferences are distinguished by several key management areas of Group Policy, including enforcement, flexibility, registry behavior, targeting, and user interface. This is not an exhaustive list, but these are areas that can be very important to administrators. Let's take a look at the main benefits of preferences in these areas. Table 2 details the differences between a policy and a preference item.

Table 2 Group Policy preferences and policies

| Administrative area | Group Policy preferences | Group Policy settings |
|---|---|---|
| Mandatory | Preferences are non-mandatory. The user interface is not disabled. Preferences can only be refreshed or applied once. | Settings are mandatory. The user interface is disabled. Settings are refreshed. |
| Flexibility | Easily create preference items for registry settings and files. Import a single registry setting or an entire registry branch from a local or remote computer. | Adding policy settings requires application support and the creation of administrative templates. You cannot create policy settings to manage files, folders, and so on. |
| Local policy | Not available in local Group Policy. | Available in local Group Policy. |
| Awareness | Supports applications that are not Group Policy aware. | Requires an application that is Group Policy aware. |
| Registry location and behavior | The original settings are overwritten. Deleting a preference item does not restore the original settings. | The original settings are not altered. Stored in the Policy branch of the registry. Deleting a policy setting restores the original settings. |
| Targeting and filtering | Targeting is granular, and each type of targeting item has a user interface. Targeting is supported at the level of a single preference item. | Filtering is based on Windows Management Instrumentation (WMI) and requires a WMI query to be written. Supports GPO-level filtering. |
| User interface | Provides a familiar and easy-to-use interface for most configuration operations. | Provides an alternative user interface for most policy settings. |

    • Mandatory: GPP is not mandatory, so it can be used to set an initial configuration, but the end user is still in a controlled state.

    • Flexibility: GPP makes it easy to add any registry values, files, or folders to the GPO that you manage. In addition, because GPP is built on XML, it can be efficiently copied and pasted into other GPOs.

    • Registry behavior: All registry entries can be controlled even if the target computer or user is no longer in the management scope of the GPO that configures the registry value. When a GPO no longer affects the target object, you can delete the registry value or keep it as it is.

    • Targeting: Each GPP setting offers more than 25 different targeting filters that control whether the setting affects the target object. Examples of filters include IP address ranges, security group memberships, and registry value matching.

    • User interface: GPP's user interface is extremely simple and easy to use compared to other settings in the GPO. In most cases it is identical to the actual configuration interface, which makes configuring the settings feel simple and familiar.

GPP structure and settings

When a GPO is opened in GPME, the distinction between policies and preferences is obvious (as shown in Figure 3), which makes it easy to see which settings belong to the new GPP area. This deserves special attention, because preferences and policies behave differently. When you expand the Preferences node under Computer Configuration (Figure 4) or User Configuration (Figure 5), you will find that the settings are divided into two categories: Control Panel Settings and Windows Settings.

Figure 3 GPME separating the policy from the preference

Figure 4 Computer Configuration preferences

Figure 5 User Configuration Preferences

Advanced Configuration

Using the options on the Common tab of each preference item, you can control GPP more finely than other settings in the GPO. The Common tab includes five check boxes for different settings, an option for configuring item-level targeting, and a text box for describing the preference, which helps with logging and troubleshooting.

Stop processing items in this extension if an error occurs: The default behavior is to process all settings, even if there are multiple settings for the same client-side extension (CSE) and one of them fails. Enable this option if you want processing in a CSE to stop as soon as any one of its settings fails. This setting is scoped to the current GPO only.

Run in the security context of the logged-on user (user policy option): When Group Policy settings (both policies and preferences) are applied, they are applied using the Local System account. The user context is therefore not available, because the Local System account can only access system environment variables and local resources. To be able to access user environment variables and network resources, enable this option so that Group Policy preferences are processed using the account of the logged-on user.

Remove this item when it is no longer applied: By default, GPP settings are not removed from the registry, and are not deleted from the user or computer, when the user or computer leaves the GPO's management scope. Enable this option if the preference setting should be removed when the GPO no longer applies to the user or computer object (but note that this option does not apply to certain extensions, such as the extensions for Internet Explorer).

Apply once and do not reapply: Group Policy has a default refresh interval of approximately 90 minutes. The refresh applies new settings and reapplies old ones without requiring the computer to restart or the user to log on again. Enable this option if the GPP setting you are configuring should be applied only once and never updated. This mechanism is extremely useful for establishing an initial configuration through GPP, and it also lets the user customize the environment by changing the settings after logging on, without those changes being overwritten.

If the setting is located under User Configuration, GPP applies it one time on each computer that the user logs on to. If the setting is located under Computer Configuration, GPP applies it once on each computer. Note, however, that this is a one-time application. To update or reapply the setting, you must first clear this option.

Targeting editor: By default, all users and computers that are in the GPO's management scope receive the settings in the GPO. To apply the settings only to a subset of those users and computers, you can use item-level targeting. More than 25 different targeting items are available, and they can be used on their own or in combination with other items. Figure 6 shows a complete list of item-level targeting options.

Figure 6 Item-level targeting for GPP settings, used to dynamically control user and computer objects

Description: The Description text box is used to record the settings, options, and targeting items for each GPP setting. This is the text you see when you select a particular preference setting in GPME, without having to edit the GPP setting itself, as shown in Figure 7.

Manage GPP

GPP is managed in the same way as other GPO settings. The only difference is that they must be managed by a computer running Windows Server 2008 or Windows Vista SP1, as described previously.

Figure 8 When you create a new policy setting for drive mapping, the New Drive Properties dialog box opens

Suppose you want to configure a drive mapping in the User Configuration section of the GPO. The preference settings are under User Configuration | Preferences | Windows Settings | Drive Maps. By right-clicking Drive Maps, you can select New | Mapped Drive to create a new policy setting, as shown in Figure 8. The dialog box provides fields for the information needed to map the drive, such as the location, the label, and the drive letter.

At this point, you can choose to apply the drive map to every user within the scope of the GPO, or you can restrict who receives the setting by configuring item-level targeting. In this example, set up item-level targeting that controls which users receive the drive mapping based on security group membership, and add a quick check for whether a specific program (.exe) file exists on their computer. The second check is performed because the shared folder you are mapping contains files that are only useful if the program is available to open them.

To establish these item-level targeting settings, click the Common tab in the New Drive Properties dialog box. Then select the check box next to Item-level targeting and click the Targeting button. This opens the Item-level targeting dialog box. Click the Item Options drop-down list and then click Security Group. Next, click Browse to select the appropriate group, HR users in this example (see Figure 9).

You now need to configure the path to the .exe file. Select "File Match" from the "Match type" drop-down list to add a match condition. Then type the path to the file, in this case C:\Program Files\acme\hrbenefits.exe. (Note: Drive Maps and Printers are refreshed only during a foreground policy refresh. For more information about foreground and background policy refreshes, see the article Group Policy processing.)

From then on, the mapped drive is displayed the next time the user logs off and logs on again, but only if the user is a member of the HR security group and has the HRBenefits.exe file on the computer. If these conditions are not met, the drive letter is not displayed.
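The targeting logic configured above, as an added example that is not part of the original article: a Python sketch that reads a drive-map preference item from XML, evaluates the security-group and file-match conditions together, and reports the Common tab options. The sample XML is constructed; its element and attribute names (FilterGroup, FilterFile, FilterRunOnce, userContext, removePolicy), the EXAMPLE domain and the \\fileserver\hrdocs share are assumptions to check against the Drives.xml stored with your own GPO.

```python
import xml.etree.ElementTree as ET

# Constructed sample item; server, domain and attribute names are assumptions.
SAMPLE = r"""<Drives>
  <Drive name="S:" userContext="1" removePolicy="1">
    <Properties action="U" path="\\fileserver\hrdocs" label="HR" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\HR"/>
      <FilterFile bool="AND" not="0" type="EXISTS"
                  path="C:\Program Files\acme\hrbenefits.exe"/>
    </Filters>
  </Drive>
</Drives>"""

def _hit(f, groups, files):
    """Evaluate one targeting item; its "not" attribute inverts the result."""
    if f.tag == "FilterGroup":
        hit = f.get("name", "").lower() in groups
    elif f.tag == "FilterFile":
        hit = f.get("path", "").lower() in files
    else:
        raise ValueError(f"unhandled targeting item: {f.tag}")
    return hit != (f.get("not") == "1")

def targeting_applies(item, groups, files):
    """Combine targeting items left to right using each item's AND/OR."""
    groups = {g.lower() for g in groups}
    files = {p.lower() for p in files}
    result = None
    for f in item.findall("./Filters/*"):
        if f.tag == "FilterRunOnce":      # "apply once" marker, not a condition
            continue
        hit = _hit(f, groups, files)
        if result is None:
            result = hit
        elif f.get("bool") == "OR":
            result = result or hit
        else:
            result = result and hit
    return True if result is None else result   # untargeted: whole GPO scope

def audit(xml_text, groups, files):
    """Summarise each item: target, Common tab options, whether it applies."""
    return [{
        "item": item.get("name"),
        "path": item.find("Properties").get("path"),
        "applies": targeting_applies(item, groups, files),
        "user_context": item.get("userContext") == "1",
        "remove_when_unapplied": item.get("removePolicy") == "1",
        "apply_once": item.find("./Filters/FilterRunOnce") is not None,
    } for item in ET.fromstring(xml_text)]
```

Running `audit` over exported preference XML for a set of representative users is a quick way to review which shares an item exposes to whom before the GPO is linked.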

Figure 9 Item-level targeting options can be combined

Group Policy preferences come to the rescue

Here is a brief list of some of the issues I've solved with GPP:

    • Fix the members of the local Administrators group on each desktop to include Domain Admins and local administrator accounts, but do not delete existing group memberships.

    • Make sure that the current user of the desktop does not have their own user account in the local Administrators group.

    • Control the Power options for each desktop computer to conserve power as much as possible.

    • Update the service configuration area on all servers running a particular service so that the service startup mode is always automatic.

    • Dynamically map the printer so that the correct printer is available when a laptop user accesses branch office 1. Also, when it accesses branch office 2, the correct printer for that location is available.

Summary

Group Policy preferences are easy to manage and deploy. Because this technology is compatible with both Windows Server 2003 SP1 and Windows XP SP2, almost all companies can benefit from the new settings and features it introduces. This reduces implementation costs and enables administrators to control more effectively the desktops people need to carry out their work.

By combining a good Group Policy deployment design with item-level targeting, you can give administrators the ability to create dynamic desktop and server configurations. With more than 25 item-level targeting items available, almost every setting can be applied in exactly the situation it suits. For more information about Group Policy, see the Group Policy Resource Kit, or visit the Windows Server Group Policy web site.

Derek Melber is an independent consultant, trainer and writer. Derek is responsible for promoting Microsoft technologies, primarily Active Directory, Group Policy, security, and desktop management. Derek regularly writes for online and printed publications, and he has authored more than 10 technical books, including Microsoft's Microsoft Windows Group Policy Resource Kit, published in 2008.

You can contact Derek via [email protected] .


Article Source: TechNet Chinese Web
