As a tool to manage end user desktops, Group Policy is very powerful, but how many times have you wanted to manage a users printer settings or drive mappings and not been able to do it outside of a script? How about the challenge of copying a set of files or a registry change for a set of computers? Again Group Policy isn’t the best answer and we are forced to scripting. Well let me introduce you to a new feature in Windows Server:
Windows Server 2008 Group Policy Preferences
Who’s it for? IT Professionals who manage desktop systems.
What is it? Group Policy Preferences allows IT Professionals to manage operating system and application settings via centralized Policy previously unavailable via Group Policy.
What can I do with Group Policy Preferences? There are too many items to list here (over 20 new policy extensions) but some of the items available for configuration are:
· Create, replace, update and delete files, folders, and .ini files on destination computers.
· Create, replace, update, and delete network drive mappings.
· Create, replace, update, and delete registry settings on multiple computers.
· Configure ODBC data sources! That’s right you can create, replace, update, and delete for both user and Computer ODBC data sources. This is one item that regular Group Policy lacks.
· Remote networking options such as VPN Connections and Dial Up Networking and then target the configuration specifically at mobile PC’s in your environment.
This sounds an awful lot like Group Policy. What’s the difference?
It really comes down to enforcement. Group policy strictly enforces policy settings. When Group Policy is processed settings are written to the policy areas of the registry and then secured via ACL that prevents users from changing them. If a user does change the setting, periodic policy refresh intervals reset the settings.
Group Policy Preferences do not strictly enforce preferences. Preferences are not written in the policy branches in the registry, they are written to the same locations in the registry that the setting would be written to if the user themselves made the change. Because of this model, preferences can support features and applications that are typically not Group Policy aware. Group Policy preference settings are also not secured via ACL’s that prevents the user from changing the setting. This allows you to set a particular preference one time and then allow the user to change it, or you can have the preference refreshed using the same interval used by Group Policy.
There are also significant differences in how you are able to filter or target Group Policy Preferences. In regular Group Policy you are limited to filtering using WMI and those filters determine whether the entire GPO (Group Policy Object) is applied. You cannot specify individual settings within a GPO. Group Policy Preferences support item-level targeting. Imagine a policy that has 50 settings and each setting can be targeted on criteria such as IP address, if that machine is a laptop or desktop, security group membership and so on. Group Policy Preferences then becomes a very powerful tool to manage desktops.
How do I get Group Policy Preferences? Group Policy Preferences are available in the GPMC on Windows Server 2008 systems and also available to run on Windows Vista with the release of the Remote Server Administration Tools.
What systems can I use Group Policy Preferences on? In order to take advantage of Group Policy Preferences, the following clients require the installation of the Client Side Extensions (CSE’s) that have been released as separate downloads (hyper link leads to the download site for the CSE). Windows Server 2008 ships with these extensions already installed.
· Windows XP 32 Bit
· Windows XP x64 Edition
· Windows Server 2003 32 Bit
· Windows Server 2003 x64 Edition
· Windows Vista 32 Bit
· Windows Vista x64 Edition
In closing: Group Policy Preferences comes at no added cost and are available to use with NO TRAINING to the IT Professional. A simple user interface allows for easy configuration of policy preferences helping to decrease the configuration errors that are common when deploying and managing desktop systems. With over 20 available settings with the flexibility to filter and apply settings to specific users, groups, computer types and more the IT Professional has a new tool that will help reduce the reliance on logon scripts and fine-tune settings for users and computers in users organizations.
Check out the screencast on Edge.
The essential resource for Group Policy Preferences is the Group Policy Preferences White Paper.
A FAQ is also available.
We had a chance to try managing desktops with this group policy preferences in windows 2008.
It was a big pain for us to configure many things. Group policy preferences can only use item level targeting and you can't apply targeting at the gpo level.
For example, if you want to filter all items within a group policy by users in a selected AD group, you have to set targeting manually on every item within that group policy.
To overcome such problems I can suggest using desktop authority http://www.scriptlogic.com/products/desktopauthority that includes special technology called "validation logic".
It can easily apply settings on profile level and all included items within the profile automatically.