Apr 17 2008

Group Policy Preferences Add Flexibility

Configure users' desktops and settings quickly and easily using Group Policy Preferences.

Group Policy allows administrators to enforce server and desktop settings, providing a comprehensive array of configuration options and, most importantly, the ability to roll back changes. Despite the introduction of Group Policy as part of Active Directory eight years ago, administrators continue to manage many common aspects of users' desktop environments with logon scripts, or worse, manually. Network drive mappings, desktop shortcuts and Open Database Connectivity (ODBC) data sources are just a few examples of user settings that standard Group Policy does not cover natively.

Group Policy Preferences (GPPs) were added to the Group Policy Management Console (GPMC), which comes as part of Windows Server 2008 and the Remote Server Administration Tools (RSAT), following Microsoft’s acquisition of DesktopStandard, a company that specialized in desktop management software.

Preference or Policy?

Group Policy Preferences are contained within Group Policy Objects (GPOs), just like standard Group Policy settings. The most important difference between policies and preferences is that preferences are not enforced: the user can change the configuration via the GUI afterwards. Nor are preferences reversed by default should a GPO no longer apply to a computer or user account; the setting simply stays behind. Some configuration tasks, such as printer deployment, can be achieved with either preferences or policy. Printer connections deployed with Group Policy cannot be deleted by standard users; with preferences, the connection is written by the client-side extension and the user is free to remove it (whether it comes back at the next refresh depends on the item's action and on the Apply once and do not reapply option on its Common tab). The default behavior of preferences can also be changed so that the setting is removed should a user or computer fall out of scope (Remove this item when it is no longer applied, on the same tab).

Figure 1

For both Computer and User Configuration, GPPs are divided into Windows and Control Panel Settings (Figure 1). Windows Settings are generally parts of system configuration that an administrator would configure either manually or by script. Control Panel Settings are items that a user might set. As with Group Policy, some preference settings appear only under Computer Configuration, and some only under User Configuration.

Install Client-Side Extensions

Before GPPs can be used on Windows XP or Vista, you need to install the appropriate client-side extensions (CSE). Windows Server 2008 already contains the necessary code.

Windows Vista 32-bit:

Windows XP 32-bit:

You can download RSAT for Windows Vista with SP1, which includes the updated Group Policy Management Console, and create GPPs from a Windows Vista client. The GPOs in which preferences are stored do not need to reside in a Windows Server 2008 domain or on a Windows Server 2008 domain controller: preference items are stored as XML files inside the GPO's SYSVOL folder, so the domain functional level is irrelevant, and only the management console and the client-side extensions need the new code.


Figure 2

Out With Scripts, In With Preferences

Let's take a look at configuring a GPP to create a mapped network drive, a task that traditionally would have been automated using a logon script. The walkthrough assumes a test environment with a Windows Server 2008 domain controller, a Windows Vista SP1 workstation with the GPP CSEs installed, and a shared folder on a server in the domain. Log on to the Windows Server 2008 domain controller as a domain administrator:

  1. Open Group Policy Management from Start > Administrative Tools.
  2. In the left-hand pane of GPMC, expand Forest > Domains, right-click your domain and select New Organizational Unit from the menu. Call the new OU Desktops and click OK.
  3. Expand your domain in GPMC and you should see the new Desktops OU. Right-click the OU and select Create a GPO in this domain, and Link it here. Call the GPO Preferences and click OK.
  4. Right-click the Preferences GPO, which is now linked to the Desktops OU and select Edit from the menu. The Group Policy Management Editor window will open.
  5. Expand Preferences > Windows Settings under User Configuration, right-click Drive Maps and New > Mapped Drive from the context menu.
  6. Because this a mapped drive that hasn’t existed previously, on the General tab in the properties dialog, set Action to Create from the drop-down menu.
  7. Under Location, enter the UNC path for your shared folder. In this case, the path is \\win2k8\userdata. Optionally, check Reconnect to make the mapped drive persistent, that is, to have it reconnected every time the user logs on. Label as can be used to give the drive a description.
  8. Under Drive Letter, check Use first available, starting at and then select drive letter E from the drop-down as shown in Figure 2.
  9. Select the Common tab and check the second item as shown in Figure 3: Run in logged-on user’s security context (user policy option). Click OK and close the Group Policy Management Editor window.

Figure 3

Running the preference in the logged-on user's security context matters for a mapped drive because it is the preference's CSE, not the user's shell, that connects to the share, and the connection is made with whatever credentials the CSE is running under. If this option is not selected, the CSE runs as the local SYSTEM account, which reaches the network as the computer account, so the mapping succeeds or fails according to the computer account's permissions on the share rather than the user's. Check the option, and keep the share and NTFS permissions scoped to the users who should have access: the preference only creates the mapping, it does not grant rights.

As with standard Group Policy, for this preference to apply to a user account, you need to move an Active Directory user object into the Desktops OU using the Active Directory Users and Computers tool (ADUC). Log on to a workstation where the GPP CSEs have been installed, with the user account you have just moved to the Desktops OU. You should see the new drive appear if you open Computer from the Start menu, as shown in Figure 4 (Windows Vista). If you log off and on again, the mapped drive still appears under Computer, because we configured it to be persistent.
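One way to check the result without clicking through Computer, as an added example that is not part of the original article: the PowerShell function below confirms that the letter is mapped to the expected UNC path and, for a Reconnect mapping, that the persistent entry exists in the user's registry. It assumes the drive letter E and the share \\win2k8\userdata from the walkthrough, and Windows PowerShell 3.0 or later for the DisplayRoot property; the function name is our own.

```powershell
# Added example, not from the original article: verify that the Drive Maps
# preference configured above actually landed on the client. Run as the test
# user who was moved into the Desktops OU, after a fresh logon (or gpupdate /force).
# Assumes Windows PowerShell 3.0 or later (Get-PSDrive exposes DisplayRoot).

function Test-GppDriveMap {
    param(
        [Parameter(Mandatory)][string]$Letter,        # e.g. 'E'
        [Parameter(Mandatory)][string]$ExpectedPath,  # e.g. '\\win2k8\userdata'
        [switch]$ExpectPersistent                     # set when Reconnect was ticked
    )

    $result = [ordered]@{
        Letter       = $Letter
        ExpectedPath = $ExpectedPath
        Mapped       = $false
        ActualPath   = $null
        Persistent   = $false
        Ok           = $false
    }

    # Current-session mapping: a network drive reports its UNC path in DisplayRoot.
    $drive = Get-PSDrive -Name $Letter -PSProvider FileSystem -ErrorAction SilentlyContinue
    if ($drive -and $drive.DisplayRoot) {
        $result.Mapped     = $true
        $result.ActualPath = $drive.DisplayRoot
    }

    # Persistent ("Reconnect") mappings are recorded per user under HKCU\Network\<letter>,
    # with the UNC path in the RemotePath value.
    $regKey = "HKCU:\Network\$Letter"
    if (Test-Path $regKey) {
        $remote = (Get-ItemProperty -Path $regKey -Name RemotePath -ErrorAction SilentlyContinue).RemotePath
        if ($remote) {
            $result.Persistent = $true
            if (-not $result.ActualPath) { $result.ActualPath = $remote }
        }
    }

    $pathMatches = $result.ActualPath -and
                   ($result.ActualPath.TrimEnd('\') -ieq $ExpectedPath.TrimEnd('\'))
    $result.Ok = $result.Mapped -and $pathMatches -and
                 (-not $ExpectPersistent -or $result.Persistent)

    [pscustomobject]$result
}

# Check the mapping from the walkthrough. Because the item used "Use first
# available, starting at E", a different letter may have been chosen if E was
# already taken; Mapped=False with Persistent=True means the stored mapping
# exists but could not reconnect (share unreachable, or the CSE ran as SYSTEM
# without rights to the share).
Test-GppDriveMap -Letter 'E' -ExpectedPath '\\win2k8\userdata' -ExpectPersistent | Format-List

# To see which GPO delivered the item, generate a resultant set of policy report;
# the User Configuration section lists the Preferences GPO and the Drive Maps CSE.
# gpresult /h "$env:TEMP\gpresult.html"
```

If Ok is False but ActualPath is populated, another script or preference has usually claimed the letter first; compare the GPO order and any remaining logon scripts before changing the preference.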

Figure 4

Item-Level Targeting

More complex logon scripts are required where user settings, such as mapped drives, are created based on various conditions (for example, a user's group membership, or an IP address that identifies the user's location). Standard Group Policy offers only coarse tools for this: security filtering and Windows Management Instrumentation (WMI) filters, both of which apply to the GPO as a whole, so every setting in the GPO is filtered the same way and a second condition means a second GPO. Item-level targeting attaches conditions to individual preference items inside a single GPO. The available targeting items include IP Address Range, Security Group, Site, Organizational Unit, Operating System and a free-form WMI Query, among others, so one GPO can map different network drives for different groups of users. Let's add a targeting item so that a mapped drive is created only for users whose workstation falls within a specific IP address range:

  1. Using GPMC, create another mapped drive preference in the Preferences GPO, following the instructions given earlier, but assigned to a different drive letter.
  2. Before completing the procedure, select the Common tab, check Item-level targeting and then click the Targeting button on the right.
  3. In Targeting Editor, click New Item and select IP Address Range from the list. In the lower half of Targeting Editor, enter a start and finish IP address. In this case I’ve entered a range, which is used for the showroom at a branch office in my organization, as shown in Figure 5. Click OK twice.

Figure 5

Go back to your workstation and log on again with the user account located in the Desktops OU. If the workstation's IP address falls within the range you specified, another mapped drive appears under Computer. Bear in mind that targeting items are evaluated on the client by the CSE at processing time: an IP Address Range item decides whether the mapping is created, not whether the share can be reached, and a user outside the range can still type the UNC path. Access to the data remains a matter of share and folder permissions.

Figure 6

You can create more complex filters by adding collections of items and changing the operators from the Item Options menu. Figure 6 shows a filter that applies a preference to users who log on from a machine in the London-City AD Site and for whom both of the following are true: the user is AD\Administrator, and a product with the given MSI product code is installed. Written out as a logical expression, the filter reads:

  AD Site = London-City
  AND (AD User = AD\Administrator
       AND MSI Exists = {3B410500-1802-488E-9EF1-4B11992E0440})
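Preference items and their targeting filters are stored as XML under the GPO in SYSVOL, which makes them easy to review outside the editor. The following is an added example, not code from the original article: a PowerShell function that reads a Drives.xml and reports each drive map with its action, target, security context and targeting filters. The sample XML is constructed here to mirror the walkthrough (the E: drive, plus a second drive limited to an IP range); the clsid attributes and timestamps a real file carries are omitted, the S: letter and the \\win2k8\showroom share are invented for the example, and the SYSVOL path in the comment follows the standard layout but should be confirmed against your own domain.

```powershell
# Added example, not from the original article: list the Drive Maps preference
# items a GPO stores in SYSVOL, together with their item-level targeting filters.
#
# Real location (standard layout; the GUID comes from Get-GPO -Name Preferences):
#   \\<domain>\SYSVOL\<domain>\Policies\{<gpo-guid>}\User\Preferences\Drives\Drives.xml
# Load it with:  Get-GppDriveMapReport -Xml ([xml](Get-Content -Raw $path))

function Get-GppDriveMapReport {
    param([Parameter(Mandatory)][xml]$Xml)

    # The action attribute uses one-letter codes: Create, Replace, Update, Delete.
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($drive in $Xml.Drives.Drive) {
        $p = $drive.Properties
        $filters = @()
        if ($drive.Filters) {
            # Render every attribute of every filter element, so filter types this
            # script does not know about are still shown rather than silently dropped.
            foreach ($f in ($drive.Filters.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })) {
                $attrs = ($f.Attributes | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
                $filters += "$($f.LocalName) $attrs"
            }
        }
        [pscustomobject]@{
            Name        = $drive.name
            Action      = $actions[$p.action]
            Path        = $p.path
            # useLetter="1" pins the letter; "0" means "first available, starting at".
            Letter      = $(if ($p.useLetter -eq '1') { $p.letter } else { "first free from $($p.letter)" })
            Persistent  = $p.persistent -eq '1'
            UserContext = $drive.userContext -eq '1'   # "Run in logged-on user's security context"
            Filters     = $(if ($filters) { $filters -join '; ' } else { '(none: applies to everyone in scope)' })
        }
    }
}

# Constructed sample, trimmed to the attributes the report uses. A real Drives.xml
# also carries clsid, uid and changed attributes on each element.
$sample = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="E:" status="E:" userContext="1">
    <Properties action="C" path="\\win2k8\userdata" label="User Data" persistent="1" useLetter="0" letter="E"/>
  </Drive>
  <Drive name="S:" status="S:" userContext="1">
    <Properties action="C" path="\\win2k8\showroom" label="Showroom" persistent="1" useLetter="1" letter="S"/>
    <Filters>
      <FilterIpRange bool="AND" not="0" min="192.168.50.1" max="192.168.50.254"/>
    </Filters>
  </Drive>
</Drives>
'@

Get-GppDriveMapReport -Xml $sample | Format-Table -AutoSize
```

Reviewing the XML this way shows at a glance which items run as SYSTEM (UserContext False), which carry no filter and therefore reach every user in the OU, and what each filter actually tests, which is easier to audit than opening every item's Targeting Editor in turn.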

IT Takeaway

Where Group Policy is more geared towards core system configuration, Group Policy Preferences provide easy management of user environments. Settings that were previously time-consuming to automate using scripts — such as VPN and dial-up networking connections, scheduled tasks, file extensions, ODBC data sources and regional options — can now be configured in seconds.

GPPs can be used to customize user environments quickly with minimum investment. In small organizations, where quite often administrators don’t have the necessary skills to create and maintain scripts to automate common tasks, GPPs may be of particular benefit. Microsoft has back-ported GPPs to Windows XP and Server 2003, so you can take advantage of the technology with a simple update across your systems. Best of all, Windows Server 2008 is not required to make use of Group Policy Preferences.


Russell Smith is an independent consultant based in the United Kingdom who specializes in Microsoft systems management.