Group policy preferences



This was a quick presentation I made at our local Rockford SpiceCorps. The idea was to show an alternative way of easing the logon process from a maintenance standpoint, specifically for admins who were not script-savvy.


  1. GROUP POLICY PREFERENCES. Easing your way out of logon scripts. Rob Dunn
  2. WHY USE GROUP POLICY PREFERENCES? “During your career as an IT professional, you’ve likely mapped network drives for users. You probably configured them using logon scripts. This required you to write and debug the logon script, store the script in a central location, and then run the script by configuring User objects in Active Directory® directory service or by creating a Group Policy object (GPO). Think about all the other settings you’ve configured using logon scripts or similar methods. A simple, central system to configure and deploy these settings without requiring you to make scattered changes that are easily forgotten and seldom documented would certainly help reduce costs and make your job easier, wouldn’t it?” - Microsoft
  3. WHY USE GROUP POLICY PREFERENCES OVER LOGON SCRIPTS?
     - Writing and debugging logon scripts can be troublesome for newcomers
     - It takes a moderate amount of coding/logic to apply certain settings to certain people or computers through scripting
     - Scripts typically run at logon/logoff
     - Group Policies are applied periodically throughout the day, or when forced using gpupdate (which can be done remotely)
     - Group Policy Preferences can be run under the logged-on user’s security context
     - Group Policies are easier to navigate and edit for people who have grown accustomed to a GUI
  4. GROUP POLICY PREFERENCES VS. SETTINGS. WHAT’S THE DIFFERENCE?
     - Preferences: Desired settings for a user or computer. They may need to be changed later at the console.
     - Settings: Required settings for a user or computer. The settings cannot be modified by the end user.
  5. Group Policy Preferences compared with Group Policy Settings:

     | | Group Policy Preferences | Group Policy Settings |
     |---|---|---|
     | Enforcement | Preferences are not enforced; user interface is not disabled; can be refreshed or applied once | Settings are enforced; user interface is disabled; settings are refreshed |
     | Flexibility | Easily create preference items for registry settings, files, and so on; import individual registry settings or entire registry branches from a local or a remote computer | Adding policy settings requires application support and creating administrative templates; cannot create policy settings to manage files, folders, and so on |
     | Local Policy | Not available in local Group Policy | Available in local Group Policy |
     | Awareness | Supports non-Group Policy-aware applications | Requires Group Policy-aware applications |
     | Storage | Original settings are overwritten; removing the preference item does not restore the original setting | Original settings are not changed; stored in registry Policy branches; removing the policy setting restores the original settings |
     | Targeting and Filtering | Targeting is granular, with a user interface for each type of targeting item; supports targeting at the individual preference item level | Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries; supports filtering at a GPO level |
     | User Interface | Provides a familiar, easy-to-use interface for configuring most settings | Provides an alternative user interface for most policy settings |
  6. WHAT YOU’LL NEED: ADMIN SIDE. Where do the new preferences come from? Windows Vista (or newer) or Windows 2008 with GPMC installed. Preferences can be edited/viewed using the supported OSes above.
  7. WHAT YOU’LL NEED TO APPLY PREFERENCES: CLIENT SIDE
     - Windows Vista or newer
     - Windows Server 2003 SP1+
     - Windows XP SP2+

     (*) Windows 7 & Server 2008 already have the needed extensions built in. The XMLLite Low-Level XML Parser is included with IE7+ and/or Server 2003 SP2/Windows XP SP3 installations. Info and downloads: Microsoft TechNet - Windows article - Client Side Extensions* (CSEs) and XMLLite low-level XML Parser*
  8. DEPLOYING CSEs – METHODS
     - MS WSUS (Windows Server Update Services – FREE)
     - MS System Center Configuration Manager (i.e. SCCM, aka SMS in the old days) or another systems management tool like Altiris or Zenworks
     - Logon/Logoff Scripts
     - Scheduled Tasks
     - Manually via PSExec
     - Sneakernet
  9. DEPLOYING XMLLITE PARSER. If you have WSUS, you don’t have the option to deploy XMLLite automatically. But there are some other things you CAN deploy with WSUS that subsequently install the XMLLite parser as part of their package:
     - IE7+
     - XP SP3/Server 2003 SP2

     (*) Installation not needed for Windows Vista or higher. Info and downloads: Microsoft TechNet
  10. WHAT CAN YOU DO WITH GPP?
      - ODBC Data Sources
      - User and Group Preferences
      - Power Settings
      - Printers & Mapped Drives
      - Scheduled Tasks & Services
      - Copy, Update or Remove Files/Folders
      - Application Shortcuts
      - INI Files/Registry Entries
      - VPN Connections (Windows-based)
      - Disable USB for specific device types
      - Etc.
  11. WHAT CAN’T YOU DO? Group Policy Preferences are not intended to be able to run processes at startup. You will need to utilize some sort of script or other method to accomplish this (Scripts, Altiris, SCCM, etc.).
  12. EASY TO USE: Adding a user group to the local Administrators group
  13. TARGETING SETTINGS TO COMPUTER OR USER. Using the prior method of Group Policy Settings: in Group Policy Settings, this was called WMI Filtering. WMI Filtering required some knowledge of WQL (like SQL). Queries could be written so that policies were applied only to computers or users that fulfilled the criteria specified in the query. For example: Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" This would apply the ENTIRE policy only if a computer had Windows XP Professional installed.
  14. TARGETING SETTINGS TO COMPUTER OR USER USING ITEM LEVEL TARGETING. Item Level Targeting allows for granular deployment of preferences and configurations to computer/user objects based upon a number of different criteria:
      - If a computer has a battery
      - If an object is a member of a particular security group
      - If a computer has a specific IP address
      - If an object is a member of a particular OU (Organizational Unit)
      - Etc.
      - …or a combination of (but not limited to) the prior items

      This can be done using a familiar Windows tree-navigable interface. One policy can contain different settings applied to objects using different criteria. No need for multiple policies applying the same settings to different OSes (for example).
  15. Examples of criteria you can use for Item Level Targeting
  16. Example 1: Map a drive based on group membership
  17. Example 1: Map a drive based on group membership. Create, Replace, Update or Delete mapping. Specify alternate credentials (optional; the Common tab allows further settings).
  18. Example 1: Map a drive based on group membership. Map with user permissions. Click here for Item-Level Targeting…
  19. Example 1: Map a drive based on group membership
  20. Example 1: Map a drive based on group membership
  21. Example 1: Map a drive based on group membership
  22. Example 2: Configure Power Management Settings (note this is a Control Panel Preference)
  23. Example 2: Configure Power Management Settings (note this is a Control Panel Preference)
  24. Example 3: Reset Local Administrator Password (Computer Configuration)
  25. Example 3: Reset Local Administrator Password
  26. Addendum: A WORD ABOUT F5-F8 KEYS. Some preferences have multiple options within a configuration window. IE preferences, power settings and Start Menu options are good examples of these. It is important to note that you can control these preferences within the window either individually or all at once by using the F5 through F8 keys on your keyboard. Here’s what they do:
      - F5 – activates all visible options (green)
      - F6 – activates only the option that currently has focus (green)
      - F7 – deactivates only the option that currently has focus (dashed red)
      - F8 – deactivates all visible options (dashed red)

      These are extremely useful if you only want to configure a single preference out of a large grouping.
  27. Addendum: A WORD ABOUT F5-F8 KEYS
  28. Variables can be used in some situations: file, registry, and drive operations are good examples. Press ‘F3’ when in an appropriate field to view them. Example: To map a drive to a folder named after the computer on a share, you could use \\server\share\%ComputerName%. Note that %LogonUser% is used as the user name variable as opposed to %UserName%. See VARIABLES AVAILABLE FOR USE
  29. SUMMARY
      - If you have Windows 2008 or Windows Vista (or higher) on your network, you can use Group Policy Preferences through the GPMC.
      - GPP is not typically considered a way to secure an object, but a way to configure default system preferences for a user/computer.
      - Group Policy SETTINGS are used to disallow system preferences from being altered.
      - You can specify many preferences within the same policy for a variety of combinations of user and computer objects using Item Level Targeting.
      - Use the F5-F8 keys to enable/disable individual or all options in a window that contains many preferences.
      - Since Group Policies are applied periodically throughout the day by default, many preferences will be set throughout the day as the policy refreshes (some limitations apply to settings that are set when “run in logged-on user’s security context” is used).
      - You can replace a lot of the functionality of a logon script with GPP, while easing the burden of maintenance for your IT staff.
      - You still need a way of running processes at user startup, i.e. via script or another alternative method to GPP.
  30. LINKS
      - Group Policy Preferences: Getting Started (includes downloads for clients)
      - Microsoft Group Policy Home Page
      - Group Policy Preferences Overview (Doc)
      - 10 things GPP can do better than your current script
      - Environment Variables in GP Preferences
  31. QUESTIONS? Rob Dunn
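
Two features shown in these slides, alternate credentials on a drive mapping (slide 17) and resetting the local Administrator password (slides 24 and 25), save the password as a `cpassword` attribute in the GPO's preference XML under SYSVOL, which every domain user can read; Microsoft's MS14-025 update removed those password fields from the editor but leaves existing items in place. The PowerShell below is an added audit example, not part of the original presentation, that lists preference items still carrying a stored password without decoding it. The function name, its parameter and the sample GPO folder are assumptions made for the example.

```powershell
# Added audit example (not from the original slides): list GPP items that
# still store a password in SYSVOL. Reports location only; nothing is decoded.
function Find-GppStoredPassword {
    [CmdletBinding()]
    param(
        # Assumption: root of the Policies folder, e.g. \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory)]
        [string]$PoliciesPath
    )
    # Preference files that can carry a cpassword attribute
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { Write-Warning "Skipping unreadable XML: $($file.FullName)"; return }
            # The GPO GUID is the folder name directly under Policies
            $gpo = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
            # Any element with a non-empty cpassword attribute
            foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    GpoId    = $gpo
                    Type     = $node.ParentNode.LocalName
                    ItemName = $node.ParentNode.GetAttribute('name')
                    Changed  = $node.ParentNode.GetAttribute('changed')
                    File     = $file.FullName
                }
            }
        }
}

# Constructed sample GPO folder so the function can be tried offline
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="Administrator (built-in)" changed="2012-01-01 00:00:00">
    <Properties action="U" userName="Administrator (built-in)" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

Find-GppStoredPassword -PoliciesPath $root
```

Any row returned points at a preference item to delete or recreate without a stored password, after which the account's password should be changed.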