This was a quick presentation I made at our local Rockford SpiceCorps. The idea was to show an alternative way of easing the logon process from a maintenance standpoint, specifically for admins who were not script-savvy.

1. GROUP POLICY
PREFERENCES
Easing your way out of logon
scripts
Rob Dunn

2. WHY USE GROUP POLICY
PREFERENCES?
“During your career as an IT professional, you’ve likely mapped
network drives for users. You probably configured them using logon
scripts. This required you to write and debug the logon script, store
the script in a central location, and then run the script by configuring
User objects in Active Directory® directory service or by creating a
Group Policy object (GPO). Think about all the other settings you’ve
configured using logon scripts or similar methods. A simple, central
system to configure and deploy these settings without requiring you
to make scattered changes that are easily forgotten and seldom
documented would certainly help reduce costs and make your job
easier, wouldn’t it?”
-Microsoft

3. WHY USE GROUP POLICY
PREFERENCES OVER LOGON
SCRIPTS?
 Writing and debugging logon scripts can be troublesome for
newcomers
 It takes a moderate amount of coding/logic to specify certain
settings to apply to certain people or computers through scripting
 Scripts typically occur at logon/logoff
 Group Policies are applied periodically throughout the day or
when forced using gpupdate (can be done remotely)
 Group Policy Preferences can be run under the logged on user’s
security context
 Group Policies are easier to navigate and edit for people who
have grown accustomed to a GUI.

4. GROUP POLICY PREFERENCES VS.
SETTINGS. WHAT’S THE DIFFERENCE?
Preferences: Desired settings for a user or computer.
Maybe they will need to be changed later at the console.
Settings: Required settings for a user or computer. The
settings cannot be modified by the end-user.

5. Group Policy Preferences Group Policy Settings
Enforcement
 Preferences are not enforced
 User interface is not disabled
 Can be refreshed or applied once
 Settings are enforced
 User interface is disabled
 Settings are refreshed
Flexibility
 Easily create preference items for
registry settings, files, and so on
 Import individual registry settings or
entire registry branches from a local
or a remote computer
 Adding policy settings requires
application support and creating
administrative templates
 Cannot create policy settings to manage
files, folders, and so on
Local Policy  Not available in local Group Policy  Available in local Group Policy
Awareness  Supports non-Group Policy-aware
applications
 Requires Group Policy-aware
applications
Storage
 Original settings are overwritten
 Removing the preference item does
not restore the original setting
 Original settings are not changed
 Stored in registry Policy branches
 Removing the policy setting restores the
original settings
Targeting and
Filtering
 Targeting is granular, with a user
interface for each type of targeting
item
 Supports targeting at the individual
preference item level
 Filtering is based on Windows
Management Instrumentation (WMI) and
requires writing WMI queries
 Supports filtering at a GPO level
User Interface
 Provides a familiar, easy-to-use
interface for configuring most
settings
 Provides an alternative user interface for
most policy settings

6. WHAT YOU’LL NEED: ADMIN SIDE
Where do the new preferences come from?
Windows Vista (or newer) or Windows 2008 with GPMC installed
Preferences can be edited/viewed using the supported OS’s above.

7. WHAT YOU’LL NEED TO APPLY
PREFERENCES: CLIENT SIDE
 Windows Vista or newer
 Windows Server 2003 SP1+
 Windows XP SP2+
* Windows 7 & Server 2008 already have the needed extensions built in. XMLLite Low-
Level XML Parser is included with IE7+ and/or Server 2003 SP2 /Windows XP SP3
installations.
Info and downloads: Microsoft TechNet - http://goo.gl/cxtun
Windows Networking.com article - http://goo.gl/naKvc
Client Side Extensions* (CSEs) and XMLLite low-level XML Parser*

8. DEPLOYING CSE’S – METHODS
 MS WSUS (Windows Server Update Services – FREE)
 MS System Configuration Center Manager (i.e. SCCM aka SMS
in the old days) or other systems management tool like Altiris or
Zenworks.
 Logon/Logoff Scripts
 Scheduled Tasks
 Manually via PSExec
 Sneakernet

9. DEPLOYING XMLLITE PARSER
If you do have WSUS, you don’t have the option to deploy XMLLite
automatically.
But…some other things you CAN deploy with WSUS, which
subsequently installs XMLLite parser as part of its package:
 IE7+
 XP SP3/Server 2003 SP2
* Installation not needed for Windows Vista or higher
Info and downloads: Microsoft TechNet - http://goo.gl/cxtun

10. WHAT CAN YOU DO WITH GPP?
 ODBC Data Sources
 User and Group Preferences
 Power Settings
 Printers & Mapped Drives
 Scheduled Tasks & Services
 Copy, Update or Remove Files/Folders
 Application Shortcuts
 INI Files/Registry Entries
 VPN Connections (Windows-based)
 Disable USB for specific device types
 Etc.

11. WHAT CAN’T YOU DO?
Group Policy Preferences are not intended to be able to run
processes at startup. You will need to utilize some sort of script or
other method to accomplish this (Scripts, Altiris, SCCM, etc.).

12. EASY TO USE
Adding a user group to the local Administrators Group

13. TARGETING SETTINGS TO COMPUTER
OR USER
Using the prior method of Group Policy Settings:
In Group Policy Settings, this was called WMI Filtering. WMI Filtering
required some knowledge of WQL (like SQL). Queries could be written
so that policies could be applied to computers or users that fulfilled the
criteria specified in the query.
For example:
RootCimV2; Select * from Win32_OperatingSystem where
Caption = "Microsoft Windows XP Professional“
This would apply the ENTIRE policy only if a computer had Windows
XP Professional Installed.

14. TARGETING SETTINGS TO COMPUTER
OR USER USING ITEM LEVEL
TARGETING
Item Level Targeting allows for granular deployment of preferences and
configurations to computer/user objects based upon a number of different
criteria:
 If a computer has a battery
 If an object is a member of a particular security group
 If a computer has a specific IP address
 If an object is a member of a particular OU (Organizational Unit)
 Etc.
 …or a combination of (but not limited to) the prior items
This can be done using a familiar Windows tree-navigable interface.
One policy can contain different settings applied to objects using different
criteria. No need for multiple policies applying the same settings to different
OS’s (for example).

15. Examples of criteria you can use for Item Level Targeting

16. Example 1: Map a drive based on group membership

17. Example 1: Map a drive based on group membership
Create, Replace, Update or
Delete mapping
Specify alternate credentials
(optional, common tab
allows further settings)

18. Example 1: Map a drive based on group membership
Map with user
permissions
Click here for Item-Level
Targeting…

19. Example 1: Map a drive based on group membership

20. Example 1: Map a drive based on group membership

21. Example 1: Map a drive based on group membership

22. Note this is a Control
Panel Preference
Example 2: Configure Power Management Settings

23. Note this is a Control
Panel Preference
Example 2: Configure Power Management Settings

24. Example 3: Reset Local Administrator Password
Computer Configuration

25. Example 3: Reset Local Administrator Password

26. Addendum: The F5-F8 Keys
A WORD ABOUT F5-F8 KEYS
Some preferences have multiple options within a configuration window.
IE preferences, power settings and Start Menu options are a good
example of these.
It is important to note that you can control these preferences within the
window either individually, or entirely by using the F5 thru F8 keys on
your keyboard. Here’s what they do:
F5 – activates all visible options (green)
F6 – activates only the option that currently has focus (green)
F7 – deactivates only the option that currently has focus (dashed red)
F8 – deactivates all visible options (dashed red)
These are extremely useful if you only want to configure a single
preference out of a large grouping.

27. Addendum: The F5-F8 Keys
A WORD ABOUT F5-F8 KEYS

28. Variables can be used in some situations:
file, registry, and drive operations are good
examples. Press ‘F3’ when in an
appropriate field to view them.
Example: To map a drive to a folder
named after the computer on a
share…you could use
servershare%ComputerName%
Note that %LogonUser% is used as the
user name variable as opposed to
%UserName%;
See http://goo.gl/d0NpaV
VARIABLES AVAILABLE FOR USE

29. SUMMARY
 If you have Windows 2008 or Windows Vista (or higher) on your network, you
can use Group Policy Preferences through the GPMC.
 GPP is typically not always considered a way to secure an object, but to
configure default system preferences for a user/computer.
 Group Policy SETTINGS are used to disallow system preferences from being
altered.
 You can specify many preferences within the same policy for a variety of
combinations of user and computer objects using Item Level Targeting
 Use the F5-F8 keys to enable/disable individual or all options in a window
which contain many preferences
 Since Group Policies are applied periodically throughout the day by default,
many preferences will be set throughout the day as the policy refreshes
(some limitations apply with settings set get set when “run in logged-on user’s
security context”).
 You can replace a lot of the functionality of a logon script with GPP, while
easing the burden of maintenance for your IT staff.
 You still need a way of running processes at user startup – i.e. via script or
other alternative method to GPP.

30. LINKS
Group Policy Preferences: Getting Started (includes downloads for
clients):
http://goo.gl/cxtun
Microsoft Group Policy Home Page:
http://goo.gl/rt2sn
Group Policy Preferences Overview (Doc):
http://goo.gl/fzpF7
10 things GPP can do better than your current script
http://goo.gl/QmSjV
Environment Variables in GP Preferences
http://goo.gl/d0NpaV

31. QUESTIONS?
Rob Dunn
http://goo.gl/x79Wv