Group Policy Preferences

Welcome to the ITFreeTraining course looking into Group Policy preferences and how they operate. Group Policy Preferences in Windows is a system that expands the original functionality of Group Policy giving the administrator more control over the computers that they support.

Show lesson content
Group Policy Preferences
0:14 – Group Policy was originally developed by a third party company that was called PolicyMaker. Microsoft acquired the company that made PolicyMaker. Using the Group Policy Preferences, the administrator can replace a lot of the functionality that would have been previously done with login scripts. Group Policy preferences was added to Windows in Windows Server 2008. In order to work, it requires the client side extension. This is not included in previous operating systems, however is available for download for Windows XP, Vista, and Windows Server 2003. This can be done through direct download or via Windows update.

0:56 – To understand how Group Policy preferences work, I will open Server Manager from the quick launch bar. Once open, I will select Group Policy Management under the Tools menu. To look at how to configure Group Policy Preferences, I will right click on “Default Domain Policy” and select Edit. From “Group Policy Management Editor” you will notice that under “Computer Configuration” and “User Configuration” there is a container called “Preferences”. If I expand “Preferences” under “Computer Configuration” you can see all the settings that are under preferences within the two containers “Windows Settings” and “Control Panel Settings”.

1:39 – When “Windows Settings” is expanded, you will see that there are seven different areas in which settings can be configured. The first one is “Environment”. This allows the administrator to create environment variables. These are dynamic values that applications can use. If I open a command prompt and run the command “set”, you can see all of the environment variables in the system. Applications can read this and find out information, like the path of the Windows folder. The administrator is able to add their own values and change them as required and any application running on the computer will be able to read them. If I now go back to “Group Policy Management Editor”, I will select the next container down “Files”. This allows additional files to be added using Group Policy. For example, if you wanted to add the company’s wallpaper to the local computer you can do this using these settings. In some cases, you may need to create folders to store files in; this can be done with the next container “Folders”.


2:47 – The next container down is “Ini Files”. Before the registry, settings were kept in Ini files; some applications still use Ini files, so you can use this to add settings to those Ini files if you require them. The next container down is the “Registry” which allows settings to be added to the registry. Whenever possible it is best to use other settings in Group Policy like Administrative Templates to configure the registry based settings. This is because settings configured in Administrative Templates can be reversed if they are no longer required, where in contrast, settings in the registry are permanent until they are overwritten or deleted. If there are no Group Policy settings that exist for the setting that you want to create, this is a useful way to configure the registry.

3:36 – The next container down is “Network Shares”. This allows network drives to be automatically connected. Traditionally this was done with login scripts,  so you can see how Group Policy is able to replace some of the functionality that would have been traditionally done with login scripts. The last container allows “Shortcuts” to be created on the computer. This helps the administrator to customize the computer in their domain. The next section down is “Control Panel Settings”. This, as the name suggests, allows the administrator to configure options that would normally be configured in the Control Panel. There are nine containers under “Control Panel Settings” that can be configured. Most are fairly self-explanatory and each interface for each container is very similar. To get an understanding of the interface, I will have a closer look at “Local Users and Groups” and use it as an example of how to create settings.

4:33 – To create new settings, right click in the white space and select the option “Local User” under New. The interface changes slightly depending on which setting that you are configuring, but there are some options that remain the same. At the top, you have the action which is a common setting for all Group Policy Preferences. In the pull-down menu, you have four options. The first option “Create”, as the name suggests, creates the setting. If the setting already exists, it will not be updated. In the case of users, Group Policy preferences will not be able to be used to create a new user, and in a moment we will see why. The next setting down, “Replace”, will replace an existing setting. So essentially it deletes the existing item if it exists and then creates a new one.

5:20 – This is good if you want to update something like a file; however, care should be taken if it is used with an item that has a unique value. For example, when a group is created, it will have a unique security identifier associated with it. Using the replace option re-creates the group and thus a new security identifier will be created and any membership in the group will be lost. The next option is “Update”. This will create the item if it does not exist. However, if the item exists it will be updated. In the case of a group, the group will be updated rather than being re-created and thus the security identifier will remain the same. The last option, “Delete”, does as the name suggests and deletes the item if it exists. In this case, I will use the Update option. For the username, I will enter in ‘Support’. Notice the next option down “Rename to”. Here I will enter in ‘ITSupport’. So, what this will do is find the existing Support group and rename it to ‘ITSupport’ to make it a bit more descriptive.

6:30 – For the full name and description, I will enter in ‘ITSupport”. Note the password fields below are greyed out. Previously in Group Policy preferences, a password could be configured here. However, due to a vulnerability, the password could be compromised and thus this option was removed. This is why any of the options that involve creating a user will not work. Since a password cannot be configured, the password will be configured to be blank. Since the password is blank, the password will not meet the minimum requirements for a password and thus the computer will not allow the user to be created. If you work with group policy preferences and users, keep this in mind. Below this, you can configure general settings for the user account. For example, making the user change the password when they next login or even disabling the account. Even though it’s not possible to create user accounts, there are a lot of choices that are still available.

7:30 – Closing out of this window, you will notice that the account has been added. When applied to a computer, if a local user called “Support” is found, it will be renamed to ITSupport. However, due to the fact that we were unable to configure a password, the user account ITSupport will not be created unless it already exists. In order to check out some of the other options that are available in Group Policy Preferences, I will select the container “Network Options”. In order to create a new setting, we need to once again right click the white space on the right-hand side and select “VPN Connection” under the New menu.

8:10 – The settings that can be configured will be present at the top, as before. At the top, I will select the option “Create”. The action pull down is common for all Group Policy Preferences. So I can save the setting without getting any errors, I will enter in a “Connection name” and an “IP Address”. Once the values have been entered in, I will next select the “Common” tab. This tab is the same for all Group Policy Preference and has a lot of useful selections and functions that enable an administrator to have a lot more control over how the settings are applied.

8:49 – The first option is “Stop processing items in this extension if an error occurs”. Normally if there is a preference setting that fails, the other settings will still be applied. If this option is ticked, the processing will stop. The next option, “Run in logged-on user’s security context (user policy option)” is grayed out. This is because I am currently editing “Computer Configuration”. If I was editing “User Configuration” this option would be available. If this option is ticked, when applying user settings they will be applied as the current user. If the option is not ticked, the settings will be applied using the system user. This means settings are limited to environment variables and system resources on the computer.

9:36 – The next option is “Remove this item when it is no longer applied.” If this option is checked, and the Group policy were to no longer to apply to that user or computer, it will be removed. This may be for a number of different reasons. For example, the Group Policy is removed or the security on that Group Policy is changed. The following option, “Apply once and do not reapply” will apply to the setting once only. This is useful in certain situations. For example, you may want the user to have a selection of network drives. However, you want to give the user the freedom to remove the network drive if they want. If this option is selected, the network will be applied the first time. However, if the user decides to remove it, it would not be reconnected automatically.

10:27 – The last option “Item-level targeting”, allows the settings to be targeted. If checked, the targeting is configured by pressing the button labeled “Targeting…”. A new window will appear titled “Targeting Editor”. In this window, if “New Item” is selected, there will be many different options that can be configured. In this case, the settings are being targeted toward creating a new VPN connection on the associated computers. There are many different ways to achieve this. For example, if you wanted to create the VPN connection on only laptops, and all the laptops in your company started with the letter L, you could use the option “Computer Name”.

11:03 – A common way an administrator will target settings is to use a Group. This can be accomplished using the option “Security Group”. Using a group allows the administrator to easily add and remove users and computers from the group and thus control which users and computers will receive the setting. In this particular case, I will select the option “IP Address Range”. This enables the setting to be applied to computers that have a particular IP Address. In our case, I will configure a start and end IP Address. Any computer in that IP Address range will be allocated this setting. If you want to configure a single IP Address, set the start and end IP Address to be the same IP Address.

11:50 – This concludes our video on Group Policy Preferences. There are a lot of settings that can be configured and we’ve only addressed a few. It is well worth the time for an administrator to take a thorough look and examine all the many settings that Group Policy offers. Thanks for watching this video from ITFreeTraining. I look forward to seeing you in other videos from us. Until then, thanks for watching.

“Group Policy Preferences Getting Started Guide” https://technet.microsoft.com/en-us/library/cc731892(v=ws.10).aspx
“Configure Common Options” https://technet.microsoft.com/en-au/library/cc772371.aspx

Trainer: Austin Mason http://ITFreeTraining.com
Voice Talent: HP Lewis http://hplewis.com
Companion Document: Phillip Guld https://philguld.com
Video Production: Kevin Luttman http://www.KevinLuttman.com
Quality Assurance: Brett Batson http://www.pbb-proofreading.uk

Lesson tags: 70-410-windows-server
Back to: 70-410 Installing and Configuring Windows Server 2012 > Group Policy

Installing and Configuring Windows Server 2012