Group Policy Preferences

Welcome to the ITFreeTraining video looking at Group Policy Preferences. Group Policy Preferences in Windows is a system that expands the original functionality of Group Policy, giving the administrator more control over the computers that they support. Group Policy was originally developed by a 3rd party company and was called PolicyMaker. Microsoft acquired the company that made PolicyMaker.
Using Group Policy Preferences the administrator can replace a lot of the functionality that would have previously been done with login scripts.

Group Policy Preferences was added to Windows in Windows Server 2008. In order to work, it requires the Client Side Extension, which is not included in previous operating systems. It is however available for download for Windows XP, Vista and Windows Server 2003. This can be done through direct download or via Windows Update.

To understand how Group Policy Preferences works, I will open Server Manager from the quick launch bar. Once open, I will select “Group Policy Management” from under the Tools menu. To look at how to configure Group Policy Preferences, I will right click on “Default Domain Policy” and select Edit.

From “Group Policy Management Editor” you will notice that under “Computer Configuration” and “User Configuration” there is a container “Preferences”. If I expand “Preferences” under “Computer Configuration” you can see all the settings that are under preferences under the two containers “Windows Settings” and “Control Panel Settings”.

If I expand “Windows Settings”, you can see that there are 7 different areas in which settings can be configured. The first one is “Environment”. This allows the administrator to create environment variables. These are dynamic values that applications can use. If I open a command prompt and run the command “set”, you can see all of the environment variables in the system. Applications can read these and find out information, like the path of the Windows folder. The administrator is able to add their own values and change them as required, and any application running on the computer will be able to read them.

If I now go back to “Group Policy Management Editor”, I will select the next container down, “Files”. This allows additional files to be added using Group Policy. For example, if you wanted to add the company’s wallpaper to the local computer you could do this using these settings. In some cases, you may need to create folders to store files in; this can be done with the next container, “Folders”.

The next container down is “Ini Files”. Before the registry, settings were kept in Ini files; some applications still use Ini files, so you can use this to add settings to these Ini files if you require them.

The next container down is the registry, which allows settings to be added to the registry. Whenever possible it is best to use other settings in Group Policy like Administrative Templates to configure registry-based settings. This is because settings configured in Administrative Templates can be reversed if they are no longer required, whereas settings in the registry are permanent until they are overwritten or deleted. If there are no Group Policy settings that exist for the setting that you want to create, this is a useful way to configure the registry.

The next container down is “Network Shares”. This allows network drives to automatically be connected. This was a task that was traditionally done with login scripts, so you can see how Group Policy is able to replace some of the functionality that would have been traditionally done with login scripts.

The last container allows shortcuts to be created on the computer. This helps the administrator to customize the computers in their domain.

The next section down is “Control Panel Settings”. This, as the name suggests, allows the administrator to configure options that would normally be configured in the control panel. There are 9 containers under “Control Panel Settings” that can be configured. Most are fairly self-explanatory and the interface for each container is very similar. To get an understanding of the interface, I will have a closer look at “Local Users and Groups” and use it as an example of how to create settings.

To create new settings, right click the white space and select the option “Local User” under New. The interface changes slightly depending on which setting you are configuring, but there are some options that remain the same.

At the top you have the action, which is a common setting for all Group Policy Preferences. In the pull down menu you have 4 options.
The first option, “create”, as the name suggests, creates the setting. If the setting already exists, it will not be updated. In the case of users, Group Policy Preferences will not be able to be used to create a new user; in a moment we will see why.

The next setting down, “Replace”, will replace an existing setting. So essentially it deletes the existing item if it exists and then creates a new one. This is good if you want to update something like a file; however, care should be taken if it is used with an item that has a unique value. For example, when a group is created, it will have a unique security identifier associated with it. Using the replace option re-creates the group and thus a new security identifier will be created and any membership in the group will be lost.

The next option is update. This will create the item if it does not exist. However, if the item exists it will be updated. In the case of a group, the group will be updated rather than being re-created and thus the security identifier will remain the same.

The last option, “delete”, does as the name suggests and deletes the item if it exists.

In this case I will use the update option. For the username I will enter in Support. Notice the next option down, “Rename to”.
Here I will enter in ITSupport. So what this will do is find the existing Support user and rename it to ITSupport to make it a bit more descriptive.

For the full name and description I will enter in ITSupport. Note the password fields below this are grayed out. Previously in Group Policy Preferences, a password could be configured here. However, due to a vulnerability, the password could be compromised and thus this option was removed. This is why any of the options that involve creating a user will not work. Since a password cannot be configured, the password will be configured to be blank. Since the password is blank, the password will not meet the minimum requirements for a password and thus the computer will not allow the user to be created. If you work with Group Policy Preferences and users, keep this in mind.

Below this you can configure general settings for the user account. For example, making the user change the password when they next log in or even disabling the account. You can see that even though you cannot create user accounts, there are a lot of options that are still available.

If I exit out of here, notice that the user account has been added. When applied to a computer, if a local user called “support” is found, it will be renamed to ITSupport. However, since we were not able to configure a password, the user account ITSupport will not be created unless it already exists.

To have a look at some of the other options that are available in Group Policy Preferences, I will select the container “Network Options”. To create a new setting, I will once again right click the white space on the right hand side and select “New Connection” under the “New” menu.

The settings that can be configured will appear just like before. At the top, I will select the action “Create”. The action pull down is common for all Group Policy Preferences. Under this, the other settings have changed and there are also different tabs.

So that I can save the setting without getting any errors, I will enter in a “Connection name” and an “IP Address”. Once the values have been entered in, I will next select the “Common” tab. This tab is the same for all Group Policy Preferences and has a lot of useful options that allow the administrator a lot more control over how the settings are applied.

The first option is “Stop processing items in this extension if an error occurs”. Normally if there is a preference setting that fails, the other settings will still be applied. If this option is ticked, the processing will stop.

The next option, “Run in logged-on user’s security context (user policy option)”, is grayed out. This is because I am currently editing “Computer Configuration”. If I was editing “User Configuration” this option would be available. If this option is ticked, when applying user settings they will be applied as the current user. If the option is not ticked, the settings will be applied using the system user. This means settings are limited to environment variables and system resources on the computer.

The next option is “Remove this item when it is no longer applied.” If this option is ticked, and if the Group Policy no longer applies to that user or computer, it will be removed. This may be for a number of different reasons. For example, the Group Policy is removed or the security on that Group Policy is changed.

The next option down, “Apply once and do not reapply”, will apply the setting once only. This is useful in certain situations.
For example, you may want the user to have a selection of network drives. However, you want to give the user the freedom to remove the network drive if they want. If this option is selected, the network drive will be applied the first time, but if the user decided to remove it, it would not be connected again.

The last option, “Item-level targeting”, allows the setting to be targeted. If ticked, the targeting is configured by pressing the targeting button. In the “Targeting Editor”, if I select “New Item” notice how many different options can be configured.

In this case the settings are being targeted towards creating a VPN Connection on a computer. There are many different ways to achieve this. For example, if you wanted to create the VPN Connection on only laptops and all the laptops in your company started with the letter L, you could use the option Computer Name.

A common way an administrator will target settings is to use a group. This can be done using the option “Security Group”. Using a group allows the administrator to easily add and remove users and computers from the group and thus control which users and computers will receive the setting.

In this particular case, I will select the option “IP Address Range”. This allows the setting to be applied to computers that have a particular IP Address. In this case I will configure a start and end IP Address. Any computer in that IP Address range will be allocated this setting. If you want to configure a single IP Address, set the start and end IP Address to the same IP Address.

This concludes Group Policy Preferences. There are a lot of settings that can be configured and I have only looked at a few. It is worth the time for the administrator to look through these settings to see what they can configure.

Thanks for watching this video from ITFreeTraining. I look forward to seeing you in other videos from us. Until then, thanks for watching.
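
The password fields are grayed out because older preference items kept the password inside the policy's XML file in an attribute named `cpassword`, and such items can still be sitting in SYSVOL after the option was removed; the “Replace” action discussed earlier is the other setting worth auditing, since it re-creates a user or group with a new security identifier. The PowerShell below is an added example, not part of the video: the function name `Find-GppRisk`, the temp folder name and the sample `Groups.xml` (simplified, with a placeholder in place of any real stored value) are constructed for illustration.

```powershell
# Audit Group Policy Preferences XML for stored passwords and for "Replace"
# actions on local users/groups (which re-create the object with a new SID).
function Find-GppRisk {
    param([Parameter(Mandatory)][string]$Path)
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File | ForEach-Object {
        $file = $_.FullName
        # Skip files that are not well-formed XML instead of aborting the scan.
        try { $doc = [xml](Get-Content -LiteralPath $file -Raw) } catch { return }
        foreach ($p in $doc.SelectNodes('/*//Properties')) {
            $item = $p.ParentNode
            $act  = $p.GetAttribute('action')
            # Presence check only: the stored value is never printed or decoded.
            $hasPw = $p.GetAttribute('cpassword').Length -gt 0
            $newSid = ($act -eq 'R') -and ($item.LocalName -in 'User', 'Group')
            if ($hasPw -or $newSid) {
                [pscustomobject]@{
                    File = $file; ItemType = $item.LocalName
                    Name = $item.GetAttribute('name'); Action = $actions[$act]
                    StoredPassword = $hasPw; RecreatesSid = $newSid
                }
            }
        }
    }
}

# Constructed sample: the Support -> ITSupport rename from the walkthrough (clean),
# a leftover item with a stored password, and a group set to Replace.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Support">
    <Properties action="U" userName="Support" newName="ITSupport" cpassword="" />
  </User>
  <User name="LegacyAdmin">
    <Properties action="U" userName="LegacyAdmin" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" />
  </User>
  <Group name="HelpDesk">
    <Properties action="R" groupName="HelpDesk" />
  </Group>
</Groups>
'@
$dir = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Value $sample -Encoding UTF8
Find-GppRisk -Path $dir | Format-Table ItemType, Name, Action, StoredPassword, RecreatesSid
```

On a domain, point `-Path` at the `Policies` folder under SYSVOL instead of the sample folder; any item reported with `StoredPassword` set should be deleted from the policy and the account's password changed.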
