3. Practical and Valuable Settings
Group
Policy Preferences offer control over a computer that was only possible
using scripts or third-party tools in the past. Even custom .adm
templates could not accommodate some of the valuable settings that Group Policy Preferences provide. Some of the most useful settings include:
Drive mappings
Printer mappings
File and folder creation, deletion, and management
Local user account password modification
Service account password management
Browser-based registry management
Power scheme management
As
companies try to meet security compliance regulations, make password
management more efficient, and gain a higher return on IT investments,
Group Policy Preferences and these valuable settings will be used
frequently.
4. Reduced Desktop Images
Most
companies have to create, maintain, and support multiple desktop images
to meet the needs of unique departmental, application, and user
environment configurations. In some cases companies must maintain
images on 50 or more desktops.
Group
Policy Preferences offer configuration management over many areas of
the desktop that can dramatically reduce the need to have so many
desktop images. By implementing Group Policy Preferences for
applications, environment variables, files, folders, registry changes,
mail profiles, and data sources, the total number of desktop images can
be reduced by distributing these settings via Group Policy.
5. Reduced Need for Log-on Scripts
Most
companies use log-on scripts to configure user settings and preferences
related to network resources, including network drives and printers.
Log-on scripts are also used to modify registry values, copy files, and
manage folders. Log-on scripts are not reliable mechanisms for
delivering these settings because they run only when a user is logging
on. Users who keep their computers on for nightly maintenance often
simply lock their computers, instead of logging off, before leaving
work. In this scenario, changes to the log-on script are not applied.
A
second issue with log-on scripts is the management of the scripts
themselves. Most log-on scripts are batch files that have limited
capabilities. Third-party tools are available to help you expand script
capabilities, but their inconvenience may outweigh their benefits.
Group
Policy Preferences provide an easy-to-configure interface, granular
targeting, and detailed management of the common log-on script
contents. Many companies have eliminated the log-on script completely
and instead use Group Policy Preferences to perform these
configurations.
6. Working with Any Organizational Unit Design
All
Group Policy Preferences provide the advanced targeting feature called
item-level targeting. This feature allows administrators to target any
Group Policy Preferences setting, on a per-setting basis, using one or
more targeting criteria. These criteria are shown in Figure 4.
7. Preferences vs. Policies
The term preferences has been used in relation to Group Policy to help define another Group Policy term, which is policies.
These two terms are now exposed and used in the Group Policy Management
Editor (GPME) interface to distinguish the two types of settings
available in a GPO.
The most significant
difference between the two terms is that preferences are not enforced.
This means that when Group Policy applies a preference setting, the
user of the computer can alter that setting. Policy settings are not
alterable. This is because the location of the policy in the registry
is secured. Another difference is that policy settings typically dim
the setting in the user interface, preventing the user from making any
modification to the setting.
Other areas where preferences and policies differ include:
Flexibility
Preferences are very flexible, allowing for custom entries through the
use of .adm templates, ADMX files, or Group Policy Registry settings.
Policies are not easily created, because they require application
support to function.
Local Group Policy
Preferences are not included in local Group Policy settings. Policies
are available in both local Group Policy and GPOs in Active Directory
directory service.
Awareness
Preferences are used for applications that are not Group Policy aware,
whereas policies are used to support applications that are Group Policy
aware.
Registry location and behavior
Preferences are used to overwrite the original settings in the registry
and are not removed when the GPO is deleted or when the object falls
out of scope of management. Policies do not modify the original
registry setting, but instead update values under one of the four
Policies subkeys. When the object falls out of scope of management, the
original setting is still intact and again controls the registry
setting.
Targeting and filtering Preferences support item-level targeting. Policies support GPO-level Windows Management Instrumentation (WMI) filtering.
User interface
Preferences are GUI based and user friendly; they usually duplicate the
original interface for the application or feature being controlled.
Policies are mostly text based, and in some cases you must test them to
determine the outcome of the setting.
Table 1 summarizes the differences between preferences and policies within a GPO.
Table 1. Differences between Preferences and Policies
| | Group Policy Preferences Settings | Group Policy Policies Settings |
|---|
| Enforcement | Preferences are not enforced.
The user interface is not disabled.
Settings can be refreshed or applied once. | Settings are enforced.
The user interface is disabled.
Settings are refreshed. |
| Flexibility | You can easily create preference items for registry settings, files, and so on.
You can import individual registry settings or entire registry branches from a local or remote computer. | You cannot create policy settings to manage files, folders, and so on.
Adding policy settings requires application support and creation of administrative templates. |
| Local Group Policy | Not available in local Group Policy. | Available in local Group Policy. |
| Awareness | Applications that are not Group Policy–aware are supported. | Group Policy–aware applications are required. |
| Registry location and behavior | Original settings are overwritten.
Removing the preference item does not restore the original setting. | Original settings are not changed.
Settings are stored in registry Policy branches.
Removing the policy setting restores the original settings |
| Targeting and filtering | Targeting is granular, with a user interface for each type of targeting item.
Supports targeting at the individual preference item level. | Filtering is based on Windows WMI and requires writing WMI queries.
Supports filtering at a GPO level. |
| User interface | Provides a familiar, easy-to-use interface for configuring most settings. | Provides an alternative user interface for most policy settings. |
