Planning for an implementation of Group Policy in an enterprise environment involves a number of different tasks and considerations, including the following:
Understanding policies vs. preferences
Designing an OU structure that supports Group Policy
Configuring a central store for policy definition files
Creating and using Starter GPOs
Understanding how to remotely refresh Group Policy
Before you implement Group Policy in your Active Directory environment, you need to understand the difference between policies and preferences. Group Policy allows administrators to deploy two types of settings:
Managed settings These are configuration settings that the organization considers mandatory and that must be strictly enforced. Managed settings are pushed out to targeted user accounts or computers, and they are periodically refreshed to ensure they remain enforced.
An example of a managed setting might be a corporate-branded desktop background that the company requires to be enforced on all employees’ computers.
A standard user (a user without administrative rights) cannot modify a managed setting. And although users who are local administrators on their computers might be able to temporarily change a managed setting, the setting will be reapplied either the next time the user logs on, the next time the computer restarts, or during a periodic background refresh of Group Policy.
Unmanaged settings These are configuration settings that the organization does not consider mandatory but might consider recommended or advisable. Unmanaged settings are pushed out to targeted user accounts or computers, but unlike managed settings, which are always enforced, unmanaged settings can be modified by users if they want to do so.
An example of an unmanaged setting is a mapped drive. Because this setting is unmanaged, a user (even a standard user) can delete the mapped drive. The mapped drive might or might not reappear when the user next logs on, depending upon how the administrator has configured the unmanaged setting.
In Group Policy, managed settings are called policies and unmanaged settings are called preferences. Figure 1 shows that a Group Policy Object (GPO) has several types of policies and preferences, some of them per-machine and the others per-user.
Some of the other differences between policies and preferences include the following:
A policy disables its associated user interface item on the user’s computer; a preference does not.
A policy is removed when the GPO goes out of scope—that is, when the user or computer is no longer targeted by the GPO. A preference, however, remains configured for the targeted user or computer even when the GPO goes out of scope. Another way of saying this is that preferences tattoo the registry on the client computer, while policies do not tattoo the registry on the client computer.
When a policy is applied, the original registry settings on the client computer are not changed. Instead, the policy is stored in a special policy-aware section of the registry on the client (the Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies keys under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER), which a Group Policy–aware feature reads before it reads the user's own setting. If the policy is later removed, the policy key is cleaned up and the client's original registry settings are in effect again. Another way of saying this is that a policy supersedes the corresponding configuration setting in the user interface on the client. With preferences, however, the original registry settings on the client are overwritten, and removing the preference does not restore the original setting. In other words, a preference actually modifies the corresponding configuration setting in the user interface on the client. Because of this difference, policies can be effective only for features of Windows operating systems and applications that are Group Policy–aware, while preferences can be effective for any features of Windows operating systems and applications as long as the appropriate preference extension is loaded.
Policies can be configured in both domain and local GPOs; preferences can be configured only in domain GPOs.
A preference can be applied only once if desired; policies are always periodically refreshed.
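The following Windows PowerShell script is an added example, not part of the original text, that makes the policy-versus-preference distinction visible on a client. It deploys the same desktop wallpaper setting twice in one GPO, once as a policy (written to the policy-aware registry location) and once as a preference (written to the user's real setting), refreshes the client remotely, and provides a check function to run in the targeted user's logon session. The domain name, OU, computer name, and share path are assumptions for a lab environment; the cmdlets are the standard GroupPolicy module cmdlets that ship with Windows Server 2012.

```powershell
# Added example (not from the original text). Assumptions: the GroupPolicy
# module is available, the lab OU "OU=GP-Lab,DC=corp,DC=example" exists and
# contains the test user and the workstation CLIENT01, and the wallpaper
# files live on an assumed share. Remote refresh with Invoke-GPUpdate needs
# the remote scheduled-task/WMI firewall rules open on the client (the
# "Group Policy Remote Update Firewall Ports" Starter GPO provides them).
Import-Module GroupPolicy

$gpoName = 'Lab - Policy vs Preference'
$target  = 'OU=GP-Lab,DC=corp,DC=example'         # assumed lab OU
$client  = 'CLIENT01'                             # assumed lab workstation
$policyWallpaper = '\\fs01\branding\corp-policy.jpg'  # assumed share path
$prefWallpaper   = '\\fs01\branding\corp-pref.jpg'    # assumed share path

New-GPO -Name $gpoName -Comment 'Shows the tattooing difference' | Out-Null

# 1. Policy: the "Desktop Wallpaper" administrative template stores its
#    value in the policy-aware branch below. Windows reads this key ahead of
#    the user's own setting, and the user's own value under
#    HKCU\Control Panel\Desktop is not modified.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'Wallpaper' -Type String -Value $policyWallpaper | Out-Null

# 2. Preference: the Registry preference extension writes directly to the
#    real setting, exactly as if the user had changed it in Control Panel.
#    Action Update creates the value if missing and overwrites it otherwise.
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key 'HKCU\Control Panel\Desktop' -ValueName 'Wallpaper' `
    -Type String -Value $prefWallpaper | Out-Null

# Bring the GPO into scope for the OU and refresh user policy on the client.
New-GPLink -Name $gpoName -Target $target | Out-Null
Invoke-GPUpdate -Computer $client -Target User -Force

# Check function: run this on CLIENT01 in the targeted user's own logon
# session (HKCU must be that user's hive, so not over a remoting session
# opened as an administrator). It reads both registry locations.
function Get-WallpaperState {
    $policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $realKey   = 'HKCU:\Control Panel\Desktop'
    $policy = Get-ItemProperty -Path $policyKey -Name Wallpaper -ErrorAction SilentlyContinue
    $real   = Get-ItemProperty -Path $realKey   -Name Wallpaper -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyLocation   = $policy.Wallpaper   # present only while the policy applies
        UserOwnSetting   = $real.Wallpaper     # overwritten by the preference
    }
}
Get-WallpaperState

# 3. Take the GPO out of scope (unlink it) and refresh again, then run
#    Get-WallpaperState once more as the user to compare.
Remove-GPLink -Name $gpoName -Target $target | Out-Null
Invoke-GPUpdate -Computer $client -Target User -Force
```

Running Get-WallpaperState after step 2 shows the policy value in PolicyLocation and the preference value in UserOwnSetting; the displayed wallpaper is the policy one, because the policy supersedes the user's setting. After step 3 the PolicyLocation value is gone, because a policy is removed when its GPO goes out of scope, while UserOwnSetting still holds the preference value: the preference tattooed the user's real setting and nothing reverses it until an administrator or the user changes it again.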
Windows 8 and Windows Server 2012 include over 350 new policies that administrators can use to manage the new features of these platforms. Some of the new policy areas include settings for managing the following:
BitLocker Volume Encryption
BranchCache (for example, to configure peer-to-peer caching)
Credential provider (for example, to configure Picture Password sign-in)
Desktop personalization (for example, to configure Lock screen and Start screen background)
Device driver setup and compatibility settings
DNS Client settings (for example, to configure smart protocol reordering and response preferences)
External boot options for Windows To Go
File History settings
Hotspot authentication
Internet Explorer 10 customization (includes over 150 new settings)
Kerberos armoring
Managing enterprise installation of Windows 8 apps
Folder Redirection (for example, to configure redirection only on a user’s primary computer)
Remote Desktop Services (for example, to configure RDP 8.0 and RemoteFX)
Windows Explorer user-interface settings
Printing (for example, to configure the new v4 simplified print-provider architecture)
Start-screen customization (for example, to configure whether to show Run As Different User on the Start screen)
Sync Your Settings (for example, to sync to SkyDrive)
TCP/IP (for example, to configure Internet Protocol version 6 (IPv6) stateless autoconfiguration)
The Trusted Platform Module (TPM) (for example, to configure backup of TPM owner information to Active Directory Domain Services)
User interface customization (for example, to turn off switching between recent apps)
User profile roaming (for example, to allow roaming only on a user's primary computer)
VSS Provider Shadow Copies (for the File Server role service)
Windows PowerShell execution policy
Windows Store (to turn it on or off)
Wireless WAN (for example, to configure cost policies for 3G/4G networks)