Group Policy related changes in Windows Server 2008

In part 1 of this article series "Starter GPOs" were discussed. In part 2 we dealt with Group Policy Management Console (GPMC) version 2 and its new search, filtering and comment options. Part 3 introduced you to Group Policy Preferences and part 4 will take a closer look at Group Policy Preferences, including Actions, Item Level Targeting, Export/Import, Common options, Shortcuts and more.

Please note that some of the information in this article series is based on information from the Beta versions of Windows Server 2008 (Beta 3, RC0 and RC1). So, some features and dialog boxes may change a bit before the final release. Group Policy Preferences is part of the Release Candidate 1 (RC1) beta release of Windows Server 2008.
Actions

For each Group Policy Preference (GPP) setting you can normally choose between 4 different actions (see Figure 1). These actions will determine how the Client Side Extension (CSE) will process the preference item.

Figure 1: the General tab of Environment Properties.

This is a quick introduction to the available actions:

Create = Create a new setting if it doesn't exist on the targeted machine.
Replace = Delete the setting if it exists and then set with the new settings ("recreate").
Update (default) = The default action which modifies existing settings. If the settings don't exist they will be set.
Delete = Remove the preference setting on the targeted machine.

Note: We will most likely see the Migrate action when Microsoft releases some of the additions to the Applications node (more on this later in this article).

Selecting the correct action is crucial, but in most cases the default option (Update) will be perfectly fine.

The Common tab and processing order

Let's take a look at the Common tab of GPP settings. This is where we can specify how the CSE will process the particular preference setting (or "item").
Figure 2: the Common tab of Environment Properties.

If you click on any GPP Common tab, they all have exactly the same options, and they are as follows (though irrelevant options can be greyed out as shown in Figure 2):

"Stop processing items in this extension if an error occurs" changes the default error handling. If any error should occur during GPP processing the default action is to continue with the next preferences in line. To change that behaviour this option can be selected - this will stop processing of remaining preference items in the same extension/category inside the current GPO.

"Run in logged-on user's security context (user policy option)" changes the default user context. Normally preferences are processed using the Local System account (SYSTEM); selecting this option will make sure the user context is used instead. Network Drive and Printer Mappings ignore this setting as they always use the user context anyway.

"Remove this item when it is no longer applied" can remove preference settings when the user or computer falls out of scope of management. But you have to be extremely careful with this option as it may, depending on what actions you take, remove the setting entirely. When selecting this option the "Update" action will be forced on.

Example (a small warning)

Let's say you have an application which is hardcoded to look into the following part of the registry to determine a particular user setting during start-up (ex. Current User > Software > Windowsecurity > MyTheme = "Default"). An admin then decides to give all users a particular visual theme in the application by creating a Registry preference that assigns the "MyTheme" key a value of "DeepPurple". He/she also selects the "Remove this item when it is no longer applied" option for the registry preference. Everything works fine for a couple of months and then it is decided that the GPO should be unlinked - the intention is to get the original value back. But what will happen is that the registry string value "MyTheme" will be deleted entirely - in the worst case leaving the application in a broken state. Therefore it is recommended to test the behaviour of this option thoroughly before using it in a production environment. So, watch out!

"Apply once and do not reapply" changes the default behaviour, which generally is to process the preference setting with every background refresh. It must be said, however, that some preferences are only processed during log on by default (ex. Network Drive and Printer Mappings). With this option, the CSE applies the particular preference item once and never again. From that point the user can do whatever he or she wants with the User Configuration preference setting - or, if it is a Computer Configuration preference, the computer will never process the preference setting again.

"Item-Level Targeting" is kind of like WMI filters, but only for the selected preference setting and not the entire GPO (like with WMI filters) or other preferences for that matter. There's more information on ILT later in this article.

Processing order and menu options

The processing order of preference items can be decided manually by an admin - or you can go with the default order, which is normally fine. The green Up and Down arrows (see Figure 3) offer a method to manually define the processing order of the preferences within a particular category.

Figure 3: Processing order and menu options (for the "Local Users and Groups" category)

This is a quick introduction to the menu options we have in Figure 3:

The "question mark" icon offers help for the open preference category. The help file is actually pretty good and covers most common situations.
The "documents" icon offers a method for displaying the XML data for the selected item(s).
The red "Stop sign" icon offers the option to disable the currently selected preference item. That means that the CSE will not process the item at all. The icon changes to a green "Stop sign" when a preference item is disabled. Clicking the green icon will re-enable the preference.

SYSVOL

You might wonder how GPPs actually work - and you may already have guessed it. Preferences work kind of the same way as normal Group Policy technology: the CSE takes what it needs from SYSVOL and makes sure to apply the settings on the client (in most cases in context of the SYSTEM account).

Figure 4: The different Group Policy Preferences categories.
GPPs are actually "just" folders and files - yes, you guessed it: XML formatted files - added to SYSVOL. A "Preferences" folder is created below either the "\User" (for User Configuration preferences) or the "\Machine" (for Computer Configuration preferences) folder within a GPO in SYSVOL. And for each preference category (see Figure 4) a folder is created below the "Preferences" folder (see Figure 5).

Figure 5: A folder is created for each enabled Group Policy Preference category.

Below each category folder you will find an XML file for each Preference setting you have, containing the relevant configuration options etc.

Item Level Targeting

Item Level Targeting (ILT) is an additional "filter" to those you have on the GPO itself (WMI and security group filters), which applies to the particular GP Preference item within the GPO only - not the entire GPO as with the existing filtering options. So, for instance, if you create a GPO which has a GPP item creating a share on a client you can set a kind of filter on that particular item alone, to make sure you only hit computers/users that apply to the ILT setting(s) you have defined. Within a single GPO you can have multiple preference items, each with its own targeting option(s).

With ILT you can use logical functions, like And/Or and Is/Is Not. You can create Collections of logical functions to make it all very flexible and in an extremely user friendly way. ILT is slightly faster than WMI filters as it uses built-in APIs of the operating system instead of WMI.

This is a complete list of conditions you can use in ILT "filters": Battery Present, Computer Name, CPU Speed, Date Match, Dial-Up Connection, Disk Space, Domain, Environment Variable, File Match, IP Address Range, Language, LDAP Query, MAC Address Range, MSI Query, Operating System, Organizational Unit, PCMCIA Present, Portable Computer, Processing Mode, RAM, Registry Match, Security Group, Site, Terminal Session, Time Range, User and/or a custom WMI Query. Impressive, right?

Additionally you can add both labels and comments to collections or ILT items for better overview - targeting can get pretty complex in larger environments. Figure 6 shows the "Targeting Editor" with 2 collections, each collection with multiple Boolean ILT items (or 'queries') - one of the collections must come out true for the particular preference setting to apply to the user or the computer object.
Figure 6: The Targeting Editor.

ILT provides us with ultimate control of who gets what preference item.

Exporting & Importing Group Policy Preferences

Your GPPs can be exported to XML very easily. Just right click a preference, choose Copy and then Paste to your desktop or some other folder - and an XML document will be created. This document includes everything you need to import the GPP into another GPO (or environment for that matter). To import an XML document all you have to do is to Copy and Paste the document into the Preference area in the Group Policy Management Editor. Even Drag & Drop works for importing and exporting - it is almost too easy.

Tip: If you open the XML document (by using Notepad, XML Notepad, Internet Explorer or whatever) you will quickly be able to spot the preference settings - including ILT configuration. If you're up for it, just copy the ILT section to other policies where you need the exact same "filter" - it's very easy to work with actually. This tip might be helpful if you have a certain ILT "filter" which must apply to a lot of different preference items.
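
An added example, not part of the original article: the Python sketch below reads preference XML (an exported item as described above, or the files under a GPO's "Preferences" folder in SYSVOL) and reports each item's action, the "Remove this item" and user-context options from the Common tab, and its ILT filters as one boolean expression. The element and attribute names (action codes C/R/U/D, removePolicy, userContext, Filters, bool, not) are assumptions about the GPP XML format and the sample values are constructed; check them against XML exported from your own console.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}
# Constructed sample item; element and attribute names are assumptions.
SAMPLE = r"""<RegistrySettings>
 <Registry name="MyTheme" removePolicy="1" userContext="1">
  <Properties action="U" key="Software\Windowsecurity" value="DeepPurple"/>
  <Filters>
   <FilterCollection bool="AND" not="0">
    <FilterOrgUnit bool="AND" not="0" name="OU=Sales,DC=example,DC=test"/>
    <FilterTerminal bool="AND" not="1"/>
   </FilterCollection>
   <FilterGroup bool="OR" not="0" name="EXAMPLE\ThemeTesters"/>
  </Filters>
 </Registry>
</RegistrySettings>"""


def targeting(filters):
    """Render a list of ILT filter elements as a boolean expression."""
    parts = []
    for f in filters:
        # 'bool' joins a filter to the one before it, 'not' negates it (assumed).
        inner = targeting(f) if f.tag == "FilterCollection" else f.get("name", "")
        term = ("NOT " if f.get("not") == "1" else "") + f"{f.tag}({inner})"
        parts.append(f"{f.get('bool', 'AND')} {term}" if parts else term)
    return " ".join(parts)


def audit_xml(data, source="exported item"):
    """Return one record per preference item in a category XML document."""
    records = []
    for item in ET.fromstring(data).findall(".//*[Properties]"):
        action = item.find("Properties").get("action")
        records.append({
            "source": source, "type": item.tag, "name": item.get("name"),
            "action": ACTIONS.get(action, "unknown"),
            "remove_when_unapplied": item.get("removePolicy") == "1",
            "user_context": item.get("userContext") == "1",
            "targeting": targeting(item.findall("Filters/*")),
        })
    return records


def audit_gpo(gpo_root):
    """Audit every <GPO>/User|Machine/Preferences/<category>/*.xml file."""
    root = Path(gpo_root)
    return [rec for f in sorted(root.glob("*/Preferences/*/*.xml"))
            for rec in audit_xml(f.read_bytes(), f.relative_to(root).as_posix())]
```

Items reported with remove_when_unapplied set are the ones to check against the "Remove this item" warning above before a GPO is unlinked; an empty targeting string means the item applies to everything in the GPO's scope.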