Group Policy Objects (GPOs) can be used to perform
many functions across a diverse or standard computer and network
infrastructure built on Microsoft Windows and Active Directory Domain
Services. Considering how to best utilize group policies to manage any
one particular environment and deciding on which GPO settings to
leverage can be a lengthy process. To simplify this process and to keep
from rethinking GPO usage each time, a base set of GPOs should be
created and stored as starter GPOs.
A starter GPO is a feature of the
Group Policy infrastructure that first became available with the release
of the Windows Server 2008 Group Policy Management Console. A starter
GPO can contain a set of Group Policy administrative template settings
that have been preconfigured or defined to meet an organization’s
security and/or configuration requirements. When a new GPO is created, a
starter GPO can be leveraged to prepopulate the defined settings into
the new GPO. The benefit is that each time a GPO is needed, it does not
have to be created from scratch and the administrator does not need to
search for each of the settings necessary to meet the specific
objective of the new GPO. Windows Server 2008 R2 provides several starter
GPOs for Windows XP and Windows Vista systems that have been created to
provide preconfigured security settings to meet the
best-practice recommendations outlined in the Windows Vista and Windows
XP security guides. The remainder of this section outlines common scenarios for GPO usage
to assist administrators with the planning, deployment, and
configuration of GPOs across an organization’s Active Directory
infrastructure.
Policies and Preferences
Windows 2008 Group Policy
introduced a brand-new set of configurable settings known as
Preferences. Group Policy Objects are now organized into Policy settings
and Preference settings, as shown in Figure 1.
Preferences provide many of the features that the Group Policy
infrastructure was lacking in previous versions, and preferences also
provide many functions that were commonly handled with complex logon and
startup scripts, with Registry file import tasks, and by administrators
configuring the default user profile on workstations and servers. Many
preference settings, such as Registry keys and Drive Maps, would have
previously been applied with scripts that required the workstation to be
logged on to or started up on the internal network. With preference
settings in domain group policies, these settings can now be applied
during the Group Policy refresh interval, which can greatly increase the
successful application of these types of settings.
Policy
settings and Preference settings have different characteristics. Policy
settings are enforced and all users are commonly restricted from
changing any configured policy setting. If a policy setting contains a
graphic interface, when configured, the setting is normally grayed out
to the end user, as shown in Figure 2 for the policy-configured Remote
Desktop settings. Policy settings such as software installations and
computer or user scripts are only processed during computer startup or
shutdown and user logon and logoff cycles.
Preference settings are
applied to computers and users the same as policy settings: during
startup, shutdown, and refresh cycles for computers and logon, logoff,
and refresh cycles for users. Preference settings, however, are
configured but not enforced. As an example of this, using a user printer
preference, a printer can be installed in a user profile and set to be
the default printer but the end user will still retain the ability to
define a different default printer if necessary. Preference settings are
applied during refresh intervals, but certain settings, such as
creating Registry keys and values, might require a computer reboot or
user logoff/logon cycle to actually apply the new setting. One important
point to note is that the domain group policy preferences are supported
on Windows 7, Windows Server 2008, and Windows Server 2008 R2, but
Windows XP, Windows Server 2003, and Windows Vista all need an update to
support preference settings.
Preference settings
are all different, but they each share common administrative
functionality. Each preference setting is presented in a
graphic interface similar to, if not identical to, what the end user can see
and access within the user profile. This is one distinction between
preference and policy settings, as most policy settings are enabled,
disabled, or not configured whereas a preference setting can contain
several configuration features. Furthermore, each preference setting
can have multiple items defined within it, each with a separate
configuration value. As an example, a Drive Map preference can have a
setting item of a mapped drive P and a mapped drive U defined within the
single domain group policy preference setting.
In
addition to the specific setting options that are unique to each
preference, such as the drive letter designation for a Drive Map or a
folder path to a Network Share preference, each setting also contains a
set of common options and many also include a preference action.
Preference Actions
Preference actions determine how a
preference setting will be applied to a user or computer. Many
preference settings also contain an option called the preference action.
The most common preference actions include the Create, Replace, Update,
and Delete actions:
Create— The Create action creates or configures the preference setting if the
setting does not already exist. If the setting already exists, no action
is taken.
Replace— The Replace action deletes and recreates the setting on the computer or within the user profile.
Update— The Update action creates the setting if it does not exist, but if the
setting already exists, part or all of the setting configurations are
updated to match the preference setting. Update is the default action
and is less intrusive than the Replace action. It can be used to ensure
that the setting is configured as desired, but processing speed will be
optimized because if the setting already matches it will be skipped.
Delete— The Delete action simply deletes the preference setting from the
computer or user profile. For example, a Delete action can remove a
mapped drive, delete a Registry key, or delete a printer from a computer
or a user profile.
Preference Common Options
Each preference setting
contains a common tab that contains several options that can be enabled
for the particular setting. A list of the common options is shown in Figure 3.
Common options include the ability to process the setting only once,
which is great for setting default configurations for new user profiles
or a new preference setting on existing domain group policies.
Item-Level Targeting
One of the most functional
preference common options is the item-level targeting option. Item-level
targeting allows administrators to define the scope of application for a
particular preference setting item such as a Drive Map. So with
item-level targeting an administrator can create a single domain group
policy and have a single Drive Map preference defined that will apply
different preference setting items to subsets of computers or users
based on the specifications of the item-level target. For example, a
Drive Map preference that defines the G drive can be
configured to map \\server10\Sales to members of the domain security
group named sales, based on the item-level targeting option
configuration settings. The same preference can also define the G drive
to \\server10\HR for members of the domain Human Resources group based
on a different configuration for item-level targeting.
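As an added example (not from the book), the following Python audit reads the Drive Map items of a Group Policy preference in the Drives.xml form stored under SYSVOL, decodes each item's action code into the Create, Replace, Update, or Delete action described above, lists its item-level target groups, and flags drive letters defined more than once without a target, which is exactly the situation that item-level targeting avoids in the G drive scenario. The attribute names follow the Drives.xml layout as the editor knows it; the server, group, and SID values are constructed.

```python
"""Audit Drive Map items of a Group Policy preference (GPP Drives.xml).
Added example; attribute names follow the Drives.xml layout under SYSVOL as
known to the editor, and every server, group and SID value is constructed."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Single-letter action codes in the XML map to the four preference actions.
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

# Constructed sample: G: is defined twice, each item scoped to a different
# security group by an item-level target; P: is removed with Delete.
SAMPLE_DRIVES_XML = """<Drives>
  <Drive name="G:" uid="{PLACEHOLDER-UID-1}" userContext="1">
    <Properties action="U" thisDrivePath="\\\\server10\\Sales" letter="G" label="Sales"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\\sales" sid="S-1-5-21-PLACEHOLDER-1101"/>
    </Filters>
  </Drive>
  <Drive name="G:" uid="{PLACEHOLDER-UID-2}" userContext="1">
    <Properties action="U" thisDrivePath="\\\\server10\\HR" letter="G" label="HR"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\\Human Resources" sid="S-1-5-21-PLACEHOLDER-1102"/>
    </Filters>
  </Drive>
  <Drive name="P:" uid="{PLACEHOLDER-UID-3}" userContext="1">
    <Properties action="D" thisDrivePath="\\\\server10\\Public" letter="P"/>
  </Drive>
</Drives>"""

def parse_drive_items(xml_text):
    """Return one dict per Drive item: letter, UNC path, action name, target groups."""
    items = []
    for drive in ET.fromstring(xml_text).iter("Drive"):
        props = drive.find("Properties")
        # Only positive (not="0") group filters narrow who receives the item.
        groups = [f.get("name") for f in drive.iter("FilterGroup") if f.get("not", "0") == "0"]
        items.append({"letter": props.get("letter"), "path": props.get("thisDrivePath"),
                      "action": ACTIONS.get(props.get("action", "U"), "Unknown"),
                      "targets": groups})
    return items

def find_letter_conflicts(items):
    """Letters defined by several items where at least one item has no item-level
    target: without targeting, the last item processed wins for every user."""
    by_letter = defaultdict(list)
    for item in items:
        by_letter[item["letter"]].append(item)
    return sorted(letter for letter, defs in by_letter.items()
                  if len(defs) > 1 and any(not d["targets"] for d in defs))
```

Point `parse_drive_items` at the text of a real `User\Preferences\Drives\Drives.xml` from SYSVOL to review an existing policy; a non-empty result from `find_letter_conflicts` means two untargeted items compete for the same letter.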