- By William Stanek
Managing preference items
To view and work with preferences, you must open a Group Policy Object for editing in the Group Policy Management Editor, as discussed in “Accessing Group Policy in Active Directory” earlier in this chapter. Then you can manage preferences for either computers or users by using the following techniques:
- If you want to configure preferences that should be applied to computers, regardless of who logs on, double-tap or double-click the Computer Configuration node, double-tap or double-click the Preferences node, and then select the preference area with which you want to work.
- If you want to configure preferences that should be applied to users, regardless of which computer they log on to, double-tap or double-click the User Configuration node, double-tap or double-click the Preferences node, and then select the preference area with which you want to work.
Creating and managing a preference item
You manage preference items separately by selecting the preference area, and then working with the related preference items in the details pane. While you are viewing a particular preference area, you can create a related item by pressing and holding or right-clicking an open space in the details pane, pointing to New, and then selecting the type of item to create. Only items for the selected area are available. For example, if you are working with Printers under Computer Configuration, you have the option to create a TCP/IP Printer or Local Printer preference when you press and hold or right-click and point to New.
After you’ve created items for a preference area, you can press and hold or right-click an individual item to display a shortcut menu that allows you to manage the item, as shown in Figure 4-7.
Similar options are displayed on the toolbar when you select an item. In addition to pressing and holding or right-clicking an item and selecting Properties to display its Properties dialog box, you can double-tap or double-click a preference item to display its Properties dialog box. Then you can use the Properties dialog box to view or edit settings for the preference item.
On clients, the Group Policy client processes preference items according to their precedence order. The preference item with the lowest precedence (the one listed last) is processed first, followed by the preference item with the next lowest precedence, and so on until the preference item with the highest precedence (the one listed first) is processed.
Figure 4-7 Manage preference items by using the Group Policy Management Editor and the shortcut menu.
Processing occurs in precedence order to ensure that preference items with higher precedence have priority over preference items with lower precedence. If there is any conflict between the settings applied in preference items, the settings written last win. To change the precedence order, select a preference area in the console tree, and then tap or click the preference item that you want to work with in the details pane. You’ll then find additional options on the toolbar, which include:
- Move The Selected Item Up
- Move The Selected Item Down
To lower the precedence of the selected item, tap or click Move The Selected Item Down. To raise the precedence of the selected item, tap or click Move The Selected Item Up.
Setting Common tab options
All preference items have a Common tab, on which you’ll find options that are common to preference items. Although the exact list of common options can differ from item to item, most preference items have the options shown in Figure 4-8.
Figure 4-8 Set additional processing options on the Common tab.
These common options are used as follows:
Stop Processing Items In This Extension If An Error Occurs By default, if processing of one preference item fails, processing of other preference items will continue. To change this behavior, you can select Stop Processing Items In This Extension If An Error Occurs. With this option selected, a preference item that fails prevents the remaining preference items within the extension from being processed for a particular Group Policy Object. This setting doesn’t affect processing in other Group Policy Objects.
Run In Logged-On User’s Security Context By default, the Group Policy client running on a computer processes user preferences within the security context of either the Winlogon account (for computers running versions of Windows prior to Windows Vista) or the System account (for computers running Window Vista or later). In this context, a preference extension is limited to the environment variables and system resources available to the computer. Alternatively, the client can process user preferences in the security context of the logged-on user. This allows the preference extension to access resources as the user rather than as a system service, which might be required when using drive maps or other preferences for which the computer might not have permissions to access resources or might need to work with user environment variables.
Remove This Item When It Is No Longer Applied By default, when the policy settings in a Group Policy Object no longer apply to a user or computer, the policy settings are removed because they are no longer set in the Group Policy area of the registry. Default preference items are not removed automatically, however, when a Group Policy Object no longer applies to a user or computer. To change this behavior, you might be able to set this option for a preference item. When this option is selected, the preference extension determines whether a preference item that was in scope is now out of scope. If the preference item is out of scope, the preference extension removes the settings associated with the preference item.
Apply Once And Do Not Reapply Group Policy writes preferences to the same locations in the registry that an application or operating system feature uses to store the related setting. As a result, users can change settings that were configured by using policy preferences. However, by default, the results of preference items are rewritten each time Group Policy is refreshed to ensure that preference items are applied as administrators designated. You can change this behavior by setting this option. When this option is selected, the preference extension applies the results of the preference item one time and does not reapply the results.
Item-Level Targeting Item-level targeting allows you to filter the application of a preference item so that the preference item applies only to selected users or computers. When the Group Policy client evaluates a targeted preference, each targeting item results in a True or False value. If the result is True, the preference item applies and is processed. If the result is False, the preference item does not apply and is not processed. When this option is selected, tap or click the Targeting button to display the Targeting Editor, and then configure targeting as appropriate.