Windows Group Policy: Deploying Group Policy

  • 2/11/2009

Using Policy Preferences and Settings

So far we’ve discussed how Group Policy has changed, how you can update policy, and how policy is applied, but I haven’t discussed the specific ways in which you can use preferences and settings to help you better manage your network. I’ll remedy that now by detailing uses for both preferences and settings. Because some overlap occurs in management areas for preferences and settings, I’ll also discuss whether using settings or preferences is better suited to a particular task.

Using Policy Settings for Administration

A policy setting is a managed setting that you apply to control configuration, such as to restrict access to the Run dialog box. Most policy settings have three basic states:

  • Enabled. The policy setting is turned on, and its settings are active. You typically enable a policy setting to ensure that it is enforced. Once enabled, some policy settings allow you to configure additional options that fine-tune how the policy setting is applied.

  • Disabled. The policy setting is turned off, and its settings are not applied. Typically, you disable a policy setting to ensure that it is not enforced.

  • Not Configured. The policy setting is not being used. No settings for the policy are either active or inactive and no changes are made to the configuration settings targeted by the policy.

By themselves, these states are fairly straightforward. However, these basic states can be affected by inheritance and blocking (which I touched on briefly and will discuss in detail in Chapter 5). That said, with the following two rules about inheritance and blocking in mind, you’ll be well on your way to success with Group Policy:

  • If inherited policy settings are strictly enforced, you cannot override them. This means the inherited policy setting is applied regardless of the policy state set in the current GPO.

  • If inherited policy settings are blocked in the current GPO and not strictly enforced, the inherited policy setting is overridden. This means the inherited policy setting does not apply, and only the policy setting from the current GPO is applied.
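The two rules above, worked through for a single policy setting such as the Run dialog box restriction. This is an added example, not code from the book: the GPO and container names are constructed, and blocking is modelled as a flag on the container that holds the current GPO. It goes slightly beyond the two rules by also treating Not Configured as "changes nothing" and by letting the enforced link highest in the hierarchy win.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Link:
    gpo: str                   # GPO name (constructed sample names)
    state: Optional[str]       # "Enabled", "Disabled", or None for Not Configured
    enforced: bool = False     # True when the link is strictly enforced


@dataclass
class Container:
    name: str
    links: List[Link] = field(default_factory=list)   # lowest precedence first
    block_inheritance: bool = False


def effective_state(chain: List[Container]) -> Tuple[str, Optional[str]]:
    """Resolve one policy setting for an object in the last container of `chain`.

    `chain` runs from the top of the hierarchy down to the container that
    holds the user or computer. Returns (state, name of the winning GPO).
    """
    normal: List[Link] = []
    enforced_by_level: List[List[Link]] = []
    for container in chain:
        if container.block_inheritance:
            # Inherited links that are not enforced stop applying from here down.
            normal.clear()
        normal.extend(l for l in container.links if not l.enforced)
        enforced_by_level.append([l for l in container.links if l.enforced])

    # Enforced links are processed last, deepest container first, so the
    # enforced link highest in the hierarchy is written last and wins.
    order = normal + [l for level in reversed(enforced_by_level) for l in level]

    state, winner = "Not Configured", None
    for link in order:
        if link.state is not None:        # Not Configured leaves the value alone
            state, winner = link.state, link.gpo
    return state, winner


def sample_chain(parent_enforced: bool, ou_blocks: bool,
                 ou_state: Optional[str]) -> List[Container]:
    """Constructed two-level hierarchy: a domain GPO and an OU GPO."""
    return [
        Container("domain", [Link("Baseline", "Enabled", parent_enforced)]),
        Container("OU=Engineering", [Link("Eng Desktop", ou_state)], ou_blocks),
    ]


if __name__ == "__main__":
    cases = {
        "enforced parent, OU blocks and disables": (True, True, "Disabled"),
        "parent not enforced, OU blocks and disables": (False, True, "Disabled"),
        "parent not enforced, OU blocks, Not Configured": (False, True, None),
        "no blocking, OU Not Configured": (False, False, None),
    }
    for label, args in cases.items():
        print(f"{label}: {effective_state(sample_chain(*args))}")
```
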

Now that you know exactly how to apply individual policy settings, let’s look at the administrative areas to which you can apply Group Policy. Through a special set of policies called Administrative Templates, you can manage just about every aspect of the Windows graphical user interface (GUI), from menus to the desktop, the taskbar, and more. The Administrative Template policy settings affect actual registry settings, so the available policies are nearly identical whether you are working with local Group Policy or domain-based Group Policy. You can use administrative templates to manage:

  • Control Panel. Controls access to and the options of Control Panel. You can also configure settings for Add Or Remove Programs, Display, Printers, and Regional And Language Options.

  • Desktop. Configures the Windows desktop, the availability and configuration of Active Desktop, and Active Directory search options from the desktop.

  • Network. Configures networking and network client options, including offline files, DNS clients, and network connections.

  • Printers. Configures printer publishing, browsing, spooling, and directory options.

  • Shared folders. Allows publishing of shared folders and Distributed File System (DFS) roots.

  • Start menu and taskbar. Configures the Start menu and taskbar, primarily by removing or hiding items and options.

  • System. Configures policies related to general system settings, disk quotas, user profiles, logon, power management, system restore, error reporting, and more.

  • Windows components. Configures whether and how to use various Windows components, such as Event Viewer, Task Scheduler, and Windows Updates.

Table 2-1 provides a comprehensive list of administrative areas you can manage using Group Policy. Whether you are working with local Group Policy or Active Directory–based Group Policy, the areas of administration are similar. However, you can do much more with Active Directory–based Group Policy primarily because you cannot use local Group Policy to manage any features that require Active Directory.

Table 2-1. Key Administrative Areas That Can Be Managed with Policy Settings

Each entry gives the Group Policy category, its description, and its location in Group Policy.

  • Device/Driver installation. Controls the way device and driver installation works. Locations: Computer Configuration\Policies\Administrative Templates\System\Device Installation; Computer Configuration\Policies\Administrative Templates\System\Driver Installation; User Configuration\Policies\Administrative Templates\System\Driver Installation

  • Device Installation restriction. Restricts the devices that can be deployed and used. Location: Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions

  • Disk quotas. Configures the way disk quotas are used and whether quotas are enforced, logged, or both. Location: Computer Configuration\Policies\Software Settings

  • Encrypted data recovery agents. Configures data recovery agents and their related certificates for use with the Encrypting File System (EFS). Location: Computer | User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

  • File and folder security. Configures security permissions for files and folders. Location: Computer Configuration\Policies\Windows Settings\Security Settings\File System

  • Folder redirection. Moves critical data folders for users to network shares where they can be better managed and backed up regularly (domain-based Group Policy only). Location: User Configuration\Policies\Windows Settings\Folder Redirection

  • General computer security. Establishes security settings for accounts, event logs, restricted groups, system services, the registry, and file systems. (With local Group Policy, you can only manage general computer security for account policies.) Location: Computer Configuration\Policies\Windows Settings\Security Settings

  • Internet settings. Controls the ways Windows Internet Explorer can be used and establishes lockdown settings. Location: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer

  • Internet Explorer maintenance. Configures the browser interface, security, important URLs, default programs, proxies, and more. Location: User Configuration\Policies\Windows Settings\Internet Explorer Maintenance

  • IP security. Configures IP security policy for clients, servers, and secure servers. Location: Computer Configuration\Policies\Windows Settings\Security Settings\IP Security Policies

  • Local security policies. Configures policy for auditing, user rights assignment, and user privileges. Location: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies

  • Offline files. Determines whether and how offline files are used. Location: Computer | User Configuration\Policies\Administrative Templates\Network\Offline Files

  • Policy-based Quality of Service (QoS). Manages network traffic to help improve quality of service for critical applications. Location: Computer | User Configuration\Policies\Windows Settings\Policy-based QoS

  • Power options. Configures power management plans and settings for devices. (Windows Vista or later) Location: Computer | User Configuration\Policies\Administrative Templates\System\Power Management

  • Printer deployment. Configures printers for use. (Windows Vista or later) Location: User Configuration\Policies\Windows Settings\Deployed Printers

  • Public key security. Configures public key policies for autoenrollment, EFS, enterprise trusts, and more. Location: Computer | User Configuration\Policies\Windows Settings\Security Settings\Public Key Policies

  • Registry security. Configures security permissions for registry keys. Location: Computer Configuration\Policies\Windows Settings\Security Settings\Registry

  • Restricted groups. Controls the membership of both Active Directory–based groups and local computer groups. Location: Computer | User Configuration\Policies\Windows Settings\Security Settings\Restricted Groups

  • Scripts. Configures logon/logoff scripts for users and startup/shutdown scripts for computers. Location: Computer | User Configuration\Policies\Windows Settings\Security Settings\Scripts

  • Software installation. Configures automated deployment of new software and software upgrades (domain-based Group Policy only). Location: Computer | User Configuration\Policies\Software Settings\Software Installation

  • Software restriction. Restricts the software that can be deployed and used. Local Group Policy does not support user-based software restriction policies, only computer-based software restriction policies. Location: Computer | User Configuration\Policies\Windows Settings\Security Settings\Software Restriction Policies

  • Start menu. Defines the available options on and the behavior of the Start menu. Location: User Configuration\Policies\Administrative Templates\Start Menu And Taskbar

  • System services. Configures startup state and security permissions for system services. Location: Computer Configuration\Policies\Windows Settings\Security Settings\System Services

  • Wired networking (IEEE 802.3). Configures wired network policies for authentication methods and modes that apply to wired clients (domain-based Group Policy only). Can also be used to validate server certificates, enable quarantine checks, enforce advanced 802.1X settings, and enable single sign on. Location: Computer Configuration\Policies\Windows Settings\Security Settings\Wired Network Policies

  • Wireless networking (IEEE 802.11). Configures wireless network policies for access points, wireless clients, and preferred networks (domain-based Group Policy only). Can also be used to define permitted types of connections and block disallowed types of connections. Location: Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network Policies

Using Policy Preferences for Administration

A policy preference is an unmanaged setting that you apply to preconfigure an option for a user, such as to map a network share to a drive. Most policy preferences can be established using one of four different actions:

  • Create. Creates the preference only if a preference does not already exist.

  • Replace. Deletes the preference if it exists and then creates it, or creates the preference if it doesn’t yet exist.

  • Update. Modifies the preference if it exists. Otherwise, creates the preference.

  • Delete. Deletes the preference if it exists.

As with states for policy settings, these actions are fairly straightforward. However, these basic actions also can be affected by inheritance and blocking. To help you navigate inheritance and blocking, keep these basic rules in mind:

  • If inherited policy preferences are strictly enforced, you cannot override them. This means the inherited policy preference is applied regardless of the action defined in the current GPO.

  • If inherited policy preferences are blocked in the current GPO and not strictly enforced, the inherited policy preference is overridden. This means the inherited policy preference does not apply, and only the policy preference from the current GPO is applied.

Unlike policy settings, policy preferences apply only to Active Directory–based Group Policy. When you are working with Active Directory–based Group Policy, you can use policy preferences to configure the items discussed in Table 2-2.

Table 2-2. Key Elements That Can Be Configured with Policy Preferences

Each entry gives the configuration area, what it centralizes the creation, replacement, updating, and deletion of, and its location in Group Policy.

  • Applications. Application settings. Available when you install preference settings for an application. Location: User Configuration\Preferences\Windows Settings\Applications

  • Data Sources. Open Database Connectivity (ODBC) data sources. Location: Computer | User Configuration\Preferences\Control Panel Settings\Data Sources

  • Devices. System devices, including USB ports, floppy drives, and removable media. Location: Computer | User Configuration\Preferences\Control Panel Settings\Devices

  • Drive Maps. Network shares mapped to drive letters. Location: User Configuration\Preferences\Windows Settings\Drive Maps

  • Environment. System and user environment variables. Location: Computer | User Configuration\Preferences\Windows Settings\Environment

  • Files. Files that can be copied from a source location to a destination location. Location: Computer | User Configuration\Preferences\Windows Settings\Files

  • Ini Files. Property values within .ini files. Location: Computer | User Configuration\Preferences\Windows Settings\Ini Files

  • Folders. Folders in a particular location on the file system. Location: Computer | User Configuration\Preferences\Windows Settings\Folders

  • Local Users And Groups. User and group accounts for the local computer. Location: Computer | User Configuration\Preferences\Control Panel Settings\Local Users And Groups

  • Network Options. Virtual Private Networking and Dial-up Networking connections. Location: Computer | User Configuration\Preferences\Control Panel Settings\Network Options

  • Network shares. Shares, hidden shares, and administrative shares. Location: Computer or User Configuration\Preferences\Windows Settings\

  • Printers. Printer configuration and mapping. Location: Computer | User Configuration\Preferences\Control Panel Settings\Printers

  • Registry. Registry keys and values. Location: Computer | User Configuration\Preferences\Windows Settings\Registry

  • Scheduled Tasks. Scheduled tasks for automation. Location: Computer | User Configuration\Preferences\Control Panel Settings\Scheduled Tasks

  • Services. System services. Location: Computer Configuration\Preferences\Control Panel Settings\Services

  • Shortcuts. Shortcuts for file system objects, URLs, or shell objects. Location: Computer | User Configuration\Preferences\Windows Settings\Shortcuts

Through special preferences for Control Panel, you can also manage various aspects of the Windows graphical user interface (GUI). You can use these special preferences to manage:

  • Folder settings as if you were using the options available in the Folder Options utility in Control Panel. Located in Computer | User Configuration\Preferences\Control Panel Settings\Folder Options.

  • Internet settings as if you were using the options available in the Internet Options utility in Control Panel. Located in User Configuration\Preferences\Control Panel Settings\Internet Settings.

  • Power schemes and power management options as if you were using the related utilities in Control Panel. Located in Computer | User Configuration\Preferences\Control Panel Settings\Power Options. (Windows XP only.)

  • Regional and language settings as if you were using the options available in the Regional And Languages utility in Control Panel. Located in User Configuration\Preferences\Control Panel Settings\Regional Options.

  • Start menu as if you were using the Start Menu Properties dialog box. Located in User Configuration\Preferences\Control Panel Settings\Start Menu.

Choosing Between Preferences and Settings

Because some management areas overlap between policy preferences and policy settings, you can sometimes perform a particular task in more than one way. For example, using policy settings, you can identify logon scripts that should be used. Within these scripts, you can map network drives, configure printers, create shortcuts, copy files and folders, and perform other tasks. Using policy preferences, however, you could perform these same tasks without needing logon scripts. So which one should you use? Well, the truth is that there really isn’t one right answer. It depends on what you want to do. In the following sections, I describe some general guidelines for specific areas of overlap.

Controlling Device Installation

Through policy settings, you can control device installation and enforce specific restrictions. The goal is to prevent users from installing specific types of hardware devices. You can specify that certain approved devices can be installed (according to the hardware ID of the device). You can also prevent installation of specific disapproved devices (again according to the hardware ID of the device). These policy settings only apply to Windows Vista or later and are found under Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions.

While restrictions block the installation of a new device or prevent a device from being plugged back in after it has been unplugged, they don’t prevent existing devices from being used. Why? The device drivers are already installed and the devices are already available, and because the device or driver isn’t rechecked, it continues to work.

Using policy preferences, you can disable device classes, individual devices, port classes, and individual ports, but you cannot prevent a driver from loading. You disable devices by selecting a device class or device already installed on your management computer. You disable ports by selecting a port class or specific port already in use on your management computer. The related preferences are found under Computer | User Configuration\Preferences\Control Panel Settings\Devices.

While you can disable devices and ports using preferences, this doesn’t prevent device drivers from installing. It also doesn’t prevent a user with appropriate rights from enabling ports or devices in Device Manager. However, as Group Policy by default refreshes policy preferences using the same refresh interval as for policy settings, the preference would be reapplied during the next refresh interval. Therefore, unless you specifically elect to apply the preference once and not reapply it, the preference would be reapplied every 90 to 120 minutes.

Given how these technologies work, the best solution for your environment may depend on your goal. If you want to completely lock things down and prevent specific devices from being installed and used, you may want to use both policy settings and policy preferences to do the job. Policy settings could prevent specific devices from being installed, providing they weren’t already installed. Policy preferences could disable devices already installed, providing that you’ve already installed the device on your management computer so it can be selected.

As a final thought, it is important to point out that the related policy settings apply only to Windows Vista or later, while the related policy preferences apply to any computer on which the client-side extensions for Group Policy Preferences are installed.

Controlling Files and Folders

Through policy settings, you can specify security permissions for files and folders. The goal is to establish specific access control lists (ACLs) for important files and folders. However, the files and folders must already exist on the target computers so that the ACLs can be applied. These policy settings apply to any computer that supports Group Policy and are found under Computer Configuration\Policies\Windows Settings\Security Settings\File System.

Using policy preferences, you can manage files and folders. Preferences for files work differently than preferences for folders. With files, you can create, update, or replace a file on a target computer by copying it from a source computer. You can also delete a file on a target computer. With folders, you can create, update, replace, or delete a folder in a specific location on a target computer. You can also specify whether to delete existing files and subfolders during the create, update, replace, or delete operation.

File and folder preferences apply to any computer on which the client-side extensions for Group Policy Preferences are installed. For files, the related preferences are found under Computer | User Configuration\Preferences\Windows Settings\Files. For folders, the related preferences are found under Computer | User Configuration\Preferences\Windows Settings\Folders.

Here, using policy settings and preferences together gives you the best of both worlds. Through preferences you have an easy way to copy files from a source computer to target computers and to manage folders. Through settings you have an easy way to apply desired security settings. Additionally, with files and folders, you might want to apply preferences only once and not reapply them. Otherwise, the create, update, replace, or delete operations will be reapplied during Group Policy refresh.
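How the four preference actions behave across two Group Policy refreshes when a user edits the item in between, with and without the apply-once option. This is an added model, not code from the book: the drive map, share paths and property names are constructed, and Update is assumed to touch only the properties the preference item defines. The same reasoning applies to file, folder and registry items.

```python
def apply_item(state, item):
    """Apply one preference item to `state` (item name -> dict of properties)."""
    name, props, action = item["name"], item["props"], item["action"]
    if action == "Create":
        # Creates the item only if it does not already exist.
        if name not in state:
            state[name] = dict(props)
    elif action == "Replace":
        # Deletes the item if it exists, then creates it from scratch.
        state.pop(name, None)
        state[name] = dict(props)
    elif action == "Update":
        # Modifies the item if it exists, otherwise creates it.
        # Assumption: properties the item does not define are left alone.
        state.setdefault(name, {}).update(props)
    elif action == "Delete":
        state.pop(name, None)
    else:
        raise ValueError(f"unknown action: {action}")


def refresh(state, items, applied_once):
    """One Group Policy refresh. `applied_once` remembers apply-once items."""
    for item in items:
        if item.get("apply_once"):
            if item["id"] in applied_once:
                continue              # already applied, never reapplied
            applied_once.add(item["id"])
        apply_item(state, item)


def simulate(action, apply_once=False):
    """Refresh, let the user change the drive map, refresh again."""
    item = {
        "id": "drive-Z",              # constructed identifier
        "name": "Z:",
        "action": action,
        "apply_once": apply_once,
        "props": {"path": r"\\fs01\projects"},   # constructed share
    }
    state, applied_once = {}, set()
    refresh(state, [item], applied_once)
    # The user remaps the drive and adds a label between refreshes.
    state["Z:"] = {"path": r"\\laptop\share", "label": "mine"}
    refresh(state, [item], applied_once)
    return state


if __name__ == "__main__":
    for action in ("Create", "Replace", "Update", "Delete"):
        for once in (False, True):
            print(f"{action:8} apply_once={once!s:5} -> {simulate(action, once)}")
```
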

Controlling Internet Explorer

Group Policy offers a wide array of settings and preferences for Internet Explorer. There are so many options that even a few experts are confused as to what does what. The key things to focus on are the following:

  • Policy settings under Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer are primarily meant to control Internet Explorer behavior. These settings configure browser security enhancements and help to lock down Internet security zones.

  • Policy settings under User Configuration\Policies\Windows Settings\Internet Explorer Maintenance are used to specify important URLs, such as those for home pages, search, support, favorites, and links. These settings are also used to customize the browser interface by adding custom logos, titles, and buttons to Internet Explorer and to establish default programs, proxies, and more.

  • Preference settings under User Configuration\Preferences\Control Panel Settings\Internet Settings allow you to configure any of the options available in the Internet Options utility in Control Panel (which essentially includes every user-configurable option).

Because policy settings are managed and policy preferences are unmanaged, you can use policy settings when you want to enforce specific settings for Internet Explorer. Although you can configure Internet Explorer with preferences, the preferences are not enforced and users can change settings. That said, if you apply the preferences so that they are refreshed automatically as part of normal Group Policy refreshes, settings users change may be overwritten by your preferences.

When you want to customize the interface, the settings under Internet Explorer Maintenance are the ones you’ll use. These settings allow you to configure home page URLs, search URLs, support URLs, favorites, and links. They also allow you to add custom logos, titles, and buttons.

Controlling Power Options

When you want to control power management settings, the choice between policy settings and policy preferences is easy. You use policy settings for Windows Vista or later and policy preferences for Windows XP.

Policy settings for Windows Vista or later are found under Computer | User Configuration\Policies\Administrative Templates\System\Power Management.

Policy preferences for Windows XP are located in Computer | User Configuration\Preferences\Control Panel Settings\Power Options.

Controlling Printers

With policy settings, you can deploy printers to computers running any version of Windows that supports Group Policy. This technology establishes a connection to an existing shared printer.

To deploy printers to computers running Windows Vista or later, you can use policy settings under User Configuration\Policies\Windows Settings\Deployed Printers. To deploy printers to computers running earlier versions of Windows, you can push a printer connection to the computer using PushPrinterConnection.exe as a logon or startup script.

With policy preferences, you can map and configure printers. These preferences include options for configuring local printers as well as for mapping both TCP/IP and shared network printers. These policy preferences apply to any computer on which the client-side extensions for Group Policy Preferences are installed.

As printer preferences are much more versatile than printer settings, you’ll probably want to use preferences to deploy printers. That said, if you’ve already configured printers to be deployed using policy settings, you don’t need to switch to policy preferences and redeploy the printers.

Controlling Registry Keys and Values

Through policy settings, you can specify security permissions for registry keys. The goal is to establish specific access control lists (ACLs) for important registry keys. However, the registry keys must already exist on the target computers so that the ACLs can be applied. These policy settings apply to any computer that supports Group Policy and are found under Computer Configuration\Policies\Windows Settings\Security Settings\Registry.

Using policy preferences, you can create, update, replace, or delete registry keys. The related preferences are found under Computer | User Configuration\Preferences\Windows Settings\Registry. Although you can modify just about any registry key, it is contradictory to widely manage registry values through preferences. Why? Policy settings defined within the administrative templates set registry values for you so that you don’t have to modify the registry directly. You can install additional administrative templates to manage the registry settings of other applications. If administrative templates aren’t available for a particular application, you can create your own custom administrative template to manage the registry settings for the application.

Because of the conflicting goals, I recommend using policy preferences to manage individual registry keys and only in a limited number of situations. When you need to work with multiple or many registry keys, you should use preexisting administrative templates or consider creating your own custom administrative templates. Additionally, with registry keys, you might want to apply preferences only once and not reapply them. Otherwise, the create, update, replace, or delete operation will be reapplied during Group Policy refresh.

Controlling the Start Menu

When it comes to the Start menu, there is a lot of overlap between what you can configure with policy settings and what you can configure with policy preferences. With this in mind, you use policy settings and policy preferences to work with the Start menu in very different ways.

Through policy settings, you can control the options available on the Start menu and define the behavior of various Start menu options. With over 70 settings to choose from under User Configuration\Policies\Administrative Templates\Start Menu And Taskbar, there are many possibilities. You can specify that you want to clear the history of recently opened documents when a user logs off or that drag and drop is disabled on the Start menu. You can lock the taskbar, remove system tray icons, and turn off notifications.

Policy preferences for working with the Start menu are located in User Configuration\Preferences\Control Panel Settings\Start Menu. With policy preferences, you manage the options and behavior of the Start menu as if you were using the Start Menu Properties dialog box. You can configure both the standard Start menu and the classic Start menu. There are, however, no options for configuring the taskbar.

Controlling System Services

When you want to control system services, the choice between policy settings and policy preferences is easy. You can use policy settings to:

  • Configure the service startup mode

  • Specify the access permissions for services (which control who can start, stop, and pause the service)

Policy settings for services are located under Computer Configuration\Policies\Windows Settings\Security Settings\System Services.

You can use policy preferences to:

  • Configure the service startup mode

  • Configure a service action that can be used to start a stopped service, stop a started service, or stop and restart a service

  • Specify the account under which the service runs and set the password for this account

  • Specify recovery actions that determine how the service responds to failure

Policy preferences for services are located under Computer Configuration\Preferences\Control Panel Settings\Services.

Because policy settings are managed and policy preferences are unmanaged, you can use policy settings when you want to enforce specific startup modes and access permissions. Although you can configure services with preferences, the preferences are not enforced and users can change settings. If you apply the preferences so that they are refreshed, settings users change may be overwritten by your preferences.

Controlling Users and Groups

When you want to control users and groups, the choice between policy settings and policy preferences is easy. You use policy settings when you want to restrict the membership of either a group defined in Active Directory or a group on the local computer. You do this by specifying the members of the group and the groups of which the group is a member. The related policy settings are found in Computer | User Configuration\Policies\Windows Settings\Security Settings\Restricted Groups.

You use policy preferences to create, replace, update, or delete users and groups on the local computer. With local user accounts, you can also:

  • Rename existing user accounts

  • Set user account passwords

  • Set status flags for user accounts

Status flags can be used to require users to change passwords at next logon, disable the account, or set an expiration date.

With local groups, you can also:

  • Rename existing groups

  • Add or remove the current user as a member

  • Delete member users, member groups, or both

Policy preferences for local users and groups are located under Computer | User Configuration\Preferences\Control Panel Settings\Local Users And Groups.