Planning Domain Group Policy Objects
Group Policy Objects (GPOs) can be used to perform many functions across a diverse or standard computer and network infrastructure built on Microsoft Windows and Active Directory Domain Services. Considering how to best utilize group policies to manage any one particular environment and deciding on which GPO settings to leverage can be a lengthy process. To simplify this process and to keep from rethinking GPO usage each time, a base set of GPOs should be created and stored as starter GPOs.
A starter GPO is a feature of the Group Policy infrastructure that first became available with the release of the Windows Server 2008 Group Policy Management Console. A starter GPO can contain a set of Group Policy administrative template settings that have been preconfigured or defined to meet an organization's security and/or configuration requirements. When a new GPO is created, a starter GPO can be leveraged to prepopulate the defined settings into the new GPO. The benefit is that each time a GPO is needed, it does not have to be created from scratch and the administrator does not need to search for each of the settings that are necessary to meet the specific objective of the new GPO. Windows Server 2008 R2 provides several starter GPOs for Windows XP and Windows Vista systems that have been created to provide preconfigured security settings to meet the best-practice recommendations outlined in the Windows Vista and Windows XP security guides. The remainder of this section outlines common scenarios for GPO usage to assist administrators with the planning, deployment, and configuration of GPOs across an organization's Active Directory infrastructure.
Policies and Preferences
Windows 2008 Group Policy introduced a brand-new set of configurable settings known as Preferences. Group Policy Objects are now organized into Policy settings and Preference settings. Preferences provide many of the features that the Group Policy infrastructure was lacking in previous versions, and preferences also provide many functions that were commonly handled with complex logon and startup scripts, with Registry file import tasks, and by administrators configuring the default user profile on workstations and servers. Many preference settings, such as Registry keys and Drive Maps, would have previously been applied with scripts that required the workstation to be logged on to or started up on the internal network. With preference settings in domain group policies, these settings can now be applied during the Group Policy refresh interval, which can greatly increase the successful application of these types of settings.
Policy settings and Preference settings have different characteristics. Policy settings are enforced and all users are commonly restricted from changing any configured policy setting. If a policy setting contains a graphic interface, when configured, the setting is normally grayed out to the end user. Policy settings such as software installations and computer or user scripts are only processed during computer startup or shutdown and user logon and logoff cycles.
Preference settings are applied to computers and users the same as policy settings: during startup, shutdown, and refresh cycles for computers and logon, logoff, and refresh cycles for users. Preference settings, however, are configured but not enforced. As an example of this, using a user printer preference, a printer can be installed in a user profile and set to be the default printer, but the end user will still retain the ability to define a different default printer if necessary. Preference settings are applied during refresh intervals, but certain settings, such as creating Registry keys and values, might require a computer reboot or user logoff/logon cycle to actually apply the new setting. One important point to note is that the domain group policy preferences are supported on Windows 7, Windows Server 2008, and Windows Server 2008 R2, but Windows XP, Windows Server 2003, and Windows Vista all need an update to support preference settings.
Preference settings are all different, but they share common administrative functionality. Each preference setting is presented in a graphic interface similar to, if not exactly the same as, what the end user can see and access within the user profile. This is one distinction between preference and policy settings, as most policy settings are enabled, disabled, or not configured, whereas a preference setting can contain several configuration features. Furthermore, each preference setting can have multiple items defined within it, each with a separate configuration value. As an example, a Drive Map preference can have a setting item of a mapped drive P and a mapped drive U defined within the single domain group policy preference setting.
In addition to the specific setting options that are unique to each preference, such as the drive letter designation for a Drive Map or a folder path to a Network Share preference, each setting also contains a set of common options and many also include a preference action.
Preference Actions
Many preference settings contain an option called the preference action, which determines how the preference setting will be applied to a user or computer. The most common preference actions include the Create, Replace, Update, and Delete actions:
- Create: The Create action creates or configures the preference setting if the setting does not already exist. If the setting already exists, no action is taken.
- Replace: The Replace action deletes and recreates the setting on the computer or within the user profile.
- Update: The Update action creates the setting if it does not exist, but if the setting already exists, part or all of the setting configurations are updated to match the preference setting. Update is the default action and is less intrusive than the Replace action. It can be used to ensure that the setting is configured as desired, but processing speed will be optimized because if the setting already matches it will be skipped.
- Delete: The Delete action simply deletes the preference setting from the computer or user profile. For example, a Delete action can remove a mapped drive, delete a Registry key, or delete a printer from a computer or a user profile.
Preference Common Options
Each preference setting contains a common tab that contains several options that can be enabled for the particular setting. Common options include the ability to process the setting only once, which is great for setting default configurations for new user profiles or a new preference setting on existing domain group policies.
Item-Level Targeting
One of the most functional preference common options is the item-level targeting option. Item-level targeting allows administrators to define the scope of application for a particular preference setting item such as a Drive Map. So with item-level targeting an administrator can create a single domain group policy and have a single Drive Map preference defined that will apply different preference setting items to subsets of computers or users based on the specifications of the item-level target. For example, a Drive Map preference that defined the G drive for groups can be configured to map \\server10\Sales to members of the domain security group named sales, based on the item-level targeting option configuration settings. The same preference can also define the G drive to \\server10\HR for members of the domain Human Resources group based on a different configuration for item-level targeting.
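The G drive scenario above, combined with the Create, Replace, Update, and Delete actions from the Preference Actions list, as an added PowerShell example that is not part of the original tutorial: it reads a constructed Drive Map definition and reports each item's action and item-level target. The XML layout and attribute names, the single-letter action codes, the EXAMPLE domain, the SIDs, the \\server10\Groups path, and the Get-DriveMapItem function are assumptions made for illustration.

```powershell
# Constructed sample in the layout the Drive Maps extension stores (assumed attribute
# names; EXAMPLE domain, SIDs and \\server10\Groups are placeholders).
$drivesXml = [xml]@'
<Drives>
  <Drive name="G:">
    <Properties action="U" letter="G" path="\\server10\Sales"/>
    <Filters><FilterGroup bool="AND" not="0" name="EXAMPLE\sales" sid="S-1-5-21-0-0-0-1001"/></Filters>
  </Drive>
  <Drive name="G:">
    <Properties action="U" letter="G" path="\\server10\HR"/>
    <Filters><FilterGroup bool="AND" not="0" name="EXAMPLE\Human Resources" sid="S-1-5-21-0-0-0-1002"/></Filters>
  </Drive>
  <Drive name="G:">
    <Properties action="C" letter="G" path="\\server10\Groups"/>
  </Drive>
</Drives>
'@

# Assumed single-letter codes for the four preference actions.
$actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

function Get-DriveMapItem {
    param([Parameter(Mandatory)][xml]$Xml)
    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $props = $drive.SelectSingleNode('Properties')
        if (-not $props) { continue }                 # skip malformed items
        $code = $props.GetAttribute('action')
        if (-not $code) { $code = 'U' }               # Update is the default action
        $groups = @($drive.SelectNodes('Filters/FilterGroup') | ForEach-Object {
            $prefix = if ($_.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
            $prefix + $_.GetAttribute('name')
        })
        [pscustomobject]@{
            Letter  = $props.GetAttribute('letter')
            Path    = $props.GetAttribute('path')
            Action  = $actionNames[$code]
            Targets = if ($groups.Count) { $groups -join ', ' } else { '(untargeted)' }
        }
    }
}

$items = Get-DriveMapItem -Xml $drivesXml
$items | Format-Table -AutoSize

# An item with no item-level target applies to every user in the GPO's scope, so it
# overlaps any targeted item that defines the same drive letter.
$items | Group-Object Letter |
    Where-Object { $_.Count -gt 1 -and $_.Group.Targets -contains '(untargeted)' } |
    ForEach-Object { Write-Warning "Drive $($_.Name): untargeted item overlaps targeted items" }
```

The third G item in the sample is deliberately left without a target so that the overlap check has something to report.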