New Windows 2008 / 2008 R2 Group Policy Preferences

I found that it is very important to know what is new in Windows 2008 and Windows 2008 R2 Group Policy Preferences. That is why I shared this information, which I collected from Microsoft documentation.

With the release of Windows Server 2008, additional GPO functionality has been included in the operating system for the configuration and management of Group Policy Preferences. These preferences apply to Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. If Group Policy Preferences are to be used on an operating system earlier than Windows Vista SP1 or Windows Server 2008, the Client Side Extension must be downloaded and installed before the client can process the preferences.

Group Policy Preferences (GPP) apply settings to a computer while still allowing the local user to change those settings at a later date. GPP were also designed to replace the more complex tasks of drive mapping and environment variable setup without the need for complex logon scripts. An additional feature, “item-level targeting”, lets you set very granular filters on individual preference items within a GPO; note that this is available only for GPP options. There are 27 filter criteria that can be used to control each individual item. For example, a generic GPO for a given OU might carry some tightly controlled settings in the normal policy, while additional options are targeted at specific computers so that further configuration can take place.

The configurable features in GPP are directed at users and computers. Some apply to both, while others apply to only one type:

· Environment – The environment extension is per-computer and per-user and lets you configure both system and user environment variables (e.g. %temp%) on a given target system. Note that, as with all GPP settings, you can choose different actions for this extension: you can create a new environment variable, update or replace an existing one, or delete an existing one.

· Files – Both a per-computer and per-user extension that lets you distribute files to your end users or their computers. For example, you might use this to distribute shortcuts to your users’ desktops, distribute data files required for a local desktop application, or even delete temporary files that applications create in a specific location.

· Folders – Both a per-computer and per-user extension that lets you create, update and delete folder structures on target systems or for target users. For example, you might use this setting to delete temporary folders that get created on computers.

· INI Files – Both a per-computer and per-user extension that lets you create, delete or update values within text-based INI files.

· Registry – Both a per-computer and per-user extension. This extension is powerful in that you can create, delete and update registry keys and values on target systems. Because it lets you push registry values to computers and users through a GUI, and because it supports all the different value types in the registry, this extension effectively eliminates the need to create custom ADM files for pushing out registry modifications through Administrative Template policy.

· Network Shares – A per-computer extension only. This extension lets you create, delete and update shares on any target computer, whether desktop or server. In addition, the extension lets you set a user limit on the share.

· Shortcuts – This is both a per-computer and per-user extension that lets you create and distribute shortcuts to computers and users. You can manage shortcuts to file systems, web URLs and Windows shell objects (e.g. My Computer). This extension does not copy .lnk files around, but rather creates shortcuts on the fly that meet your specifications. You can specify all of the normal parameters of a shortcut, including the “Start in” field, the icon that appears with the shortcut and any arguments for the target that the shortcut executes.

· Drive Maps – This is a per-user extension that lets you control drive mappings for end users. You can create, delete and update drive mappings to UNC paths and can control which drive letter is mapped (or use next available). You can also choose to hide or show the particular drive letter to the user. This option could be utilized to help remove the need for logon scripts.

· Data Sources – This is a per-computer and per-user extension that lets you manage system or user ODBC data sources used by applications that leverage databases. This extension lets you choose the ODBC driver type, and provide credentials for the connection to the database, which are stored encrypted within the GPO.

· Devices – This is a per-computer and per-user extension that lets you allow or deny use of devices based on the device class. For example, you could use this extension to deny the use of all thumb drives or all CD burners. Better configuration options are available in the Group Policy Object itself when working against Windows Vista clients.

· Folder Options – This is a per-computer and per-user extension that lets you set file extension associations. For example, you can use this extension to associate all .log files with a particular text reader.

· Local Users and Groups – This is both a per-computer and per-user extension that provides a variety of controls over local user and group accounts. You can create, update, replace or delete user and group accounts on local computers. You can also update the password for accounts local to the computer.

· Network Options – This per-computer and per-user extension lets you manage VPN and Dial-up Networking (DUN) connections on your systems. For example, you can centrally create a VPN client configuration for all of your corporate users that require VPN-based remote access, and if something changes in your VPN configuration, you can easily update those connections using this feature.

· Power Options – This per-computer and per-user extension lets you configure power management settings on XP/2003 systems. New to Windows Server 2008 R2 are the additional Power Plans for Windows Vista and later clients. By using this feature, you can create a default configuration that users can later change as necessary.

· Printers – This per-computer and per-user extension lets you manage printer mappings. You can use it to install Shared, TCP/IP or Local printers. Shared printers are per-user only. You can use this extension along with item-level targeting to map printers based on criteria such as user groups or IP address ranges. The Windows Vista GPO provides native support for deploying printers; however, it only supports shared printers and requires AD schema extensions. In contrast, the Printer extension supports shared, local and TCP/IP printers.

· Services – This is a per-computer extension that lets you control service configuration. While this extension is somewhat redundant to the existing Group Policy security setting that lets you configure service start-up type and security, the GPP version of this feature gives you more control. While you can’t configure service security using this extension, you can configure elements of a service such as the account that it uses to log on to the system (along with password changes to those service accounts) as well as the recovery behavior of the service (e.g. restart after failure or run an external program when the service fails). In addition, this extension can perform actions on the service (like stopping and starting it) when the policy is processed.

· Internet Settings – This per-user extension provides additional control over IE 5, 6, 7 and 8 configurations. Although GP already provides both IE Maintenance policy and Administrative Templates settings for controlling IE security and behavior, this GPP extension provides some additional control that these two earlier policy areas do not, such as the ability to configure all of the options on IE’s Tools, Internet Options, Advanced tab as well as more common aspects such as the Connections tab, home page and the size of Temporary Internet Files and browser history.

· Regional Options – This per-user extension provides the ability to control the options available in the Control Panel, Regional Settings applet, such as default user locale, how numbers, currency, date and time are displayed, and the user’s default country location.

· Start Menu – This per-user extension lets you control the configuration of the Start Menu and its various options. From here you can enable or disable items that should appear on the Start Menu, set the size of Start Menu icons and how many programs appear, as well as customizing “Classic Start Menu” behavior. Note that this extension supports Windows XP, Windows Vista and Windows 7.

· Scheduled Tasks – This per-computer and per-user extension lets you create scheduled tasks to execute applications at particular times. It also supports something called an immediate task, which executes as soon as Group Policy processes this setting. New to Windows Server 2008 R2 are additional options to define scheduled tasks and immediate tasks for Windows Vista and later.
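
The passwords that the Data Sources, Local Users and Groups and Services items describe above are written to a `cpassword` attribute in the preference XML under SYSVOL, which every domain user can read and whose encryption key Microsoft documented publicly, so any stored value should be treated as exposed. The following audit is an added example, not code from the original post or from Microsoft: it lists which preference items still carry a stored password without returning the value. The sample XML, function names and the offline-copy path are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP item files whose <Properties> element can carry a cpassword attribute.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
# The account attribute is named differently per item type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

# Constructed sample shaped like a Groups.xml item; cpassword is a placeholder.
SAMPLE = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2012-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER"/>
  </User>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>"""

def find_cpasswords(xml_data, source="<inline>"):
    """Report items with a non-empty cpassword; the value itself is never returned."""
    findings = []
    for item in ET.fromstring(xml_data).iter():
        props = item.find("Properties")
        if props is None or not props.get("cpassword"):
            continue
        account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "")
        findings.append({"file": source, "item": item.tag, "name": item.get("name", ""),
                         "account": account, "changed": item.get("changed", "")})
    return findings

def scan_policies(policies_dir):
    """Walk a Policies folder (or an offline copy of it) and audit every GPP file."""
    findings = []
    for path in Path(policies_dir).rglob("*"):
        if not path.is_file() or path.name.lower() not in GPP_FILES:
            continue
        try:
            findings += find_cpasswords(path.read_bytes(), str(path))
        except ET.ParseError:  # flag damaged files for manual review
            findings.append(dict(file=str(path), item="UNPARSEABLE", name="", account="", changed=""))
    return findings

if __name__ == "__main__":
    hits = scan_policies(sys.argv[1]) if len(sys.argv) > 1 else find_cpasswords(SAMPLE)
    for f in hits:
        print(f"{f['file']}: {f['item']} {f['name']!r} account={f['account']!r} changed={f['changed']}")
```

Any hit means the account's password should be rotated and the preference item removed from the GPO, since deleting the attribute alone does not invalidate a password that was already readable.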

