What's New in Group Policy

Preferences vs. Policy Settings

Windows Server 2008 includes the new Group Policy preferences built-in to the Group Policy Management Console (GPMC). Additionally, administrators can configure preferences by installing the Remote Server Administration Tools (RSAT) on a computer running Windows Vista Service Pack 1 (SP1) and Windows 7.

In contrast to Group Policy settings, Group Policy does not strictly enforce preferences. Group Policy does not store preferences in the Policy branches of the registry. Instead, it writes preferences to the same locations in the registry that the application or operating system feature uses to store the setting. The implication of this is twofold.

• Group Policy preferences support applications and operating system features that arent Group Policy-aware.
• Group Policy preferences do not cause the application or operating system feature to disable the user interface for the settings they configure. The result is that after deploying preferences using Group Policy, users can still change those settings. Additionally, Group Policy refreshes preferences using the same interval as Group Policy settings by default. However, you can prevent Group Policy from refreshing individual preferences by choosing to apply them only once. This configures the preference one time and allows the user to change it permanently.

Group Policy preferences support item-level targetingyou can target individual preference items within a GPO. For example, a single GPO can contain two preference items, both of which configure power policies. You can target the first preference item at desktop PCs and the second at mobile PCs.

Benefits of Group Policy Preferences

Improving IT Productivity

Group Policy preferences extends the Group Policy feature set with over 20 new extensions, helping you get more done with tools that are already very familiar to you. It also enables you to configure and deploy settings at a central source, rather than repackaging and redeploying the settings when you update configurations. You simply edit the GPO that contains the preference items you want to update. Preferences provide a central location from which you can completely manage user and computer configurations.

Reducing Need for Logon Scripts

Although Group Policy preferences might not eliminate the need for logon scripts, it significantly reduces their need. The most common tasks performed by logon scripts are installing printers, mapping network drives, configuring registry settings, and copying files and folders. Often, these tasks require complex scripting, testing, and debugging.

Limiting Configuration Errors

Configuration errors during and after deployment are often a significant source of support calls and escalations that lead to higher deployment costs. Group Policy preferences significantly help reduce these costs. First, preferences allow you to configure items with a higher level of precision than other tools. For example, you can configure a single Internet Explorer option without touching other settings. Other deployment methods often change more options than you intend. Second, you can configure items without knowing their detailswhere to find them in the registry or what they represent. Instead, Group Policy preferences collects preference items using clear, familiar, easy-to-use dialog boxes that prevent you from needing to know how Windows stores the value in the registry. You can configure a Start menu setting by selecting an option in a preference item instead of having to know what value to store in the registry and where to store it. And, Group Policy preferences all but eliminate the need to use default user profiles to deploy settings. Often you deploy far more with a default user profile than you need to deploy, and this can lead to unreliable configurations.

Enhancing End-User Satisfaction

More consistent, reliable configurations make users happy by maintaining or even increasing their productivity. Additionally, using Group Policy preferences to configure users and computers, you can make using Standard user accounts more palatable to users. Group Policy preferences use the local System account by default, enabling it to configure settings that users cant configure. By configuring these settings on behalf of users, you can often avoid the issue altogetherwhich is proactive IT.

Minimizing Image Maintenance

Using Group Policy preferences with a thin-image strategy, you can significantly reduce the time and cost of maintaining disk images. Instead of updating images to reflect configuration changes, you can deploy a generic image and then update Group Policy preferences. This approach reduces engineering and testing time and costs significantly.

Reducing Overall Image Count

Group Policy preferences, in combination with a thin-image strategy, helps you reduce the number of disk images you must develop and maintain. If you build thick images, you often create unique images for different groups of users in the organization. Instead, you can build and deploy a generic image for each group, and then configure users and computers uniquely by targeting preference items.

Starter GPO

Starter Group Policy objects derive from a Group Policy object (GPO), and provide the ability to store a collection of Administrative Template policy settings in a single object. You can import and export Starter GPOs, which makes them easy to distribute to other environments. When you create a new GPO from a Starter GPO, the new GPO has all of the Administrative Template policy settings and their values that were defined in the Starter GPO. With R2 you get selection of starter groups for client computers in different environments.

Before beginning this exercise take some time to review the Using your Practice-Lab section of the website.

In this tutorial you will be introduced to you to Windows Server 2008 R2 group policy management. Follow the exercise below to get some hands on understanding of this technology and view Microsoft Technet to gain some additional information.

Overview

In This Exercise you will create a drive mapping using GPO preferences. The Drive Maps preference extension provides the ability to create, replace, update, and delete network drive mappings. This extension enables you to map network drives without writing logon scripts. Additionally, mapped network drives deployed using the Drive Maps preference extension work more consistently than those deployed using logon scripts.

Step 1 From the Practice-Labs application start and launch access to the Domain Controller device.

Click Start , from the Run menu or search bar type gpmc.msc and the Group Policy Management Console snap in should appear.

Step 2

Expand Forest: PRACTICELABS.COM expand Domains , then expand the domain Practicelabs.com , then click on group policy objects .Right click this and choose new .

Give the new policy the name Mapped Drive and click OK .

Right click the new policy and select Edit

Expand User Configuration , then Preferences and Windows Settings .

Select Drive Maps and right click then choose New Mapped Drive .

On the General Tab in the action pane choose Create .

In the Location textbox type the unc path \\plabdm01\shared_data

( Note : The share will be created later in this exercise on the Domain Server Practice-Lab device)

Choose a drive letter i.e. Z:

Choose the Common tab. You need to tick the Item-level targeting checkbox to enable the button. Once you open Targeting , click new item and then select Security Group .

When the new dialog window appears, click the button next to the Group textbox in the bottom panel.

Type in the security group Domain Admins and then click Check Names , then press OK

Click OK to confirm and you will be taken back to the new drive properties dialog.

Click OK

Close the editor and link the GPO Mapped Drive to the domain.

Step 3

To link the GPO by right the PRACTICE.LABS domain and right click.

Then select link GPO from the menu.

Select the Mapped Drive group policy object and click OK.

Testing the configuration

Step 1 From the Practice-Labs application start and launch access to the Domain Server device.

Open Windows Explorer to confirm that the drive has been mapped.

You can deploy multiple Drive Maps preference items within a single GPO. You can also target individual Drive Maps preference items to specific departments, locations, and so on. Using Group Policy preferences to deploy mapped network drives provides just as much flexibility as scripting but with less work and with fewer problems.

Summary

Think about the configurations you could use in a single GPO with item-level targeting on different settings defined Create multiple GPP mapped drives in one GPO and have them apply based on Group membership (easier than scripting!).

Have different GPP applied to targets depending on what time it is (working hours vs. non-working hours!). Create and deploy different printers/shortcuts/files depending on the users site or IP address. Apply GPP on a given date in a certain time range. Copy files based on the users language. Its very useful and saves a lot of work.

Learn more about this and similar topics

If you are interested in more topics like the above have a look at the topics in our Windows Server 2008 Practice-Labs courses:

• Microsoft 70-640 - Windows Server 2008 Active Directory Configuration
• Microsoft 70-642 - Windows Server 2008 Network Infrastructure Configuration
• Microsoft 70-643 - Windows Server 2008 Applications Infrastructure Configuration
• Microsoft 70-646 - Windows Server 2008, Server Administrator
• Microsoft 70-647 - Windows Server 2008, Enterprise Administrator

Alternatively look at purchasing access to our Practice-Lab library that covers all of our supported technologies.

If you wish to comment on this Practice-Lab send an email to Support@Practice-IT.co.uk with your feedback.