Chapter 4. Automating Windows 8.1 configuration

Group Policy is a collection of preferences and settings that can be applied to user and computer configurations. Group Policy simplifies administration of common and repetitive tasks as well as tasks that are difficult to implement manually but can be automated. Group Policy is represented logically as an object called a Group Policy Object (GPO). Each GPO is a collection of policy settings and preferences.

Group Policy preferences, which are the focus of this chapter, enable you to automatically configure, deploy, and manage operating system and application settings, including settings for data sources, mapped drives, environment variables, network shares, folder options, and shortcuts. When you are deploying and setting up computers, you’ll find that working with Group Policy preferences is easier than configuring the same settings manually on each computer, in Windows images, or through scripts used for startup, logon, shutdown, and logoff.

In this chapter, I introduce essential tasks for understanding and managing Group Policy preferences. In upcoming chapters, I’ll show you how to put individual policy preferences to work to automate the configuration of your computers running Windows, whether you work in a small, medium, or large enterprise.

Understanding Group Policy preferences

You configure preferences in Active Directory–based Group Policy. Local Group Policy does not have preferences.

Accessing Group Policy in Active Directory

With Active Directory, each site, domain, and organizational unit (OU) can have one or more Group Policy Objects associated with it. You view and edit GPOs in the Group Policy Management Console (GPMC). On Windows-based servers, the GPMC is available as part of the standard installation. On Windows-based desktops, the GPMC is not available by default but is included in the Remote Server Administration Tools (RSAT), which can be installed on Windows-based desktops.

You can download the RSAT for Windows 8.1 by visiting the Microsoft Download Center (http://download.microsoft.com/). After you install the GPMC as part of the RSAT, you can run the GPMC from Server Manager. In Server Manager, select Tools, and then select Group Policy Management.

As shown in Figure 4-1, the left pane of the GPMC has two upper-level nodes by default: Group Policy Management (the console root) and Forest (a node representing the forest to which you are currently connected, which is named after the forest root domain for that forest). When you expand the Forest node, you find additional nodes, including:

  • Domains. Provides access to the policy settings for domains in the forest being administered. You are connected to your logon domain by default; however, you can add connections to other domains. If you expand a domain, you can access the Default Domain Policy GPO, the Domain Controllers OU (and the related Default Domain Controllers Policy GPO), and GPOs defined in the domain.

  • Organizational Units. Provides access to the policy settings for OUs in a related domain.

  • Sites. Provides access to the policy settings for sites in the related forest. Sites are hidden by default.

GPOs found in domain, OU, and site containers in the GPMC are actually GPO links and not GPOs themselves. The actual GPOs are found in the Group Policy Objects container of the selected domain. Notice also that the icons for GPO links have a small arrow at the bottom left, similar to shortcut icons. You can open a GPO for editing by pressing and holding or right-clicking it, and then selecting Edit.

Figure 4-1. Access GPOs for domains, OUs, and sites.

After you’ve selected a policy for editing or created a new policy, use the Group Policy Management Editor to work with the GPOs. As Figure 4-2 shows, the Group Policy Management Editor has two main nodes:

  • Computer Configuration. Enables you to set policies that should be applied to computers, regardless of who logs on

  • User Configuration. Enables you to set policies that should be applied to users, regardless of which computer they log on to

Note

Keep in mind that user configuration options set through local policy objects apply only to computers on which the options are configured. If you want the options to apply to all computers that the user might use, you must use domain, OU, or site policies.

Figure 4-2. When you’re editing a GPO in the Group Policy Management Editor, you can view and manage policy settings and preferences.

You will find separate Policies and Preferences nodes under Computer Configuration and User Configuration. When you are working with policy preferences, you use the Preferences node. The options available under a Preferences node depend on whether you are working with Computer Configuration or User Configuration.

Essentials for working with preferences

Group Policy does not strictly enforce policy preferences, nor does Group Policy store preferences in the policy-related branches of the registry. Instead, Group Policy writes preferences to the same locations in the registry that an application or operating system feature uses to store the related setting. This approach allows you to use preferences with applications and operating system features that aren’t Group Policy–aware.

Preferences do not disable application or operating system features in the user interface to prevent their use. Users can change settings that you’ve configured with policy preferences. However, preferences overwrite existing settings, and there is no way to recover the original settings.

As it does with policy settings, Group Policy refreshes preferences at a regular interval, which is every 90 to 120 minutes by default. This means that periodically the preferences you’ve configured will be reapplied to a user’s computer. Rather than allowing a refresh, you can prevent Group Policy from refreshing individual preferences by choosing to apply preferences only once.

The way you use policy preferences depends on whether you want to enforce the item you are configuring. To configure an item without enforcing it, use policy preferences, and then disable automatic refreshes. To configure an item and enforce the specified configuration, use policy settings or configure preferences, and then enable automatic refreshes.

Because preferences apply to both computer configuration and user configuration settings, you will find separate Preferences nodes under Computer Configuration and User Configuration. In both configuration areas, you’ll find two top-level subnodes:

  • Windows Settings. Used to manage general operating system and application preferences

  • Control Panel Settings. Used to manage Control Panel preferences

Table 4-1 provides an overview of the available preferences and where they are located within the configuration areas and the top-level subnodes.

Table 4-1. Configurable preferences in Group Policy

Preference Type                                           Location                Policy Configuration Area(s)
--------------------------------------------------------  ----------------------  ----------------------------
Applications | Application                                Windows Settings        User
Data Sources | Data Source                                Control Panel Settings  Computer and User
Data Sources | User Data Source                           Control Panel Settings  User
Devices | Device                                          Control Panel Settings  Computer and User
Drive Maps | Mapped Drive                                 Windows Settings        User
Environment | Environment Variable                        Windows Settings        Computer and User
Files | File                                              Windows Settings        Computer and User
Folder Options | Folder Options (at least Windows Vista)  Control Panel Settings  User
Folder Options | File Type                                Control Panel Settings  Computer
Folder Options | Open With                                Control Panel Settings  User
Folders | Folder                                          Windows Settings        Computer and User
Ini Files | Ini File                                      Windows Settings        Computer and User
Internet Settings | Windows Internet Explorer 8 and 9     Control Panel Settings  User
Internet Settings | Windows Internet Explorer 10          Control Panel Settings  User
Local Users And Groups | Local User                       Control Panel Settings  Computer and User
Local Users And Groups | Local Group                      Control Panel Settings  Computer and User
Network Options | Dial-Up Connection                      Control Panel Settings  Computer and User
Network Options | VPN Connection                          Control Panel Settings  Computer and User
Network Shares | Network Share                            Windows Settings        Computer
Power Options | Power Plan (at least Windows 7)           Control Panel Settings  Computer and User
Printers | Local Printer                                  Control Panel Settings  Computer and User
Printers | Shared Printer                                 Control Panel Settings  User
Printers | TCP/IP Printer                                 Control Panel Settings  Computer and User
Registry | Registry Item                                  Windows Settings        Computer and User
Registry | Collection Item                                Windows Settings        Computer and User
Registry | Registry Wizard                                Windows Settings        Computer and User
Regional Options                                          Control Panel Settings  User
Scheduled Tasks | Immediate Task (at least Windows 7)     Control Panel Settings  Computer and User
Scheduled Tasks | Scheduled Task (at least Windows 7)     Control Panel Settings  Computer and User
Services | Service                                        Control Panel Settings  Computer
Shortcuts | Shortcut                                      Windows Settings        Computer and User
Start Menu | Start Menu (at least Windows Vista)          Control Panel Settings  User

Configuring Group Policy preferences

Policy preferences are configured and managed differently from policy settings. You define preferences by specifying a management action, an editing state, or both.

Working with management actions

While you are viewing a particular preference area, you can use management actions to specify how the preference should be applied. Most preferences support the following management actions:

  • Create. Creates a preference item on a user’s computer. The preference item is created only if it does not already exist.

  • Replace. Deletes an existing preference item and then re-creates it, or creates a preference item if it doesn’t already exist. With most preferences, you have additional options that control exactly how the Replace operation works. Figure 4-3 shows an example.

    Figure 4-3. Options available when configuring preferences depend on the management action that is selected.
  • Update. Modifies designated settings in a preference item. This action differs from the Replace action in that it updates only settings defined within the preference item. All other settings remain the same. If a preference item does not exist, the Update action creates it.

  • Delete. Deletes a preference item from a user’s computer. With most preferences, you have additional options that control exactly how the Delete operation works. Often, the additional options will be the same as those available with the Replace operation.

The management action controls how the preference item is applied, or controls the removal of the item when it is no longer needed. Preferences that support management actions include those that configure the following:

  • Applications

  • Data sources

  • Drive maps

  • Environment

  • Files

  • Folders

  • Ini files

  • Local users and groups

  • Network options

  • Network shares

  • Printers

  • Registry items

  • Scheduled tasks

  • Shortcuts

Working with editing states

A small set of preferences support editing states, which present graphical user interfaces from Control Panel utilities. With this type of preference, the item is applied according to the editing state of each setting in the related interface. The editing state applied cannot be reversed, and no option is available to remove the editing state when it’s no longer applied.

Preferences that support editing states include those that configure the following:

  • Folder options

  • Internet settings

  • Power options

  • Regional options

  • Start menu settings

Note

Only standard folder options support editing states.

Because each version of an application and the Windows operating system can have a different user interface, the related options are tied to a specific version. For example, folder option preference items for Internet Explorer 8 and 9 are configured separately from preference items for Internet Explorer 10.

By default, when you are working with preferences that support editing states, every setting in the interface is processed by the client and applied, even if you don’t specifically set the related value. This effectively overwrites all existing settings applied through this interface.

The editing state of each related option is depicted graphically as follows:

  • A solid green line indicates that the setting will be delivered and processed on the client.

  • A dashed red line indicates that the setting will not be delivered or processed on the client.

When limited space on the interface prevents underlining, a green circle is displayed as the functional equivalent of the solid green line (meaning that the setting will be delivered and processed on the client), and a red circle is used as the functional equivalent of a dashed red line (meaning that the setting will not be delivered or processed on the client). Figure 4-4 and Figure 4-5 show examples of preference items that use editing states.

Figure 4-4. Note the editing state indicators.

You can use the following function keys to manage the editing state of options:

  • F5. Enables the processing of all settings on the selected tab. This is useful if you disabled processing of some settings and later decide that you want all settings on a tab to be processed.

  • F6. Enables the processing of the currently selected setting on the selected tab. This is useful if you disabled a setting and later decide you want the setting to be processed.

  • F7. Disables the processing of the currently selected setting on the selected tab. This is useful to prevent one setting from being processed on the client.

  • F8. Disables the processing of all settings on the selected tab. This is useful to prevent all settings on a tab from being processed on the client. It is also useful if you want only a few settings to be enabled.

Figure 4-5. Circles provide alternative editing state indicators.

Note

Keep in mind that the value associated with an option is separate from the editing state. Setting or clearing an option will not change the editing state.

Working with alternative actions and states

A few preferences support neither management actions nor editing states. Preferences of this type include those that configure devices, immediate tasks, and services.

With devices, as shown in Figure 4-6, you use the Action list to enable or disable a particular class and type of device. With immediate tasks, the related preference creates a task. The task runs and then is deleted automatically. With services, you use the related preference to configure an existing service.

Figure 4-6. Set the action to enable or disable the device.

Managing preference items

To view and work with preferences, you must open a Group Policy Object for editing in the Group Policy Management Editor, as discussed in Accessing Group Policy in Active Directory earlier in this chapter. Then you can manage preferences for either computers or users by using the following techniques:

  • If you want to configure preferences that should be applied to computers, regardless of who logs on, double-tap or double-click the Computer Configuration node, double-tap or double-click the Preferences node, and then select the preference area with which you want to work.

  • If you want to configure preferences that should be applied to users, regardless of which computer they log on to, double-tap or double-click the User Configuration node, double-tap or double-click the Preferences node, and then select the preference area with which you want to work.

Creating and managing a preference item

You manage preference items separately by selecting the preference area, and then working with the related preference items in the details pane. While you are viewing a particular preference area, you can create a related item by pressing and holding or right-clicking an open space in the details pane, pointing to New, and then selecting the type of item to create. Only items for the selected area are available. For example, if you are working with Printers under Computer Configuration, you have the option to create a TCP/IP Printer or Local Printer preference when you press and hold or right-click and point to New.

After you’ve created items for a preference area, you can press and hold or right-click an individual item to display a shortcut menu that allows you to manage the item, as shown in Figure 4-7.

Similar options are displayed on the toolbar when you select an item. In addition to pressing and holding or right-clicking an item and selecting Properties to display its Properties dialog box, you can double-tap or double-click a preference item to display its Properties dialog box. Then you can use the Properties dialog box to view or edit settings for the preference item.

On clients, the Group Policy client processes preference items according to their precedence order. The preference item with the lowest precedence (the one listed last) is processed first, followed by the preference item with the next lowest precedence, and so on until the preference item with the highest precedence (the one listed first) is processed.

Figure 4-7. Manage preference items by using the Group Policy Management Editor and the shortcut menu.

Processing occurs in precedence order to ensure that preference items with higher precedence have priority over preference items with lower precedence. If there is any conflict between the settings applied in preference items, the settings written last win. To change the precedence order, select a preference area in the console tree, and then tap or click the preference item that you want to work with in the details pane. You’ll then find additional options on the toolbar, which include:

  • Move The Selected Item Up

  • Move The Selected Item Down

To lower the precedence of the selected item, tap or click Move The Selected Item Down. To raise the precedence of the selected item, tap or click Move The Selected Item Up.
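
How the management actions interact with precedence order, as an added example (a simplified Python model of the rules stated in this chapter, not code from the book or from the Group Policy client). The `PreferenceItem` class, the drive-map settings, and the server names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PreferenceItem:
    name: str                     # what the item configures, e.g. a drive letter
    action: str                   # "Create", "Replace", "Update" or "Delete"
    settings: dict = field(default_factory=dict)

def apply_item(state, item):
    """Apply one item to `state`, a dict mapping item name -> settings."""
    if item.action == "Create":
        if item.name not in state:            # only if it does not already exist
            state[item.name] = dict(item.settings)
    elif item.action == "Replace":            # delete, then re-create
        state[item.name] = dict(item.settings)
    elif item.action == "Update":             # touch only the defined settings;
        state.setdefault(item.name, {}).update(item.settings)  # create if absent
    elif item.action == "Delete":
        state.pop(item.name, None)
    else:
        raise ValueError(f"unknown management action: {item.action!r}")

def process(items_as_listed, existing=None):
    """`items_as_listed` is in console order, highest precedence first.
    Items are applied last-listed first, so the first-listed item writes last."""
    state = {name: dict(cfg) for name, cfg in (existing or {}).items()}
    for item in reversed(items_as_listed):
        apply_item(state, item)
    return state

# Constructed sample: the user mapped S: by hand before any GPO applied.
EXISTING = {"S:": {"path": r"\\old\share", "label": "Old", "reconnect": True}}
SALES = {"path": r"\\fs01\sales"}
ARCHIVE = {"path": r"\\fs02\archive", "label": "Archive"}

def update_keeps_other_settings():
    return process([PreferenceItem("S:", "Update", SALES)], EXISTING)

def replace_discards_other_settings():
    return process([PreferenceItem("S:", "Replace", SALES)], EXISTING)

def two_updates_conflict():
    # ARCHIVE is listed first (highest precedence), so it is written last.
    return process([PreferenceItem("S:", "Update", ARCHIVE),
                    PreferenceItem("S:", "Update", SALES)], EXISTING)

def create_listed_first_is_skipped():
    # Create has the highest precedence, but S: already exists when it runs.
    return process([PreferenceItem("S:", "Create", ARCHIVE),
                    PreferenceItem("S:", "Update", SALES)])

if __name__ == "__main__":
    for demo in (update_keeps_other_settings, replace_discards_other_settings,
                 two_updates_conflict, create_listed_first_is_skipped):
        print(f"{demo.__name__}: {demo()}")
```

The last case is the one to check when reviewing a GPO: moving a Create item to the top of the list does not make its settings win if a lower-precedence item has already created the target.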

Setting Common tab options

All preference items have a Common tab, on which you’ll find options that are common to preference items. Although the exact list of common options can differ from item to item, most preference items have the options shown in Figure 4-8.

Figure 4-8. Set additional processing options on the Common tab.

These common options are used as follows:

  • Stop Processing Items In This Extension If An Error Occurs. By default, if processing of one preference item fails, processing of other preference items will continue. To change this behavior, you can select Stop Processing Items In This Extension If An Error Occurs. With this option selected, a preference item that fails prevents the remaining preference items within the extension from being processed for a particular Group Policy Object. This setting doesn’t affect processing in other Group Policy Objects.

  • Run In Logged-On User’s Security Context. By default, the Group Policy client running on a computer processes user preferences within the security context of either the Winlogon account (for computers running versions of Windows prior to Windows Vista) or the System account (for computers running Windows Vista or later). In this context, a preference extension is limited to the environment variables and system resources available to the computer. Alternatively, the client can process user preferences in the security context of the logged-on user. This allows the preference extension to access resources as the user rather than as a system service, which might be required when using drive maps or other preferences for which the computer might not have permissions to access resources or might need to work with user environment variables.

  • Remove This Item When It Is No Longer Applied. By default, when the policy settings in a Group Policy Object no longer apply to a user or computer, the policy settings are removed because they are no longer set in the Group Policy area of the registry. By default, however, preference items are not removed automatically when a Group Policy Object no longer applies to a user or computer. To change this behavior, you might be able to set this option for a preference item. When this option is selected, the preference extension determines whether a preference item that was in scope is now out of scope. If the preference item is out of scope, the preference extension removes the settings associated with the preference item.

    Real World

    Generally, preferences that support management actions can be removed when they no longer apply, but preferences that support editing states cannot be removed when they no longer apply. If you select Remove This Item When It Is No Longer Applied, the management action is set as Replace. As a result, during Group Policy processing, the preference extension performs a Delete operation followed by a Create operation. Then, if the preference item goes out of scope (meaning that it no longer applies) for the user or computer, the results of the preference item are deleted (but not created). Item-level targeting can also cause a preference item to go out of scope.

  • Apply Once And Do Not Reapply. Group Policy writes preferences to the same locations in the registry that an application or operating system feature uses to store the related setting. As a result, users can change settings that were configured by using policy preferences. However, by default, the results of preference items are rewritten each time Group Policy is refreshed to ensure that preference items are applied as administrators designated. You can change this behavior by setting this option. When this option is selected, the preference extension applies the results of the preference item one time and does not reapply the results.

  • Item-Level Targeting. Item-level targeting allows you to filter the application of a preference item so that the preference item applies only to selected users or computers. When the Group Policy client evaluates a targeted preference, each targeting item results in a True or False value. If the result is True, the preference item applies and is processed. If the result is False, the preference item does not apply and is not processed. When this option is selected, tap or click the Targeting button to display the Targeting Editor, and then configure targeting as appropriate.

    Real World

    A targeting item is evaluated as a logical expression. The logical expression can include environment variables as long as the environment variables are available in the current user context. After you create your logical expression, you’ll need to ensure that the expression makes sense. In addition, if you hard-code a value when you meant to use an environment variable, the targeting will not work as expected.
