Windows Server 2008 Directory Services, Group Policy Preferences -- Common Options
May 12, 2010
In the recent installments of our series dedicated to the most prominent features available in Windows Server 2008 Directory Services, we have introduced the concept of Group Policy Preferences. It is important to note that our choice was driven by a desire for completeness, rather than by a direct dependency on a specific version of Active Directory, since it is possible, and quite common, to deploy them with domain controllers running the Windows Server 2003 operating system.
So far, we have presented the basic principles of this technology and described its categorization, which divides preferences into Windows Settings and Control Panel Settings (depending on the type of components whose configuration they control). This article will focus on a set of common options that provide additional functionality affecting settings in both categories.
While the information presented so far should help you realize the impressive range of changes that can be applied via Group Policy Preferences, their most impressive characteristic is the granularity with which you can manipulate their scope. This capability (known as item-level targeting) is exposed in the Group Policy Management Editor console via the Options common to all items section on the Common tab of the Properties dialog box of each individual preference extension. The full listing of common options appearing in this interface is as follows.
Stop processing items in this extension if an error occurs
If you have several items of the same extension type (e.g., several drive map entries) within a given GPO, they are processed in sequence (starting from the bottom of the list, with the top one applied last and therefore taking precedence in case of a conflict) and independently of one another. By enabling this option, you alter this default and skip processing of the remaining items within the same extension (and the same GPO) if an error is encountered.
Run in logged-on user's security context (user policy option)
Applicable to preferences that are part of User Configuration settings, this option specifies that the associated change should be carried out by impersonating the current user, instead of the Local System account. The option's checkbox is automatically grayed out for all items appearing in the Computer Configuration section of Group Policy Management Editor. Keep in mind that this particular option has no relevance in regard to Drive Maps and Printers settings, which always follow the context in which they are defined (Computer Configuration node).
Remove this item when it is no longer applied
This eliminates a change introduced by a preference setting after its target (a user or computer) is removed from the management scope. This might happen as the result of a move to a different Organizational Unit or an exclusion based on item-level targeting or WMI and security group filtering. This does not, however, apply to those that implement
Although this option to some extent mitigates the persistent nature of Group Policy Preferences (which, in this aspect, behave differently from Group Policies), it does not imply that the resulting configuration reverts to its original state. Rather, it means the current settings are removed, which might have undesired consequences. Fortunately, the preference items that pose a threat to system stability (e.g., Start Menu), as well as those for which removal does not make sense (e.g., the Immediate Task subitem of Scheduled Tasks), have this option automatically disabled (grayed out).
Keep in mind that enabling this option substitutes the originally assigned action with Replace, which first removes and subsequently re-creates the desired setting while the target is in scope. This, in turn, could affect the end-user experience, especially during background Group Policy refresh intervals. In addition, any custom modifications to a target component (such as password changes to accounts created via the Local Users and Groups extension) will automatically be overwritten when that preference is reapplied.
Apply once and do not reapply
By default, preferences comply with the same set of rules as Group Policy in regard to the events that trigger their processing, including computer startup, user logon and the periodic refresh intervals following each. This option allows you to alter this behavior such that the corresponding change is applied only once. This is accomplished by recording the GUID associated with that particular preference item (which you can determine by locating the id parameter in its XML file within the GPO-specific folder under the SYSVOL share) in the registry hive associated with the target (HKLM\Software\Microsoft\Group Policy\Client\RunOnce and HKCU\Software\Microsoft\Group Policy\Client\RunOnce for computer- and user-based settings, respectively).
During the Group Policy processing cycle, these entries are identified and automatically excluded from the refresh. As a result, if any such settings are modified after their initial deployment, they will retain their new configuration rather than revert to the previous state defined via Group Policy Preferences. It is important to note that the registry entries are populated even if the target does not belong to the scope determined by item-level targeting. They are also not subject to the Stop processing items in this extension if an error occurs option described above.
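As an added example (not code from the original article), the following Python reads a constructed Drives.xml fragment in the form GPP stores preference items under a GPO's folder in SYSVOL, reports the common options described above for each item, and lists which apply-once items a client will skip on refresh given the GUIDs it has recorded under its RunOnce keys. The attribute names (bypassErrors, userContext, removePolicy, FilterRunOnce/id) and their mapping to the checkboxes are my assumptions about the GPP XML schema; the GUIDs and server names are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed Drives.xml fragment in the form stored under a GPO's
# folder in SYSVOL (not from a real domain; clsid attributes omitted,
# GUIDs are placeholders). The attribute meanings are assumptions:
#   bypassErrors="0" -> Stop processing items in this extension if an error occurs
#   userContext="1"  -> Run in logged-on user's security context
#   removePolicy="1" -> Remove this item when it is no longer applied
#   <FilterRunOnce id="{GUID}"/> -> Apply once and do not reapply
DRIVES_XML = """
<Drives>
  <Drive name="H:" status="H:" uid="{11111111-0000-0000-0000-000000000001}"
         userContext="1" removePolicy="1" bypassErrors="0">
    <Properties action="U" path="\\\\fileserver\\home" letter="H" persistent="1"/>
    <Filters><FilterRunOnce id="{AAAAAAAA-0000-0000-0000-000000000001}"/></Filters>
  </Drive>
  <Drive name="S:" status="S:" uid="{11111111-0000-0000-0000-000000000002}"
         userContext="0" removePolicy="0" bypassErrors="1">
    <Properties action="U" path="\\\\fileserver\\shared" letter="S" persistent="1"/>
  </Drive>
</Drives>
"""

def common_options(xml_text):
    """Return one dict per preference item describing its common options."""
    items = []
    for item in ET.fromstring(xml_text.strip()):
        run_once = item.find("Filters/FilterRunOnce")
        items.append({
            "name": item.get("name"),
            "stop_on_error": item.get("bypassErrors") == "0",
            "user_context": item.get("userContext") == "1",
            "remove_when_unapplied": item.get("removePolicy") == "1",
            "apply_once_id": run_once.get("id") if run_once is not None else None,
        })
    return items

def skipped_on_refresh(items, runonce_ids):
    """Names of apply-once items a client will not reapply, given the GUIDs
    it has recorded under HKLM/HKCU ...\\Group Policy\\Client\\RunOnce."""
    recorded = {g.upper() for g in runonce_ids}
    return [i["name"] for i in items
            if i["apply_once_id"] and i["apply_once_id"].upper() in recorded]

if __name__ == "__main__":
    opts = common_options(DRIVES_XML)
    # Constructed: GUIDs a client reported from its RunOnce keys
    print(skipped_on_refresh(opts, ["{aaaaaaaa-0000-0000-0000-000000000001}"]))
```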
Item-level targeting
Follow ServerWatch on Twitter
Item-level targeting provides significantly enhanced granularity in defining the criteria that must be satisfied for a preference item to take effect. Such criteria are evaluated on a per-item level, rather than on a per-GPO basis, as is the case with traditional filtering mechanisms that take into account factors such as security group membership or the outcome of a WMI-based query. The conditions considered when performing these evaluations include the following. With a few exceptions that we will point out, they are applicable to both computer- and user-based preferences:
Battery Present - checks for the presence of a battery on a target computer, facilitating deployment of distinct preferences to laptops, if different from those applied to desktops and servers.
Computer Name - makes application of a Group Policy Preference item dependent on the NetBIOS name (as determined by the value of the COMPUTERNAME environment variable) or the DNS name (which involves translating it into a corresponding IP address and comparing its value to the addresses assigned to local network adapters) of the target computer. It is possible to use wildcards, with ? and * designating, respectively, any single and multiple characters.
CPU Speed - restricts the scope of the corresponding preference setting to computers with a processor faster than the value defined here. This can be assigned either directly (by providing a number representing clock speed in MHz) or by leveraging one of the System Defined Variables, selected from the list displayed by pressing F3 while the cursor is in the greater than or equal to listbox.
Date Match - assigns a schedule, including frequency (e.g., On date), for deploying the preference setting to a target computer.
Dial-Up Connection - makes deployment contingent on the connected status of a specific dial-up connection. The list of available connection types is fairly long and includes Telephone modem accessed through a COM port, Virtual Private Network (VPN), PPP over Ethernet (PPPoE) and Any. This option is applicable only to User Configuration preferences.
Disk Space - accommodates scenarios where a preference item has a disk space dependency, allowing you to specify the minimum amount of free space (in GB) on an arbitrarily selected drive, identified either as System (which is determined by checking the value of the SYSTEMDRIVE environment variable), if applicable, or by its drive letter. The latter includes mapped network drives.
Domain - uses the NetBIOS domain name (which can be specified explicitly or assigned via System Defined Variables) to restrict the application of the corresponding preference item depending on whether the target computer or user is a member of that domain. This is determined by comparing the value you provide against the DOMAINNAME environment variable.
Environment Variable - targets users or computers based on the values of either user or system environment variables. Here as well, you can specify them directly or leverage System Defined Variables. Note that this particular item presents interesting opportunities in regard to customizing the scope of GPP deployment, by defining environment variables that uniquely identify the intended recipients.
File Match - takes into consideration either the existence of a file/folder (based on the Path textbox entry) or checks whether that file's version is within a specified range, which accommodates values between
IP Address Range - allows you to set starting and ending boundaries of the IP address range that is compared against the IP address of a target computer. This gives you a considerably more flexible alternative to Active Directory Site-linked GPO deployments.
Language - determines whether a preference item is applicable depending on the user's or computer's locale, which combines a language and a corresponding geographic area where that language is spoken. Since this can be either a user or a computer characteristic, you have the option to designate the appropriate one by selecting the User checkbox. The latter is not available when using Computer Configuration. Alternatively, it is also possible to use the Native option, which relies on the version stamping resource of
LDAP Query - runs a subtree search (without chasing referrals) for user or computer objects in Active Directory based on an arbitrary LDAP filter. Its configuration involves specifying that filter, a Binding (designating the GC: protocol and a container where the search will be conducted), as well as an Attribute to be returned from the query. You also have the option to assign the value of the returned attribute to an Environment variable. This, however, is limited strictly to ADSTYPE_BOOLEAN data types.
MAC Address Range - allows you to designate a target computer by defining a range of MAC addresses that includes those assigned to its network adapters.
MSI Query - defines targeting criteria that take into consideration properties of Windows Installer packages present on the target computer. These definitions combine a Query type (such as Get information or Match information) with a Target type (such as Component). Assigning appropriate values to each is simplified by the Select a Product dialog box (invoked via the Browse ... command button), which allows you to select among the products, patches and components installed on the local computer on which the Group Policy Management Editor is running.
Operating System - identifies the target computer based on its operating system (Windows Server 2003, Windows Server 2003 R2, Windows Vista, or Windows Server 2008), Edition (this varies with the OS version, but may include 64-bit Enterprise), Release (Service Pack level), and Computer Role (such as Member Server).
Organizational Unit - checks direct or indirect membership of a computer or user object in a designated Organizational Unit.
PCMCIA Present - identifies a target computer based on the existence of at least one PCMCIA slot (which, in addition to the Battery Present and Portable Computer options, might be helpful when targeting laptop computers). The identification is based on the presence of relevant drivers and the status of the corresponding hardware components.
Portable Computer - an option intended specifically for laptops that serves as an alternative to Battery Present and PCMCIA Present, and also allows you to identify whether the target computer is in a docked or undocked state.
Processing Mode - makes application of a preference item dependent on the Group Policy processing mode. This mode can take the value of Synchronous (which means that computer or user Group Policy processing must be completed before subsequent actions, such as user logon or user desktop display, are allowed), Asynchronous (permitting such actions while Group Policy processing is still in progress), or Background (taking place after initial computer startup or user logon at 90 to 120 minute intervals). For each of them, you can also further narrow down the scope based on Processing conditions, which include:
Forced refresh (typically accomplished by invoking
Link transition (a change in link speed),
No changes (unchanged version number of Group Policy Object),
RSoP transition (a change in RSoP logging),
Slow link (presence of slow network connection),
Safe boot (operating in safe mode), or
Verbose logging (highest level of logging enabled).
RAM - determines the scope by comparing the amount of physical memory against an arbitrary threshold (in MB).
Registry Match - applies a Match type (including Match value data and Get value data) against a specified registry location (key or value) to determine whether the preference item should be applied. The last of these options also provides the ability to store the matching value in an environment variable.
Security Group - checks membership of a target user or computer in a designated domain-based, local or well-known group. It is also possible to make the processing contingent on that group being designated as the primary group.
Site - evaluates the Active Directory Site membership of a target computer account.
Terminal Session - facilitates scenarios where Group Policy processing should depend on whether a user is logged on via a Terminal Services session (rather than interactively at the console). You can further narrow down the scope by specifying the Type of protocol (which, by default, includes only the Terminal Services option) and a session Parameter, such as Working directory or Client TCP/IP address.
Time Range - matches local time on a target computer against an arbitrarily defined interval, allowing you to apply a preference item only during specific times.
User - available only for User Configuration items, identifies target users by their names (wildcards are allowed) or SIDs (in which case wildcards are not permitted).
WMI Query - uses WQL (WMI Query Language) to evaluate the scope of preference item processing. You must specify the actual Query (which takes the form of a SELECT statement) and the WMI Namespace (set by default to Root\cimv2). In addition, you have the option to designate a WMI Property returned by the query, which will be assigned to an arbitrary environment variable (identified by the Variable name entry).
Note that each of these targeting items can be grouped into collections (via the Add Collection toolbar button), combined with others using Boolean operators (such as Is Not), and labeled (for documentation and search purposes). Effectively, this gives you the ability to construct elaborate sets of criteria that result in a wide range of processing conditions.
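As an added example (not code from the original article), here is a small Python evaluator for a constructed item-level targeting fragment in the form GPP stores it in SYSVOL XML, covering Battery Present, Computer Name with wildcards, Operating System, Security Group, negation and a collection. The Filter* element and attribute names, the left-to-right AND/OR chaining with collections as grouping, and the facts dictionary describing the target are my assumptions; the SID is a placeholder.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed item-level targeting fragment (not from a real GPO). Element and
# attribute names follow the GPP XML schema as I understand it and are
# assumptions; the SID is a placeholder.
FILTERS_XML = """
<Filters>
  <FilterBattery bool="AND" not="0"/>
  <FilterCollection bool="AND" not="0">
    <FilterComputer bool="AND" not="0" type="NETBIOS" name="LAB-*"/>
    <FilterOs bool="OR" not="0" class="NT" version="VISTA" type="NE" edition="NE" sp="NE"/>
  </FilterCollection>
  <FilterGroup bool="AND" not="1" name="CORP\\Servers"
               sid="S-1-5-21-0-0-0-PLACEHOLDER" userContext="0" primaryGroup="0" localGroup="0"/>
</Filters>
"""

def leaf_matches(el, facts):
    """Evaluate one targeting item against a dict of facts about the target."""
    tag = el.tag
    if tag == "FilterBattery":
        return bool(facts.get("battery_present"))
    if tag == "FilterComputer":  # NetBIOS name; ? and * wildcards allowed
        return fnmatch.fnmatchcase(facts.get("computer_name", "").upper(),
                                   el.get("name", "").upper())
    if tag == "FilterOs":
        return facts.get("os_version") == el.get("version")
    if tag == "FilterGroup":
        return el.get("sid") in facts.get("group_sids", set())
    raise ValueError(f"unsupported targeting item: {tag}")

def evaluate(container, facts):
    """Items combine left to right: bool= joins each item to the running
    result, not="1" negates it, and a collection is evaluated as one unit."""
    result = None
    for el in container:
        value = evaluate(el, facts) if el.tag == "FilterCollection" else leaf_matches(el, facts)
        if el.get("not") == "1":
            value = not value
        if result is None:
            result = value
        elif el.get("bool", "AND").upper() == "OR":
            result = result or value
        else:
            result = result and value
    return True if result is None else result  # no items: item always applies

def item_applies(filters_xml, facts):
    return evaluate(ET.fromstring(filters_xml.strip()), facts)
```

With the fragment above, a laptop named LAB-07 outside the CORP\Servers group is in scope, while a desktop without a battery or any LAB-* machine that is a member of that group is not.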
Hopefully, this overview provides a better understanding of the configuration options that govern the behavior of Group Policy Preferences.