Windows Server 2008 Directory Services, Group Policy Preferences -- Common Options
In the recent installments of our series dedicated to the most prominent features available in Windows Server 2008 Directory Services, we have introduced the concept of Group Policy Preferences. It is important to note that our choice was driven by aspiration for completeness, rather than direct dependency on a specific version of Active Directory, since it is possible, and quite common, to deploy them with domain controllers running the Windows Server 2003 operating system. We've looked at the basic principles behind Windows Server 2008 Directory Services and explained its categorization, which divides preferences into Windows Settings and Control Panel Settings. Now it's time to check out the common options that provide additional functionality and impact settings in both categories.
So far, we have presented the basic principles of this technology and described its categorization, which divides preferences into Windows Settings and Control Panel Settings (depending on the type of components whose configuration they control).
While the information presented so far should help you realize the impressive range of changes that can be applied via Group Policy Preferences, their most impressive characteristic is the granularity with which you can manipulate their scope. This capability (known as item-level targeting) is exposed in the Group Policy Management Editor console via the "Options common to all items" section on the Common tab of the Properties dialog box of each individual preference extension. The full listing of common options appearing in this interface is as follows.
Stop processing items in this extension if an error occurs
If you have several items of the same extension type (e.g., several drive map entries) within a given GPO, they are processed in sequence (starting from the bottom of the list, with the top one applied last and therefore taking precedence in case of a conflict) and independently of one another. By enabling this option, you can alter this default and skip processing the remaining items within the same extension (and the same GPO) if an error is encountered.
Run in logged-on user's security context (user policy option)
Applicable to preferences that are part of User Configuration settings, it designates that the associated change should be carried out by impersonating the current user, instead of the Local System account. The option's checkbox is automatically grayed out for all items appearing in the Computer Configuration section of Group Policy Management Editor. Keep in mind that this particular option has no relevance in regard to Drive Maps and Printers settings, which always follow the context in which they are defined (Computer Configuration node).
Remove this item when it is no longer applied
This eliminates a change introduced by a preference setting after its target (a user or computer) is removed from management scope. This might happen as the result of a move to a different Organizational Unit or an exclusion based on item-level targeting or WMI and security group filtering. This does not, however, apply to those that implement
Although this option to some extent mitigates the persistent nature of Group Policy Preferences (which, in this aspect, behave differently than Group Policies), it does not imply that the resulting configuration reverts to its original state. Rather, it means current settings are removed, which might have undesired consequences. Fortunately, the preference items that pose a threat to system stability (e.g., Start Menu) as well as those for which removal does not make sense (e.g., the Immediate Task subitem of Scheduled Tasks) have this option automatically disabled (grayed out).
Keep in mind that enabling this option substitutes the originally assigned action with Replace, which first removes and subsequently re-creates a desired setting while the target is in scope. This, in turn, could affect end-user experience, especially during background Group Policy refresh intervals. In addition, any custom modifications to a target component (such as password changes to accounts created via the Local Users and Groups extension) will automatically be overwritten when that preference is reapplied.
Apply once and do not reapply
By default, preferences comply with the same set of rules as Group Policy in regard to events that trigger their processing, including computer startup, user logons and periodic refresh intervals following each. This option allows you to alter this behavior such that the corresponding change is applied only once. This is accomplished by recording the GUID associated with that particular preference item (determined by identifying the id parameter in its XML file within a GPO-specific folder under the SYSVOL share) in the registry hive associated with the target (HKLM\Software\Microsoft\Group Policy\Client\RunOnce and HKCU\Software\Microsoft\Group Policy\Client\RunOnce for computer- and user-based settings, respectively).
During the Group Policy processing cycle, these entries are identified and automatically excluded from the refresh. As a result, if any such settings are modified after their initial deployment, they will retain their new configuration, rather than revert to their previous state defined via Group Policy Preferences. It is important to note that the registry entries are populated even if the target does not belong to the scope determined by item-level targeting. They are also not subject to the "Stop processing items in this extension if an error occurs" option described above.
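To see which apply-once items a machine will no longer refresh, the ids in a GPO's preference XML can be compared with the RunOnce registry entries described above. The following is an added example, not part of the original article: the function names are hypothetical, the XML sample is constructed, and it assumes the apply-once id is carried by a FilterRunOnce element and is recorded as a value name under the RunOnce key.

```powershell
# Constructed sample of a preference XML file (not taken from a real GPO).
[xml]$sample = @'
<Drives>
  <Drive name="S:">
    <Properties action="U" letter="S" path="\\fileserver.example\share"/>
    <Filters>
      <FilterRunOnce hidden="1" not="0" bool="AND" id="{22222222-2222-2222-2222-222222222222}"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="U" letter="T" path="\\fileserver.example\tools"/>
  </Drive>
</Drives>
'@

function Get-ApplyOnceId {
    # Return item name and id for every apply-once filter in the XML
    # (FilterRunOnce as the element name is an assumption, see lead-in).
    param([Parameter(Mandatory)][xml]$PreferenceXml)
    foreach ($filter in $PreferenceXml.SelectNodes('//FilterRunOnce')) {
        [pscustomobject]@{
            Item = $filter.ParentNode.ParentNode.GetAttribute('name')
            Id   = $filter.GetAttribute('id')
        }
    }
}

function Get-RunOnceMarker {
    # List the GUIDs recorded for the computer (HKLM) and the current user (HKCU).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\Software\Microsoft\Group Policy\Client\RunOnce"
        if (Test-Path $key) {
            foreach ($name in (Get-Item $key).GetValueNames()) {
                [pscustomobject]@{ Hive = $hive; Id = $name }
            }
        }
    }
}

# Report each apply-once item and whether this machine already carries its marker.
$markers = @(Get-RunOnceMarker)
foreach ($entry in (Get-ApplyOnceId -PreferenceXml $sample)) {
    $hit = @($markers | Where-Object { $_.Id -eq $entry.Id })
    [pscustomobject]@{
        Item         = $entry.Item
        Id           = $entry.Id
        MarkedInHive = ($hit.Hive -join ',')
    }
}
```

An item with a non-empty MarkedInHive is excluded from further refreshes on that machine, so any later drift in its setting will not be corrected by the preference. Because the entries are written even for targets outside the item-level targeting scope, a marker alone does not show that the setting was ever applied.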