Windows Server 2008 Directory Services, Group Policy Preferences -- Common Options

In recent installments of our series dedicated to the most prominent features of Windows Server 2008 Directory Services, we introduced the concept of Group Policy Preferences. Note that we included them for the sake of completeness rather than because they depend on a specific version of Active Directory: it is possible, and quite common, to deploy them with domain controllers running Windows Server 2003. We have looked at the basic principles behind Group Policy Preferences and explained their categorization, which divides preferences into Windows Settings and Control Panel Settings. Now it is time to check out the common options that provide additional functionality and affect settings in both categories.

So far, we have presented the basic principles of this technology and described its categorization, which divides preferences into Windows Settings and Control Panel Settings, depending on the type of component whose configuration they control.

This article will focus on a set of common options that provide additional functionality affecting settings in both categories.

While the information presented so far should help you appreciate the impressive range of changes that can be applied via Group Policy Preferences, their most impressive characteristic is the granularity with which you can manipulate their scope. This capability (known as item-level targeting) is exposed in the Group Policy Management Editor console via the Options common to all items section on the Common tab of the Properties dialog box of each individual preference item. The full list of common options appearing in this interface is as follows.

Stop processing items in this extension if an error occurs

If you have several items of the same extension type (e.g., several drive map entries) within a given GPO, they are processed in sequence (starting from the bottom of the list, with the top one applied last and therefore taking precedence in case of a conflict) and independently of one another. By enabling this option, you alter this default so that the remaining items within the same extension (and the same GPO) are skipped once an error is encountered.

Run in logged-on user's security context (user policy option)

Applicable to preferences that are part of User Configuration settings, this option specifies that the associated change should be carried out by impersonating the currently logged-on user instead of running under the Local System account. The option's checkbox is automatically grayed out for all items appearing in the Computer Configuration section of Group Policy Management Editor. Keep in mind that this option has no relevance to Drive Maps and Printers settings, which always run in the context of the node in which they are defined (User or Computer Configuration).

Remove this item when it is no longer applied

This option removes the change introduced by a preference item once its target (a user or computer) falls out of the management scope. That might happen as the result of a move to a different Organizational Unit, or of an exclusion based on item-level targeting, WMI filtering, or security group filtering. It does not, however, apply to items that use the Delete action.

Although this option to some extent mitigates the persistent nature of Group Policy Preferences (which, in this respect, behave differently from Group Policy settings), it does not imply that the resulting configuration reverts to its original state. Rather, it means the current settings are removed, which might have undesired consequences. Fortunately, the preference items that pose a threat to system stability (e.g., Folder Options, Internet Settings, Power Options, Regional Options, Services, or Start Menu), as well as those for which removal does not make sense (e.g., the Immediate Task subitem of Scheduled Tasks), have this option automatically disabled (grayed out).

Keep in mind that enabling this option substitutes Replace for the originally assigned action; Replace first removes and subsequently re-creates the desired setting for as long as the target remains in scope. This, in turn, could affect the end-user experience, especially during background Group Policy refresh intervals. In addition, any custom modifications to a target component (such as password changes to accounts created via the Local Users and Groups extension) will automatically be overwritten when that preference is reapplied.

Apply once and do not reapply

By default, preferences follow the same rules as Group Policy in regard to the events that trigger their processing, including computer startup, user logon, and the periodic refresh intervals that follow each. This option allows you to alter that behavior so that the corresponding change is applied only once. This is accomplished by recording the GUID associated with that particular preference item (it corresponds to the id parameter in the item's XML file, located in a GPO-specific folder under the SYSVOL share) in the registry hive associated with the target: HKLM\Software\Microsoft\Group Policy\Client\RunOnce for computer-based settings and HKCU\Software\Microsoft\Group Policy\Client\RunOnce for user-based settings.

During the Group Policy processing cycle, these entries are identified and automatically excluded from the refresh. As a result, if any such settings are modified after their initial deployment, they retain their new configuration rather than reverting to the state defined via Group Policy Preferences. It is important to note that the registry entries are populated even if the target does not belong to the scope determined by item-level targeting. They are also not subject to the Stop processing items in this extension if an error occurs option described above.
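The following PowerShell script is an added example (not part of the original article) that audits the apply-once mechanism described above: it reads the GUIDs recorded under both RunOnce registry keys and matches them against the items in a preference XML file. It assumes the per-item GUID is the uid attribute of each item element; the Drives.xml content is a constructed sample standing in for the real file under SYSVOL.

```powershell
# Added example: list which Group Policy Preference items have already been
# recorded under the "Apply once and do not reapply" keys on this machine.
# Assumption: an item's GUID is its uid attribute in the preference XML.

$runOnceKeys = @(
    'HKLM:\Software\Microsoft\Group Policy\Client\RunOnce',   # computer-side items
    'HKCU:\Software\Microsoft\Group Policy\Client\RunOnce'    # user-side items
)

# Constructed sample of a Drive Maps preference file. The real file lives under
# \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml;
# the clsid and uid values below are placeholders, not real identifiers.
[xml]$drivesXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CLSID-PLACEHOLDER-COLLECTION}">
  <Drive clsid="{CLSID-PLACEHOLDER-ITEM}" name="H:" status="H:"
         changed="2010-05-12 10:00:00" uid="{11111111-2222-3333-4444-555555555555}">
    <Properties action="U" path="\\fileserver\home" label="Home" persistent="1" />
  </Drive>
</Drives>
'@

function Get-AppliedOnceItems {
    param([xml]$PreferenceXml)

    # Gather every GUID already written to the RunOnce keys (value names are GUIDs).
    $recorded = foreach ($key in $runOnceKeys) {
        if (Test-Path $key) { (Get-Item $key).GetValueNames() }
    }

    # Walk every item element (Drive, Printer, User, ...) that carries a uid attribute.
    foreach ($item in $PreferenceXml.SelectNodes('//*[@uid]')) {
        [pscustomobject]@{
            Item        = $item.LocalName
            Name        = $item.name
            Uid         = $item.uid
            Action      = $item.Properties.action   # C=Create, R=Replace, U=Update, D=Delete
            AppliedOnce = ($recorded -contains $item.uid)
        }
    }
}

Get-AppliedOnceItems -PreferenceXml $drivesXml | Format-Table -AutoSize
```

An item reported as AppliedOnce will not be reprocessed during refresh even after its settings are edited in the GPO; deleting the corresponding value from the RunOnce key causes it to be applied again at the next processing cycle.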

This article was originally published on May 12, 2010