Who Doesn't Prefer Sushi?
Windows Server 2008's Group Policy Preferences makes balancing your security needs with users' preferences a little easier.
- By Greg Shields
On an airplane, I prefer the window seat. My buddy Moby prefers that sushi stays in the ocean. My editor at Redmond
prefers that I get this column in on time. We all have our own preferences for how we interact with the world around us.
The same holds true when configuring our desktops and notebooks. Some of your users will prefer a black background because it's easier to find their icons. You might prefer that your users map their home folder to the H: drive. They might prefer the F: drive. As systems admins, the hardest part of our jobs can be finding that happy medium between pleasing our security needs while giving our users a comfortable computing environment.
This has been difficult with traditional Group Policy due to the mechanics of its application. We could force firewall settings that protect our users. We could require users to click through a legal notice before they log into their desktops. Traditional Group Policy has always mandated a setting, instead of letting us merely "suggest" one.
Windows Server 2008's new Group Policy Preferences (GPP) feature changes all that. Server 2008 RC1 and Group Policy have reformulated the way we enforce desktop configurations among our users.
Serving up Settings
Consider how you administer policy settings in Server 2003. Server 2003 policies -- those with the green dot in the Group Policy Management Console (GPMC) -- are the ones you get right out of the box. You can see these settings by default within the GPMC interface. You can use them to control configurations within targeted workstations and servers. Removing them automatically turns the settings back to their original state.
Server 2003 preferences are usually those you create and mark with a red dot in the GPMC. Preferences with Server 2003 often meant creating a custom Administrative Template, a cumbersome process for many administrators. Worst of all, applying one to a machine would "tattoo" that change onto its registry. If you removed the Group Policy, the setting stuck around.
Because of these complexities, many admins today still use log-on scripts as their primary tool for managing certain workstation configurations. Log-on scripts aren't the greatest solution, but they get the job done well enough.
What Do You Prefer?
Group Policy Preferences is an exciting addition to Group Policy that will eliminate much of the need for custom Administrative Templates and log-on scripts. Using GPP, if you need to set a drive letter to a file share, you can do that right from within the GPMC's GUI. It also supports dropping shortcuts onto users' desktops, configuring registry keys and a host of other common customizations. Custom ADM or batch file scripting is no longer necessary. You can now create each of these configurations using wizards within the GPMC.
Unlike the old-school preferences, GPP also benefits from the ability to make these settings optional. If you want to apply but not enforce a particular setting, simply set it to "Apply once and do not reapply." This lets you suggest a setting, but also lets your users change it later to suit their own desired desktop experience. On the other hand, if you need to enforce particular preferences you can do that as well.
Even more exciting is the ability to target individual preferences to different groups, all within the same GPO. By doing this, you can create multiple preferences in the same GPO, and target them based on characteristics of the user or computer.
Of particular interest is the ability to create, modify or remove specific registry entries through the GPMC's GUI interface. These custom registry settings were the source of many custom Administrative Templates back in Server 2003. With GPP, now you can do nearly any registry addition or modification as a preference.
This is especially helpful when you need to configure a setting for an app where no Administrative Template exists. Here's how it works: Let's say that you've installed the Java Runtime Environment on all of your workstations, but you don't want its icon to appear in the system tray. The registry key that controls this is:
The value for HideSystemTrayIcon should be changed from 0 to 1 to make it disappear. Doing this with GPP is as easy as creating a GPO, navigating to Computer Configuration \ Preferences \ Windows Settings \ Registry, then creating a New Registry Item that updates the value's data (see Figure 1).
[Click on image for larger view.]
|Figure 1. You can now use Group Policy Preferences to change a registry value.
Your next question may be, "How did you know which registry key actually controls this behavior?" I use registry comparison tools like Active Registry Monitor to take a snapshot of the registry before and after changing that particular configuration in the application's GUI. Registry-comparison tools like Active Registry Monitor will show me what registry keys and values have changed between the two snapshots. Because I know most changes to configurations within an application's GUI are stored as a value in the registry, I can use tools like this to sniff out the registry values I want to suggest-or enforce-and encode them into GPP.
I'd still love to sit down with a bottle of sake and a California Roll with my buddy Moby. I can set the stage to someday make that happen, but at the same time, he may prefer not to show up for dinner. The same holds true with GPP.
Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.