TechMentor 2008 Preview: The New Group Policy Preferences
Derek Melber shows how you can eliminate logon scripts, become more secure and even save money with the new Group Policy Preferences in Vista and Windows Server 2008.
EDITOR'S NOTE: This article is a preview of just some of what Derek will cover in his upcoming TechMentor conference sessions. If you're attending TechMentor San Francisco (March 30-April 3), be sure to attend Derek's group policy-focused sessions throughout the conference (TF18, TW30, TT32, TS44 and TF48) as well as Derek's full-day pre-conference workshop "Dominate and Rule Your World Using Group Policy" (TPR4 and TPR8). If you haven't yet registered for a TechMentor 2008 conference, go here to find out more about TechMentor San Francisco and here for information on TechMentor Orlando (May 12-16).
Microsoft has spent a lot of money and effort bringing new technology to Windows Vista and Windows Server 2008, and it really shows when it comes to Group Policy. One of the most impressive new features is Group Policy Preferences, offering technology now built into Group Policy that lets you control aspects of a desktop and server that you only dreamed about in the past -- it brings a lot to the table, and it's all good.
Where You Can Use Group Policy Preferences
When Microsoft offers great, new technology, rarely is it backward-compatible. In this case, it delivered both! Microsoft has made Group Policy Preferences available to downlevel clients. You can deliver Group Policy Preferences to Windows XP SP2, Windows Server 2003 SP1, Vista and Windows Server 2008.
One downside is that the only clients that can manage a GPO that contains Group Policy Preferences are Windows Server 2008 and Vista SP1. But while not perfect, this news isn't all that bad. The reason for it is that Group Policy Preferences rely on the new Group Policy Management Console (GPMC) and the updated Group Policy Management Editor (GPME), which is associated with the GPMC.
Eliminating Logon Scripts
I always hate when a technology over-promises and under-delivers. In the case of eliminating logon scripts, Group Policy Preferences is a total solution. For most companies, the logon script that they use is long, complex and not all that fun to administer. From my experience, the logon scripts for most companies include configurations for:
- Mapping drive letters to network shares.
- Mapping printers to networked printers.
- Modifying Registry values.
- Copying files to the local computer from a network location.
- Deleting files from local folders.
- Configuring INI or INF files stored on the local computer.
If your logon script does more than this, which is very possible, there are other settings which might be beneficial for you too, but these are the primary settings that I have seen.
You might be thinking that if a GPO can do the same thing as the existing logon script, why even consider modifying the settings from something that exists to something new? Well, the reason is that the Group Policy Preferences are more than just settings: If you dig one level deeper, you will see that Group Policy Preferences also come with item-level targeting options.
Item-level targeting gives the administrator control over making a setting available or not, based on the current state of the computer. For example, consider printers. If you have a laptop user traveling to a branch office, does your current logon script account for the fact that the user is not sitting in the regular cube back at corporate headquarters? Well, item-level targeting can! You can configure the item-level targeting to pivot on the IP address range that the laptop is within or even the Active Directory site that the user is associated with when in the branch office. Printers can be added or deleted as the laptop user moves from one environment to the other.
This item-level targeting is available for all of the Group Policy Preferences settings. There are over 25 different settings that can be configured to control whether or not the setting will apply after determining the current state of the computer.
Every company wants to save money, especially large organizations that have tens of thousands of desktops. One easy way to save money is when the users are not in the office, but they leave their computer running. Of course, they are not making money when they are home sleeping, but their computer is still eating up valuable electricity back at the office.
There are a few solutions to this dilemma. First, there could be a mandatory policy implemented that states that all desktops need to be shutdown before leaving the office. This seems like a potentially good option, except that updates and maintenance are often done on desktops during the middle of the night. If the desktop is not turned on, these essential updates and maintenance tasks will not be performed.
Another solution is to have the user configure the power options such that the computer will go to sleep or be placed in a low-power state after so many minutes of non-use. The problem with this solution is that during the main working hours, the computer is constantly going to sleep, even when the user is sitting next to it and might need it immediately to perform a task. It is common for a computer to not be used for up to 30 to 45 minutes, but the user is still in the office and needs the computer for tasks.
As a better solution, Group Policy Preferences provide a mechanism to control the power options on the computer, but in a way that allows normal production to continue, while still saving money. This is accomplished by combining the item-level targeting with the Group Policy Preferences Power Options policy. The idea is simple, yet powerful. The Time Range item-level target can be set to not put the computer to sleep during normal working hours, but as soon as the normal working hours range is passed, the computer is put to sleep. Then, when the computer should be awake for the nightly maintenance, the item-level target can be set to not have the computer sleep for a few hours in the middle of the night. The 24-hour clock can be managed, having the computer awake or asleep at the right time.
Studies have proven that these settings in this combination can save up to $75 per year, per computer. If you are controlling these settings on many thousands of desktops for your organization, this could mean tens of thousands of dollars per year in savings.
As one of the hottest topics and catch words in the IT world today, it is no wonder the Microsoft has put so much emphasis on security for its desktops and servers. What it has done in Group Policy Preferences is far from small and borders on genius. The settings that are available in Group Policy Preferences will change the way you control your desktops and servers!
There are three important security settings that exist for you to configure:
- Local Users: This setting lets you control any local user, including the built-in Administrator account. This might not sound all that exciting until you find out that you can change the password via Group Policy Preferences. Now, you can have unique and updated passwords for all desktops in the entire company.
- Local Groups: This sounds like the old-style Restricted Groups that have been in Group Policy for a long time. The difference here is that the settings made for the policy append to the existing members of the group, but don't replace them. So when targeting the local Administrators group on all desktops, for example, you can ensure that the Domain Admins group is included, but on the other hand can ensure that the user of the computer does not have their user account included in the Administrators group.
- Services: This policy allows you to alter the password for the service account associated with any service running on the computer. It is no longer a limitation that you need to connect to a computer to change the password -- Group Policy can do this for you now.
And That's Just for Starters...
Microsoft has put a lot of effort into providing some amazing settings in the new Group Policy Preferences for Vista and Windows Server 2008. The settings provide ultimate control over logon script settings, power option settings and security-related settings. By implementing these policies you can gain better control over your desktops and servers, cutting spending along the way, as well as reducing administration efforts.
For more on how to use Group Policy Preferences and other new features of Group Policy, be sure to catch my sessions at the upcoming TechMentor 2008 conferences.
Derek Melber (MCSE, MVP, CISM) is president of BrainCore.Net AZ, Inc., as well as an independent consultant and speaker, as well as author of many IT books. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security and desktop management. As one of only 8 MVPs in the world on Group Policy, Derek’s company is often called upon to develop end-to-end solutions regarding Group Policy for companies. Derek is the author of the The Group Policy Resource Kit by MSPress, which is the defacto book on the subject.