Executive Summary:
Group Policy Preferences augment the existing set of Group Policy functions, adding more functions to what you can already do. Group Policy Preferences Printers lets you easily deploy printers without schema updates or logon scripts, and Group Policy Preferences Power Options brings Vista-like power management to Windows XP systems. Other Group Policy Preferences let you manage devices, services, files on client machines, and users and groups.
|
Every new version of Windows comes with more to love, especially in the area of Group Policy: more control, more power, and more features that keep you from having to run around from machine to machine to get your job done. Usually, this power arrives built-in to the OS. For instance, when Windows Vista shipped, it brought with it Wired Ethernet policy, Enterprise QoS policy, a new capability for managing printers, and more.
In 2007, Microsoft released Group Policy Preferences, a set of additional Group Policy features. These features augment the existing set of Group Policy functions—adding more functions to what you can already do. Some of the Group Policy Preferences have similar names and potentially overlapping features with the original Group Policy functions, but in this article I'll show you where you can use the new functionality to get more out of your Group Policy investment.
Getting Group Policy Preferences
Group Policy Preferences, in total, encompass 21 features. You would think this many new features would ship as a lot of software. In fact, Group Policy Preferences ship as a single set of client-side extensions (CSEs). When the target computer processes a Group Policy Object (GPO) containing a Group Policy Preferences function, it simply calls the correct extension to do the work.
Windows Server 2008 ships—and Windows 7 will ship—with the Group Policy Preferences CSE; you don't need to do anything for these OSs to process Group Policy Preferences directives. However, you need to update Vista, Windows Server 2003, and Windows XP computers to take advantage of the new technology. Windows 2000 computers aren't able to leverage Group Policy Preferences. For brevity and space constraints, I'll point you to the GPanswers.com Newsletter, issue 27, for detailed installation instructions that cover a wide variety of circumstances.
Note that your management console machine must have the updated Group Policy Management Console (GPMC) with its updated Group Policy Editor (GPE). The updated GPMC ships with Server 2008 and is available for Windows Vista SP1 and later if you install Remote Server Administration Toolkit (RSAT), which can be found in the Microsoft Download Center. The updated GPMC isn't available for XP systems.
Group Policy Preferences help you do more than you originally could with Group Policy. With that in mind, let's examine some areas where Group Policy Preferences can help you expand on your Group Policy investment.
Deploying Printers
Deploying printers via Group Policy used to be a dream many administrators shared. This feature finally debuted with Windows Server 2003 R2, although administrators widely criticized it at first. For starters, the feature requires a schema update. It also requires that administrators place an add-on within their startup and logon scripts. And, worst of all, it didn't work consistently.
Deployed Printers policy settings are found in GPE at \Computer Configuration\Policies\Windows Settings\Deployed Printers and \User Configuration\Windows Settings\Deployed Printers. Note that you won't see the Deployed Printers node on a Server 2008 or Vista management station until you load the Print Management components, which you can install by using the RSAT tools; they're under the Feature section within \Remote Server Administration Tools\Role Administration Tools\Print Services Tools.
Compared to Deployed Printers, the Group Policy Preferences Printers feature tends to get most of the limelight. It requires no schema extensions and no startup or logon script updates—it just works. The Group Policy Preferences Printers node is found in two places: \Computer Configuration\Preferences\Control Panel Settings\Printers and \User Configuration\Preferences\Control Panel Settings\Printers. This feature lets you deploy TCP/IP and local printers (user- or computer-side) or shared printers (user-side only).
As long as the Group Policy Preferences client is installed on the target machine, printer deployment is a dream.
Group Policy Preferences aren't available for Windows 2000, so if you need to deploy printers on those systems, you should continue using the older Group Policy Deployed Printers method.
Controlling IE
Group Policy has several ways to manage one of Windows' most popular applications, Microsoft Internet Explorer. The original policy settings can be found under either User Configuration or Computer Configuration at \Policies\Administrative Templates\Windows Components\Internet Explorer. These settings can help you lock down what users can and can't do with IE.
Additional IE settings called IE Maintenance are found at \User Configuration\Policies\Windows Settings\Internet Explorer Maintenance. Some of these settings perform policy-style lockout; others let users work around predefined settings.
Group Policy Preferences' Internet Settings adds some new tricks. As Figure 1 shows, the IE settings are found at \User Configuration\Preferences\Control Panel Settings\Internet Settings. Setting preferences for items means that you establish initial settings, but users are able to change them. For instance, you might set your company's web page as the home page for all users, but allow them to change it later if they choose. Preferences are similar to IE Maintenance settings in this way; yet the administrative interface for Group Policy Preferences Internet Settings is exceptionally refreshing: It actually looks like Internet Explorer, which delights most administrators.
Power Management
Vista shipped with some very good power management functions. They're found under \Computer Configuration\Policies\System\Power Management. These settings control sleep settings, what happens when you push various power buttons, when the hard drive should spin down, and more, but they're usable only for Vista.
As Figure 2 shows, the Group Policy Preferences Power Options settings are found under Computer Configuration and User Configuration within \Preferences\Control Panel Settings\Power Options. These settings bring new Group Policy–based power management features to XP. This addition to the power management family brings a hugely desired feature to a large install base. What's more, the UI for configuring Power Options and Power Schemes looks strikingly similar to the XP interface, shortening the learning curve so that administrators can be quickly proficient with this new functionality.
Manipulating Files
Administrators sometimes want to set file security on specific files on desktops and servers. Instead of running out to each machine, they can use Group Policy to do it. Actually getting those files to desktops and servers has been another story altogether. You either need to copy files manually or use a logon script or something similar to do it.
However, with Group Policy Preferences Files, found at \Computer Configuration\Preferences\Windows Settings\Files, you can deliver a file—or multiple files—to a client. And with Group Policy File Security policy settings, located within \Computer Configuration\Policies\Windows Settings\Security Settings\File System, you can set the ACLs on those files. What a magic combination!
Previous
Register
