Windows Server 2008 Directory Services, Group Policy Preferences -- Common Options

by Marcin Policht

We've looked at the basic principles behind Windows Server 2008 Directory Services and explained its categorization, which divides preferences into Windows Settings and Control Panel Settings. Now it's time to check out the common options that provide additional functionality and impact settings in both categories.

In the recent installments of our series dedicated to the most prominent features available in Windows Server 2008 Directory Services, we have introduced the concept of Group Policy Preferences. It is important to note that our choice was driven by aspiration for completeness, rather than direct dependency on a specific version of Active Directory, since it is possible, and quite common, to deploy them with domain controllers running the Windows Server 2003 operating system.

So far, we have presented basic principles of this technology, as well as described its categorization, which divides preferences into Windows Settings and Control Panel Settings (depending on the type of components, which configuration they control).

This article will focus on a set of common options that provide additional functionality affecting settings in both categories.

While the information presented so far should help you realize the impressive range of changes that can be applied via Group Policy Preferences, their most impressive characteristic is the granularity with which you can manipulate their scope. This capability (known as item-level targeting) is exposed in Group Policy Management Editor console via the Options common to all items section on the Common tab of the Properties dialog box of each individual preference extension. The full listing of common options appearing in this interface is as follows.

Stop processing items in this extension if an error occurs

If you have several items of the same extension type (e.g., several drive map entries) within a given GPO, they are processed in sequence (starting from the bottom of the list, with the top one applied last and therefore taking the precedence in case of a conflict) and independently of the others. By enabling this option, you can alter this default and skip processing the remaining items within the same extension (and the same GPO) if an error is encountered.

Run in logged-on user's security context (user policy option)

Applicable to preferences that are part of User Configuration settings, it designates that associated with it change should be carried by impersonating the current user, instead of the Local System account. The option's checkbox is automatically grayed out for all items appearing in the Computer Configuration section of Group Policy Management Editor. Keep in mind that this particular option has no relevance in regard to Drive Maps and Printers settings, which always follow the context in which they are defined (User or Computer Configuration node).

Remove this item when it is no longer applied

This eliminates a change introduced by a preference setting after their target (a user or computer) is removed from management scope. It might happen as the result of a move to a different Organizational Unit or an exclusion based on item-level targeting or WMI and security group filtering. This does not, however, apply to those that implement Delete action.

Although this option to some extent mitigates the persistent nature of Group Policy Preferences (which, in this aspect, behave differently than Group Policies), it does not imply that resulting configuration reverts to its original state. Rather, it means current settings are removed, which might have undesired consequences. Fortunately the preference items that pose a threat to system stability (e.g., Folder Options, Internet Settings, Power Options, Regional Options, Services, or Start Menu) as well as those for which removal does not make sense (e.g., Immediate Task subitem of Scheduled Tasks) have this option automatically disabled (grayed out).

Keep in mind that enabling this option substitutes originally assigned action with Replace, which first removes and subsequently re-creates a desired setting while the target is in scope. This, in turn, could affect end-user experience, especially during background Group Policy refresh intervals. In addition, any custom modifications to a target component (such as password changes to accounts created via Local Users and Groups extension), will automatically be overwritten when that preference is reapplied.

Apply once and do not reapply

By default, preferences comply with the same set of rules as Group Policy in regard to events that trigger their processing, including computer startup, user logons and periodic refresh intervals following each. This option allows you to alter this behavior such that the corresponding change is applied only once. This is accomplished by recording the GUID associated with that particular preference item. This is determined by identifying the id parameter in its XML file within a GPO-specific folder under SYSVOL share) in the registry hive associated with the target (HKLMSoftwareMicrosoftGroup PolicyClientRunOnce and HKCUSoftwareMicrosoftGroup PolicyClientRunOnce for computer- and user-based settings, respectively.

During the Group Policy processing cycle, these entries are identified and automatically excluded from the refresh. As a result, if any of such settings are modified after their initial deployment, they will retain their new configuration, rather than revert to their previous state defined via Group Policy Preferences. It is important to note that the registry entries are populated even if the target does not belong to the scope determined by item level targeting. They are also not a subject to the Stop processing items in this extension if an error occurs option described above.

Page 2: Item-level targeting

Follow ServerWatch on Twitter

Item-level targeting

Item-level targeting provides significantly enhanced granularity in defining criteria that must be satisfied for a preference item to take effect. Such criteria are evaluated on per-item level, rather a per-GPO basis, as is the case with traditional filtering mechanisms that take into account such factors as a security group membership or an outcome of a WMI-based query. Conditions considered when performing these evaluations include the following. With a few exceptions that we will point out, they are applicable to both computer and user-based preferences:

  • Battery Present - checks for the presence of a battery on a target computer, facilitating deployment of distinct preferences to laptops, if different from those applied to desktops and servers.
  • Computer Name - makes application of a group policy preference item dependent on the NetBIOS (as determined by the value of COMPUTERNAME environment variable) or DNS name (which involves translating it into a corresponding IP address and comparing its value to addresses assigned to local network adapters) of the target computer. It is possible to use wildcards, with ? and * designating, respectively, any single and multiple characters.
  • CPU Speed - restricts the scope of the corresponding preference setting to computers with a processor faster than the value defined here. This can be assigned either directly (by providing a number representing clock speed in MHz) or by leveraging one of System Defined Variables, selected from the list displayed by pressing F3 while the cursor is present in the greater than or equal to listbox.
  • Date Match - assigns a schedule, including frequency (Weekly, Monthly or On date) of deploying the preference setting to a target computer.
  • Dial-Up Connection - makes deployment contingent on the connected status of a specific dial-up connection. The list of available connection types is fairly long and includes Telephone modem accessed through a COM port, Virtual Private Network (VPN), Frame Relay, PPP over Ethernet (PPoE) and Any. This option is applicable only to User Configuration preferences.
  • Disk Space - accommodates scenarios where a preference item has a disk space dependency, allowing you to specify the minimum amount of free space (in GB) on an arbitrarily selected drive, identified either as System (which is determined by checking the value of SYSTEMDRIVE environment variable) -- if applicable -- or by the drive letter. The latter includes mapped network drives.
  • Domain - uses the NetBIOS domain name (which can be specified explicitly or assigned via System Defined Variables) to restrict the application of the corresponding preference item depending on whether the target computer or user are its members. This is determined by comparing the value you provide against the DOMAINNAME environment variable.
  • Environment Variable - targets users or computers based on values of either the user or system environment variables. Here as well you can specify them directly or leverage System Defined Variables. Note that this particular item presents interesting opportunities in regard to customizing the scope of GPP deployment, which involves defining environment variables that uniquely identify intended recipients.
  • File Match - takes into consideration either the existence of a file/folder (based on the Path textbox entry) or checks whether that file's version is within specified range, which accommodates values between 0 and 65535.
  • IP Address Range - allows you to set starting and ending boundaries of the IP address range that is compared against the IP address of a target computer. This gives you a considerably more flexible alternative to Active Directory Site-linked GPO deployments.
  • Language - determines whether a preference item is applicable depending on the user's or computer's locale, which combines a language and a corresponding geographic area where that language is spoken. Since this can be either a user or a computer characteristic, you have an option to designate an appropriate one by selecting the System or User checkbox. The latter is not available when using Computer Configuration. Alternatively, it is also possible to use a Native option, which relies on the version stamping resource of NTDLL.DLL file.
  • LDAP Query - runs a subtree, no chase-referrals search for user or computer objects in Active Directory based on an arbitrary LDAP filter. Its configuration involves specifying that filter, a Binding (designating the LDAP: or GC: protocol and a container where the search will be conducted), as well as an Attribute to be returned from the query. You also have an option to assign the value of returned attribute to an Environment variable. This, however, is limited strictly to ADSTYPE_DN_STRING, ADSTYPE_CASE_EXACT_STRING, ADSTYPE_CASE_IGNORE_STRING, ADSTYPE_PRINTABLE_STRING, ADSTYPE_NUMERIC_STRING, ADSTYPE_OBJECT_CLASS, or ADSTYPE_BOOLEAN data types.

  • MAC Address Range - allows you to designate a target computer by defining a range of MAC addresses that include those assigned to its network adapters.
  • MSI Query - defines targeting criteria that take into consideration properties of Windows Installer packages present on the target computer. These definitions combine Query type (such as Target exist, Version match, Get property, Match property, Get information or Match information) with Target type (such as Product, Patch or Component). Assigning appropriate values to each is simplified by a Select a Product dialog box (invoked via the Browse ... command button), which allows you to select among products, patches and components installed on the local computer on that the Group Policy Management Editor is running.
  • Operating System - identifies target computer based on Product (Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, or Windows Server 2008), Edition (this varies with the OS version, but may include, Standard, Enterprise, Web, 64-bit Enterprise, or 64-bit Datacenter), Release (Service Pack level), and Computer Role (such as Workstation, Member Server, or Domain Controller).
  • Organizational Unit - checks direct or indirect membership of a computer or user object in a designated Organizational Unit.
  • PMCIA Present - identifies a target computer based on the existence of at least one PCMCIA slot (which, in addition to Battery Present and Portable Computer options, might be helpful when targeting laptop computers). The identification is determined based on the presence of relevant drivers and the status of the corresponding hardware components.
  • Portable Computer - an option intended specifically for laptops that serves as an alternative to Battery Present and PMCIA Present, which also allows you to identify whether the target computers is in docked or undocked state.
  • Processing Mode - makes application of preference item dependent on the Group Policy processing mode. This mode can take the value of Synchronous (which means that computer or user Group Policy processing must be completed before subsequent actions, such as user logon or user desktop display are allowed), Asynchronous (permitting such actions while Group Policy processing is still in effect), or Background (taking place after initial computer startup or user logon in 90 to 120 minutes intervals). For each of them, you can also further narrow down the scope based on Processing conditions, which include Forced refresh (typically accomplished by invoking gpupdate with /force switch), Link transition (a change in link speed), No changes (unchanged version number of Group Policy Object), RSoP transition (a change in RSoP logging), Slow link (presence of slow network connection), Safe boot (operating in safe mode), or Verbose logging (highest level of logging enabled).
  • RAM - determines the scope by comparing amount of physical memory against an arbitrary threshold (in MB).
  • Registry Match - applies a Match type (including Key exists, Value exists, Match value data, and Get value data) against a specified registry location (key or value) to determine whether preference item should be applied. The last of these options also provides the ability to store the matching value in an environment variable.
  • Security Group - checks membership of a target user or computer in a designated domain-based, local or well-known group. It is also possible to make the processing contingent on that group being designated as the primary.
  • Site - evaluates the Active Directory Site membership of a target computer account.
  • Terminal Session - facilitates scenarios where group policy processing should be dependent on whether a user is logged on via a Terminal Services session (rather than interactively to the console). You can further narrow down the scope by specifying Type of protocol (which, by default, includes only Terminal Services option), and a session Parameter, such as Application name, Client name, Initial program, Session name, Working directory or Client TCP/IP address.
  • Time Range - matches local time on a target computer against an arbitrarily defined interval, allowing you to apply a preference item only during specific times.
  • User - available only for User Configuration items, identifies target users by their names (wildcards are allowed) or SIDs (in which case wildcards are not permitted).
  • WMI Query - uses WQL (WMI Query Language) to evaluate scope of the preference item processing. You must specify the actual Query, which takes the form of a SELECT statement) and WMI Namespace (set by default to Rootcimv2). In addition, you have an option to designate a WMI Property returned by the query, which will be assigned to an arbitrary environment variable (identified by Variable name entry).

Note that each of these targeting items can be grouped into collections (via Add Collection toolbar button), combined with others using Boolean operators (And, Or, Is, or Is Not), and labeled (for documentation and search purposes). Effectively, this gives you ability to construct elaborate sets of criteria that result in wide range of processing conditions.

Hopefully this overview provides a better understanding of configuration options that govern behavior of Group Policy Preferences.

Follow ServerWatch on Twitter

This article was originally published on Wednesday May 12th 2010
Mobile Site | Full Site