
Group policy preferences

Date post: 21-Dec-2014
Upload: rob-dunn
Description:
This was a quick presentation I made at our local Rockford SpiceCorps. The idea was to show an alternative way of easing the logon process from a maintenance standpoint, specifically for admins who were not script-savvy.
GROUP POLICY PREFERENCES Easing your way out of logon scripts Rob Dunn
Transcript
  • 1. GROUP POLICY PREFERENCES
       Easing your way out of logon scripts
       Rob Dunn

  • 2. WHY USE GROUP POLICY PREFERENCES?
       "During your career as an IT professional, you've likely mapped network drives for users. You probably configured them using logon scripts. This required you to write and debug the logon script, store the script in a central location, and then run the script by configuring User objects in Active Directory directory service or by creating a Group Policy object (GPO). Think about all the other settings you've configured using logon scripts or similar methods. A simple, central system to configure and deploy these settings without requiring you to make scattered changes that are easily forgotten and seldom documented would certainly help reduce costs and make your job easier, wouldn't it?" - Microsoft

  • 3. WHY USE GROUP POLICY PREFERENCES OVER LOGON SCRIPTS?
       • Writing and debugging logon scripts can be troublesome for newcomers
       • It takes a moderate amount of coding/logic to specify certain settings to apply to certain people or computers through scripting
       • Scripts typically occur at logon/logoff
       • Group Policies are applied periodically throughout the day or when forced using gpupdate (can be done remotely)
       • Group Policy Preferences can be run under the logged-on user's security context
       • Group Policies are easier to navigate and edit for people who have grown accustomed to a GUI

  • 4. GROUP POLICY PREFERENCES VS. SETTINGS. WHAT'S THE DIFFERENCE?
       • Preferences: Desired settings for a user or computer. Maybe they will need to be changed later at the console.
       • Settings: Required settings for a user or computer. The settings cannot be modified by the end-user.

  • 5. Group Policy Preferences compared with Group Policy Settings
       • Enforcement
           Preferences: Preferences are not enforced. User interface is not disabled. Can be refreshed or applied once.
           Settings: Settings are enforced. User interface is disabled. Settings are refreshed.
       • Flexibility
           Preferences: Easily create preference items for registry settings, files, and so on. Import individual registry settings or entire registry branches from a local or a remote computer.
           Settings: Adding policy settings requires application support and creating administrative templates. Cannot create policy settings to manage files, folders, and so on.
       • Local Policy
           Preferences: Not available in local Group Policy.
           Settings: Available in local Group Policy.
       • Awareness
           Preferences: Supports non-Group Policy-aware applications.
           Settings: Requires Group Policy-aware applications.
       • Storage
           Preferences: Original settings are overwritten. Removing the preference item does not restore the original setting.
           Settings: Original settings are not changed. Stored in registry Policy branches. Removing the policy setting restores the original settings.
       • Targeting and Filtering
           Preferences: Targeting is granular, with a user interface for each type of targeting item. Supports targeting at the individual preference item level.
           Settings: Filtering is based on Windows Management Instrumentation (WMI) and requires writing WMI queries. Supports filtering at a GPO level.
       • User Interface
           Preferences: Provides a familiar, easy-to-use interface for configuring most settings.
           Settings: Provides an alternative user interface for most policy settings.

  • 6. WHAT YOU'LL NEED: ADMIN SIDE
       Where do the new preferences come from?
       • Windows Vista (or newer) or Windows 2008 with GPMC installed
       • Preferences can be edited/viewed using the supported OSs above.

  • 7. WHAT YOU'LL NEED TO APPLY PREFERENCES: CLIENT SIDE
       • Windows Vista or newer
       • Windows Server 2003 SP1+
       • Windows XP SP2+
       • Client Side Extensions* (CSEs) and XMLLite low-level XML Parser*
       * Windows 7 & Server 2008 already have the needed extensions built in. The XMLLite Low-Level XML Parser is included with IE7+ and/or Server 2003 SP2 / Windows XP SP3 installations.
       Info and downloads:
       • Microsoft TechNet - http://goo.gl/cxtun
       • Windows Networking.com article - http://goo.gl/naKvc

  • 8. DEPLOYING CSEs: METHODS
       • MS WSUS (Windows Server Update Services, FREE)
       • MS System Center Configuration Manager (i.e. SCCM, aka SMS in the old days) or other systems management tool like Altiris or Zenworks
       • Logon/Logoff Scripts
       • Scheduled Tasks
       • Manually via PSExec
       • Sneakernet

  • 9. DEPLOYING XMLLITE PARSER
       If you do have WSUS, you don't have the option to deploy XMLLite automatically. But there are some other things you CAN deploy with WSUS, which subsequently install the XMLLite parser as part of their package:
       • IE7+
       • XP SP3 / Server 2003 SP2
       * Installation not needed for Windows Vista or higher
       Info and downloads: Microsoft TechNet - http://goo.gl/cxtun

  • 10. WHAT CAN YOU DO WITH GPP?
       • ODBC Data Sources
       • User and Group Preferences
       • Power Settings
       • Printers & Mapped Drives
       • Scheduled Tasks & Services
       • Copy, Update or Remove Files/Folders
       • Application Shortcuts
       • INI Files/Registry Entries
       • VPN Connections (Windows-based)
       • Disable USB for specific device types
       • Etc.

  • 11. WHAT CAN'T YOU DO?
       Group Policy Preferences are not intended to be able to run processes at startup. You will need to utilize some sort of script or other method to accomplish this (Scripts, Altiris, SCCM, etc.).

  • 12. EASY TO USE
       Adding a user group to the local Administrators Group

  • 13. TARGETING SETTINGS TO COMPUTER OR USER
       Using the prior method of Group Policy Settings:
       In Group Policy Settings, this was called WMI Filtering. WMI Filtering required some knowledge of WQL (like SQL). Queries could be written so that policies could be applied to computers or users that fulfilled the criteria specified in the query. For example:

           Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"

       This would apply the ENTIRE policy only if a computer had Windows XP Professional installed.

  • 14. TARGETING SETTINGS TO COMPUTER OR USER USING ITEM LEVEL TARGETING
       Item Level Targeting allows for granular deployment of preferences and configurations to computer/user objects based upon a number of different criteria:
       • If a computer has a battery
       • If an object is a member of a particular security group
       • If a computer has a specific IP address
       • If an object is a member of a particular OU (Organizational Unit)
       • Etc., or a combination of (but not limited to) the prior items
       This can be done using a familiar Windows tree-navigable interface. One policy can contain different settings applied to objects using different criteria. No need for multiple policies applying the same settings to different OSs (for example).

  • 15. Examples of criteria you can use for Item Level Targeting

  • 16. Example 1: Map a drive based on group membership

  • 17. Example 1: Map a drive based on group membership
       • Create, Replace, Update or Delete mapping
       • Specify alternate credentials (optional, common tab allows further settings)

  • 18. Example 1: Map a drive based on group membership
       • Map with user permissions
       • Click here for Item-Level Targeting

  • 19. Example 1: Map a drive based on group membership

  • 20. Example 1: Map a drive based on group membership

  • 21. Example 1: Map a drive based on group membership

  • 22. Example 2: Configure Power Management Settings
       Note: this is a Control Panel Preference

  • 23. Example 2: Configure Power Management Settings
       Note: this is a Control Panel Preference

  • 24. Example 3: Reset Local Administrator Password
       Computer Configuration

  • 25. Example 3: Reset Local Administrator Password

  • 26. Addendum: The F5-F8 Keys
       A WORD ABOUT F5-F8 KEYS
       Some preferences have multiple options within a configuration window. IE preferences, power settings and Start Menu options are good examples of these. It is important to note that you can control these preferences within the window either individually or entirely by using the F5 through F8 keys on your keyboard. Here's what they do:
       • F5 activates all visible options (green)
       • F6 activates only the option that currently has focus (green)
       • F7 deactivates only the option that currently has focus (dashed red)
       • F8 deactivates all visible options (dashed red)
       These are extremely useful if you only want to configure a single preference out of a large grouping.

  • 27. Addendum: The F5-F8 Keys
       A WORD ABOUT F5-F8 KEYS

  • 28. VARIABLES AVAILABLE FOR USE
       Variables can be used in some situations: file, registry, and drive operations are good examples. Press F3 when in an appropriate field to view them.
       Example: To map a drive to a folder named after the computer on a share, you could use \\server\share\%ComputerName%
       Note that %LogonUser% is used as the user name variable as opposed to %UserName%; see http://goo.gl/d0NpaV

  • 29. SUMMARY
       • If you have Windows 2008 or Windows Vista (or higher) on your network, you can use Group Policy Preferences through the GPMC.
       • GPP is not typically considered a way to secure an object, but a way to configure default system preferences for a user/computer. Group Policy SETTINGS are used to disallow system preferences from being altered.
       • You can specify many preferences within the same policy for a variety of combinations of user and computer objects using Item Level Targeting.
       • Use the F5-F8 keys to enable/disable individual or all options in a window which contains many preferences.
       • Since Group Policies are applied periodically throughout the day by default, many preferences will be set throughout the day as the policy refreshes (some limitations apply to settings that are set when run in the logged-on user's security context).
       • You can replace a lot of the functionality of a logon script with GPP, while easing the burden of maintenance for your IT staff.
       • You still need a way of running processes at user startup, i.e. via script or another alternative method to GPP.

  • 30. LINKS
       • Group Policy Preferences: Getting Started (includes downloads for clients): http://goo.gl/cxtun
       • Microsoft Group Policy Home Page: http://goo.gl/rt2sn
       • Group Policy Preferences Overview (Doc): http://goo.gl/fzpF7
       • 10 things GPP can do better than your current script: http://goo.gl/QmSjV
       • Environment Variables in GP Preferences: http://goo.gl/d0NpaV

  • 31. QUESTIONS?
       Rob Dunn
       http://goo.gl/x79Wv
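
The PowerShell below is an added example, not part of the original slides. It reads a preference XML file of the kind a GPO keeps under SYSVOL and reports, for each item, its action (Create, Replace, Update, Delete), its item-level targeting filters, and whether a password is stored with the item, as can happen with the alternate credentials of Example 1 and the password reset of Example 3. The function name Get-GppItem, the sample XML and the EXAMPLE\ names are constructed for illustration.

```powershell
# Added example (not from the slides): list preference items with their action,
# item-level targeting filters, and whether a password is stored with the item.
function Get-GppItem {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Source = '(inline sample)'
    )
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    # Each preference item keeps its settings in a <Properties> child element.
    foreach ($props in $Xml.SelectNodes('//Properties')) {
        $item    = $props.ParentNode
        $filters = $item.SelectSingleNode('Filters')
        $action  = $props.GetAttribute('action')
        [pscustomobject]@{
            Source         = $Source
            ItemType       = $item.LocalName
            Name           = $item.GetAttribute('name')
            Action         = if ($actions.ContainsKey($action)) { $actions[$action] } else { '(not set)' }
            Targeting      = if ($null -ne $filters) {
                                 @($filters.SelectNodes('*') | ForEach-Object { $_.LocalName }) -join ', '
                             } else { 'none' }
            # A non-empty cpassword attribute means a credential is kept in the GPO.
            StoredPassword = [bool]$props.GetAttribute('cpassword')
        }
    }
}

# Constructed sample in the shape of a Drives.xml preference file (not from a real GPO).
$sample = [xml]@'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\server\share" letter="S" userName="" cpassword=""/>
    <Filters><FilterGroup bool="AND" not="0" name="EXAMPLE\Sales"/></Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="R" path="\\server\tools" letter="T"
                userName="EXAMPLE\svc-map" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </Drive>
</Drives>
'@
Get-GppItem -Xml $sample | Format-Table -AutoSize

# Against a domain ($Policies is a placeholder for \\<domain>\SYSVOL\<domain>\Policies):
# Get-ChildItem $Policies -Recurse -Filter *.xml |
#   Where-Object { $_.FullName -like '*\Preferences\*' } |
#   ForEach-Object { Get-GppItem -Xml ([xml](Get-Content $_.FullName -Raw)) -Source $_.FullName }
```

By default every authenticated domain user can read the preference XML under SYSVOL, so items that report StoredPassword as True are worth reworking so that no credential is kept in the GPO.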

