Group Policy Preferences: Why Windows Server 2008 Will Change the Way You Work

I confess: I like group policies. They are and have always been a great way of managing computer and user settings ever since their conception and introduction with Windows 2000. Of course, at the beginning management tools were nonexistent. But we were so happy not to have to rely on NT4’s system policies any more that we did not even notice. Then came GPMC, and life started to become truly great. RSOP! Group Policy modelling! Those are great tools for every admin!

Only lately have we begun wondering whether the no-tattooing-approach of group policy is the best of breed for all situations. It has one severe disadvantage: settings disabled by group policy are effectively a no-go-zone for the user: he or she typically cannot change or even see the setting in question. This behavior is exactly what is desired in many cases. But the admin-knows-all-user-knows-nothing approach is not always applicable. In many cases we simply want to provide the users with reasonable default settings and let them fine-tune their personal environment to their liking. In other cases we need to map network drives, populate the desktop with icons or set file type associations. That cannot be done with group policy.

Well, that is not true any more. Recently Microsoft announced they would expand “traditional” group policies with “Group Policy Preferences” (GPP). I personally deem this one of the most important changes in Windows Server 2008.

What Does GPP Do?

To put it simply, GPP adds user environment management tools to every admin’s toolbox. Want to set or change environment variables? GPP is the way to go. Copy file or modify folders? Set registry values? Create local users or groups? Customize the start menu? GPP does it all. And you can configure whether this happens once per user or every time group policy is applied.

How Does it Work?

About a year ago Microsoft acquired the company DesktopStandard along with their product PolicyMaker (PM). PM uses a client-side extension (CSE, a DLL, really) to provide all the new functionality on the group policy client, whereas an additional DLL on the server-side provides the administrative interface. When a user logs on, all the registered CSEs get called by the group policy engine one after the other. Each CSE processes its specific settings. The best-known CSE is the registry CSE that imports all the group policy registry settings into the user’s or computer’s registry hive. DesktopStandard simply added another CSE that processes their specific settings and maps drivers, connects network printers and, simply put, just goes about its work.

Where Does This Work

Here comes the great part: all this new functionality not only works on Server 2008 and Vista, but also on Windows XP SP2 and Server 2003 SP1! You just need to install the CSE DLL on those systems.

What Does This Mean For The Admin?

Without having to rely on third-party tools administrators have an extensive toolbox on their hands that allows them to customize their users’ environment in great detail. Prior to GPP this was often done with custom script frameworks, which are difficult to understand and maintain. Well, those days are gone!

References:

The Group Policy Team Blog
Kurt Roggen’s Blog

, ,

Trackbacks/Pingbacks

  1. Nicholas Dille » Blog Archive » Shadow Keys: A Relict from Ancient Times - July 8, 2008

    […] of relying on shadow keys, I recommend to familiarize and migrate to Group Policy Preferences (see Group Policy Preferences: Why Windows Server 2008 Will Change the Way You Work and Group Policy Preferences in Windows Server 2008) allowing for the proper management of […]

Leave a Reply