-
Group Policy Preferences
-
Group Policy Prerogative
-
Group Policy YesNoMaybe
-
Group Policy Choices
EXPLANATION
Group Policy is a feature of the
Microsoft Windows NT family of operating systems that controls the
working environment of user accounts and computer accounts. Group Policy
provides centralized management and configuration of operating systems,
applications, and users' settings in an Active Directory environment. A
version of Group Policy called Local Group Policy also allows Group
Policy Object management on standalone and non-domain computers.
In the beginning of Group Policy evolved out of what was called
"System Policies." These were what we now call the Administrative
Template extension or registry-based policy settings. These settings are
considered to be "true" policy settings as opposed to what was then
termed "preference" settings. What is the difference between GP policy
settings and preferences?
GP policy settings will:
- not tattoo. In other words, when a Group Policy
object (GPO) goes out of scope, the policy setting is removed allowing
the original configuration value to be used.
- supersede an application's configuration setting.
In other words, when a GP policy is configured to a value, the
application is aware of that value and always uses it over the
configurable value.
- be recognized by an application. In other words,
the display of the configuration item under control of a GP policy
setting will be unavailable through the user interface. This is where
graying out a configuration item on a menu, not displaying a dialog box,
or providing a pop-up message explaining the current feature is under
administrator control is used to inform the user they can't configure an
option.
Preference settings will:
- tattoo. In other words, when a GPO goes out of
scope, the preference value will remain in the registry. An
administrator is responsible for making sure these values are set to
disable, prior to the GPO going out of scope, if the administrator wants
the preference setting removed. The preference setting will not be
replaced with the original application configuration value.
- overwrite an application's configuration setting.
This is accomplished by overwriting the original user configured-value
for the application. No effort is made to retain the original value
before overwriting the value with the preference setting. And, as was
noted in 1, the overwritten value will not be removed when the GPO goes
out of scope.
- not be recognized by an application. In other
words, the application's user interface will allow a user to change the
configuration item. Most importantly, the Group Policy engine only
recognizes when a GPO changes, not when the preference value has been
changed. This means the preference setting will be applied once and not
automatically reapplied if the user changes the value of the
configuration item.
There was a desire to create a registry-based setting that was a
melding of the GP policy settings with the preference settings which
became the GP preferences. Unlike, preference settings, GP preference
settings' behavior is configurable to act differently than a preference
setting depending on the options you select.
GP preference settings will:
-
tattoo, by default. In other words, when a Group Policy object (GPO) goes out of scope, the GP preference setting will be remain in the registry.
However, you can change the behavior of the GP preference setting by
selecting the "Remove this item when it is no longer applied" option for
a specific GP preference setting. After selecting this option, the GP
preference setting will be removed when the GPO goes out of scope.
-
overwrite an application's configuration setting.
This is accomplished by overwriting the original user configured-value
for the application. The original value will not be retained when the
application's configuration setting is overwritten by the GP preference
setting.
If the option to "Remove this item when it is no longer applied" has
been selected, the GP preference setting will be removed. The
application will use the default configuration value, not a previously
set user configuration value.
-
not be recognized by an application. In other
words, the application's user interface will allow a user to change the
configuration item. By default, the GP preference setting will be
automatically reapplied at every GP refresh, not when the application's
configuration value has been changed by the user.
Now the administrator can select the "Apply once and do not reapply"
option. This will change the GP preference setting's behavior to only
apply the GP preference setting value once and not apply again, even if
the user has changed the application's configuration value.
When dealing with registry-based settings the differences between
preference settings and GP preferences are subtle. The biggest
difference I want to call out here is that while preference settings are
always used in connection with registry-based settings, GP preferences
can configure more than just registry-based settings. For more
information check out the paper providing an overview of Group Policy
preferences,
http://go.microsoft.com/fwlink/?LinkId=103735.