I always say that Microsoft does some awesome things and some not so awesome things. Windows Me… not so great. Group Policy Preferences… AMAZING! If you have not heard of Group Policy Preferences you have probably not been paying much attention to what has been going on, but you are not too late! Group Policy Preferences are Group Policy settings, but with new options and features. They include over 3000+ settings and can control areas of the operating system that no one ever thought were possible. The benefits do not just stop there either. Group Policy Preferences can be set for Windows XP SP2 and Windows Server 2003 SP1 computers, as well as Windows Vista and Windows Server 2008. I am sure that most of you are running at least one of these operating systems for the majority of your network, so do not wait… implement them today! Let me show you how to get them up and running.
Group Policy Basics: Two parts
In order to fully grasp the concept of what needs to be done with Group Policy Preferences, let us first look at how Group Policy is divided. The first part is deployment and on the other implementation. For starters, let me say that Group Policy technology is not agent based. So, there will be no need for any agents to be distributed. It is very important to understand that there will not be any performance degradation by just deploying the capability of your computers to use and implement Group Policy Preferences.
The first part of Group Policy is the “server side” component. This is, in essence, the “administrative” console. Since Windows XP was launched, we have been using the Group Policy Management Console (GPMC) and the Group Policy Object Editor (GPOE), which is built into the GPMC. This interface allows you to see the various Group Policy settings such as; security options, software settings and finally, Administrative Templates. The GPMC can be installed on any operating system past Windows 2000. As I stated above, Windows 2000 can not administer or receive Group Policy Preference settings. The catch here is that the GPMC that supports Group Policy Preferences must be running on a Windows Server 2008 or Windows Vista computer.
I did not mention ANYTHING about the Windows domain version; this can be achieved on Windows 2000 if you want.
The second part of Group Policy deals with the “client side” component. The client side extension (CSE) is a DLL that sits on the computer that is going to receive the Group Policy setting. There are many CSEs, and now, with Group Policy Preferences there are 38 of them! For comparison’s sake, Windows XP SP2 came with about 15! Since it is a DLL (not an EXE or other file that executes by itself), there is no activity until the DLL is initiated by something else. The Group Policy processing on the target machine will deliver any new Group Policy settings to the DLL, which then applies the setting to the computer.
Getting the GPMC Installed Correctly
For those of you who feel that you have GPMC already, please read this portion anyway. I have seen too many administrators get frustrated due to the fact that they do not have the correct GPMC installed. Let me be as clear as I can about the rules of engagement in order to run the GPMC that supports Group Policy Preferences:
You must be running the GPMC on a computer that is running Windows Vista SP1 or Windows Server 2008. The computer that is running the GPMC must be connected to the Windows Active Directory domain.
If you decide to use Windows Server 2008 as the administrative computer for Group Policy Preferences, you will not have to install anything to get the tool on the box. Windows Server 2008 comes with GPMC availability, but maybe not visibly so. If you do not see the Group Policy Management Console on your list of Administrative Tools, you might need to enable the Group Policy Management feature. This will make the GPMC available on the computer. You will need to do this via the Server Manager console. Once in the Server Manager console, you will select the Features option on the left list of options. You can the Server Manager in Figure 1.
Figure 1: Server Manager allows you to add uninstalled or disabled features on Windows Server 2008
If you want to use Vista as your administrative computer, then you will need to perform a few more tasks first. Firstly, you will need to install the Service Pack 1. This will actually uninstall the older version of the GPMC that comes with the Release to Manufacturer version of Vista. The end result is that you are left with no version of GPMC at all. Secondly, you must install the Remote Server Administrative Tools (RSAT) (You can easily download it from Microsoft’s website). Thirdly, you must enable the GPMC on the Vista computer by adding the Windows feature.
If you want step by step instructions on getting the GPMC on a Vista computer, read my other article on the subject on WindowSecurity.com.
When you have the new GPMC installed, you can administer Group Policy Preferences. Just edit any GPO from the GPMC and expand the Preferences node under the Computer or User Configuration node. From there, you will be able to configure any of the settings as shown in Figure 2.
Figure 2: The new GPMC and GPME allow you to see and configure Group Policy Preferences
Getting the CSE Installed Correctly
Now that you have the administrative part of the Group Policy Preferences installed, you are ready to get the target computers prepared. Remember, the following operating systems can be a target for a Group Policy Preference setting:
- Windows XP SP2
- Windows Server 2003 SP1
- Windows Vista
- Windows Server 2008
If you have a Windows Server 2008 computer as a target, you do not need to install the CSE, it is there by default!
There are a few options available in order to install CSE. First of all, you can perform a manual installation by downloading the KB943729 article installations for the CSEs. Here are those article references:
A second option would be to use WSUS to download and install the CSEs. You will need to go into the optional downloads, where you find the CSEs.
Once you install the CSEs, you only need to have a Group Policy Preference configured in a GPO that is targeted to the computer. The setting will now apply and you are using Group Policy Preferences!
There are two steps that you need to perform to get Group Policy Preferences installed and deployed. First of all, you need to get the GPMC installed on a Windows Server 2008 or Windows Vista computer. From here you can configure any of the Group Policy Preference settings. Second, you need to install the CSE on each computer that will be receiving the Group Policy Preference setting. This is either installed manually or you can use WSUS to perform the installation. In either case, once you have the Group Policy Preference set in a GPO and the CSE installed, the Group Policy Preferences will apply! With over 3000 settings to choose from, there is no reason to move forward with Group Policy Preferences.