What is the difference between a group policy and a group policy preference?
Group Policy Preferences are a set of extensions, introduced in Windows Server 2008, that increase the functionality of Group Policy Objects (GPOs). Show The extensions, which are accessible through the Group Policy Management Console (GPMC), include advanced settings for folders, mapped drives and printers. With Group Policy Preferences, administrators can deploy and manage applications on client computers with configurations targeted to specific users. In many cases, they can replace the use of logon scripts. Although Group Policy Preferences were first implemented in Windows Server 2008, administrators for Windows Server 2003, Windows XP and Windows Vista can use them by installing Group Policy client-side extensions. I recently had a good conversation with a fellow Group Policy MVP about the difference between policies and preferences (i.e. Group Policy Preferences). He asserted that with preferences, the “user can work around the settings (generally.)”. This got me thinking about what the difference really is between a policy and a preference, in the context of Group Policy. At the end of the day, what Group Policy delivers in terms of configurations settings are subject to the rules of the Windows OS security model. This security model is baked deeply into the OS and really covers all aspects of what you can do in Windows. With respect to Group Policy, we’re usually only concerned with managing a subset of those elements of the OS that affect a user or computer. For example, we might use security policy to grant an AD group the ability to remote desktop into all of our corporate desktops. Or we might muck with the registry to impact the behavior of a particular application. In fact, these two examples underscore the foundation of my discussion around policies vs. preferences. Regardless of what we call it, Group Policy has two main jobs in life:
OK, so how does this all relate to “policies” vs. “preferences”? The bottom line is that the distinction between the two is mostly marketing, in my opinion. They needed a name to call the features that were included from the acquisition of the DesktopStandard PolicyMaker product and Preferences sounded good, because many of the things you can configure in Group Policy Preferences — the user is able to change. Take for example, drive mappings. I can define a GPP drive mapping for a given set of users, but there is nothing to stop the user from going into My Computer and removing that mapping. GPP can certainly be configured to re-apply the mapping when GP updates in the background, but there is nothing you can do to prevent the user from deleting the mapping, because Explorer was not explicitly coded to have that feature locked down when delivered by GPP. On the other hand, there are plenty of per-Computer GPP settings (e.g. system environment variables, device restrictions, registry changes to HKLM) that a non-administrative user cannot work around by virtue of basic Windows security permissions. So, as we can see, the distinctions are blurry and do roughly fall based on whether the setting we’re talking about is delivered per-computer, for which Windows security does not typically allow normal users to change, or per-user, which a user typically has access to modify, and whether the setting is being enforced by Windows security, or a particular application. Here’s my bottom line. Regardless of whether you call it a policy or a preference, if it relies on Windows security to keep it enforced, then it won’t be worked around (unless the user is given privileged access to their system). If it relies on an application to keep the setting enforced, and Windows security allows the user to modify or work around the setting, then all bets are off. This holds true for both the official “policies” as well as GP “Preferences”. What are the two types of GPO filtering?Default Group policy settings
To exclude certain users or computers, or to apply filters only to a select few, you can filter the group policies in two ways: Security filtering. WMI filtering.
What are the three types of GPOs?There are three types of GPOs: local, non-local and starter.. Local Group Policy Objects. A local Group Policy Objectrefers to the collection of group policy settings that only apply to the local computer and to the users who log on to that computer. ... . Non-local Group Policy Objects. ... . Starter Group Policy Objects.. What is the difference between Group Policy and Group Policy object?A Group Policy Object (GPO) is a virtual collection of policy settings. A GPO has a unique name, such as a GUID. Group Policy settings are contained in a GPO. A GPO can represent policy settings in the file system and in the Active Directory.
What is a GPP policy?Group Policy Preferences (GPP) allow you to specify computer and user configuration settings. These settings allow granular configuration not available using regular Group Policy.
|