
Tuesday, February 23, 2010

Creating, Targeting, and Applying Group Policy Preferences

Creating a new Group Policy Preference (GPP) begins in much the same way as creating a new Group Policy. Start the process by launching the Group Policy Management Console (GPMC) on a Windows Vista (or later) or Windows Server 2008 (or later) computer. This may require the installation of the Remote Server Administration Tools, which can be downloaded from Microsoft's Web site. While GPP settings can be applied to down-level clients as far back as Windows XP (once the Group Policy Preferences client-side extensions have been installed on them), the GPP itself must be created using the GPMC on one of these newer operating systems (OSs).

Once launched, right-click Group Policy Objects and choose New to create a new GPO. Name that GPO and leave its Source Starter GPO field blank. Once created, right-click the new GPO and choose Edit to bring up the Group Policy Management Editor (GPME). In this example, we will create a set of GPPs that apply to particular sets of users. To do so, we will use the preferences found under User Configuration. Here, three settings will be configured for users. Although these scenarios may outwardly appear quite complex, they are representative of situations that are likely to arise in your own environment:

  • The H: drive must be connected to the user's home folder at \\server1\financehome for all users in the Finance Global Group.
  • The TEMP folder must be relocated to C:\MyTemp for any user who logs on to a computer where the home-grown application named CustomerApp is installed.
  • The shared printer at \\server2\printer1 will be automatically connected for any user on the 3rd floor. This floor has already been configured by network engineers to use an IP subnet which includes addresses from 192.168.3.2 through 192.168.3.254.

Each of these three preference items will be contained in a single GPO, which will be linked to the Users OU. In this domain, all users are a member of the User

Example 1: Enforcing a Mapped Drive

In this first example, the H: drive for Finance users contains sensitive information and must be segregated onto a separate server. Because of this separation, the GPP needs to verify that the user is a member of the Finance Global Group before connecting the mapped drive. This example is representative of the complex requirements administrators are often asked to encode into login scripts.
To accomplish this with a GPP, right-click User Configuration | Preferences | Windows Settings | Drive Maps and choose New | Mapped Drive. Fill out the resulting wizard screen as shown in Figure 1. You'll see that a location, drive letter, and label can be set, as well as alternate credentials for connecting the share. The drive can be hidden or displayed depending on your needs. Avoid the alternate-credentials option: the user name and password are written into the preference's XML file in SYSVOL, which every domain user can read, and the password is protected only by an AES key that Microsoft has published. Microsoft removed the ability to set these credentials in MS14-025 (2014); connect the drive under the logged-on user's own identity and grant share and NTFS permissions to the Finance group instead.

Figure 1: Creating a mapped drive for finance users.

Important here is the value for the box marked Action. While the specific options differ somewhat by the type of configuration being done, four actions are generally available:

  • Create. This action configures the preference only if the setting does not already exist. If the setting exists, no action is taken.
  • Replace. This action deletes the existing setting and recreates it, so the preference fully overwrites whatever was there.
  • Update. This is the default and the most commonly used action. It creates the setting if it does not exist; if the setting exists, it modifies only the properties defined in the preference and leaves the rest as they are.
  • Delete. This action removes the setting.

This first step configures the action that will be taken. The next step is to configure which users will actually receive the preference setting. Remember that this setting is one of three that reside in the same Group Policy Object that will be linked to the Users OU. To target this setting to just those users in that OU who are members of the Finance group, first click the Common tab. In the resulting screen, select the check box next to Item-level targeting, and click Targeting.

This action presents the Targeting Editor. Using this editor, it is possible to individually target each setting to users and/or computers based on a set of parameters, such as the computer's name, an IP address range, the operating system, or an installed application. Twenty-seven parameters are available in total for targeting each individual setting.

Figure 2: Targeting the mapped drive to only the Finance group.

In this first example, the drive mapping needs to be targeted only to users in the Finance Global Group. Do this by clicking New Item and selecting the Security Group parameter. This adds that parameter to the list as shown in Figure 2. Click the ellipsis (...) button to enter the Finance group's name into the parameter. Figure 2 shows how the CONTOSO\Finance group has been added to the Targeting Editor. The editor stores the group's SID alongside its name, so the targeting continues to work if the group is later renamed. Click OK twice to complete the wizard and the first example.

Example 2: Setting a New TEMP Folder for an Application

The second example shows how the needs of a specific application can be fulfilled through a GPP. Here, the application called CustomerApp requires a special location for its temporary files, set to C:\MyTemp. This is not the default temporary files location for the Windows operating system, and thus should only be configured for those users who have logged on to a computer where this application is installed.

By configuring this setting under User Configuration, we can ensure that the remapping of the TEMP folder follows users as they log on to multiple computers around the network. Any computer that a user who receives this policy logs on to will have that user's TEMP variable changed, provided the targeting below matches.

Accomplishing this task starts in the same way as the first task, by creating the Environment variable setting within the GPO. Do this by right-clicking User Configuration | Preferences | Windows Settings | Environment and selecting New | Environment Variable. The wizard for creating environment variables is less complex than the one for drive mappings, as fewer configurations are required. Figure 3 shows how this wizard should look when filled out for this example.

Figure 3: Updating an environment variable for an application.

As before, this step only sets the configuration. The next step is to target this configuration to the right users, a process that is once again done within Item-level targeting. Different this time is the parameter that will be used in targeting the preference setting. This time, click New Item | MSI Query to create a parameter that checks for the presence of an MSI-installed application on the computer.

In this example, the CustomerApp application was installed via MSI on the same computer where the GPME is being run. Clicking the ellipsis (...) button brings up the list of applications installed on that computer, where CustomerApp can be selected. Selecting this application adds its product code GUID to the parameter as shown in Figure 4. Note that the editor's own computer is used only to look up the product code; at processing time the query is evaluated against the Windows Installer database of the computer the user is actually logging on to.

Figure 4: Targeting the TEMP folder environment variable change to occur only when computers are installed with the CustomerApp application.

Multiple query and target types are available using this parameter. This granularity provides for specific versions of a product or even MSI properties to be matched for rich targeting. Even patches or components of a product can be targeted by changing the value of the target type field. Click OK twice to complete this configuration.

Example 3: Connecting a Printer Based on Location

The final example preference setting is one that has long been desired by Windows administrators: the ability to configure printers based on a user's location. This has been possible using traditional login scripts, but was difficult to encode properly into their textual logic. I have seen login scripts grow geometrically in size and complexity as organizations attempted to add location-based printer logic, to the point where they became challenging to debug down the road.

Group Policy Preferences alleviates this once again through its capacity for extremely granular levels of item targeting. Obviously, some differentiation must be made between computers in geographic locations for this type of targeting to work—differentiation that must occur outside the GPP infrastructure. But, if you have a way to isolate sets of computers from each other, this is a handy solution for making location-based configurations such as printer mapping.

In this example, the differentiator between computers is the subnet. Here, network engineers have divided a three-story building into three different subnets, with the first floor using 192.168.1.0, the second floor using 192.168.2.0, and the third floor using 192.168.3.0. This separation by subnet is a common occurrence in many businesses, and often makes for an excellent identifier to use in location-based configurations.

For this third example, the shared printer at \\server2\printer1 should be connected any time a user logs on to a computer on the third floor. Once again, by targeting this preference to users, it is possible to fulfill the needs of roaming users as they log on to multiple machines across many locations.

Figure 5: Setting a default printer based on location


Configuring the printer itself happens by right-clicking User Configuration | Preferences | Control Panel Settings | Printers and choosing New | Shared Printer. In the resulting wizard (see Figure 5), the shared printer at \\server2\printer1 is configured and set to be the default printer.

As before, this step is trivial in its implementation. The real power is in the targeting of this configuration to the right computers, a process that is once again done within Item-level Targeting.

Figure 6: Configuring an IP Address Range parameter.

In this third example, the network IP address is the differentiator between floors. For the third floor of this building, the IP address range of 192.168.3.2 through 192.168.3.254 corresponds to the correct set of desktop computers. As shown in Figure 6, add a new IP Address Range parameter covering that range. The range is checked against the addresses the client holds at the moment the preference is processed, so a multi-homed or VPN-connected machine with an address in that range will also match. Click OK twice to complete the wizard.

Multiple Targeting

To this point, the examples here have discussed how targeting can be accomplished against a single parameter. However, situations often arise where multiple parameters are necessary to fulfill the targeting needs of a preference setting. GPP's Targeting Editor provides a limited but sufficient set of logic for creating and linking multiple targeting parameters for these complex needs.
GPP's Targeting Editor provides three logic operators and a collection operator for connecting multiple targeting parameters together. The logic operators are AND, OR, and NOT (shown as "Is Not" on an item); each item's AND or OR joins it to the items above it, and the items are evaluated in the order listed. A collection groups several items so that they are evaluated together and yield a single TRUE or FALSE result, with their own AND, OR, and NOT inside, which is how precedence is made explicit when AND and OR are mixed. Figure 7 shows how five different targeting parameters can be gathered together for a highly targeted preference setting.

Figure 7: Aggregating multiple targeting parameters for very precise targeting of a preference setting.

Always remember that this capability for precise targeting of individual GPP settings must be considered together with where the Group Policy Object will eventually be linked. Collections of GPPs are all components of a GPO, which in and of itself must be linked to an OU (or site or domain) if it is to be applied to objects within it. Any targeting parameters configured within each GPP's settings can only narrow the scope set by that linkage and by the GPO's security filtering; they never widen it. Item-level targeting is also not a security boundary: the preference XML, including every item's targeting rules and any values it carries, sits in SYSVOL where all domain users can read it, regardless of whom the items are targeted at.
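The item-level targeting built in the three examples above, and the AND/OR/NOT/collection logic from this section, can be checked outside the GUI by reading the preference XML that the Group Policy Management Editor writes under SYSVOL. The following Python script is an added example for this article, not code from the original post or from Microsoft. It parses a constructed Drives.xml fragment with a Finance-style drive map carrying Security Group, IP Address Range, MSI Query and collection filters, reports each item's action and whether it carries stored alternate credentials (the cpassword attribute), and evaluates the filters against a hypothetical logon session. Assumptions: the element and attribute names (Drive, Properties, Filters, FilterGroup, FilterIpRange, FilterMsi, FilterCollection, bool, not, sid, min, max, productCode, cpassword) follow what the editor writes, while the clsid and uid attributes of the real files are omitted; the SIDs, product code and cpassword value are placeholders; and a mixed AND/OR chain is combined strictly left to right, so the sample puts its OR inside a collection, as you should whenever precedence matters.

```python
"""Evaluate GPP item-level targeting from a preference XML file.

Added example for this article, not Microsoft's or the author's code.
It reads the <Filters> block the Group Policy Management Editor writes into
Drives.xml under SYSVOL and reproduces the targeting logic for the parameter
types used above.  Element/attribute names are assumed to match the editor's
output; the clsid/uid attributes of the real files are omitted.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: SIDs, product code and cpassword are placeholders.
SAMPLE_DRIVES_XML = r"""<Drives>
  <Drive name="H:" status="H:">
    <Properties action="U" path="\\server1\financehome" letter="H" label="Finance Home"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CONTOSO\Finance" sid="S-1-5-21-1-2-3-1105" userContext="1"/>
      <FilterCollection bool="AND" not="0">
        <FilterIpRange bool="AND" not="0" min="192.168.3.2" max="192.168.3.254"/>
        <FilterMsi bool="OR" not="0" productCode="{11111111-2222-3333-4444-555555555555}"/>
      </FilterCollection>
      <FilterGroup bool="AND" not="1" name="CONTOSO\Contractors" sid="S-1-5-21-1-2-3-1120" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="P:" status="P:">
    <Properties action="C" path="\\server2\projects" letter="P"
                userName="CONTOSO\svc_map" cpassword="placeholder-base64"/>
  </Drive>
</Drives>
"""

ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}


def _eval_item(item, ctx):
    """Evaluate one targeting item, honouring its not="1" (Is Not) flag."""
    tag = item.tag
    if tag == "FilterGroup":          # Security Group: match on SID, falling back to name
        hit = item.get("sid") in ctx["group_sids"] or item.get("name") in ctx["group_names"]
    elif tag == "FilterIpRange":      # IP Address Range: inclusive min..max
        addr = ipaddress.ip_address(ctx["ip"])
        hit = ipaddress.ip_address(item.get("min")) <= addr <= ipaddress.ip_address(item.get("max"))
    elif tag == "FilterMsi":          # MSI Query: product code installed on the client
        hit = item.get("productCode", "").upper() in {p.upper() for p in ctx["msi_products"]}
    elif tag == "FilterCollection":   # Collection: nested items act as a single item
        hit = evaluate_filters(item, ctx)
    else:
        raise ValueError(f"unsupported targeting item: {tag}")
    return (not hit) if item.get("not") == "1" else hit


def evaluate_filters(filters, ctx):
    """Combine child items left to right using each item's bool (AND/OR).

    Strict left-to-right combination is an assumption of this example; put
    mixed AND/OR chains inside a FilterCollection to make precedence explicit.
    """
    result = None
    for item in filters:
        value = _eval_item(item, ctx)
        if result is None:
            result = value
        elif item.get("bool", "AND").upper() == "OR":
            result = result or value
        else:
            result = result and value
    return True if result is None else result


def audit_items(xml_text):
    """Summarise every preference item: action, targeting, stored credentials."""
    root = ET.fromstring(xml_text)
    rows = []
    for item in root:
        props = item.find("Properties")
        rows.append({
            "name": item.get("name"),
            "action": ACTIONS.get(props.get("action"), props.get("action")),
            "path": props.get("path"),
            "targeted": item.find("Filters") is not None,
            # cpassword = alternate credentials stored in the GPO XML; every
            # domain user can read SYSVOL, so treat any hit as an exposed secret.
            "stored_credentials": props.get("cpassword") is not None,
        })
    return rows


def applied_items(xml_text, ctx):
    """Names of the items that would be processed for the logon session ctx."""
    root = ET.fromstring(xml_text)
    out = []
    for item in root:
        filters = item.find("Filters")
        if filters is None or evaluate_filters(filters, ctx):
            out.append(item.get("name"))
    return out


# Hypothetical logon session: a Finance member at a third-floor desktop.
FINANCE_ON_FLOOR_3 = {
    "group_names": {"CONTOSO\\Domain Users", "CONTOSO\\Finance"},
    "group_sids": {"S-1-5-21-1-2-3-1105"},
    "ip": "192.168.3.40",
    "msi_products": set(),
}

if __name__ == "__main__":
    for row in audit_items(SAMPLE_DRIVES_XML):
        print(row)
    print("applied:", applied_items(SAMPLE_DRIVES_XML, FINANCE_ON_FLOOR_3))
```

Run it against a real file by replacing SAMPLE_DRIVES_XML with the contents of \\<domain>\SYSVOL\<domain>\Policies\{GUID}\User\Preferences\Drives\Drives.xml, and feed applied_items the groups, address and installed product codes of the session you are troubleshooting. The audit_items report is the quick check worth running over every Preferences folder in SYSVOL: any row with stored_credentials set to True is a password that every domain user can recover.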
