Windows 8 Group Policy Preferences


Here is a way of rolling out Windows 8 computers with recommended rather than compulsory settings.  The whole concept of Group Policy Settings is that users cannot change the prescribed environment.  Group Policy Preferences, on the other hand, recognise that allowing users to change certain settings has no security implications, and boosts both productivity and morale.

Lest Administrators fear their authority will be undermined, they can have both Settings and Preferences; indeed, there is no need to allow any preferences at all if they wish to preserve a draconian image.


Creating Windows 8 Group Policy Preferences

Group Policy Preferences are set with the GPMC (Group Policy Management Console), and apply to Windows 8 clients only in a domain.  Thus you won’t see the ‘Preferences’ folder in Gpedit.

There is a subtle difference between traditional Group Policies, and the new flexible Preferences.  Think of Group Policies as enforcing settings, whereas Preferences provide a recommended environment that a user is free to change.

Why Windows 8 Preferences Are Popular

Based on a combination of best practice, experience and company guidelines, the domain administrator can create preferences for first logon, so that users can be productive from the initial launch of Windows 8.  Thereafter, based on their likes and dislikes, each individual can override your suggestions without fear of having their new settings reversed, as they would be with a traditional Group Policy.

Lest you think that the administrator and the server have relinquished too much control, preferences can be used in addition to, or as an alternative to, traditional Group Policy Settings.

Other benefits include the ability to set preferences for applications and registry settings outside the scope of traditional Group Policy templates.  If you need fine control over who starts with which setting, look out for ‘Preference item-level targeting’.

Should Group Policy Preferences appear too slack, you can regain control through the ability to ‘refresh’ the users’ settings.  However, by default, and in keeping with the whole spirit of preferences, the principle is to advise, but then let the users choose their own environment.


Other Benefits of Windows 8 Group Policy Preferences

As you experiment with Preferences, think laterally; embrace the new technology and you will be pleasantly surprised with extra benefits.  For example, there will be less need for Logon Scripts to map drives and printers.  This will save you debugging VBScript commands, and there will be fewer problems with permissions or with firewalls blocking logon scripts.

Group Policy Preferences will help you recover from configuration errors.  Let us be realistic: with every client roll-out, sooner or later less than optimal settings appear; thanks to preferences you can correct these slip-ups before the users start moaning.

Another side-effect is that you can roll out Windows 8 with fewer images, because you can fine-tune one main image with settings controlled by Group Policy Preferences.

Possibly, I have saved the biggest benefit of Preferences over Group Policy until last.  There are about a dozen preference extensions that are simply not available with the regular Group Policy templates. 

Example of Preferences

Map Network Drive
The New Drive example shows a preference for mapping the K: drive to a folder called ‘burrium’ on a network server called ‘buster’.  See more on Windows 8 Drive Maps.

File Preference
With the ‘Files preference extension’ you can create, replace, update, or even delete files on the target computer.  I also love the way preferences support environment variables such as AppData, so you don’t need to hard-code the paths.  One practical use for this combination of folders and environment variables is for clearing up temp files.

Folders Preference Extension
The Folders preference extension works in the same way as the Files extension.  It permits you to create, replace, update or delete folders, so it’s easy to clean up users’ messy folders on their Windows 8 computers.

A classic use of the Folders preference extension is to regularly clean out temporary folders. The extension is flexible and can handle most requirements.  Unfortunately, I have not yet found a way of using wildcards in path names; however, you can recursively remove subfolders.

Meanwhile the sister configuration, Network Shares, supports Access-based Enumeration (ABE), which prevents users from seeing subfolders where they don’t have any permissions.

Shortcuts Preference Extension
Shortcuts are one of the easiest ways to support users; for example, you can add URL shortcuts to websites.  In addition to the Desktop, you can create shortcuts in the Favorites folder.

Internet Setting Preferences
Another obvious way to help users is to pre-populate their browser’s home page with useful websites.  If you have the time, and the inclination, you could also configure other tabs in IE10 to make life easier for new users in your organization.

Local Users and Groups Preferences
This caught my eye: the ability to create local accounts, complete with passwords, on Windows 8 machines.
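
A check worth running before relying on this feature, as an added example that is not from the original page: a password set in a preference item is written into the GPO's XML under SYSVOL as a `cpassword` attribute, where domain users can read it, and Microsoft later removed the option to set passwords this way for that reason. The function name, the sample GPO GUID and the sample account are assumptions made for illustration; the script reports only where such an attribute exists and never prints its value.

```powershell
# Added example, not from the original page: report preference items that embed a password.
function Find-GppStoredPassword {
    param([Parameter(Mandatory)][string]$PolicyRoot)

    # Preference files whose <Properties> element can carry a cpassword attribute.
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'

    Get-ChildItem -Path $PolicyRoot -Recurse -File |
        Where-Object { $names -contains $_.Name } |
        ForEach-Object {
            $file = $_
            try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { Write-Warning "Unreadable XML: $($file.FullName)"; return }

            # Only the location is reported; the stored value is never printed.
            foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    Gpo  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '(unknown)' }
                    File = $file.Name
                    Type = $node.ParentNode.LocalName
                    Item = $node.ParentNode.GetAttribute('name')
                }
            }
        }
}

# Constructed sample tree so the function can be tried offline (hypothetical GPO GUID and account).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-demo'
$dir  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="LocalSupport">
    <Properties action="U" userName="LocalSupport" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

Find-GppStoredPassword -PolicyRoot $root | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

Against a live domain, point `-PolicyRoot` at the Policies folder under SYSVOL; any row returned identifies a preference item whose stored password should be removed from the GPO and the account's password changed.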

Other Areas to Configure Preferences
You can also create preferences for the Control Panel, Printers, Power Options, Scheduled Tasks and VPN connections for remote access.

See more on Windows 8 Group Policy Preferences.


What Actions Can Preferences Achieve?

Each Group Policy Preference has four options: Create, Delete, Replace and Update.

Each Preference feature also has a ‘Common’ Tab where you can set these extra options:

  • Stop processing items in this extension if an error occurs.
  • Run in security context of the logged-on user.  (user policy option)
  • Remove this item when it is no longer applied.
  • Apply once and do not reapply.

Item-level Targeting
I like this option for controlling computers, such as laptops but not desktops, and groups of people such as bosses, or temp workers.  For any given option seek the ‘Targeting’ button.

Get a Report for Your Preferences

Fortunately, you can see which Group Policy Preferences you have set by creating a report within the Group Policy Management Console (GPMC).  Create a report by starting in the Group Policy Results folder, found at the bottom of the Console tree.

Group Policy Preferences Client-side Extension (CSE)

Fortunately these CSEs are installed automatically for Windows 7 and Windows 8, so you need to take no action.  However, for XP and Vista clients, you need to download the Group Policy preferences client-side extension (CSE).

Summary of Windows 8 Group Policy Preferences

Allowing Group Policy Preferences involves a more sympathetic mind-set than enforcing Policy Settings. The best way forward is to realize that you can have both, so it’s just a question of degree: will you deploy 90% mandatory settings and 10% recommended preferences, or will it be more 50:50?

To set ‘Preferences’, you need the GPMC on a Windows Server 2008 domain controller, and not Gpedit on a Windows 8 client.
