In Windows 2008 Server and later MS gave us a new and easy way to distribute group policy, named GPO preferences. After running into some weird issues with IE group policy settings through IE maintenance settings, I decided to take a closer look at these preferences.
GPO preferences are just that, preferences: users are able to change the settings afterwards. Depending on which option you choose, the settings will either change back to your setting, or users who already got the preference once won’t get the updated setting.
I’ll try to explain this behavior in a bit more detail.
Preferences are a great way to distribute registry settings or files (among other things).
Each preference item is given an action. These are known as the CRUD (Create, Replace, Update, Delete) options:
- Create: it creates a preference if it doesn’t exist already. So if you create a preference registry key “SomeKey” with Value 1, and if that key already exists, the value won’t be changed.
- Replace: This also creates preferences that don’t exist yet (the same as Create), but it also replaces the preference. If you were to use a preference to distribute a file using Replace, Group Policy first deletes the file if it is already there, after which Group Policy will copy the file. This will happen every time Group Policy is processed.
- Update: This creates preferences if they don’t exist yet, and modifies the preference if it already exists. If the setting is already correctly set, it won’t do anything.
- Delete: delete the preference if it exists.
Using these actions is pretty straightforward. Update and Replace, for instance, are always reapplied, even if the user has changed a setting. This is a bit like classic Group Policy, and very useful for distributing all kinds of registry settings for which there are no .admx files available. With the default AD GPO setting, these settings will be applied every 90 minutes. This means that when Update or Replace is chosen, users will be able to change the settings, but they will change back to the preference after 90 minutes. Only when the Create option is chosen will the setting not be reverted to the chosen setting.
It gets a bit more complicated when you get to the special preference settings. These are:
- Start Menu settings
- Regional and Language settings
- Internet options
- Folder options
- Power options
These are different, and offer no CRUD options. These preferences are applied every time, unless you choose “Apply once and not reapply” in the Common tab of these preferences.
This setting does have a side effect though: if you change the GPO, it won’t get applied again, even though it changed. For example, if you change the GPO IE preference to use proxy2.local.net instead of the old setting proxy1.local.net, User1 (who already got the GPO applied once) won’t get the new setting. Suppose instead that you copy the GPO with the proxy1 preference, change the setting to proxy2, unlink the original and link the new GPO (or link another existing GPO that sets the proxy server through preferences). Now if User1 logs on, the proxy is set to proxy2.local.net. This is a bit weird, because this preference setting overwrites all configured preferences, even if they were already set by the user or by a preference GPO.
These special preference settings are good for initial settings, and have some characteristics which can be useful in some environments. If in some cases users need to be allowed to change settings, but only temporarily until the next logon, this might be a good case to use a preference to update the corresponding registry settings using the Update action.
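The behaviour described above can be checked with a small model. This is an added example, not Microsoft's implementation or code from the original post: the registry is a plain dict, the value name and `user.choice` are constructed, and tracking apply-once per item id is an assumption that matches what the post observes.

```python
# Toy model of preference processing as this post describes it.
def process(registry, item, run_once_seen):
    """Apply one preference item to `registry` (a dict) during one refresh."""
    if item.get("apply_once"):
        # Assumption: apply-once is tracked per item id, so an edited item
        # keeps its id while an item in a copied GPO counts as new.
        if item["id"] in run_once_seen:
            return "skipped"
        run_once_seen.add(item["id"])
    name, action, value = item["name"], item["action"], item.get("value")
    exists = name in registry
    if action == "create":
        if exists:
            return "left alone"
        registry[name] = value
        return "created"
    if action == "replace":
        registry.pop(name, None)  # delete first, then write again
        registry[name] = value
        return "replaced"
    if action == "update":
        if exists and registry[name] == value:
            return "no change"
        registry[name] = value
        return "updated" if exists else "created"
    if action == "delete":
        return "deleted" if registry.pop(name, None) is not None else "nothing to delete"
    raise ValueError(f"unknown action: {action}")

def value_after_user_change(action, apply_once=False):
    """Refresh, let the user change the value, refresh again; return the result."""
    registry, seen = {}, set()
    item = {"id": "item-1", "name": "ProxyServer", "action": action,
            "value": "proxy1.local.net", "apply_once": apply_once}
    process(registry, item, seen)
    registry["ProxyServer"] = "user.choice"  # constructed user change
    process(registry, item, seen)
    return registry.get("ProxyServer")

def proxy_change_scenario():
    """The proxy1 -> proxy2 case; 'update' stands in for the special preference."""
    registry, seen = {}, set()
    item = {"id": "gpo-A", "name": "ProxyServer", "action": "update",
            "value": "proxy1.local.net", "apply_once": True}
    process(registry, item, seen)
    item["value"] = "proxy2.local.net"  # admin edits the same GPO
    process(registry, item, seen)
    after_edit = registry["ProxyServer"]
    process(registry, dict(item, id="gpo-B"), seen)  # copied GPO, linked instead
    return after_edit, registry["ProxyServer"]
```
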
I know that a lot of people have been struggling with this and always chose to do a workaround. I hope I made life a little bit easier by offering an explanation.
Btw, thanks to Mark Minasi for a quick check!