Application control with Windows Group Policy Preferences

Get total application control with Windows Group Policy Preferences.

Vendors of Windows management software make their living selling you centralized control. These often expensive solutions enable administrators to wield great power over desktop configurations. Using this class of software and a policy-based approach, a single administrator can define the configuration for hundreds or thousands of computers all at once.

Yet while these solutions are powerful, you already have many of these abilities today, for no extra cost – especially for small businesses.

Where? Right inside any Windows infrastructure. With the release of Windows Server 2000, Microsoft introduced Active Directory, and with that came the first version of Group Policy. Evolving with Windows Server, Group Policy has grown to become a powerful tool for centrally controlling the configuration of desktops and servers in an Active Directory environment.

The flexibility of using Group Policy for configuration control grows dramatically with the introduction of Group Policy Preferences (GPP). This new functionality was released at the same time as Windows Server 2008 was released to manufacturing, but it does not require a Windows Server 2008 infrastructure to use. In fact, even if you have customers running Windows XP and Windows Server 2003 today, you can still begin using Group Policy Preferences to manage their systems with very little effort.

GPPs: What do you get?

Traditional Group Policies are relatively inflexible in terms of which on-system elements you can control. While Microsoft includes over 2,500 Group Policy settings with Windows Server 2008, those settings are generally limited to Microsoft’s technologies alone. That means you can use traditional Group Policies right out of the box to manage your Internet Explorer settings, some Windows settings (how many depends on which version of Windows and Windows Server your customers have), as well as others associated with Microsoft’s applications. But, if you want to control the configuration of WinZip, or Adobe Acrobat, or a home-grown application, you would need to custom code these settings on your own.

Group Policy Preferences change that; with GPPs added to Group Policy, you’ll find that your level of customized control increases substantially. The graphical interface used in creating a GPP makes the process of managing an application’s configuration, mapping a drive, or adding a new registry key far easier as well as going far beyond what was possible using traditional Group Policy.

Using a GPP, you can control desktop settings like environment variables, registry values, shortcuts, ODBC data sources, printers, and even elements like scheduled items and the contents of the desktop’s Start menu that have traditionally been painful to control.

Setting any of these configurations on one computer requires only a few clicks in the GUI. But setting them across dozens or hundreds of desktops in a cohesive manner has always been a painful process. For most environments, all of these configurations have been set as part of a login script. This was a necessary evil because traditional Group Policy had no easy way to configure certain desktop configurations like drive mappings.

The problem is that login scripts are challenging to author, require complex scripting knowledge to be successful, and virtually guarantee that a slight coding mistake will quickly corrupt machines. You have to create and deploy custom versions for every customer network. Hardest of all, login scripts only run at login. This means that a global change to the environment can take a long time to propagate as you wait for users to log out and back in again.

GPPs, on the other hand, are built in an easy-to-understand graphical interface, and deployed through Group Policy. This means that they’re much more manageable over the long haul than your old login scripts and they’re faster to customize for each customer you administer.

Mapping a drive made simple

As a simple example, let’s take a look at how that difficult drive mapping can be created as a GPP. To create and apply a new GPP you start in much the same way as creating a traditional Group Policy, but that’s where the similarities end. All you need to begin is a desktop running Windows Vista or Windows 7, or a server running Windows Server 2008. This desktop or server isn’t needed for the actual functionality and deployment of GPPs; however, you do need this version of the Group Policy Management Console (GPMC) to create them.

Start by creating a new Group Policy Object (GPO); edit that GPO and the whole process takes place in a single GUI element. Right-clicking Drive Maps and selecting New > Mapped Drive opens a dialog where you set the properties of the mapped drive. That drive can be mapped based on the user’s credentials or by a completely different account. It can be set to a specific drive letter or the next available one. It can even be hidden if necessary. All of these otherwise-complex scripting activities are consolidated into a single, graphical interface.

To apply the GPP to a set of users, go back to the GPME and link its GPO to an Organizational Unit full of users. Users who are assigned that GPO will receive its Group Policies as well as Group Policy Preferences.

The Common tab for each GPP setting offers additional parameters to define how that setting is applied to linked users and computers.

Stop processing items in this extension if an error occurs. Sometimes applying a GPP setting causes an error on an assigned client. Perhaps a registry key already exists, or a network option is misconfigured. Select this and any failing preference item will prevent the remaining preference items in this GPO from processing.

Run in logged-on user’s security context. Generally, a GPO is processed within the security context of the SYSTEM account but it’s better to run some items within the user’s security context – such as files and folders or drive mappings and their associated permissions – so their rights and permissions are respected.

Remove this item when it is no longer applied. GPPs are different from traditional Group Policies in that they are not removed by default when the policy is no longer applied. Checking this box makes a GPP function like a traditional Group Policy so it will be removed when the policy is no longer applied to the computer.

Apply once and do not reapply. This is the primary reason why GPPs are called ‘Preferences’ rather than ‘Policies’. Traditional Group Policies are an enforcement mechanism: if you set a policy, that policy will be regularly refreshed on all systems it applies to. Choose apply once if you want to offer the setting but not enforce it when the user makes a change. You could use a GPP to set a list of available printers. The first time the user receives the policies, those printers will be assigned; however, if the user later changes their printers, they will not be reset at the next policy refresh.

Item-level targeting. This final checkbox enables great flexibility in targeting GPP settings to the right users and computers. Click Targeting to filter the policy in up to 27 different ways, applying a GPP setting to specific computers by characteristics like available disk space, resident files on the system, a time range, or operating system, among others. This precise targeting is crucial to applying GPP settings only where they belong.

Complete application control

Every IT environment has an application which contains ‘that checkbox’; some application configuration that immediately causes a problem. You know that when the user checks that box, it usually drives a phone call to the help desk. If there were only a way to ensure that that box were never checked…

Using GPPs, there is. Virtually every checkbox in every application corresponds to a key and value somewhere in the registry. If you want to control the checkbox, you need to control the registry. GPPs allow you to do this.

If you have a customer using WinZip and you know that when users use WinZip Classic as opposed to the WinZip Wizard, you get more support calls, you can use GPP to enforce the setting that users find easier.

Updating WinZip’s Wizard key value using a GPP.

The settings users see in the WinZip interface are stored in the Windows registry as string (REG_SZ) values. The one that matters here is the Wizard value under HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinZip. Wizard is set to 0 when users use WinZip Classic, and to 1 when users choose the WinZip Wizard.

You can use this information to create a GPP that configures this registry value for your users. As before, do this by creating a new GPO and choosing to Edit it in the Group Policy Management Editor (GPME). Navigate to either Computer Configuration (if you wish to apply this to all the PCs) or User Configuration (if you wish to apply it to specific users), and then drill down to Preferences > Windows Settings > Registry and right-click Registry to select New > Registry Item.

Set the Action to Update, so that any existing key values are updated. You can fill in the Hive, Key Path, Value name, Value type, and Value data automatically by clicking the ‘…’ button and drilling down to the correct location if you are running the GPME on a computer where the key exists. Otherwise type the details into the correct fields.

Setting the Common Properties for a New Registry value.

The next step is to target this GPP to the right users and computers. Since this GPP specifically adjusts settings that relate to WinZip, you want to ensure it only applies to computers which have WinZip installed. On the Common tab, check the Item-level targeting checkbox then, click Targeting to open the Targeting Editor.

To configure targeting for this setting, click the New Item button and select File Match. Computers which have WinZip installed also have the WINZIP32.EXE file in the location C:\Program Files\WinZip\WINZIP32.EXE. Set the file match criteria’s Match type to ‘File exists’ and enter this path. Close the policy then apply the GPO to an Organizational Unit in your Active Directory.
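The same WinZip registry preference, built with the GroupPolicy PowerShell module instead of the GPME dialogs, as an added example that is not part of the original article. It assumes the RSAT GroupPolicy module (Windows Server 2008 R2 or later) is available, and the GPO name and OU distinguished name are placeholders to change for your own domain.

```powershell
# Added example, not from the article. Requires the GroupPolicy module (RSAT, 2008 R2+).
Import-Module GroupPolicy

$gpoName  = 'WinZip - Prefer Wizard'              # placeholder GPO name
$targetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder OU distinguished name

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'GPP: set HKCU WinZip Wizard = 1'
}

# 2. Add the preference registry item (User Configuration > Preferences >
#    Windows Settings > Registry), Action = Update, REG_SZ value "1".
Set-GPPrefRegistryValue -Name $gpoName -Context User -Action Update `
    -Key 'HKCU\Software\Nico Mak Computing\WinZip\WinZip' `
    -ValueName 'Wizard' -Type String -Value '1' | Out-Null

# 3. Link the GPO to the OU of users, unless it is already linked there.
$linked = (Get-GPInheritance -Target $targetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $targetOu -LinkEnabled Yes | Out-Null
}

# Note: the cmdlet cannot set item-level targeting. The File Match filter
# (File exists: C:\Program Files\WinZip\WINZIP32.EXE) still has to be added
# on the item's Common tab in the GPME, as described in the article.

# 4. Client-side check, run as the user after 'gpupdate /target:user':
#    does the value match, and would the File Match target have selected
#    this machine? Use the result to find clients that did not get the item.
function Test-WinZipWizardPreference {
    $exe = 'C:\Program Files\WinZip\WINZIP32.EXE'
    $key = 'HKCU:\Software\Nico Mak Computing\WinZip\WinZip'
    $installed = Test-Path -LiteralPath $exe
    $value = (Get-ItemProperty -Path $key -Name Wizard -ErrorAction SilentlyContinue).Wizard
    [pscustomobject]@{
        WinZipInstalled = $installed
        WizardValue     = $value
        Compliant       = $installed -and ($value -eq '1')
    }
}

Test-WinZipWizardPreference
```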

This process is relatively trivial when you know which registry entries to modify, but how do you find out which registry value corresponds to which GUI checkbox? You could manually watch the registry as you click through checkboxes and look for values that change, but registry comparison tools like the freeware WinINSTALL LE make this process much easier.

Set the File Match criteria to the correct file path for WinZip to ensure the GPP targets computers with WinZip installed.

Use the Discover options to identify differences between two snapshots of a computer system. Create an initial snapshot of the system before checking a box or entering a value into the application’s GUI, then run it again after making the change. WinINSTALL LE will highlight what elements – file, registry, shortcuts, services – have changed between the two snapshots. Use this to populate your GPP.

Application installation + Application control = Complete manageability

GPPs alone offer huge improvements to the manageability of your environment. Adding their flexible control to the Group Policy installation of applications further enables you to automate the configuration of your environment. And you can go even further.

Group Policy’s Software Installation feature enables you to rapidly deploy software to any number of computers in a domain with little effort. Combining the rapid installation of software with the automated configuration of their settings gives you complete control over the entire desktop infrastructure for each of your customers. The process involves two steps. First, you must determine how to install that software ‘silently’, meaning without prompting the user for information during the installation. The second and much easier half is to plug that packaged piece of software into Group Policy for distribution.

The paid-for management tools do still have advantages over any freeware tools. While Group Policy and Group Policy Preferences provide a high degree of customization, there is no centralized reporting. It is difficult to identify which computers have and have not applied their settings. For complex environments that require added management flexibility, upgrading to a for-cost solution may be necessary. For the rest of your customers, however, you’ve got much of what you need to take control built right into their existing Windows infrastructure.


  1. Mapping a drive: the User Configuration node in the Group Policy Management Editor shows the list of items available to configure.

  2. Creating a mapped drive with a GPP requires little more than adding its settings to a wizard.

  3. A GPP setting’s Common tab exposes options for how the setting is applied to linked users and computers.

  4. The item-level targeting options for a GPP setting let you target it to specific users and computers.


    Resources to help you configure silent installation for a variety of software tools:

    Automating Software Deployment for the Small IT Shop
    Greg Shields’ two-part series on setting up distribution of packaged software through Group Policy in Issues #9 and #10 of the Windows Administration in Realtime e-journal:

    Part 1:

    Part 2:

    Third-party Tools and Extensions for Group Policy
    Microsoft’s comprehensive list of tools that extend Group Policy functionality and manageability:




Comments (2)
David Knight
Posted: May, 4 2010
Greg's articles on Automating Software Deployment for the Small IT Shop are actually located here:

Part 1: http://nexus.realtimepublisher...rt_One.php

Part 2: http://nexus.realtimepublisher...rt_Two.php
David Knight
Posted: May, 5 2010


Hello IT Expert Mag,
The links to the Automating Software Deployment for the Small IT Shop aren't working~ this article is currently posted here:

Part 1: http://nexus.realtimepublisher...rt_One.php

Part 2: http://nexus.realtimepublisher...rt_Two.php
