Setting Up Services
It's never fun to run around to 100 servers to change the values of a service. That's why Group Policy has a method to control services, located in \Computer Configuration\Policies\Security Settings\System Services. These settings let you set security on the account, such as who can start, stop, and pause the service.
However, with Group Policy Preferences Services (\Computer Configuration\Preferences\Control Panel Settings\Services), you can also change the local system account password, change the recovery options for when a service fails, and change the program that runs if a service fails, or choose to restart the computer if the service fails.
Wrangling the Registry
Setting a single registry value on all your target machines can be a real hassle. Many administrators use logon scripts and other quasi-automatic methods to accomplish this often-desired goal.
Group Policy has always been able to deliver specific registry values to clients using its built-in ADM and ADMX frameworks. You see the results of ADM and ADMX frameworks every time you explore \Computer Configuration\Policies\Administrative Templates or \User Configuration\Policies\Administrative Templates. These Group Policy settings simply set desired registry values on target machines.
ADM and ADMX files can be developed to deliver registry settings for your applications. However, those values can only be delivered to HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER; you can't use them for any other locations. Additionally, ADM and ADMX files can't deliver REG_BINARY values, a popular data type. ADM and ADMX files are also well known to leave behind, or tattoo, settings if the application doesn't follow Microsoft's strict logo requirements. So, even if the user falls out of the scope of management or the GPO is deleted or unlinked, the value persists.
The Group Policy Preferences Registry item brings more to the table. These settings are located within \User Configuration\Preferences\Windows Settings\Registry and \Computer Configuration\Preferences\Windows Settings\Registry. This configuration item lets you plunk registry values into just about any area of the registry.
You might want to continue using ADM or ADMX files if you like the idea of administrators being able to select from a range of values. For instance, if you had a custom application that used custom values, you could create an ADM or ADMX file so that administrators could choose a background color of green, red, or peach. These colors might correspond to values 1, 2, and 4.57. A simple drop-down menu could let administrators select the color instead of having to remember the values.
Group Policy Preferences Registry settings don't let you use a range of values. Group Policy Preferences Registry settings simply set the particular registry value; there's no framework to describe a UI for the target application as you can do with ADM and ADMX files.
Restricting Devices
Every administrator needs to control which devices can and can't be brought into the network. Items such as USB keys or external disk drives are often excellent candidates to restrict so they can't be used to transport data in and out of a company. Vista shipped with a new range of Group Policy device restrictions, which are found at \Computer Configuration\Policies\System\Device Installation\Device Installation Restrictions. These settings let you prevent specific device IDs on your target Vista machines.
The existing XP population had no way to perform anything similar, but the Group Policy Preferences Devices node now provides some of that device control on XP systems. The Devices node is available for both Computer Configuration and User Configuration at \Preferences\Control Panel Settings\Devices. Although the Group Policy Device Installation Restrictions settings work only for Vista, the Group Policy Preferences method works for all its supported OSs (XP SP2 and later).
It should be noted, however, that the two technologies work fundamentally differently. Group Policy Device Installation Restrictions prevent users from installing drivers for new hardware, so when you restrict a specific device from your Vista machines, the driver is actually blocked from being utilized. This strategy works great for USB memory sticks and other things that are typically unplugged and plugged back in a lot because during the next check, the restriction blocks the device.
But Group Policy Device Installation Restrictions don't always work as expected with devices that are already installed and in use on the machine, such as hard disk drives, SCSI cards, and scanners. Those device drivers are already installed, and you don't usually unplug those items and put them back in. Therefore, the driver isn't ever rechecked and the device isn't restricted—even if the policy setting is applied.
The Group Policy Preferences Devices extension works differently. It disables the actual device or port instead of preventing the driver from loading. Therefore, if a device is already installed, it can simply be disabled to prevent its use. It should be noted, however, that because it only disables the device, it doesn't prevent the device driver from installing. As Figure 3 shows, any user with appropriate rights—usually local Administrators—can simply re-enable the device. But, because regular users don't have access to this ability, this preference setting can help get you on the road to restricting devices right away: As soon as the GPO with the Group Policy Preferences Devices item is received, the device is immediately restricted.

Handling Users and Groups
Administrators often want to dictate which users and groups are permissible on target computers. Additionally, some administrators want to ensure that some group memberships within Active Directory (AD) are strictly enforced. The Group Policy settings to achieve such control are located within \Computer Configuration\Policies\Security Settings\Restricted Groups. These settings strictly control group membership of either local groups or AD-based groups.
However, many admins need to control which users can be part of specific local groups. The Group Policy Preferences Local Users and Groups option is under both the User and Computer nodes under \Preferences\Control Panel Settings\Local Users and Groups, which means it's very flexible. You can also use it to add a new user account—complete with all account settings—to the computers of your choice. The Local Users and Groups extension can also delete local groups and cherry-pick specific users to delete from groups, which is useful, say, if you want to pluck just one user out of the local Administrators group.
Note, however, that the Local Users and Groups extension works only for local users and groups, not AD-based groups as the Group Policy Restricted Groups function does.
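Both the Services item and the Local Users and Groups item described above can carry an account password, which Group Policy Preferences writes into the item's XML under SYSVOL as a cpassword attribute that any domain user can read; Microsoft withdrew those password fields in MS14-025, but items created earlier stay in place until an administrator removes them. The PowerShell audit below is an added example, not code from the original article, and it lists such items without decrypting anything. The function name, the sample tree and every value in it are constructed for illustration.

```powershell
# Added example: list Group Policy Preferences items that carry a stored
# password (a non-empty cpassword attribute). Nothing is decrypted.
function Find-GppStoredPassword {
    param([Parameter(Mandatory)][string]$Path)   # root of a copy of SYSVOL Policies
    Get-ChildItem -LiteralPath $Path -Recurse -Filter *.xml -File | ForEach-Object {
        $file = $_.FullName
        try   { $doc = [xml](Get-Content -LiteralPath $file -Raw) }
        catch { Write-Warning "Skipping unparsable file: $file"; return }
        # Match any element with a non-empty cpassword, whatever the item type.
        foreach ($props in $doc.SelectNodes('//*[@cpassword != ""]')) {
            $item = $props.ParentNode
            if ($item -isnot [System.Xml.XmlElement]) { continue }
            $account = $props.GetAttribute('accountName')                      # Services items
            if (-not $account) { $account = $props.GetAttribute('userName') }  # Local Users items
            [pscustomobject]@{
                ItemType = $item.LocalName
                ItemName = $item.GetAttribute('name')
                Account  = $account
                Changed  = $item.GetAttribute('changed')
                File     = $file
            }
        }
    }
}

# Constructed sample tree standing in for \\<domain>\SYSVOL\<domain>\Policies.
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-audit-sample'
$svc  = Join-Path $root '{SAMPLE-GPO-1}\Machine\Preferences\Services'
$grp  = Join-Path $root '{SAMPLE-GPO-2}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $svc, $grp -Force | Out-Null

@'
<NTServices><NTService name="AppSvc" changed="2008-05-01 10:00:00">
  <Properties serviceName="AppSvc" accountName="CORP\svc-app" cpassword="CONSTRUCTED-PLACEHOLDER"/>
</NTService></NTServices>
'@ | Set-Content -LiteralPath (Join-Path $svc 'Services.xml')

@'
<Groups>
  <User name="localadmin" changed="2008-05-02 09:30:00">
    <Properties action="U" userName="localadmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <Group name="Administrators (built-in)" changed="2008-05-02 09:31:00">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $grp 'Groups.xml')
Find-GppStoredPassword -Path $root | Format-Table -AutoSize
```

Any row returned marks an item to delete from its GPO, and the account it names should have its password changed.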
Customizing the Start Menu
Managing the user experience is one of the core strengths of Group Policy, and handling the way the Start menu works has traditionally been an area that administrators have taken advantage of. You can find the Group Policy Start menu policy settings in \User Configuration\Administrative Templates\Start Menu and Taskbar.
Administrators enjoy the functionality of the Group Policy Start menu policy settings, but this method isn't perfect. The ability to set a baseline preference configuration of items is missing. Also, because using Group Policy Start Menu and Taskbar settings actually restricts the OS—and forces users to accept the change—these policy settings can be seen as heavy-handed.
On the other hand, the Group Policy Preferences Start Menu settings, found at \User Configuration\Preferences\Control Panel Settings\Start Menu, are preferences, which means they can act more like suggestions for the user. If users don't like your Start menu settings, you can give them the option to change them if they so choose. You can change this behavior later by using the Apply once and do not reapply option for the Group Policy Preferences item.
Many Options for Control
The original set of Group Policy settings takes us quite far, but as the demands of administrators grow, so does the demand for new functionality. Group Policy Preferences add more functionality that administrators want while preserving the value of their original Group Policy investment.
The original Group Policy settings and Group Policy Preferences are meant to be used together—not one against the other. If you have your own "better together" story with Group Policy and Group Policy Preferences and want to share, I look forward to hearing from you at www.GPanswers.com.