Advanced Group Policy Manager when used on Windows Operating Systems offers an expanded set of configurable options called Preferences.
Overview of Group Policy Preferences (GPP)
What is CRUD (Create, Replace, Update, and Delete)?
What is Item-level Targeting?
Examples:
Mapping Drives to Users
Start Menu Configuration for Users
Configure Printers for Users
Overview of Group Policy Preferences (GPP)
Group Policy Preferences (GPP) are an expanded control area available through Advance Group Policy Management (AGPM) Console. GPP is composed of Windows and Control Panel Settings. Windows Settings are mostly system type configurations that administrators would usually configure either manually or with scripts. Control Panel Settings are mostly configurations that a user would set manually or that would be set with a default profile.
As is the case with GPO policies, preferences are available under User Configurations, Computer Configurations, or both.
What is CRUD?
CRUD is an easy way to remember the action options available when applying Group Policy Preferences.
When applying a Preference, the action setting can be set to Create, Replace, Update, or Delete.
Create – The create action is notated by a Green triangle icon. If the preference does not already exits, the preference will be created. If the preference already exists, then no action will be taken. This action will not overwrite anything.
Replace – The replace action is notated by a Red triangle icon. If the preference does not already exist, the preference will be created. If the preference already exists, it will be replaced by this new setting.
Update – The update action is notated by a Yellow triangle icon. If the preference does not already exist, the preference will be created. If a similar preference already exists, then it will be updated. If the preference is associated with a different setting, then no action will be taken.
Delete – The delete action is notated by a red x mark. If the preference exists it will be deleted.
What is Item-level Targeting?
Item-level Targeting is a type of filter. It allows the system administrator to change the scope of individual preferences so they only apply to certain users, computers, or other filtered criteria. A GPO can hold many preferences and some or all of these can have item-level targeting applied to them. The items that the preference is filtered on are called targeting items. Multiple targeting items can be applied to a preference to filter down the criteria even further. Targeting Items receive a TRUE or FALSE value, and multiple targeting items can be combined with logical operations of AND or OR.
When a new property is added to a GPO, after the general tab is populated, navigate to the Common Tab. Check “Item-level targeting” and click
The Targeting Editor Window will open. Choose New Item to display a list of Targeting Items to filter on. There are several powerful Targeting Items such as Computer Name, IP Address Range, Operating System, Organizational Unit, Security Group, Site, and User. For the purpose of this example the Security Group Targeting Item is chosen.
Choose the button to browse AD for a group. In this example the group IGSGFloridaFL-W Administrative Staff is selected. This preference will now only be applied to users who are members of the chosen group.
Additional Targeting Items can be added. In this example the Targeting Item for Operating System is also selected. By default the logic defaults to AND. This targeting filter will now apply to user in the IGSGFloridaFL-W Administrative Staff group that are also logged into Windows 7 computers. By selecting the Item Options pull down menu, the logic can be changed to OR or IS NOT to reflected the desired filter.
It is possible that Targeting logic can become complicated. Targeting collections can help gather groups of logic. In this example the Add Collection button is pressed and when the new collection is true line appears, the previous two Targeting Items are dragged onto the collection item to add them to the collection. Now the combination of the two targeting items are nested within one collection statement.
Mapping Drives for Users
Open Advanced Group Policy Management (AGPM) Console.
Browse to Change Control and find the GPO you’d like to edit. Edit a Pre-Staged GPO Using AGPM Console describes the steps for editing and deploying GPOs.
Navigate to User Configurations -> Preferences – > Windows Settings. Select Drive Maps. In the right most pane, righ-click and choose New -> Mapped Drive.
Choose the appropriate Action. Reference What is CRUD for more information about actions. In this case Update is used. This will force the current mapped drive to be replaced by this configuration, but if the drive letter is assigned to something other than a mapped drive it will not interfere. The location of \\gs\orlandofl-s is selected. The box is checked to assure the drive is reconnected for the users future log ins. The optional Label, in this case Orlando DFS Share, can be defined. Either allow the first available drive letter be chosen, or choose a specific drive letter. In this case the U drive is selected.
Alternative credentials can be provided, and whether the is drive shown or are hidden can be selected. In this case, these options are left as default.
Navigate to the Common tab. There are several options available regarding how the mapped drive is applied, including the ability to use Item-level Targeting. Click when complete to save the map drive preference.
Start Menu Configuration
Open Advanced Group Policy Management (AGPM) Console.
Browse to Change Control and find the GPO you’d like to edit. Edit a Pre-Staged GPO Using AGPM Console describes the steps for editing and deploying GPOs.
Navigate to User Configurations -> Preferences – > Control Panel Settings. Select Start Menu. In the right most pane, right click and choose New -> Start Menu (Windows Vista and Later).
The New Start Menu Properties Window is comprised with many settings that would be available for users in the Start Menu Configuration. In this example, Pictures are set to Don’t Display this item. Click to accept changes.
Configure Printers
Open Advanced Group Policy Management (AGPM) Console.
Browse to Change Control and find the GPO you’d like to edit. Edit a Pre-Staged GPO Using AGPM Console describes the steps for editing and deploying GPOs.
Navigate to User Configurations -> Preferences – > Control Panel Settings. Select Printers. In the right most pane, right click and choose New -> Shared Drive.
For more information about Printer Preference options, including when and how to use TCP/IP and Local Printers, choose Help.
Choose the appropriate Action. Reference What is CRUD for more information about actions.
Create – Create a new shared printer connection. If a local printer with the same name exists, then it does not modify it.
Delete – Remove a shared printer connection with the same share path. The extension performs no action if the shared printer connection does not exist. (This action does not remove the printer driver. It only removes the shared printer connection.)
Replace – Delete and recreate the shared printer connection. The net result of the replace action overwrites all existing settings associated with the shared printer connection. If the shared printer connection does not exist, then the replace action creates a new shared printer connection.
Update – Modify a shared printer connection. The action differs from replace in that it updates the settings defined within the preference item. All other settings remain as they were previously configured. If the shared printer connection does not exist, then the update action creates a new shared printer connection.
In this case Update is used. The Share Path of \\igsbalesgs016\HPCopier (a shared printer off a 2008R2 Print Server) is selected. The box is checked to “Set this printer as the default printer”. The sub-box is checked for “only if a local printer is not present”. This printer should be applied to all users and made the default printer on their system if no local printer was present. Click to accept the settings.
A second new printer is added. In this case Update is again used. The Share Path of \\igsbalesgs012\datc (a shared printer off a 2003R2 Print Server) is selected. The boxes regarding default printer are left unchecked.
Navigate to the Common tab. Select Item-level targeting and click the Targeting button. This printer is only used by the Hydrologic Records Staff in the Orlando office. An Active Directory Group exists called GS\IGSGOrlandoFL-W Hydrologic Records Staff that contains all the Orlando Hydrologic Records Staff. A New Item of type Security Group is added, and the above group name is applied. For more information, reference documentation on Item-level Targeting. Click twice, to accept this new printer configuration.
This group policy, when applied to all the users in the Orlando office will add the HPCopier to all users, and the DatC printer to only the users that are members of the Hydrologic Records group.