Windows Server 2008 Group Policy Preferences: The End Of The Login Script?

Microsoft has, almost quietly (unless you were in ITForum Barcelona), released a new feature into Windows Server 2008 (and Vista SP1) that in my mind is amongst the best features in Windows Server 2008.

This new feature is something called "Group Policy Preferences". This is technology that Microsoft got from their acquisition of DesktopStandard. Why are Group Policy Preferences so cool? Because they allow you to do all the things with Group Policy that you want to today but just can’t. Now you can do all of the stuff that you currently need to do in a Login script from Group Policy.

This feature has a huge potential. Over the years Group Policy has become a best practice for configuring environments where possible. Notice the phrase "where possible". Group Policy does a decent job at configuring static settings but just isn’t fit for managing dynamic settings. Group Policy settings in this regards are also quite limited in the fact that it basically does registry settings. And if a particular registry setting isn’t in the default set of Administrative Templates then adding this custom registry settings into Group Policy is more than a hassle than you would like.
So what can you actually configure with Group Policy Preferences? Just a few examples:

Managing Drive Mappings
This allows you to create, replace, update, and delete network drive mappings.

Mapping Printers

Managing printer connections just became easier. The Printers preference extension enables you to easily create, update, replace, or delete shared printers, TCP/IP printers, and local printers to multiple, targeted users or computers.

Managing Shortcuts
Here’s a easy way to create a Start Menu. This allows you to create, replace, update, and delete three types of shortcuts on multiple, targeted users and computers.

Managing Environment Variables
This enables you to manage user and system environment variables or update the path.

Managing The Entire Registry
Finally! The Registry preference extension provides a flexible and easy-to-use way to create, replace, update, and delete registry settings on multiple computers, including all the different registry types: REG_SZ, REG_DWORD, REG_BINARY, REG_MULTI_SZ, and REG_EXPAND_SZ. Also very cool: you can import one or more registry settings from the local computer or from a remote computer for easy addition of registry configuration items.

Files and Folders
With this item you can create, replace, update, delete, and even clean up folders on targeted computers.

Managing ODBC Connections
The Data Sources preference extension provides a way to create, replace, update, and delete data sources for users and computers.

Managing INI files
The Ini File preference extension provides the ability to create, update, replace, and delete individual properties from .ini flies.

Again these are just a few of the examples. There’s a lot more you can do. Think about managing settings like: Devices (disable USB ports per user, computer etc), Network settings (for example create VPN connections), Regional Options, Scheduled Tasks and yes, you can even manage the dreaded Folder Options.
Now this is already a very cool feature set as far as I’m concerned but it seems to get even better. ALL these “preference extensions” can be filtered a multitude of ways. These filters can be combined in almost any way you like. Here’s some of the criteria you can filter on:

• Environment variable
• OU
• IP Address Range
• Time Range
• Operating System Version
• LDAP query
• WMI Query
• User
• Group
• And many more

Combining the powerful features with this extreme granualar filtering options makes Group Policy Preferences an extremely powerful way to manage all kinds of settings. The Logon script could become an endangered species. Products like RES Powerfuse, Appsense Environment Manager and the likes of those have run into some fierce competition.
But wait… there has to be a catch, right? It must be available to MDOP customers only or something like that right? NO! Group Policy Preferences are available in plain Windows Server 2008. Group Policy Preferences support the following platforms:

Windows XP SP2
Windows Vista
Windows Server 2003 SP1
Windows Server 2008

The only caveat (al though I do not think this is a big issue) is that you need to install the Group Policy Preferences client-side extension (CSE) to be able to use Group Policy Preferences. Note that this pertains to the client side. Kind of like the Active Directory pack for Windows 98 back in the day. There’s no configuration that needs to be done on the (Windows) Server (2008) side.

So there you have it. Group Policy Preferences are coming in Windows Server 2008 and it has huge potential with advanced features like location based printing and advanced ODBC connection management. The support for WindowsXP and Windows Server 2003 supports upgrade schemes for people just upgrading their domain and using Group Policy Preferences to manage the rest of the environment. Group Policy Preferences looks to be a great addition to different kinds of environments ranging from desktop environments, to Server Based Computing environments to VDI environments.

Even though this is a feature that was first introduced in the November CTP release of Windows Server 2008 (which isn't publicly available) you can read all about it in the very good Microsoft Group Policy Preferences White Paper. Check out that white paper because there's a lot more information in there than in this article. If you want to play around with Group Policy Preferences, you'll have to wait for Windows Server 2008 RC1.

Filed under: Articles Leave a comment
Comments (0) Trackbacks (0)

No comments yet.

Leave a comment

No trackbacks yet.