次の方法で共有


GP Policy vs. Preference vs. GP preferences

Wow! What a confusing title. So, why did I use this?

Your feedback tells us there is some confusion over our terminology for our new extension, Group Policy preferences. And I aim to clear up this confusion in this post.

In the beginning of Group Policy evolved out of what was called "System Policies." These were what we now call the Administrative Template extension or registry-based policy settings. These settings are considered to be "true" policy settings as opposed to what was then termed "preference" settings. What is the difference between GP policy settings and preferences?

GP policy settings will:

  1. not tattoo. In other words, when a Group Policy object (GPO) goes out of scope, the policy setting is removed allowing the original configuration value to be used.
  2. supersede an application's configuration setting. In other words, when a GP policy is configured to a value, the application is aware of that value and always uses it over the configurable value.
  3. be recognized by an application. In other words, the display of the configuration item under control of a GP policy setting will be unavailable through the user interface. This is where graying out a configuration item on a menu, not displaying a dialog box, or providing a pop-up message explaining the current feature is under administrator control is used to inform the user they can't configure an option.

Preference settings will:

  1. tattoo. In other words, when a GPO goes out of scope, the preference value will remain in the registry. An administrator is responsible for making sure these values are set to disable, prior to the GPO going out of scope, if the administrator wants the preference setting removed. The preference setting will not be replaced with the original application configuration value.
  2. overwrite an application's configuration setting. This is accomplished by overwriting the original user configured-value for the application. No effort is made to retain the original value before overwriting the value with the preference setting. And, as was noted in 1, the overwritten value will not be removed when the GPO goes out of scope.
  3. not be recognized by an application. In other words, the application's user interface will allow a user to change the configuration item. Most importantly, the Group Policy engine only recognizes when a GPO changes, not when the preference value has been changed. This means the preference setting will be applied once and not automatically reapplied if the user changes the value of the configuration item.

There was a desire to create a registry-based setting that was a melding of the GP policy settings with the preference settings which became the GP preferences. Unlike, preference settings, GP preference settings' behavior is configurable to act differently than a preference setting depending on the options you select.

GP preference settings will:

  1. tattoo, by default. In other words, when a Group Policy object (GPO) goes out of scope, the GP preference setting will be remain in the registry.

    However, you can change the behavior of the GP preference setting by selecting the "Remove this item when it is no longer applied" option for a specific GP preference setting. After selecting this option, the GP preference setting will be removed when the GPO goes out of scope.

  2. overwrite an application's configuration setting. This is accomplished by overwriting the original user configured-value for the application. The original value will not be retained when the application's configuration setting is overwritten by the GP preference setting.

    If the option to "Remove this item when it is no longer applied" has been selected, the GP preference setting will be removed. The application will use the default configuration value, not a previously set user configuration value.

  3. not be recognized by an application. In other words, the application's user interface will allow a user to change the configuration item. By default, the GP preference setting will be automatically reapplied at every GP refresh, not when the application's configuration value has been changed by the user.

    Now the administrator can select the "Apply once and do not reapply" option. This will change the GP preference setting's behavior to only apply the GP preference setting value once and not apply again, even if the user has changed the application's configuration value.

When dealing with registry-based settings the differences between preference settings and GP preferences are subtle. The biggest difference I want to call out here is that while preference settings are always used in connection with registry-based settings, GP preferences can configure more than just registry-based settings. For more information check out the paper providing an overview of Group Policy preferences, https://go.microsoft.com/fwlink/?LinkId=103735.

Judith Herman, Group Policy Programming Writer

Comments

  • Anonymous
    January 01, 2003
    Source: The SoftGrid Team Blog There’s been a lot of interest in whether we are releasing a supported

  • Anonymous
    January 01, 2003
    There’s been a lot of interest in whether we are releasing a supported Administrative (ADM) Template

  • Anonymous
    January 01, 2003
    Have you read my recent Redmond Magazine column discussing the new Group Policy Preferences feature to be found with (but not requiring) the release of Server 2008, but are still confused about what it does? If so, Microsoft puts together a list that

  • Anonymous
    January 01, 2003
    1 - Group Policy is Hype Hype comes from people. Technology doesn't hype itself. Group Policy is

  • Anonymous
    January 01, 2003
    Hi, Yesterday on an XP Pro machine (running SP2 & IE6...) I was trying to give a GPP demonstration. Before I could install the CSEs, the CSE installer popped up telling me to XMLLite as a pre-req before I was allowed to install the CSEs. This has confused a few people here because there is no mention of XMLLite in nearly all of the GPP documentation, only on the CSE download page will you see it if you take the time to read the entire page. http://support.microsoft.com/?kbid=943729 I have only found XMLLite in Microsoft Download Catalog under a Zune product category. Is there any way to get it into WSUS besides the Zune category? I'd like to get this onto all of our Server 2003 boxes, but only the CSEs show up on WSUS and not XMLLite. Thank you.

  • Anonymous
    May 05, 2009
    Where is the setting to remove the Apply once on the client so the policy can be applied again.  If I set "apply once" setting and than need to change tlhe value, it will not apply the updated value unless I create a whole new GPO.  For testing and troubleshooting, I would like to be able to reset on the client so the same gpp can be applied again.

  • Anonymous
    August 12, 2015
    Due to IE10 published, I’ll conclude the methods that how to add trust sites in to IE of the version