From the course: Microsoft Windows Server Hybrid Core Infrastructure Administrator Associate (AZ-800) Cert Prep by Microsoft Press

Implement Group Policy preferences in AD DS

- [Instructor] What are group policy preferences? Well, these are a mechanism that you can use to provide initial values for computer and user configurable options. They provide similar capabilities to startup and logon scripts, such as creating drive mappings and variables. They can be locally reconfigured, unlike with GPO settings. So a user has the option to change a setting, to revert something that you've done. Personally, I exercise caution about using preferences for that very reason. I much prefer to mandate particular settings for my users' devices.

There are many available preference settings: applications, drive mappings, folders, registry settings, shortcuts, data sources, folder options, local users and groups, network options, network shares, power options, scheduled tasks, many. You configure preferences by using the group policy management editor in the usual way, and you'll find the preferences node immediately beneath the policies node for both computer configuration and user configuration.

One of the interesting things about preferences is that you can target them. Now, we discussed in an earlier session how you could filter the application of group policy objects. That still applies, and let's not forget that a group policy preference is part of a group policy object. It's just not a policy, it's a preference, but it's still contained within that, which is why you can edit it with the same tool, the group policy management editor. But within the group policy preference, you have additional targeting. So you can do what we call item-level targeting. With item-level targeting, you can create a query that yields up a result. So in this instance, in the screenshot, the operating system is Windows 10 Enterprise Edition, and the computer's a member of the security group Contoso Domain Users, and the total RAM is greater than or equal to four gigabytes. With that construction, we know that the preference will only apply where those statements are true.

There are many available targeting options, probably too many to list in detail, but we'll run through them quickly. The computer has a battery, or a specific name, or a specific CPU speed, or a certain amount of disk space, or a certain amount of memory. The computer is within a particular IP address range, or running a specific operating system, or in a specific Active Directory site, or the computer uses a specific language setting, or uses a specific processing mode. We can also define that a specific time range is present. The user has a specific name. A certain file is present on the computer, or we can specify to apply by or after a specific date. Finally, we can define whether a user or computer is a member of a specific security group.

In the demonstration, I'll show you how to configure and target preferences. So on my domain controller, I'm going to select Group Policy Management. I've created a policy called Abby's Policy, which I've linked only to Abby, which we did earlier. There's also a Sales Group Policy, which has security filtering set to authenticated users. Let's take a look at Abby's Policy. And I'm going to configure the settings of this policy by editing it. That opens up the Group Policy Management editor.

Preferences exist for both computer settings and also for user settings. So under Preferences for Computer Settings, we can see that there is the ability to create environment variables, to create files and folders, to create INI files, to modify the registry by defining a new registry item and then configuring that item, to create a network shared folder and to place a shortcut on maybe the desktop or some other location. Under Control Panel Settings, we can also configure things like data sources, devices, folder options, local users and groups, power options, printers, services, et cetera.

Similarly, under User Configuration, we have the ability to define application, to map network drives, once again, to create environment variables, create files and folders, INI files and registry settings and again, create shortcuts.

I'm going to create a shortcut under the User Configuration and I'm going to change this to Create. I'm going to define it as, let's call it Sales App. It's a file system object. I'm going to specify that that will live on the desktop, so it'll create a shortcut on the desktop and the path that I want it to execute or provide a shortcut to is C/Windows Notepad. Now, I realize that's not any kind of sales app but for demonstration purposes. So that should create a sales app shortcut, pointing to Notepad and place it on the desktop.

I'm also going to create a drive mapping and I'm going to say Create and I'm going to specify that as, I can search for a particular path here on the network but I can just enter that Contoso DC/Apps. I'm going to reconnect and I'm going to label this as, well, first use, we'll call this one Drive, let's say, H and label this as Apps and I can select Apply there. Before I do that, I'm going to go on to Common and I can then choose Item Level Targeting and then choose one of the targeting options. So for example, I can specify that the computer name must be Contoso CL1. So I've got an item level targeting configured to create a drive mapping to Contoso DC/Apps.

Okay, when I close the editor, those will become effective although it'll be a while before they apply in general. This policy is being security filtered to only apply to Abbey Parsons in the first place so it won't apply to anybody else. So now let's try and see what happens if we flick over to Contoso CL1 and sign in as Abbey. So on my Windows 11 computer, select Other User and sign in as Abbey.

Okay, so signed in, Start Menu's displayed and we can see here we've got a couple of scripts, one for Contoso and one that's associated with a group policy which is just for Abbey. And we can see that there's a sales app shortcut on the desktop so that's being picked up. So we'll just check in File Explorer for the presence of the drive mapping under this PC. So you can see Drive H here is called Apps and that's available. If I select that, it'll take me to the apps map network drive so that's all looking pretty good. So everything worked as expected. So that's preferences. In the demonstration, you learned how to configure and target preferences.
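
The following is an added example, not part of the course material: a PowerShell sketch for reviewing which drive-mapping preferences carry item-level targeting, since an untargeted item applies to everyone in the GPO's scope. The XML is a constructed sample modelled on a preferences Drives.xml file, `SERVER` and `CLIENT1` are placeholder names, and `Get-GppDriveTargeting` is a hypothetical helper.

```powershell
# Constructed sample modelled on a Group Policy preferences Drives.xml file.
# SERVER and CLIENT1 are placeholder names; real files carry more attributes.
$sampleDrivesXml = @'
<Drives>
  <Drive name="H:">
    <Properties action="C" path="\\SERVER\Apps" label="Apps" persistent="1" letter="H"/>
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="CLIENT1"/>
    </Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" path="\\SERVER\Sales" label="Sales" persistent="0" letter="S"/>
  </Drive>
</Drives>
'@

function Get-GppDriveTargeting {
    # Hypothetical helper: lists each drive mapping and its item-level targeting filters.
    param([Parameter(Mandatory)][xml]$Xml)

    $actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $props = $drive.SelectSingleNode('Properties')

        # Each child of <Filters> is one targeting condition; render it as Type(attr=value, ...).
        $filters = foreach ($f in $drive.SelectNodes('Filters/*')) {
            $attrs = foreach ($a in $f.Attributes) { '{0}={1}' -f $a.LocalName, $a.Value }
            '{0}({1})' -f $f.LocalName, ($attrs -join ', ')
        }

        $code = $props.GetAttribute('action')
        [pscustomobject]@{
            Letter   = $props.GetAttribute('letter')
            Path     = $props.GetAttribute('path')
            Action   = if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { $code }
            Targeted = [bool]$filters
            Filters  = @($filters) -join '; '
        }
    }
}

# Untargeted items apply to every user in the GPO's scope, so review those first.
Get-GppDriveTargeting -Xml $sampleDrivesXml |
    Sort-Object Targeted |
    Format-Table -AutoSize
```

To review a real GPO, pass the content of its preferences XML file instead of the sample, for example `Get-Content -Raw` on a copy of the file.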
