Group Policy Object Editor (GPedit)
On Microsoft Windows 2000/XP and later, we can edit Group Policy for the local computer using the Group Policy Object Editor tool, which is part of the system. It is a snap-in for the Microsoft Management Console (MMC), which we can launch either by typing gpedit.msc directly or by running mmc.exe (Microsoft Management Console) and adding the Group Policy Object Editor snap-in. If we use mmc, we can choose whether to connect to the local computer, another computer on the network, or a domain policy, i.e. a Group Policy Object (GPO).
A small tip for beginners: MMC is a very good tool. We can load all the important snap-ins for domain management into it (I have 17 of them) and save the console. Then we open only one program (with domain admin rights) and have all the necessary tools at hand.

I came across a situation where I ran gpedit.msc locally and most of the options were missing under the Administrative Templates containers. The point is that this container is modular: we can add prepared templates (files with the .adm extension). Some load automatically but can be removed, so we just need to add them again. For example, to add System:
- right-click on Computer Configuration – Administrative Templates
- select Add/Remove Templates
- click on Add
- select the file system.adm (C:\windows\inf)
Group Policy Management Console (GPMC)
Along with Windows Server 2003, MS released a new tool for managing Group Policy, called the Group Policy Management Console. On Server 2003 this tool is built into the system, but if we want to manage the domain from a Windows XP workstation (and it can also be a Windows 2000 Server domain), we can download it from MS as Group Policy Management Console with SP1. Again we can launch it either by typing gpmc.msc directly or by adding the Group Policy Management snap-in to mmc.

GPMC is used to manage domain GPOs. It lists all group policy objects in the domain and shows the structure of organizational units (OUs) in the domain, where we can link and enable/disable individual GPOs; it also supports GPO backup/restore and import. It includes the Group Policy Results tool, which offers functionality similar to the gpresult.exe command, i.e. it displays how policies were applied for a selected computer and user, and the Group Policy Modeling tool, which simulates policy application (with a variety of settings). GPMC displays only the values in a GPO that have been changed, so it is easy to find out what a given policy does. If we want to edit a GPO, GPEDIT opens with that policy loaded.
Group Policy Preferences (GPP)
With the advent of Windows Server 2008, Group Policy was further expanded with Group Policy Preferences. To be able to configure GPP, we need to have the Remote Server Administration Tools (RSAT) installed. It is included in Server 2008 and can be installed on Windows Vista SP1 x86 and x64. RSAT includes a modified version of the Group Policy Management Console along with the Group Policy Management Editor.
To use GPP, we only need a Windows Server 2003 domain. We don't need any server running Windows Server 2008, but we need at least one Windows Vista workstation from which we will create the policies. By default, GPP applies only to Server 2008, but for Windows XP SP2 x86 and x64, Windows Vista x86 and x64, and Windows Server 2003 SP1 x86 and x64 there are the Group Policy Preference Client Side Extensions (CSE). The CSE can be installed manually or as an optional update from Windows Update, KB943729.
If we open GPMC with RSAT and choose Edit on a policy, gpedit does not open; instead the new Group Policy Management Editor opens (it can be run directly as gpme.msc). It introduces a new division under Computer and User Configuration into Policies and Preferences.
Group Policy Preferences are stored in the same way as Policies (together, as one GPO) in the SYSVOL folder on domain controllers. However, the GPP configuration is stored in XML files, so the client must contain an XML parser.

GPP brings more than 20 new GP extensions. The way they are applied is also different. Policies that we have set are enforced on the workstation and cannot be changed (the option is grayed out), whereas preferences can be edited by the user and are either re-applied after some time (the group policy refresh interval, 90 minutes by default) or, if we choose the option Apply once and do not reapply, applied only once. There is also a feature called Item-level targeting, which allows us to determine very precisely which computers a given GPP should apply to; the criteria can use a variety of conditions, such as MAC address, LDAP query, WMI, free disk space, etc. If a policy was applied and the computer/user is no longer within the scope of that policy, all its settings are removed. For GPP, the default behavior is that the values remain set (but we can change this by checking Remove this item when it is no longer applied).
Note: Policies are referred to as registry-based settings; their settings are made through the registry. Preferences, on the other hand, can configure more than just the registry.
Some of the possibilities offered by GPP are: mapping network drives, modifying local users and groups, copying files, creating shortcuts, working with the registry, setting environment variables, configuring VPN connections, setting folder properties, and more.
Additional note: In 2014, Microsoft found that storing passwords using Preferences is not secure, so they now block this option. This significantly limits the possibilities. A detailed description is in MS14-025: Vulnerability in Group Policy Preferences could allow elevation of privilege (May 13, 2014).
Below I provide two examples of using GPP for operations that previously had to be performed in a more complicated way.
Mapping a Network Drive
I think it is a common operation in a corporate environment to map some shared data storage as a network drive for all (or certain groups of) users. Until recently this had to be done using a logon script. Today we have GPP, which solves it more elegantly.
- launch Group Policy Management (Start > Administrative Tools)
- navigate to the container (OU) where we want to apply the settings
- right-click on it and choose Create a GPO in this domain, and Link it here ...
- enter a name and click OK, this will create a GPO
- right-click on it and choose Edit
- the GPO will open in the Group Policy Management Editor
- expand User Configuration > Preferences > Windows Settings > Drive Maps
- right-click and choose New > Mapped Drive

- choose the parameters for the mapped drive; in practice I found the Create action to work well (I tried Replace, which should first remove the mapped drive if it exists, but I couldn't get it to work properly)

- on the Common tab, check Run in logged-on user's security context (user policy option) so that the drive is mapped with the permissions of the currently logged-in user

- close the windows and we're done
Changing the Local Administrator Password
Note: This method can no longer be used; more info in the article Remote change of local user passwords in Windows.
The second interesting task that we can solve using GPP, and which used to be a problem, is changing the parameters of a local account (especially the password).
- launch Group Policy Management (Start > Administrative Tools)
- navigate to the container (OU) where we want to apply the settings
- right-click on it and choose Create a GPO in this domain, and Link it here ...
- enter a name and click OK, this will create a GPO
- right-click on it and choose Edit
- the GPO will open in the Group Policy Management Editor
- expand Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
- right-click and choose New > Local User

- fill in the details of the user to be modified; in our case we choose the Update action, because we want to modify an existing account (this is important because the original SID, and thus the permissions, are preserved)
- since we want to modify the local administrator account, we select it from the list (other accounts are entered manually); we can rename it (which is a good security measure) and set other parameters

- close the windows and we're done
Of course, there is the question of how secure such a setting is. The good news is that passwords in GPP are stored encrypted with 256-bit AES. But they are stored in this form in an XML file that anyone can obtain.
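As an added example (not code from the original article), the following Python script parses GPP XML of the kind stored under SYSVOL and reports, for each preference item, the action (Create/Replace/Update/Delete), whether it runs in the logged-on user's security context, whether it is removed when out of scope, and its item-level targeting filters; it then audits the files for any item that still carries a cpassword attribute, which is exactly the setting MS14-025 concerns and which an administrator should find and remove. The attribute names action, userContext, removePolicy and cpassword follow the GPP XML format as I know it; the two sample documents, the clsid/uid values, the share, group and account names and the cpassword value are constructed placeholders.

```python
# Added example (not from the original article): parse Group Policy Preferences
# XML as stored under SYSVOL and audit it. Sample documents, clsid/uid values,
# share/group/account names and the cpassword value are constructed placeholders.
import xml.etree.ElementTree as ET

# Action codes as written into the "action" attribute of a preference item.
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

# Constructed Drives.xml: one mapped drive, Create action, run in the logged-on
# user's security context (userContext="1"), with one item-level target filter.
DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{CLSID-PLACEHOLDER}">
  <Drive clsid="{CLSID-PLACEHOLDER}" name="S:" status="S:" image="2"
         changed="2010-01-01 12:00:00" uid="{UID-PLACEHOLDER}"
         userContext="1" removePolicy="0">
    <Properties action="C" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\fileserver\data" label="Data"
                persistent="1" useLetter="1" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Sales"
                   sid="S-1-5-21-0-0-0-1001" userContext="1"/>
    </Filters>
  </Drive>
</Drives>
"""

# Constructed Groups.xml: Update of the built-in Administrator account with a
# rename and a cpassword attribute (the setting MS14-025 is about). The
# cpassword value is a placeholder, not real ciphertext.
GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="Administrator (built-in)" image="2"
        changed="2010-01-01 12:00:00" uid="{UID-PLACEHOLDER}">
    <Properties action="U" newName="lcladm" fullName="" description=""
                cpassword="PLACEHOLDER-CIPHERTEXT" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0"
                subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
  </User>
</Groups>
"""


def parse_gpp_items(xml_text):
    """Return one dict per preference item (each child of the root element)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    items = []
    for item in root:
        props = item.find("Properties")
        if props is None:
            continue
        filters = item.find("Filters")
        items.append({
            "type": item.tag,
            "name": item.get("name", ""),
            "action": ACTIONS.get(props.get("action", ""), "Unknown"),
            # "Run in logged-on user's security context" on the Common tab
            "user_context": item.get("userContext") == "1",
            # "Remove this item when it is no longer applied" on the Common tab
            "remove_when_out_of_scope": item.get("removePolicy") == "1",
            # item-level targeting: one entry per filter element
            "targets": [f.get("name", f.tag) for f in filters] if filters is not None else [],
            "properties": dict(props.attrib),
        })
    return items


def find_cpassword(xml_text):
    """Return the names of items whose subtree carries a cpassword attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [item.get("name", item.tag)
            for item in root
            if any("cpassword" in el.attrib for el in item.iter())]


def audit_sysvol(files):
    """files maps a SYSVOL-relative path to its XML text; returns findings."""
    findings = []
    for path, text in files.items():
        for name in find_cpassword(text):
            findings.append(f"{path}: item '{name}' stores a cpassword (see MS14-025)")
    return findings


if __name__ == "__main__":
    # Paths are illustrative; {GPO-GUID} stands for the GPO's folder name in SYSVOL.
    sample = {"Policies/{GPO-GUID}/User/Preferences/Drives/Drives.xml": DRIVES_XML,
              "Policies/{GPO-GUID}/Machine/Preferences/Groups/Groups.xml": GROUPS_XML}
    for path, text in sample.items():
        for it in parse_gpp_items(text):
            print(f"{path}: {it['type']} {it['name']!r} action={it['action']} "
                  f"user_context={it['user_context']} targets={it['targets']}")
    for finding in audit_sysvol(sample):
        print("FINDING:", finding)
```

To run it against a real domain, replace the constructed sample with the contents of the Preferences XML files read from the SYSVOL share; any finding means the GPO still carries a password and should be edited as described in the newer article on remote changes of local passwords.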
Hello,
Is it necessary to run something special on Windows 2003 if I want to use RSAT to edit GPOs in a 2003 domain? I can't seem to connect to the server. Thank you.
respond to [1]Safranek Jaroslav: I think that as long as we had a 2003 domain, RSAT worked without problems.
In my experience it works reliably in both the 2003 and 2008 domain versions.
Hello,
In the resultant set of policy I see changes from, for example, Administrative Templates, but not from Preferences (such as mapping a network drive); the workstation is XP Pro, the server is 2008 Std. Do you know where the problem might be?
respond to [4]Milan: I'm not sure I understand the question correctly. But as I wrote in the article, on Windows XP you need to install a patch so that it supports Group Policy Preferences.
I have a *.reg file for modifying a value in the registry. Is there any way to run this reg file through Group Policy?
It's a great article, thank you, but if the English names of functions etc. had the Czech name in parentheses, I wouldn't mind at all ;-), times have moved on and many admins including me use a CZ-localized server; besides, deciphering abbreviations like "OU" gives me trouble, otherwise :-)
respond to [7]Milan S.: I have all my servers in English, so it's hard to guess which Czech name MS chose :-). At the first place where the abbreviation OU is used, its meaning "organizational unit" is given as well; otherwise I cover these basic things in several other articles ;-).
respond to [8]Samuraj: Hi, thanks for the lightning-fast reply; in the end I managed to find and set it up, but it doesn't work for me (changing the local admin password), there is a yellow triangle on the admin icon, is that OK or does it indicate some problem/limitation? Also, I created the GPO on the "Domain Controllers" OU, is that right? Or should I have created the GPO at domain.local?
respond to [9]Milan S.: The yellow triangle shouldn't be a problem, it indicates which action is involved (update). You have to link it to the container that holds the computers whose password is to be changed. That probably won't be Domain Controllers (this procedure changes local users, not domain ones).
respond to [10]Samuraj: Aha, now I get it ;-) well, what I'm trying to do, if it's even possible, is to log on with the local admin account on a DC (domain controller); I forgot the local admin password and need to uninstall something in safe mode, but I can't log on to it, because it complains that the domain isn't started/available, and local doesn't work because I don't know the password, and I can't think of what else to do :-(
respond to [11]Milan S.: Once a server is promoted to a DC, local accounts are no longer available. It can only be started into Directory Services Restore Mode.
respond to [12]Samuraj: Yes, I found that out too, but even then I can't log on there, it says the same as during normal operation, that the domain isn't available; could I have DNS set up wrong on the DC? I have 127.0.0.1, shouldn't it be the DC's IP? Because I've been dealing with this for a while and I'm trying even the impossible :-O
respond to [13]Milan S.: When you log on locally, you have to specify that (that it is a logon to the PC and not to the domain). For example using ".\administrator"
respond to [14]Samuraj: Yes, only instead of ".\administrator" I enter the server name "server\administrator" and then it throws an error that the wrong password was entered, whatever I enter, even the domain admin's.
Hi, I'm working on GPP right now; on Win 7 everything runs fine, but I have problems with Win XP. I know the update kb943729 needs to be installed; I downloaded it from Microsoft and installed it, no change appeared, and when I then looked at the installed updates I didn't find it there, even though there was no problem during installation...
On some forums I found that update kb914783 also needs to be installed, but that one tells me that the OS language doesn't match the required one..
Please advise how to get it working on XP, thanks in advance.
Hi, I installed a W2012 server, created user accounts, and set permissions on the file server. After setting up drive mapping according to the guide above, the third mapped drive doesn't get mapped and after some time, approx. 1 hour, access is lost.
Shouldn't the Apply once option be enabled when mapping?
Hi, when trying to set the local administrator via GPO according to the guide, the field for entering and confirming the password is "grayed out" - I can't set/change the password.
Does anyone know where this can be enabled?
respond to [18]spojstroj: I describe this in a newer article www.samuraj-cz.com/clanek/vzdalena-zmena-hesla-lokalnich-uzivatelu-windows/.