With every additional option added, complexity is increased. As an example, look no further than Group Policy. Back in 2005, life was simple. Group Policy Preferences didn’t yet exist. The next year, Microsoft bought Desktop Standard. Suddenly, we had two ways of doing things. Though a good thing, choosing between two ways can be difficult at times. Let’s look at the differences.
A policy is a specific set of settings within a Group Policy Object. In a nutshell, everything under Administrative Templates is a policy. These settings are sometimes called registry-based policies because they reside in the registry.
For example, any setting that you configure under Computer Configuration will appear in HKEY_LOCAL_MACHINE\SOFTWARE\Policies. Any user-side policies will appear at HKEY_CURRENT_USER\Software\Policies.
Every policy will meet these two criteria:
1. Does Not Tattoo Settings
If you configure a setting (ex: User Config/Administrative Templates/Windows Components/Internet Explorer/Disable changing home page settings) and later remove that setting from the GPO, the computer will also remove the setting.
2. Takes Precedence
A policy will always be the default setting once configured. When you configure a specific setting, the user will not be able to override the setting. In the picture below, notice how the home page settings cannot be changed:
A preference is pretty much everything that doesn’t fit into the policy list. For example, if I used Group Policy Preferences: Internet settings to configure the homepage – I would be using a preference. To technically be a preference, the setting has to do two things:
1. Tattoo Settings
If I set the homepage using Group Policy Preferences and later removed the GPO with that setting, the homepage setting would not be restored to the default value.
2. Allow Configuration
Any preference must not lock out the user’s ability to change the setting. A preference is what you, the administrator, prefer the value to be. But this value can still be changed.
Enough with the theory! Give me a real world example!
Let’s look at Trusted Sites in Internet Explorer as an example. If I wanted to configure a specific list of trusted sites and I never wanted a user to change it, I would want to use a policy. Knowing this, I can set User Config/Admin Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List. I would enable this setting and list my trusted sites. Once the policy has been applied, users could no longer edit the trusted sites list. What I gave them is what they get.
Nice, right? Maybe… What if you want to let your staff members add to this list? If that is the case, you would want to use a preference. Doing so will put your default values in the list but still allow users to edit it (add/remove additional websites).
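The trusted-sites case above, as an added example that is not from the original article: this PowerShell lists the current user's zone assignments and labels each one as policy or preference, which is useful when auditing what a GPO enforces versus what has been left behind or added by users. It assumes the registry locations Internet Explorer uses for the Site to Zone Assignment List policy (ZoneMapKey under Software\Policies) and for editable entries (ZoneMap\Domains); the function names are hypothetical.

```powershell
# Added example. Registry locations are assumptions based on where Internet
# Explorer stores zone assignments; function names are hypothetical.
$internetSettings = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = "HKCU:\Software\Policies\$internetSettings\ZoneMapKey"  # policy side
$prefRoot  = "HKCU:\Software\$internetSettings\ZoneMap\Domains"      # preference side
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'
                3 = 'Internet';    4 = 'Restricted Sites' }

function Resolve-ZoneName($data) {
    # Policy entries store the zone as a string, ZoneMap entries as a DWORD.
    $zone = $data -as [int]
    if ($null -ne $zone -and $zoneNames.ContainsKey($zone)) { $zoneNames[$zone] }
    else { "Unknown ($data)" }
}

function Get-PolicyZoneSite {
    if (-not (Test-Path $policyKey)) { return }
    $key = Get-Item -Path $policyKey
    foreach ($site in $key.GetValueNames()) {        # value name = site, data = zone
        [pscustomobject]@{ Source = 'Policy'; Site = $site
                           Zone = Resolve-ZoneName ($key.GetValue($site)); Tattoos = $false }
    }
}

function Get-UserZoneSite {
    if (-not (Test-Path $prefRoot)) { return }
    foreach ($key in Get-ChildItem -Path $prefRoot -Recurse) {
        # A key path ...\Domains\example.com\www stands for the host www.example.com
        $labels = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
        [array]::Reverse($labels)
        # Value name = URL scheme (or *), data = zone; skip the unnamed default value
        foreach ($scheme in $key.GetValueNames() | Where-Object { $_ }) {
            [pscustomobject]@{ Source = 'Preference'
                               Site = '{0}://{1}' -f $scheme, ($labels -join '.')
                               Zone = Resolve-ZoneName ($key.GetValue($scheme)); Tattoos = $true }
        }
    }
}

# Policy rows disappear when the GPO setting is removed; preference rows stay.
@(Get-PolicyZoneSite) + @(Get-UserZoneSite) |
    Sort-Object Source, Site |
    Format-Table -AutoSize
```

Run it in the session of the user being audited. Settings configured under Computer Configuration would be read from HKEY_LOCAL_MACHINE instead.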
Wrapping it up, here is my one-step checklist for picking between a policy and a preference:
Do I care if users change this? If I don’t care, then it should be a preference.