Every additional option adds complexity, and Group Policy is a good example. Back in 2005, life was simple: Group Policy Preferences didn't yet exist. The next year, Microsoft bought Desktop Standard, and suddenly we had two ways of doing the same thing. Having the choice is a good thing, but choosing between the two can be difficult at times. Let's look at the differences.
Policies:
A policy is a specific set of settings within a Group Policy Object. In a nutshell, everything under Administrative Templates is a policy. These settings are sometimes called registry-based policies because they are written to dedicated Policies keys in the registry.
For example, any setting that you configure under Computer Configuration is written to HKEY_LOCAL_MACHINE\SOFTWARE\Policies (or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies). User-side policies are written to HKEY_CURRENT_USER\Software\Policies (or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies). These keys are ACL'd so that a standard user cannot modify them, and a policy-aware application reads the policy key first and ignores the user's own setting when a policy value is present.
Every policy meets these two criteria:
1. Does Not Tattoo Settings
If you configure a setting (for example, User Configuration/Administrative Templates/Windows Components/Internet Explorer/Disable changing home page settings) and later remove that setting from the GPO, or unlink the GPO, the client removes the setting too: the value under the Policies key is deleted at the next Group Policy refresh and the application falls back to its non-policy setting.
2. Takes Precedence
Once configured, a policy takes precedence over anything the user or an application has set. The user cannot override it: the policy value lives in a key the user cannot write to, and policy-aware applications grey out the corresponding control. In the picture below, notice how the home page settings cannot be changed:
Preferences:
A preference is pretty much everything that doesn't fit the policy definition. For example, if I used Group Policy Preferences: Internet Settings to configure the home page, I would be using a preference. To technically be a preference, the setting has to do two things:
1. Tattoo Settings
If I set the home page using Group Policy Preferences and later removed the GPO with that setting, the home page setting would not be restored to the default value. The value was written to the ordinary registry location, and nothing comes back to clean it up unless the item was configured with the Common tab option "Remove this item when it is no longer applied" (where the item type supports it).
2. Allow Configuration
A preference must not lock out the user's ability to change the setting. A preference is what you, the administrator, prefer the value to be, but the user can still change it. Keep in mind that Group Policy re-applies the preference at the next refresh, so the user's change lasts only until then unless the item is set to "Apply once and do not reapply" on its Common tab.
Enough with the theory! Give me a real-world example!
Let's look at Trusted Sites in Internet Explorer as an example. If I wanted to configure a specific list of trusted sites that users could never change, I would use a policy. Knowing this, I can set User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page/Site to Zone Assignment List, enable it, and list my trusted sites (each entry is a URL pattern paired with a zone number; 2 is Trusted Sites). Once the policy has been applied, users can no longer edit the trusted sites list: the Sites button in Internet Options is greyed out. What I gave them is what they get.
Nice, right? Maybe. What if you want to let your staff members add to this list? In that case, you would want a preference. That seeds the list with your default values but still allows users to add or remove sites. Note that Group Policy Preferences has no dedicated item for trusted sites, so in practice this means a Registry preference item that writes the zone entries under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.
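The two routes land in different places in the registry, and that difference is the whole policy/preference distinction described above: the Site to Zone Assignment List policy writes under the Policies hive (deleted by Group Policy when the GPO goes away, not writable by a standard user), while the preference route writes the same ZoneMap\Domains structure that Internet Options itself writes (left behind when the GPP item is removed, user-editable). The PowerShell below is an added example, not code from the original post or from the linked guide. It audits where a host's zone assignment comes from and which source wins, and writes the preference form the way a GPP Registry item would. The registry paths and zone numbers are Internet Explorer's; the function names, the sample host intranet.contoso.com and the rule that the last two labels form the domain are assumptions of this example.

```powershell
# Added example, not code from the original post or the linked guide. Registry
# paths and zone numbers (1 Intranet, 2 Trusted sites, 3 Internet, 4 Restricted)
# are Internet Explorer's; the function names, the sample host and the
# domain-splitting rule are assumptions made for this example.

# Policy route: the "Site to Zone Assignment List" template writes one REG_SZ value
# per URL pattern (name = pattern, data = zone) under the Policies hive. Group Policy
# deletes these values when the GPO no longer applies, and the Policies keys are
# ACL'd so a standard user cannot change them: no tattoo, takes precedence.
$PolicyKeys = @(
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

# Preference route: the key Internet Options writes when a user clicks Sites > Add.
# One subkey per domain, an optional subkey for the host, and a DWORD named after the
# scheme. A GPP Registry item writing here seeds the list, the user can still edit
# it, and the value is left behind if the item is removed: tattoos, editable.
$PreferenceRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-IEZoneMapKeys {
    # Returns the ZoneMap\Domains keys that can hold a zone for $HostName: the
    # domain-wide key first (what "*.contoso.com" maps to), then the host-specific
    # key if there is one. Assumption: the last two labels are the domain (fine for
    # contoso.com, wrong for multi-label suffixes such as co.uk).
    param([Parameter(Mandatory)] [string] $HostName)
    $labels = ($HostName.ToLower() -replace '^\*\.', '').Split('.')
    if ($labels.Count -lt 2) { throw "Need at least domain.tld, got '$HostName'" }
    $keys = @("$PreferenceRoot\$($labels[-2..-1] -join '.')")
    if ($labels.Count -gt 2) {
        $keys += "$($keys[0])\$($labels[0..($labels.Count - 3)] -join '.')"
    }
    return $keys
}

function Get-IEZoneAssignment {
    # Reports every registry entry that assigns a zone to $HostName for $Scheme and
    # which source is effective: any policy match wins over any preference entry.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $Scheme = 'https'
    )
    $found = @()

    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            $pattern = $p.Name -replace '^[a-z]+://', ''    # "https://host" -> "host"
            if ($HostName -like $pattern) {                 # -like also handles "*.contoso.com"
                $found += [pscustomobject]@{
                    Source = 'Policy'; Location = "$key -> $($p.Name)"; Zone = [int]$p.Value
                    UserEditable = $false; Tattoos = $false
                }
            }
        }
    }

    foreach ($key in @(Get-IEZoneMapKeys -HostName $HostName)) {
        if (-not (Test-Path $key)) { continue }
        $zone = (Get-ItemProperty -Path $key -Name $Scheme -ErrorAction SilentlyContinue).$Scheme
        if ($null -ne $zone) {
            $found += [pscustomobject]@{
                Source = 'Preference'; Location = "$key -> $Scheme"; Zone = [int]$zone
                UserEditable = $true; Tattoos = $true
            }
        }
    }

    if ($found.Source -contains 'Policy') { $effective = 'Policy' }
    elseif ($found.Count -gt 0)           { $effective = 'Preference' }
    else                                  { $effective = 'None (zone defaults apply)' }

    [pscustomobject]@{ Host = $HostName; Scheme = $Scheme; EffectiveSource = $effective; Entries = $found }
}

function Set-IEZonePreference {
    # Writes the preference form: exactly what a GPP Registry item (or the user via
    # Internet Options) writes. It needs only the user's own HKCU rights, which is
    # why it is a preference and not a policy.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string] $Scheme = 'https',
        [ValidateRange(1, 4)] [int] $Zone = 2              # 2 = Trusted sites
    )
    $key = @(Get-IEZoneMapKeys -HostName $HostName)[-1]    # most specific key
    if ($PSCmdlet.ShouldProcess($key, "set $Scheme = $Zone")) {
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name $Scheme -Value $Zone -Type DWord
    }
}

# Usage (the host is a constructed sample; add -WhatIf to see the key without writing):
Set-IEZonePreference -HostName 'intranet.contoso.com' -Zone 2
Get-IEZoneAssignment -HostName 'intranet.contoso.com' | Format-List
```

Run Get-IEZoneAssignment on a machine where the Site to Zone Assignment List policy is applied and you will see a Policy entry and a Preference entry for the same host, with EffectiveSource reporting Policy. Unlink the GPO, run gpupdate, and check again: the Policy entry is gone (no tattoo) while the Preference entry is still there (tattoo). The example does not model the "Security Zones: Use only machine settings" policy, which makes Internet Explorer read the HKLM copies of both keys instead of HKCU.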
Wrapping it up, here is my one-step checklist for picking between a policy and a preference:
Do I care if users change this? If I don't care, it should be a preference. If I do care, it has to be a policy.
Another super helpful post. Thanks! One thing that's been plaguing my Win 8 deployments is the two "Other User" options at the startup screen. I understand that one is for local logon and the other for a domain logon. I'd like to remove the local "Other User" to lessen confusion for my clients. The local "Other User" asks for an email address, and I suppose it's supposed to tie to an MS account. My school isn't using OneDrive or any of the Win 8 cloud features yet. Web searches have only shown me posts about disabling local login so far, which I don't want to do, as I want to let them continue to log in to locally cached domain accounts when they are off network. Any tips on getting rid of the other ominous "Other User"?
🙂 Thanks!
Enable Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive logon: Do not display last user name.
Nice article, Joseph, but there seems to be one major flaw, and that is you cannot set Trusted Sites with GPP, unfortunately. Why, I don't know.
Thanks, Micky! You can do it with GPP, but you have to use Registry preferences. Weird, I know.
Here is a guide on that: https://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/