Group Policy Preferrals is a arsenal of Group Policy client-side extensions that supply preference settings to domain-joined computers running lutz-heilmann.info Windows desktop computer and also server operating systems. Precommendation settings are bureaucratic configuration selections deployed to desktops and servers. Preference settings differ from policy settings bereason individuals have an option to transform the bureaucratic configuration. Policy settings administratively enpressure setting, which restricts user choice.

You are watching: What is the proper term for associating a group policy to a set of ad ds objects

Group Policy Preferences are dispersed to domain-joined computers using the Group Policy. The versatility of Group Policy permits it to supply opaque configuration information to a domain-joined computer running Windows. The opaque data is then transferred to a Group Policy client side expansion at which suggest the opaque information becomes relevant bereason the client-side extension understands the data.

This record defines just how the Group Policy Drive Maps and Printers client-side extensions process their configuration data. With this knowledge, administrators deserve to more effective architecture and deploy Group Policy Drive Map and also Printer items in their setting. And, the indevelopment presented in this technical reference allows IT Professionals to troubleshoot Group Policy Drive Map and also Printer processing.

Prerequiwebsite Fundamentals

Group Policy

Group Policy is a monitoring technology contained in Windows Server that allows you to secure computer and also user settings. Securing these settings ensures a common computing environment for customers and lowers the full price of ownership by restricting accidental or deliberate configurations that adversely influence the operating mechanism.

A Group Policy object (GPO) is a logical object written of 2 components, a Group Policy container and a Group Policy design template. Windows stores both of these objects on domain controllers in the domajor. The Group Policy container object is stored in the domain partition of Active Directory. The Group Policy template is a arsenal of papers and also folders stored on the system volume (SYSVOL) of each doprimary controller in the domajor. Windows copies the container and layout to all doprimary controllers in a domajor. Active Directory replication duplicates the Group Policy container while the Documents Replication Service (FRS) or the Distributed Documents System Replication (DFSR) organization duplicates the data on SYSVOL.

The Group Policy container and design template together; make the logical object referred to as a Group Policy object. Each Group Policy object contains two classes of configuration: user and computer. Computer configuration settings impact the computer as entirety, regardless of the logged on user. User configuration settings affect the presently logged on user, and also might differ with each user. Some examples of computers settings are power management, user rights, and also firewall settings. Instances of user settings incorporate Web Explorer, display settings, and also Folder Redirection.

Group Policy objects and also their settings use to computers and user to which they are connected. You have the right to connect GPOs to an Active Directory website, domain, organizational unit, or nested organizational unit. Group Policy objects sepaprice from the containers to which they are linked. This separation enables you to link a single GPO to multiple containers. Linking GPOs to many type of containers permits a single GPO to use to customers or computer system within multiple container. This specifies the scope of the GPO. Computer configurations use to computers within the container or nested containers. User configurations apply to users in the very same fashion.

Policy settings apply to computer systems at computer startup and also to users throughout user logon. Windows Server 2012 and Windows 8 contains a Group Policy company. Throughout computer startup, the Group Policy service queries Active Directory for the list of GPOs that are within scope (linked) of the computer object. Aget, this includes:

The site in which the computer resides

The domain in which the computer system is a member

The parent organizational unit to which the computer is a direct member and also any type of other business devices over the parent OU.

The Group Policy organization decides which GPOs apply to computer systems (tbelow are many means to filer GPOs from applying, which is beyond the scope of this introduction) and also uses those policy settings. Client-side extensions (CSEs) are responsible for applying plan settings consisted of in the GPOs. A Group Policy client-side expansion is a sepaprice component from the Group Policy organization that is responsible for reading certain policy establishing data from the GPO and using it to the computer or user. For instance, the Group Policy regisattempt client-side expansion reads registry policy establishing information from each GPO and also then uses that indevelopment into the registry. The security CSE reads and also applies defense policy settings. The Folder Redirection CSE reads and also uses Folder Redirection policy settings.

Group Policy handling repeats when the user logs on the computer system. The Group Policy business decides the GPOs that apply to the user and also then uses user policy settings.

It’s vital that you have a firm expertise of exactly how to develop, modify, and also connect Group Policy objects to containers in Active Directory. Group Policy Preferences use the same concepts as Group Policy. In truth, you manage Group Policy Preferrals the very same means that you control Group Policy. This is a review of Group Policy; it’s not complete. If you are unfamiliar with exactly how to control Group Policy or you need a thostormy refresher, then you deserve to check out the Windows Group Policy Reresource Kit: Windows Server 2008 and Windows Vista (lutz-heilmann.info Press 2008).

Client-side Extensions

A Group Policy client-side extensions is an isolated component that is responsible for handling specific policy settings ceded by the Group Policy facilities. The format in which each Group Policy client-side expansion saves data have the right to be distinctive to each expansion. And, the Group Policy framework is unmindful of this format, nor does it treatment. Group Policy’s purpose is to supply settings to the computer wright here each client-side expansion applies their portion of the policy settings from multiple Group Policy objects.

To assist understand also the partnership between the Group Policy framework and the Group Policy client-side extensions-- consider a postal carrier. The postal carrier collects indevelopment from assorted sources and delivers that information to you. The postal carrier has no principle what information they are transporting. The information could be a letter, a DVD, or a CD through photos. The postal carrier just knows they are to provide the information to a particular resolve.

In this analogy, the Group Policy company is the postal carrier-- it delivers the indevelopment without out any kind of understanding around the indevelopment. The indevelopment ceded by the postal carrier represents the various policy settings. The Group Policy client-side extension represents the person receiving the information. Addresses have the right to have actually many type of recipients. Each recipient receives their very own mail in an expected format. The Group Policy client side expansion reads its particular plan setting indevelopment and also perdevelops actions based upon information consists of in the policy settings.

Group Policy Processing

Group Policy application is the procedure of deciding which Group Policy objects that Windows applies to a user or computer system and also then applying those settings. Understanding Group Policy handling is essential to planning and also deploying Group Policy settings. Misknowledge Group Policy handling is the a lot of widespread cause of undesirable and also unexplainable plan settings.

The essential to knowledge Group Policy processing is Scope. Scope is sindicate a collection of all Group Policy objects that need to apply to a user or computer based upon their object’s area in Active Directory. You develop scope by linking Group Policy objects to specific locations within Active Directory.

The crucial to expertise Group Policy processing is Scope. Scope is ssuggest a arsenal of all Group Policy objects that must apply to a user or computer based upon their object’s place in Active Directory. You create scope by linking Group Policy objects to specific locations within Active Directory.

Group Policy gives choices that have the right to change the scope of Group Policy object. Changing the scope of Group Policy objects affects which plan settings use and also those that do not. You readjust the scope of Group Policy making use of processing order, filtering, and connect options.

Scope

Group Policy handling have to identification the scope to which it is using plan settings. Scope is simply claims as wright here the user or computer system object stays within the Active Directory hierarchy. The easiest method to discover the scope of a user or computer system object is to lookup the respective user or computer"s distinguished name in Active Directory. An object"s distinguiburned name in a catalog offers the objects identification and also the objects place within the brochure. Consider the complying with distinguimelted name.

CN=Kim Akers,OU=Person Resources, DC=corp,DC=contoso,DC=comFrom this, the Group Policy service determines the name of the user object, the organizational unit that contains the user object, and the doprimary in which the user object resides.

CN=Jeff Low,OU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=comLinking

Understanding Group Policy scope calls for learning where to link Group Policy objects so they apply to individuals or computer. To permit a Group Policy object to apply to a user or computer, you associate it through a specific place within Active Directory. Associating a Group Policy object with an item in Active Directory is referred to as linking.

Active Directory has rules that govern wright here you have the right to attach Group Policy objects. Active Directory objects to which you can connect Group Policy objects include:

Site objects

Domain objects

Organizational Unit objects

Linking Group Policy objects to these Active Directory objects is strategic in deploying Group Policy. These are container objects. Container objects, as the name means, implies they can incorporate other objects within them-- they representing hierarchical grouping of objects in a brochure. Site objects can contain computer objects from multiple domain names. Domajor objects can contain multiple Organizational Units, computer systems and user objects. Organizational Unit objects have the right to contain other Organizational Unit objects, computers, and also individuals. Let"s look at the distinguiburned name aget.

CN=Jeff Low,OU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=comClose examicountry of the distinguished name reveals each container object that can potentially apply Group Policy settings to the user. The CN=Jeff Low is the user object name. You cannot connect Group Policy directly to a user object. However, the continuing to be percent of the name mirrors the object’s place. Working left to right, you have the right to find each container object that is qualified of apply Group Policy to the user.

OU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=comOU=Research,OU=RandD,DC=corp,DC=contoso,DC=comOU=RandD,DC=corp,DC=contoso,DC=comDC=corp,DC=contoso,DC=comEach of these places reexisting the scope of Group Policy. The Group Policy service collects linked Group Policy objects from each of these places in the magazine. This represents the scope of Group Policy for the user or computer.

Notice the order in which Windows collects the list of Group Policy objects? It starts with the OU closest to the user and traverses up the directory to the object furthest ameans from the user, which is generally the domajor object. Thturbulent linking, you have actually a list of Group Policy objects that are in scope with the user or computer system. However, not eextremely GPO in the list should apply to the user or computer system.

*

Security Filtering

Group Policy scope is the list of all Group Policy objects that may be applicable to the user or computer because of their object"s place within Active Directory. Security Filtering determines if the respective user or computer system has actually the appropriate permissions to use the Group Policy object. A user or computer system need to have actually the Read and also Apply Group Policy permissions for the Group Policy service to take into consideration the Group Policy object applicable to the user.

The Group Policy solutions iteprices with the whole list of Group Policy objects determining if the user or computer has the appropriate perobjectives to the GPO. If the user or computer has actually the permissions to use the GPO, then the Group Policy business moves that GPO into a filtered list of GPOs. It continues to filter each Group Policy object based upon pergoals until it reaches the finish of the list. The filtered list of Group Policy objects includes all GPOs within scope of the user or computer system and are applicable to the user or computer system based on pergoals.

*

WMI Filtering

WMI filtering is the last phase of determining the scope of Group Policy objects that apply to a user or computer system.

Windows Management Instrumentation (WMI) is the lutz-heilmann.info implementation of Web-Based Enterpclimb Management (WBEM). WMI supplies the Common Information Model (CIM) market traditional to recurrent devices, applications, networks, tools, and various other managed components.

Group Policy provides even more filters to regulate the scope of applicable Group Policy objects. WMI enables you to develop queries to interrogate particular attributes of the computer, operating system, and various other managed components. In the develop of queries, you create criteria that behave like logical expressions-- wbelow the outcome equates to true or false. You connected, or link these criteria to a Group Policy object. If the criteria evaluates to true, the Group Policy object remains applicable to the user and also is retained in the filtered list. If the criteria evaluates to false, the Group Policy service gets rid of the Group Policy object from the filtered list.

Once WMI filtering completes, the Group Policy company has actually a list of filter Group Policy objects. This last list represents all applicable Group Policy objects for the user or computer system. Internally, Security and WMI filtering take place in one cycle.

*

Processing Order

Group Policy has a certain order in which it uses Group Policy objects. Understanding the order in which Group Policy objects apply is vital bereason Group Policy offers the order of application to deal with conflicting plan settings among various Group Policy objects attached to different locations within Active Directory.

Local, Site, Domajor, and OU

The Group Policy company uses the Local Group Policy first, then Group Policy objects from the Site, complied with by Group Policy objects from the doprimary, and also Group Policy objects from organization systems. If the targeted user or computer system to obtain Group Policy settings, then the Group Policy business uses Group Policy objects from OUs furthest in family tree from the user to closest in family tree to the user. Consider the filtered list of applicable Group Policy objects.

DC=corp,DC=contoso,DC=comOU=RandD,DC=corp,DC=contoso,DC=comOU=Research,OU=RandD,DC=corp,DC=contoso,DC=comOU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=com

*

Notice the order of Group Policy objects has actually adjusted from the initially list. This reordering of Group Policy occurs throughout the Security and also WMI filter handling. The Group Policy service builds the initially list of GPOs by finding the user or computer system object and also then collecting all attached GPOs as it walks up the directory tree. The GPOs are detailed backwards from the order they use because as the Group Policy organization adds the recently discovered connect place to the bottom of the list. This explains why the domajor place is at the bottom of the list.

However, when filtering the list for defense and also WMI filters, the Group Policy organization starts at the height of the list, which is the OU closest in lineage to the user or computer system object. The organization builds a brand-new list (the filtered list) by placing the GPOs that pass with the filter into the filtered list. The organization inverts the order of the original list, making the domain area at the top of the list. The place closest to the user is at the bottom of the list —the order Group Policy applies GPOs to individuals and also computer systems.

Conflict Resolution

Each Group Policy object contains the exact same number of potential plan settings. Because of this, it is possible to have the exact same policy setting identified in multiple Group Policy objects. Conflicts occurs as soon as the exact same policy establishing is configured in multiple Group Policy objects. Like 2 cars completing for the exact same space on the road—one wins and the other loses. Group Policy handles conflicts by utilizing a technique recognized as last-writer-wins. Last-writer-wins resolves disputes by declaring the prevailing setting as the establishing that Group Policy writes last. Because of this, the Group Policy object containing the conflicting plan setting that uses last is the setting that wins over all other settings.

*

The Processing Order area of this document describes that Group Policy objects use in Local, Site, Domain, and Organizational Unit order. Based on this processing hierarchy:

Policy settings in Group Policy objects attached to the Active Directory site settle plan establishing disputes in between the Local Group Policy object and Group Policy objects linked to the Active Directory site.

Policy settings in GPOs linked to the doprimary deal with policy establishing conflicts between Group Policy objects attached to the Active Directory website and also GPOs attached to the Active Directory domajor.

Policy settings in GPOs linked to an organizational unit deal with plan setting disputes in between Group Policy objects linked to the Active Directory domain and GPOs connected to an organizational Unit.

Policy settings in GPOs linked to a son business unit resolve policy settings disputes between Group Policy objects attached to the child business unit and also GPOs attached to the parent organizational unit.

Conflict Resolution among GPOs linked at the same Location

Group Policy enables you to attach multiple Group Policy objects at each site, domajor, and also organization unit locations in the catalog. Until now, dispute resolution only determined reremedies in between conflicting policy settings attached at 2 various locations in Active Directory. What about conflicting plan settings in Group Policy objects that are linked at the same location?

Group Policy proceeds to use the last-writer-wins technique for reresolving policy establishing problems among Group Policy objects attached as the exact same place in Active Directory. Understanding exactly how the Group Policy Management Console (GPMC) web links Group Policy objects to areas in Active Directory describes the processing order of Group Policy objects attach at the same place in Active Directory.

GPLink Attribute

The places that assistance Group Policy linking, Active Directory sites, domains, and business devices, perform so bereason each of these objects have actually a GPLink attribute. The GPLink attribute is a single-valued attribute that accepts a worth of a string data type. While the Active Directory Schema enpressures the single-valued nature of the GPLink attribute, Group Policy provides the attribute as a multivalued attribute. The GPMC writes the worth of the GPLink attribute using the complying with format.

<…><…>The distingushedNameOfGroupPolicyContainer token represents the distinguiburned name of the Group Policy Container. A Group Policy object is a solitary logical object written of two components of indevelopment. The component of information stored on the file system is the Group Policy layout. The remaining component, the Group Policy Container is an object in Active Directory object that lives in the domajor partition of Active Directory. As formerly extended, the distinguished name of a directory object gives the object’s name and place in the magazine.

The linkOptions token is an integer worth that specifies the attach choices connected with the Group Policy object. Right now, you can permit or disable connected of Group Policy objects. Also, you can configure the connect as enforced. The linkOptions worth is a bit value wbelow combining values varies the configurations.

Enabled0x0Disabled 0x1Enforced0x2Disabling the attach of a Group Policy objects stays clear of the Group Policy organization from including that GPO in the list of GPOs within scope of the targeted user or computer system. The distinguishedNameOfGroupPolicyContainer and the linkOptions token are enclosed in square brackets ( < > ) and also separated by a semicolon (;). This represents a singly linked Group Policy object. Linking another Group Policy object to the place inserts a brand-new distingushedNameOfGroupPolicyContainer and also linkOptions combination prior to the existing combination; it does not include the brand-new combicountry to the end. The linking pattern proceeds to insert newly linked GPOs at the beginning of the value; by relocating existing values to the appropriate.

The Group Policy company reads this lengthy string as a list of values from left to appropriate. The first GPO link enattempt in the value is the initially to apply at this place. The following entry in the value uses after that. The procedure continues till the last GPO in the value applies.

Group Policy naturally asindicators each GPO precedence based on the order it reads the list—left to best. Thus, the initially GPO in the worth has the lowest precedence in the list of connected Group Policy objects. The following GPO in the worth has a greater precedence than the previous GPO because it applies its plan settings after the previous GPO; by winning any kind of policy setting conflicts in between the 2 GPOs. Each GPO that adheres to has actually a higher precedence than the Group Policy object before it in the link order. The last GPO in the worth has actually the greatest precedence bereason it is the last Group Policy object the Group Policy company uses.

The best way to understand also this is to think of the lengthy string as a list of GPOs. Take the initially GPO (the left most GPO) in the value and place it the list. Take the following links GPO noted and also location on peak of the list (leading to all others to move down in the list by one). Continue this process until the last GPO is on height of the list. This final GPO linked entries list is in precedence order, which implies the list is processed from the bottom to the optimal.

*

When perceived in a list in precedence order, it’s easy to uncover that GPOs greater in the list have more precedence than GPOs reduced in the list. As a result, GPOs lower in the list shed plan establishing disputes and also GPOs greater in the list win plan establishing conflicts.

Link Options

As previously proclaimed, a Group Policy connected as choices of allowed, disabled, and also applied. The allowed and disabled options are intuitive to understand also. When an permitted attach is considered in the scope of Group Policy for the targeted user or computer system. A disabled connected behaves as if the Group Policy object was never before attached.

Enforced

The Enrequired connect choice is the exemption to all rules. The Enrequired option ensures the settings from the connected GPO always win problems regardmuch less of any various other Group Policy object that has policy settings that might dispute via those of the connected GPO. The GPMC visually represents an implemented Group Policy connect by adding a padlock to the existing linked plan icon. Group Policy settings from an enforced connect constantly apply, also if the business unit has block plan inheritance enabled

Block Policy Inheritance

The last item around Group Policy handling order is Block Policy Inheritance, or simply well-known as Block Inheritance in the Group Policy Management Consingle. Each domajor and business unit in Active Directory object includes a GPOptions attribute. This establishing enables you to block Group Policy settings connected higher in the handling order from using to users and computers that are commonly in containers reduced in the handling order.

For example, policy settings attached to the doprimary apply to computers and customers within the whole domain, regardless of their parent business unit. However before, you have the right to usage GPMC to block inheritance on the domain or an business unit to prevent normal Group Policy setting from using to users and computers within that container. Blocking plan inheritance on the doprimary avoids Group Policy settings from GPOs linked to the Active Directory site from using to the doprimary. Blocking policy inheritance on organizational units prevents normal Group Policy settings from GPOs connected to sites and domain names from applying to the business systems.

Block policy inheritance does not prevent Group Policy settings from applied connected Group Policy objects from using to individuals and computer systems. Group Policy settings from enforced web links apply regardless of the block plan inheritance status on domain and organizational unit objects.

Group Policy Preferences

Group Policy Preferrals extends Group Policy. Precommendations are not Group Policy settings. Windows stores both settings in the registry; however; plan settings have an benefit over preferences—they generally override a choice.

You deserve to connumber Windows utilizing the user interface. The user interface presents you with choices; you select the options you like; and click OK or close the dialog box. Windows then saves your selections to the registry so it can recontact those settings later. Setups configurable by the user are known as choices (notification the lowercase “p”). Mapping a shared folder or picking a default house page is an instance of preferences. When you set the house web page making use of Web Explorer, you can close the web internet browser and also open up it up aget and it remembers your home page. Policy settings differ from preferences bereason policy settings are imposed on the user or computer system. Policy prevents the user from transforming their settings. Generally, customers configure choices.

Group Policy Preferrals allows you to deploy wanted configurations to computer systems and users without limiting the user from choosing a different configuration. It is necessary to remember that while the user deserve to readjust the configuration, Group Policy Preferences are Group Policy client-side extensions. Group Policy Preferrals refresh through Group Policy; therefore, Group Policy overwrites any kind of preference settings altered by the user through the value configured in a Group Policy Precommendation. Replacing a user configured preference establishing via one configured making use of Group Policy Preferences is not the same as Group Policy. A true Group Policy setting enforces the setting and restricts the user from altering the setting. Users can conveniently adjust choice values permitted by Group Policy Preferrals until the following refresh of Group Policy (which returns the preference settings earlier to the value configured in the Group Policy Precommendation item).

Client-side Extensions

Group Policy Precommendations are Group Policy client-side extensions. There are 20 extensions that makes up Group Policy Preferrals. These extensions include

Client Side Extension

Description

Group Policy Environment

Create, modify, or delete atmosphere variables.

Group Policy Local Users and Groups

Create, modify, or delete neighborhood customers and teams.

Group Policy Device Settings

Enable or disable hardware gadgets or classes of tools.

Group Policy Netjob-related Options

Create, modify, or delete virtual personal networking (VPN) or dial-up netfunctioning (DUN) relations.

Group Policy Drive Maps

Create, modify, or delete mapped drives, and configure the visibility of all drives.

Group Policy Folders

Create, modify, or delete folders.

Group Policy Netjob-related Shares

Create, modify, or delete netoccupational shares

Group Policy Files

Copy, modify the features of, relocation, or delete papers.

Group Policy File Sources

Create, modify, or delete Open Database Connectivity (ODBC) data source names.

Group Policy INI Files

Add, replace, or delete sections or properties in configuration settings (.ini) or setup indevelopment (.inf) files.

Group Policy Folder Options

Create, modify, or delete folders.

Group Policy Schedule Tasks

Create, modify, or delete scheduled or instant tasks.

Group Policy Registry

Copy registry settings and also use them to other computers. Create, rearea, or delete regisattempt settings.

Group Policy Printers

Create, modify, or delete TCP/IP, mutual, and also neighborhood printer relations.

Group Policy Shortcuts

Create, modify, or delete shortcuts.

Group Policy Web Settings

Modify user-configurable Web settings

Group Policy Start Menu Settings

Modify Start menu alternatives.(Not applicable for Windows 8 and also Windows Server 2012)

Group Policy Regional Options

Modify local options.

Group Policy Power Options

Modify power alternatives and create, modify, or delete power schemes.

Group Policy Applications

Configure settings for applications.

Typical Configurations

Many Group Policy Precommendation items share a widespread configuration that enable you to control the scope of Group Policy Preferral processing for each configured preference item.

Soptimal handling items in this expansion if an error occurs on this item

Each preference extension have the right to contain one or even more choice items. By default, a failing choice item does not proccasion other preference items in the very same extension from processing.

If the Sheight handling items in this expansion if an error occurs on this item alternative is schosen, a failing choice item prevents remaining choice items within the expansion from handling. This readjust in actions is restricted to the hosting Group Policy object (GPO) and also client-side expansion. It does not extend to various other GPOs.

It’s crucial to understand that Group Policy Preferral extensions procedure preference items from the height of the list and also occupational their way to the bottom. The preference expansion just stops handling choice items that follow the failing preference item (items showing up below the failing choice items as they appear in the list).

Run in logged-on user"s defense context (user policy option)

There are 2 defense contexts in which Group Policy uses user preferences: the SYSTEM account and also the logged-on user.

By default, Group Policy processes user preference items using the protection conmessage of the SYSTEM account. In this security context, the choice extension is restricted to setting variables and also device sources easily accessible just to the computer.

If the Run in logged-on user"s protection context choice is selected, it alters the defense context under which the choice item is processed. The preference expansion processes preference items in the protection context of the logged-on user. This permits the preference extension to accessibility sources as the user rather than the computer. This deserve to be essential once using drive maps or other choices in which the computer might not have actually pergoals to sources or when utilizing atmosphere variables. The value of many environment variables differ as soon as evaluated in a defense conmessage other than the logged-on user.

Group Policy Preferral extensions that need to procedure in the user’s protection context, such as Drive Maps and Printers automatically switch to the user’s conmessage and also carry out not need you to change this establishing.

Rerelocate this item when it is no longer applied

Group Policy uses policy settings and choice items to individuals and also computer systems. You decide which individuals and also computers get these items by linking one or more Group Policy objects (GPOs) to Active Directory sites, domain names, or business devices. User and also computer objects in these containers receive policy settings and choice items defined in the attached GPOs bereason they are within the scope of the GPO.

Unfavor plan settings, the Group Policy business does not rerelocate preference settings as soon as the hosting GPO becomes out of scope for the user or computer system.

If the Rerelocate this item once it is no longer applied option is selected, it changes this actions. After selecting this choice, the choice extension decides if the preference item must not use to targeted customers or computer systems (out of scope). If the preference expansion decides the choice item is out of scope, it gets rid of the settings associated via the preference item.

Selecting this setting transforms the choice item’s action to Replace. During Group Policy application, the preference expansion recreates (deletes and creates) the results of the choice item. When the preference item is out of scope for the user or computer, the outcomes of the choice item are deleted, but not developed. Preferral items deserve to become out of scope by using item-level targeting or by higher-level Group Policy filters such as WMI and security team filters.

The Remove this item when it is no much longer applied option is not easily accessible once you set the preference item activity to Delete.

Apply when and also do not reapply

Preference items apply as soon as Group Policy refreshes.

By default, the results of preference items are recomposed each time Group Policy refreshes. This ensures the preference item results are continual with what you configured in the Group Policy object.

If the Apply as soon as and also perform not reapply option is selected, it alters this habits, so the choice expansion applies the outcomes of the preference item to the user or computer system only as soon as. This alternative is advantageous as soon as you do not desire the results of a choice item to reapply.

Item-level Targeting

Group Policy provides filters to manage which policy settings and preference items apply to customers and computers. Preferences carry out an added layers of filtering dubbed targeting. Item-level targeting allows you to regulate if a preference item applies to a group of customers or computer systems.

Use item-level targeting to readjust the scope of individual preference items, so they use only to schosen users or computer systems. Within a single Group Policy object (GPO), you can include multiple preference items—each customized for schosen users or computers and also each targeted to apply settings just to the appropriate individuals or computer systems.

Each targeting item outcomes in a worth of either true or false. You have the right to use multiple targeting items to a preference item and pick the logical operation (AND or OR) by which to combine each targeting item through the coming before one. If the linked outcome of all targeting items for a preference item is false, then the settings in the choice item are not used to the user or computer system. Using targeting collections, you can also create parenthetical expressions.

Battery Present

A Battery Present targeting item enables a choice item to be used to computer systems or users only if one or even more batteries are present in the processing computer system. If Is Not is schosen, it enables the preference item to be used just if the processing computer system does not have actually one or even more batteries existing.

If an uninterruptible power supply (UPS) is connected to the processing computer, a Battery Present out targeting item may detect the UPS and also determine it as a battery.

Computer Name

A Computer Name targeting item enables a preference item to be used to computer systems or individuals only if the computer"s name matches the stated computer name in the targeting item. If Is Not is selected, it enables the choice item to be used only if the computer"s name does not enhance the mentioned computer system name in the targeting item.

CPU Speed

A CPU Speed targeting item enables a preference item to be applied to computer systems or users just if the processing computer"s CPU speed is higher than or equal to the worth mentioned in the targeting item. If Is Not is schosen, it allows the preference item to be applied just if the processing computer"s CPU speed is much less than or equal to the worth stated in the targeting item.

Date Match

A Date Match targeting item enables a choice item to be used to computers or users only if the day or date matches that specified in the targeting item. If Is Not is schosen, it enables the choice item to be used only if the day or date does not match that stated in the targeting item.

Dial-up Connection

A Dial-Up Connection targeting item allows a choice item to be used to individuals only if a network link of the form mentioned in the targeting item is linked. If Is Not is schosen, it enables the choice item to be used just if no netoccupational link of the kind stated in the targeting item is linked.

Dial-Up Connection targeting items detect whether a form of network-related link exists, not whether the user is logged on with a link of that type.

Disk Space

A Disk Space targeting item allows a preference item to be applied to computer systems or users just if the processing computer"s available disk area is higher than or equal to the amount mentioned in the targeting item. If Is Not is selected, it allows the choice item to be applied just if the handling computer"s easily accessible disk space is much less than or equal to the amount stated in the targeting item.

Domain

A Domain targeting item permits a choice item to be used to computers or customers only if the user is logged on to or the computer is a member of the domajor or workgroup specified in the targeting item. If Is Not is selected, it enables the choice item to be applied just if the user is not logged on to or the computer is not a member of the doprimary or workteam mentioned in the targeting item.

Environment Variables

An Environment Variable targeting item allows a preference item to be applied to computers or users only if the environment variable and also value mentioned in the targeting item are equal. If Is Not is selected, it enables the preference item to be used just if the environment variable and also value stated in the targeting item are not equal or if the atmosphere variable does not exist.

If you want to restrict the scope of multiple preference items via a complex collection of targeting items, you deserve to simplify configuration by making use of an setting variable. For example, create an Environment Variable preference item that generates a new setting variable through a value of 1, and apply the targeting items to it. To use the same targeting to other choice items, include an Environment Variable targeting item to those preference items, and also connumber it to require a value of 1 for the variable that you created utilizing an Environment Variable preference item.

Data Match

A Data Match targeting item allows a choice item to be applied to computers or customers just if the file or folder mentioned in the targeting item exists, or only if the file exists and also is a variation within the selection stated in the targeting item. If Is Not is schosen, it enables the preference item to be applied just if the file or folder specified in the targeting item does not exist, or only if the version of the file is not within the range specified in the targeting item.

IP Address Match

An IP Address Range targeting item enables a preference item to be applied to computers or individuals just if the processing computer"s IP deal with is within the range stated in the targeting item. If Is Not is selected, it permits the choice item to be used just if the processing computer"s IP deal with is not within the selection specified in the targeting item.

Language

A Language targeting item enables a choice item to be applied to computers or users just if the locale specified in the targeting item is set up on the handling computer. Further options enable you to restrict the targeting to the user"s or computer"s locale. If Is Not is selected, it permits the preference item to be applied just if the handling computer"s locale does not match the specified locale in the targeting item.

A locale is created of a language and, in some instances, a geographical area in which the language is spoken or the alphabet provided. For example, French (Canada) is a locale created of the language French and the geographical area Canada.

LDAP Query

An LDAP Query targeting item permits a preference item to be applied to computer systems or individuals only if the LDAP query retransforms a value for the attribute specified in the targeting item. If Is Not is schosen, it permits the choice item to be used only if the LDAP query does not rerotate a value for the attribute stated in the targeting item.

MAC Address Range

A MAC Address Range targeting item permits a preference item to be used to computers or users just if any kind of of the processing computer"s MAC addresses are within the range specified in the targeting item. If Is Not is schosen, it allows the choice item to be used just if namong the handling computer"s MAC addresses are not within the variety stated in the targeting item.

Range starting points and also ending points are inclusive. You deserve to specify a single attend to by inputting the same value in both boxes.

MSI Query

An MSI Query targeting item enables a choice item to be applied to computer systems or individuals only if specific aspects of an MSI installed product, upday, or component on the handling computer match the mentioned criteria in the targeting item. If Is Not is schosen, it permits the choice item to be used just if certain elements of an MSI installed product, update, or component on the handling computer system do not match the stated the mentioned criteria in the targeting item.

Operating System

An Operating System targeting item permits a choice item to be applied to computer systems or customers just if the processing computer"s operating system"s product name, release, edition, or computer duty matches those specified in the targeting item. If Is Not is schosen, it permits the choice item to be applied just if the operating system"s product name, release, edition, or computer duty does not enhance those specified in the targeting item.

Organizational Unit

An Organizational Unit targeting item enables a choice item to be used to computers or individuals only if the user or computer system is a member of the organizational unit (OU) stated in the targeting item. If Is Not is schosen, it allows the preference item to be applied just if the user or computer system is a not member of the OU mentioned in the targeting item.

PCMCIA Present

A PCMCIA Present targeting item permits a preference item to be used to computers or individuals only if the processing computer contends leastern one PCMCIA slot present. If Is Not is selected, it permits the preference item to be applied only if the processing computer does not have actually any kind of PCMCIA slots current.

A PCMCIA slot is considered present when the drivers for the slot are set up and the slot is functioning effectively.

Portable Computer

A Portable Computer targeting item permits a choice item to be used to computers or users only if the handling computer system is identified as a portable computer system in the current hardware profile on the processing computer system or if the processing computer is figured out as a portable computer via the docking state specified in the targeting item. When Is Not is schosen, it enables the choice item to be used just if the processing computer is not figured out as a portable computer system in the present hardware profile on the processing computer or if the docking state of the processing computer differs from the docking state stated in the targeting item.

Processing Mode

A Processing Mode targeting item enables a choice item to be applied to computer systems or individuals only if the Group Policy handling mode or conditions on the processing computer complement at least one of those specified in the targeting item. If Is Not is schosen, it enables the preference item to be used just if the Group Policy processing mode or problems on the processing computer system perform not enhance any kind of of those specified in the targeting item.

RAM

A RAM targeting item enables a preference item to be applied to computers or individuals only if complete amount of physical memory in the processing computer system is greater than or equal to the amount stated in the targeting item. If Is Not is selected, it allows the preference item to be used just if the total amount of physical memory in the handling computer system is less than the amount stated in the targeting item. Provide the total amount of physical memory in megabytes (MB). One gigabyte (GB) of physical memory is entered as 1024. Four gigabytes of physical memory are gone into as 4096.

Registry Match

A Registry Match targeting item allows a preference item to be used to computers or customers only if the regisattempt essential or worth specified in the targeting item exists, if the registry worth includes the data stated in the targeting item, or if the variation number in the registry worth is within the range specified in the targeting item. If the targeting item allows the choice item and if Get worth data is schosen in the targeting item, then the targeting item conserves the worth information of the specified regisattempt value to the environment variable mentioned in the targeting item. If Is Not is schosen, it permits the choice item to be used just if the registry key or value stated in the targeting item does not exist, if the registry value does not has the data stated in the targeting item, or if the variation number in the regisattempt worth is not within the variety specified in the targeting item.

Security Group

A Security Group targeting item permits a preference item to be applied to computer systems or individuals just if the handling computer or user is a member of the group stated in the targeting item and also optionally just if the mentioned group is the primary team for the processing computer or user. If Is Not is schosen, it enables the preference item to be applied just if the processing computer or user is not a member of the group specified in the targeting item and also optionally just if the mentioned group is not the primary team for the processing computer system or user.

Security Group

Domain groups

Domajor local

Global groups

Universal groups

Local groups

Local teams (consisting of integrated groups)

Well-known

Site

A Site targeting item permits a choice item to be used to computer systems or users just if the processing computer system is in the website in Active Directory mentioned in the targeting item. If Is Not is selected, it allows the preference item to be applied only if the processing computer system is not in the site in Active Directory stated in the targeting item.

Targeting Collection

The targeting items used to a preference item are evaluated as a logical expression. A targeting arsenal permits you develop a parenthetical grouping within that expression. You have the right to nest one targeting repertoire within one more to develop more complicated logical expressions.

A targeting collection allows a preference item to be applied to computer systems or users just if the arsenal of targeting items mentioned outcomes in a value of true. If Is Not is schosen, it permits the preference item to be used just if the collection of targeting items specified results in a worth of false.

Terminal Session

A Terminal Session targeting item allows a preference item to be used to individuals only if the handling user is logged on to a terminal services session through the settings specified in the targeting item. If Is Not is schosen, it allows the preference item to be used only if the user is not logged on to a terminal solutions session or the user is logged on to a terminal services session without the settings specified in the targeting item.

Time Range

A Time Range targeting item enables a choice item to be applied to computers or users only if the current time on the end user"s computer is withwhile variety specified in the targeting item. If Is Not is selected, it permits the choice item to be applied only if the current time on the end user"s computer system is not within the range specified in the targeting item.

User

A User targeting item permits a preference item to be applied to individuals just if the processing user is the user stated in the targeting item. If Is Not is schosen, it allows the choice item to be used only if the handling user is not the user mentioned in the targeting item.

WMI Query

A WMI Query targeting item enables a choice item to be applied to computers or customers only if the handling computer evaluates the WMI query as true. If Is Not is schosen, it enables the preference item to be used only if the handling computer evaluates the WMI query as false.

Processing

Earlier, this document defined Group Policy processing. Group Policy Preferral client-side extensions adright here to these same rules. As such, connected hierarchy, defense and also WMI filtering deserve to adjust the scope of Group Policy object configured via Group Policy Precommendations. By transforming the scope, customers and computer systems might or may not get settings or choice items configured in these Group Policy objects.

However before, Group Policy Preferral client-side extensions have their very own interior handling. You can connumber one or more choice items for a solitary Group Policy Precommendation expansion to process within a single Group Policy object. For example, you can configure a solitary GPO to contain 10 Drive Map Precommendation items within a solitary GPO.

*

Throughout Group Policy processing, the Group Policy facilities cycles via a list of Group Policy extensions. As it moves to each expansion, it shares information relevant for the extension to procedure its percent of Group Policy. Critical components of the information common with the extensions include a list of Group Policy objects that consisted of alters, a list of Group Policy objects that are no longer in scope through the user or computer. Also, the Group Policy framework offers information particular to this instance of Group Policy handling such as if the network-related connection is considered a sluggish connect.

The Group Policy Precommendation extension provides the indevelopment around the changed and also out-of-scope Group Policy objects to process its plan settings. Group Policy Preferral client-side extensions process choice items in order from the optimal of the list to the bottom of the list.

See more: Life Is Short Death Is Sure ; Sin The Cause, Christ The Cure

The results of handling each preference item vary relying on the activity configured in the choice item. Also, item-level targeting deserve to proccasion the preference item from using to the user or computer. The Group Policy Precommendation client-side extension applies each item in the list until it reaches the finish of the list, or exits bereason of a prevalent configuration settings such as Stop processing items in this extension if an error occurs on this item or Apply once and do not reapply. Once the preference extensions uses all choice items in the list, it returns manage to the Group Policy organization.