{
	"id": "deae0ecc-8bc2-42ec-9af7-0208146a8008",
	"created_at": "2026-04-06T00:16:03.641258Z",
	"updated_at": "2026-04-10T13:12:58.511143Z",
	"deleted_at": null,
	"sha1_hash": "3cecbbca56c5d8fb1117bc5abf09e9cb0c85327b",
	"title": "Group Policy Preferences",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 749367,
	"plain_text": "Group Policy Preferences\r\nBy Archiveddocs\r\nArchived: 2026-04-05 12:41:19 UTC\r\nGroup Policy Preferences is a collection of Group Policy client-side extensions that deliver preference settings to\r\ndomain-joined computers running Microsoft Windows desktop and server operating systems. Preference settings\r\nare administrative configuration choices deployed to desktops and servers. Preference settings differ from policy\r\nsettings because users have a choice to alter the administrative configuration. Policy settings administratively\r\nenforce setting, which restricts user choice.\r\nGroup Policy Preferences are distributed to domain-joined computers using the Group Policy. The flexibility of\r\nGroup Policy enables it to deliver opaque configuration data to a domain-joined computer running Windows. The\r\nopaque data is then transferred to a Group Policy client side extension at which point the opaque data becomes\r\nrelevant because the client-side extension understands the data.\r\nThis document describes how the Group Policy Drive Maps and Printers client-side extensions process their\r\nconfiguration data. With this knowledge, administrators can more effective design and deploy Group Policy Drive\r\nMap and Printer items in their environment. And, the information presented in this technical reference enables IT\r\nProfessionals to troubleshoot Group Policy Drive Map and Printer processing.\r\nPrerequisite Fundamentals\r\nGroup Policy\r\nGroup Policy is a management technology included in Windows Server that enables you to secure computer and\r\nuser settings. Securing these settings ensures a common computing environment for users and lowers the total cost\r\nof ownership by restricting accidental or deliberate configurations that adversely affect the operating system.\r\nA Group Policy object (GPO) is a logical object composed of two components, a Group Policy container and a\r\nGroup Policy template. 
Windows stores both of these objects on domain controllers in the domain. The Group\r\nPolicy container object is stored in the domain partition of Active Directory. The Group Policy template is a\r\ncollection of files and folders stored on the system volume (SYSVOL) of each domain controller in the domain.\r\nWindows copies the container and template to all domain controllers in a domain. Active Directory replication\r\ncopies the Group Policy container while the File Replication Service (FRS) or the Distributed File System\r\nReplication (DFSR) service copies the data on SYSVOL.\r\nThe Group Policy container and template together make the logical object called a Group Policy object. Each\r\nGroup Policy object contains two classes of configuration: user and computer. Computer configuration settings\r\naffect the computer as a whole, regardless of the logged on user. User configuration settings affect the currently\r\nlogged on user, and may vary with each user. Some examples of computer settings are power management, user\r\nhttps://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)\r\nPage 1 of 23\n\nrights, and firewall settings. Examples of user settings include Internet Explorer, display settings, and Folder\r\nRedirection.\r\nGroup Policy objects and their settings apply to computers and users to which they are linked. You can link GPOs\r\nto an Active Directory site, domain, organizational unit, or nested organizational unit. Group Policy objects\r\nare separate from the containers to which they are linked. This separation enables you to link a single GPO to multiple\r\ncontainers. Linking GPOs to many containers enables a single GPO to apply to users or computers within multiple\r\ncontainers. This defines the scope of the GPO. Computer configurations apply to computers within the container or\r\nnested containers. 
User configurations apply to users in the same fashion.\r\nPolicy settings apply to computers at computer startup and to users during user logon. Windows Server 2012 and\r\nWindows 8 include a Group Policy service. During computer startup, the Group Policy service queries Active\r\nDirectory for the list of GPOs that are within scope (linked) of the computer object. Again, this includes:\r\nThe site in which the computer resides\r\nThe domain in which the computer is a member\r\nThe parent organizational unit to which the computer is a direct member and any other organizational units\r\nabove the parent OU.\r\nThe Group Policy service decides which GPOs apply to computers (there are many ways to filter GPOs from\r\napplying, which is beyond the scope of this introduction) and applies those policy settings. Client-side extensions\r\n(CSEs) are responsible for applying policy settings contained in the GPOs. A Group Policy client-side extension is\r\na separate component from the Group Policy service that is responsible for reading specific policy setting data\r\nfrom the GPO and applying it to the computer or user. For example, the Group Policy registry client-side\r\nextension reads registry policy setting data from each GPO and then applies that information into the registry. The\r\nsecurity CSE reads and applies security policy settings. The Folder Redirection CSE reads and applies Folder\r\nRedirection policy settings.\r\nGroup Policy processing repeats when the user logs on to the computer. The Group Policy service decides the GPOs\r\nthat apply to the user and then applies user policy settings.\r\nIt’s important that you have a firm understanding of how to create, modify, and link Group Policy objects to\r\ncontainers in Active Directory. Group Policy Preferences use the same concepts as Group Policy. In fact, you\r\nmanage Group Policy Preferences the same way that you manage Group Policy. This is a review of Group Policy;\r\nit’s not complete. 
If you are unfamiliar with how to manage Group Policy or you need a thorough refresher, then\r\nyou can read the Windows Group Policy Resource Kit: Windows Server 2008 and Windows Vista (Microsoft\r\nPress 2008).\r\nClient-side Extensions\r\nA Group Policy client-side extension is an isolated component that is responsible for processing specific policy\r\nsettings delivered by the Group Policy infrastructure. The format in which each Group Policy client-side extension\r\nsaves data can be unique to each extension. And, the Group Policy infrastructure is unaware of this format, nor\r\ndoes it care. Group Policy’s purpose is to deliver settings to the computer where each client-side extension applies\r\nits portion of the policy settings from multiple Group Policy objects.\r\nTo help understand the relationship between the Group Policy infrastructure and the Group Policy client-side\r\nextensions, consider a postal carrier. The postal carrier collects information from various sources and delivers\r\nthat information to you. The postal carrier has no idea what information they are delivering. The information could\r\nbe a letter, a DVD, or a CD with photos. The postal carrier only knows they are to deliver the information to a\r\nspecific address.\r\nIn this analogy, the Group Policy service is the postal carrier; it delivers the information without any\r\nknowledge about the information. The information delivered by the postal carrier represents the different policy\r\nsettings. The Group Policy client-side extension represents the person receiving the information. Addresses can\r\nhave many recipients. Each recipient receives their own mail in an expected format. 
The Group Policy client-side\r\nextension reads its respective policy setting information and performs actions based on information contained in the\r\npolicy settings.\r\nGroup Policy Processing\r\nGroup Policy application is the process of deciding which Group Policy objects Windows applies to a user or\r\ncomputer and then applying those settings. Understanding Group Policy processing is key to planning and\r\ndeploying Group Policy settings. Misunderstanding Group Policy processing is the most common cause of\r\nunwanted and unexplainable policy settings.\r\nThe key to understanding Group Policy processing is Scope. Scope is simply a collection of all Group Policy\r\nobjects that should apply to a user or computer based on their object’s location in Active Directory. You create\r\nscope by linking Group Policy objects to specific locations within Active Directory.\r\nGroup Policy provides options that can change the scope of a Group Policy object. Changing the scope of Group\r\nPolicy objects affects which policy settings apply and those that do not. You change the scope of Group Policy\r\nusing processing order, filtering, and link options.\r\nScope\r\nGroup Policy processing must identify the scope to which it is applying policy settings. Scope is simply stated as\r\nwhere the user or computer object resides within the Active Directory hierarchy. The easiest way to discover the\r\nscope of a user or computer object is to look up the respective user or computer's distinguished name in Active\r\nDirectory. An object's distinguished name in a directory provides the object's identity and the object's location\r\nwithin the directory. 
Consider the following distinguished name.\r\nCN=Kim Akers,OU=Human Resources, DC=corp,DC=contoso,DC=com\r\nFrom this, the Group Policy service determines the name of the user object, the organizational unit that contains\r\nthe user object, and the domain in which the user object resides.\r\nCN=Jeff Low,OU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=com\r\nLinking\r\nUnderstanding Group Policy scope requires knowing where to link Group Policy objects so they apply to users or\r\ncomputers. To enable a Group Policy object to apply to a user or computer, you associate it with a specific location\r\nwithin Active Directory. Associating a Group Policy object with an object in Active Directory is called linking.\r\nActive Directory has rules that govern where you can link Group Policy objects. Active Directory objects to which\r\nyou can link Group Policy objects include:\r\nSite objects\r\nDomain objects\r\nOrganizational Unit objects\r\nLinking Group Policy objects to these Active Directory objects is strategic in deploying Group Policy. These are\r\ncontainer objects. Container objects, as the name implies, can include other objects within them; they\r\nrepresent a hierarchical grouping of objects in a directory. Site objects can contain computer objects from\r\nmultiple domains. Domain objects can contain multiple Organizational Units, computers and user objects.\r\nOrganizational Unit objects can contain other Organizational Unit objects, computers, and users. Let's look at the\r\ndistinguished name again.\r\nCN=Jeff Low,OU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=com\r\nClose examination of the distinguished name reveals each container object that could potentially apply Group\r\nPolicy settings to the user. The CN=Jeff Low is the user object name. 
You cannot link Group Policy directly to a\r\nuser object. However, the remaining portion of the name shows the object’s location. Working left to right, you\r\ncan discover each container object that is capable of applying Group Policy to the user.\r\nOU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=com\r\nOU=Research,OU=RandD,DC=corp,DC=contoso,DC=com\r\nOU=RandD,DC=corp,DC=contoso,DC=com\r\nDC=corp,DC=contoso,DC=com\r\nEach of these locations represents the scope of Group Policy. The Group Policy service collects linked Group\r\nPolicy objects from each of these locations in the directory. This represents the scope of Group Policy for the user\r\nor computer.\r\nNotice the order in which Windows collects the list of Group Policy objects? It begins with the OU closest to the\r\nuser and traverses up the directory to the object furthest away from the user, which is typically the domain object.\r\nThrough linking, you have a list of Group Policy objects that are in scope with the user or computer. However, not\r\nevery GPO in the list should apply to the user or computer.\r\nSecurity Filtering\r\nGroup Policy scope is the list of all Group Policy objects that may be applicable to the user or computer because\r\nof their object's location within Active Directory. Security Filtering determines if the respective user or computer\r\nhas the proper permissions to apply the Group Policy object. A user or computer must have the Read and Apply\r\nGroup Policy permissions for the Group Policy service to consider the Group Policy object applicable to the user.\r\nThe Group Policy service iterates through the entire list of Group Policy objects determining if the user or\r\ncomputer has the proper permissions to the GPO. 
If the user or computer has the permissions to apply the GPO,\r\nthen the Group Policy service moves that GPO into a filtered list of GPOs. It continues to filter each Group Policy\r\nobject based on permissions until it reaches the end of the list. The filtered list of Group Policy objects contains all\r\nGPOs that are within scope of the user or computer and are applicable to the user or computer based on permissions.\r\nWMI Filtering\r\nWMI filtering is the final phase of determining the scope of Group Policy objects that apply to a user or computer.\r\nWindows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise\r\nManagement (WBEM). WMI uses the Common Information Model (CIM) industry standard to represent systems,\r\napplications, networks, devices, and other managed components.\r\nGroup Policy provides more filters to control the scope of applicable Group Policy objects. WMI enables you to\r\ncreate queries to interrogate specific features of the computer, operating system, and other managed components.\r\nIn the form of queries, you create criteria that behave like logical expressions, where the result equates to true or\r\nfalse. You associate, or link, these criteria to a Group Policy object. If the criteria evaluate to true, the Group\r\nPolicy object remains applicable to the user and is kept in the filtered list. If the criteria evaluate to false, the\r\nGroup Policy service removes the Group Policy object from the filtered list.\r\nOnce WMI filtering completes, the Group Policy service has a list of filtered Group Policy objects. This final list\r\nrepresents all applicable Group Policy objects for the user or computer. 
Internally, Security and WMI filtering\r\noccur in one cycle.\r\nProcessing Order\r\nGroup Policy has a specific order in which it applies Group Policy objects. Understanding the order in which\r\nGroup Policy objects apply is important because Group Policy uses the order of application to resolve conflicting\r\npolicy settings among different Group Policy objects linked to different locations within Active Directory.\r\nLocal, Site, Domain, and OU\r\nThe Group Policy service applies the Local Group Policy first, then Group Policy objects from the Site, followed\r\nby Group Policy objects from the domain, and Group Policy objects from organizational units. For the targeted user\r\nor computer that is to receive Group Policy settings, the Group Policy service applies Group Policy objects from\r\nOUs furthest in lineage from the user to closest in lineage to the user. Consider the filtered list of applicable Group\r\nPolicy objects.\r\nDC=corp,DC=contoso,DC=com\r\nOU=RandD,DC=corp,DC=contoso,DC=com\r\nOU=Research,OU=RandD,DC=corp,DC=contoso,DC=com\r\nOU=Managers,OU=Research,OU=RandD,DC=corp,DC=contoso,DC=com\r\nNotice the order of Group Policy objects has changed from the first list. This reordering of Group Policy occurs\r\nduring the Security and WMI filter processing. The Group Policy service builds the first list of GPOs by finding\r\nthe user or computer object and then collecting all linked GPOs as it walks up the directory tree. The GPOs are\r\nlisted backwards from the order they apply because the Group Policy service adds the newly discovered link\r\nlocation to the bottom of the list. 
This explains why the domain location is at the bottom of the list.\r\nHowever, when filtering the list for security and WMI filters, the Group Policy service starts at the top of the list,\r\nwhich is the OU closest in lineage to the user or computer object. The service builds a new list (the filtered list) by\r\nplacing the GPOs that pass through the filter into the filtered list. The service inverts the order of the original list,\r\nmaking the domain location at the top of the list. The location closest to the user is at the bottom of the list—the\r\norder Group Policy applies GPOs to users and computers.\r\nConflict Resolution\r\nEach Group Policy object contains the same number of potential policy settings. Therefore, it is possible to have\r\nthe same policy setting defined in multiple Group Policy objects. Conflicts occur when the same policy setting is\r\nconfigured in multiple Group Policy objects. Like two cars competing for the same space on the road—one wins\r\nand the other loses. Group Policy handles conflicts by using a method known as last-writer-wins. Last-writer-wins\r\nresolves conflicts by declaring the prevailing setting as the setting that Group Policy writes last. Therefore, the\r\nGroup Policy object containing the conflicting policy setting that applies last is the setting that wins over all other\r\nsettings.\r\nThe Processing Order section of this document describes that Group Policy objects apply in Local, Site, Domain,\r\nand Organizational Unit order. 
Based on this processing hierarchy:\r\nPolicy settings in Group Policy objects linked to the Active Directory site resolve policy setting conflicts\r\nbetween the Local Group Policy object and Group Policy objects linked to the Active Directory site.\r\nPolicy settings in GPOs linked to the domain resolve policy setting conflicts between Group Policy objects\r\nlinked to the Active Directory site and GPOs linked to the Active Directory domain.\r\nPolicy settings in GPOs linked to an organizational unit resolve policy setting conflicts between Group\r\nPolicy objects linked to the Active Directory domain and GPOs linked to an organizational unit.\r\nPolicy settings in GPOs linked to a child organizational unit resolve policy setting conflicts between\r\nGroup Policy objects linked to the child organizational unit and GPOs linked to the parent organizational\r\nunit.\r\nConflict Resolution among GPOs linked at the same Location\r\nGroup Policy enables you to link multiple Group Policy objects at each site, domain, and organizational unit\r\nlocation in the directory. Until now, conflict resolution only identified resolutions between conflicting policy\r\nsettings linked at two different locations in Active Directory. What about conflicting policy settings in Group\r\nPolicy objects that are linked at the same location?\r\nGroup Policy continues to use the last-writer-wins method for resolving policy setting conflicts among Group\r\nPolicy objects linked at the same location in Active Directory. 
Understanding how the Group Policy Management\r\nConsole (GPMC) links Group Policy objects to locations in Active Directory explains the processing order of\r\nGroup Policy objects linked at the same location in Active Directory.\r\nGPLink Attribute\r\nThe locations that support Group Policy linking, Active Directory sites, domains, and organizational units, do so\r\nbecause each of these objects has a GPLink attribute. The GPLink attribute is a single-valued attribute that\r\naccepts a value of a string data type. While the Active Directory Schema enforces the single-valued nature of the\r\nGPLink attribute, Group Policy uses the attribute as a multivalued attribute. The GPMC writes the value of the\r\nGPLink attribute using the following format.\r\n[distinguishedNameOfGroupPolicyContainer;linkOptions][…][…]\r\nThe distinguishedNameOfGroupPolicyContainer token represents the distinguished name of the Group Policy\r\nContainer. A Group Policy object is a single logical object composed of two components of information. The\r\ncomponent of information stored on the file system is the Group Policy template. The remaining component, the\r\nGroup Policy Container, is an object in Active Directory that lives in the domain partition of Active\r\nDirectory. As previously covered, the distinguished name of a directory object provides the object’s name and\r\nlocation in the directory.\r\nThe linkOptions token is an integer value that defines the link options associated with the Group Policy object.\r\nCurrently, you can enable or disable links of Group Policy objects. Also, you can configure the link as enforced.\r\nThe linkOptions value is a bit value where combining values varies the configurations.\r\nEnabled 0x0\r\nDisabled 0x1\r\nEnforced 0x2\r\nDisabling the link of a Group Policy object prevents the Group Policy service from including that GPO in the list\r\nof GPOs within scope of the targeted user or computer. 
The distinguishedNameOfGroupPolicyContainer and the\r\nlinkOptions token are enclosed in square brackets ( [ ] ) and separated by a semicolon (;). This represents a singly\r\nlinked Group Policy object. Linking another Group Policy object to the location inserts a new\r\ndistinguishedNameOfGroupPolicyContainer and linkOptions combination before the existing combination; it does\r\nnot add the new combination to the end. The linking pattern continues to insert newly linked GPOs at the\r\nbeginning of the value by moving existing values to the right.\r\nThe Group Policy service reads this long string as a list of values from left to right. The first GPO link entry in the\r\nvalue is the first to apply at this location. The next entry in the value applies afterwards. The process continues\r\nuntil the last GPO in the value applies.\r\nGroup Policy inherently assigns each GPO precedence based on the order it reads the list—left to right. Therefore,\r\nthe first GPO in the value has the lowest precedence in the list of linked Group Policy objects. The next GPO in\r\nthe value has a higher precedence than the previous GPO because it applies its policy settings after the previous\r\nGPO, winning any policy setting conflicts between the two GPOs. Each GPO that follows has a higher\r\nprecedence than the Group Policy object before it in the link order. The last GPO in the value has the highest\r\nprecedence because it is the last Group Policy object the Group Policy service applies.\r\nThe best way to understand this is to think of the long string as a list of GPOs. Take the first GPO (the left most\r\nGPO) in the value and place it in the list. Take the next linked GPO listed and place it on top of the list (causing all\r\nothers to move down in the list by one). Continue this process until the last GPO is on top of the list. 
This final\r\nGPO linked entries list is in precedence order, which means the list is processed from the bottom to the top.\r\nWhen viewed in a list in precedence order, it’s easy to discover that GPOs higher in the list have more precedence\r\nthan GPOs lower in the list. As a result, GPOs lower in the list lose policy setting conflicts and GPOs higher in the\r\nlist win policy setting conflicts.\r\nLink Options\r\nAs previously stated, a Group Policy link has options of enabled, disabled, and enforced. The enabled and\r\ndisabled options are intuitive to understand. An enabled link is considered in the scope of Group Policy for\r\nthe targeted user or computer. A disabled link behaves as if the Group Policy object was never linked.\r\nEnforced\r\nThe Enforced link option is the exception to all rules. The Enforced option ensures the settings from the linked\r\nGPO always win conflicts regardless of any other Group Policy object that contains policy settings that may\r\nconflict with those of the linked GPO. The GPMC visually represents an enforced Group Policy link by adding a\r\npadlock to the existing linked policy icon. Group Policy settings from an enforced link always apply, even if the\r\norganizational unit has block policy inheritance enabled.\r\nBlock Policy Inheritance\r\nThe last item about Group Policy processing order is Block Policy Inheritance, or simply known as Block\r\nInheritance in the Group Policy Management Console. Each domain and organizational unit object in Active Directory\r\ncontains a GPOptions attribute. 
This setting enables you to block Group Policy settings linked higher in\r\nthe processing order from applying to users and computers that are typically in containers lower in the processing\r\norder.\r\nFor example, policy settings linked to the domain apply to computers and users within the entire domain,\r\nregardless of their parent organizational unit. However, you can use GPMC to block inheritance on the domain or\r\nan organizational unit to prevent normal Group Policy settings from applying to users and computers within that\r\ncontainer. Blocking policy inheritance on the domain prevents Group Policy settings from GPOs linked to the\r\nActive Directory site from applying to the domain. Blocking policy inheritance on organizational units prevents\r\nnormal Group Policy settings from GPOs linked to sites and domains from applying to the organizational units.\r\nBlock policy inheritance does not prevent Group Policy settings from enforced linked Group Policy objects from\r\napplying to users and computers. Group Policy settings from enforced links apply regardless of the block policy\r\ninheritance status on domain and organizational unit objects.\r\nGroup Policy Preferences\r\nGroup Policy Preferences extends Group Policy. Preferences are not Group Policy settings. Windows stores both\r\nsettings in the registry; however, policy settings have an advantage over preferences—they typically override a\r\npreference.\r\nYou can configure Windows using the user interface. The user interface presents you with choices; you choose the\r\noptions you like; and click OK or close the dialog box. Windows then saves your choices to the registry so it can\r\nrecall those settings later. Settings configurable by the user are known as preferences (notice the lowercase “p”).\r\nMapping a shared folder or choosing a default home page are examples of preferences. 
When you set the home\r\npage using Internet Explorer, you can close the web browser and open it up again and it remembers your home\r\npage. Policy settings differ from preferences because policy settings are enforced on the user or computer. Policy\r\nprevents the user from changing their settings. Typically, users configure preferences.\r\nGroup Policy Preferences enables you to deploy desired configurations to computers and users without limiting\r\nthe user from choosing a different configuration. It is important to remember that while the user can change the\r\nconfiguration, Group Policy Preferences are Group Policy client-side extensions. Group Policy Preferences\r\nrefresh with Group Policy; therefore, Group Policy overwrites any preference settings altered by the user with the\r\nvalue configured in a Group Policy Preference. Replacing a user configured preference setting with one\r\nconfigured using Group Policy Preferences is not the same as Group Policy. A true Group Policy setting enforces\r\nthe setting and restricts the user from changing the setting. Users can easily change preference values enabled by\r\nGroup Policy Preferences until the next refresh of Group Policy (which returns the preference settings back to the\r\nvalue configured in the Group Policy Preference item).\r\nClient-side Extensions\r\nGroup Policy Preferences are Group Policy client-side extensions. There are 20 extensions that make up Group\r\nPolicy Preferences. 
These extensions include\r\nClient Side Extension: Description\r\nGroup Policy Environment: Create, modify, or delete environment variables.\r\nGroup Policy Local Users and Groups: Create, modify, or delete local users and groups.\r\nGroup Policy Device Settings: Enable or disable hardware devices or classes of devices.\r\nGroup Policy Network Options: Create, modify, or delete virtual private networking (VPN) or dial-up networking (DUN) connections.\r\nGroup Policy Drive Maps: Create, modify, or delete mapped drives, and configure the visibility of all drives.\r\nGroup Policy Folders: Create, modify, or delete folders.\r\nGroup Policy Network Shares: Create, modify, or delete network shares.\r\nGroup Policy Files: Copy, modify the attributes of, replace, or delete files.\r\nGroup Policy Data Sources: Create, modify, or delete Open Database Connectivity (ODBC) data source names.\r\nGroup Policy INI Files: Add, replace, or delete sections or properties in configuration settings (.ini) or setup information (.inf) files.\r\nGroup Policy Folder Options: Create, modify, or delete folders.\r\nGroup Policy Schedule Tasks: Create, modify, or delete scheduled or immediate tasks.\r\nGroup Policy Registry: Copy registry settings and apply them to other computers. 
Create, replace, or delete registry settings.\r\nGroup Policy Printers: Create, modify, or delete TCP/IP, shared, and local printer connections.\r\nGroup Policy Shortcuts: Create, modify, or delete shortcuts.\r\nGroup Policy Internet Settings: Modify user-configurable Internet settings.\r\nGroup Policy Start Menu Settings: Modify Start menu options. (Not applicable for Windows 8 and Windows Server 2012)\r\nGroup Policy Regional Options: Modify regional options.\r\nGroup Policy Power Options: Modify power options and create, modify, or delete power schemes.\r\nGroup Policy Applications: Configure settings for applications.\r\nCommon Configurations\r\nMost Group Policy Preference items share a common configuration that enables you to control the scope of Group\r\nPolicy Preference processing for each configured preference item.\r\nStop processing items in this extension if an error occurs on this item\r\nEach preference extension can contain one or more preference items. By default, a failing preference item does\r\nnot prevent other preference items in the same extension from processing.\r\nIf the Stop processing items in this extension if an error occurs on this item option is selected, a failing\r\npreference item prevents remaining preference items within the extension from processing. This change in\r\nbehavior is limited to the hosting Group Policy object (GPO) and client-side extension. It does not extend to other\r\nGPOs.\r\nIt’s important to understand that Group Policy Preference extensions process preference items from the top of the\r\nlist and work their way to the bottom. 
The preference extension only stops processing preference items that follow\r\nthe failing preference item (items appearing below the failing preference item as they appear in the list).\r\nRun in logged-on user's security context (user policy option)\r\nThere are two security contexts in which Group Policy applies user preferences: the SYSTEM account and the\r\nlogged-on user.\r\nBy default, Group Policy processes user preference items using the security context of the SYSTEM account. In\r\nthis security context, the preference extension is limited to environment variables and system resources available\r\nonly to the computer.\r\nIf the Run in logged-on user's security context option is selected, it changes the security context under which\r\nthe preference item is processed. The preference extension processes preference items in the security context of\r\nthe logged-on user. This allows the preference extension to access resources as the user rather than the computer.\r\nThis can be important when using drive maps or other preferences in which the computer may not have\r\npermissions to resources or when using environment variables. The value of many environment variables differs\r\nwhen evaluated in a security context other than the logged-on user.\r\nGroup Policy Preference extensions that need to process in the user’s security context, such as Drive Maps and\r\nPrinters, automatically switch to the user’s context and do not need you to adjust this setting.\r\nRemove this item when it is no longer applied\r\nGroup Policy applies policy settings and preference items to users and computers. You decide which users and\r\ncomputers receive these items by linking one or more Group Policy objects (GPOs) to Active Directory sites,\r\ndomains, or organizational units. 
User and computer objects in these containers receive policy settings and\r\npreference items defined in the linked GPOs because they are within the scope of the GPO.\r\nUnlike policy settings, the Group Policy service does not remove preference settings when the hosting GPO\r\nbecomes out of scope for the user or computer.\r\nIf the Remove this item when it is no longer applied option is selected, it changes this behavior. After selecting\r\nthis option, the preference extension decides if the preference item should not apply to targeted users or computers\r\n(out of scope). If the preference extension decides the preference item is out of scope, it removes the settings\r\nassociated with the preference item.\r\nSelecting this setting changes the preference item’s action to Replace. During Group Policy application, the\r\npreference extension recreates (deletes and creates) the results of the preference item. When the preference item is\r\nout of scope for the user or computer, the results of the preference item are deleted, but not created. Preference\r\nitems can become out of scope by using item-level targeting or by higher-level Group Policy filters such as WMI\r\nand security group filters.\r\nThe Remove this item when it is no longer applied option is not available when you set the preference item\r\naction to Delete.\r\nApply once and do not reapply\r\nPreference items apply when Group Policy refreshes.\r\nBy default, the results of preference items are rewritten each time Group Policy refreshes. This ensures the\r\npreference item results are consistent with what you configured in the Group Policy object.\r\nIf the Apply once and do not reapply option is selected, it changes this behavior, so the preference extension\r\napplies the results of the preference item to the user or computer only once. 
This option is useful when you do not\r\nwant the results of a preference item to reapply.\r\nItem-level Targeting\r\nGroup Policy provides filters to control which policy settings and preference items apply to users and computers.\r\nPreferences provide an added layer of filtering called targeting. Item-level targeting enables you to control if a\r\npreference item applies to a group of users or computers.\r\nUse item-level targeting to change the scope of individual preference items, so they apply only to selected users or\r\ncomputers. Within a single Group Policy object (GPO), you can include multiple preference items—each\r\ncustomized for selected users or computers and each targeted to apply settings only to the relevant users or\r\ncomputers.\r\nEach targeting item results in a value of either true or false. You can apply multiple targeting items to a preference\r\nitem and select the logical operation (AND or OR) by which to combine each targeting item with the preceding\r\none. If the combined result of all targeting items for a preference item is false, then the settings in the preference\r\nitem are not applied to the user or computer. Using targeting collections, you can also create parenthetical\r\nexpressions.\r\nBattery Present\r\nA Battery Present targeting item allows a preference item to be applied to computers or users only if one or more\r\nbatteries are present in the processing computer. 
If Is Not is selected, it allows the preference item to be applied\r\nonly if the processing computer does not have one or more batteries present.\r\nIf an uninterruptible power supply (UPS) is connected to the processing computer, a Battery Present targeting item\r\nmay detect the UPS and identify it as a battery.\r\nComputer Name\r\nA Computer Name targeting item allows a preference item to be applied to computers or users only if the\r\ncomputer's name matches the specified computer name in the targeting item. If Is Not is selected, it allows the\r\npreference item to be applied only if the computer's name does not match the specified computer name in the\r\ntargeting item.\r\nCPU Speed\r\nA CPU Speed targeting item allows a preference item to be applied to computers or users only if the processing\r\ncomputer's CPU speed is greater than or equal to the value specified in the targeting item. If Is Not is selected, it\r\nallows the preference item to be applied only if the processing computer's CPU speed is less than or equal to the\r\nvalue specified in the targeting item.\r\nDate Match\r\nA Date Match targeting item allows a preference item to be applied to computers or users only if the day or date\r\nmatches that specified in the targeting item. If Is Not is selected, it allows the preference item to be applied only if\r\nthe day or date does not match that specified in the targeting item.\r\nDial-up Connection\r\nA Dial-Up Connection targeting item allows a preference item to be applied to users only if a network connection\r\nof the type specified in the targeting item is connected. 
If Is Not is selected, it allows the preference item to be\r\napplied only if no network connection of the type specified in the targeting item is connected.\r\nDial-Up Connection targeting items detect whether a type of network connection exists, not whether the user is\r\nlogged on through a connection of that type.\r\nDisk Space\r\nA Disk Space targeting item allows a preference item to be applied to computers or users only if the processing\r\ncomputer's available disk space is greater than or equal to the amount specified in the targeting item. If Is Not is\r\nselected, it allows the preference item to be applied only if the processing computer's available disk space is less\r\nthan or equal to the amount specified in the targeting item.\r\nDomain\r\nA Domain targeting item allows a preference item to be applied to computers or users only if the user is logged on\r\nto or the computer is a member of the domain or workgroup specified in the targeting item. If Is Not is selected, it\r\nallows the preference item to be applied only if the user is not logged on to or the computer is not a member of the\r\ndomain or workgroup specified in the targeting item.\r\nEnvironment Variables\r\nAn Environment Variable targeting item allows a preference item to be applied to computers or users only if the\r\nenvironment variable and value specified in the targeting item are equal. If Is Not is selected, it allows the\r\npreference item to be applied only if the environment variable and value specified in the targeting item are not\r\nequal or if the environment variable does not exist.\r\nIf you want to restrict the scope of multiple preference items with a complex set of targeting items, you can\r\nsimplify configuration by using an environment variable. 
For example, create an Environment Variable preference\r\nitem that generates a new environment variable with a value of 1, and apply the targeting items to it. To apply the\r\nsame targeting to other preference items, add an Environment Variable targeting item to those preference items,\r\nand configure it to require a value of 1 for the variable that you created using an Environment Variable preference\r\nitem.\r\nFile Match\r\nA File Match targeting item allows a preference item to be applied to computers or users only if the file or folder\r\nspecified in the targeting item exists, or only if the file exists and is a version within the range specified in the\r\ntargeting item. If Is Not is selected, it allows the preference item to be applied only if the file or folder specified in\r\nthe targeting item does not exist, or only if the version of the file is not within the range specified in the targeting\r\nitem.\r\nIP Address Match\r\nAn IP Address Range targeting item allows a preference item to be applied to computers or users only if the\r\nprocessing computer's IP address is within the range specified in the targeting item. If Is Not is selected, it allows\r\nthe preference item to be applied only if the processing computer's IP address is not within the range specified in\r\nthe targeting item.\r\nLanguage\r\nA Language targeting item allows a preference item to be applied to computers or users only if the locale specified\r\nin the targeting item is installed on the processing computer. Additional options allow you to restrict the targeting\r\nto the user's or computer's locale. If Is Not is selected, it allows the preference item to be applied only if the\r\nprocessing computer's locale does not match the specified locale in the targeting item.\r\nA locale is composed of a language and, in some cases, a geographic area in which the language is spoken or the\r\nalphabet used. 
For example, French (Canada) is a locale composed of the language French and the geographic\r\narea Canada.\r\nLDAP Query\r\nAn LDAP Query targeting item allows a preference item to be applied to computers or users only if the LDAP\r\nquery returns a value for the attribute specified in the targeting item. If Is Not is selected, it allows the preference\r\nitem to be applied only if the LDAP query does not return a value for the attribute specified in the targeting item.\r\nMAC Address Range\r\nA MAC Address Range targeting item allows a preference item to be applied to computers or users only if any of\r\nthe processing computer's MAC addresses are within the range specified in the targeting item. If Is Not is selected,\r\nit allows the preference item to be applied only if none of the processing computer's MAC addresses are\r\nwithin the range specified in the targeting item.\r\nRange starting points and ending points are inclusive. You can specify a single address by typing the same value in\r\nboth boxes.\r\nMSI Query\r\nAn MSI Query targeting item allows a preference item to be applied to computers or users only if certain aspects\r\nof an MSI installed product, update, or component on the processing computer match the specified criteria in the\r\ntargeting item. If Is Not is selected, it allows the preference item to be applied only if certain aspects of an MSI\r\ninstalled product, update, or component on the processing computer do not match the specified\r\ncriteria in the targeting item.\r\nOperating System\r\nAn Operating System targeting item allows a preference item to be applied to computers or users only if the\r\nprocessing computer's operating system's product name, release, edition, or computer role matches those specified\r\nin the targeting item. 
If Is Not is selected, it allows the preference item to be applied only if the operating system's\r\nproduct name, release, edition, or computer role does not match those specified in the targeting item.\r\nOrganizational Unit\r\nAn Organizational Unit targeting item allows a preference item to be applied to computers or users only if the user\r\nor computer is a member of the organizational unit (OU) specified in the targeting item. If Is Not is selected, it\r\nallows the preference item to be applied only if the user or computer is not a member of the OU specified in the\r\ntargeting item.\r\nPCMCIA Present\r\nA PCMCIA Present targeting item allows a preference item to be applied to computers or users only if the\r\nprocessing computer has at least one PCMCIA slot present. If Is Not is selected, it allows the preference item to be\r\napplied only if the processing computer does not have any PCMCIA slots present.\r\nA PCMCIA slot is considered present when the drivers for the slot are installed and the slot is functioning\r\ncorrectly.\r\nPortable Computer\r\nA Portable Computer targeting item allows a preference item to be applied to computers or users only if the\r\nprocessing computer is identified as a portable computer in the current hardware profile on the processing\r\ncomputer or if the processing computer is identified as a portable computer with the docking state specified in the\r\ntargeting item. 
When Is Not is selected, it allows the preference item to be applied only if the processing computer\r\nis not identified as a portable computer in the current hardware profile on the processing computer or if the\r\ndocking state of the processing computer differs from the docking state specified in the targeting item.\r\nProcessing Mode\r\nA Processing Mode targeting item allows a preference item to be applied to computers or users only if the Group\r\nPolicy processing mode or conditions on the processing computer match at least one of those specified in the\r\ntargeting item. If Is Not is selected, it allows the preference item to be applied only if the Group Policy processing\r\nmode or conditions on the processing computer do not match any of those specified in the targeting item.\r\nRAM\r\nA RAM targeting item allows a preference item to be applied to computers or users only if the total amount of\r\nphysical memory in the processing computer is greater than or equal to the amount specified in the targeting item.\r\nIf Is Not is selected, it allows the preference item to be applied only if the total amount of physical memory in the\r\nprocessing computer is less than the amount specified in the targeting item. Provide the total amount of physical\r\nmemory in megabytes (MB). One gigabyte (GB) of physical memory is entered as 1024. Four gigabytes of\r\nphysical memory are entered as 4096.\r\nRegistry Match\r\nA Registry Match targeting item allows a preference item to be applied to computers or users only if the registry\r\nkey or value specified in the targeting item exists, if the registry value contains the data specified in the targeting\r\nitem, or if the version number in the registry value is within the range specified in the targeting item. 
If the\r\ntargeting item allows the preference item and if Get value data is selected in the targeting item, then the targeting\r\nitem saves the value data of the specified registry value to the environment variable specified in the targeting item.\r\nIf Is Not is selected, it allows the preference item to be applied only if the registry key or value specified in the\r\ntargeting item does not exist, if the registry value does not contain the data specified in the targeting item, or if\r\nthe version number in the registry value is not within the range specified in the targeting item.\r\nSecurity Group\r\nA Security Group targeting item allows a preference item to be applied to computers or users only if the\r\nprocessing computer or user is a member of the group specified in the targeting item and optionally only if the\r\nspecified group is the primary group for the processing computer or user. If Is Not is selected, it allows the\r\npreference item to be applied only if the processing computer or user is not a member of the group specified in the\r\ntargeting item and optionally only if the specified group is not the primary group for the processing computer or\r\nuser.\r\nSecurity Group\r\nDomain groups\r\nDomain local\r\nGlobal groups\r\nUniversal groups\r\nLocal groups\r\nLocal groups (including built-in groups)\r\nWell-known\r\nSite\r\nA Site targeting item allows a preference item to be applied to computers or users only if the processing computer\r\nis in the site in Active Directory specified in the targeting item. If Is Not is selected, it allows the preference item\r\nto be applied only if the processing computer is not in the site in Active Directory specified in the targeting item.\r\nTargeting Collection\r\nThe targeting items applied to a preference item are evaluated as a logical expression. 
A targeting collection\r\nallows you to create a parenthetical grouping within that expression. You can nest one targeting collection within\r\nanother to create more complex logical expressions.\r\nA targeting collection allows a preference item to be applied to computers or users only if the collection of\r\ntargeting items specified results in a value of true. If Is Not is selected, it allows the preference item to be applied\r\nonly if the collection of targeting items specified results in a value of false.\r\nTerminal Session\r\nA Terminal Session targeting item allows a preference item to be applied to users only if the processing user is\r\nlogged on to a terminal services session with the settings specified in the targeting item. If Is Not is selected, it\r\nallows the preference item to be applied only if the user is not logged on to a terminal services session or the user\r\nis logged on to a terminal services session without the settings specified in the targeting item.\r\nTime Range\r\nA Time Range targeting item allows a preference item to be applied to computers or users only if the current time\r\non the end user's computer is within the time range specified in the targeting item. If Is Not is selected, it allows\r\nthe preference item to be applied only if the current time on the end user's computer is not within the range\r\nspecified in the targeting item.\r\nUser\r\nA User targeting item allows a preference item to be applied to users only if the processing user is the user\r\nspecified in the targeting item. If Is Not is selected, it allows the preference item to be applied only if the\r\nprocessing user is not the user specified in the targeting item.\r\nWMI Query\r\nA WMI Query targeting item allows a preference item to be applied to computers or users only if the processing\r\ncomputer evaluates the WMI query as true. 
If Is Not is selected, it allows the preference item to be applied only if\r\nthe processing computer evaluates the WMI query as false.\r\nProcessing\r\nEarlier, this document explained Group Policy processing. Group Policy Preference client-side extensions adhere\r\nto these same rules. Therefore, linked hierarchy, security and WMI filtering can change the scope of Group Policy\r\nobjects configured with Group Policy Preferences. By changing the scope, users and computers may or may not\r\nreceive settings or preference items configured in these Group Policy objects.\r\nHowever, Group Policy Preference client-side extensions have their own internal processing. You can configure\r\none or more preference items for a single Group Policy Preference extension to process within a single Group\r\nPolicy object. For example, you can configure a single GPO to contain 10 Drive Map preference items.\r\nDuring Group Policy processing, the Group Policy infrastructure cycles through a list of Group Policy extensions.\r\nAs it moves to each extension, it shares information relevant for the extension to process its portion of Group\r\nPolicy. Critical components of the information shared with the extensions include a list of Group Policy objects\r\nthat included changes and a list of Group Policy objects that are no longer in scope with the user or computer. Also,\r\nthe Group Policy infrastructure provides information specific to this instance of Group Policy processing such as\r\nif the network connection is considered a slow link.\r\nThe Group Policy Preference extension uses the information about the changed and out-of-scope Group Policy\r\nobjects to process its policy settings. 
Group Policy Preference client-side extensions process preference items in\r\norder from the top of the list to the bottom of the list.\r\nThe results of processing each preference item vary depending on the action configured in the preference item.\r\nAlso, item-level targeting can prevent the preference item from applying to the user or computer. The Group\r\nPolicy Preference client-side extension applies each item in the list until it reaches the end of the list, or exits\r\nbecause of a common configuration setting such as Stop processing items in this extension if an error occurs\r\non this item or Apply once and do not reapply. Once the preference extension applies all preference items in\r\nthe list, it returns control to the Group Policy service.\r\nSource: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)"
	],
	"report_names": [
		"dn581922(v%3Dws.11)"
	],
	"threat_actors": [],
	"ts_created_at": 1775434563,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cecbbca56c5d8fb1117bc5abf09e9cb0c85327b.pdf",
		"text": "https://archive.orkl.eu/3cecbbca56c5d8fb1117bc5abf09e9cb0c85327b.txt",
		"img": "https://archive.orkl.eu/3cecbbca56c5d8fb1117bc5abf09e9cb0c85327b.jpg"
	}
}