Working with Windows Settings Preference Items Using the GPMC

 

This topic describes each of the nine Group Policy Windows Settings preferences and how to configure each using the Group Policy Management Console.

The Group Policy Management Console allows you to configure preferences when you edit any domain-based Group Policy Object. The Preferences node appears under Computer Configuration and User Configuration. The editor displays preference extensions under two categories: Windows Settings and Control Panel Settings.

Applications extension

Group Policy includes the Applications preference extension. For users, this extension allows you to configure settings for a specific version of an application for which you have installed a preference plug-in. The available settings vary with the application and version.

Software developers can create plug-ins for other applications using the Group Policy Software Development Kit (https://go.microsoft.com/fwlink/?LinkId=144).

You can create and configure Application preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Applications**

Important

You must install a preference plug-in before you can create and configure Application preference items.

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new application preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Applications node, point to New, and select an application.

  4. In the Properties dialog box, enter application settings for Group Policy to configure.

  5. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  6. Click OK. The new preference item appears in the results pane.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Drive Maps extension

Group Policy includes the Drive Maps preference extension. For users, this extension allows you to:

  • Create dynamic drive mappings to network shares.

  • Create dynamic drive mappings to network shares using alternate user credentials.

  • Modify mapped drives and their properties.

  • Delete a single mapped drive.

  • Delete all mapped drives or all mapped drives from a designated drive letter onward.

  • Hide or show a single drive or all drives, both mapped and physical.

You can create and configure Mapped Drive preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Drive Maps**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Mapped Drive preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Drive Maps node, point to New, and select Mapped Drive.

  4. In the New Drive Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter drive map settings for Group Policy to configure or remove. (For more information, see "Drive map settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the drive letter already exists.

Create

Create a new mapped drive for users.

Delete

Remove a mapped drive for users.

Replace

Delete and recreate mapped drives for users. The net result of the Replace action is to overwrite all existing settings associated with the mapped drive. If the drive mapping does not exist, then the Replace action creates a new drive mapping.

Update

Modify settings of an existing mapped drive for users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the mapped drive. If the drive mapping does not exist, then the Update action creates a new drive mapping.

Drive map settings

Location

To configure a new drive mapping or recreate a drive mapping, type a fully qualified UNC path for the network share (such as \\server\sharename, \\server\hiddenshare$, or \\server\sharename\foldername).

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

To modify an existing drive mapping (identified by drive letter), leave this field blank.

This option is available only if the action selected is Create, Replace, or Update.

Reconnect

To save this mapped drive in the user's settings and attempt to restore it at each subsequent logon, select this check box. Otherwise, the drive is mapped, but not saved in the user's settings.

This option is available only if the action selected is Create, Replace, or Update.

Label as

To provide a descriptive label that appears next to the drive letter, type the label in this field.

This field accepts preference processing variables. Press F3 to display a list of variables from which you can select.

This option is available only if the action selected is Create, Replace, or Update.

Drive Letter

Select the mapped drives (identified by drive letter) to configure:

  • To assign the first available drive letter to the mapped drive, select Use first available, starting at, and then select a drive letter at which to begin checking for availability. This option is available only if the action selected is Create, Replace, or Update.

  • To assign a specific drive letter to the mapped drive, select Use, and then select a drive letter. This option is available only if the action selected is Create, Replace, or Update, and if you have typed a location.

  • To modify an existing drive mapping (identified by drive letter), select Existing, and then select a drive letter. This option is available only if the Location field is blank, and the action selected is Update.

  • To delete all drive mappings from a particular drive letter onward, select Delete all, starting at, and then select a drive letter at which to begin deleting drive mappings. Physical drives are skipped without error. This option is available only if the action selected is Delete.

  • To delete a specific mapped drive, select Delete, and then select the drive letter. This option is available only if the action selected is Delete.

Connect as

To implement a drive mapping using credentials other than those of the currently logged on user, type the credentials to be used. This option is available only if the action selected is Create, Replace, or Update.

Security Note

This password is protected by 256-bit Advanced Encryption Standard (AES) encryption and stored as part of the GPO in SYSVOL. This password should be changed on a regular basis and should not be relied on as the sole method of protecting confidential data.

Hide/Show this drive

Configure the visibility of the mapped drive:

  • To make no change to the visibility of the mapped drive, select No change. This does not take precedence over the Hide/Show all drives setting.

  • To prevent the drive from being displayed in Windows Explorer, select Hide this drive. This takes precedence over the Hide/Show all drives setting.

  • To allow this drive to be displayed in Windows Explorer, select Show this drive. This takes precedence over the Hide/Show all drives setting.

This option is available only if the action selected is Create, Replace, or Update.

Hide/Show all drives

Configure the visibility of all mapped and physical drives in Windows Explorer. The options are comparable to those for Hide/Show this drive, but apply globally to all drives.

Additional considerations

  • Hide/Show this drive options have precedence over Hide/Show all drives. For example, if a Drive Map preference item has the Hide/Show this drive option set to Hide this drive and the Hide/Show all drives option set to Show all drives, then all drives are visible except the drive designated as hidden.

  • You can use a Drive Map preference item to configure the visibility of a physical drive rather than a mapped drive. To do so, select the Update action, leave the Location field blank, select the drive letter of the physical drive, and then configure the Hide/Show this drive and Hide/Show all drives options.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Environment extension

Group Policy includes the Environment preference extension. For computers or users, this extension allows you to:

  • Create persistent user or system environment variables.

  • Modify environment variables. For example:

    • Modify the command prompt (by modifying the PROMPT system variable).

    • Modify the location of the TEMP folder (by modifying the TEMP system variable).

    • Replace the value of the entire PATH variable.

    • Add semicolon-delimited segments to the PATH variable.

    • Delete semicolon-delimited segments from the PATH variable.

    • Change the text case of semicolon-delimited segments of the PATH variable.

  • Delete environment variables.

Note

You can apply an Environment Variable targeting item to other preference items to restrict their application based on the value of the variable.

You can create and configure Environment Variable preference items for any domain-based Group Policy Object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Environment**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Environment Variable preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Environment node, point to New, and select Environment Variable.

  4. In the New Environment Variable Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter environment variable settings for Group Policy to configure or remove. (For more information, see "Environment variable settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the environment variable already exists.

Create

Create a new environment variable or to add a semicolon-delimited segment to the PATH variable for computers or users.

Delete

Remove an environment variable or to delete a semicolon-delimited segment from the PATH variable from computers or users.

Replace

Delete and recreate an environment variable. The net result of the Replace action is to overwrite all existing settings associated with the environment variable. Applying this action to a segment of the PATH variable has no practical effect, other than potentially changing the text case of the segment. If the environment variable does not exist, then the Replace action creates a new environment variable.

Update

Modify settings of an existing environment variable. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the environment variable. Applying this action to a segment of the PATH variable has no practical effect, other than potentially changing the text case of the segment. If the environment variable does not exist, then the Update action creates a new environment variable.

Environment variable settings

User Variable

To cause the environment variable to affect each user independently, select this setting for an Environment preference item under User Configuration. The environment variable is stored in the registry in HKEY_CURRENT_USER.

To cause the environment variable to affect only the default user of the computer, select this setting for an Environment preference item under Computer Configuration.

System Variable

To cause the environment variable to affect all users of the computer, select this setting. The environment variable is stored in the registry in HKEY_LOCAL_MACHINE.

Name

Type a name for the environment variable to which the action is applied. To select the PATH variable, leave this field blank.

PATH

To create or replace the value of the PATH variable or to add or delete a semicolon-delimited segment of the value of the PATH variable, select this check box. This option is available only when System Variable is selected.

Partial

To add or delete a semicolon-delimited segment of the value of the PATH variable, select this check box. This option is available only when System Variable and PATH are selected.

Value

Type the value for the environment variable. This field accepts variables.

If PATH is selected, type a semicolon-delimited list of folder paths for Windows to use to find files.

If Partial is selected, type one segment of the PATH variable, omitting the semicolon delimiter.

Additional considerations

  • If you want to restrict the scope of multiple preference items with a complex set of targeting items, you can simplify configuration by using an environment variable. For example, create an Environment Variable preference item that generates a new environment variable with a value of 1, and apply the targeting items to it. To apply the same targeting to other preference items, add an Environment Variable targeting item to those preference items, and configure it to require a value of 1 for the variable that you created using an Environment Variable preference item.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Files extension

Group Policy includes the Files preference extension. For computers or users, this extension allows you to:

  • Copy a file (or multiple files in one folder) to a new location and then configure the attributes of those files. New subfolders are created as necessary.

  • Delete a file (or multiple files in one folder) and replace it with a copy of a file from a source folder.

  • Modify the attributes of a file (or multiple files in one folder).

  • Delete a file (or multiple files in one folder).

  • Modify the attributes of, replace, or delete all files with a particular extension in one folder.

  • Modify the attributes of, replace, or delete all files in a particular folder.

Note

To configure folders rather than individual files, use the Folder extension.

You can create and configure File preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Files**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new File preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Files node, point to New, and select File.

  4. In the New File Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter file settings for Group Policy to configure or remove. (For more information, see "File settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the file already exists.

Create

Copy a file (or multiple files in one folder) from a source location to a destination location if it does not already exist at the destination, and then configure the attributes of those files for computers or users.

Delete

Remove a file (or multiple files in one folder) for computers or users.

Replace

Delete a file (or multiple files in one folder), replace it with another file or files, and configure the attributes of those files for computers or users. The net result of the Replace action is to overwrite the files at the destination location. If the file does not exist at the destination, then the Replace action copies the file from the source location to the destination.

Update

Modify settings of an existing file (or multiple files in one folder) for computers or users. This action differs from Replace in that it only updates file attributes defined within the preference item. All other file attributes remain as configured on the file. If the file does not exist, then the Update action copies the file from the source location to the destination.

File settings

Source file(s)

Type the location from which to copy the Source file(s). This location can be a fully qualified UNC path or a path on a local or mapped drive from the perspective of the client. This field can contain variables.

This field can also contain single character (?) and multiple character (*) wildcards, allowing you to copy or modify multiple files.

This option is available only if the action selected is Create, Replace, or Update.

Destination file

Type the location to which to copy a file or the location of the file to be modified. This location can be a fully qualified UNC path or a path on a local or mapped drive from the perspective of the client. Parent folders are created as necessary. You must include the file name, and you can change the file name by providing a different name for it than specified in the Source file(s) field.

This option is available only if the action selected is Create, Replace, or Update and the Source files(s) does not include wildcards.

Destination folder

Type the location of the folder to which to copy files or the location of the files to be modified. This location can be a fully qualified UNC path or a path on a local or mapped drive from the perspective of the client. Parent folders are created as necessary.

This option is available only if the action selected is Create, Replace, or Update and the Source files(s) includes wildcards.

Delete file(s)

To delete a file, type the path for the file from the perspective of the client.

To delete multiple files within a folder, incorporate single character (?) and multiple character (*) wildcards in the file name.

This option is available only if the action selected is Delete.

Suppress errors on individual file actions

To allow multiple files to transfer even if one or more individual files fail to transfer, select this check box. Only errors due to an attempt to replace, delete, or configure attributes of a file are suppressed. Such errors may be due to the file being in use, access being denied, or the source file not being found. With this option selected, such errors can only be detected in the trace file. This option is distinct from the default preference error suppression that can be overridden on the Common tab.

Attributes

To configure file system attributes for the files being transferred, select the appropriate check boxes in the Attributes box. Unchecked attributes are removed from the file at the destination.

Additional considerations

  • Many incremental backup systems use the Archive attribute to determine whether a file or folder has been created or changed and to back up the file or folder. For this reason, Archive is selected by default to select the Archive attribute on any modified folder.

  • If the Common tab option to Remove this item when it is no longer applied is selected, the destination file is deleted if it is a single file. In a multiple file operation, no files are deleted.

  • By default, a file preference item has access to all objects with the SYSTEM Access Control Entry (ACE). To change this item to run with end-user permissions (if under User Configuration), change the security context on the Common tab.

  • A file preference item resets the Read Only attribute of any destination file if necessary to accomplish the specified task.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Folders extension

Group Policy includes the Folders preference extension. For computers or users, this extension allows you to:

  • Create a folder and configure its attributes.

  • Modify a folder and configure its attributes.

  • Delete a folder and its contents.

  • Delete a folder only if it is empty.

  • Delete all files within a folder (such as a temporary files folder) without deleting the folder.

  • Delete all files within a folder without deleting subfolders.

Note

To configure individual files rather than folders, see File Extensions.

You can create and configure Folder preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Folders**

For information about how to use this extension to create and configure a preference item, see the following topics:

To create a new Folder preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Folders node, point to New, and select Folder.

  4. In the New Folder Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter folder settings for Group Policy to configure or remove. (For more information, see "Folder settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the folder already exists.

Create

Create a new folder for computers or users.

Delete

Remove a folder for computers or users.

Replace

Delete and recreate a folder for computers or users. The net result of the Replace action is to delete the contents of an existing folder and to overwrite all existing settings associated with the folder. If the folder does not exist, then the Replace action creates a new folder.

Update

Modify an existing folder for computers or users. This action differs from Replace in that it only updates settings defined within the preference item. All other settings remain as configured on the folder. If the folder does not exist, then the Update action creates a new folder.

Folder settings

Path

Type a path for the folder from the perspective of the client. Do not include quotes or a trailing slash. This field can contain variables.

Attributes

To configure file system attributes for the folder, select the appropriate check boxes.

These options are available only when the action selected is Create, Replace, or Update.

Options for Delete or Replace actions

Select a combination of options to control which files and folders are deleted. If the Replace action is selected, the folder is recreated after these options have been processed unless deletion is prevented. The effect of these options varies depending on the combination of options selected. For more information, see "Additional considerations."

These options are available only when the action selected is Replace or Delete.

Available options include:

  • Ignore errors for files/folders that cannot be deleted: If this option is cleared, an error is returned if the Folder item attempts to delete a folder that is not empty, a file that is open, a file or folder for which the user does not have permission, or any other file or folder that cannot be deleted. If selected, this option suppresses any error messages that occur because files or folders cannot be deleted.

  • Allow deletion of read-only files/folders: If this option is cleared, the Folder item is prevented from deleting read-only files and folders. If selected, this option clears the read-only attribute of files and folders that this Folder item attempts to delete.

  • Delete all files in the folder(s): If this option is cleared, the Folder item cannot delete files within folders. If selected, this option deletes all files within this folder that are allowed to be deleted. If Recursively delete all subfolders is selected as well, then all files that are allowed to be deleted within all subfolders are also deleted.

  • Recursively delete all subfolders (if emptied): If this option is cleared, the Folder item is prevented from deleting subfolders within the folder. If this option is selected, the lowest level of subfolders is deleted if they are empty, repeating for each parent folder until reaching the folder specified in the Path field. Whether subfolders are empty is evaluated after the option to Delete all files in the folder(s) has been processed.

  • Delete this folder (if emptied): If this option is cleared, the Folder item is prevented from deleting the folder specified in the Path field. If this option is selected, the folder specified in the Path field is deleted if it is empty. Whether this folder is empty is evaluated after the options to Delete all files in the folder(s) and Recursively delete all subfolders have been processed.

Additional considerations

  • Common combinations of options for Delete or Replace actions include:

    • Delete the folder only if it is empty: Select Delete this folder and Allow deletion of read-only files/folders. To prevent an error if the folder contains files and cannot be deleted, select Ignore errors.

    • Delete the folder and all files and subfolders within: Select Delete this folder, Recursively delete all subfolders, Delete all files in the folder(s), and Allow deletion of read-only files/folders.

    • Delete all empty subfolders within the folder: Select Recursively delete all subfolders and Allow deletion of read-only files/folders. To prevent an error if the folder contains files and cannot be deleted, select Ignore errors.

    • Delete all files within the folder, but not subfolders or files within subfolders: Select Delete all files in the folder(s) and Allow deletion of read-only files/folders.

    • Delete all files and subfolders within the folder: Select Recursively delete all subfolders, Delete all files in the folder(s), and Allow deletion of read-only files/folders.

  • You can use item-level targeting to change the scope of preference items.

  • Preference items are available only in domain-based GPOs.

Ini files extension

Group Policy includes the Ini Files preference extension. For computers and groups of computers or for users and groups of users, this extension allows you to:

  • Add a property to a configuration settings (.ini) or setup information (.inf) file.

  • Replace a property in an .ini or .inf file.

  • Delete a property from an .ini or .inf file.

  • Delete a section from an .ini or .inf file.

  • Delete an .ini or .inf file.

Note

To copy any type of file to a new location or to modify its attributes, see the File Extensions.

You can create and configure Ini File preference items for any domain-based Group Policy object (GPO). You configure the settings by editing a GPO using the Group Policy Management Console. When editing a GPO, you can find this preference extension at the following location:

Computer Configuration or User Configuration

**   └ Preferences**

**      └ Windows Settings**

**         └ Ini Files**

For information about how to use this extension to create and configure a preference item, see the following topics:

Each section in an .ini or .inf file uses the following format:

[SectionName]
PropertyName1=PropertyValue1
PropertyName2=PropertyValue2

Before you create an Ini File preference item, you should review the behavior of each action possible with this extension.

To create a new Ini File preference item

  1. Open the Group Policy Management Console. Right-click the Group Policy Object (GPO) that should contain the new preference item, and then click Edit.

  2. In the console tree under Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Windows Settings folder.

  3. Right-click the Ini Files node, point to New, and select Ini File.

  4. In the New Ini File Properties dialog box, select an Action for Group Policy to perform. (For more information, see "Actions" in this topic.)

  5. Enter configuration settings (.ini) or setup information (.inf) file settings for Group Policy to configure or remove. (For more information, see "Ini file settings" in this topic.)

  6. Click the Common tab and configure any options desired. (For more information, see Configure Common Options.)

  7. Click OK. The new preference item appears in the results pane.

Actions

This type of preference item provides a choice of four actions: Create, Replace, Update, and Delete. The behavior of the preference item varies with the action selected and whether the property already exists.

Create

Add and configure a property in an .ini or .inf file for computers or users. If the file does not exist, it is created.

Delete

Remove a property or a section from an .ini or .inf file, or delete an .ini or .inf file for computers or users.

Replace

Delete and recreate a property in an .ini or .inf file for computers or users. The net result of the Replace action is to overwrite the property. If the property does not exist, then the Replace action creates the property.

Update

This action has the same effect as Replace.

Ini file settings

Important

File Path