Are Group Policy preferences re-written during group policy refres

Discussion in 'Active Directory' started by y2k, Nov 15, 2006.

  1. y2k

    y2k Guest

    I've been investigating the difference between policies and preferences
    recently and somebody said that if you create a preference (ie an ADM file
    that writes to a registry hive outside of HKLM\Software\Policies or
    HKCU\Software\Policies) that these entries are only made once. That if the
    user overwrites it then it will not revert back next time the policy
    refreshes. Is this true? If so, how does the policy keep track of what PC's
    it's already applied it to? What happens if I have 10 PC's and I implement a
    preference - so the preference is then applied to all 10 PC's. But what
    happens if more PC's are added into the scope of that preference, will they
    not get the preference seing that it's only applied once?

    Also, because a true policy needs to be written to HKLM\Software\Policies
    (assuming it's for computer configuration, not user configuration) does this
    mean that I'm limited to creating true policies only for applications that
    are aware of this key? Say I need to write to HKLM\Software\SAP - if I write
    this to HKLM\Software\Policies\SAP - does the SAP application need to know
    that it also needs to check this hive? So escentially true policies can only
    be written for "active directory aware applications" as it were? Or does the
    OS handle this?

    Would really appreciate some help on this
    y2k, Nov 15, 2006
    1. Advertisements

  2. Howdie!
    No - the setting will be reapplied every time the policies get
    refreshed. The only thing you cannot handle is, that if you wanted to
    revert the settings you made, you cannot use the "Not configured"
    function. See
    The application must be written to look for the settings in "Policies".
    So if it does not support feature/Reg-Key (although it's supported by
    Microsoft!) you will have to write preferences for these applications.


    Florian Frommherz, Nov 16, 2006
    1. Advertisements

  3. y2k

    y2k Guest

    No - the setting will be reapplied every time the policies get
    That's what I always thought. OK, that's good to know. Yea, I already knew
    that changing it back to not configured wouldn't remove the entry.
    OK, so I was right on that too !! That's good to know.

    I just have two more questions:

    1. I understand that policies are removed when a user logs off, or the pc
    is shutdown (depending on user or computer policies). So if a computer were
    shut down and then fell out of the scope of a particular policy, obviously
    the settings for that policy would be removed. But what about security
    settings like file permissions and registry permissions. Would they revert
    back to the windows default? Or would they stay at what they were configured
    in the old policy (lets assume the new policy doesn't define any file or
    registry permissions but the old one did). It's not quiet the same as
    registry entries is it, while you can always delete a registry entry (in
    theory) you can't delete an ACL, a file/folder always has to have some
    permissions. Am I making sense?

    2. I notice that the permissions for HKCU\Software\Policies is read only
    for users. I always understood that computer configuration was applied using
    the local system account and user configuration was applied using the user
    account. Is this not the case (if it were, surely the user would need modify
    rights to the policies hive)? If so, then could I go one step closer to
    changing my preferences to policies by removing the write permission for the
    users group. That way, the user cannot change the preference at all.

    Thanks for your reply
    y2k, Nov 16, 2006
  4. y2k

    y2k Guest

    please ... can somebody help answer my final two questions?
    y2k, Nov 20, 2006
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.