Discussion:
Getting Rid of Policy Preference Settings
Baboon
2008-06-27 23:33:00 UTC
Here is an example scenario:
I have a GPO that includes the new GP Preference settings to create a
Scheduled Task. An Administrator deletes the Scheduled Task and it will not
come back. Even moving the machine out of the applicable OU and back in
again or removing from/re-adding to the domain will not recreate the
Scheduled Task.

I assume that I need to clean the Registry of the setting. Is this correct?

Also, I am having a hard time understanding why you get the option to apply
the Preference setting only once. It seems that a GP refresh doesn't apply
even if you leave that option unchecked.

Thanks.
Mark Heitbrink [MVP]
2008-06-28 19:25:34 UTC
Hi,
Post by Baboon
I have a GPO that includes the new GP Preference settings to create a
Scheduled Task. An Administrator deletes the Scheduled Task and it will not
come back. Even moving the machine out of the applicable OU and back in
again or removing from/re-adding to the domain will not recreate the
Scheduled Task.
That's why they are preferences and not policies.
But you can check the box -> delete if no longer in scope

Take a look at the tab, where the WMI filter is defined, there you
will see it.
Post by Baboon
I assume that I need to clean the Registry of the setting.
Is this correct?
Just define the opposite in the GPO to revert the setting.
Post by Baboon
Also, I am having a hard time understanding why you get the option to apply
the Preference setting only once.
It's the same behavior like any other policy, they only apply once;
if the counter doesn't change, the GPO is never applied again.
It will if you run gpupdate /force, but not in a usual gpupdate process.

Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Blog: gpupdate.spaces.live.com - english
Miles Li [MSFT]
2008-06-30 07:00:04 UTC
Hello,

Thank you for your post.

Please allow me to confirm that my understanding is correct. As I
understand it, the issue is:

You have a concern that a group policy preference item does not come back
when it is deleted on the clients. You want group policy preference items
re-created automatically when they are deleted on clients.

If I have misunderstood your concerns please feel free to let me know.

Explanation :
==============

1. I assume that I need to clean the Registry of the setting. Is this
correct?


You can modify the ACTION type of that group policy preference item from
CREATE to UPDATE. UPDATE group policy preference items will refresh the
applied items when the computer starts up and the user logs in. When an applied
preference item is deleted on the client, the group policy preference item with
UPDATE action will re-create it (without the option "Apply once and do not
reapply").

- Create. Create a new item on the targeted computer.
- Delete. Remove an existing item from the targeted computer.
- Replace. Delete and recreate an item on the targeted computer. The
result is that Group Policy preferences replace all existing settings and
files associated with the preference item.
- Update. Modify an existing item on the targeted computer. If the
item does not exist, create a new one.


2. Also, I am having a hard time understanding why you get the option to
apply the Preference setting only once. It seems that a GP refresh doesn't
apply even if you leave that option unchecked.


Yes, as Mark mentioned, this is exactly the difference between Group Policy
(managed settings) and Preference (unmanaged settings). It allows users
to change preferences after you've deployed them. By explicitly deploying
preferences rather than accepting the default operating system settings,
you create configurations that are more compatible with your IT environment
and are specifically tailored to your organization and how its people use
their computers.

==============

For more details, please refer to the following link:

Group Policy Preferences Overview
http://www.microsoft.com/downloads/details.aspx?FamilyID=42e30e3f-6f01-4610-9d6e-f6e0fb7a0790&displaylang=en

Hope it helps.



Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
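
Added example, not part of the thread or any poster's code: a Python script that reads a preference item file and reports, from the action and the Common-tab options described in the post above, whether an item deleted on a client is put back the next time the preference extension processes the GPO. The XML is a constructed, simplified sample; the names `action`, `removePolicy` and `FilterRunOnce` are assumed to match what Group Policy Preferences writes to its XML in SYSVOL, and the task names and share path are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified sample in the shape of a GPP ScheduledTasks.xml
# (clsid/uid/changed attributes omitted; task names and share path are hypothetical).
SAMPLE = r"""<ScheduledTasks>
  <Task name="ScanState-Create">
    <Properties action="C" name="ScanState-Create" appName="\\fs01\usmt\scan.bat"/>
  </Task>
  <Task name="ScanState-Update" removePolicy="1">
    <Properties action="U" name="ScanState-Update" appName="\\fs01\usmt\scan.bat"/>
  </Task>
  <Task name="ScanState-Once">
    <Properties action="U" name="ScanState-Once" appName="\\fs01\usmt\scan.bat"/>
    <Filters>
      <FilterRunOnce hidden="1" not="0" bool="AND" id="{00000000-0000-0000-0000-000000000000}"/>
    </Filters>
  </Task>
  <Task name="Retired-Task">
    <Properties action="D" name="Retired-Task"/>
  </Task>
</ScheduledTasks>"""

ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}


def reapply_report(xml_text):
    """Summarise each preference item: action, Common-tab options, and whether
    a copy deleted on the client is recreated on the next processing pass."""
    report = []
    for item in ET.fromstring(xml_text):
        props = item.find("Properties")
        if props is None:
            continue
        code = (props.get("action") or "").upper()
        # "Apply once and do not reapply" is assumed to be stored as a FilterRunOnce element.
        apply_once = item.find("./Filters/FilterRunOnce") is not None
        report.append({
            "name": item.get("name"),
            "action": ACTIONS.get(code, "unspecified"),
            "apply_once": apply_once,
            # "Remove this item when it is no longer applied" (assumed: removePolicy="1").
            "removed_out_of_scope": item.get("removePolicy") == "1",
            # Create, Replace and Update all (re)create a missing item; Delete never does,
            # and an apply-once item is not processed again after its first run.
            "restored_if_deleted": code in ("C", "R", "U") and not apply_once,
        })
    return report


if __name__ == "__main__":
    for row in reapply_report(SAMPLE):
        print(row)
```

For an unchanged GPO, a processing pass only happens with `gpupdate /force` or when the extension is set to process unchanged GPOs, as Mark describes further down the thread.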
Baboon
2008-07-07 03:03:03 UTC
Thanks for the reply.

"You want group policy preference items re-created automatically when they
are deleted on clients."
I know they won't come back automatically, but I would like to be able to
force them to be recreated on individual computers.

Please see my reply to Mark's post to see if I am understanding the behavior
correctly.
Baboon
2008-07-07 02:58:09 UTC
Thanks for the response.
Late last week a scenario arose that illustrates the issue....

We have an OU for preparing XP machines to migrate to new Vista ones. Among
other things the GPO for the OU sets a Scheduled Task to run ScanState from
USMT in a batch file. Someone mistakenly moved computer objects into the OU
even though they are not scheduled to go until next week. The Admin was
ready to just delete the Scheduled Task on each machine, when I fortunately
stopped him. (We eventually realized that since the batch file lives in a
network location, we could simply block it and let the Scheduled Task fail
every day until it's needed. But that is beside the point.)

So, given that scenario, see my responses below to see if I have this right.
Post by Mark Heitbrink [MVP]
Hi,
Post by Baboon
I have a GPO that includes the new GP Preference settings to create a
Scheduled Task. An Administrator deletes the Scheduled Task and it will not
come back. Even moving the machine out of the applicable OU and back in
again or removing from/re-adding to the domain will not recreate the
Scheduled Task.
That's why they are preferences and not policies.
But you can check the box -> delete if no longer in scope
Take a look at the tab, where the WMI filter is defined, there you
will see it.
I understand the difference in concept between policies and preferences, but
it seems like after someone deletes a preference setting, I would expect that
forcing the policy to reapply should bring it back. I guess that's not the
case, but as you point out, I can choose to delete if no longer in scope.
("Remove this item when it is no longer applied" on the Common tab.) I tried
this when I first started working with these, but it forces the setting to be
an Update instead of a Create operation. I guess a new Update operation
works the same as a Create operation, so it probably should be OK. If I
choose this option, will removing the machine from the OU, refreshing policy,
then moving it back to the OU restore the setting?
Post by Mark Heitbrink [MVP]
Post by Baboon
I assume that I need to clean the Registry of the setting.
Is this correct?
Just define the opposite in the GPO to revert the setting.
The problem is, I am talking about a scenario where just a few machines need
to have the preference setting reapplied, so this is not an option.
Post by Mark Heitbrink [MVP]
Post by Baboon
Also, I am having a hard time understanding why you get the option to apply
the Preference setting only once.
It's the same behavior like any other policy, they only apply once;
if the counter doesn't change, the GPO is never applied again.
It will if you run gpupdate /force, but not in a usual gpupdate process.
So this suggests that if an Admin deletes a preference setting, gpupdate
/force will bring it back, correct?
Mark Heitbrink [MVP]
2008-07-07 08:01:47 UTC
Hi,
[...] The Admin was ready to just delete the Scheduled Task
on each machine, when I fortunately stopped him.
This is not a problem in Group Policy, it's the problem that
the "wrong" person has administrative privilege.
[...] ("Remove this item when it is no longer applied" on the Common tab.)
[...] If I choose this option, will removing the machine from the OU,
refreshing policy, then moving it back to the OU restore the setting?
Yes it should.
So this suggests that if an Admin deletes a preference setting, gpupdate
/force will bring it back, correct?
Yes. Absolutely.

Mark
Baboon
2008-07-09 14:02:00 UTC
Thanks, I mostly understand the behavior of the Preference settings at this
point. I appreciate the help.

When I mentioned the Administrator deleting a Preference setting on
individual machines, I didn't mean to suggest that this was an inherent
problem with Preferences, I was giving an example of a scenario where we
would need to bring back a deleted setting.

I have tested the scenario as such:
- Set Scheduled Task and Power Scheme Preferences choosing "Remove this item
when it is no longer applied".
- Confirmed that the setting applied to a machine in the respective OU.
- Removed the machine from the OU - After a refresh the settings were gone -
Good!
- Moved the machine back to the OU with the Preference settings in the GPO.
- The Preference settings came back - Good!
On the same machine I tried this:
- Deleted a Preference setting, but left the machine in the OU with the
settings.
- Used "gpupdate /force", which brought the Preference back - Good!

What I haven't yet tested is to *not* use "Remove this item when it is no
longer applied", then delete a Preference to see if "gpupdate /force" will
bring it back. Logically it seems like that should work as well, but I
thought we had tried exactly that and it failed. I'll let you know after I
have a chance to test this.

Cheers.
Miles Li [MSFT]
2008-07-11 11:07:21 UTC
Hello,

I am pretty sure that the Preference items will come back when not choosing
the "Remove this item when it is no longer applied" option. To prove it, I
made a test as follows:

- Set Scheduled Task Preferences NOT choosing "Remove this item when it is
no longer applied".

- Confirmed that the setting applied to a machine in the respective OU.

- Removed the machine from the OU - After a refresh the settings were NOT
gone

- Deleted the applied Scheduled Tasks

- Moved the machine back to the OU with the Preference settings in the GPO.

- Used "gpupdate /force", which brought the Preference back.


Hope it helps.


Sincerely,
Miles Li

Baboon
2008-07-19 01:17:01 UTC
Interestingly, when my colleague tested this using almost the same scenario
as you, he forgot to use the /force option, but the preference setting still
came back.

We have been testing on XP, but not Vista. I guess we should try Vista as
well just in case.

I would like confirmation of one more behavior of Preference Settings:
I have an Update setting to set the local Administrator passwords on all
machines in an OU. I assume that if I later want to change the password, I
would need to create a new Update Preference setting for that. I assume that
if I simply change the password in the existing Preference setting, only new
machines will receive the change. If you don't know the answer already, just
let me know and I will test this myself.

Thanks for all the help.
Mark Heitbrink [MVP]
2008-07-19 10:58:42 UTC
Post by Baboon
Interestingly, when my colleague tested this using almost the same scenario
as you, he forgot to use the /force option, but the preference setting still
came back.
You can manipulate every single CSE to be applied every time in "force"
mode.

CompConf\AdmTempl\System\GroupPolicy\
"Name of CSE"
-> PART: "Process GPO even if the setting has not changed"


Mark
--
Mark Heitbrink - MVP Windows Server - Group Policy

Homepage: www.gruppenrichtlinien.de - deutsch
Discuss : www.freelists.org/list/gpupdate
Baboon
2008-07-21 18:39:02 UTC
I had said:
"I assume that if I later want to change the password, I
would need to create a new Update Preference setting for that. I assume that
if I simply change the password in the existing Preference setting, only new
machines will receive the change."

I was wrong about this. Simply editing the existing setting with the new
password was enough to change it on a machine which had already gotten the
policy, even without forced policy refresh. I guess that isn't surprising,
since this is probably seen as a change in the GPO.

I have a feeling that the trouble I had been experiencing when I first
posted to this thread was due to our test machines having trouble
communicating with the DCs at the time, because the behavior was much
different from the way I recall it.

Thanks for all of your help.
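
Added example, not part of the thread: an Update item like the one Baboon describes for the local Administrator password stores that password in recoverable form as a `cpassword` attribute in the item's XML in SYSVOL, readable by any account that can read the GPO, so such items are worth locating and retiring. This Python script lists them from a copy of the Policies folder without echoing the value. The sample XML and account names are constructed, and the list of account attribute names is an assumption.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP Groups.xml; the cpassword value is a
# placeholder, not real ciphertext, and the account names are hypothetical.
SAMPLE_GROUPS = """<Groups>
  <User name="Administrator (built-in)" changed="2008-07-19 01:00:00">
    <Properties action="U" userName="Administrator (built-in)"
                cpassword="PLACEHOLDER" subAuthority="RID_ADMIN"/>
  </User>
  <User name="svc-backup" changed="2008-07-19 01:05:00">
    <Properties action="U" userName="svc-backup" cpassword=""/>
  </User>
</Groups>"""

# Attributes that name the account in different preference types (assumed list).
ACCOUNT_ATTRS = ("userName", "username", "runAs", "accountName")


def stored_passwords(xml_text, source="<inline>"):
    """Return one finding per preference item whose Properties carry a non-empty
    cpassword. The value itself is never copied into the finding."""
    findings = []
    for item in ET.fromstring(xml_text).iter():
        for props in item.findall("Properties"):
            if not props.get("cpassword"):
                continue
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), None)
            findings.append({"file": source, "item": item.get("name"),
                             "account": account, "action": props.get("action"),
                             "changed": item.get("changed")})
    return findings


def scan_tree(root_dir):
    """Walk a copy of the SYSVOL Policies folder and check every XML file."""
    findings, unreadable = [], []
    for folder, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    findings += stored_passwords(fh.read(), source=path)
            except (OSError, ET.ParseError):
                unreadable.append(path)  # report rather than skip silently
    return findings, unreadable
```

Deleting the preference item from the GPO removes the XML entry; the password it set should then be changed by another means, since the old value has already been exposed.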
Miles Li [MSFT]
2008-07-23 10:53:03 UTC
Hello,

I am glad to know that you have found out the root cause of this issue. If
you have any further questions or concerns, please don't hesitate to let me
know.

Sincerely,
Miles Li
