Policy vs Preference

Jul
30
2009

Team: I had this email exchange with a friend of mine the other day.

The email title was: “Policy vs. Preference (I don’t get it.)”

I thought you’d like it. Read all the way thru to the end for how to get more information TOMORROW, Friday at 12.00 PM EST.

[Note, we're having some login issues to the GPanswers.com web accounts. Sorry if you're affected right now; we're working to fix it... Thanks.]

Jeremy…

OK I’m having serious brain ‘problem.’ What, really, is the difference between an unmanaged policy setting and a preference (GPPreferences-style)?

I CAN remember, at this late hour, that managed policy settings are in the Policies key of the registry. Seems to me that unmanaged policy settings (which equate to settings that can tattoo, right?) are elsewhere, yeah? So what makes them different than changes made by Preferences?

I am just trying to hone my use of terminology and make my boss understand “Policy” vs “Preference” vs “PolicyPak”. THANKS!!!!

Okay Frank.. So.. I’m sure there’s some “complete and proper definition” somewhere at Microsoft about what a Policy is vs. a Preference.

But when I talk with people about “Policy” Vs. “Preference” here’s the litmus-test I use to determine “which is which.”

I define policy as “three things”… that is, these three things need to be TRUE for you to be able to call it a “True Policy.” A policy means that the setting:

1. Properly goes to the “Policies” keys in the registry (one of only FOUR sanctioned locations)

and

2. UI lockout occurs such that users cannot scoot around it

and

3. UI lockout / setting reverts when GPO falls “out of scope” (ie: You whack the GPO.)

So, “Prohibit Access to the Control Panel” is a true POLICY. It meets these three criteria.

If you crack open the ADM/X, you’ll see that the registry punch goes to the Policies keys… and once set, users cannot scoot around it.

A Preference is EVERYTHING ELSE.

So.. some criteria to check if it’s a Preference would be:

1. Does it store its keys anywhere in the registry? (ie: OUTSIDE the 4 proper Policies keys?)

and

2. Does it still permit a user to manipulate the UI? (ie: No UI lockout?)

So, 99% of hand-created ADM or ADMX templates and a large percentage of GP Prefs items are just that.. Preferences. (Note that many GP Preferences items have a scope which are NOT the registry. For instance, “Local users and groups” deals with the local SAM and NOT the registry. Others, deal with services. But for the purposes of this discussions, I think you’re asking about REGISTRY items, and many of the GP Preferences items are, indeed, registry focused.)

So, let’s examine the GP Preferences “Internet Explorer Settings.” They’re Preferences.

Why? Because… once a user gets the settings…

Test #1: The keys aren’t contained in the “Policies” keys
Test #2: Users can scoot around and change the values to whatever they want
Test #3: If you whack the GPO with a preference, what happens? It “tattoos” or “leaves behind” the settings you set.

Do note, if you whack the GPO with a GP Preference, on some items there is an extra flag which is called “Remove when no longer applies” which will DELETE THE VALUE (not REVERT the value). Which, could be harmful to your application. Ouch.

So, where does PolicyPak fit in?

In contrast.. POLICYPAK will “bridge the gap” when it comes to Registry punches and settings Applications’ settings.

The free PolicyPak Community edition is able to:

1. Write keys anywhere in the registry

while

2. Performing UI lockout

and magically

3. Reverting to the value you want when no longer applies (not totally deleting the value!)

PS: There’s a guide which I wrote to help clear up a lot of these questions. Let me know what you think:
http://www.policypak.com/images/pdf/PowerAdminsGuideToTrueDesktopLockdown.pdf