Many Group Policy preference items share common options. Each preference item displays these options on the Common tab. The common options are consistent among the preference extensions and allow you to control the error handling for a particular extension, the security context the extension uses when processing user configuration settings, the scope and application of preference items, and item-level targeting, which provides filtering at the preference item level, in addition to Group Policy filtering.
Configuring common options
Common options include:
- Stop processing items in
this extension if an error occurs on this item
- Run in logged-on user's
security context (user policy option)
- Remove this item when
it is no longer applied
- Apply once and do not
Stop processing items in this extension if an error occurs on this item
Each preference extension can contain one or more preference items.
- By default, a failing preference item does
not prevent other preference items in the same extension from
- If the Stop processing items in this
extension if an error occurs on this item option is selected, a
failing preference item prevents remaining preference items within
the extension from processing. This change in behavior is limited
to the hosting Group Policy object (GPO) and does not extend to
Preference extensions start processing preference items from the bottom of the list and work their way to the top. Preference items successfully applied prior to the failing preference item are applied. The preference extension only stops processing preference items that follow the failing preference item.
Run in logged-on user's security context (user policy option)
There are two security contexts in which Group Policy applies user preferences: the SYSTEM account and the logged-on user.
- By default, Group Policy processes user
preferences using the security context of the SYSTEM account. In
this security context, the preference extension is limited to
environment variables and system resources available only to the
- If the Run in logged-on user's security
context option is selected, it changes the security context
under which the preference item is processed. The preference
extension processes preference items in the security context of the
logged-on user. This allows the preference extension to access
resources as the user rather than the computer. This can be
especially important when using drive maps or other preferences in
which the computer may not have permissions to resources or when
using environment variables. The value of many environment
variables differs when evaluated in a security context other than
the logged-on user.
Remove this item when it is no longer applied
Group Policy applies policy settings and preference items to users and computers. You determine which users and computers receive these items by linking one or more Group Policy objects (GPOs) to Active Directory sites, domains, or organizational units. User and computer objects that reside in these containers receive policy settings and preference items defined in the linked GPOs because they are within the scope of the GPO.
- Unlike policy settings, by default preference
items are not removed when the hosting GPO becomes out of scope for
the user or computer.
- If the Remove this item when it is no
longer applied option is selected, it changes this behavior.
After selecting this option, the preference extension determines if
the preference item should not apply to targeted users or computers
(out of scope). If the preference extension determines the
preference item is out of scope, it removes the settings associated
with the preference item.
Selecting this option changes the action to Replace. During Group Policy application, the preference extension recreates (deletes and creates) the results of the preference item. When the preference item is out of scope for the user or computer, the results of the preference item are deleted, but not created. Preference items can become out of scope by using item-level targeting or by higher-level Group Policy filters such as WMI and security group filters.
The Remove this item when it is no longer applied option is not available when the preference item action is set to Delete.
Apply once and do not reapply
Preference items are applied when Group Policy refreshes.
- By default, the results of preference items
are rewritten each time Group Policy refreshes. This ensures that
the results of the preference items are consistent with what the
administrator designated in the Group Policy object.
- If the Apply once and do not reapply
option is selected, it changes this behavior, so the preference
extension applies the results of the preference item to the user or
computer only once. This option is useful when you do not want the
results of a preference item to reapply.
Group Policy provides filters to control which policy settings and preference items apply to users and computers. Preferences provide an additional layer of filtering called targeting. Item-level targeting allows you to control if a preference item applies to a group of users or computers. For more information, see Preference Item-Level Targeting.