GPO Rule of thumb for: Disabled vs Enabled vs Not Configured
Is there any documentation that explains difference between these:
- Policy Not Configured
- Policy Disabled
- Policy Enabled, Setting Enabled
- Policy Enabled, Setting Disabled
- Policy Enabled, Setting Prompt
I know that Disabled and Enabled enforce the policy, which as I understand it means that users cannot change the policy locally.
I've found some blog post that indicates that Policy Disabled is equivalent to "not configured, but enforced." Meaning that the policy's default, not configured behavior is now enforced so a user cannot change it locally.
However, I can't find any documentation that backs this up. Can anyone help clear up the confusion?
Solution 1:
Group Policy Administrative Template policies don't do anything more than set registry values (typically under Software\Policies
in HKEY_CURRENT_USER
and HKEY_LOCAL_MACHINE
, as well as a couple other locations, or anywhere that a third-party ADM(X) file might want to set them).
Personally, I think that thinking about Administrative Template policies like registry manipulation seems more intuitive. Each GPO containing Administrative Templates is "overlaid" on the registry during Group Policy processing, and any values specified in that GPO overwrite values previously loaded there (either because those values were in the registry by default, or because they were put there by a person or another GPO).
I think it's equally important to remember that how programs react to values in the registry is part of that program's behavior, not part of the Administrative Template policy functionality. The policy puts things into the registry (or deletes them). How the program in question reacts to those values being present and set to a specific value (or not being present) is part of the program's behavior and varies from program to program.
An Administrative Template policy can set a single value in the registry, or it can be written to manipulate multiple values. That just depends on how the ADM(X) file was written.
Writing an ADM(X) is beyond the scope of this question, but it's something you should know about if you really want deep understanding of Group Policy. With the advent of Group Policy Preferences registry preference extension it has become much less important to make custom ADM(X) files than it was in the past, but it's still nice if you want to give a clean user interface to other sysadmins.
With all of that in mind, here's what the various "states" mean for a given Administrative Template policy:
Policy Not Configured - No value(s) are specified. Any value(s) already in the registry aren't manipulated.
Policy Disabled - Any value(s) that would be created by the policy present are deleted.
Policy Enabled - Manipulation of the registry (adding, altering, or deleting values) will occur. Typically this takes the form of placing into or altering existing values in the registry but it is possible that an enabled policy could delete values, too.
Some of the Internet Explorer Administrative Template policies contain tri-state list-boxes with the choices "Enabled", "Disabled", and "Prompt". I suspect these are what you're referring to with the items below.
- Policy Enabled, Setting Enabled
- Policy Enabled, Setting Disabled
- Policy Enabled, Setting Prompt
In all three of these cases the "Policy Enabled" means that you're putting a value into the registry. Internet Explorer uses that value to determine if the setting being manipulated should be enabled, disabled, or if the user should be prompted. This isn't Administrative Template policy behavior-- it's how Internet Explorer interprets the values placed into the registry by the Administrative Template policy that determines this behavior.
No matter which is selected, from an Administrative Template perspective the policy is enabled so you're just manipulating a value the registry.