As I see it, Group Policy Preferences is a lot like sushi: You either love it, or you've never truly experienced it.
GPPs aren't new. They've been around since the release of Windows Server 2008. But, oddly, I still don't find them in widespread use today. Among other reasons, GPPs were introduced to Group Policy to overcome a fairly significant hurdle: While using existing Group Policy settings is a relatively easy process, creating your own custom Group Policy settings isn't.
If the configuration you need to enforce with Group Policy is something that's already built-in, the process requires creating a Group Policy Object, enabling the setting, and adding any setting-specific configuration that's required. Apply the GPO to an OU and you're done. On the other hand, enforcing custom Group Policy settings requires hand-coding your own ADM or ADMX file. If you don't know the ADM secret language or aren't comfortable with ADMX's XML roots, you've got a big problem.
While Group Policy Preferences is able to configure all sorts of different settings, there's one in particular that comes in handy for my uses all the time. That use is in setting and enforcing specific registry values for the different applications on my network. With it, I can automatically tick a checkbox or set a value in my applications on behalf of my users. Gone are all those awful How to Setup Application XYZ documents that my users summarily ignored.
Also gone are most of the help desk calls that invariably result when they don't follow directions.
Standardization, Outlook Style
One such setting that became necessary very recently was the need to standardize on a common Outlook email experience. After years of dealing with inconsistencies in how emails looked from different users, our company decided to enforce a specific typeface, font size, and color for every corporate email.
Figure 1: Signatures and Stationery
It's a legitimate request. Some people's 'creativity' just doesn't exude corporate professionalism. Problem is that telling people to conform their settings in Outlook 2010's Signatures and Stationery control panel (seen in Figure 1 above) is a far cry from them actually doing it.
You probably know that you can get to that control panel by navigating to File | Options | Mail, and then clicking Stationery and Fonts. What you might not know is that any settings here are actually stored in the registry, specifically in each user's HKEY_CURRENT_USER hive. For Outlook 2010, the exact path is HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MailSettings. Depending on what you've set in Signatures and Stationery, you'll see different keys and values inside this location.
Here's where Group Policy Preferences gets ridiculously powerful. Traditionally, making changes to user settings in HKCU has been nightmarishly difficult because these settings are only loaded when the user logs in. A GPP whose User Configuration is enabled, however, also executes when that user logs in. That means no matter where they are, they're going to get your enforced setting.
Even better, because GPPs are designed to configure custom settings, you can point that GPP in the Group Policy Management Editor at the registry of an already-configured user and use their settings as the template for setting and enforcing everyone else.
Outlook 2010 Enforcement, the Easy Way
Here's how to solve this otherwise nasty problem. Find yourself a computer with Outlook 2010 installed and navigate to the Signatures and Stationery control panel you see in Figure 1. There, configure whatever settings you need to enforce. I'll set mine to the Compass theme. I also miss the good old days when Times New Roman was king of fonts, so I'll set that as the font for Composing and reading plain text messages.
Figure 2: MailSettings
After clicking OK, bring up the registry editor (regedit.exe) and navigate to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\MailSettings on that same computer. You'll see something similar to Figure 2, although the values in your data column will probably be slightly different.
Figure 3: Edit Binary Value
What you're seeing are hexadecimal values that correspond with the settings you just selected in the interface. Double-click TextFontComplex and you'll bring up a window called Edit Binary Value (see Figure 3). That window shows how the hex values map to a set of plaintext characters. Luckily you don't have to worry about the exact data here. You've asked Outlook to create this data when you configured the setting in Outlook's GUI.
Figure 4: New Registry Properties
It's at this point where GPPs get really exciting. Launch the Group Policy Management Console and create and edit a new GPO. Navigate to User Configuration | Preferences | Windows Settings | Registry and right-click to create a New Registry Item. You'll see a screen similar to Figure 4. Click the button with the three dots (...) to launch the Registry Item Browser. This little tool is freakishly cool.
Figure 5: Registry Item Browser
Inside it you can navigate down the registry tree to the same location in HKEY_CURRENT_USER. There, as you can see in Figure 5, you'll find Outlook's settings along with all that nasty hexadecimal data that you configured in the GUI. Highlight one of the items and click Select.
Figure 6: New Registry Properties (with values)
You should return to the New Registry Properties screen, but this time all the values are already filled out for you. At this point you can click OK and repeat this process for each registry key you want to configure and enforce. In this case, that might be the keys for NewTheme, TextFontComplex, and TextFontSimple, but yours can really be anything. Finish up, close the Group Policy Management Editor, link the GPO to an OU full of users to configure, and your job is complete.
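The same procedure can be scripted with the GroupPolicy PowerShell module that ships with the Group Policy Management tools. This is an added example, not part of the original article; the GPO name and OU path are hypothetical placeholders, and it assumes you run it as the already-configured reference user so that HKCU points at their hive.

```powershell
#Requires -Modules GroupPolicy
# Added example: copy a reference user's Outlook 2010 mail settings into
# Group Policy Preferences registry items. Run as the reference user.
$GpoName    = 'Outlook 2010 Mail Format'       # hypothetical GPO name
$TargetOU   = 'OU=Staff,DC=example,DC=com'     # hypothetical OU
$KeyPath    = 'Software\Microsoft\Office\14.0\Common\MailSettings'
$ValueNames = 'NewTheme', 'TextFontComplex', 'TextFontSimple'

$key = Get-Item -Path "HKCU:\$KeyPath" -ErrorAction Stop

# Reuse the GPO if it already exists, otherwise create it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

foreach ($name in $ValueNames) {
    if ($name -notin $key.GetValueNames()) {
        Write-Warning "$name is not set for this user; skipping."
        continue
    }
    # Keep the value type and raw data exactly as Outlook wrote them.
    $kind = $key.GetValueKind($name)
    $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')

    Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
        -Key "HKCU\$KeyPath" -ValueName $name -Type $kind -Value $data |
        Out-Null
}

# Link the GPO to the OU that holds the users (errors if already linked).
New-GPLink -Name $GpoName -Target $TargetOU | Out-Null

# List what was written so it can be compared against regedit.
Get-GPPrefRegistryValue -Name $GpoName -Context User -Key "HKCU\$KeyPath" |
    Select-Object ValueName, Type, Action
```

This sketch does not configure item-level targeting; that is still done in the Group Policy Management Editor.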
...But What About Computers Without Outlook?
An excellent question, one that's kind of solved in Figure 6's Common tab. Bring back up that screen and view the Common tab. There, check the box next to Item-level targeting and click the Targeting button. What results is a new control panel called the Targeting Editor.
The job of this Targeting Editor is to limit the application of a Group Policy Preference. In it you can add one or more custom items that must be fulfilled if the GPP's setting is to be applied to the computer that user is logging into. In our case, we don't want this setting to apply when Outlook isn't present on the computer. Doing so would have no effect. Worse, it would muddy up the computer's registry, adding a setting where no setting should exist.
Figure 7: Targeting Editor
To resolve this, click to create a New Item called File Match and configure it to apply the GPP when Outlook's OUTLOOK.EXE file is found in C:\Program Files (x86)\Microsoft Office\Office14. If you want to get really creative, you can limit it further to apply only when the Outlook it finds is actually Outlook 2010. That version will be somewhere between version 14 and 15, which is information you can learn by viewing the properties of OUTLOOK.EXE and checking out the Details tab.
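The File Match condition can be checked on a client before you rely on it. The following is an added example, not part of the original article; the function name is hypothetical, and the path and value names are the ones used above.

```powershell
# Added example: evaluate the article's File Match condition locally and
# report whether the preference's registry values exist for this user.
function Test-Outlook2010Target {
    param(
        [string]$Path = 'C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # Same data as the Details tab of the file's properties.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $ver  = New-Object System.Version -ArgumentList $info.FileMajorPart,
                $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

    # Outlook 2010: at least 14.0 and below 15.0.
    return ($ver -ge [version]'14.0' -and $ver -lt [version]'15.0')
}

$mailKey = 'HKCU:\Software\Microsoft\Office\14.0\Common\MailSettings'
$names   = 'NewTheme', 'TextFontComplex', 'TextFontSimple'
$present = @()
if (Test-Path -LiteralPath $mailKey) {
    $present = (Get-Item -LiteralPath $mailKey).GetValueNames()
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    User          = $env:USERNAME
    TargetMatches = Test-Outlook2010Target
    ValuesPresent = @($names | Where-Object { $_ -in $present })
    ValuesMissing = @($names | Where-Object { $_ -notin $present })
}
```

A machine that reports TargetMatches as False but still lists values under ValuesPresent is the "muddied registry" case the targeting is meant to prevent.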
What you see with this Targeting Editor is pretty much what you get with limiting configurations. This tool is great when your configurations are fairly broad in scope. If you need more fine-tuned targeting control, such as delivering different settings to different people, you might look elsewhere to third-party solutions that add more granular control.
Notwithstanding, GPPs are indeed your friend. Or, at least they should be. Now go use them to their fullest potential. And while you're at it, think about giving that raw fish a try. You might just find something unexpectedly wonderful.