Group Policy Preferences – What Takes Preference?

How do you know if one Group Policy Preference occurs before another?

Hi again everyone,

Today I’m sharing something that I have just found out about, thanks to the very helpful Alan Burchill (Twitter) who is a MVP in Group Policy. Thanks Alan!

So, I’ve talked about Group Policy Preferences before – wonderful, and not widely used enough yet – but they’ll do pretty much anything you could do with a login script with the added benefits of high granularity, GUID and targeting based on almost any criteria you can think of rather than writing complex scripts and error reporting in event viewer.

I came into a scenario where I needed to delete all of the files in a directory, then copy several files back into that same directory. As I created this, I then wondered how I’d make sure that the delete occured before the copy. If it happened the other way around, the end result would be an empty directory!

If you’re doing multiple settings of the same type, then they get an Order number as per the screenshot below. You can move the order around, to make sure things occur in their proper turn. Something like environmnet variables may need this, since your second variable may use the first variable as part of it’s path, and if it was the wrong order then you wouldn’t have the first environment variable set before it was called:


Simple enough. But, what if you need an environment variable in place before you map a drive using that variable? The next screenshot is from the same policy, using one of the variables above to map a drive. But, if you look at the order number, it’s also a 1. The order is only relevant for items in that same area (as per this example, Drive Maps).




How do you know what will happen first? This is what Alan Burchill found out for me. There is a set order in which each client side extension runs, and to view this you need to delve into the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\GPExtensions



The order is based on the GUID. I’ve highlighted the second one, which is Group Policy Environment – the environment variables. They’re all self explanatory once you click on them, or you can search what you’re looking for and then ensure that they are in the order you need them to be. There’s one exception to this, which is {35378EAC-683F-11D2-A89A-00C04FBBCFA2} but that’s a blank entry… possibly so you can force something to be first if needed? We’re not quite sure on that bit!

I hope that helps you if you ever run into this sort of thing. There are other workarounds you can do, such as creating two seperate GPO’s and put those GPO’s in the correct order, but best practise is to have as few GPO’s as possible.Anyway, for my example above, the environment variables come before drive mappings which is {5794DAFD-BE60-433f-88A2-1A31939AC01F} so we’re safe.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.