There is an important distinction that every Group Policy administrator needs to understand about policies. There are two different types of policies, and they behave very differently. You can think of the two types as managed versus unmanaged, and also as policy versus preference. The word preference in this case is not necessarily the same distinction between the lumping of policy settings being separated from Group Policy Preference settings inside the Group Policy Management Editor. Those preferences we will be discussing in Chapter 6, Group Policy Preferences. In this sense, I am talking only about settings that exist in the traditional Policy locations inside GPME, namely inside the Administrative Templates section, but they are settings that behave more as if they are preferences in the user's eyes. On the flip side, policies are more stringent and generally more powerful.
Managed policies behave like true gentlemen. These are the settings that you put into place and expect results, but when you request these policy settings to back away from the places they are applied, they happily comply. What do I mean by that? When you plug some policy settings into a GPO and then filter that GPO to a location, you expect those settings to be put into place on the machines or users to which you have filtered the GPO. And that happens just fine with all policy settings inside the Group Policy Management Editor. But what about when that GPO no longer applies to a machine? What if you change the Security Filtering of the GPO, or if you move a workstation from one OU to another and it no longer receives the same GPO? Do those settings that were previously applied continue to be applied? Or are they removed from the machine now that the GPO is no longer filtering to it? The answer to that question differs based on what Group Policy settings we are talking about. True managed policy settings will behave in the way you would expect—when you retract a GPO, the settings disappear as well. They are reversed and removed from the workstation. Then there are other settings that really behave like preferences. These are settings that get applied to the computer via Group Policy, but when that GPO later falls out of scope and no longer applies to the computer, these preference settings do not retract automatically and are left hanging around on the machine. Most of the time, when dealing with these different kinds of settings, we are working within the Administrative Templates section of the GPME. So let's segue into a talk about Administrative Templates themselves.