During the implementation of your first Group Policy Preference setting, you will likely find yourself staring at four different choices. Not all preferences behave this way, but many do. This happens because most preference settings (as well as almost anything you do inside the Windows operating system) is really just a setting or changing of something inside the registry. When telling Group Policy to put registry settings into place, you have the choice of handling that registry key in one of four different ways: Create, Replace, Update, or Delete. If you acronym that out, it spells CRUD! Hilariously, Microsoft themselves even refer to this selection of choices as "CRUD" in some documentation.
Let's look at an example. In the following screenshot, you can see that I am creating a GPO that contains a new Preference setting. This preference setting is going to plug a new Registry key/value into the registry for my users. We will more thoroughly walk through the steps for creating a new Registry key later in this chapter because that is a fairly common task, but what I wanted to show you right now is that when I create this new Registry item, I have a drop-down list called Action. From the list, I get to make a choice of Create, Replace, Update, or Delete:
Here are descriptions of the four CRUD actions:
- Create: Use this action to create a setting ONLY if it does not already exist. If the setting exists and is set to something else, this preference will then be ignored. In our example, if I were to configure this new registry value for Create, it would only take an action if that value did not already exist inside the user's registry.
- Replace: Use this action to remove an existing setting, and replace it with our new setting. The Replace option is a little bit redundant as you will soon see (because Update or Delete are probably more in line with what you are looking for) and, as such, I don't often find preferences that include Replace values.
- Update: This is the default action, and is generally the most useful. If the setting that we are configuring doesn't already exist, Update will create it. Additionally, if the setting does already exist on the client machine, it will be updated to reflect our new setting instead. It's sort of like forcing a policy into place, except again remember that preferences are typically able to be overwritten by users, so someone else could still come along and change your preference setting.
- Delete: This removes the specified preference settings from the machine. Sometimes you need to make sure that certain settings are gone from a group of machines – this is the way to accomplish that. Deletes are helpful for backing out particular preference settings that you might have been previously enforcing. Remember that Policy settings can typically self-remove when the GPO no longer applies to a machine, but any Preferences that were applied continue to be applied even after the GPO is long gone. If you have applied Preferences to your users or machines and you now want to reverse those Preferences and remove them, you can create a new GPO that contains Preference configuration for the same settings, but change the Action to Delete, and Group Policy will then reach out and do the work for you of forcibly removing those Preference settings. It is always a good idea to test deletion preferences before rolling them out to your workforce, because deleting settings from the registry is a great way to break applications or even Windows itself.