Group Policy Preferences - Run in logged-on users security context

Regarding Group Policy Preferences (GPP)...

When would it be necessary to use/select “Run in Logged on User’s Security Context” - and - when would you NOT want to use it (thereby defaulting to every GPP item applied being processed under the local SYSTEM account)?

This article gives some helpful info (http://deployhappiness.com/run-in-logged-on-users-security-context) but it is not clear to me when one should plan to use or not use the setting.
Asked by: GoodEnoughThen

Sandeshdubey (Senior Server Engineer) Commented:
"Run in logged-on user's security context (user policy option)" changes the default user context. Normally preferences are processed using the Local System account (SYSTEM); selecting this option will make sure the user context is used instead.

If you are configuring Network Drive and Printer Mappings, ignore this setting as they always use the user context anyway. http://technet.microsoft.com/en-us/library/cc772371.aspx
GoodEnoughThen (Author) Commented:
Sandeshdubey, thank you. Your post confirms *what* the "Run in logged-on user's security context" does, but I'm not certain it addresses *why*, i.e., why I would have to (or absolutely need to) check that option (or conversely why I would NOT want to check that box). How will I know exactly which context to choose, the default SYSTEM or the manually selected USER, at the time I'm creating the GPP? What are the determining factors?

Also, I'm confused by "If you are configuring Network Drives and Printer Mappings ignore this setting as they always use the user context anyway".

The article "Configure Common Settings" that you included reads, "This can be especially important when using drive maps or other preferences in which the computer may not have permissions to resources or when using environment variables." To me this seems to suggest the opposite, that you do NEED to check "Run in logged on user's security context".

Can you please explain my confusion? Am I misreading it? Thank you!
Sandeshdubey (Senior Server Engineer) Commented:
By default, the Group Policy client running on a computer processes user preferences within the security context of either the Winlogon account (for computers running versions of Windows prior to Vista) or the SYSTEM account (for computers running Windows Vista and above). In this context, a preference extension is limited to the environmental variables and system resources available to the computer. Alternately, the client can process user preferences in the security context of the logged-on user. This allows the preference extension to access resources as the user rather than as a system service, which might be required when using drive maps or other preferences for which the computer might not have permission to access resources or might need to work with user environmental variables.


Run in logged-on user's security context (user policy option) section and Common tab image: for configuring Network Drive and Printer Mappings, ignore this setting as they always use the user context anyway. See the links below.

http://www.windowsecurity.com/articles-tutorials/windows_os_security/Group-Policy-related-changes-Windows-Server-2008-Part4.html

http://www.serverwatch.com/tutorials/article.php/3881656/Windows-Server-2008-Directory-Services-Group-Policy-Preferences--Common-Options.htm
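
One way to review existing user-side preference items against the two criteria named in the answer above (network resources and user variables), as an added example that is not from the original thread. It assumes the option is stored as a `userContext="1"` attribute on the item element in the preference XML; the sample XML is constructed and simplified, and `Get-GppContextReport` is a hypothetical name.

```powershell
# Constructed, simplified stand-in for a GPO's User\Preferences\Files\Files.xml.
# Real files carry more attributes (clsid, uid, changed, ...) that are omitted here.
$sampleXml = @'
<Files>
  <File name="profile.ini" userContext="1">
    <Properties action="C" fromPath="\\fileserver.example\home\profile.ini" targetPath="%AppDataDir%\profile.ini" />
  </File>
  <File name="template.dotx">
    <Properties action="C" fromPath="\\fileserver.example\dept\template.dotx" targetPath="C:\Templates\template.dotx" />
  </File>
  <File name="banner.txt" userContext="0">
    <Properties action="C" fromPath="C:\Staging\banner.txt" targetPath="C:\Tools\banner.txt" />
  </File>
</Files>
'@

function Get-GppContextReport {
    param([Parameter(Mandatory)][xml]$Xml)

    # Treat every element that has a <Properties> child as one preference item.
    foreach ($item in $Xml.SelectNodes('//*[Properties]')) {
        # Assumption: userContext="1" means "Run in logged-on user's security context";
        # a missing attribute or "0" means the default (SYSTEM) context.
        $asUser = $item.GetAttribute('userContext') -eq '1'

        # Collect all property values and look for UNC paths and %variables%.
        $values  = @($item.SelectSingleNode('Properties').Attributes | ForEach-Object { $_.Value })
        $usesUnc = [bool]($values -match '^\\\\')
        $usesVar = [bool]($values -match '%[^%]+%')

        [pscustomobject]@{
            Item    = $item.GetAttribute('name')
            RunsAs  = $(if ($asUser) { 'logged-on user' } else { 'SYSTEM' })
            UncPath = $usesUnc
            UserVar = $usesVar
            # Heuristic only: a SYSTEM-context item that touches a share or a
            # variable is worth checking by hand; it is not necessarily wrong.
            Review  = (-not $asUser) -and ($usesUnc -or $usesVar)
        }
    }
}

Get-GppContextReport -Xml $sampleXml | Format-Table -AutoSize
```

On the sample, only `template.dotx` is marked for review: it copies from a share while running in the default context, so the copy depends on what the computer, rather than the user, is permitted to read.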