Group Policy Preferences - Run in logged-on user's security context

Regarding Group Policy Preferences (GPP)...

When would it be necessary to use/select “Run in Logged on User’s Security Context” - and - when would you NOT want to use it (thereby defaulting to every GPP item applied is processed under the local SYSTEM account)?

This article gives some helpful info, but it is not clear to me when one should plan to use or not use the setting.

Sandeshdubey (Senior Server Engineer) commented:
By default, the Group Policy client running on a computer processes user preferences within the security context of either the Winlogon account (for computers running versions of Windows prior to Vista) or the SYSTEM account (for computers running Windows Vista and above). In this context, a preference extension is limited to the environmental variables and system resources available to the computer. Alternately, the client can process user preferences in the security context of the logged-on user. This allows the preference extension to access resources as the user rather than as a system service, which might be required when using drive map or other preferences for which the computer might not have permission to access resources or might need to work with user environmental variables.

Run in logged-on user's security context (user policy option) section and common tab image for configuring Network Drive and Printer Mappings ignore this setting as they always use the user context anyway. See the links below.

Sandeshdubey (Senior Server Engineer) commented:
"Run in logged-on user's security context (user policy option)" changes the default user context. Normally preferences are processed using the Local System account (SYSTEM); selecting this option will make sure the user context is used instead.

If you are configuring Network Drive and Printer Mappings, ignore this setting as they always use the user context anyway.

GoodEnoughThen (Author) commented:
Sandeshdubey, thank you. Your post confirms *what* the "Run in logged-on user's security context" does, but I'm not certain it addresses *why*, i.e., why I would have to (or absolutely need to) check that option (or conversely why I would NOT want to check that box). How will I know exactly which context to choose, the default SYSTEM or the manually selected USER, at the time I'm creating the GPP? What are the determining factors?

Also, I'm confused by "If you are configuring Network Drives and Printer Mappings ignore this setting as they always use the user context anyway".

The article "Configure Common Settings" that you included reads, "This can be especially important when using drive maps or other preferences in which the computer may not have permissions to resources or when using environment variables." To me this seems to suggest the opposite, that you do NEED to check "Run in logged on user's security context".

Can you please explain my confusion? Am I misreading it? Thank you!
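
An added example, not part of the original thread: a PowerShell audit that lists which items in a GPP preference XML file are set to run in the logged-on user's context. It assumes the option is stored as `userContext="1"` on the item element; the sample XML is constructed and reduced to the attributes the script reads, and `Get-GppItemContext` is a hypothetical helper name.

```powershell
# Added example: report the processing context of each GPP item.
# Assumption: "Run in logged-on user's security context" is stored as
# userContext="1" on the item element; a missing attribute means the default.

# Constructed sample (Files preference layout, trimmed for illustration).
[xml]$sample = @'
<Files>
  <File name="settings.ini" userContext="1">
    <Properties action="U"
                fromPath="\\fileserver.example\profiles\%LogonUser%\settings.ini"
                targetPath="%AppDataDir%\ExampleApp\settings.ini"/>
  </File>
  <File name="banner.txt">
    <Properties action="U"
                fromPath="\\fileserver.example\public\banner.txt"
                targetPath="%CommonDesktopDir%\banner.txt"/>
  </File>
</Files>
'@

function Get-GppItemContext {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Source = 'inline sample'
    )
    # Every preference item carries a <Properties> child; its parent is the item.
    foreach ($props in $Xml.SelectNodes('//Properties')) {
        $item = $props.ParentNode
        [pscustomobject]@{
            Source  = $Source
            Type    = $item.LocalName
            Name    = $item.GetAttribute('name')
            Context = if ($item.GetAttribute('userContext') -eq '1') {
                          'Logged-on user'
                      } else {
                          'Default (Winlogon/SYSTEM)'
                      }
        }
    }
}

Get-GppItemContext -Xml $sample | Format-Table -AutoSize

# To audit a real GPO, load its files instead (the path is a placeholder):
# Get-ChildItem '<path to GPO>\User\Preferences' -Recurse -Filter *.xml |
#     ForEach-Object { Get-GppItemContext -Xml ([xml](Get-Content $_.FullName -Raw)) -Source $_.Name }
```

In the sample, the first item reads from a per-user share that a computer account may have no permission to, which is the case the answers above describe for enabling the option; the second reads from a public share and stays on the default.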