CRUD: When to use Create, Replace, Update or Delete in Group Policy Preferences?
I have to admit: I don’t use Group Policy Preferences as much as I probably should. Historically, when I migrate clients from a legacy system such as Windows Server 2003 or 2008 to something newer, I tended to leave well enough alone, so to speak, and just update existing logon scripts, batch files or what have you.
But, while those old methods work great for stuff like mapping network drives or deploying printer connections, they just aren’t as flexible, and do not offer the same level of control (or ease of maintenance) as some of the newer tools. Early on (like a decade ago) when I first started running into clients who were having issues with Group Policy Preferences, I usually just scoffed, and reverted them back to what I knew and was comfortable with.
What a mistake! Once I learned the cause for so many of those issues tended to be poor setup, execution or migration techniques, I started to change my own practices.
One of the areas of confusion that I often run across is IT admins not knowing when to use which setting, and why. To clear it up, here is a quick run-down of CRUD (Create, Replace, Update or Delete). Even Googling this topic and reading through the various answers in the forums can be frustrating, to say the least. And I think I can do a little better.
I also think a lot of people who have to do migrations infrequently have this question: “If I am migrating a file share or a printer connection, should I use Create, Replace or Update? Do I need to throw a Delete policy in for the old mappings/connections?” Let me try to answer these concerns now:
Create – You will notice this option comes with a green icon. Green is Good! Right? Green actually indicates that this action is very low impact and low risk–it’s a “safe” move. E.g. If this mapping or connection does not exist, then create it. Otherwise, if it does exist, then do nothing. But if you’re trying to use this during a migration, you might not get the result you want. You might not get your objects to show up, or you could get duplicate objects, depending on the situation. It’s great if you’re deploying brand new objects that have never been in the environment before, but as we will see, Update has the same net result in that case, and it allows you to perform updates to the same object later on. So I almost never use this Create option in practice.
Replace – Unlike its friendlier cousin (above), Replace has an angry red icon and will not only create new objects, but destroy old ones, too. No matter what, you are getting this new object. If using this during migrations, for example when shared folders and mapped network drives are moving from an older file server to a newer one, then be sure to switch it to Update after you are done migrating (so that you don’t have the GPO deleting and recreating this object periodically later down the road). Note: if you go to the Common tab and choose the option to “Remove this item when it is no longer applied” then the action will automatically be changed to Replace.
Update – A yellow icon, as in: Warning! You might overwrite something. You can update the object with new settings, or create the object if it doesn’t exist. However, you should note: it does not remove or destroy any objects. The example I like to use here is that if I try to Update an existing printer connection to refer to a new server path, like changing \\srv-oldprinters\printer to \\srv-newprinters\printer, the result is that I get a new printer (like I wanted) but I keep the old one too (which I didn’t want). I would have had to add a Delete item for the old path, since Update cannot delete anything, like Replace can. Remember: If there is no existing object to update, then Update creates the object–but it never deletes any objects, it only updates them. Because of this behavior, I usually choose this action whenever I’m deploying brand new objects, and just update it later on whenever something minor changes with it. For major changes like migrations to new servers, I would use Replace, since Update is much weaker (albeit not as weak as Create). Just be aware that if you use Update in migration scenarios, you may not get the results you want, similar to Create.
Delete – This is exactly what it sounds like: delete the object. Just get rid of it. That’s why this item gets a red X. Appropriate for use when a share or printer has been permanently removed. Oddly enough, and especially with printer connections, I have found that this may not always be effective–especially if the object was put into place by something other than Group Policy Preferences, so I often create a logon script to blow those items away anyhow, just as extra protection. If the policy works and the logon script is redundant, there is still no harm in covering your bases.
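The action you pick in the console is stored in the GPO’s SYSVOL XML (Drives.xml for mapped drives, Printers.xml for shared printer connections) as a single letter, so it is easy to audit a GPO for items that were left on Replace after a migration finished, or that still use Create. The script below is an added example written for this post, not code from the original article and not a Microsoft tool. The element and attribute names it reads (Drive, SharedPrinter, Properties, action, path, removePolicy) are my understanding of the GPP file format; the two XML fragments, their paths and uid values are constructed samples.

```python
"""Audit the Create/Replace/Update/Delete action of Group Policy Preferences
drive-map and shared-printer items.

Added example for this post (not the post's or Microsoft's code).  It parses the
Drives.xml / Printers.xml that GPP writes under SYSVOL and reports items that are
still set to Replace (which the post advises switching to Update once a migration
is done) and items set to Create (which never touch an existing object).
"""
import xml.etree.ElementTree as ET

# GPP stores the action as one letter on the Properties element.
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}

# Constructed sample of a Drives.xml, trimmed to the attributes used here.
# Server names and uid values are placeholders, not real objects.
SAMPLE_DRIVES_XML = r"""
<Drives>
  <Drive name="P:" status="P:" uid="{placeholder-uid-1}">
    <Properties action="R" path="\\srv-newfiles\shared" label="Shared" persistent="1" useLetter="1" letter="P"/>
  </Drive>
  <Drive name="H:" status="H:" uid="{placeholder-uid-2}" removePolicy="1">
    <Properties action="R" path="\\srv-newfiles\home" label="Home" persistent="1" useLetter="1" letter="H"/>
  </Drive>
  <Drive name="S:" status="S:" uid="{placeholder-uid-3}">
    <Properties action="U" path="\\srv-newfiles\scans" label="Scans" persistent="1" useLetter="1" letter="S"/>
  </Drive>
</Drives>
"""

# Constructed sample of a Printers.xml: the new connection is Updated, the old
# path is Deleted, matching the migration pattern described in the post.
SAMPLE_PRINTERS_XML = r"""
<Printers>
  <SharedPrinter name="printer" status="printer" uid="{placeholder-uid-4}">
    <Properties action="U" path="\\srv-newprinters\printer" default="1" skipLocal="0" deleteAll="0" persistent="0"/>
  </SharedPrinter>
  <SharedPrinter name="printer" status="printer" uid="{placeholder-uid-5}">
    <Properties action="D" path="\\srv-oldprinters\printer" default="0" skipLocal="0" deleteAll="0" persistent="0"/>
  </SharedPrinter>
</Printers>
"""


def parse_items(xml_text, kind):
    """Return one dict per preference item: kind, console name, action word,
    target path, and whether "Remove this item when it is no longer applied"
    (removePolicy="1" on the item element) is set."""
    root = ET.fromstring(xml_text)
    items = []
    for elem in root:
        props = elem.find("Properties")
        if props is None:
            continue
        items.append({
            "kind": kind,
            "name": elem.get("name", ""),
            # A missing action attribute is treated as Update, the console default.
            "action": ACTIONS.get(props.get("action", "U"), "Update"),
            "path": props.get("path", ""),
            "remove_when_unapplied": elem.get("removePolicy") == "1",
        })
    return items


def audit(items):
    """Return one finding string per item that deserves a second look,
    following the guidance in the post: Replace is a migration-time setting,
    Create is rarely the right choice, Update and Delete need no comment."""
    findings = []
    for it in items:
        label = f"{it['kind']} {it['name']} -> {it['path']}"
        if it["action"] == "Replace":
            if it["remove_when_unapplied"]:
                findings.append(
                    f"{label}: Replace is forced by 'Remove this item when it is no "
                    f"longer applied'; expected, but the object is deleted and recreated "
                    f"on every policy refresh")
            else:
                findings.append(
                    f"{label}: still set to Replace; switch to Update once the "
                    f"migration is complete")
        elif it["action"] == "Create":
            findings.append(
                f"{label}: Create never modifies an existing object; Update gives the "
                f"same result for new objects and can be changed later")
    return findings


if __name__ == "__main__":
    # Point these at <GPO>\User\Preferences\Drives\Drives.xml and
    # ...\Printers\Printers.xml on SYSVOL to audit a real GPO.
    found = parse_items(SAMPLE_DRIVES_XML, "drive") + parse_items(SAMPLE_PRINTERS_XML, "printer")
    for line in audit(found):
        print(line)
```

Run against the constructed samples, the audit reports the P: mapping (Replace left behind after migrating to srv-newfiles) and the H: mapping (Replace forced by the “Remove this item” option), and stays quiet about the Update and Delete printer items.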
An example of a logon script that can destroy connections to network drives and/or network printers (use only when they are permanently offline):
REM The next line deletes the network drive at P:\
net use p: /d
REM The next line removes a printer connection at \\srv-printers\printer
rundll32 printui.dll,PrintUIEntry /q /dn /n "\\srv-printers\printer"