Why do Group Policy settings require me to have a degree in philosophy?

Raymond Chen


Josh points out that Group Policy settings often employ double-negatives (and what’s the difference between turning something off and not configuring it)?
Group Policy settings are unusual in that they are there to modify behavior that would continue to exist without them. They aren’t part of the behavior but rather a follow-on. Suppose that the default behavior is to do XYZ automatically, but due to requests from corporate customers, a Group Policy is added to alter this behavior. The Group Policy for this might look like this:

Don’t do XYZ automatically

The template for boolean Group Policy settings is

Blah blah blah

Consequently, every boolean Group Policy setting is forced into the above format, even if the setting is reverse-sense, as our sample one is. In general, the three settings for a Group Policy mean

EnabledChange the behavior as described in the title of the group policy.
DisabledDo not change the behavior and continue with the default behavior.
Not configuredLet somebody else decide.

The difference between Disabled and Not configured is that when you disable a Group Policy, then you’re saying “Restore default behavior.” On the other hand, if you don’t configure a Group Policy setting, then you’re saying “I have no opinion about whether this Group Policy should be enabled or disabled, so keep looking, because there might be another Group Policy Object that does express an opinion.”
Recall that multiple Group Policy Objects can apply to a specific user. For example, a typical user may be subject to a Local Group Policy, a Non-Administrator Local Group Policy, a series of other Group Policies depending on what security groups the user belongs to, and then a User-Specified Group Policy. You can use the Resultant Set of Policy snap-in to see how all these different Group Policy Objects interact.

The upshot of this is that Group Policy settings often end up using double negatives if the policy is to disable a default behavior. You “Enable” the setting to disable the default behavior, you “Disable” the setting to enable the default behavior, and you leave the setting “Not configured” if you want to let some other Group Policy Object decide. Even when there is a more clever way of wording the options to avoid the double negative, the people who write Group Policy descriptions are so used to double-negatives that it doesn’t even occur to them that a particular setting setting permits an optimization. (Either that, or they figure that system administrators are so used to seeing double-negatives, that when it’s not there, they get confused!)

Raymond Chen
Raymond Chen

Follow Raymond