Why do Group Policy settings require me to have a degree in philosophy?

Josh points out that Group Policy settings often employ double-negatives (and what's the difference between turning something off and not configuring it)?

Group Policy settings are unusual in that they are there to modify behavior that would continue to exist without them. They aren't part of the behavior but rather a follow-on. Suppose that the default behavior is to do XYZ automatically, but due to requests from corporate customers, a Group Policy is added to alter this behavior. The Group Policy for this might look like this:

Don't do XYZ automatically

The template for boolean Group Policy settings is

Blah blah blah

Consequently, every boolean Group Policy setting is forced into the above format, even if the setting is reverse-sense, as our sample one is. In general, the three settings for a Group Policy mean

Enabled: Change the behavior as described in the title of the group policy.
Disabled: Do not change the behavior and continue with the default behavior.
Not configured: Let somebody else decide.

The difference between Disabled and Not configured is that when you disable a Group Policy, then you're saying "Restore default behavior." On the other hand, if you don't configure a Group Policy setting, then you're saying "I have no opinion about whether this Group Policy should be enabled or disabled, so keep looking, because there might be another Group Policy Object that does express an opinion."

Recall that multiple Group Policy Objects can apply to a specific user. For example, a typical user may be subject to a Local Group Policy, a Non-Administrator Local Group Policy, a series of other Group Policies depending on what security groups the user belongs to, and then a User-Specified Group Policy. You can use the Resultant Set of Policy snap-in to see how all these different Group Policy Objects interact.

The upshot of this is that Group Policy settings often end up using double negatives if the policy is to disable a default behavior. You "Enable" the setting to disable the default behavior, you "Disable" the setting to enable the default behavior, and you leave the setting "Not configured" if you want to let some other Group Policy Object decide. Even when there is a more clever way of wording the options to avoid the double negative, the people who write Group Policy descriptions are so used to double-negatives that it doesn't even occur to them that a particular setting permits an optimization. (Either that, or they figure that system administrators are so used to seeing double-negatives, that when it's not there, they get confused!)
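The three-state lookup described above can be modelled in a few lines, which makes the difference between "Disabled" and "Not configured" visible when two Group Policy Objects disagree. This is an added example, not code from the original post or from Windows: the GPO names, the highest-precedence-first list and the function names are assumptions for illustration, and real Group Policy processing has more rules than this model.

```python
from enum import Enum

class State(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    NOT_CONFIGURED = "Not configured"

# The reverse-sense sample policy from the article.
POLICY = "Don't do XYZ automatically"
DEFAULT = "XYZ is done automatically"
CHANGED = "XYZ is not done automatically"

def resolve(gpos, policy):
    """Return (state, deciding_gpo) for policy.

    gpos is a list of (name, settings) pairs, highest precedence first
    (an assumption of this model). A GPO that is silent or says
    NOT_CONFIGURED has no opinion, so the search keeps looking.
    """
    for name, settings in gpos:
        state = settings.get(policy, State.NOT_CONFIGURED)
        if state is not State.NOT_CONFIGURED:
            return state, name
    return State.NOT_CONFIGURED, None

def effective_behavior(gpos, policy=POLICY):
    """Only ENABLED changes behavior; DISABLED and no opinion leave the default."""
    state, decided_by = resolve(gpos, policy)
    behavior = CHANGED if state is State.ENABLED else DEFAULT
    return state, decided_by, behavior

# Constructed sample GPO stacks (hypothetical names).
LOWER_ENABLES = ("Local", {POLICY: State.ENABLED})
SCENARIOS = {
    "upper has no opinion": [("Domain", {}), LOWER_ENABLES],
    "upper disables": [("Domain", {POLICY: State.DISABLED}), LOWER_ENABLES],
    "nobody configures": [("Domain", {}), ("Local", {})],
}

if __name__ == "__main__":
    for label, gpos in SCENARIOS.items():
        state, decided_by, behavior = effective_behavior(gpos)
        print(f"{label}: {state.value} (from {decided_by}) -> {behavior}")
```

In the second scenario the upper GPO's "Disabled" stops the search and restores the default, whereas in the first its silence lets the lower GPO's "Enabled" take effect.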

Comments (11)
  1. gedoe says:

    They're just all electronics engineers. Those are used to double negatives as (in the old days, I have not kept up I guess it's still true in hardware ports) a nand/nor port was cheaper and faster than an and/or port.

  2. alt-92_ says:

    RSoP.msc is deprecated btw, GPresult (especially on current Windows versions) is much better and less error-prone.

  3. voo says:

    @gedoe Yeah. Also pretty often IOBs or reset signals where a logical true is often represented as a 0.. I'm sure quite confusing for the first time, but alas you get used to it.

  4. Joshua says:

    I'm rather surprised this post was not a lightning rod.

  5. Troll says:

    As alt-92_ points out, RSOP was deprecated (because Microsoft became lazy) in Vista SP1. Now we have to use gpresult. Why are we going back from the GUI to command line, MS needs to un-deprecate it and make it show the full set of configured policies. Also, filtering policies in Group Policy to show those that apply only to a specific product is gone in Windows 7. I can only filter "any" or "all", not "only".

  6. Worf says:

    @von: worse yet are active low flags in software that don't have anything to do with hardware. Complete with 'n' prefix in the name. So you have to set them to FALSE to enable them.

    At least active low signals make a lot of sense electrically (NMOS transistor driving it low which can be made extremely powerful for their size (PMOS are bigger), so signals with large fanouts can have smaller output transistors. Also why you see more open-drain outputs with pullup resistors than open-source with pulldowns. Finally, ground is usually a huge power rail while Vcc isn't, so it's far easier to pull down to ground and not worry about noise or buffers if the ground bounces a bit than pull up and pull the Vcc rail below operating threshold.

    And yes, NAND/NOR are faster gates – CMOS does inversion by default, each input consumes two transistors – an NMOS and a PMOS. AND/ORs add an extra inverter and thus have more gate delay. Plus NAND/NOR are fully describable - you can implement any logic circuit with just NAND or just NOR gates.

  7. Neil says:

    Not forgetting TTL which also had inversion by default, and open collector (analogous to open drain). I think they mostly came in NPN types for similar reasons.

  8. alt-92_ says:

    @ Troll: I'll bite ..

    RSoP.msc is deprecated because it doesn't work with GP Preferences (at all), gave you questionable info and is completely non-interactive.  Gpresult.exe since NT6x is much more refined, exports better and reports (both HTML and XML) are easy to read and really shows all applied policies including Preferences – and if there are no adm(x), it'll present the registry locations.

    Filtering in gpedit.msc works just fine. You're doing it wrong :P

  9. Booker G says:

    Why does the resolution of GetTickCount() vary between 15 and 16ms? Is it a rounding issue?

    Also, is there any reason why the resolution hasn't been selected as 1ms as in other operating systems running on the same system architecture? (not trolling, honest!)

    [As noted elsewhere, improving the resolution to 1ms reduces battery life by 10%. -Raymond]

  10. Joshua says:

    @Booker G: it relates to the old system clocks that ticked a non-integer number of times a second.

  11. Troll says:

    @alt-92_, well then it is their job to *make it work* with GP Preferences instead of abandoning a perfectly good MMC snap-in. And filtering doesn't work as I want in Windows 7 GPO. Let's say I want to only view policies that apply to Vista, not Windows 7, not XP because for those OSes, I have a different set of policies that I want to enforce. Without the "only" option, I can only see ones that apply to "all" or "any" which is not what I want. Of course, alternatively, one can do it using WMI filters in GPMC.
