See how to use the Group Policy Management Console to simplify the administration of Group Policies, especially in Windows Server 2003.
Managing Group Policies in Windows has typically required a bit of a juggling act, especially in large corporate environments with a complex Active Directory (AD) structure. But those days are gone, thanks to a free tool Microsoft has made available for download—the Group Policy Management Console (GPMC).
Without GPMC, you have to employ a variety of different tools—such as Active Directory Users And Computers, AD Sites And Services, Access Control List Editor, the Resultant Set of Policy (RSoP) snap-in, and Delegation Wizards—to tame the many-headed beast of Group Policies in Active Directory. GPMC brings the functionality of all those tools neatly together into a single, powerful management console that enables you to manage multiple domains and forests with ease, thanks to a unified interface.
What GPMC can do
In addition to the features mentioned above, GPMC has the ability to backup and restore Group Policy objects (GPOs); import/export and copy/paste GPOs and Windows Management Instrumentation (WMI) filters; provide HTML reporting of GPO settings and RSoP data. What's more, most of these operations are scriptable. Using these operations, you can plan, create, test, and migrate Group Policies.
GPMC can be used to manage Windows Server 2003 and Windows 2000 domains. Of course, Active Directory must already be enabled. The GPMC console itself can be installed on a workstation running Windows Server 2003, Windows XP Professional with Service Pack 1 (plus an additional post-SP1 hot fix that is included with GPMC), and the Microsoft .NET Framework. GPMC does not, however, run under Windows 2000. Also, in terms of the license, you must have at least one copy of Windows 2003 running on your network (or have one license of Windows Server 2003 available).
Let's take a look at the unified management console (Figure A) in GPMC, which is the most important aspect of the tool.
Until now, a GPO's strength—an orderly, categorized collection of layer upon layer of settings—was also its weakness, because there was no easy way to get a bird's eye view of the policy settings. If this was a problem with one GPO, the problem became compounded by the number of GPOs you had to manage and keep track of.
With GPMC that has changed. For an overview of a GPO's settings (called reporting), expand Group Policy Objects and select the GPO (Figure B).
In the right-hand pane, under the Settings tab, click on Show All at the top right. A summary of the GPO's settings will be displayed as an HTML report. This report can be generated by any user with read access to the GPO. Previously, users required read and write permissions to the GPO to open it. Why the change? This makes things easier for certain categories of users who need to see but not edit GPO settings, such as helpdesk technicians or administrators troubleshooting a Group Policy issue.
With GPMC you now also have the ability to save all the settings in a GPO to a file for printing or viewing. Just right-click the desired category or categories that you've opened, and select Print or Save report from the context menu. Reports can be saved to a file as either HTML or XML. To view a saved report directly in a Web browser, you need Internet Explorer 6 or Netscape 7. You can also generate similar reports for Group Policy Modeling and Group Policy Results (more about these later).
GPMC will provide you with just as simplified an overview of the net effect of all your GPOs using Group Policy Results, formerly known as the Resultant Set of Policy tool.
Can't see the forest through the trees? GPMC allows you to list only the forests and domains you wish to see. Simply right-click the forest or domain node and select Remove. Getting forests back (or adding more) is as easy as right-clicking Group Policy Management and selecting Add forest.
By default you can only add a forest to GPMC if there is a two-way trust with the forest of the user running GPMC. You can, however, get GPMC to work with only one-way trust or even no trust, but I won't go into the details here.
As you probably noticed, a forest has four subnodes: Domains, Sites, Group Policy Modeling, and Group Policy Results. The Group Policy Modeling node (the new name for the Resultant Group Policies in Planning node) will only be visible in a forest that has the Windows Server 2003 schema for Active Directory. You will also need at least one domain controller running Windows Server 2003 if you want to perform a Group Policy Modeling analysis.
Where have all the sites gone? The Sites node is initially empty. Right-click on it and select Show Sites for your sites to appear. The absence of sites is "to speed up console performance by not enumerating a potentially large number of sites in the forest, unless explicitly requested by the user", according to Microsoft.
Both the Group Policy Modeling node and the Group Policy Results node give you access to the RSoP. The former is a powerful new feature enabling you to simulate the effect of policy settings for planning purposes. You can simulate the effect of policies for any user and computer in a forest. The Group Policy Results node provides you with the actual resultant set of policies for users and computers.
Group Policy Results is only available for computers running Windows XP or Windows Server 2003. But although you cannot obtain Group Policy Results data for a Windows 2000 computer, you can simulate the RSoP data using Group Policy Modeling.
Although GPMC, by default, uses the same domain controller for all operations in that domain, you can choose which domain controller to use for each domain, as well for all sites in a forest. You have a choice between the PDC emulator, any available DC, any available DC running Windows Server 2003 (useful if you are restoring a deleted GPO containing Group Policy software installation settings), or any DC you specify. To choose a DC, right-click the domain node and select Change Domain Controller. To choose a DC for operations on sites, right-click the Sites node and click Change Domain Controller.
Microsoft warns that it is important to consider the choice of domain controller in order to avoid replication conflicts. "This is especially important to consider since GPO data resides in both Active Directory and on SYSVOL, and two independent replication mechanisms must be used to replicate GPO data to the various domain controllers in the domain. If two administrators are simultaneously editing the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency. To avoid this situation, GPMC uses the PDC emulator in each domain as the default to help ensure that all administrators are using the same domain controller. However, it may not always be desirable to use the PDC. For example, if the administrator resides in a remote site, or if the majority of the users or computers targeted by the GPO are in a remote site, then the administrator may want to choose to target a domain controller at the remote location. It's important to note that if multiple administrators manage a common GPO, it is recommended that all administrators use the same domain controller when editing a particular GPO, to avoid collisions in File Replication Services (FRS)." This comes from the Microsoft White Paper "Administering Group Policy with the GPMC."
There are various ways you can create GPOs using the GPMC:
- Right-click any domain or Organization Unit (OU) and choose Create and Link. As the option implies, you can then simultaneously create a new GPO and link it to the domain or OU.
- Right-click Group Policy Objects and click New to create a new unlinked GPO.
- Use a script, like the sample script called CreateGPO.wsf, included in GPMC.
- Copy the GPOs.
Once you have created the GPOs, you have to define settings. To do so (as you did up to now using the Group Policy snap-in, Group Policy Editor, or GPedit), merely right-click a GPO and choose Edit.
Applying a GPO (referred to as "scoping the GPO") to users and computers by linking it to a site, domain, or OU is easy using GPMC.
GPOs can be applied to sites, domains, and OUs. These GPO targets have often been referred to as SDOU, but the preferred term now is Scope of Management, or SOM.
Here are the ways you can link a GPO to SOMs:
- Right-click a domain or OU node, and choose Create and Link a GPO here.
- Right-click a site, domain, or OU node, and choose Link an existing GPO here.
- Drag a GPO from under the Group Policy objects node to the OU (you can only drag-and-drop within the same domain).
If you need to specify new locations in which to place new user accounts, new computer accounts, or both, Windows Server 2003 has two new tools for the job. Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) can be found in the %windir%\system32 directory of a WS2K3 system.
GPO security filtering
GPMC simplifies security filtering for a GPO. Security filtering refers to managing permissions on a GPO. You can employ this to further help you determine which users and computers will receive the settings in a GPO. For a GPO to apply to a user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO.
Up to now, you had to use the ACL editor to set the Read And Apply Group Policy permissions for users, computers, and groups if you wanted to change the scope of a GPO. With GPMC, all you have to do is add or remove security principals (users, computers, groups) in the security filtering section under the Scope tab for the GPO or the GPO link. The Read and Apply Group Policy permissions for the relevant security principal is then automatically set or removed.
Group Policy inheritance
You can also use GPMC to see the effect of Group Policy inheritance. Just select the container and choose the Group Policy Inheritance tab in the details pane. All the GPOs for the selected container will be shown that would be inherited from parent containers (except for GPOs linked to sites). Note the Precedence column. It shows the order of precedence for all the links that would be applied to objects in this container.
To block inheritance, right-click on the GPO link and deselect Enforced. You can also set a GPO link to Enabled (again, right-click the link and select Enabled from the drop-down menu) to allow it to be processed.
A new feature of Windows Server 2003 and Windows XP is WMI Filters, which enable you to dynamically determine the scope of GPOs based on attributes of the target computer. As Microsoft says, "This provides the administrator with the potential to dramatically extend the filtering capabilities for GPOs well beyond the previously available security filtering mechanism."
To create WMI Filters, right-click either the WMI Filters container or the Contents pane for this node and select New.
There are three ways to link such a filter to a GPO:
- On the Scope tab of the GPO, use the WMI Filter drop-down to select a WMI Filter to link to the GPO.
- On the General tab of a WMI Filter, right-click the GPOs that use this WMI Filter section and select Add.
- Drag a WMI Filter onto a GPO.
Because there is too much detail about GPO operations—the ability to backup (export), restore, import, and copy GPOs—to cover in this article, I will focus on one aspect here: the ability for planning, creating, testing, and migrating group policies.
Using a test environment closely resembling the AD structure of your production environment, you can test and validate changes to your policy deployment. Once you're happy with the result, you can import and/or copy the GPOs to the production environment.
To help you set up a test environment that closely resembles the production environment, Microsoft has provided two sample scripts:
- CreateXMLFromEnvironment.wsf – As Microsoft states: "This script uses the information in a live domain to generate an XML file and a set of GPO backups that represent the policy information for that domain. The XML file captures information such as OU structure, groups and users, GPOs and the settings contained in them, links to GPOs, security on GPOs, and WMI filters. By running this script against a production domain, you can capture the essential policy information for that domain for later re-use."
- CreateEnvironmentFromXML.wsf – "This script populates a domain with policy information such as OU structure, groups, and users, GPOs and the settings contained in them, links to GPOs, security on GPOs, and WMI filters using an XML file and a set of GPO backups referenced in the XML. The XML file required as the input for this script can be generated using the previous script. By using this second script in conjunction with the XML file previously generated, you can replicate the contents of one domain to another."
For details on using these scripts, see the chapter "Staging Group Policy Deployments" in the Windows Server 2003 Deployment Kit.
This tutorial has walked you through the details of using the Group Policy Management Console (GPMC) to streamline the creation and deployment of Group Policies. This article has also explained several caveats that you need to be aware of when working with the GPMC and Group Policies. All in all, most administrators should be happy to have the GPMC to simplify Group Policy management.