Streamline tasks with Group Policy Management Console in Windows Server 2003

How to use the Group Policies console to manage the rights of users and make managing policies much easier

Group Policies provide a powerful and flexible way to manage the user's operating environment and to make sure that all kinds of functions are performed consistently. Although Group Policies management in Windows 2000 is good, the same function in Windows Server 2003 is even more powerful—and it includes a new management console that makes it easier to maintain this service.

Changes in Windows Server 2003
The biggest improvement to Group Policies in Windows Server 2003 is the introduction of the Group Policy Management Console (GPMC), which I'll discuss in a minute. In addition, more than 200 new policy settings are included with the new operating system, resulting in more control over the Control Panel, Remote Assistance, network connections, profiles, and DNS, among other things.

Another significant improvement is the ability for Group Policies to be applied to machines that meet hardware specifications you set. This is possible because Group Policy reporting is tied to Windows Management Instrumentation (WMI). So, for instance, an administrator can push a policy to a machine that has a specified amount of hard drive space or that meets specific RAM requirements.

Introducing the Group Policy Management Console
Windows Server 2003's GPMC centralizes all Group Policy management functions, including backup and restore of Group Policy objects, import and export capability of Group Policy objects, and resultant set of policy reporting. By combining functions from a number of tools, such as Active Directory Users And Computers, Active Directory Sites And Services, the Resultant Set Of Policy snap-in, and the Delegation Wizard, the GPMC eliminates the need to go to a bunch of locations to perform common tasks.

The GPMC can manage both Windows 2000 and Windows Server 2003 domain controllers, but the console must be installed on either Windows Server 2003 or Windows XP SP1. If it is installed on Windows XP SP1, Windows XP QFE Q326469 and the .NET Framework must also be installed.

The GPMC is available for download from Microsoft's Group Policy site. The download is called gpmc.msi, and you can start the installation just by double-clicking the file. Installation is quick and easy, consisting of only a couple of screens, including a license agreement. After installation, you can launch the GPMC at Start | Administrative Tools | Group Policy Management. Figure A shows the GPMC window.

Figure A
The Group Policy Management Console

Using the GPMC
Using the GPMC is easy, but you should have an understanding of how Group Policies work, lest you push out a policy that creates a problem. The left-hand window provides most of the navigation you need to modify parts of the Group Policy.

GPMC can manage multiple forests. To add a forest, right-click on Group Policy Management and select Add Forest from the shortcut menu. You'll be prompted for the name of the forest.

Modify the default policy
The default policy can be modified by expanding the forest option and selecting Domains followed by the name of your domain. In my example, the domain is named, appropriately enough, Under the name of your domain, you'll find an option for the Default Domain Policy. Click on this to view the details for this policy, as shown in Figure B.

Figure B
Overall details for the Default Domain Policy

To edit the policy, right-click on it and choose Policy. This will launch the Group Policy Object Editor with the selectedobject as the target. Figure C shows an example.

Figure C
The GPMC launches other Group Policy tools as needed.

Instead of completely replacing other Group Policy tools, the GPMC supplements them by providing a single point of initial administration. When there is a better tool to perform a specific task, the GPMC launches it.

Filtering by system specifications
As I mentioned earlier, Group Policy is tied to WMI, which enables you to enforce a policy based on system hardware specifications. At the bottom of Figure B, notice the section labeled WMI Filtering. In that screen shot, no WMI filter is linked to the Group Policy object. And since this is a new domain, no WMI filters have been specified yet. To create one, right-click on WMI Filters in the left pane and select New from the shortcut menu. This will present you with a window on which you can specify the parameters required to create the new filter. In Figure D, I have provided a name and description for a new filter.

Figure D
Create a new WMI filter.

To add a new WMI query, click the Add button. The resulting window asks for two pieces of information—the namespace to use and the query. Most WMI information is gleaned from the root\CIMv2 name space. To create a filter that targets Windows XP Professional machines, use the query Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" (Figure E). Click the Save button when you finish.

Figure E
A new WMI query

To use the new filter with a GPO, click the down arrow in the WMI Filtering section of the Group Policy Object Details window and select it. As an example, I added my new filter to the default domain policy. Then, I clicked the option for the new filter in the left-hand window under WMI filters. In Figure F, you can see that this results in detailed information about that particular filter, including the query and the GPOs it's linked to.

Figure F
WMI filter details

Resultant Set of Policy (RSoP)
Group Policies can be pretty complex and can confuse even the most experienced administrator. This is especially true when you're trying to figure out what is going to happen when a number of policies are applied. Fortunately, the GPMC's Group Policy Results Wizard makes this determination easier.

To start the wizard, right-click on Group Policy Results in the navigation pane and select Group Policy Results Wizard from the shortcut menu. The first screen, shown in Figure G, asks you to specify which computer the wizard should report on.

Figure G
Select the computer to use for the wizard.

You can choose to limit the wizard results to a specific set of users, as shown in Figure H. For this example, I'll report on the current user, which is Administrator.

Figure H
Select the users to report on.

The last screen of the wizard, shown in Figure I, provides a summary of your selections. When complete, the results of the wizard are available under the Group Policy Results option in the navigation pane of the GPMC.

Figure I
Results of the RSoP wizard

You can see in Figure I that this wizard provides a comprehensive view of the specified user, indicating which GPOs are applied and the reasons that other GPOs might not be applied. For example, the Default Domain Policy is not applied because the WMI filter applying the policy to just Windows XP Pro machines failed, since the user is currently logged into a Windows Server 2003 machine instead.

A definite improvement over Windows 2000
The Group Policies console offers a great way to manage the rights of users in your organization, but their complexity and the number of tools they require can make them confusing and difficult to manage. New features for Group Policies in Windows Server 2003 domains, such as the ability to tie a Group Policy to a WMI filter, make managing policies much easier. The GPMC consolidates Group Policy maintenance into a single management entity and provides valuable tools, such as the Group Policy Results Wizard, that make group policies even more powerful than before.

Editor's Picks

Free Newsletters, In your Inbox