Group Policy Tools
Together with the complexity of Group Policy comes a plethora of tools for administering it.
First, let's summarize the various GUI tools included in WS2003 for managing Group Policy:
Active Directory Users and Computers: This console can be used to create, delete, edit, and link GPOs to domains and OUs.
Active Directory Sites and Services: This console can be used to create, delete, edit, and link GPOs to sites.
Group Policy Object Editor (GPOE): This MMC snap-in is used to edit the settings of existing GPOs, but you can't use it to create a new GPO. This snap-in was named Group Policy in W2K.
Local Security Policy: This console can be used on standalone and member servers to verify the security settings on the local machine.
Domain Controller Security Policy: This console can be used on domain controllers to verify the security settings for the domain controller.
Domain Security Policy: This console can be used on domain controllers to verify the security settings for the domain.
Resultant Set of Policy (RSoP): This MMC snap-in is new to WS2003 and can be used to analyze how GPOs combine to produce effective settings on the local machine. RSoP can run in one of two modes:
Planning mode: Simulates the effect of Group Policy without actually applying it
Logging mode: Obtains the results of Group Policy that have already been applied
The use of two other MMC snap-ins has a bearing on Group Policy:
Security Configuration and Analysis: Analyzes and configures security on the local computer
Security Templates: Defines security templates that can be applied to a GPO to define its security settings
These tools are discussed later in this chapter under Security Templates.
Useful command-line tools for managing Group Policy include gpupdate, which refreshes Group Policy settings (replacing secedit used in W2K), and gpresult, which displays the RSoP settings for a target user on a specified computer. See gpupdate and gpresult in Chapter 5 for more information.
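The two command-line tools above, driven from PowerShell, as an added example that is not from the book: the script refreshes policy on the local machine and then captures a verbose user-scope RSoP report for a target user on a specified computer. It uses only the WS2003/XP-era gpresult switches (/s, /user, /scope, /v); the computer, user, and output folder are placeholders.

```powershell
# Added example: refresh local policy, then record gpresult output for a target user.
# $Computer, $User and $OutDir are placeholders; adjust to your environment.
param(
    [string]$Computer = "SERVER01",      # placeholder target computer
    [string]$User     = "CORP\alice",    # placeholder target user (DOMAIN\user)
    [string]$OutDir   = "C:\RSoP"        # placeholder folder for saved reports
)

# Refresh computer and user policy locally; /force reapplies settings even if unchanged.
gpupdate /force
if ($LASTEXITCODE -ne 0) { Write-Warning "gpupdate exited with code $LASTEXITCODE" }

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$report = Join-Path $OutDir ("rsop-{0}-{1}-{2}.txt" -f $Computer, ($User -replace '\\', '_'), $stamp)

# Verbose user-scope RSoP for the target user on the specified computer, saved for later review.
gpresult /s $Computer /user $User /scope user /v | Out-File -FilePath $report -Encoding ASCII

# Pull out the GPOs gpresult reports as applied so they can be compared with what was expected.
# gpresult prints the section header, a line of dashes, the GPO names, then a blank line.
$lines  = Get-Content $report
$header = $lines | Select-String -SimpleMatch "Applied Group Policy Objects" | Select-Object -First 1
if ($header) {
    $applied = @()
    $i = $header.LineNumber            # LineNumber is 1-based, so this indexes the line after the header
    while ($i -lt $lines.Count -and $lines[$i] -match '\S') {
        if ($lines[$i] -notmatch '^-+$') { $applied += $lines[$i].Trim() }
        $i++
    }
    "Applied GPOs for $User on ${Computer}:"
    $applied
} else {
    Write-Warning "No 'Applied Group Policy Objects' section found; see $report"
}
"Full report written to $report"
```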
The fact that the GUI tools for managing Group Policy aren't well-integrated and have no provision for backing up, exporting, or copying GPOs can make managing Group Policy difficult in a large enterprise environment with multiple domains and sites and a large OU hierarchy. To alleviate this problem, Microsoft has released a new integrated tool for administering Group Policy called the Group Policy Management Console (GPMC). Unfortunately, this tool was developed too late to be included with the Gold Release of the WS2003 product CD, but it is downloadable from Microsoft's web site at www.microsoft.com/downloads/ and is free, provided you comply with the licensing agreement, which requires that you have at least one WS2003 license. Note that you don't have to actually have a WS2003 machine installed; just having a license is sufficient. See the GPMC EULA for details.
The GPMC can be installed on either a WS2003 machine or on a client computer running Windows XP Professional with SP1 or later. Once installed, the GPMC replaces the Group Policy tab of the properties sheet with a domain or OU in Active Directory Users and Computers or with a site in Active Directory Sites and Services. If desired, GPMC can be uninstalled later by rerunning the downloaded GPMC.msi Windows Installer file to restore the original Group Policy tab for these consoles. The new GPMC console can be used to:
Manage GPOs and GPO links for domains, sites, and OUs. The GPMC can also manage Group Policy across multiple forests even if there is no trust relationship between them.
Model and report RSoP in HTML format.
Back up and restore GPOs.
Export and import GPOs.
Copy GPOs.
Perform script operations on GPOs (but not on actual GPO settings).
Manage WMI filters for GPOs. WMI filters let administrators who write scripts for the Windows Management Interface dynamically determine the scope of GPOs based on attributes of the target computer. WMI is an interesting feature, but beyond the scope of this book.
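The backup and scripting capabilities in the list above can be combined, as in this added example (not one of the GPMC sample scripts): it backs up every GPO in a domain through the GPMC COM object model (GPMgmt.GPM), which is the interface the console's scripting support exposes. It assumes GPMC is installed on the machine running it; the domain name and backup folder are placeholders.

```powershell
# Added example: back up all GPOs in a domain via the GPMC COM interface.
# $DomainName and $BackupDir are placeholders; GPMC must be installed locally.
param(
    [string]$DomainName = "corp.example.com",   # placeholder domain DNS name
    [string]$BackupDir  = "C:\GPOBackups"       # placeholder backup location
)

if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
# An empty DC name plus UseAnyDC lets GPMC choose a domain controller for the domain.
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)

# A search with no criteria returns every GPO in the domain.
$criteria  = $gpm.CreateSearchCriteria()
$gpos      = $domain.SearchGPOs($criteria)

$ok = 0; $failed = 0
foreach ($gpo in $gpos) {
    $comment = "Backup of {0} taken {1}" -f $gpo.DisplayName, (Get-Date)
    $result  = $gpo.Backup($BackupDir, $comment)
    # Backup returns a GPMResult; OverallStatus() raises an error if any step failed,
    # and Result holds the GPMBackup object whose ID is needed for a later restore.
    try {
        $result.OverallStatus()
        $ok++
        "Backed up '{0}' ({1}) -> backup ID {2}" -f $gpo.DisplayName, $gpo.ID, $result.Result.ID
    } catch {
        $failed++
        Write-Warning ("Backup of '{0}' failed: {1}" -f $gpo.DisplayName, $_.Exception.Message)
    }
}
"{0} GPO(s) backed up to {1}; {2} failed" -f $ok, $BackupDir, $failed
```

Keep the backup folder on an access-controlled volume: GPO backups contain the full settings of each policy, including any security settings it applies.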
The GPMC isn't used to configure actual GPO settings; this is still done using the Group Policy Object Editor (GPOE) snap-in (see Configure a GPO in Group Policy Tasks).
The hierarchical structure of the GPMC console tree typically looks like this:
Group Policy Management
    Forest: DNS_name_of_forest
        Domains
        Sites
        Group Policy Modeling
        Group Policy Results
The pattern repeats if there are additional forests under the root Group Policy Management node. The four nodes under Forest are described next in detail.
The Domains container displays a flat list of each domain in the forest regardless of its parent domain or tree. The container for each individual domain typically looks like this:
Domain
    GPO links to domain...
    OUs...
    Group Policy Objects
    WMI Filters
At the minimum, the GPO link to the Default Domain Policy is displayed under the Domain node, which displays the domain using its DNS name. Each OU can also contain one or more GPO links to the OU (if there are any), while the Group Policy Objects container holds the actual GPOs created within the domain. Note that GPO links are displayed using shortcut icons to distinguish them from GPO objects.
The Sites container initially can be used to display a flat list of all sites in the forest. By default, however, the Sites container displays nothing when it is selected, since querying Active Directory across the enterprise to determine information about all sites in the forest can take some time if slow WAN links are involved. To make certain sites visible, right-click on the container and select Show Sites. Like domains, all sites are displayed as peers of one another.
This node provides similar functionality to RSoP running in planning mode and lets you simulate or model how Group Policy settings are applied to users and computers without actually applying the settings. Note that this node isn't present if a W2K forest is selected; the node is visible only if the selected forest has at least one WS2003 domain controller present in it; in other words, if the Active Directory schema of the forest is at WS2003 level.
This node provides similar functionality to RSoP running in logging mode and lets you query target users and computers to obtain information about existing Group Policy settings. Note that while this node is present regardless of whether the schema is WS2003 or W2K, the node can display RSoP results only on target computers running either WS2003 or XP.
To see what the GPMC can actually do, see Manage Group Policy Using GPMC in the next section.