Enhancing Manageability with Group Policy Management Console



The Group Policy Management Console (GPMC) is the new tool used for configuring and using Group Policy with Windows 2003. After it is installed, the choice to use AD Users and Computers to access and configure Group Policy is removed from the local computer.

The GPMC must be installed on Windows Server 2003 or Windows XP. The GPMC.msi package can be downloaded from the http://www.microsoft.com/downloads Web site. Search for "GPMC.msi" and download the tools. Once installed, it can be found by choosing Start, All Programs, Administrative Tools, Group Policy Management.

The GPMC provides many useful features; some of the most useful will be covered in the following section.

Group Policy Tab

If the Group Policy tab is accessed via ADUC, you are presented with a tab that says, "You have installed the Group Policy Snap-in so this tab is no longer used" and an Open button that opens the GPMC directly.


GPMC

The GPMC can be used to manage Windows 2000 Group Policy as well, but must be run on a Windows XP machine.


GPO Operations: Backup, Restore, Copy, and Import

A crucial improvement in Group Policy is the ability to back up (or export) the data to a file. You can then restore the Group Policy data into the same location. Note that the backup captures only data specific to the GPO itself. Other Active Directory objects that can be linked to GPOs, such as individual WMI filters and IP Security policies, are not backed up, due to complications with restores (the links to WMI filters, however, are backed up and restored). Note also that performing a restore actually restores the original GUID of the GPO. This is useful when replacing a misconfigured GPO or especially one that was deleted.

The importing functionality allows for the importation of exported GPO data into a different location than the one from which it was exported, even to one with which no trust exists. Imports can be done in different domains, across forests, or within the same domain. This is most useful to move a GPO from a test lab into production without having to manually create what was done in the test lab, or, conversely, to update a test lab with the most current GPOs in production.

Copying GPOs is very useful as well. If you have configured a complex GPO on a certain OU and want to duplicate it on other OUs, you need only copy the GPO; the copy process automatically creates a new GPO, which can then be placed in the new location. You don't need to re-create the GPOs manually. This is quicker and also eliminates the possibility of mistakes. Note, however, that the data isn't saved to a file as it is in the backup or export of the GPO data. Trusts must be in effect for cross-domain or cross-forest copies, or the Stored User Names and Passwords utility can be used if no trust exists. Note that copying a GPO requires the right to create GPOs in the target area as well as read access to the source GPO.

Migration Tables

During a cross-domain or cross-forest restore or copy operation, importing the exact configuration settings that exist in the backed-up GPO into the new area might not be the best method. For this purpose, migration tables are useful. A migration table can be used to convert values from a source to values that apply in the new target location or destination. The source and destination mappings can be changed to accommodate any differences in configuration between the two.

Security Principals Must Already Exist

When using a migration table, the security principals specified in the destination areas of the mapping table must already exist in order to import the backed-up GPO.
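A pre-import check for the migration table described above, as an added example that is not from the book or from Microsoft's tooling: it parses a constructed table, flags any mapping that would carry a source value unchanged into the target, and flags destination security principals missing from a list you supply. The XML namespace and element names are assumed to match what the GPMC migration table editor writes, and the `LAB`/`PROD` names and the principal list are hypothetical.

```python
import xml.etree.ElementTree as ET

# Assumed .migtable namespace and element names; not taken from the page.
NS = {"mt": "http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable"}
PRINCIPAL_TYPES = {"User", "Computer", "LocalGroup", "GlobalGroup", "UniversalGroup"}

# Constructed sample: a lab-to-production migration table.
SAMPLE = r"""<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping><Type>GlobalGroup</Type><Source>LAB\GPO Admins</Source>
    <Destination>PROD\GPO Admins</Destination></Mapping>
  <Mapping><Type>User</Type><Source>LAB\svc-deploy</Source>
    <Destination>PROD\svc-deploy</Destination></Mapping>
  <Mapping><Type>UNCPath</Type><Source>\\labfs01\software</Source>
    <DestinationSameAsSource /></Mapping>
  <Mapping><Type>GlobalGroup</Type><Source>LAB\Testers</Source>
    <DestinationNone /></Mapping>
</MigrationTable>"""


def load_mappings(xml_text):
    """Return (type, source, destination) tuples. Destination is the mapped
    value, the source itself (same-as-source), or None (entry dropped)."""
    rows = []
    for m in ET.fromstring(xml_text).findall("mt:Mapping", NS):
        kind = m.findtext("mt:Type", "Unknown", NS).strip()
        src = m.findtext("mt:Source", "", NS).strip()
        if m.find("mt:DestinationNone", NS) is not None:
            dest = None
        elif m.find("mt:DestinationSameAsSource", NS) is not None:
            dest = src
        else:
            dest = m.findtext("mt:Destination", "", NS).strip()
        rows.append((kind, src, dest))
    return rows


def audit(rows, existing_principals, source_domain):
    """Return findings that should block the import into the target."""
    known = {p.lower() for p in existing_principals}
    prefix = source_domain.lower() + "\\"
    findings = []
    for kind, src, dest in rows:
        if dest is None:
            continue  # assumed: "none" removes the entry from the imported GPO
        if not dest:
            findings.append(f"no destination set for {src}")
        elif dest.lower() == src.lower() or dest.lower().startswith(prefix):
            findings.append(f"source value carried into target: {dest}")
        elif kind in PRINCIPAL_TYPES and dest.lower() not in known:
            findings.append(f"missing principal: {dest} (mapped from {src})")
    return findings
```

Call `audit(load_mappings(text), principals, "LAB")` with the list of accounts and groups that exist in the target domain; an empty result means every mapped principal is present and nothing from the source environment is carried over as-is.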


Supporting Group Policy Management Across Forests

The GPMC enables you to easily view and configure Group Policy in multiple forests and domains. The default view shows multiple forests, and you can configure which forests and domains to view and administer from the GPMC. It is not possible to link a GPO from a domain in a forest to another domain in another forest. However, it is possible to configure Group Policies to reference servers in another forest.

By default, a forest can only be managed if a two-way trust exists between it and the forest of the administrator. You can configure it to work with only a one-way trust or no trust at all by choosing View, Options, clicking the General tab, and un-checking Enable Trust Delegation.

If you are supporting Group Policy in a forest with which you don't have a trust, you will need to use the Stored User Names and Passwords tool to access the other forest. Find the tool by choosing Start, Control Panel, User Accounts, Advanced, Manage Passwords in Windows XP or Start, Control Panel, Stored User Names & Passwords in Windows Server 2003. When the tool appears, you will see a screen similar to Figure 6.6.

Figure 6.6. Stored User Names and Passwords tool screen.


HTML Reporting Functionality and the Settings Tab

The Settings tab is a very useful area in the GPMC. You can use it to view the HTML reports on the GPO. These HTML reports state what is configured in the individual GPO. It provides an area to see all the settings, allows for looking easily at the descriptions (the "explain" sections) of the selected objects, and lets you condense and expand the details of the report by clicking on Show All. Additionally, the reports can be saved or printed.

Linking WMI Filters

Linking WMI filters enables you to apply group policies and establish their scopes based on attributes of target computers. A WMI filter queries the WMI settings of the target computer, and the query evaluates to true or false; the group policy is applied based on that result. A "false" on the target computer results in the GPO not being applied. Conversely, a "true" results in the application of the GPO.

Because WMI filters are separate from GPOs, they must be linked to GPOs in the GPO Scope tab to function properly. Only one WMI filter can be applied to each GPO. Additionally, WMI filters will only work on Windows XP and later workstations, not Windows 2000 or before, or non-Microsoft operating systems.

Searching the GPMC for Group Policies

The GPMC enables you to search for specific group policies or data within the GPOs. Data such as permissions, GPO name, linked WMI filters, user configuration contents (what is configured), computer configuration contents, and GPO GUID can be searched for using the granular searching functionality in the GPMC.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
EAN: 2147483647
Year: 2003
Pages: 325
