Group Policy, Active Directory, and the GPMC

Windows 2000 administrators already somewhat familiar with Group Policy will tell you that finding what you need and understanding what's going on under the hood can sometimes be confusing. The interface used to create, modify, and manipulate Group Policy in Windows 2000 has led to numerous missteps and head scratching when people try to figure out why something isn't going the way it should.

Occasionally, Microsoft has recognized that the first iteration of a product release has missed the mark a little in the way the product works, acts, or interfaces. They often request additional customer feedback, embrace it, regroup, and return a "2.0 version" of the product.

To make optimal use of Group Policy in an Active Directory environment, the Group Policy team at Microsoft introduced a free, downloadable "2.0 version" for managing Group Policy in Active Directory. It's called the Group Policy Management Console, or GPMC, as mentioned earlier. The GPMC isn't part of the Windows 2000, Windows 2003, or Windows XP operating systems; you need to fetch it and install it.

Kickin' it Old-School

Out of the box, Windows 2000 and Windows 2003 domains use the old-style GPMC interface. If you've never seen the old-style interface, you can do so right now before we leave it in the dust for the new GPMC in the next section.

To see the old-style interface and create your first GPO at the domain level, follow these steps:

  1. Log on to the Domain Controller WINDC01 as Domain Administrator.

  2. Choose Start > Programs > Administrative Tools and select Active Directory Users And Computers.

  3. Right-click the domain name and choose Properties from the shortcut menu, as shown in Figure 1.3, to open the Properties dialog box for the domain.

  4. Click the Group Policy tab.

    Tip 

    There is a "Default Domain Policy" GPO, but you won't modify it at this time. (I'll talk about it in Chapter 6.) As I'll discuss, it is not recommended that you modify the "Default Domain Policy" GPO for regular settings.

  5. Click the New button to spawn the creation of your first GPO.

  6. For this first example, type My First GPO, as shown in Figure 1.4.

  7. Highlight the policy, and click Edit to open the Group Policy Object Editor.

Figure 1.3: Right-click the domain name and choose Properties.
Figure 1.4: You've just created your first GPO in Active Directory.

At this point, things should look familiar, just like the Local Group Policy Object Editor, with the user and computer nodes. For example, if you drill down into the Administrative Templates folder in the User Configuration folder, you can make a wish at the domain level, and all your computers will obey.

For now, don't actually make any changes; just close the Group Policy Object Editor and read on.

GPMC Overview

The GPMC is a tool you download from Microsoft for free, which can then be loaded on Windows XP or Windows 2003 client machines. Once loaded, the GPMC provides a one-stop shop for managing nearly all aspects of Group Policy in your Active Directory. Again, it doesn't matter if your Active Directory or domains are Windows 2000 or Windows 2003; it just matters that you have Active Directory.

Why Abandon Old School?

In Figure 1.4, we were able to create our first GPO (even though we didn't actually place any policy settings in there). The interface seems reasonable enough to take care of such simple tasks. And, heck, this interface is already part of the operating system, so why move away from it?

The old-school way of viewing and managing Group Policy just isn't scalable over the long haul. This interface doesn't show us any relationship between the GPO we just created and the domain it's in. As you'll see in this chapter, the new interface demonstrates a much clearer relationship between the GPOs you create, the links it takes to use them, and the domains where the GPOs actually "live."

The old-style interface also provides no easy way to figure out what's going on inside the GPOs you create. To determine what changes are made inside a GPO, you need to reopen each GPO and poke around. I've seen countless administrators open each and every GPO in their domain and manually document their settings on paper for backup and recovery purposes.

Indeed, backup and recovery is a really, really big deal, and the old-school mechanism (via NTBACKUP) provided no realistic way to back up and recover GPOs without copious amounts of surgery.

With that in mind, I encourage all of you, those currently using the original Windows 2000 old-school way (and those who haven't even yet been to school), to step up and try the new way of doing things, the GPMC.

Throughout this chapter and the book, I'll give you pointers about what to do if you're still stuck on working with the old-school way of doing things. However, there's little reason to stay old school when the new way has so much to offer. Did I mention that the GPMC is free? (Yes, Jeremy, about 10 times already.)

It's my hope that those of you already familiar with Group Policy will use the examples in this chapter to get comfy with the new GPMC interface. Also, if you're totally new to the concept of Group Policy, I hope you'll keep your eyes forward and don't look back to the old-school way.

Microsoft has made it quite clear that their direction for all future Group Policy efforts, including white papers, TechNet articles, paid phone support, free newsgroup support, Microsoft Official Curriculum, and even future MCSE/MCSA (Microsoft Certified Systems Engineer/ Microsoft Certified Systems Administrator) exams, will be geared with a heavy eye toward the use of the GPMC.

Basically, the GPMC is here to stay; we need to get up to speed with it and embrace it. The good news is that it's quite pleasant to work with and it's powerful to boot. The best news is that it only takes one Windows XP machine to load the GPMC, and it can be used with both Windows 2000 Active Directory and Windows 2003 Active Directory domains.

So enough yakkin' already about the virtues of the GPMC. Let's get going already!

Note 

Even though you cannot load the GPMC on a Windows 2000 Domain Controller or a Windows 2000 Professional machine, it's still capable of controlling Windows 2000 domains. Again, the idea is to simply load the GPMC on just one Windows XP machine in your Windows 2000 domain, and you'll be in good company managing your Windows 2000 Active Directory.

The GPMC's name says it all. It's the Group Policy Management Console. Indeed, this will be the MMC snap-in that you use to manage the underlying Group Policy mechanism. The GPMC just helps us tap into those features already built into Active Directory. I'll highlight the mechanism of how Group Policy works throughout the next three chapters.

One major design goal of the GPMC is to get a Group Policy-centric view of the lay of the land. Compared with the old interface, the GPMC does a much better job of aligning the user interface of Group Policy with what's going on under the hood.

The GPMC also provides a programmatic way to manage your GPOs. In fact, the GPMC scripting interface allows just about any GPO operation (other than to dive in and create or modify actual policy settings). We'll explore scripting with the GPMC in Chapter 7. So, if you're interested in scripting, you'll need to have the GPMC bits loaded on the XP systems you want to script.
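The backup-and-documentation problem described earlier (administrators reopening every GPO and writing its settings down on paper) is exactly the kind of job the GPMC scripting interface is meant for. The following is an added example, not code from the book or from the GPMC itself: it drives the GPMC COM object (GPMgmt.GPM) from PowerShell to back up every GPO in the domain and write an HTML settings report beside each backup. The domain name and backup folder are placeholder assumptions, and the GPMC must be installed on the machine running the script.

```powershell
# Added example (not from the book): back up every GPO in the domain and write an
# HTML settings report for each, via the GPMC COM interface (GPMgmt.GPM).
# Assumed: the GPMC is installed here, the caller may read and back up the GPOs,
# and these two placeholder values are replaced with real ones.
$DomainName = "corp.example.com"   # placeholder: your domain's DNS name
$BackupRoot = "C:\GPOBackups"      # placeholder: folder for backups and reports

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
# UseAnyDC lets the GPMC pick a Domain Controller for us
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)

# An empty search criteria object matches every GPO in the domain
$allGpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())

# One time-stamped folder per run, so old backups are never overwritten
$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null

foreach ($gpo in $allGpos) {
    Write-Host ("Backing up '{0}' ({1})" -f $gpo.DisplayName, $gpo.ID)
    try {
        # Backup() returns a GPMResult; .Result is the GPMBackup that was created.
        # OverallStatus() raises an error if the operation reported any failures.
        $result = $gpo.Backup($target, "Scripted backup $stamp")
        $result.OverallStatus() | Out-Null
        $backup = $result.Result

        # A readable HTML report of the settings, so nobody has to poke around
        # inside each GPO by hand to document it. The file is named after the
        # GPO's GUID because display names need not be unique.
        $reportPath = Join-Path $target ("{0}.html" -f $gpo.ID.Trim('{', '}'))
        $gpo.GenerateReportToFile($constants.ReportHTML, $reportPath).OverallStatus() | Out-Null

        Write-Host ("  backup id {0}, report {1}" -f $backup.ID, $reportPath)
    }
    catch {
        # Keep going: one failed GPO should not abort the whole backup run
        Write-Warning ("  FAILED for '{0}': {1}" -f $gpo.DisplayName, $_.Exception.Message)
    }
}
```

A GPMC backup captures the GPO's settings and its security descriptor, but not the links that attach it to sites, domains, or OUs, so keep the HTML reports (which list the links) with the backups if you may need to rebuild them.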

You'll load the GPMC on the same machines that you use to manage your current Group Policy universe. Some people walk up to their Domain Controllers, log on to the console, and manage their Group Policy infrastructure there. Others use a management workstation and manage their Group Policy infrastructure from their own Windows XP workstations. In either case, to use the GPMC, you'll need to load the GPMC installation software (and the prerequisites) on the machines on which you want this sexy new view to appear. GPMC will only load on Windows XP/SP1 (or greater) and Windows 2003 machines (Domain Controllers and member servers) as discussed in the next section.

Tip 

I'll talk more about the use and best practices of a Windows XP management workstation in Chapter 5.

Installing the GPMC

As I mentioned, the GPMC isn't part of the standard Windows 2003 or Windows XP package out of the box. You can, however, download it for free from www.microsoft.com/grouppolicy . Click the link for the Group Policy Management Console to locate the download.

Once it's downloaded, the GPMC is called GPMC.MSI. You can install this on either Windows 2003 or Windows XP with at least SP1, but nothing else. That is, you cannot load the GPMC on Windows 2000 servers or workstations; but, as I noted before, the GPMC can manage Windows 2000 domains with Windows 2000 and Windows XP clients as well as Windows 2003 domains with Windows 2000 or Windows XP clients.

The Original GPMC versus the GPMC with SP1

The GPMC you can download today is called "GPMC with SP1." And it's all good. Not just because of the minor bug fixes, but because of the licensing agreement the GPMC with SP1 provides.

The original GPMC license stipulated that the GPMC was to be loaded only on machines with at least one license of Windows 2003 server on record. However, with GPMC with SP1, that licensing restriction has been lifted. GPMC with SP1 can be used to manage domains without any Windows 2003 servers and without any Windows 2003 Client Access Licenses (CALs).

Therefore, for shops with only Windows 2000, the only requirement is that you have but one Windows XP machine (with at least Service Pack 1) with which to load the GPMC and manage your Active Directory and Group Policy. Oh, and, of course, that one Windows XP client needs a CAL. And that's it.

Note 

If you will use the GPMC to manage Windows 2003 domains, all the functionality of the tool is present. If you will use the GPMC to manage Windows 2000 domains, some functionality will not be present. Windows 2003 Active Directory contains several new Group Policy features that Windows 2000 domains cannot use. I'll explicitly explain those features that are not accessible within Windows 2000 domains as they come up. These features are largely explored in Chapter 3.

Warning 

Additionally, if you have any remaining Windows 2000 Domain Controllers, you should have at least SP2 and preferably SP3 applied to them. This is because most Windows 2003 tools, including the GPMC, use LDAP (Lightweight Directory Access Protocol) signing for all communication. For more information, see the Microsoft Knowledge Base article 325465, "Windows 2000 Domain Controllers Require SP3 or Later When Using Windows Server 2003 Administration Tools."

Installing the Prerequisites and GPMC Manually

Installing the GPMC does require certain prerequisites, which must be loaded in the order listed here.

Loading the GPMC on Windows XP

If you intend to load the GPMC on a Windows XP machine to manage Group Policy in your domain, follow these steps:

  1. The Windows XP Service Pack 1 is required. If you are unsure whether SP1 (or later) is installed, run the WINVER command, which will tell you whether a service pack is installed. So, if your Windows XP system doesn't have at least SP1 installed, you should install it.

  2. The GPMC requires the .NET Framework to run properly. If it's not installed, you'll need to download and install it. At last check, the .NET Framework download was at http://msdn.microsoft.com/netframework/downloads/updates/default.aspx (shortened to http://tinyurl.com/ekc7). If it's not there, search the Microsoft site for ".NET Framework."

    After downloading .NET Framework, double-click the install to get it going on your target Windows XP/SP1 (or greater) machine. It isn't a very exciting or noteworthy installation.

  3. To install the GPMC, double-click the GPMC.MSI file you downloaded. If you're running Windows XP with SP1, the GPMC installation routine will report that a hotfix (also known as a QFE) is required and then proceed to automatically install the hotfix on the fly. This hotfix (Q326469) is incorporated into Windows XP's SP2. So, if you are installing on a Windows XP/SP2 machine, you won't be asked to install it.

Loading the GPMC on a Windows 2003 Domain Controller

If you intend to load the GPMC on a Windows 2003 Domain Controller or a member server, there are just a couple of things to do:

  1. Although there aren't any Windows 2003 prerequisites, it's a good idea to install the latest version of the .NET Framework and the latest version of Windows 2003.

  2. To install the GPMC, double-click the GPMC.MSI file you downloaded.

Installing the Prerequisites and GPMC via Group Policy Software Distribution

In Chapter 10, you'll learn how to automate your software distribution with Group Policy. Here, however, is a quick reference for how to perform automated installations of the GPMC and its prerequisites. Again, recall that you can load the GPMC only on Windows XP and Windows 2003 machines.

The .NET Framework 1.1 or later must be installed on all target Windows XP machines intended to use the GPMC. And there's no penalty for loading it on Windows 2003 target machines. Download the Redistributable Package (from the Microsoft link described above), expand its contents, and assign the NETFX.MSI to the Windows XP (and/or Windows 2003) machines on which you intend to load the GPMC.

You'll find an expanded discussion on how to deploy the .NET Framework via Group Policy Software Distribution (and also Microsoft SMS) at http://tinyurl.com/458zj and, even more specifically, http://tinyurl.com/772u6 .

You can also assign the GPMC.MSI file itself to either Windows XP or Windows 2003 machines, whether member servers or Domain Controllers.

You'll perform the magic in three steps: You'll need to create two GPOs (one that deploys the .NET Framework and another that deploys the GPMC). Then you'll need to order the GPOs so that the .NET Framework is deployed first. You need to ensure that the GPO which deploys the .NET Framework is set with the highest priority in the link order (confusing, I know). Stay tuned; we talk about ordering and prioritization of GPOs in Chapter 2.
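The ordering requirement above (the .NET Framework GPO must have the highest priority in the link order) is easy to get wrong by hand. As an added example that is not from the book, the following uses the GPMC COM interface from PowerShell to create the two GPOs, link them to a target OU, and pin the .NET Framework GPO at link order 1. The software packages themselves still have to be added in the Group Policy Object Editor, since the scripting interface does not edit policy settings; the domain name and OU distinguished name are placeholder assumptions.

```powershell
# Added example (not from the book): create the two deployment GPOs, link both to
# an OU, and make the .NET Framework GPO highest priority (link order 1).
# The software packages are still added in the Group Policy Object Editor.
# Assumed placeholder values; replace with your own domain and OU.
$DomainName = "corp.example.com"                                       # placeholder
$TargetOU   = "OU=Management Workstations,DC=corp,DC=example,DC=com"   # placeholder DN

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($DomainName, "", $constants.UseAnyDC)
# The OU, addressed as a Scope of Management (SOM), is what GPOs get linked to
$ou        = $domain.GetSOM($TargetOU)

function New-NamedGpo([string]$name) {
    # CreateGPO() makes an empty GPO named "New Group Policy Object"; rename it
    $gpo = $domain.CreateGPO()
    $gpo.DisplayName = $name
    return $gpo
}

$netGpo  = New-NamedGpo "Deploy .NET Framework"
$gpmcGpo = New-NamedGpo "Deploy GPMC"

# Link the GPMC GPO at the end of the list (-1), then insert the .NET Framework
# GPO at position 1 so it outranks every other GPO linked to this OU.
$ou.CreateGPOLink(-1, $gpmcGpo) | Out-Null
$ou.CreateGPOLink(1,  $netGpo)  | Out-Null

# Read the links back: a lower SOMLinkOrder number means higher priority
foreach ($link in $ou.GetGPOLinks()) {
    $linked = $domain.GetGPO($link.GPOID)
    "{0,2}  {1}" -f $link.SOMLinkOrder, $linked.DisplayName
}
```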

Upgrading from NT 4.0 to Windows 2000, Windows 2003, or Windows 2003 SP1: Cleaning Up Old GPOs

After you run the GPMC, you may be prompted to "clean up" older GPOs the first time you touch one. You should do so. Under the hood, the GPMC is adjusting some key security descriptors in Active Directory.

The precise error message you'll get is "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK."

By allowing this, you can do some fancy footwork later, as you'll see in the section "Advanced Security and Delegation with the GPMC" in Chapter 2. You will only see this message if your Windows 2000 PDC-Emulator domain was upgraded from anything prior to SP4.


The Results of Loading the GPMC

After the GPMC is loaded on the machine from which you will manage Group Policy (the management workstation), you'll see that the way you view things has changed. If you take a look in Active Directory Users And Computers (or Active Directory Sites And Services) and try to manage a GPO, you'll see a curious link on the existing Group Policy tab (as seen in Figure 1.5).

Figure 1.5: The Group Policy tab now refers you to the GPMC and provides a link.

Additionally, you'll see a Group Policy Management icon in the Administrative Tools folder in the Start Menu folder.

Creating a One-Stop Shop MMC

As you'll see, the GPMC is a fairly comprehensive Group Policy management tool. But the problem is that right now, the GPMC and the Active Directory Users And Computers snap-ins are not integrated beyond what you see in Figure 1.5.

Often, you'll want to change a Group Policy on an OU and then move computers to that OU. Unfortunately, you can't do so from the GPMC; you must return to Active Directory Users And Computers to finish the task. This can get frustrating quickly. The GPMC does allow you to right-click at the domain level to launch the Active Directory Users And Computers console when you want, but I prefer a one-stop shop view of my Active Directory management. It's a matter of taste.

To that end, my preference is to create a custom MMC by running MMC from the Run dialog box and then adding in both the Active Directory Users And Computers and Group Policy Management snap-ins, as shown here.


Now, you'll really have a near-unified view of most of what you need at your fingertips. Both Active Directory Users And Computers and the GPMC can create and delete OUs. Both tools also allow administrators to delegate permissions to others to manage Group Policy, but that's where the two tools' functionality overlap ends.

The GPMC won't show you the actual users and computer objects inside the OU; so deleting an OU from within the GPMC is dicey at best, because you can't be sure of what's inside!

You can choose to add other snap-ins too, of course, including Active Directory Sites And Services or anything else you think is useful. The illustrations in the rest of this book will show both snap-ins loaded in this configuration.


You can launch the GPMC from either the new link in Active Directory Users And Computers (or Active Directory Sites And Services) or directly from the new icon in the Start Menu. However, clicking Open in the existing tools has a slight advantage: it tells the GPMC to "snap to" the location in Active Directory on which you are currently focused.


Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
Year: 2005