6.3. Group Policy Management Tools

Before we get much further into the chapter, it's important to introduce some alternative management tools that will be used throughout the remainder of the book to administer GP. Although the Group Policy Object Editor you access from within Active Directory Users and Computers is sufficient for managing a small- to medium-size deployment with a few GPOs, it is woefully inadequate at managing a large-scale GP deployment in a bigger organization. To answer this need, Microsoft created the Group Policy Management Console (GPMC) and released it just after Windows Server 2003 was released to manufacturing; this is why the GPMC isn't included on the Windows Server 2003 distribution CD, at least at the time of this writing. (More about this tool is coming up in the next section.) Also, several third-party tools are available to assist you in managing GPOs, their scope and effect, and their application, including the following.
Let's take a closer look at the extended functionality and cleaner interface of the GPMC.

6.3.1. Group Policy Management Console

Microsoft created the GPMC, supported on Windows Server 2003 or Windows XP, to enable administrators to better configure and use GPOs. The Group Policy Object Editor has various shortcomings, but by far the biggest one is the lack of ability to see the exact scope of a GPO's application, which made troubleshooting policies across machines difficult. The GPMC fixes these issues and adds a scripting ability, which many administrators find useful in troubleshooting, deploying, and generally administering GP. The GPMC takes the "basic" administration of GPOs from the Group Policy Object Editor and integrates itself with the UI: when you load Active Directory Users and Computers and click the Group Policy tab, if the GPMC is installed you'll see a message with a button to launch the console. This is shown in Figure 6-6.

Figure 6-6. Launching the GPMC

You also can launch the GPMC from the Administrative Tools group on the Start Menu or from within the Control Panel. The default view of the GPMC is shown in Figure 6-7.

Figure 6-7. The default view of the GPMC for the hassalltech.local forest

To navigate around in the GPMC, you need to expand the forest you want to manage in the left pane. Then you can select specific domains and sites within that forest, and OUs within those boundaries. When you expand, for example, a particular domain, links to the GPOs that exist are listed within their respective OUs. They also are listed under the Group Policy Objects folder. If you double-click a particular GPO, you're presented with the details of the GPO in the right pane. The first tab is the Scope tab, as shown in Figure 6-8.

Figure 6-8. Examining a standard GPO: the Scope tab

The Scope tab examines how far-reaching the effects of this GPO are. Sites, domains, and OUs that are linked to the GPO you've selected are listed at the top of the window.
You can change the listing of pertinent links using the drop-down box, where you can choose to list links at the current domain, the entire forest, or all sites. At the bottom of the window, any security filtering done by ACLs is listed. Clicking the Add button brings up the standard permissions window, as you would expect from the Group Policy Object Editor. At the very bottom, you can see any WMI filters to which this GPO is linked. You can choose to open the WMI filter for editing by clicking the Open button. Of course, you can associate only one WMI filter with any particular GPO, and as before, WMI filters work only with Windows XP and Windows Server 2003. The next tab, Details, simply shows the domain in which the current GPO is located, the owner of the GPO, when the GPO was created and modified, the version numbers for the user and computer portions, the GUID of the object, and whether the GPO is fully enabled or fully disabled, or whether just the computer or user configuration portions are enabled. The next tab, the Settings tab, is shown in Figure 6-9.

Figure 6-9. Examining a standard GPO: the Settings tab

The Settings tab is one of the most useful tabs in the GPMC. The GPMC will generate HTML-based reports of all the settings in a particular GPO, and you can condense and expand portions of the report easily for uncluttered viewing. You can print the report for further reference, or save the report for posting to an internal web site for your IT administrators. It's a much, much easier way to discern what settings a GPO modifies than the Group Policy Object Editor. To edit the GPO that is displayed in the report, simply right-click it and select Edit. To print the HTML report, right-click it and select Print; to save the report, right-click it and select Save Report.
Finally, the Delegation tab lists in a tabular format the users and groups that have specific permissions for the selected GPO, what those permissions are, and if they're inherited from a parent object. Clicking Add brings up the common Select User, Computer, or Group dialog box that you are familiar with from reading this chapter. You can remove a delegated permission by clicking the appropriate user or group in the list and then clicking the Remove button. The Properties button will bring up the standard Active Directory Users and Computers view of the selected user and group.

6.3.1.1 Searching for GPOs

Using the GPMC, you can search for specific GPOs or for the values of properties of some GPOs. To do so, right-click a forest or domain in the lefthand pane of the GPMC and select Search from the context menu. The Search for Group Policy Objects screen appears, as shown in Figure 6-10.

Figure 6-10. Searching for GPOs

You can select the scope of your search to be all domains within a forest, or within a specific domain that you select from the drop-down list at the top of the screen. Then you specify your search criteria by selecting the item to search, the condition to match, and the value that the condition should match. Here are the possible search terms:
You can stack criteria to have multiple conditions in your search by selecting the appropriate query and clicking Add to add the current criteria to the query list. Then you can select more criteria and add them to create more complex searches. You can remove selected criteria from the query list by clicking the Remove button. Click Search to start the search, and Stop Search to stop it before it has finished. The results of the search appear at the bottom of the screen. You can select a particular GPO that results from the search and go directly to editing it by selecting it and clicking the Edit button. You also can save the set of results by clicking the Save Results button, which puts the results in a comma-separated values (CSV) text file. Finally, to clear the current results and perform a new search, click the Clear button.

6.3.1.2 Backing up, copying, importing, and exporting GPOs using the GPMC

The GPMC supports copying, importing, backing up, and restoring GPO information. Previously, GPO backups were not possible unless you performed a system state backup of a domain controller. When you back up a GPO using the GPMC, only data pertinent to that particular GPO is backed up. Linked objects are not backed up because restoring that information becomes troublesome. However, when you restore, Windows automatically assigns the previous GUID of the backed-up GPO, which is wonderful for simply resurrecting an inadvertently deleted GPO. It is not uncommon for administrators to spend a great deal of time configuring GPOs exactly as needed and then to find themselves having to repeat the process manually on several other OUs for which they are responsible. The GPMC can save hours upon hours with its copy capability. You simply can copy a GPO or set of GPOs and then paste them elsewhere into another OU. However, a copy isn't the same as a backup because the copy process doesn't replicate the information in a file that can be moved elsewhere for safekeeping.
Also, a copy of a GPO has a different GUID than the original GPO. To perform a GPO copy, you need rights to create GPOs in the destination location and read access to the GPOs in the original location. The GPMC also supports the ability to import and export GPOs, even to a separate domain with which no trust exists to the original domain. This is useful when you need to copy the same GPO settings to multiple domains or when moving between development and production forests. You don't need to meticulously re-create all your GPOs on the other domains; simply export them using the GPMC and import them on the new domain. It's a faster and less error-prone procedure. Importing GPOs across domains can be a bit complex because you'll need to create a migration table to specify how the GPMC should translate domain-specific data from one domain into the other. Most GPOs contain information such as users, groups, computers, and UNC paths that refer to objects available in a specific domain. These might not be applicable in the new domain, so you'll need to tell Windows how to translate these objects stored within the source GPO to other objects applicable to the destination GPO's location. Here's a more specific list of GPO aspects you can modify within the migration process:
Let's walk through several examples for backing up, copying, exporting, and importing GPOs with the GPMC. To back up a specific GPO, follow these steps:
To copy a specific GPO, follow these steps:
Figure 6-12. Copying GPOs

Your GPO has been copied. To import a specific GPO, you need to create a new GPO in the location to which you want to import settings. For example, if you want to import the lockout policy from one domain into a new domain, you'll need to create a new GPO in the new domain. Then, follow these steps:
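The same back-up-and-import procedure, including the migration table the text describes, can also be scripted. The following is an added example, not from the book, using the GroupPolicy PowerShell module that Microsoft shipped with later Windows Server releases rather than the GPMC sample scripts; the domain names source.example and dest.example, the GPO name, the group and server names, and the paths under C:\GPO are constructed for illustration.

```powershell
# Added example (not from the book): script a cross-domain GPO copy with the
# GroupPolicy module (Windows Server 2008 R2 and later). All names and paths
# below are constructed placeholders.
Import-Module GroupPolicy

$backupDir = 'C:\GPO\Backups'
$tablePath = 'C:\GPO\source-to-dest.migtable'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Back up the GPO in the source domain. As the text notes, only the GPO's
#    own data is saved; its links to sites, domains and OUs are not.
Backup-GPO -Name 'Account Lockout Policy' -Domain 'source.example' `
           -Path $backupDir -Comment 'Pre-migration copy' | Out-Null

# 2. Write the migration table. Each <Mapping> tells the import how to rewrite
#    one domain-specific reference held inside the GPO (a security principal
#    or a UNC path) so that it resolves in the destination domain. Anything
#    not listed is carried over unchanged.
@"
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Helpdesk Staff@source.example</Source>
    <Destination>Helpdesk Staff@dest.example</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\fs01.source.example\logon</Source>
    <Destination>\\fs01.dest.example\logon</Destination>
  </Mapping>
</MigrationTable>
"@ | Set-Content -Path $tablePath -Encoding UTF8

# 3. Import into the destination domain. The wizard requires the target GPO to
#    exist first; -CreateIfNeeded performs that step. The imported GPO gets its
#    own GUID and no links, exactly as with a GPMC copy.
Import-GPO -BackupGpoName 'Account Lockout Policy' -Path $backupDir `
           -TargetName 'Account Lockout Policy' -Domain 'dest.example' `
           -MigrationTable $tablePath -CreateIfNeeded
```

Because the two domains need no trust, run the backup step with credentials valid in source.example and the import step with credentials that can create GPOs in dest.example, moving the backup directory and table between them.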
6.3.1.3 Managing GP across multiple forests

Using the GPMC, you can quite easily browse and set up GPOs in several distinct forests and domains. In fact, even the default setup of the GPMC allows you to select Add Forest from the Action menu and then to type the name of a forest you want to manage. The GPMC will add that to the list of available forests in the left pane. Managing GP for multiple forests comes with a few requirements:
6.3.1.4 Using RSoP planning mode with the GPMC

The GPMC provides a cleaner graphical interface to the RSoP functionality found within GP in Windows Server 2003 than the regular, bundled tools. The GPMC supports the planning and logging mode, as the standard Group Policy Object Editor does, and you can access each using the Group Policy Modeling and Group Policy Results items in the left pane of the GPMC. In RSoP planning mode, accessed through Group Policy Modeling, you can simulate the effects of the deployment of GPOs, change the GPO in accordance with those results, and retest. You can specify a particular domain controller; users, security groups, and the user memberships within them; the location of a machine or site; and any applicable WMI filters, and then model the results of applying a specific GPO. To get started in planning mode, right-click Group Policy Modeling and, from the context menu, select Group Policy Modeling Wizard. Click Next from the introductory screen. The Domain Controller Selection screen appears, as shown in Figure 6-14.

Figure 6-14. Modeling Group Policy: selecting a domain controller

Here, select the domain controller to use when processing the RSoP request. This domain controller must be running Windows Server 2003. You can choose a specific domain controller from the list, or let Windows choose a domain controller. You also can select domain controllers in a given domain using the drop-down list. Click Next to continue. The User and Computer Selection screen appears, as shown in Figure 6-15.

Figure 6-15. The User and Computer Selection screen

On this screen, you specify the user and computer settings you want to have analyzed when you apply GP. You also can choose a container if you want to analyze more than one user or computer. Note also at the bottom of the screen the option to skip to the end of the wizard.
If you have a simple query that is complete at any point during the wizard, simply select this option to bypass the remaining screens and go straight to the results of the query. Click Next to continue. The Advanced Simulation Options screen appears, as shown in Figure 6-16.

Figure 6-16. The Advanced Simulation Options screen

On this screen, you can tell Windows to simulate a very slow link between domain controllers and clients, whether to merge or replace loopback processing (explained earlier in this chapter), and the site to which these settings should apply. This is very useful for testing real-world conditions. Click Next to continue. Next comes the User Security Groups screen, as depicted in Figure 6-17.

Figure 6-17. The User Security Groups screen

On this screen, you can see the results of applying Group Policy if you change the existing user or computer's security group memberships. The current group memberships are listed in the box, and you can add and remove them at will using the Add and Remove buttons. To undo your changes, just click Restore Defaults. Click Next when you have the list as you want it. If you have selected a computer or container of computers in the initial step of the wizard, the Computer Security Groups screen will appear next. It operates exactly like the User Security Groups screen does, as just described. Click Next to continue. The WMI Filters for Users screen appears next, as shown in Figure 6-18.

Figure 6-18. The WMI Filters for Users screen

Here, you instruct Windows to assume that the user (or container of users) you've selected meets either all configured WMI filters or the specified WMI filter as shown in the box. Click Next when you've selected the appropriate filters. If you selected a computer or container of computers in the first step of the modeling wizard, the WMI Filters for Computers screen appears next; this screen functions exactly like the WMI Filters for Users screen I just discussed.
Click Next to continue. The next screen is a summary of your selections. Confirm that all is well, and then click Next to begin the simulation. When the process is complete, the wizard will let you know. When you click Finish, the results will appear. A sample results screen is shown in Figure 6-19.

Figure 6-19. Group Policy Modeling results

The result is an HTML file that you can collapse and expand as needed. You can see each computer configuration and user configuration result, including GPOs that would be applied and denied, any WMI filters that would be used, how each GP component would survive the deployment, and general information about the query. You can right-click the report and either print or save it. And, if you change your GP settings and want to rerun the same query on the new settings, simply right-click the results page within the GPMC and select Rerun Query.

6.3.1.5 Using RSoP logging mode with the GPMC

The RSoP logging mode with the GPMC, called Group Policy Results, operates in much the same way as the planning mode does. To get started, right-click Group Policy Results in the left pane of the GPMC and select Group Policy Results Wizard from the context menu. Click away from the introductory screen in the wizard, and the Computer Selection screen appears, as shown in Figure 6-20.

Figure 6-20. The Computer Selection screen

Here, select the computer for which you want to obtain results. You can analyze the current computer or another computer on the network. You also can limit the results to only the User Configuration portion of GP using the checkbox in the middle of the screen. Click Next to continue. The User Selection screen appears next. This is reproduced in Figure 6-21.

Figure 6-21. The User Selection screen

On this screen, you can select the user for whom to report the results of the User Configuration section. The list is limited to those who are logged on to the computer and for whom you have permission to read the results.
You also can limit the results displayed to computer configuration information only by using the radio button at the bottom of the screen. Click Next to continue. The Summary of Selections screen appears. Confirm your choices, and click Next to perform the query. When the process is complete, the wizard will notify you. Click Finish to view the results; a sample result screen is shown in Figure 6-22.

Figure 6-22. Results from the Group Policy Results Wizard

Like the other GPMC reports, this one is HTML-based and can be saved and printed by right-clicking anywhere in the report and selecting the appropriate option. For each of the Computer Configuration and User Configuration portions of GP, the report shows the following:
6.3.1.6 WMI filters

A new feature of Windows Server 2003 is the ability to filter GP based on WMI data. Using WMI filters, you can construct a query with WMI Query Language (WQL) that will return various results onto which you can apply a GP. WMI allows you to pull various characteristics otherwise unavailable through Windows, such as a computer's manufacturer and model number, the installation of certain software packages, and other information. You might use WMI when applying policies using these criteria. To enable a WMI filter, click the Browse/Manage button within the particular GPO's properties in the GPMC to create a new filter or to select an existing filter. Keep in mind that if you set a WMI filter for a GPO, it's an all-or-nothing affair: you can't individually select certain policy settings to apply only to the filtered objects. Either the entire policy applies to the list of filtered objects, or the entire policy doesn't apply. This might unfortunately result in an inordinate number of GPOs in your directory, each servicing a different list of filtered objects. Keep this in mind when structuring policies. Also be aware that you can apply only one WMI filter per GPO. If you're not familiar with WQL, Microsoft has provided a utility called Scriptomatic that, although unsupported by Microsoft, helps you construct and use WMI queries for many different Windows administration tasks. You can find the Scriptomatic utility at http://www.microsoft.com/downloads/details.aspx?FamilyID=9ef05cbd-c1c5-41e7-9da8-212c414a7ab0&displaylang=en. If you're curious, here is a sample WMI filter to target all systems running Windows XP.
This will give you an idea of the structure of a filter and how to create one:

    <?xml version="1.0" encoding="utf-8" ?>
    <filters>
      <filter>
        <description>All Windows XP Machines</description>
        <group>MYDOMAIN\Windows XP Computers</group>
        <!-- Version is a string property, so the WQL comparison value must be quoted.
             The filter evaluates to true, and the GPO applies, only when the query
             returns at least one instance on the client. -->
        <query namespace="ROOT\CIMv2">
          SELECT * FROM Win32_OperatingSystem WHERE Version = "5.1.2600"
        </query>
        <!-- More queries -->
      </filter>
      <!-- More filters -->
    </filters>

6.3.1.7 Delegating administration of GPs

Windows 2000 introduced a feature that allowed you to delegate administrative authority for any number of privileges to certain users; this was an extremely useful and cost-effective way to spread out the workload and increase business unit responsibility for their own IT costs. In Windows Server 2003, Microsoft extended this ability to GPOs, allowing an administrator to extend supervisory privileges (to use old NetWare terminology) over some actions with regard to GPOs. Here's how it works. By default, the creation of GPOs is restricted to members of the Domain Admins or Enterprise Admins groups or to those users who belong to the Group Policy Creator Owners group. The key distinction between those security groups is that although those in an administrator group can create and edit any and all GPOs in a directory, the members of the Group Policy Creator Owners group (hereinafter referred to as the GPCO group) can edit only those policies they created themselves. (If you are familiar with LDAP terminology, this is the managedBy concept.) In addition, members of the GPCO group cannot link GPOs to containers within a directory unless a special permission, known as Manage Policy Links, has been explicitly granted to them. If you take advantage of delegation in your organization and empower group or department managers to administer IT assets within their own scope of control, you might want to enable them to administer some GPOs for their group.
It's likely that these managers aren't members of the Domain Administrators or Group Policy Administrators groups, so you'll need to delegate individual privileges: either the ability to create and edit GPOs themselves, or the ability to link GPOs to objects within Active Directory. The two privileges are independent; they are not required in tandem. To delegate the ability to create and edit GPOs to a user or group, follow these steps:
To delegate the ability to link GPOs to objects, follow these steps:
If you prefer to do this via scripting, a couple of sample scripts are included with a default GPMC installation, located in the Program Files\Group Policy Management Console\Scripts directory, that can delegate these two abilities. You can delegate GPO creation and ownership with the SetGPOCreationPermissions.wsf script, and you can delegate link permissions with the SetSOMPermissions.wsf script.
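Once delegation is in place, the Delegation tab shows the result one GPO at a time. The following added example, not from the book, reports the same information for every GPO in the domain using the GroupPolicy PowerShell module from later Windows Server releases; the list of trustees treated as expected is an assumption to adjust for your environment.

```powershell
# Added example (not from the book): audit who can modify each GPO, domain-wide,
# with the GroupPolicy module (Windows Server 2008 R2 and later). Assumes the
# caller can read every GPO's security descriptor.
Import-Module GroupPolicy

# Permission levels that allow changing a GPO's settings or its ACL, as opposed
# to merely reading or applying it.
$editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'

# Built-in principals that hold edit rights by default (assumed baseline).
# A GPCO member who created a GPO also holds edit rights on that GPO, so such
# accounts will appear here; that is the delegation the text describes.
$expected = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

$findings = foreach ($gpo in Get-GPO -All) {
    foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
        # Trustee.Name is empty for SIDs that no longer resolve; those are
        # reported too, since orphaned edit rights deserve cleanup.
        if ($ace.Permission.ToString() -in $editLevels -and
            $ace.Trustee.Name -notin $expected) {
            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                Trustee   = if ($ace.Trustee.Name) { $ace.Trustee.Name } else { $ace.Trustee.Sid }
                Level     = $ace.Permission
                Inherited = $ace.Inherited
            }
        }
    }
}

$findings | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Link permissions live on the site, domain and OU objects rather than on the GPO, so this report does not cover the second privilege the section describes; review those on the container's own Delegation tab.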