6.3. Group Policy Management Tools

Before we get much further into the chapter, it's important to introduce some alternative management tools that will be used throughout the remainder of the book to administer GP.

Although the Group Policy Object Editor you access from within Active Directory Users and Computers is sufficient for managing a small- to medium-size deployment with a few GPOs, it is woefully inadequate for managing a large-scale GP deployment in a bigger organization. To answer this need, Microsoft created the Group Policy Management Console (GPMC) and released it just after Windows Server 2003 was released to manufacturing; this is why the GPMC isn't included on the Windows Server 2003 distribution CD, at least at the time of this writing. (More about this tool is coming up in the next section.) Also, several third-party tools are available to assist you in managing GPOs, their scope and effect, and their application, including the following.


FAZAM

FAZAM tracks changes to GPOs, provides version control for GPOs, allows new or changed GPOs to move into production only after being tested and approved, eliminates the risk of making changes to a live production environment, handles multiple users making simultaneous changes, and enhances GPO administration delegation. However, there are reports that this tool does not work well with Windows 2000 and is fully functional only on Windows Server 2003. FAZAM is available at http://www2.fullarmor.com/solutions/group.


NetIQ Group Policy Administrator

NetIQ Group Policy Administrator handles change and release management to keep better track of GPO modification, creation, and deletion, and enhances change simulation and analysis of hypothetical GPO deployments above and beyond what Windows Server 2003 provides. NetIQ Group Policy Administrator is available at http://www.netiq.com/products/gpa/default.asp.


Quest ActiveRoles

Quest ActiveRoles allows junior-level administrators to securely make changes to important elements of Active Directory, including GP. Quest ActiveRoles is available at http://www.quest.com/fastlane/activeroles/.

Let's take a closer look at the extended functionality and cleaner interface of the GPMC.

6.3.1. Group Policy Management Console

Microsoft created the GPMC, supported on Windows Server 2003 or Windows XP, to enable administrators to better configure and use GPOs. The Group Policy Object Editor has various shortcomings, but by far the biggest one is the inability to see the exact scope of a GPO's application, which made troubleshooting policies across machines difficult. The GPMC fixes these issues and adds a scripting ability, which many administrators find useful in troubleshooting, deploying, and generally administering GP.

The GPMC takes the "basic" administration of GPOs from the Group Policy Object Editor and integrates itself with the UI: when you load Active Directory Users and Computers and click the Group Policy tab, if the GPMC is installed you'll see a message with a button to launch the console. This is shown in Figure 6-6.

Figure 6-6. Launching the GPMC


You also can launch the GPMC from the Administrative Tools group on the Start Menu or from within the Control Panel.

The default view of the GPMC is shown in Figure 6-7.

Figure 6-7. The default view of the GPMC for the hassalltech.local forest


To navigate around in the GPMC, you need to expand the forest you want to manage in the left pane. Then you can select specific domains and sites within that forest, and OUs within those boundaries. When you expand, for example, a particular domain, links to the GPOs that exist are listed within their respective OUs. They also are listed under the Group Policy Objects folder.

If you double-click a particular GPO, you're presented with the details of the GPO in the right pane. The first tab is the Scope tab, as shown in Figure 6-8.

Figure 6-8. Examining a standard GPO: the Scope tab


The Scope tab examines how far-reaching the effects of this GPO are. Sites, domains, and OUs that are linked to the GPO you've selected are listed at the top of the window. You can change the listing of pertinent links using the drop-down box, where you can choose to list links at the current domain, the entire forest, or all sites. At the bottom of the window, any security filtering done by ACLs is listed. Clicking the Add button brings up the standard permissions window, as you would expect from the Group Policy Object Editor.

At the very bottom, you can see any WMI filters to which this GPO is linked. You can choose to open the WMI filter for editing by clicking the Open button. Of course, you can associate only one WMI filter with any particular GPO, and as before, WMI filters work only with Windows XP and Windows Server 2003.

The next tab, Details, simply shows the domain in which the current GPO is located, the owner of the GPO, when the GPO was created and modified, the version numbers for the user and computer portions, the GUID of the object, and whether the GPO is fully enabled or fully disabled, or whether just the computer or user configuration portions are enabled.

The next tab, the Settings tab, is shown in Figure 6-9.

Figure 6-9. Examining a standard GPO: the Settings tab


The Settings tab is one of the most useful tabs in the GPMC. The GPMC will generate HTML-based reports of all the settings in a particular GPO, and you can condense and expand portions of the report easily for uncluttered viewing. You can print the report for further reference, or save the report for posting to an internal web site for your IT administrators. It's a much, much easier way to discern what settings a GPO modifies than the Group Policy Object Editor.

To edit the GPO that is displayed in the report, simply right-click it and select Edit. To print the HTML report, right-click it and select Print; to save the report, right-click it and select Save Report.

Finally, the Delegation tab lists in a tabular format the users and groups that have specific permissions for the selected GPO, what those permissions are, and if they're inherited from a parent object. Clicking Add brings up the common Select User, Computer, or Group dialog box that you are familiar with from reading this chapter. You can remove a delegated permission by clicking the appropriate user or group in the list and then clicking the Remove button. The Properties button will bring up the standard Active Directory Users and Computers view of the selected user and group.

6.3.1.1 Searching for GPOs

Using the GPMC, you can search for specific GPOs or for the values of properties of some GPOs. To do so, right-click a forest or domain in the lefthand pane of the GPMC and select Search from the context menu. The Search for Group Policy Objects screen appears, as shown in Figure 6-10.

Figure 6-10. Searching for GPOs


You can select the scope of your search to be all domains within a forest, or within a specific domain that you select from the drop-down list at the top of the screen. Then you specify your search criteria by selecting the item to search, the condition to match, and the value that the condition should match. Here are the possible search terms:

  • GPO name "contains," "does not contain," or "is exactly" your value.

  • GPO links "exist in" or "do not exist in" certain sites or all sites.

  • Security group; you simply select one or more security groups using the standard selection dialog.

  • User configuration "contains" or "does not contain" folder redirection, Internet Explorer branding, registry, scripts, or software installation values.

  • Computer configuration "contains" or "does not contain" EFS recovery, IP security, Microsoft disk quota, QoS packet scheduler, registry, scripts, software installation, or wireless GP values.

  • GUID "equals" your value.

You can stack criteria to have multiple conditions in your search by selecting the appropriate query and clicking Add to add the current criteria to the query list. Then you can select more criteria and add them to create more complex searches. You can remove selected criteria from the query list by clicking the Remove button.

Click Search to start the search, and Stop Search to stop it before it has finished. The results of the search appear at the bottom of the screen. You can select a particular GPO that results from the search and go directly to editing it by selecting it and clicking the Edit button. You also can save the set of results by clicking the Save Results button, which puts the results in a text file of comma-separated values (CSVs). Finally, to clear the current results and perform a new search, click the Clear button.

6.3.1.2 Backing up, copying, importing, and exporting GPOs using the GPMC

The GPMC supports copying, importing, backing up, and restoring GPO information. Previously, GPO backups were not possible unless you performed a system state backup of a domain controller. When you back up a GPO using the GPMC, only data pertinent to that particular GPO is backed up. Linked objects are not backed up because restoring that information becomes troublesome. However, when you restore, Windows automatically assigns the previous GUID of the backed-up GPO, which is wonderful for simply resurrecting an inadvertently deleted GPO.

It is not uncommon for administrators to spend a great deal of time configuring GPOs exactly as needed and then to find themselves having to repeat the process manually on several other OUs for which they are responsible. The GPMC can save hours upon hours with its copy capability. You simply can copy a GPO or set of GPOs and then paste them elsewhere into another OU. However, a copy isn't the same as a backup because the copy process doesn't replicate the information in a file that can be moved elsewhere for safekeeping. Also, a copy of a GPO has a different GUID than the original GPO. To perform a GPO copy, you need rights to create GPOs in the destination location and read access to the GPOs in the original location.

The GPMC also supports the ability to import and export GPOs, even to a separate domain with which no trust exists to the original domain. This is useful when you need to copy the same GPO settings to multiple domains or when moving between development and production forests. You don't need to meticulously re-create all your GPOs on the other domains; simply export them using the GPMC and import them on the new domain. It's a faster and less error-prone procedure.

Importing GPOs across domains can be a bit complex because you'll need to create a migration table to specify how the GPMC should translate domain-specific data from one domain into the other. Most GPOs contain information such as users, groups, computers, and UNC paths that refer to objects available in a specific domain. These might not be applicable in the new domain, so you'll need to tell Windows how to translate these objects stored within the source GPO to other objects applicable to the destination GPO's location. Here's a more specific list of GPO aspects you can modify within the migration process:

  • Security policy settings, including user rights assignments, restricted groups, services, filesystem entries, and registry keys and values

  • Advanced folder redirection policies

  • The ACL on a GPO itself, which can be preserved or discarded at your discretion

  • The ACL on software installation GPOs (I'll discuss software installation later in this chapter), which relies on your selecting the option immediately preceding this one

Let's walk through several examples for backing up, copying, exporting, and importing GPOs with the GPMC. To back up a specific GPO, follow these steps:

  1. Open the GPMC.

  2. Expand the Forest and Domain trees in the left pane, and then select Group Policy Objects under your domain.

  3. In the right pane, select the GPO you want to back up.

  4. Right-click the GPO and select Back Up.

  5. The Back Up Group Policy Object dialog box appears, as shown in Figure 6-11. Enter the location you want to store the backed-up GPO files in the first box, and then enter a helpful description for yourself so that you can identify the backed-up files later.

    Figure 6-11. Backing up GPOs


  6. A progress box will appear, indicating how far Windows has progressed in the backup procedure. A message in the Status box will appear noting a successful backup when the procedure is finished.

  7. Click OK to finish.

To copy a specific GPO, follow these steps:

  1. Open the GPMC.

  2. Expand the Forest and Domain trees in the left pane, and then select Group Policy Objects under your domain.

  3. In the right pane, select the GPO you want to copy.

  4. Right-click the GPO and select Copy.

  5. Find the OU within Active Directory to which you want to paste the copied GPO and select it.

  6. Right-click the OU and select Paste from the context menu. A message, shown in Figure 6-12, will appear asking you if you want to link the GPOs you copied to the destination OU. Click OK to continue.

Figure 6-12. Copying GPOs


Your GPO has been copied.

To import a specific GPO, you need to create a new GPO in the location to which you want to import settings. For example, if you want to import the lockout policy from one domain into a new domain, you'll need to create a new GPO in the new domain. Then, follow these steps:

  1. Open the GPMC.

  2. Expand the Forest and Domain trees in the left pane, and then select Group Policy Objects under the new domain.

  3. In the right pane, select the GPO you want to use.

  4. Right-click the GPO and select Import Settings. The Import Settings Wizard appears.

  5. The wizard will prompt you to back up the settings currently within the destination GPO. Click the Backup button to do so, and follow the procedure earlier in this section to step through that process. When you are done, click Next.

  6. Select the location where the GPO that you want to import is located. Then, click Next.

  7. The Source GPO screen appears. All the GPOs that are stored in the location you input in step 6 are listed on this screen. You can select an individual GPO and click View Settings to refresh your memory as to the settings the GPO contains. Select the GPO you want to use, and then click Next.

  8. The Migrating References screen appears. Depending on the settings contained within the GPO, you might need to "map" entries using a migration table. You can select to copy the existing entries directly from the source (using the first bulleted option), or you can create a new migration table by clicking New. This results in the Migration Table Editor window appearing, as shown in Figure 6-13.

    Figure 6-13. The Migration Table Editor


  9. From the Tools menu, select Populate from Backup, and then select the source GPO you are importing. Windows will populate the objects that need to be retranslated automatically.

  10. In the Destination Name column, simply enter the correct name for the source property in its new location. Be sure these properties already exist within the destination location; the GPMC can't create them on the fly. Also, if some properties don't need to be changed, simply enter <Same As Source> in the Destination Name column.

  11. You can save this migration table for use in other GPO import procedures by selecting Save from the File menu and specifying a location. This can be anywhere on your filesystem.

  12. Close the Migration Table Editor. The Migrating References screen will reappear, and the migration table you just created will appear. Click Next to continue.

  13. The Completing the Import Settings Wizard screen will appear. Confirm your settings are correct, and then click Finish. Your settings will be imported.
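The backup and import procedures above, scripted with the GroupPolicy PowerShell module (an added example, not code from the book or from the GPMC's own scripts). It assumes the module from RSAT on Windows Server 2008 R2 or later, which the Windows Server 2003 GPMC does not include; the backup path, domain name, GPO name and migration table path are placeholders.

```powershell
# Added example, not from the book: back up every GPO with a dated comment,
# record the backup-to-GUID mapping, check nothing was missed, then import one
# backup into a second domain through a migration table.
# Assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackups'                       # placeholder path
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$BackupDir  = Join-Path -Path $BackupRoot -ChildPath $Stamp
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Back up all GPOs in the current domain. As the text notes, only the GPO
#    data is saved; links to sites, domains and OUs are not.
$backups = @(Backup-GPO -All -Path $BackupDir -Comment "Scheduled backup $Stamp")

# 2. Keep a manifest: GpoId is the GPO's GUID, which Restore-GPO reuses when
#    it resurrects a deleted GPO; Id identifies this particular backup.
$backups |
    Select-Object DisplayName, GpoId, Id, CreationTime |
    Export-Csv -Path (Join-Path -Path $BackupDir -ChildPath 'manifest.csv') -NoTypeInformation

# 3. Verify that every live GPO is present in this backup run.
$backedUp = $backups | ForEach-Object { $_.GpoId }
$missing  = Get-GPO -All | Where-Object { $backedUp -notcontains $_.Id }
if ($missing) {
    Write-Warning ("Backup incomplete for: " + (($missing | ForEach-Object { $_.DisplayName }) -join ', '))
}

# 4. Import the lockout policy into another domain. The .migtable file is one
#    saved from the Migration Table Editor (step 11 above); it maps the source
#    domain's principals and UNC paths onto their destination equivalents.
#    Domain, GPO and file names are placeholders.
Import-GPO -BackupGpoName 'Account Lockout Policy' `
           -Path $BackupDir `
           -TargetName 'Account Lockout Policy' `
           -Domain 'lab.example.test' `
           -MigrationTable 'C:\GPOBackups\lab.migtable' `
           -CreateIfNeeded
```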

6.3.1.3 Managing GP across multiple forests

Using the GPMC, you can quite easily browse and set up GPOs in several distinct forests and domains. In fact, even the default setup of the GPMC allows you to select Add Forest from the Action menu and then to type the name of a forest you want to manage. The GPMC will add that to the list of available forests in the left pane.

Managing GP for multiple forests comes with a few requirements:

  • To make everything work out of the box, you need to have a two-way trust between the target forest and the forest that the machine on which you are running the GPMC is in.

  • If you have only a one-way trust, choose Options from the View menu, and then on the General tab uncheck Enable Trust Delegation, a feature that allows permissions for managing GPOs to be assigned to the other forest for reciprocal management.

  • If you don't have a trust, you'll need to use the Stored User Names and Passwords applet in the Control Panel of Windows Server 2003 or the User Accounts applet in Windows XP to keep your login information for the remote forest.

  • Most likely you will need Enterprise Administrator credentials to manage GP in other forests.

6.3.1.4 Using RSoP planning mode with the GPMC

The GPMC provides a cleaner graphical interface to the RSoP functionality found within GP in Windows Server 2003 than the regular, bundled tools. The GPMC supports the planning and logging mode, as the standard Group Policy Object Editor does, and you can access each using the Group Policy Modeling and Group Policy Results items in the left pane of the GPMC.

In RSoP planning mode, accessed through Group Policy Modeling, you can simulate the effects of the deployment of GPOs, change the GPO in accordance with those results, and retest. You can specify a particular domain controller, users, security groups, and user memberships within, the location of a machine or site, and any applicable WMI filters, and then model the results of applying a specific GPO.

To get started in planning mode, right-click Group Policy Modeling and, from the context menu, select Group Policy Modeling Wizard. Click Next from the introductory screen. The Domain Controller Selection screen appears, as shown in Figure 6-14.

Figure 6-14. Modeling Group Policy: selecting a domain controller


Here, select the domain controller to use when processing the RSoP request. This domain controller must be running Windows Server 2003. You can choose a specific domain controller from the list, or let Windows choose a domain controller. You also can select domain controllers in a given domain using the drop-down list. Click Next to continue.

The User and Computer Selection screen appears, as shown in Figure 6-15.

Figure 6-15. The User and Computer Selection screen


On this screen, you specify the user and computer settings you want to have analyzed when you apply GP. You also can choose a container if you want to analyze more than one user or computer. Note also at the bottom of the screen the option to skip to the end of the wizard. If you have a simple query that is complete at any point during the wizard, simply select this option to bypass the remaining screens and go straight to the results of the query. Click Next to continue.

The Advanced Simulation Options screen appears, as shown in Figure 6-16.

Figure 6-16. The Advanced Simulation Options screen


On this screen, you can tell Windows to simulate a very slow link between domain controllers and clients, whether to merge or replace loopback processing (explained earlier in this chapter), and the site to which these settings should apply. This is a very useful option for testing real-world conditions. Click Next to continue.

Next comes the User Security Groups screen, as depicted in Figure 6-17.

Figure 6-17. The User Security Groups screen


On this screen, you can see the results of applying Group Policy if you change the existing user or computer's security group memberships. The current group memberships are listed in the box, and you can add and remove them at will using the Add and Remove buttons. To undo your changes, just click Restore Defaults. Click Next when you have the list as you want it.

If you have selected a computer or container of computers in the initial step of the wizard, the Computer Security Groups screen will appear next. It operates exactly like the User Security Groups screen does, as just described. Click Next to continue.

The WMI Filters for Users screen appears next, as shown in Figure 6-18.

Figure 6-18. The WMI Filters for Users screen


Here, you instruct Windows to assume that the user (or container of users) you've selected meets either all configured WMI filters or the specified WMI filter as shown in the box. Click Next when you've selected the appropriate filters.

If you selected a computer or container of computers in the first step of the modeling wizard, the WMI Filters for Computers screen appears next; this screen functions exactly like the WMI Filters for Users screen I just discussed. Click Next to continue.

The next screen is a summary of your selections. Confirm that all is well, and then click Next to begin the simulation. When the process is complete, the wizard will let you know. When you click Finish, the results will appear. A sample results screen is shown in Figure 6-19.

Figure 6-19. Group Policy Modeling results


The result is an HTML file that you can collapse and expand as needed. You can see each computer configuration and user configuration result, including GPOs that would be applied and denied, any WMI filters that would be used, how each GP component would survive the deployment, and general information about the query. You can right-click the report and either print or save it. And, if you change your GP settings and want to rerun the same query on the new settings, simply right-click the results page within the GPMC and select Rerun Query.

6.3.1.5 Using RSoP logging mode with the GPMC

The RSoP logging mode with the GPMC, called Group Policy Results, operates in much the same way as the planning mode does. To get started, right-click Group Policy Results in the left pane of the GPMC and select Group Policy Results Wizard from the context menu.

Click Next past the introductory screen in the wizard, and the Computer Selection screen appears, as shown in Figure 6-20.

Figure 6-20. The Computer Selection screen


Here, select the computer for which you want to obtain results. You can analyze the current computer or another computer on the network. You also can limit the results to only the User Configuration portion of GP using the checkbox in the middle of the screen. Click Next to continue.

The User Selection screen appears next. This is reproduced in Figure 6-21.

Figure 6-21. The User Selection screen


On this screen, you select the user for whom the User Configuration results should be reported. The list is limited to those who are logged on to the computer and for whom you have permission to read the results. You also can limit the results displayed to computer configuration information only by using the radio button at the bottom of the screen. Click Next to continue.

The Summary of Selections screen appears. Confirm your choices, and click Next to perform the query. When the process is complete, the wizard will notify you. Click Finish to view the results; a sample result screen is shown in Figure 6-22.

Figure 6-22. Results from the Group Policy Results Wizard


Like the other GPMC reports, this one is HTML-based and can be saved and printed by right-clicking anywhere in the report and selecting the appropriate option. For each of the Computer Configuration and User Configuration portions of GP, the report shows the following:

  • General information about the query

  • GPOs that were applied and GPOs that were denied

  • The user and/or computer's membership in security groups when GP was applied

  • WMI filters that "catch" the user or computer

  • The status of each component of GP, including GPOs themselves, EFS recovery, the registry, and security (permissions)

6.3.1.6 WMI filters

A new feature of Windows Server 2003 is the ability to filter GP based on WMI data. Using WMI filters, you can construct a query with WMI Query Language (WQL) that will return various results onto which you can apply a GP. WMI allows you to pull various characteristics otherwise unavailable through Windows, such as a computer's manufacturer and model number, the installation of certain software packages, and other information. You might use WMI when applying policies using these criteria.

To enable a WMI filter, click the Browse/Manage button within the particular GPO's properties in the GPMC to create a new filter or to select an existing filter. Keep in mind that if you set a WMI filter for a GPO, it's an all-or-nothing affair: you can't individually select certain policy settings to apply only to the filtered objects. Either the entire policy applies to the list of filtered objects, or the entire policy doesn't apply. This might unfortunately result in an inordinate number of GPOs in your directory, each servicing a different list of filtered objects. Keep this in mind when structuring policies. Also be aware that you can apply only one WMI filter per GPO.

If you're not familiar with WQL, Microsoft has provided a utility called Scriptomatic that, although unsupported by Microsoft, helps you construct and use WMI queries for many different Windows administration tasks. You can find the Scriptomatic utility at http://www.microsoft.com/downloads/details.aspx?FamilyID=9ef05cbd-c1c5-41e7-9da8-212c414a7ab0&displaylang=en.

If you're curious, here is a sample WMI filter to target all systems running Windows XP. This will give you an idea of the structure of a filter and how to create one:

    <?xml version="1.0" encoding="utf-8" ?>
    <filters>
      <filter>
        <description>All Windows XP Machines</description>
        <group>MYDOMAIN\Windows XP Computers</group>
        <!-- WQL compares strings, so the version literal must be quoted -->
        <query namespace="ROOT\CIMv2">SELECT * FROM Win32_OperatingSystem WHERE Version = "5.1.2600"</query>
        <!-- More queries -->
      </filter>
      <!-- More filters -->
    </filters>
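An added example (not the book's code) that evaluates a WMI filter's WQL on a test machine before the filter is attached to a GPO; because filtering is all-or-nothing, a query that matches nothing means the whole GPO silently does not apply. It assumes PowerShell 3.0 or later for Get-CimInstance; the queries are constructed and the manufacturer value is a placeholder.

```powershell
# Added example, not the book's code: evaluate a WMI filter's WQL on a host
# before linking the filter to a GPO. A filter that matches nothing means the
# whole GPO silently does not apply there, so check the query first.
# Assumes PowerShell 3.0 or later (Get-CimInstance).
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace = 'root\cimv2',
        [string] $ComputerName           # omit to test the local machine
    )
    $cimParams = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimParams['ComputerName'] = $ComputerName }
    try {
        $rows = @(Get-CimInstance @cimParams)
        [pscustomobject]@{ Query = $Query; Matches = ($rows.Count -gt 0); Rows = $rows.Count; Error = $null }
    } catch {
        # A bad namespace, class name or unquoted literal surfaces here rather
        # than as a GPO that quietly never applies.
        [pscustomobject]@{ Query = $Query; Matches = $false; Rows = 0; Error = $_.Exception.Message }
    }
}

# Constructed queries: the book's filter with its string literal quoted as WQL
# requires, a looser form matching any Windows XP build, and a hardware-based
# one of the kind the text describes (the manufacturer value is a placeholder).
$queries = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version = "5.1.2600"'
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%"'
    'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = "Example Corp."'
)
$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-Table -AutoSize
```

Run it on a representative member of each machine class the filter is meant to select, and on one it is meant to exclude, before linking the GPO.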

6.3.1.7 Delegating administration of GPs

Windows 2000 introduced a feature that allowed you to delegate administrative authority for any number of privileges to certain users; this was an extremely useful and cost-effective way to spread out the workload and increase business unit responsibility for their own IT costs. In Windows Server 2003, Microsoft extended this ability to GPOs, allowing an administrator to extend supervisory privileges (to use old NetWare terminology) over some actions with regard to GPOs. Here's how it works.

By default, the creation of GPOs is restricted to members of the Domain Admins or Enterprise Admins groups or to those users who belong to the Group Policy Creator Owners group. The key distinction between those security groups is that although those in an administrator group can create and edit any and all GPOs in a directory, the members of the Group Policy Creator Owners group (hereinafter referred to as the GPCO group) can edit only those policies they created themselves. (If you are familiar with LDAP terminology, this is the managedBy concept.) In addition, members of the GPCO group cannot link GPOs to containers within a directory unless a special permission, known as Manage Policy Links, has been explicitly granted to them.

If you take advantage of delegation in your organization and empower group or department managers to administer IT assets within their own scope of control, you might want to enable them to administer some GPOs for their group. It's likely that these managers aren't members of the Domain Administrators or Group Policy Administrators groups, so you'll need to delegate individual privileges: either the ability to create and edit GPOs themselves, or the ability to link GPOs to objects within Active Directory. The two privileges are independent; they are not required in tandem.

To delegate the ability to create and edit GPOs to a user or group, follow these steps:

  1. Open the GPMC.

  2. In the Tree view, select Group Policy Objects.

  3. Navigate to the Delegation tab in the righthand pane.

  4. Add the user or group to whom you want to delegate the privilege.

To delegate the ability to link GPOs to objects, follow these steps:

  1. Open the GPMC.

  2. Select the OU or other object for which you want to give the ability to link GPOs.

  3. Navigate to the Delegation tab in the righthand pane.

  4. Add the user or group to whom you want to delegate the privilege.

If you prefer to do this via scripting, a couple of sample scripts are included with a default GPMC installation, located in the Program Files\Group Policy Management Console\Scripts directory, that can delegate these two abilities. You can delegate GPO creation and ownership with the SetGPOCreationPermissions.wsf script, and you can delegate the ability to link GPOs with the SetSOMPermissions.wsf script.
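An added example (not from the book) that grants the first kind of delegation with the GroupPolicy PowerShell module and then audits every GPO for editors outside the built-in administrative principals, which is the check a defender wants once delegation is in use. It assumes the module from RSAT on Windows Server 2008 R2 or later; the GPO and group names are placeholders.

```powershell
# Added example, not from the book: grant edit rights on one GPO (the
# equivalent of the Delegation tab procedure above), then audit all GPOs for
# principals outside the built-in administrative set who can edit them.
# Assumes the GroupPolicy module (RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy

# 1. Delegate edit rights on a single GPO. GPO and group names are placeholders.
Set-GPPermission -Name 'HR Desktop Policy' `
                 -TargetName 'HR-GPO-Editors' -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

# 2. Audit. These principals are expected to hold edit rights on every GPO;
#    anyone else with an edit-level permission is a delegation worth reviewing.
$expectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM')
$editLevels      = @('GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom')

function Get-DelegatedGpoEditors {
    foreach ($gpo in Get-GPO -All) {
        foreach ($ace in Get-GPPermission -Guid $gpo.Id -All) {
            $level = $ace.Permission.ToString()
            if ($editLevels -contains $level -and
                $expectedEditors -notcontains $ace.Trustee.Name) {
                # Group Policy Creator Owners members appear here as individual
                # users with full rights on the GPOs they created, as the text
                # describes.
                [pscustomobject]@{
                    GPO       = $gpo.DisplayName
                    Trustee   = $ace.Trustee.Name
                    Type      = $ace.Trustee.SidType
                    Level     = $level
                    Inherited = $ace.Inherited
                }
            }
        }
    }
}

Get-DelegatedGpoEditors | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

The second kind of delegation, the right to link GPOs, is set on the container's ACL rather than on the GPO, so it does not appear in this report; review it separately on each OU, domain and site.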


    Learning Windows Server 2003
    ISBN: 0596101236
    Year: 2003