Group Policy Tools


Together with the complexity of Group Policy comes a plethora of tools for administering it.

GUI Tools

First, let's summarize the various GUI tools included in WS2003 for managing Group Policy:

Active Directory Users and Computers

This console can be used to create, delete, edit, and link GPOs to domains and OUs.

Active Directory Sites and Services

This console can be used to create, delete, edit, and link GPOs to sites.

Group Policy Object Editor (GPOE)

This MMC snap-in is used to edit the settings of existing GPOs, but you can't use it to create a new GPO. This snap-in was named Group Policy in W2K.

Local Security Policy

This console can be used on standalone and member servers to view and configure the Security Settings portion of the computer's local GPO. On a domain member, matching settings delivered by site, domain, or OU GPOs override the local ones, so this console shows what is configured locally, not necessarily what is in effect.

Domain Controller Security Policy

This console can be used on domain controllers to view and configure the security settings of the Default Domain Controllers Policy GPO, which is linked to the Domain Controllers OU.

Domain Security Policy

This console can be used on domain controllers to view and configure the security settings of the Default Domain Policy GPO, which is linked to the domain.

Resultant Set of Policies (RSoP)

This MMC snap-in is new to WS2003 and can be used to analyze how GPOs combine to produce effective settings on the local machine. RSoP can run in one of two modes:

Planning Mode

Simulates the effect of Group Policy without actually applying it

Logging Mode

Reports the Group Policy settings that have actually been applied to a target user or computer, and which GPO each setting came from

Related Security Tools

The use of two other MMC snap-ins has a bearing on Group Policy:

Security Configuration and Analysis

Compares the local computer's current security settings against a template database, reports the differences, and can optionally apply the template

Security Templates

Creates and edits security templates (.inf files) that can be imported into a GPO to define its security settings

These tools are discussed later in this chapter under Security Templates.

Command-Line Tools

Useful command-line tools for managing Group Policy include gpupdate, which refreshes Group Policy settings on the local computer (replacing the secedit /refreshpolicy command used in W2K), and gpresult, which displays the RSoP settings for a target user or computer on a specified machine. See gpupdate and gpresult in Chapter 5 for more information.
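As an added example (not from the book), the following PowerShell script puts the two command-line tools together the way an administrator verifying a security baseline would: it forces a computer-scope refresh on a remote server and then checks, via gpresult, that a named GPO is in the server's applied set. Computer and GPO names are placeholders. The script assumes English-language gpresult output and the verbose layout in which an "Applied Group Policy Objects" heading is followed by an underline of dashes and one GPO name per line, ending at a blank line; gpupdate is started remotely through WMI because gpupdate itself has no remote switch.

```powershell
# Added example, not part of the original text. Placeholder names throughout.

function Update-TargetPolicy {
    param([string]$ComputerName, [int]$TimeoutSeconds = 180)
    # gpupdate has no remote switch; start it on the target via Win32_Process.Create
    # and poll until it exits, because Create returns as soon as the process launches.
    $cls = [wmiclass]"\\$ComputerName\root\cimv2:Win32_Process"
    $res = $cls.Create('gpupdate.exe /force /target:computer /wait:120')
    if ($res.ReturnValue -ne 0) {
        throw "Win32_Process.Create failed on $ComputerName with code $($res.ReturnValue)"
    }
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $p = Get-WmiObject -ComputerName $ComputerName -Class Win32_Process `
                           -Filter "ProcessId = $($res.ProcessId)"
        if (-not $p) { return }          # process gone: refresh finished
        Start-Sleep -Seconds 5
    }
    throw "gpupdate on $ComputerName did not finish within $TimeoutSeconds seconds"
}

function Get-AppliedGpo {
    param([string]$ComputerName, [string]$Scope = 'computer')
    # Assumed layout of verbose output (English):
    #     Applied Group Policy Objects
    #     -----------------------------
    #         <GPO display name>
    #         ...
    #     <blank line>
    $lines = & gpresult.exe /s $ComputerName /scope $Scope /v 2>&1
    $applied = @()
    $inSection = $false
    foreach ($line in $lines) {
        if ($line -match '^\s*Applied Group Policy Objects') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*-{5,}\s*$') { continue }   # underline beneath the heading
        if ($line.Trim() -eq '') { break }               # blank line ends the list
        $applied += $line.Trim()
    }
    return $applied
}

function Test-GpoApplied {
    param([string]$ComputerName, [string]$GpoName)
    Update-TargetPolicy -ComputerName $ComputerName
    $applied = Get-AppliedGpo -ComputerName $ComputerName
    if ($applied -contains $GpoName) {
        Write-Output "OK: '$GpoName' is applied to $ComputerName"
        return $true
    }
    Write-Warning "'$GpoName' is NOT applied to $ComputerName. Applied GPOs: $($applied -join ', ')"
    return $false
}

# Usage with placeholder names:
Test-GpoApplied -ComputerName 'SRV01' -GpoName 'Member Server Security Baseline'
```

Run it from an administrative workstation with rights on the target; gpresult /s needs RPC access to the remote computer, and user-scope results are only available for a user who has logged on there. A GPO that is linked but missing from the applied list is usually filtered out by security filtering or a WMI filter, which the same verbose output lists under "The following GPOs were not applied because they were filtered out".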

Group Policy Management Console (GPMC)

The fact that the GUI tools for managing Group Policy aren't well-integrated and have no provision for backing up, exporting, or copying GPOs can make managing Group Policy difficult in a large enterprise environment with multiple domains and sites and a large OU hierarchy. To alleviate this problem, Microsoft has released a new integrated tool for administering Group Policy called the Group Policy Management Console (GPMC). Unfortunately, this tool was developed too late to be included with the Gold Release of the WS2003 product CD, but it is downloadable from Microsoft's web site at www.microsoft.com/downloads/ and is free, provided you comply with the licensing agreement, which requires that you have at least one WS2003 license. Note that you don't have to actually have a WS2003 machine installed; just having a license is sufficient. See the GPMC EULA for details.

Features of GPMC

The GPMC can be installed on either a WS2003 machine or on a client computer running Windows XP Professional with SP1 or later. Once installed, the GPMC replaces the Group Policy tab of the properties sheet for a domain or OU in Active Directory Users and Computers and for a site in Active Directory Sites and Services. If desired, GPMC can be uninstalled later by rerunning the downloaded GPMC.msi Windows Installer file, which restores the original Group Policy tab in these consoles. The new GPMC console can be used to:

  • Manage GPOs and GPO links for domains, sites, and OUs. The GPMC can also manage Group Policy across multiple forests even if there is no trust relationship between them.

  • Model and report RSoP in HTML format.

  • Back up and restore GPOs.

  • Export and import GPOs.

  • Copy GPOs.

  • Perform script operations on GPOs (but not on actual GPO settings).

  • Manage WMI filters for GPOs. WMI filters let administrators who write queries for Windows Management Instrumentation (WMI) dynamically determine the scope of GPOs based on attributes of the target computer, such as its operating system version or installed hardware. WMI is an interesting feature, but beyond the scope of this book.

The GPMC isn't used to configure actual GPO settings; this is still done using the Group Policy Object Editor (GPOE) snap-in (see Configure a GPO in Group PolicyTasks ).
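As an added example (not from the book), the following PowerShell script performs three of the GPMC operations listed above from a script: it backs up every GPO in a domain, writes an HTML settings report for each, and copies one GPO into a second domain by importing its backup. It uses the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2 and later (Get-GPO, Backup-GPO, Get-GPOReport, Import-GPO); the WS2003-era GPMC exposed the same operations only through its COM object and the sample scripts installed with it. Domain names and paths are placeholders.

```powershell
# Added example, not part of the original text. Requires the GroupPolicy module
# (GPMC on Windows Server 2008 R2 or later) and a user with GPO read/backup rights.
Import-Module GroupPolicy

function Backup-DomainGpos {
    param([string]$Domain, [string]$BackupRoot)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $path  = Join-Path $BackupRoot $stamp
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $manifest = foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Backup-GPO captures the GPO's Active Directory and SYSVOL parts under $path
        $b = Backup-GPO -Guid $gpo.Id -Domain $Domain -Path $path -Comment "Scheduled backup $stamp"
        # Same HTML settings report the GPMC shows on a GPO's Settings tab
        Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Html `
                      -Path (Join-Path $path "$($gpo.Id).html")
        [pscustomobject]@{
            DisplayName      = $gpo.DisplayName
            GpoId            = $gpo.Id
            BackupId         = $b.Id
            ModificationTime = $gpo.ModificationTime
            UserVersion      = $gpo.User.DSVersion
            ComputerVersion  = $gpo.Computer.DSVersion
        }
    }
    # A manifest of what was captured, useful for change tracking between runs
    $manifest | Export-Csv -Path (Join-Path $path 'manifest.csv') -NoTypeInformation
    return $path
}

function Copy-GpoToDomain {
    # Cross-domain "copy": import a backup into a (new or existing) GPO in the target domain
    param([string]$BackupPath, [string]$SourceGpoName, [string]$TargetDomain, [string]$TargetGpoName)
    Import-GPO -BackupGpoName $SourceGpoName -Path $BackupPath `
               -Domain $TargetDomain -TargetName $TargetGpoName -CreateIfNeeded
}

# Usage with placeholder names:
$backup = Backup-DomainGpos -Domain 'corp.example.com' -BackupRoot 'D:\GPOBackups'
Copy-GpoToDomain -BackupPath $backup -SourceGpoName 'Member Server Security Baseline' `
                 -TargetDomain 'lab.example.com' -TargetGpoName 'Member Server Security Baseline'
```

Two caveats a practitioner will hit: a backup captures the GPO's settings but not its links or the GPO's own permissions, so restoring a deleted GPO still requires relinking it; and a GPO imported into another domain keeps any security-principal SIDs and UNC paths from the source domain unless a migration table (the -MigrationTable parameter) maps them.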

GPMC Console Tree

The hierarchical structure of the GPMC console tree typically looks like this:

 Group Policy Management
     Forest: DNS_name_of_forest
         Domains
         Sites
         Group Policy Modeling
         Group Policy Results

The pattern repeats if there are additional forests under the root Group Policy Management node. The four nodes under Forest are described next in detail.

Domains

The Domains container displays a flat list of each domain in the forest regardless of its parent domain or tree. The container for each individual domain typically looks like this:

 Domain
     GPO links to domain...
     OUs...
     Group Policy Objects
     WMI Filters

At the minimum, the GPO link to the Default Domain Policy is displayed under the Domain node, which displays the domain using its DNS name. Each OU can also contain one or more GPO links to the OU (if there are any), while the Group Policy Objects container holds the actual GPOs created within the domain. Note that GPO links are displayed using shortcut icons to distinguish them from GPO objects.

Sites

The Sites container can display a flat list of all sites in the forest. By default, however, it shows nothing when selected, since querying Active Directory across the enterprise for information about every site in the forest can take some time if slow WAN links are involved. To make sites visible, right-click the container and select Show Sites, then choose the sites to display. Like domains, all sites are displayed as peers of one another.

Group Policy Modeling

This node provides similar functionality to RSoP running in planning mode and lets you simulate or model how Group Policy settings would be applied to users and computers without actually applying the settings. Note that this node isn't present if a W2K forest is selected; the node is visible only if the selected forest has at least one WS2003 domain controller present in it, in other words, if the Active Directory schema of the forest is at the WS2003 level.

Group Policy Results

This node provides similar functionality to RSoP running in logging mode and lets you query target users and computers to obtain information about existing Group Policy settings. Note that while this node is present regardless of whether the schema is WS2003 or W2K, the node can display RSoP results only on target computers running either WS2003 or XP.

To see what the GPMC can actually do, see Manage Group Policy Using GPMC in the next section.



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch