Group Policy Tasks

We'll look at general tasks for managing GPOs first. I'll then describe how to configure different types of GPO settings. After that, we'll examine the RSoP tool and I'll explain how to use it. Finally, we'll look at how to use the new Group Policy Management Console (GPMC) that can be downloaded from Microsoft's web site.

Manage Group Policy

The procedures described here use different consoles in different situations:

To work with GPOs in a domain or OU

Open the Active Directory Users and Computers console → right-click on a domain or OU → Properties → Group Policy tab

To work with GPOs in a site

Open the Active Directory Sites and Services console → right-click on a site → Properties → Group Policy tab

If the context is not clear from the procedure that follows, the console to be used is stated explicitly; otherwise, the appropriate console is assumed to be already open at the start of the procedure. You typically work with GPOs by creating and linking them to a specific container (site, domain, or OU) in Active Directory using these consoles, but you can also open GPOs directly using the Group Policy Object Editor (GPOE).

Create a GPO

To create a GPO, you must first decide which container you want it to be linked to in Active Directory. This can be a site, a domain, or an OU. By default, a GPO is automatically linked to the container on which it is created. To create a new GPO, access the properties sheet for the desired container using the appropriate MMC console and:

Right-click on a container → Properties → Group Policy → New → specify a name

Once a GPO has been created, it must be configured (see Configure a GPO later in this section).

To see how to perform these tasks using the GPMC, see Manage Group Policy Using the GPMC later in this section.

Open a GPO

Open a GPO using an MMC console that has the Group Policy snap-in installed. You can do this in different ways:

  • Open the Active Directory Users and Computers (or Sites and Services) console, right-click a domain or OU (or site) to which the GPO is linked, and then select:

    Properties → Group Policy → select the GPO → Edit

    This opens the GPOE console and displays the different configurable settings of your selected GPO.

  • Add the Group Policy Object Editor snap-in to a new or existing MMC console, and then open the GPO in it. For example:

    Start → Run → mmc → OK → Console → Add/Remove Snap-in → Add → Group Policy Object Editor → Add → Browse → select a GPO

Link a GPO

When you create a new GPO, it is automatically linked to the site, domain, or OU that you selected for creating it (see Create a GPO earlier in this section). You can also link an existing GPO to a selected container (site, domain, or OU) as follows:

Right-click on a container → Properties → Group Policy → Add → select the {Domains/OUs | Sites | All} tab → if necessary change the domain or OU shown in Look in → select a GPO

The Group Policy Object Links listbox displays all the GPOs that are currently linked to your container. To unlink a GPO from a container, do the following:

Right-click on the container → Properties → Group Policy → select a linked GPO → Delete → Remove the link from the list

Display Links for a GPO

You can view the containers your GPO is linked to in Active Directory as follows:

Right-click on a container → Properties → Group Policy → select a GPO → Properties → Links → select domain → Find Now

Alternatively, you can find links by opening the GPO in a Group Policy console (see Open a GPO earlier in this section) and then:

Right-click on the GPO's root node in the console tree → Properties → Links → select domain → Find Now

Filter a GPO

Right-click on a container → Properties → Group Policy → select a GPO → Properties → Security → select the {user | group | computer} you want the GPO not to apply to → clear the Read and Apply Group Policy checkboxes

Alternatively, you can filter a GPO in the Group Policy console (see Open a GPO earlier in this section) and then:

Right-click on the GPO's root node in the console tree → Properties → Security → continue as before

Security filtering is a property of the GPO, not of the link, so it takes effect on every container the GPO is linked to. Prefer clearing the Allow checkboxes over adding a Deny entry: a Deny wins over any Allow the same principal receives through another group membership, and a forgotten Deny entry is a common reason a GPO mysteriously fails to apply.

Force a GPO

Right-click on a container → Properties → Group Policy → select a GPO → Options → select No Override

With No Override set on the link, the settings in this GPO win over any conflicting settings in GPOs linked to containers beneath the selected container, and Block Policy Inheritance on those child containers does not stop them. The option belongs to the link, not to the GPO, so other links to the same GPO are unaffected.

Block GPO Inheritance

Right-click on a container → Properties → Group Policy → select Block Policy Inheritance

Blocking GPO inheritance prevents settings from GPOs linked to parent containers (the site, the domain, and any parent OUs) from being inherited by the selected child container. The exception is GPO links marked No Override (see Force a GPO earlier in this section), which still apply.

Delegate Control of a GPO

Administrators can give trusted users administrative control over a GPO linked to a container. These users can manage the GPO's settings even if they have no administrative privileges over the container itself. Management is limited to modifying the GPO's settings; it does not include creating new GPOs or linking GPOs to the container. To do this:

Right-click on a container → Properties → Group Policy → select a GPO → Properties → Security → Add → select a user account or group → Add → allow Read and Write permissions

Or you can open the GPO in a Group Policy console and then:

Right-click on the GPO's root node in the console tree → Properties → Security → continue as before

A user who has administrative privileges over a container can link GPOs to it and modify them, and can create new GPOs there if the user is also a member of Group Policy Creator Owners or Domain Admins. Treat the right to edit a GPO as equivalent to administrative access to every computer and user the GPO applies to: an editor can add startup scripts and software packages that run with SYSTEM privileges on those computers.

Disable a GPO

Right-click on the container → Properties → Group Policy → select a linked GPO → Options → select Disabled

Disabling a link lets you modify the GPO's settings without having the modifications applied to clients until you are ready. Only this link is disabled; other links to the same GPO still apply. To turn off the whole GPO everywhere, or only its computer or user half, use the GPO's Properties → General tab, which has checkboxes to disable the Computer Configuration and User Configuration settings.

Delete a GPO

Right-click on the container → Properties → Group Policy → select a linked GPO → Delete → Remove the link and delete the Group Policy Object permanently

Deleting a GPO removes the GPO itself (its Group Policy container in Active Directory and its template in SYSVOL) together with all links between that GPO and any containers. The other choice in the same dialog, Remove the link from the list, removes only this link and leaves the GPO intact.

Configure a GPO

To configure the settings of a GPO, first open it for editing and then configure settings by double-clicking on them. The kind of configuration you can perform on a setting depends on the type of setting involved.

If you are going to experiment with the configuration of a GPO, disable its link first (or link it only to a test OU containing a few test accounts and computers) so that settings you specify while experimenting are not applied to production clients.

Configure Administrative Templates Settings

These settings usually have three states you can choose from:

Enabled

The policy is turned on: the registry value the template defines for the setting is written to the policy area of the client's registry when Group Policy is applied.

Disabled

The policy is explicitly turned off: the template's "disabled" value is written, so the setting is actively reversed on the client. This is not the same as Not configured.

Not configured

The GPO says nothing about the setting. The client keeps whatever value another GPO, or its local registry, already has.

Of course, the actual results of configuring an administrative template setting depend on the number of different GPOs applied, the containers they are linked to, whether GPO inheritance is blocked or forced, and so on. In addition to specifying the state, many administrative template settings require further information as well, depending on the type of operating-system function being controlled.
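The following PowerShell is an added example and is not part of this page's procedures. It shows what the three states mean at the registry level by writing each of them into a GPO with the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT; the module did not exist in the WS2003 tools described here). The GPO name "Workstation Lockdown" is an assumption, and the policy used, Prevent access to registry editing tools, is assumed to write DisableRegistryTools=1 for Enabled and 0 for Disabled under the per-user Policies\System key, which is what its template defines.

```powershell
# Added example (not from the page). Requires the GroupPolicy module
# (Windows Server 2008 R2+/RSAT). GPO name and the policy's value mapping
# (1 = Enabled, 0 = Disabled) are assumptions described in the lead-in.
Import-Module GroupPolicy

$Gpo  = 'Workstation Lockdown'
$Key  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$Name = 'DisableRegistryTools'

function Set-AdmState {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled', 'NotConfigured')][string]$State
    )
    switch ($State) {
        # Enabled: the template's "enabled" value is written into the GPO's registry policy
        'Enabled' {
            Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 1 | Out-Null
        }
        # Disabled: the template's "disabled" value is written, so the client
        # actively reverses the setting instead of leaving it alone
        'Disabled' {
            Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 0 | Out-Null
        }
        # Not configured: the value is removed from the GPO; the client keeps
        # whatever another GPO, or its local registry, already says
        'NotConfigured' {
            Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName | Out-Null
        }
    }
}

function Get-AdmState {
    param([string]$GpoName, [string]$Key, [string]$ValueName)
    # Get-GPRegistryValue errors when the value is absent from the GPO,
    # which is exactly the "Not configured" state
    try {
        $v = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -ErrorAction Stop
        if ($v.Value -eq 1) { 'Enabled' } else { 'Disabled' }
    } catch {
        'NotConfigured'
    }
}

Set-AdmState -GpoName $Gpo -Key $Key -ValueName $Name -State Enabled
Get-AdmState -GpoName $Gpo -Key $Key -ValueName $Name

Set-AdmState -GpoName $Gpo -Key $Key -ValueName $Name -State Disabled
Get-AdmState -GpoName $Gpo -Key $Key -ValueName $Name

Set-AdmState -GpoName $Gpo -Key $Key -ValueName $Name -State NotConfigured
Get-AdmState -GpoName $Gpo -Key $Key -ValueName $Name
```

Get-AdmState is the practical test for the difference between Disabled and Not configured: a Disabled setting leaves a value of 0 that the client enforces, while a Not configured one leaves nothing behind, so a value from another GPO or from the local registry survives. Not every template uses 0 for its disabled state; read the template (or the ADMX file on later systems) before assuming the mapping.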

Configure Folder Redirection Settings

Before you can configure the settings on a redirected folder, you need to redirect it as described in the following procedures. To configure a redirected folder:

User Configuration → Windows Settings → Folder Redirection → right-click on a folder to redirect → Properties → Settings

If you want a user to have exclusive rights to her redirected folder, select "Grant the user exclusive rights." If multiple users will be sharing the same redirected folder, clear this setting. If you later unlink the GPO containing the folder-redirection policies from the OU where the users reside in Active Directory, you can specify whether to leave folders in their present (redirected) location or restore them to the local user profile for each user.

Redirect All Users' Folders to the Same Share

User Configuration → Windows Settings → Folder Redirection → right-click on a folder to redirect → Properties → Target → Setting: Basic → \\<server>\<share>

For example, you could redirect the Start menu folder to \\<server>\<share> for all users and set the NTFS permission to Read for the Users group on the <share> folder. In this way, all your users will have a common, standard Start menu that they can use but not modify.

Redirect Each User's Folders to a Different Share

User Configuration → Windows Settings → Folder Redirection → right-click a folder to redirect → Properties → Target → Setting: Basic → \\<server>\<share>\%username%

Using the %username% replaceable variable in this case causes a separate subfolder named after each user to be created for that user within <share>.

Redirect Folders Based on Group Membership

User Configuration → Windows Settings → Folder Redirection → right-click on a folder to redirect → Properties → Target → Setting: Advanced → Add → Security Group Membership: Browse → select a group → OK → Target Folder Location: \\<server>\<share>\<folder>

The option "Move the contents of Application Data to the new location" must be selected on the Settings tab; otherwise, redirection will not occur.
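The per-user layout above only protects users from one another if the share and NTFS permissions on the server are right. The following PowerShell is an added example, not part of the page, that builds the file-server side for \\<server>\<share>\%username% redirection: users may list the root and create their own folder there but cannot open a neighbour's folder, and the creator of a folder owns it. The local path D:\Redirected, the share name Users$, and the group CONTOSO\Domain Users are assumptions; New-SmbShare needs Windows Server 2012 or later (use net share on older servers).

```powershell
# Added example (not from the page). Assumed names: D:\Redirected, Users$,
# CONTOSO\Domain Users. icacls and Get-Acl are built in; New-SmbShare
# needs the SmbShare module (Windows Server 2012+).
$Path  = 'D:\Redirected'
$Share = 'Users$'
$Users = 'CONTOSO\Domain Users'

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# NTFS: remove inherited ACEs, then grant exactly what redirection needs.
#  SYSTEM, Administrators : full control, inherited by everything below
#  CREATOR OWNER          : full control on what a user creates (subfolders/files only)
#  Users                  : list (RD), create subfolder (AD), read perms (RC),
#                           traverse (X) on the root ONLY, so a user can make
#                           \\server\Users$\%username% but cannot read siblings
& icacls.exe $Path /inheritance:r `
    /grant:r 'SYSTEM:(OI)(CI)F' `
             'BUILTIN\Administrators:(OI)(CI)F' `
             'CREATOR OWNER:(OI)(CI)(IO)F' `
             "${Users}:(RD,AD,RC,X)" | Out-Null

# Share permissions are a coarse gate; NTFS does the real work. Offline caching
# is turned off here as a deliberate choice (nothing cached on a lost laptop);
# enable it if Offline Files is part of the design.
New-SmbShare -Name $Share -Path $Path -FullAccess 'Authenticated Users' -CachingMode None | Out-Null

function Test-RedirectionRoot {
    # Returns $true when the user group's ACE stops at the root folder and
    # grants nothing beyond list/create, so users cannot read each other's data
    param([string]$Root, [string]$UserGroup)
    $acl = Get-Acl -LiteralPath $Root
    $bad = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $UserGroup -and (
            $_.InheritanceFlags -ne 'None' -or
            $_.FileSystemRights.ToString() -match 'ReadData|Write|Modify|FullControl|Delete'
        )
    })
    return ($bad.Count -eq 0)
}

Test-RedirectionRoot -Root $Path -UserGroup $Users
```

One caveat when "Grant the user exclusive rights" is selected on the Settings tab: the client creates the user's folder with inheritance turned off and only the user and SYSTEM in its ACL, so the Administrators entry on the root does not carry through. Clear that option, or plan on taking ownership, if administrators must be able to read the redirected data for backup or investigation.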

Configure Script Settings

Use these three steps to implement a startup, shutdown, logon, or logoff script using Group Policy:

  1. Create the script file using Notepad or some other editor.

  2. Copy the script file to the GPT for the GPO in the SYSVOL share. This is necessary because the script file must be stored in the GPT so that the GPO can run it when Group Policy is applied to the client. A simple way to copy the script file to the correct GPT folder is to do the following:

    Right-click on the script file in Windows Explorer or My Computer → select Copy

    Open the GPO that will run the script (see Open a GPO earlier in this section) and:

    For startup/shutdown scripts

    Computer Configuration → Windows Settings → Scripts

    For logon/logoff scripts

    User Configuration → Windows Settings → Scripts

    Double-click on the appropriate policy in the details pane to open its properties sheet, and click Show Files to open a window for the script folder in the GPT. Then paste the script into the GPT window.

  3. Finally, add the script to the GPO by opening the properties sheet of the scripts setting and:

    Add → Browse → select script → OK → specify parameters needed for the script to run (optional)

Startup and shutdown scripts run in the Local System context, and logon and logoff scripts run as the user who is logging on or off. Anyone who can write to the script folder in the GPT can therefore run code as SYSTEM on every computer the GPO applies to, so the NTFS permissions on the GPT deserve the same scrutiny as the GPO's own permissions.

If a startup or logon script fails to terminate, Group Policy waits for it to time out before the next script in the list can run. The default timeout is 10 minutes (600 seconds), so a hung startup script keeps users waiting that long before they can log on. You can configure the timeout using the following GPO setting, which applies to all Group Policy scripts:

Computer Configuration → Administrative Templates → System → Logon → Maximum wait time for Group Policy scripts

If multiple startup scripts are configured, they execute in the order in which they are listed on the Script tab of Startup Properties.

You can also assign a specific logon script to an individual user using the Profile tab of the properties sheet in Active Directory Users and Computers. See Users in this chapter for more information.

Configure Security Settings

You can configure security settings at the local, domain, or domain-controller level. The settings you configure may be overridden by Group Policy, however, depending on how Group Policy has been configured.

Configure a Local Security Policy

Open the Local Security Policy console → expand the console tree and select a policy container → double-click on a policy setting in the details pane → configure the setting as desired

The changes you make to a Local Security Policy are applied to the local machine, but any setting that a domain GPO also configures is overridden by the domain value at the next policy refresh.

Configure a Domain Security Policy

Start → Administrative Tools → Domain Security Policy → modify settings as desired

This shortcut edits the Default Domain Policy GPO directly. A better method is to create custom GPOs linked to the domain and selected OUs using Active Directory Users and Computers, leaving the Default Domain Policy for the account policies (password, account lockout, and Kerberos) that are only effective for domain accounts when set at the domain level. You then configure the security settings in each GPO as desired by opening the GPO and:

Computer Configuration → Windows Settings → Security Settings → modify settings as desired

Configure Software-Installation Settings

Prior to configuring your method of software deployment, you need to perform the following preparatory steps:

Create or obtain a Windows Installer package

A Windows Installer package (an .msi file) must first be created or obtained for the application you want to remotely deploy on your client computers. You may obtain a package from Microsoft or a third-party vendor, or you may create your own package using a third-party packaging tool.

If you need to deploy an application that doesn't come from the vendor with a Windows Installer package file ( .msi file), you can obtain a third-party packaging tool such as WinINSTALL to create your own packages. WinINSTALL is available from OnDemand Software, Inc. at http://www.crystaldecisions.com. WinINSTALL is also included in Microsoft Systems Management Server. WinINSTALL LE is included on the WS2003 CD for this purpose.

Create a software distribution point

Share a folder on a file server on your network, and assign users Read and Execute permissions on the contents of the share. Create a subfolder that has the same name as the application you want to deploy, and store the .msi package file and any other files required for the application in the subfolder. Do not give ordinary users Write access to the share: assigned packages are installed by the Windows Installer service with elevated privileges, so anyone who can replace a package on the distribution point can run code as SYSTEM on every client that installs it.

Create or edit a GPO

If you want to deploy software for all user or computer objects within a container (a site, domain, or OU), you need to create a new GPO and link it to the container or edit an existing GPO that is linked to the container.

The remaining procedures assume that you have already opened the GPO for editing unless otherwise specified.
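Two locations named in this section execute whatever is placed in them with high privilege: the GPT script folders in SYSVOL (see Configure Script Settings earlier) and the software distribution point just described. The following PowerShell is an added example, not from the page, that lists every principal outside an expected administrator set who can write to either, and records the Authenticode status and hash of each .msi on the distribution point so that a swapped package is noticed. It uses the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT); the share \\fs01\Apps$, the CONTOSO domain, and the trusted-principal list are assumptions.

```powershell
# Added example, not from the original page. GroupPolicy module assumed
# (Server 2008 R2+/RSAT). Share name, domain and trusted list are assumptions.
Import-Module GroupPolicy

$DistributionPoint = '\\fs01\Apps$'
$Trusted = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER',
    'CONTOSO\Domain Admins', 'CONTOSO\Enterprise Admins',
    'CONTOSO\Group Policy Creator Owners'
)

function Find-UnexpectedWriters {
    # Emits one record per Allow ACE that grants a write-class right to a
    # principal not in the trusted list
    param([string]$Path, [string[]]$TrustedPrincipals)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.FileSystemRights.ToString()
        # Named write-class rights, or a bare integer (generic rights such as
        # GENERIC_ALL print as numbers and also imply write access)
        $canWrite = ($rights -match 'Write|Modify|FullControl|CreateFiles|AppendData|Delete|ChangePermissions|TakeOwnership') -or
                    ($rights -match '^-?\d+$')
        if ($canWrite -and ($TrustedPrincipals -notcontains $ace.IdentityReference.Value)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $rights
            }
        }
    }
}

function Test-PackageSignatures {
    # Signature state, signer and SHA-256 of each package: a replaced .msi
    # shows up as NotSigned/HashMismatch, a different signer, or a new hash
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Filter *.msi | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Package = $_.FullName
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# The GPT of each GPO lives at \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}
$targets = @($DistributionPoint)
$targets += Get-GPO -All | ForEach-Object {
    '\\{0}\SYSVOL\{0}\Policies\{{{1}}}' -f $_.DomainName, $_.Id
}

$findings = foreach ($t in $targets) { Find-UnexpectedWriters -Path $t -TrustedPrincipals $Trusted }
$findings | Format-Table -AutoSize
Test-PackageSignatures -Root $DistributionPoint | Format-Table -AutoSize
```

Any line in the first table naming Domain Users, Authenticated Users, or Everyone is a privilege-escalation path and should be fixed before the next policy refresh. Keep the hash list from the second table with the GPO backups so a later run can be compared against it.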

Add a New Package for Deployment

Select {Computer | User} Configuration → Software Settings → right-click on Software installation → New → Package → select package → Open

At this point you have three options:

Assigned

This causes the application to be automatically deployed the next time the user logs on (if User Configuration was chosen) or the client computer boots up (if Computer Configuration was chosen). You can further configure the package for deployment by right-clicking the package in the details pane to open its properties sheet.

Published

This causes the application to appear as available for installation in Add/Remove Programs in the Control Panel, and to be installed automatically if the user double-clicks on a file whose file association matches the application. You can further configure the package for deployment by right-clicking the package in the details pane to open its properties sheet.

Advanced published or assigned

This simply opens the properties sheet for the new package and lets you configure the deployment method (assigned or published) and other options.

After you add a new package, you can further configure the deployment method, add software modifications, or create software categories. See the relevant headings in this section for more details.

Add Software Modifications to a Package

You can add and remove software modifications only when you are preparing to deploy the package. You can't add software modifications to the application once it has been installed on the client machines. Transform files ( .mst files) are typically supplied by the vendor that created the package:

Select {Computer | User} Configuration → Software Settings → Software installation → right-click a package → Properties → Modifications → Add → select an .mst file → Open

If you have multiple software modifications added, they are applied in the order displayed.

Change the Deployment Method for a Package

Select {Computer | User} Configuration → Software Settings → Software installation → right-click a package → select a new deployment method

If your package is assigned, you can change it to published. If it is published, you can either change it to assigned or leave it as published but enable or disable automatic installation when users double-click on a file with the application's file association.

Configure Default Deployment Settings for All Packages

Select {Computer | User} Configuration → Software Settings → right-click Software installation → Properties

The key options to configure on these tabs are:

General

You can set the default package location, which is the folder the New Package dialog opens in. Give it the UNC path of your software distribution point, for example:

\\<server>\<share>

Packages are never stored in SYSVOL: the GPT holds only an advertisement script (an .aas file) that points clients at the package on the distribution point, so the location must be a UNC path that the clients can read.

You can configure deployment options so that new packages are automatically published or assigned by default, so that a dialog box prompts whether you want to assign or publish each package, or so that the properties sheet for the package lets you configure its deployment options in detail.

The Basic installation user-interface option gives users an automatic installation using the package's default Windows Installer settings; Maximum lets users specify the installation options themselves. Most .msi packages support both.

If you want the application to be uninstalled automatically when the GPO containing the software-installation policy no longer applies to the users and computers for which it was configured (either because the GPO is unlinked from the OU or because the users and computers are moved to a different OU), select "Uninstall the applications when they fall out of the scope of management."

File extensions

See Modify File-Extension Priorities later in this section.

Categories

See Create and Assign Software Categories later in this section.

Configure Deployment Settings for a Package

Select {Computer | User} Configuration → Software Settings → Software installation → right-click a package → Properties

Here are the key options on the Deployment tab:

Deployment type

Lets you change how your software is deployed (either Assigned or Published). If you choose Published, you can enable or disable either or both of the two installation methods used to install published software (by document activation or by using Add/Remove Programs).

Deployment options

Lets you choose to have the application uninstalled automatically when the GPO used to deploy the software is unlinked from the OU or when the user or computer objects are moved to a different OU where the GPO doesn't apply.

Installation user-interface options

Basic installation provides automatic installation using the default Windows Installer package settings, while Maximum lets you specify installation options.

Advanced

Displays the product code for the application and advanced diagnostic information.

Create and Assign Software Categories

To create a new category for software you are publishing:

Select {Computer | User} Configuration → Software Settings → right-click on Software installation → Properties → Categories → Add → enter a category name

Once the category is created, you can assign it to a package:

Select {Computer | User} Configuration → Software Settings → Software installation → right-click on a package → Properties → Categories → select a category → Select

Modify File-Extension Priorities

If you are deploying two different versions of an application that creates files with the same file extension, you can specify which extension's priority will be used to deploy published software using document activation (i.e., double-clicking on a document). To do this:

Select {Computer | User} Configuration → Software Settings → right-click on Software installation → Properties → File extensions → use the Up or Down buttons

The application at the top of the list is installed. This affects all users or computers that have the currently selected GPO applied to them.

Redeploy Software

Use this procedure to apply a fix (service pack or patch) to a deployed application. This works only if the fix comes as a Windows Installer package file (an .msi file). First, place the fix in the appropriate location (where the original package file was placed). To apply the fix, open the GPO that was used to deploy the application and:

Select {Computer | User} Configuration → Software Settings → Software installation → right-click on a package → All Tasks → Redeploy application → Yes

Remove Deployed Software

To remove deployed software:

Select {Computer | User} Configuration → Software Settings → Software installation → right-click on a package → All Tasks → Remove

You can either choose to have the application removed immediately (i.e., when users' client computers next reboot or users next log on), or you can leave existing deployments as they are and prevent any new deployments from occurring. Either action removes the policy for the package from the Software Installation container in the GPO but doesn't delete the package itself from its distribution point. If you choose to leave existing deployments intact, users may be able to delete them manually using Add/Remove Programs in the Control Panel, depending on Group Policy settings for their domain or OU.

Upgrade Deployed Software

To deploy a newer version of software you have already deployed using Group Policy, add a new package for the upgraded version of the software (see Add a New Package for Deployment earlier in this section). Then do the following:

Select {Computer | User} Configuration → Software Settings → Software installation → right-click on the new package → Properties → Upgrades → Add → Browse → select package for previous version → OK → specify whether to uninstall the previous application first or perform the upgrade over it

The previous version may have been selected automatically with the right uninstallation/upgrade option. At this point, if you select the option "Required upgrade for existing packages," then a mandatory upgrade will be performed, replacing the previous version with the new version when the client computers boot up next or the user logs on next. If you deselect this option, the upgrade is optional and users can choose whether to continue working with the previous version or upgrade to the new version.

Note that upgrading a deployed application to a new version is different from applying a service pack or a fix to the application. To apply a service pack or fix to a deployed application, see Redeploy Software earlier in this section.

Assign an Application

If you are deploying software on client computers using Windows Installer technologies, Windows Installer packages are published automatically in Active Directory when you add a new package to the Software installation container in a GPO. Some packages, however, particularly those you build yourself as .msi files, must be published manually or assigned in Active Directory, as follows:

Right-click on the OU to which the GPO for deploying the application is linked → Properties → Group Policy → select the GPO → Edit → {User | Computer} Configuration → Software Settings → Software installation → New → Package → specify the UNC path to the share on the file server where the .msi file resides → select the .msi file → Open → select Assigned

Assigning the application to users makes it appear in Add/Remove Programs in the Control Panel (and on the Start menu) for users in the OU where the GPO is applied; assigning it to computers installs it the next time those computers start.

Use RSoP

RSoP queries can be run various ways to simulate the effect of Group Policy on a domain, OU, or site. For example, to run an RSoP query on a domain or OU:

Active Directory Users and Computers → right-click on domain or OU → All Tasks → Resultant Set of Policy (Planning)

This starts the RSoP Wizard that can be used to view simulated policy settings for a selected user and computer. You can either skip to the end of the wizard immediately to see the result of your policies or click Next to simulate slow WAN links or loopback processing, specify a site, simulate the groups to which the user and computer might belong, and specify WMI filters linked to the GPO. When the wizard completes, the results of the RSoP query are displayed in a new console.

Next, you can run an RSoP query on a user or computer:

Active Directory Users and Computers → right-click on computer or user → All Tasks → Resultant Set of Policy (Planning) or Resultant Set of Policy (Logging)

Logging mode reviews the settings currently applied to a user or computer, while planning mode simulates the application of a Group Policy you are considering:

Logging mode → specify computer → specify user → view results

Planning mode → starts the Resultant Set of Policy Wizard

You can also run an RSoP query on a site:

Active Directory Sites and Services → right-click on a site → All Tasks → Resultant Set of Policy (Planning)

RSoP in planning mode lets you simulate the effect of Group Policy without actually applying it, allowing you to see what would happen if you selected the policy you are examining. You can also run RSoP in logging mode, which displays the settings that result from applying the current Group Policy to a specified user or computer. To do this, you first create a custom MMC console containing the RSoP snap-in:

Start → Run → mmc → OK → Add/Remove Snap-in → Add → Resultant Set of Policy → Add

Now do the following:

Right-click on the Resultant Set of Policy node → Generate RSoP Data → Logging Mode → select {this computer | another computer (specify)} → optionally display resulting user settings only → select {this user | another user (specify)} → optionally display resulting computer settings only

Save an RSoP Query

You can save RSoP queries for later analysis:

RSoP query → View → Archive data in console file → File → Save → specify filename

Change an RSoP Query

If you want to rerun RSoP with a different user or computer, do this:

Right-click on RSoP query → Change Query → specify computer → specify user

View an RSoP Report in HTML

Finally, try this:

Start → Help and Support → Support Tasks → Tools → System Information → View Advanced System Information → View Group Policy Settings Applied

You can print this!
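Logging mode can also be driven from the command line, which makes it usable for a repeatable check rather than a one-off look in a console. The following PowerShell is an added example, not from the page, that runs an RSoP logging query with Get-GPResultantSetOfPolicy (GroupPolicy module, Windows Server 2008 R2 and later, or RSAT; on WS2003 the command-line equivalent is gpresult /v), summarises which GPOs were applied, filtered out by WMI filter, or denied by security filtering, and compares two computers that should be receiving the same policy. The computer and user names are assumptions, and the XML element names are those of the RSoP report schema written by gpresult /x and this cmdlet. Planning (simulation) mode has no cmdlet and remains a GPMC task.

```powershell
# Added example (not from the page). GroupPolicy module assumed
# (Server 2008 R2+/RSAT). Computer/user names are assumptions.
Import-Module GroupPolicy

function Get-AppliedGpoSummary {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [string]$User,
        [string]$ReportPath = (Join-Path $env:TEMP "rsop-$Computer.xml")
    )
    # Logging mode: the client is asked what it actually applied. The user
    # must have logged on to that computer at least once for user results.
    $params = @{ Computer = $Computer; ReportType = 'Xml'; Path = $ReportPath }
    if ($User) { $params.User = $User }
    Get-GPResultantSetOfPolicy @params | Out-Null

    [xml]$rsop = Get-Content -LiteralPath $ReportPath
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $node = $rsop.Rsop.$scope
        if (-not $node) { continue }
        foreach ($gpo in $node.GPO) {
            [pscustomobject]@{
                Scope        = $scope
                Name         = $gpo.Name
                Enabled      = ($gpo.Enabled -eq 'true')
                WmiFiltered  = ($gpo.FilterAllowed -eq 'false')   # a WMI filter excluded it
                AccessDenied = ($gpo.AccessDenied -eq 'true')     # security filtering excluded it
                LinkedAt     = (@($gpo.Link) | ForEach-Object { $_.SOMPath }) -join '; '
            }
        }
    }
}

function Compare-AppliedGpos {
    # Drift check: two members of the same OU should apply the same computer GPOs
    param([string]$Reference, [string]$Difference)
    $a = Get-AppliedGpoSummary -Computer $Reference  |
         Where-Object { $_.Scope -eq 'ComputerResults' -and -not $_.AccessDenied -and -not $_.WmiFiltered }
    $b = Get-AppliedGpoSummary -Computer $Difference |
         Where-Object { $_.Scope -eq 'ComputerResults' -and -not $_.AccessDenied -and -not $_.WmiFiltered }
    Compare-Object -ReferenceObject @($a) -DifferenceObject @($b) -Property Name
}

Get-AppliedGpoSummary -Computer 'WS01' -User 'CONTOSO\alice' | Format-Table -AutoSize
Compare-AppliedGpos -Reference 'WS01' -Difference 'WS02'
```

A GPO that shows AccessDenied for a computer that should receive it is the usual symptom of security filtering that removed Read from the wrong principal, and an empty Compare-Object result is what "these two machines get the same policy" looks like in evidence form.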

Manage Group Policy Using the GPMC

This section provides a brief overview of Group Policy management tasks performed using Version 1.0 of the GPMC, an optional add-on for WS2003 that can be downloaded from Microsoft's web site. To open the GPMC console, do one of the following:

Administrative Tools → Active Directory Users and Computers → right-click on a domain or OU → Properties → Group Policy → Open

Administrative Tools → Active Directory Sites and Services → right-click on a site → Properties → Group Policy → Open

Administrative Tools → Group Policy Management

Start → Run → gpmc.msc

You can also add the Group Policy Management snap-in to a new or existing MMC console to create your own custom tool for managing Group Policy (see the "Microsoft Management Console" sections later in this chapter for more information).

Note that the GPMC is used only for managing GPOs and GPO links and for modeling or evaluating how they are applied to domains, sites, and OUs in a forest. The GPMC is not used for editing GPO settings, which is done with the GPOE instead. For information about managing GPO settings, see the section Configure a GPO earlier in this section.

These tasks assume you have the GPMC console open.

Create a GPO

There are several ways to create new GPOs using the GPMC. For example, to create a GPO and link it automatically to a domain or OU, do this:

Right-click on domain or OU → Create and Link a GPO Here → specify name for new GPO

To create an unlinked GPO, do this:

Select a domain → right-click on Group Policy Objects → New → specify name for new GPO

Don't forget that the new GPO must be linked to a domain, OU, or site before it can be used.

Open a GPO

To open a GPO in the GPOE from the GPMC, do this:

Right-click on GPO → Edit

You can also right-click on a GPO link to do this; note that GPO links have shortcut icons to distinguish them from GPOs. A dialog box appears when you click on a GPO link to remind you that actions you perform affect the GPO and all links for that GPO.

Here is a new way of displaying GPO settings in HTML format:

Select a GPO or GPO link → Settings → show settings as desired

Note that this displays only defined GPO settings, together with other information about the GPO itself. If the new Internet Explorer Enhanced Security Configuration component is enabled, the first time you follow this procedure a dialog box appears prompting you to add the HTML page displayed to the Trusted Sites zone. To save the HTML file for later viewing, do this:

Right-click on a GPO or GPO link → Save Report

Link a GPO

To link an existing GPO to a domain, OU, or site, do this:

Right-click on domain, OU, or site → Link an Existing GPO → select GPO(s) to link

You can also drag and drop a GPO onto a domain, OU, or site to link it. Once a GPO is linked, the link can be enabled or disabled at any time using this toggle:

Right-click on GPO link → Link Enabled

Display Links for a GPO

To view which domains, OUs, or sites a GPO is linked to, do this:

Select a GPO → Scope → choose the domain under Display links in this location → Links

Modify GPO Link Order

To modify the order in which multiple GPOs linked to a domain, OU, or site are applied, do this:

Select domain, OU, or site → Linked Group Policy Objects → select a link → Move Up or Move Down

The GPO with a link order of 1 has the highest precedence for that domain, OU, or site: it is processed last, so its settings win any conflict with other GPOs linked to the same container.

Scope a GPO

To scope a linked GPO (specify which users and computers will receive the settings in the GPO), do this:

Select a GPO or GPO link → Scope → Security Filtering → Add → select users, groups, or computers

The default entry, Authenticated Users, gives every user and computer Read and Apply Group Policy. Remove it when you add a narrower group; otherwise the GPO still applies to everyone.

Enforce a GPO

To force a GPO to apply to the entire subtree of Active Directory beneath a domain, OU, or site, do this:

Right-click on a GPO link → Enforced

To undo this, repeat. A GPO link that is enforced displays with a gray padlock on its icon. Enforcing a GPO link corresponds to the No Override option in the standard Group Policy interface that the GPMC replaces when it is installed.

Block GPO Inheritance

To prevent a domain, OU, or site from inheriting GPOs from any parent container, do this:

Right-click on domain, OU, or site → Block Inheritance

To undo this, repeat. When this is enabled, the domain, OU, or site displays a blue exclamation point on its icon.
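The create, link, link-order, enforce, and block-inheritance tasks above (and the equivalent No Override and Block Policy Inheritance options in the older interface) come together in one scenario: a baseline that must reach every workstation and a lockdown OU that blocks everything else. The following PowerShell is an added example, not from the page, that sets this up with the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT; GPMC 1.0 exposed these operations only through its .wsf scripts and COM interfaces) and then reads back the effective link list for the child OU to prove the enforced GPO survives the block. The domain contoso.com, the OU names, and the GPO names are assumptions.

```powershell
# Added example (not from the page). GroupPolicy module assumed
# (Server 2008 R2+/RSAT). Domain, OU and GPO names are assumptions.
Import-Module GroupPolicy

$Domain   = 'DC=contoso,DC=com'
$ParentOU = "OU=Workstations,$Domain"
$ChildOU  = "OU=Kiosks,$ParentOU"

# Create two GPOs and link them; -Order 1 gives the baseline highest precedence
# among the GPOs linked to the parent OU
New-GPO -Name 'Baseline Security' -Comment 'Settings every workstation must receive' |
    New-GPLink -Target $ParentOU -LinkEnabled Yes -Order 1 | Out-Null
New-GPO -Name 'Kiosk Lockdown' |
    New-GPLink -Target $ChildOU -LinkEnabled Yes | Out-Null

# Block inheritance on the child OU: GPOs linked to the site, domain and
# parent OUs stop at this boundary ...
Set-GPInheritance -Target $ChildOU -IsBlocked Yes | Out-Null

# ... except links that are Enforced (No Override in the old interface).
# This is set on the link, so other links to the same GPO are unaffected.
Set-GPLink -Name 'Baseline Security' -Target $ParentOU -Enforced Yes | Out-Null

function Get-EffectiveGpoOrder {
    # InheritedGpoLinks is the list a client in this container will process,
    # highest precedence first; blocked non-enforced links are already absent
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target             = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        EffectiveLinks     = @($inh.InheritedGpoLinks | ForEach-Object {
            '{0} (enforced={1}, enabled={2}, linked at {3})' -f $_.DisplayName, $_.Enforced, $_.Enabled, $_.Target
        })
    }
}

Get-EffectiveGpoOrder -Target $ChildOU | Format-List
```

For the kiosk OU the effective list should contain Baseline Security ahead of Kiosk Lockdown and nothing else from above the block. If a parent GPO you expected to be stopped still appears, look for an Enforced link you did not know about; if the baseline is missing, the link was enforced on a different link of the same GPO.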

Delegate Group Policy

By default, the ability to create GPOs is a right of the Group Policy Creator Owners (GPCO) group (and of Domain Admins), but an administrator can also delegate this right to any other user or group by adding the user or group to the GPCO group. Another way of granting this right is:

Select Group Policy Objects → Delegation → Add → select user or group

To delegate limited ability to manage specific aspects of a GPO, do this:

Select a GPO → Delegation → Add → select user or group → specify permissions

Possible permissions are:

  • Read

  • Edit Settings

  • Edit Settings, Delete, Modify Security

You can also assign custom permissions by clicking the Advanced button, which corresponds to the Security tab on the standard Group Policy interface.

To delegate the ability to manage GPO links, modeling, and results for a container using the GPMC, do this:

Select a domain, OU, or site → Delegation → select permission {Link GPOs | Perform Group Policy Modeling analyses | Read Group Policy Results data} → Add → select user or group → select {This container only | This container and all child containers}

This procedure can assign only one permission at a time, but you can repeat it to assign multiple permissions to the same user or group. Reserve Edit Settings, Delete, Modify Security for Group Policy administrators: a principal holding it can re-ACL the GPO and grant itself or others the ability to push arbitrary settings, scripts, and software to every scoped computer.
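Security filtering (Filter a GPO and Scope a GPO) and delegation (Delegate Control of a GPO and the procedure above) are both edits to the same ACL on the GPO, and doing them from a script makes the result easy to audit. The following PowerShell is an added example, not from the page, that scopes one GPO to a single group, delegates editing only, and then prints who holds what, using Set-GPPermission and Get-GPPermission from the GroupPolicy module (Windows Server 2008 R2 and later, or RSAT). The GPO and group names are assumptions. It also applies one caveat that postdates the page: since the MS16-072 update (June 2016), user settings are retrieved in the computer's security context, so computers must keep Read on a user GPO once Authenticated Users is removed.

```powershell
# Added example (not from the page). GroupPolicy module assumed
# (Server 2008 R2+/RSAT). GPO and group names are assumptions.
Import-Module GroupPolicy

$Gpo        = 'Finance Desktop'
$ApplyGroup = 'Finance-Users'        # only these users should receive the settings
$EditGroup  = 'GPO-Finance-Editors'  # may change settings, but not delete or re-ACL

# 1. Scope: remove the default Authenticated Users entry (Read + Apply) and
#    give Apply to the intended group only. -Replace overwrites existing ACEs.
Set-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $Gpo -TargetName $ApplyGroup -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 2. MS16-072 caveat: computers read user GPOs on the user's behalf, so they
#    still need Read or the user settings silently stop applying
Set-GPPermission -Name $Gpo -TargetName 'Domain Computers' -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# 3. Delegation: Edit Settings only, never Edit/Delete/Modify Security for helpdesk-type roles
Set-GPPermission -Name $Gpo -TargetName $EditGroup -TargetType Group `
                 -PermissionLevel GpoEdit | Out-Null

function Get-GpoAccessSummary {
    # One row per trustee: who can read, apply, edit, or fully control the GPO
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.Trustee.Name
            SidType    = $_.Trustee.SidType
            Permission = $_.Permission   # GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity, GpoCustom
            Inherited  = $_.Inherited
        }
    }
}

function Find-GpoEditors {
    # Anyone at GpoEdit or above can run code on every scoped computer
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GpoAccessSummary -GpoName $GpoName |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom' }
}

Get-GpoAccessSummary -GpoName $Gpo | Format-Table -AutoSize
Find-GpoEditors -GpoName $Gpo | Format-Table -AutoSize
```

GpoCustom in the output means the ACL no longer matches one of the standard levels and should be inspected with the Advanced button, since a hand-edited ACL is where stray Deny entries and over-broad grants tend to live. The editor list from Find-GpoEditors should match the list of principals allowed to write to the GPO's template folder in SYSVOL; if one is wider than the other, the wider one is the real level of access.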

Disable a GPO

You can disable all or part (user or computer configuration) of a GPO by:

Right-click on a GPO → GPO Status → disable user, computer, or all configuration settings as desired

You can also do this by:

Select a GPO → Details → GPO Status → disable user, computer, or all configuration settings as desired

Delete a GPO

To delete a GPO:

Right-click on GPO → Delete

This deletes the GPO and every link to it. To remove only one link, right-click the link under its domain, OU, or site and select Delete there instead.

Manage Multiple Forests

By default, the GPMC displays only the forest to which the user account running the console belongs. To use this tool to manage another forest with which a two-way, cross-forest trust has already been established, do the following:

Right-click on root node → Add Forest → specify DNS or NetBIOS name of remote forest

You can also remove a forest from the GPMC by right-clicking on the forest node and selecting Remove.

Back Up/Export a GPO

New to the GPMC is the ability to back up (or export) a GPO to a file:

Right-click on a GPO → Backup → specify location → specify a name

To view the defined settings of a backed-up GPO, do this:

Right-click on Group Policy Objects → Manage Backups → select a backed-up GPO → View Settings

You can also back up GPOs from the command line using the BackupGPO.wsf and BackupAllGPOs.wsf scripts installed with the GPMC.

Restore a GPO

Restoring a backed-up GPO resets the GPO to the state it was in when the backup was taken:

Right-click on Group Policy Objects → Manage Backups → select a backed-up GPO → Restore

You can also do this by:

Right-click on the GPO → Restore from Backup → follow wizard to select backup file

You can also restore GPOs from the command line using the RestoreGPO.wsf and RestoreAllGPOs.wsf scripts installed with the GPMC.

Import a GPO

You can import a GPO that was previously exported (backed up) to transfer GPO settings from a backed-up GPO to a different existing GPO. This operation can be performed within a domain, between domains, or between forests. To do this:

Right-click on a GPO → Import → follow wizard to select backup file

You can also import GPOs from the command line using the ImportGPO.wsf and ImportAllGPOs.wsf scripts installed with the GPMC.

Copy a GPO

Copying a GPO is like backing it up or exporting it, except that the GPO is not saved as a file but instead is used to create a new (identical) GPO:

Right-click on a GPO → Copy → right-click on the Group Policy Objects container in any domain in the forest → Paste → specify permissions {Use default permissions for the new GPO (default) | Preserve the existing permissions}

If you copy a GPO to the same container in which it resides, its resulting name will begin with "Copy of." You can also copy GPOs between forests that have two-way trusts established between them. You can also copy GPOs from the command line using the CopyGPO.wsf script installed with the GPMC.

Copying GPOs across domains is complicated by the fact that some information in a GPO may be specific only to the domain in which it was created. To make this work, you can create a migration table to map references to users, groups, computers, and UNC paths in the source GPO to the new values they will have in the target GPO. See the online help for the GPMC for more information.
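The back up, restore, import and copy tasks above as one scripted sequence, added here as an example that is not from the book: it uses the GroupPolicy PowerShell module (Windows Server 2008 R2 and later) in place of the GPMC .wsf scripts, and the GPO name, domains, backup share and migration-table file are assumptions.

```powershell
Import-Module GroupPolicy

$BackupPath = '\\fileserver\GPO-Backups'   # assumed share; a backup holds the whole policy, so ACL it like the GPO
$Source     = 'Workstation Baseline'       # assumed GPO name
$SrcDomain  = 'corp.example.com'           # assumed source domain
$DstDomain  = 'lab.example.com'            # assumed target domain, two-way trust assumed
$MigTable   = "$BackupPath\corp-to-lab.migtable"   # assumed; produced with the GPMC Migration Table Editor

# Back up: keep the BackupId. The same GPO may be backed up many times into one
# folder, and the Id is what makes a later restore or import unambiguous.
$backup = Backup-GPO -Name $Source -Domain $SrcDomain -Path $BackupPath `
    -Comment "pre-change $(Get-Date -Format s)"
"Backup $($backup.Id) of '$($backup.DisplayName)' taken $($backup.CreationTime)"

# Keep a readable record of what was backed up: a report of the live GPO at backup
# time, stored beside the backup under its Id.
Get-GPOReport -Name $Source -Domain $SrcDomain -ReportType Html `
    -Path "$BackupPath\$($backup.Id).html"

# Restore: overwrite the live GPO with exactly this backup's settings and permissions.
# Links from sites, domains and OUs are not part of a backup and are left as they are.
Restore-GPO -BackupId $backup.Id -Domain $SrcDomain -Path $BackupPath

# Import: load the backed-up settings into a GPO in the other domain. Security
# principals and UNC paths that only exist in the source domain are rewritten
# through the migration table; -Domain names the domain of the target GPO.
Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $Source `
    -Domain $DstDomain -CreateIfNeeded -MigrationTable $MigTable

# Copy: the same result without the intermediate file. -CopyAcl is the GPMC's
# "Preserve the existing permissions"; omit it for default permissions on the new GPO.
Copy-GPO -SourceName $Source -SourceDomain $SrcDomain -TargetName "$Source (copy)" `
    -TargetDomain $DstDomain -CopyAcl -MigrationTable $MigTable
```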

Search for a GPO

New to the GPMC is the ability to search a forest for a GPO:

Right-click on a forest → Search → specify search range and criteria

Perform Group Policy Modeling

Group Policy Modeling corresponds to RSoP planning mode and allows you to simulate how Group Policy will be applied to a user or computer before you actually try applying it. Group Policy Modeling uses a wizard as follows:

Right-click on Group Policy Modeling → Group Policy Modeling Wizard → select a WS2003 domain controller → select a user or container and/or select a computer or container → skip to end of wizard or configure advanced modeling options

The advanced options include:

  • Slow WAN link simulation

  • Loopback processing (replace or merge)

  • Select a site

  • Modify alternate Active Directory paths for user and/or computer containers

  • Modify user's and computer's security group membership

  • Specify WMI filters for users and computers

The result of running the wizard is a saved query in the Group Policy Modeling container. By right-clicking on this query, you can:

  • Display the applied GPO settings in detail in RSoP console

  • Rerun the query

  • Create a new query based on the original one

  • Save the results displayed in the details pane as an HTML report

Obtain Group Policy Results

Group Policy results correspond to RSoP logging mode and let you obtain the actual resultant Group Policy settings that have been applied to a user or computer (unlike Group Policy Modeling, which is only a simulation). You obtain Group Policy results using a wizard:

Right-click on Group Policy Results → Group Policy Results Wizard → select this computer or another computer → optionally display resulting user settings only → select {this user | another user (specify)} → optionally display resulting computer settings only

The results node is placed in the Group Policy Results container, and by right-clicking on it, you can:

  • Display the applied GPO settings in detail in the RSoP console

  • Rerun the query

  • Save the results displayed in the details pane as an HTML report



Windows Server 2003 in a Nutshell
ISBN: 0596004044
Year: 2003
Pages: 415
Authors: Mitch Tulloch
