Determining Applied GPOs


Group Policy was a wonderful addition when it was first included in Windows 2000. With the new functionality added in Windows Server 2003, it's even better. However, now that we've come to rely on Group Policy to assist us in managing our networks, it has become essential that we keep it configured properly.

Fortunately, Microsoft has provided several tools to assist in managing Group Policy. In the following sections, we'll take a brief look at a few of them.

Note: Know It All

As we mentioned in Chapter 9, "Implementing Group Policy," as of SP2, Microsoft still was not including the Group Policy Management Console with Windows Server 2003. It is available only as a download from the website. However, this tool makes managing Group Policy a lot easier, and you should expect to see it on the exam.


GPResult

GPResult is a command-line tool that was originally part of the Windows 2000 Server Resource Kit, but is now included with the operating system in Windows XP and Windows Server 2003. GPResult allows you to display the Group Policy settings and the Resultant Set of Policy (RSoP) for a computer or user.

Group Policy can be applied to a user or computer at the site, domain, or OU, and multiple GPOs can be applied at each level. Because of these different overlapping levels of policies, it's helpful, if not essential, to have a tool that can tell you what the final outcome (the RSoP) really is.

This Resultant Set of Policy information is extremely important when you're trying to figure out why a Group Policy setting doesn't seem to be applied, or when it is being applied when it shouldn't be!

Table 10.1 shows the available command-line options for the tool.

Table 10.1. Command-Line Options for gpresult

Parameter                   Description
/s Computer                 The name or IP address of a remote computer. The default is the local computer.
/u Domain\User              Runs the command in the context of the user that is specified by Domain\User. The default is the current user.
/p Password                 Specifies the password of the user account that is specified in the /u parameter.
/user TargetUserName        Specifies the username of the user whose RSoP data is to be displayed.
/scope {user | computer}    Displays either user or computer results. If you omit the /scope parameter, both user and computer settings are displayed.
/v                          Displays verbose policy information.
/z                          Specifies that the output display all available information about Group Policy. Because this parameter produces a lot of information, redirect output to a text file when you use it.
/?                          Displays help.


As you can see from the command options, gpresult can be run either locally or remotely. It can also be limited to either Computer or User settings.

One item that might not be apparent is that you must enter the computer name where the user has logged on, even in those cases where you don't want to see the computer settings. You also will not be able to get any data for a user who has never logged on. This is because most user policies cannot be applied until the user logs on at least once.

In Step by Step 10.4, we're going to use the gpresult tool to see the effects of the multiple GPOs that we assigned to the users in the Kansas City\Users OU.

Step by Step

10.4 Using gpresult to determine RSoP

1. Log on to your test server as Administrator.

2. Open a command window.

3. Enter the following command: gpresult /user username /scope user /v. (For username, enter the name of the user account that you have been using for the previous exercises.)

4. The output of the command will appear in the command window, as shown in Figure 10.9.

Figure 10.9. Part of the output using the /v option for the gpresult command.


As you can see, the gpresult command supplies a lot of data not only about the GPOs, but also about the user. Run the command again with a variety of command-line options, using both /v for verbose output and /z for full output. You might want to redirect the output to a text file for easier reading.
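
When a setting is missing or unexpectedly present, the parts of the verbose output that matter most are the applied GPOs, the GPOs that were filtered out, and the user's security groups. The following PowerShell is an added example, not from the book: it pulls those three lists out of gpresult text. It assumes English-language section headings as in the constructed sample; the helper name Get-GpresultSection, the user, and the domain are made up for illustration.

```powershell
# Added example. $sample is CONSTRUCTED text in the layout gpresult prints (names are made up).
$sample = @'
USER SETTINGS
--------------
    CN=jsmith,OU=Users,OU=Kansas City,DC=example,DC=local

    Applied Group Policy Objects
    -----------------------------
        User Folder Redirection
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Temporary Admins
'@ -split "`r?`n"

# Hypothetical helper: returns the entries listed under one underlined heading.
function Get-GpresultSection {
    param([string[]]$Lines, [string]$Heading)
    $items = @()
    $inSection = $false
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $text = $Lines[$i].Trim()
        # A heading is a text line whose next line is a row of dashes.
        $isHeading = ($i + 1 -lt $Lines.Count) -and ($Lines[$i + 1].Trim() -match '^-{3,}$')
        if ($isHeading) { $inSection = $text -like "$Heading*"; continue }
        if (-not $inSection -or $text -eq '' -or $text -match '^-{3,}$') { continue }
        if ($text -match '^Filtering:\s*(.+)$' -and $items.Count -gt 0) {
            # Attach the filter reason to the GPO named on the line above.
            $items[-1] = "$($items[-1]) [$($Matches[1])]"
        } else { $items += $text }
    }
    return $items
}

$applied  = @(Get-GpresultSection $sample 'Applied Group Policy Objects')
$filtered = @(Get-GpresultSection $sample 'The following GPOs were not applied')
$groups   = @(Get-GpresultSection $sample 'The user is a part of')
"Applied GPOs : $($applied -join '; ')"
"Filtered out : $($filtered -join '; ')"
"Groups       : $($groups -join '; ')"
# Live use: $lines = gpresult /user username /scope user /v   (username is a placeholder)
```

Comparing the filtered-out list and the group list against what you expected is usually the quickest way to spot a security-filtering mistake.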

Note: Domain Type

You'll notice that the gpresult tool will display the domain type as Windows 2000. It looks like Microsoft hasn't updated the tool to recognize Windows Server 2003 domains yet.


Group Policy Results

Now that we've had a chance to review the data from the gpresult tool, let's take a look at a similar report using the Group Policy Management Console.

The Group Policy Results function of the GPMC presents much of the same data as the gpresult tool, but it produces it using a GUI wizard that prompts you for the desired parameters so that you don't need to memorize any obscure command-line options. It also produces a nice multicolored report, suitable for printing, that can be exported in HTML or XML so that it can be displayed on a web page or added to a report for your management.

The limitation of the Group Policy Results function is that it can report only on Windows XP or Windows Server 2003 machines. Windows 2000 servers or workstations are not supported.

In Step by Step 10.5, we're going to use the Group Policy Results Function of the GPMC to see the effects of the multiple GPOs that we assigned to the users in the Kansas City\Users OU. Use the same user and computer names that you used in Step by Step 10.4 so that you can compare results.

Step by Step

10.5 Using the Group Policy Results Function of the GPMC to determine RSoP

1. Open the Group Policy Management Console. Right-click the Group Policy Results node and select Group Policy Results Wizard from the pop-up menu.

2. This starts the Group Policy Results Wizard. Click Next to continue.

3. The Computer Selection dialog box appears, as shown in Figure 10.10. Select the Another Computer option button, and enter the name of the computer. Also select the Do Not Display Policy Settings for the Selected Computer check box. Click Next to continue.



Figure 10.10. You must enter the computer name where the user has logged on, even though you don't want to see the computer settings.


4. The User Selection dialog box appears, as shown in Figure 10.11. Select the desired user, and then click the Next button.

Figure 10.11. Select the desired user. Notice that only the users who have previously logged on to the computer are displayed.


5. On the Summary of Selections screen, review your choices. If you need to make any changes, click the Back button; otherwise, click Next.

6. When the Completing the Group Policy Wizard screen appears, click Finish.

7. The report will appear in the right pane of the console window. Click the Settings tab to see the settings that were applied to the user account.

8. The Group Policy Results are displayed (see Figure 10.12).



Figure 10.12. The settings applied to the user account. Compare these with the results from the gpresult tool.


The three tabs of the query results are as follows:

  • Summary: This page lists the GPOs, the security group membership, and any WMI filters.

  • Settings: This is a complete list of the policy settings applied to the user or computer.

  • Events: This lists all the policy-related events found in the event viewer on the targeted machine.

After the report has been run, it can be saved to a file for future reference.

Group Policy Reporting

As you've probably noticed from working with GPOs, it's hard to tell at a glance what all the settings are. It can be quite tedious to open up the Group Policy Object Editor and expand every folder in every branch of every node in the GPO so that you can see what is enabled and what is not.

Fortunately, Microsoft has supplied a Group Policy Reporting function in the Group Policy Management Console. This function allows you to display all the settings for a GPO in an HTML window, and like the Results report, you can save it to a file for future use.

In Step by Step 10.6, we're going to use the Group Policy Reporting function of the GPMC to examine the settings of one of the GPOs that we assigned to the users in the Kansas City\Users OU.

Step by Step

10.6 Using the Group Policy Reporting function of the GPMC

1. Open the Group Policy Management Console. Expand the Kansas City OU, and select the Users OU underneath it.

2. Click the GPO link for the User Folder Redirection GPO. When prompted whether you are using a link, click Yes.

3. The User Folder Redirection configuration is displayed in the right pane of the GPMC. Select the Settings tab.

4. As shown in Figure 10.13, all the configuration settings for the GPO are displayed.

Figure 10.13. The Group Policy Management Console, displaying the settings for a GPO.


The four tabs displayed for each GPO contain the following:

  • Scope: This page lists the OUs that the GPO is linked to, Security Filtering, and any WMI filters.

  • Settings: This is a complete list of the policy settings contained in the GPO.

  • Delegation: This tab shows the permissions that users and groups have for the GPO.

  • Details: This lists all the system statistics for the GPO, such as the owner, when it was created and modified, the GUID, and the version number. This tab also allows you to disable the entire GPO or just the User or the Computer section.

After the report has been run, it can be saved to a file for future reference.

Challenge

You are the network administrator for your company. The network consists of a single Active Directory domain. All network servers run Windows Server 2003, and all client computers run Windows XP Professional.

As is typical of most administrators, you're overworked. A new application has been released that has to be installed on 50 workstations before the end of the week. You don't have the time, so you recruit a couple of temp employees to do it for you. The new application requires the installer to have local administrator rights on the workstation, but you don't want temporary employees to have domain administrator rights. How do you handle this?

Try to complete this exercise on your own, listing your conclusions on a sheet of paper. After you have completed the exercise, compare your results to those given here.

1. Create a global group and name it Temporary Admins. Add the user accounts of the temporary employees to this group.

2. Open the Group Policy Management Console. Right-click the OU that the PCs are located in and select Create and Link a GPO Here from the pop-up menu.

3. When the New GPO prompt appears, enter the name Restricted Groups, and click OK.

4. The new GPO will appear in the Group Policy Objects container and as a linked object under the OU folder.

5. Right-click the new GPO and select Edit from the pop-up menu. The Group Policy Editor MMC appears.

6. Click the Computer Configuration icon, and then click the Windows Settings folder.

7. Right-click the Restricted Groups icon and select Add Group.

8. In the Add Group dialog, enter Administrators, and then click the OK button.

9. The Administrators Properties window opens (just like the one we showed earlier in Figure 10.8). Click the Add button, and add the Temporary Admins global group to the group. Click OK to save.

Giving temporary employees domain administrator rights is generally not a good idea. By assigning them to the local administrators group, they will have the ability to install software on all machines affected by the GPO. In addition, if they should add any other users to the local administrators group, either purposely or accidentally, those user accounts will be removed at the next Group Policy refresh cycle.





MCSA/MCSE 70-290 Exam Prep: Managing and Maintaining a Microsoft Windows Server 2003 Environment (2nd Edition)
ISBN: 0789736489
EAN: 2147483647
Year: 2006
Pages: 219
Authors: Lee Scales
