Group Policy Management Console
One of the reasons Group Policy doesn't get leveraged as much as it should is, I think, that the tools for managing it were a bit kludgy under Windows 2000, and even in the initial release of Windows Server 2003. Not anymore, though, since the Group Policy Management Console (GPMC) is not the same old clunky thing that you've been living with. But this tool has managed to fly under some people's radar because it wasn't released as part of the 2003 operating system. GPMC is an out-of-band product that you can download from the Microsoft website to manage Group Policies on 2003 networks. (You can even use GPMC on a 2000 AD domain, but some of the more advanced features won't be available to you.) GPMC can be installed on any Windows Server 2003 machine or XP workstation with Service Pack 1 or higher. Windows XP computers will also need the .NET Framework installed. (The GPMC will not run on 64-bit versions of Windows.) GPMC offers you the following key features to simplify Group Policy management:
- A simplified user interface that makes Group Policy much easier to use, manage, configure, and secure
- The ability to back up and restore individual Group Policy Objects, as well as all GPOs in a domain
- HTML reporting of the settings in an individual GPO
- Import/export and copy/paste functions for GPOs and Windows Management Instrumentation (WMI) filters
NOTE: If you're on XP Service Pack 1, you'll need to have the Q326469 hotfix installed. But don't worry; the installer will let you know if it's not, and even install it for you automatically.
The installer itself is pretty straightforward: as long as you're on an XP or 2003 machine, you just double-click the .MSI file and click Next until you're done. The console will launch, attach to the domain that your computer is a member of, and provide a graphical view of your forest as you can see in Figure 4-1.
Once you expand the Domains node, you'll see an entry for each Organizational Unit (OU) in your domain, and each GPO that's linked to a particular OU. Additionally, you'll see a list of every GPO that you've created, whether it's currently linked to a container or not. When you click an individual GPO, you can see a graphical summary of the settings it includes, like the one shown in Figure 4-2. You can view individual GPOs by drilling down in the following order:
2. Your Domain Name
3. Group Policy Objects
As you can see, this gives you an easy-to-read overview of your Group Policy settings. In addition, the Scope tab spells out precisely which domains, sites, and OUs are affected by this GPO and what Access Control Lists (ACLs) have been applied on it. Having this information right at your fingertips can save you a lot of time in troubleshooting, especially if you're taking over a network from someone else who may not have documented his GPO configurations very well.
NOTE: While you're looking at the pretty reports that GPMC generates for you, why don't you take a second to right-click the GPO and click Save Report. This will save the information to an HTML file that you can use as a part of your network documentation, so that the person who takes over from you doesn't have the same complaint.
Another great feature of GPMC, and one that's firmly embedded in the "Why didn't they let us do this before?" column, is the ability to back up and restore your Group Policy Objects, and even copy GPOs between different domains and forests. Prior to the release of the GPMC, your only option for backing up a GPO before making a change was to manually create a copy of the object, which quickly became time-consuming and a waste of resources if you wanted to maintain multiple copies that you could roll back to. Now it's easy: just right-click the GPO that you want to back up and click Back Up. (Or click the top-level Group Policy node and click Back Up All to take care of all of them at once.) This will create a series of file folders in the location you specify, all with rather ugly-looking GUID names like this:
Once you've created the backups, you can store them to tape as a part of your usual backup schedule. But it gets even better than that: the GPMC installation includes a Scripts folder (installed to C:\Program Files\GPMC\Scripts by default) with a number of predefined scripts that you can use to automate your administration tasks. BackupAllGPOs.wsf allows you to back up all of your GPOs within a given domain from the command line as a onetime or scheduled task, using the following syntax:
BackupAllGPOs.wsf BackupLocation [/Comment:value] [/Domain:value]
So a scheduled task to back up all of your GPOs to a file folder on your C: drive would look like this:
BackupAllGPOs.wsf c:\GPO-Backups /comment:"Back Up All Domain GPOs"
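An added example, not taken from the book or the GPMC scripts themselves: a batch wrapper around BackupAllGPOs.wsf that gives each scheduled run its own dated folder (so you keep several roll-back points instead of overwriting one) and logs a failed run. It assumes the default GPMC Scripts path from the text, a backup root of C:\GPO-Backups, and that wmic.exe is available on the box.

```batch
@echo off
rem Added example (not from the book): dated, logged wrapper for BackupAllGPOs.wsf.
rem Assumes GPMC's default Scripts folder and a backup root of C:\GPO-Backups;
rem both are assumptions, adjust them for your server.
setlocal
set "GPMC_SCRIPTS=C:\Program Files\GPMC\Scripts"
set "BACKUP_ROOT=C:\GPO-Backups"

rem %DATE% formatting depends on the regional settings of the account running
rem the task, so build a fixed yyyymmdd stamp from WMIC instead.
for /f "skip=1 tokens=1" %%d in ('wmic os get LocalDateTime') do (
    if not defined STAMP set "STAMP=%%d"
)
set "STAMP=%STAMP:~0,8%"
set "TARGET=%BACKUP_ROOT%\%STAMP%"
if not exist "%TARGET%" mkdir "%TARGET%"

rem A backup contains the whole policy, security settings included, so keep the
rem NTFS permissions on BACKUP_ROOT as tight as on the GPOs themselves.
rem cscript runs the .wsf; //nologo keeps the banner out of the log.
cscript //nologo "%GPMC_SCRIPTS%\BackupAllGPOs.wsf" "%TARGET%" /comment:"Scheduled backup %STAMP%" >> "%BACKUP_ROOT%\backup.log" 2>&1
if errorlevel 1 (
    echo %STAMP% GPO backup FAILED with exit code %ERRORLEVEL% >> "%BACKUP_ROOT%\backup.log"
    exit /b 1
)
echo %STAMP% GPO backup completed to %TARGET% >> "%BACKUP_ROOT%\backup.log"
endlocal
```

Save it as, say, C:\Scripts\Backup-GPOs.cmd and register it with schtasks (schtasks /create /sc daily /st 02:00 /tn "GPO Backup" /tr "C:\Scripts\Backup-GPOs.cmd" /ru DOMAIN\account /rp *), using an account that has Read permission on every GPO; the path and account name here are placeholders.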
More than a dozen other predefined scripts are provided with the GPMC, including scripts that allow you to
- Back up all GPOs in your domain.
- Back up a single GPO.
- Find any disabled GPOs.
- Find GPOs with duplicate names.
- Get summary reports for all GPOs.
There's also a useful help file (found in the C:\Program Files\GPMC directory by default), called gpmc.chm, to get you started with these if you're unfamiliar with scripting. I'll admit that even I used to be immensely script-o-phobic, but getting past the script fear will make you a much better network manager. So say it with me, if you haven't already: "Scripting is my friend." We'll be talking about various other scripting solutions throughout this guide; it's a deceptively simple technology that will allow you to do pretty complex things with a relatively low learning curve.
Migrating Group Policy Settings
If you've ever wished that you could quickly move the settings from one Group Policy Object to another, the GPMC will also make that task immensely simple. As long as you have sufficient rights to both the source and destination domains and forests, copying a GPO is as simple as right-clicking a GPO and selecting Copy or Import within the console window. This is especially useful if you maintain a separate Active Directory forest for testing purposes; once you've perfected policy settings in the test area, you can simply copy the finished GPO into your production domain.
NOTE: In a copy operation, a new GPO is created in the destination domain or forest. During an import, GPMC requires that the destination object already exist; the imported settings will overwrite any existing information in the destination GPO.
You'll also have access to a Migration Table during the copy process. This will let you map any domain-specific settings like usernames, SIDs, and UNC paths from the source domain into the target so that the copied information will match up correctly. For example, you may have a test server called TEST-01 that contains the user directories for your test environment. But when you copy your GPO into production, you want \\TEST-01\HOME\%username% to change to \\APP1\HOME\%username%; the Migration Table will allow you to do this without needing to make the change manually anywhere that it occurs within the Group Policy Object. To use the Migration Table, follow these steps:
1. Run mtedit.exe from the GPMC installation folder. This will create a blank Migration Table.
2. To automatically populate the Migration Table, click Tools ➤ Populate from GPO or Tools ➤ Populate from Backup.
3. By default, each source value will assume that its destination name is the same as the value listed for source name. It's up to you to manually edit the Destination Name column to include the appropriate values, as you can see in Figure 4-3.
4. When you've finished, click Tools ➤ Validate Table, which verifies that any security principals and UNC paths in the Destination column actually exist.
NOTE: You can either type in the mapped entries manually, or right-click the Destination field and select Browse.
Modeling Group Policy
The Group Policy Management Console also assists you in planning and troubleshooting your Group Policy strategy by allowing you to play out "What if?" scenarios using a modeling tool. Like the rest of the GPMC, Group Policy Modeling is fairly intuitive and wizard-driven; in fact, if you've used the Resultant Set of Policy (RSoP) Wizard or gpresult.exe from the Windows 2000 Resource Kit, you're probably already familiar with the available options. To create a Group Policy Modeling report, follow these steps:
1. Open the Group Policy Management Console. Right-click Group Policy Modeling and select Group Policy Modeling Wizard. Click Next to bypass the initial Welcome screen.
2. Select the domain and domain controller that you want to use to perform the test. The DC needs to be a 2003 DC: you can either select a specific DC or allow the wizard to pick any available 2003 box. Click Next when you're done.
3. Select 1) the user or user container, and 2) the computer or computer container that you want to analyze. You can mix-and-match these as well: you can pick a single user object and an OU that contains your computer accounts, a single user and computer object, etc.
4. At this point you've given the wizard all the information it needs to create a basic report. So you can place a check mark next to Skip to the final page of this wizard without collecting additional data, or click Next to fine-tune the results of the report.
5. On the Advanced Simulation Options page, you can choose to modify the Group Policy behavior in any of the following ways:
- Simulate a slow link.
- Simulate loopback processing, using either the Replace or Merge setting. (We'll talk more about loopback processing in a minute.)
- Specify which site to process, if you have GPOs attached to your Active Directory sites, and then click Next.
- Specify which user and computer security groups you want to analyze. You can use security groups to do advanced filtering of GPO settings, which we'll talk about in the "Applying Security Filtering" section later in the chapter.
- Specify which user and computer WMI filters you'd like to simulate.
6. At this point you'll be taken to a final screen that will list all of the settings you've selected. As with most wizards, you can click Back to make any changes, or click Next and then Finish to run the Modeling report.
Once you've completed the wizard, GPMC will create its now-familiar HTML report that will detail which GPO settings would be in effect in the situation you created. Perhaps most useful is that, if there are multiple Group Policy Objects present, the Modeling report will inform you which GPO "won." This is invaluable as an aid to troubleshooting, especially if your GPO structure is a complex one with multiple levels of inheritance.
Monitoring Group Policy Results
The Group Policy Results Wizard is quite similar to Group Policy Modeling, except that it provides the actual GPO settings that are being applied to a specific user/computer combination. Like the Modeling Wizard, it creates an HTML report detailing the GPO settings in place, and which GPO is enforcing those settings.
CAUTION: You can't run the Group Policy Results Wizard for computers running Windows 2000. However, you can use Group Policy Modeling to basically mimic the same report. Yeah, I don't get it either; but there it is.