The following excerpt is from Chapter 2 of the free eBook "Administrator shortcut guide to Active Directory security"...
written by Derek Melber and Dave Kearns and available from a link at Realtimepublishers.com.
Group Policy Management Console
The Microsoft Group Policy Management Console (GPMC) provides an interface that simplifies administering GPOs. This new tool has limitations -- for example, it runs only on Windows XP Professional and WS2K3 -- but they are easy to work around. Even in a pure Win2K AD environment, GPOs can be administered from a single Windows XP computer running the GPMC.
The advantage over the old method of managing GPOs is clear to anyone who has used it. The old method relied on the Group Policy tab on the properties sheet of each site, the domain and every OU. This one tab, which Figure 2.3 shows, gave only a partial view of the overall GPO picture, which caused much confusion among administrators.
Figure 2.3: Win2K Group Policy tab, providing administration of GPOs.
The GPMC is much easier to use, and control over GPOs is more efficient. It collects in one tool the features that are spread across all the other GPO tools and interfaces provided with Win2K. The GPMC provides for routine creation, management and deletion, as well as archiving (backup and restore), Resultant Set of Policy (RSoP) and modeling. Figure 2.4 shows the GPMC interface.
Figure 2.4: GPMC provides a simpler interface to control all aspects of GPOs.
Key features provided by the GPMC include:
- Controlling inheritance -- The GPMC offers complete control over both Block Policy Inheritance and No Override (which the GPMC labels Block Inheritance and Enforced). These settings are hard to follow in the built-in tools, but the GPMC makes them easy to see and administer; an enforced link always wins over a Block Inheritance set lower in the tree.
- GPO Filtering -- Filtering a GPO means editing its ACL so that only the trustees holding the Apply Group Policy permission receive it, which is a complex and laborious task in the built-in tools. The GPMC lists each GPO's security filtering in one place, which makes administering the GPO ACL an easier task.
- Delegating GPO administration -- There are two places to delegate GPO administration: at the GPO level and at the container level (site, domain or OU). The GPMC shows this delegation on a Delegation tab at each level, which gives better control because of the clearer view.
- Reporting on GPO settings -- In Win2K, when an administrator needs to know all of the settings in a GPO, he or she must open the GPO and scan through the sea of settings manually. With the GPMC's reporting feature, you can quickly see all of the settings in a GPO in a single HTML or XML report, without the added headaches.
- GPO operations -- In Win2K, operations such as backup and copy had to come from a third-party tool. The GPMC provides robust, easy control over GPOs, including backing them up, restoring them, importing settings from a backup or from another domain, copying GPOs and more. These are essential functions for AD and GPO implementation.
- WMI filters -- WMI filtering takes OU and GPO design to the next level. With a WMI filter, you can target specific computers based not on their location in AD but on characteristics of the computer itself (operating system version, free disk space and so on), expressed as a WQL query. Note that only Windows XP and WS2K3 clients evaluate WMI filters; Win2K clients ignore the filter and apply the GPO anyway.
- GPO modeling and results -- RSoP is crucial to an administrator who is about to move user and computer accounts from one OU to another (modeling shows what would apply) and to one troubleshooting why a user does or does not have a particular setting (results shows what did apply). GPOs can get out of control and become very complex, and these reporting tools help demystify that complexity.
- Searching -- The search capabilities in the GPMC are a refreshing change from hacking through the GPO interface to find the setting you are looking for. The GPMC allows searches on GPO name, GPO links, configuration categories, and the GUID.
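The following script is an added example, not code from the book or from Microsoft, that exercises the features in the list above from the command line. It assumes the GroupPolicy PowerShell module that ships with later Windows Server versions and RSAT (the 2003-era GPMC exposed the same operations through its COM API and sample scripts); the domain, OU, GPO and computer names are placeholders.

```powershell
# Added example (not from the book): inheritance, filtering, WMI filter testing,
# reporting, operations and RSoP from PowerShell. Assumes the GroupPolicy module.
# Domain, OU, GPO and computer names below are placeholders.
Import-Module GroupPolicy

$domain  = 'corp.example.com'
$ou      = 'OU=Workstations,DC=corp,DC=example,DC=com'
$gpoName = 'Workstation Security Baseline'

# 1. Inheritance: what the OU inherits, whether it blocks, and which links are enforced.
$inh = Get-GPInheritance -Target $ou -Domain $domain
"Block Inheritance on $($inh.Path): $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | ForEach-Object {
    '{0,-40} Enforced={1} Enabled={2} Order={3}' -f $_.DisplayName, $_.Enforced, $_.Enabled, $_.Order
}
# An Enforced link (No Override in Win2K terms) wins over Block Inheritance further down the tree.
Set-GPLink -Name $gpoName -Target $ou -Domain $domain -Enforced Yes | Out-Null

# 2. Security filtering: the Apply permission is what turns the GPO ACL into a filter.
Get-GPPermission -Name $gpoName -Domain $domain -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission

# 3. WMI filter: evaluate the filter's WQL against a candidate machine before relying on it.
# Win2K clients ignore WMI filters and apply the GPO regardless, so the filter only
# narrows XP / WS2K3 and later clients.
function Test-WmiFilterMatch {
    param([string]$Query, [string]$ComputerName = $env:COMPUTERNAME)
    # A WMI filter "matches" when its query returns at least one instance.
    $result = Get-CimInstance -Query $Query -ComputerName $ComputerName -ErrorAction Stop
    return [bool](($result | Measure-Object).Count)
}
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'   # 1 = workstation
"WMI filter matches this machine: $(Test-WmiFilterMatch -Query $wql)"

# 4. Reporting and operations: settings report, backup (archive) and copy within the domain.
Get-GPOReport -Name $gpoName -Domain $domain -ReportType Html -Path "C:\GPO\$gpoName.html"
Backup-GPO -Name $gpoName -Domain $domain -Path 'C:\GPO\Backups' -Comment 'pre-change archive' | Out-Null
Copy-GPO -SourceName $gpoName -TargetName "$gpoName (test)" -SourceDomain $domain -TargetDomain $domain | Out-Null

# 5. RSoP results: what actually applied to a given computer and user (placeholders).
Get-GPResultantSetOfPolicy -Computer 'WS-001' -User 'CORP\jdoe' -ReportType Html -Path 'C:\GPO\rsop-ws001.html'
```

Run it from an account that already holds edit and link rights on the target GPO and OU. The WMI test is worth keeping as a habit: a WQL typo does not produce an error in the GPMC, it simply produces a filter that never matches, and the GPO silently stops applying.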
All of these functions help control GPOs, which in turn control the security of every user and computer account in the domain. Management of the GPOs themselves also needs to be controlled, which is not easy in Win2K. With the Delegation tab at every level in the GPMC, management rights can be configured, verified and managed. Typically, five main tasks need to be controlled and managed for GPO administration:
- Creating GPOs -- In Win2K, giving a user the ability to create GPOs is not complex, just confusing (it is done through membership in the Group Policy Creator Owners group). With the GPMC, a user can be given the right to create GPOs through the Delegation tab of the Group Policy Objects container. This allows for separation of duties: a user who can create GPOs cannot link them to a site, domain or OU unless link rights are granted separately.
- Linking GPOs -- To give a user the ability to link GPOs in Win2K, the Delegation of Control Wizard was required. With the GPMC, the Delegation tab on the site, domain, or OU where the user will have linking rights makes this task easy to configure.
- Managing GPOs -- This is a broad category that includes editing settings, deleting the GPO and modifying its security (the GPMC permission level "Edit settings, delete, modify security"); there is no equivalent configuration tool in Win2K. The GPMC provides this option on the Delegation tab of each GPO.
- Editing GPOs -- There is no need to give administrators more power than they need, and this setting ensures that doesn't happen. This delegated task ("Edit settings") gives the administrator only the ability to edit the GPO's settings, not to delete it or change its security. It is not a global setting; it is assigned on each GPO individually.
- Viewing GPOs -- There are two levels of viewing GPOs within the GPMC, which is two more than with Win2K GPO management. A user delegated Read on a single GPO can only view that GPO; if the domain or OU is delegated the modeling and results rights, the administrator can also run a modeling analysis to see what the settings would be for a given user and/or computer.
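The five tasks above map onto two different permission stores: per-GPO rights live on the GPO's ACL, while link rights live on the AD container as write access to its gPLink and gPOptions attributes. The script below is an added example (not the book's or Microsoft's code) that sets up that separation and then verifies it. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from later Windows Server versions; the group, OU and GPO names are placeholders, and Get-SchemaAttributeGuid and Test-GpoDelegation are helpers written for this example.

```powershell
# Added example (not from the book): separate GPO creation, editing and linking rights,
# then verify the separation. Assumes the GroupPolicy and ActiveDirectory modules.
# Group, OU and GPO names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domain  = 'corp.example.com'
$ou      = 'OU=Workstations,DC=corp,DC=example,DC=com'
$gpoName = 'Workstation Security Baseline'
$editors = 'CORP\GPO-Editors'    # may change settings on this GPO, nothing else
$linkers = 'CORP\GPO-Linkers'    # may link/unlink on the OU, cannot edit the GPO

# Creating: whoever creates the GPO gets rights on it, but no link rights anywhere.
$gpo = Get-GPO -Name $gpoName -Domain $domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Domain $domain -Comment 'delegation example' }

# Editing: "Edit settings" only (GpoEdit), not "Edit settings, delete, modify security".
Set-GPPermission -Name $gpoName -Domain $domain -TargetName $editors -TargetType Group `
                 -PermissionLevel GpoEdit -Replace | Out-Null

# Viewing: plain Read for auditors. GpoApply would make the GPO apply to them, so avoid it here.
Set-GPPermission -Name $gpoName -Domain $domain -TargetName 'CORP\GPO-Auditors' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# Linking: an ACE on the container granting WriteProperty on gPLink and gPOptions.
function Get-SchemaAttributeGuid {
    param([string]$LdapDisplayName)
    # Look the attribute GUID up in the schema rather than hardcoding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$attr.schemaIDGUID
}
$sid = (New-Object System.Security.Principal.NTAccount($linkers)).Translate([System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$ou"
foreach ($attrName in 'gPLink', 'gPOptions') {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaAttributeGuid $attrName),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: editors hold GpoEdit on the GPO but cannot write gPLink on the OU;
# linkers can write gPLink but hold nothing on the GPO.
function Test-GpoDelegation {
    param([string]$GpoName, [string]$Trustee, [string]$ContainerDN)
    $gpoPerm = Get-GPPermission -Name $GpoName -Domain $domain -TargetName $Trustee -TargetType Group -ErrorAction SilentlyContinue
    $gpLinkGuid = Get-SchemaAttributeGuid 'gPLink'
    $canLink = (Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $gpLinkGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
    [pscustomobject]@{
        Trustee     = $Trustee
        GpoRight    = if ($gpoPerm) { $gpoPerm.Permission } else { 'None' }
        CanLinkToOU = [bool]$canLink
    }
}
Test-GpoDelegation -GpoName $gpoName -Trustee $editors -ContainerDN $ou
Test-GpoDelegation -GpoName $gpoName -Trustee $linkers -ContainerDN $ou
```

The two verification lines should report GpoEdit/False for the editors and None/True for the linkers. The modeling and results rights mentioned under "Viewing GPOs" are also container-level: they are the AD extended rights "Generate Resultant Set of Policy (Planning)" and "(Logging)", which the GPMC exposes on the site, domain or OU Delegation tab rather than on a GPO.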