GPMC: The Best Windows Group Policy Manager Going
In recent articles we have been covering some of the Windows Server 2003 tools that you may not be aware of. This week we continue this theme by looking at the Group Policy Management Console (GPMC).
The GPMC is an extremely useful tool that allows you to manage, test, and evaluate Group Policy settings. It brings the functions of a number of other tools, such as Resultant Set of Policy and Gpresult, and puts them all in one easy-to-use utility. It sounds a little bold to say that the GPMC is the only tool you’ll ever need to manage Group Policy on your Windows Server 2003 system, but the reality is that it’s probably true.
Like a number of other tools designed for Windows Server 2003, the GPMC missed shipping on the original Windows Server 2003 CD, and so it must be downloaded from the Microsoft Website http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.
Once downloaded and installed, an icon, Group Policy Management, is added to the Administrative Tools menu. One thing to note is that after the GPMC is installed, the Group Policy tab of domains, OUs, and sites are modified with a button that allows you to launch the GPMC. You can no longer link or create GPOs from the Group Policy tab of Active Directory objects.
Using the GPMC
When you first start the GPMC tool, you’ll see the split-pane interface common to most other Windows Server 2003 utilities. In the left pane are listed the forests, domains and sites in your Active Directory structure. Below these there are two nodes – Group Policy Modeling and Group Policy Results. We’ll talk more about these nodes later in the article. You can see an example of the basic GPMC interface in Figure 1. For the purposes of this figure, the tree in the left hand pane is completely expanded.
Perhaps the most common use of the GPMC is to work directly with Group Policy Objects (GPOs). As you expand the tree in the left pane of the GPMC, you will see that GPOs are listed under any domain, OU, or site to which they are linked. There is also a container called Group Policy Objects, which lists all of the GPOs defined on the system irrespective of linking. It is useful to see the GPOs listed in this way, as it goes some way to reinforcing the fact that a GPO is an Active Directory object in its own right, and not a property of another Active Directory object such as an OU or domain.
Right-clicking a GPO brings up a menu from which you can access features such as the backup utility, a tool that lets you import settings, and the ability to copy GPOs between domains. You can also choose to disable part (User Configuration Settings or Computer Configuration Settings) or all of the GPO.
Double-clicking a GPO brings up a properties page for the GPO. These property pages have four tabs, as shown in Figure 2.
The Scope tab allows you to see what objects this GPO is linked to, as well as any security or Windows Management Instrumentation (WMI) filters that are in place. WMI is a feature of Windows Server 2003 that allows you to filter group policy based on criteria such as the amount of memory installed in a system, the type of processor, or even the IP address. We’ll be looking at WMI in more detail in an upcoming article.
The Details tab shows basic information such as creation and modification dates, the UID, and whether or not the GPO is enabled.
The Settings tab is one that you will use often, as it displays, in an easy to read format, all of the settings defined in the GPO. When you click on the Settings tab, the configurations are retrieved from the GPO, which means you are always seeing the very latest version of the information. Right clicking anywhere on the report and selecting Edit from the menu starts the Group Policy Object Editor MMC snap-in. You can also save the report in HTML format or print it from the right-click menu. You can see an example of the settings tab in Figure 3.
One of the nice things about navigating the properties pages of GPO is that you are always taken to the same page when clicking between GPOs. If you have the Settings tab open on one GPO and then select another GPO, the Properties page will automatically open at the Settings tab. This makes it very easy to compare settings between policies.
Group Policy Modeling
In addition to the basic tasks such as creating and editing GPOs, the GPMC can also be used to model what effect moving a user or computer between OUs or domains would have. For administrators in complex environments with many GPOs, such a feature is invaluable. Instead of actually moving the object and ‘seeing what happens’, Group Policy Modeling allows you to simulate the move without ever having to move the object in question. Clever, huh?
To start the modeling process, right-click the corresponding folder in the GPMC and select Group Policy Modeling Wizard. This wizard will take you through the basic steps associated with the modeling, such as determining which object to perform the modeling on, and to which site, domain or OU you want to simulate a move to. It will also allow you to test behavior such as changing security groups, simulating a slow network connection and factoring in WMI filters. The results are displayed in an easy to read format that can be printed or saved for later reference. Modeling tasks are also saved within the GPMC, so you can refer to them later. You can see the results of a Group Policy Modeling process in Figure 4.
Group Policy Results
Another very useful feature of the GPMC tool is the Group Policy Results node. The Group Policy Results node allows you to see what the resultant policy is for a given user or computer object. Using the information provided, you can determine what the final result is of group policy application for an object, as well as the ‘winning’ GPO. This is important as it allows you to determine where an unexpected result is coming from.
Like the Group Policy Modeling feature, the Group Policy Results node has a wizard associated with it that simplifies the process of choosing a target object. After specifying the computer for which you want to run the test, and selecting a user ID for the run (which can be either the logged on user or another user from Active Directory), the report is generated and displayed on screen. You can see an example of this in Figure 5.
Space limits covering the functionality of GPMC in more detail here, but you can clearly see that it is a valuable and extremely useful tool. I strongly encourage you to download it, install it, and see what it can do.