In recent articles we have been covering some of the Windows Server 2003 tools that you may not be aware of. This week we continue this theme by looking at the Group Policy Management Console (GPMC).
The GPMC is an extremely useful tool that allows you to manage, test, and evaluate Group Policy settings. It brings the functions of a number of other tools, such as Resultant Set of Policy and Gpresult, and puts them all in one easy-to-use utility. It sounds a little bold to say that the GPMC is the only tool you’ll ever need to manage Group Policy on your Windows Server 2003 system, but the reality is that it’s probably true.
Like a number of other tools designed for Windows Server 2003, the GPMC missed shipping on the original Windows Server 2003 CD, and so it must be downloaded from the Microsoft Website http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.
Once downloaded and installed, an icon, Group Policy Management, is added to the Administrative Tools menu. One thing to note is that after the GPMC is installed, the Group Policy tab of domains, OUs, and sites are modified with a button that allows you to launch the GPMC. You can no longer link or create GPOs from the Group Policy tab of Active Directory objects.
Using the GPMC
Perhaps the most common use of the GPMC is to work directly with Group Policy Objects (GPOs). As you expand the tree in the left pane of the GPMC, you will see that GPOs are listed under any domain, OU, or site to which they are linked. There is also a container called Group Policy Objects, which lists all of the GPOs defined on the system irrespective of linking. It is useful to see the GPOs listed in this way, as it goes some way to reinforcing the fact that a GPO is an Active Directory object in its own right, and not a property of another Active Directory object such as an OU or domain.
Right-clicking a GPO brings up a menu from which you can access features such as the backup utility, a tool that lets you import settings, and the ability to copy GPOs between domains. You can also choose to disable part (User Configuration Settings or Computer Configuration Settings) or all of the GPO.
Double-clicking a GPO brings up a properties page for the GPO. These property pages have four tabs, as shown in Figure 2.
The Details tab shows basic information such as creation and modification dates, the UID, and whether or not the GPO is enabled.
The Settings tab is one that you will use often, as it displays, in an easy to read format, all of the settings defined in the GPO. When you click on the Settings tab, the configurations are retrieved from the GPO, which means you are always seeing the very latest version of the information. Right clicking anywhere on the report and selecting Edit from the menu starts the Group Policy Object Editor MMC snap-in. You can also save the report in HTML format or print it from the right-click menu. You can see an example of the settings tab in Figure 3.
One of the nice things about navigating the properties pages of GPO is that you are always taken to the same page when clicking between GPOs. If you have the Settings tab open on one GPO and then select another GPO, the Properties page will automatically open at the Settings tab. This makes it very easy to compare settings between policies.
Group Policy Modeling
In addition to the basic tasks such as creating and editing GPOs, the GPMC can also be used to model what effect moving a user or computer between OUs or domains would have. For administrators in complex environments with many GPOs, such a feature is invaluable. Instead of actually moving the object and ‘seeing what happens’, Group Policy Modeling allows you to simulate the move without ever having to move the object in question. Clever, huh?
Group Policy Results
Another very useful feature of the GPMC tool is the Group Policy Results node. The Group Policy Results node allows you to see what the resultant policy is for a given user or computer object. Using the information provided, you can determine what the final result is of group policy application for an object, as well as the ‘winning’ GPO. This is important as it allows you to determine where an unexpected result is coming from.
Space limits covering the functionality of GPMC in more detail here, but you can clearly see that it is a valuable and extremely useful tool. I strongly encourage you to download it, install it, and see what it can do.