Note that the default DC GPO for the amrvm.corpvm.bigtex.net domain is selected on the scope pane, so the results pane provides details about that GPO. The results pane has four property sheets that describe each GPO's scope, details, settings, and delegation. Discovering which containers a user-created GPO is linked to can be a time-consuming process in Win2K. The result pane's Scope tab lets you determine which SOM the GPO is linked to.
In Figure 1, the default DC GPO isn't linked to any other sites, domains, or OUs. The Links list box presents all links to the GPO in one location. The Security Filtering section of the results pane shows which users and computer will process the GPO.
The Details tab provides GPO information that you previously had to hunt all over to find. This information includes the GPO's domain and owner, when the GPO was created and modified, the version numbers of the user and computer settings in AD and on SYSVOL, the GPO's globally unique identifier (GUID), and the GPO's enabled/disabled status.
The Settings tab lets you see the GPO configuration in an expandable HTML report—no more hunting through the MMC Group Policy Editor snap-in. Only the sections that have enabled settings are listed, and only the enabled settings are shown. You can expand or collapse each section by selecting show or hide. By right-clicking anywhere in the report, you can edit the GPO (through the standard MMC Group Policy Object Editor snap-in), print the report, or save it as an HTML file that expands and collapses as the original does.
The Delegation tab describes who has GPO rights. This view is clear and simple compared with the Byzantine complexity of the ACL editor for AD objects. Any listed security principal can have five possible setting combinations: Read, Edit settings, Edit settings/delete/modify security, Read (from Security Filtering) and (if you select the Advanced button on the Delegation tab and use the ACL editor to edit permissions directly) Custom. Security principals that have the Read (from Security Filtering) setting have security filtering applied to them and appear in the Security Filtering section of the Scope tab.
One common task the GPMC won't help you with is triggering the policy-update process, which you must do by using Gpupdate (in Windows 2003 and XP) or Secedit (in Win2K). To trigger a Group Policy update, open a command prompt from the appropriate client and run one of the above commands.
GPO Operations
One of the most frustrating aspects of working with Win2K Group Policy is that you can't manipulate GPOs the way you manipulate file system objects. Unlike pure file system objects or purse AD objects, GPOs are hybrid constructs unique in Win2K; each GPO has an AD component as well as a file system component. The AD component is distributed through AD replication, and the file system component is circulated around the DCs' SYSVOLs through the File Replication Service (FRS). This is one reason GPOs are so hard to manipulate. You can create and delete them and edit their settings and security, but performing other kinds of operation against a GPO is just about impossible. You can't back up the GPO for safekeeping, restore it if you mess up something, or make a copy of it for a test forest. However, GPMC makes all these operations easy.
Backup
To back up a GPO, simply right-click the GPO in the scope pane and choose Backup. The system will prompt you to enter the save location and a description before it begins backing up the GPO. You can back up all GPOs in the domain by right-clicking the Group Policy Objects container and selecting Back Up All. GPMC will show the progress of the backup, as Figure 2 shows. The same context menu also has a Manage Backups utility that lists all the backed-up GPOs in a specified folder.
Restore
When you restore a GPO, the GPO's existing settings are deleted and the backed-up settings are restored to their state at the time you backed them up. You can use the restore operation to roll back a GPO that's in an unhealthy or unwanted state or recover a deleted GPO. GPMC doesn't restore the links to the GPO if you've deleted them, but because the GPO's GUID remains the same, existing links will work on the restored GPO the way they did with the original.
To restore a GPO, right-click the GPO under the GPO container and select Restore From Backup. If you've deleted the GPO, right-click the GPO container, select Manage Backups, and choose the GPO you want to restore. When you select the particular backup you want to use, you can view the backed up GPO's settings (in the same report format as the Settings tab) to be sure it's the GPO you want.
Register
