Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


July 2003

Windows Server 2003's Group Policy Management Console

GPO development and management in one cohesive interface

Group Policy is near the top of any list of Windows 2000's most powerful features and is becoming more important with each Windows release. The ability to control the characteristics of large numbers of servers and clients is crucial at a time when just one incorrectly configured computer can spread a virus in seconds. Unfortunately, Group Policy is also near the top of any list of Win2K's most complex features. The high point of Win2K Group Policy is its strong capabilities; its low points become obvious when you try to manage these policies across an enterprise.

That's why the Group Policy Management Console (GPMC) is an invaluable tool. GPMC is a new, free Microsoft Management Console (MMC) snap-in for Windows Server 2003 that's designed to be the central management point for anything a Group Policy administrator might want to do. GPMC's UI makes working with Group Policy much simpler.

GPMC's Features
GPMC's list of features reads like a Group Policy administrator's wish list. GPMC has a new UI that lets you view Group Policy Objects (GPOs) across domains—and even forests—in an intuitive and useful way. You can now generate HTML reports on GPO settings even if you don't have write access to the GPO. You can back up and restore GPOs, export them from one domain and import them into another, and even perform mapping operations to a different set of security principals and Universal Naming Convention (UNC) paths between domains. GPMC also incorporates Resultant Set of Policies (RSoP), the most requested Group Policy enhancement for Windows 2003. You can use the Windows Management Instrumentation Query Language (WQL) to build Windows Management Instrumentation (WMI) filters. GPMC even has a tool that lets you search for GPOs within a domain or across all domains in a forest.

Requirements and Installation
Although GPMC is associated with the Windows 2003 release, the utility doesn't require the most recent OS. However, the GPMC license agreement stipulates that you can install GPMC only on a network on which you're running at least one copy of Windows 2003. You can install GPMC on Windows 2003 in its out-of-the-box configuration or on Windows XP with both Service Pack 1 (SP1) and the Windows .NET Framework (available from Windows Update or http://www.microsoft.com/downloads/details.aspx?familyid=262d25e3-f589-4842-8157-034d1e7cf3a3&displaylang=en) installed. If you're installing GPMC on XP, the installation package will automatically install XP Quick Fix Engineering (QFE) update Q326469 if it isn't already present. This QFE updates your version of gpedit.dll to the version GPMC requires. GPMC doesn't run on 64-bit versions of Windows because the Framework doesn't yet have a 64-bit version. GPMC and related documents are available from http://www.microsoft.com/windowsserver2003/gpmc.

In addition to managing Windows 2003 forests, GPMC can manage forests that contain Win2K domain controllers (DCs). The Win2K DCs should be running at least SP2 and preferably SP3. (For more information, see the Microsoft article "Windows 2000 Domain Controllers Require SP3 or Later When Using Windows Server 2003 Administration Tools" at http://support.microsoft.com//?kbid=325465.) To run Group Policy Modeling, you must upgrade at least one DC to Windows 2003. Be forewarned that editing GPOs in a Win2K forest using uplevel clients such as Windows 2003 and XP has a subtle side effect. If you use an uplevel client to edit a Win2K GPO, the client's newer policy settings will by default automatically upgrade the GPO without informing you. The Microsoft article "Upgrading Windows 2000 Group Policy for Windows XP" (http://support.microsoft.com//?kbid=307900) documents this behavior. Win2K clients will ignore the new settings, but you should be aware that this guerrilla upgrade is taking place. To prevent the upgrade, enable the policy "Turn off automatic update of ADM files" (User Configuration/Administrative Templates/System/Group Policy) in the GPOs you don't want automatically updated.

You can also run into GPO conflicts if you use the base XP release to edit a GPO, then upgrade your DCs to Win2K SP3. The administrative templates are automatically updated based on a simple timestamp, and the timestamps for the newly installed SP3 templates indicate that those files are newer than the XP files. The result is that the Win2K SP3 admin templates (newer in timestamp) overwrite the XP Group Policy templates (newer in code development), which can result in a corrupt admin template. Both the prevention of this problem and its fix are straightforward: Use a Windows 2003, XP SP1, or Win2K client to edit your Win2K GPOs because the timestamps for those OSs' Group Policy administrative templates are newer than the timestamps for Win2K SP3's templates.
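The timestamp comparison described above can be checked before anyone opens a GPO for editing. The following read-only PowerShell audit is an added example, not code from the article or from Microsoft; it assumes the GPO's templates live in an `Adm` subfolder of each GPO folder under the domain's SYSVOL `Policies` share and that the workstation's templates live in `%SystemRoot%\inf`, and the function name `Get-AdmOverwriteCandidate` is hypothetical.

```powershell
# Added example: list every .adm template stored in a GPO that is older than the
# same-named template on this workstation. Those are the files an automatic,
# timestamp-based template update from this machine would replace.
# Read-only: nothing in SYSVOL is modified.

function Get-AdmOverwriteCandidate {
    param(
        # Assumption: standard layout \\<domain>\SYSVOL\<domain>\Policies
        [Parameter(Mandatory)] [string] $PoliciesRoot,
        # Assumption: local templates are in %SystemRoot%\inf
        [string] $LocalAdmPath = (Join-Path $env:SystemRoot 'inf')
    )

    # Index the workstation's templates by file name.
    $local = @{}
    Get-ChildItem -Path $LocalAdmPath -Filter '*.adm' -ErrorAction SilentlyContinue |
        ForEach-Object { $local[$_.Name] = $_ }

    # Each subfolder of Policies is one GPO, named by its GUID.
    Get-ChildItem -Path $PoliciesRoot -Directory | ForEach-Object {
        $gpoGuid = $_.Name
        $admDir  = Join-Path $_.FullName 'Adm'
        if (-not (Test-Path -Path $admDir)) { return }   # GPO carries no templates

        Get-ChildItem -Path $admDir -Filter '*.adm' | ForEach-Object {
            $mine = $local[$_.Name]
            # A newer local timestamp wins, regardless of which file has newer content.
            if ($mine -and $mine.LastWriteTimeUtc -gt $_.LastWriteTimeUtc) {
                [pscustomobject]@{
                    Gpo            = $gpoGuid
                    Template       = $_.Name
                    GpoTimestamp   = $_.LastWriteTimeUtc
                    LocalTimestamp = $mine.LastWriteTimeUtc
                    SizeDiffers    = ($mine.Length -ne $_.Length)
                }
            }
        }
    }
}

# Usage (the domain name is taken from the logged-on user's environment):
# $root = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
# Get-AdmOverwriteCandidate -PoliciesRoot $root | Sort-Object Gpo, Template | Format-Table
```

A row with `SizeDiffers` set to `True` marks a template whose content would actually change, which is the case worth reviewing before editing that GPO from this workstation.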

When you install GPMC, it appears in the Administrative Tools as Group Policy Management. Because the utility is an MMC snap-in, you can also create a customized MMC console that contains GPMC by launching MMC and adding Group Policy Management from the Add/Remove Snap-in menu.

The UI
Let's take a look at GPMC's main console, which Figure 1 shows. As with all MMC snap-ins, the UI consists of two areas: the scope pane on the left and the results pane on the right. The scope pane shows an Active Directory (AD) structure in a layout similar to the MMC Active Directory Users and Computers snap-in. If you look closely, however, you'll see several important differences. The first difference is that you can include multiple forests (e.g., the corpvm.bigtex.net and deuby.net forests in Figure 1). The second difference is that, within each forest, GPMC shows only containers that can have GPOs linked to them—sites, domains, and organizational units (OUs). Microsoft calls sites, domains, and OUs the scope of management (SOM). The third difference is how this pane shows the true relationship of GPOs to the SOM. As Figure 1 shows, the GPOs associated with these containers are depicted as shortcuts or links (note the little arrows on the icons). GPOs aren't stored in the containers in which they're created; they're stored on a per-domain basis (shown in the GPMC UI within the Group Policy Objects container) and linked to their target SOMs.

The GPMC UI supports drag-and-drop operations as well as the traditional context-menu method of performing tasks on a GPO. For example, you can link a GPO to an OU simply by selecting the GPO in the Group Policy Objects container and dragging it to the DC's OU. A dialog box confirms most GPO drag-and-drop operations; these kinds of operations can have wide-ranging consequences such as inadvertently linking a GPO to the wrong container, and you don't want to let a slip of the wrist screw up your default domain policy or other policies.

 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement