The GPMC is one of Microsoft's best new features in all of Windows Server 2003. Within
the GPMC is a rich variety of tools for creating, editing, observing, modeling and reporting on all aspects of Group Policy. As an example, my old friend 'Barking Eddie' spent two weeks documenting all the Group Policies
for one company. When I showed him the GPMC, he was crestfallen and said he could have done that same job in half an hour with GPMC.
Remember that Microsoft designed the GPMC for Windows Server 2003 rather than W2K. Get your
copy of GPMC.msi as a download from Microsoft's site. While I am
assured that the GPMC will work on Windows 2000 Domains, I have not got it to
run. (However, I have not tried that hard as I now prefer Server 2003.)
The GPMC unifies Group Policy management
across your Active Directory forest. Before the GPMC, administrators needed multiple tools
to manage Group Policy: Microsoft Active Directory Users and
Computers, the Delegation Wizard, and the ACL Editor. Not only does the GPMC integrate the
existing Group Policy tools, it also brings the following exciting new capabilities:
A user interface that makes it easier to create and edit each Group Policy.
New WMI filtering means that you can apply policies only to particular machines, or only if there is enough disk space.
Interfaces to back up, restore, import, and copy Group Policy Objects (GPOs).
Simplified management of Group Policy-related security.
Reporting for GPO settings and Resultant Set of Policy (RSoP) data.
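A WMI filter is a WQL query that the client evaluates; the GPO applies only when the query returns at least one instance. The sketch below is an added example, not from the original page, for testing a candidate query on a target machine before attaching it to a GPO. It assumes PowerShell 3.0 or later; the function name, machine name and disk threshold are hypothetical.

```powershell
# Added example, not from the original page. Queries and names are constructed.
# A WMI filter is TRUE for a machine when its WQL query returns at least one instance.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace = 'root\CIMv2',
        [string] $ComputerName            # optional: evaluate on a remote client
    )
    $cimArgs = @{ Namespace = $Namespace; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }
    try {
        $hits = @(Get-CimInstance @cimArgs)
        [pscustomobject]@{
            Applies       = ($hits.Count -gt 0)
            InstanceCount = $hits.Count
            Error         = $null
            Query         = $Query
        }
    }
    catch {
        # Report syntax or access errors instead of silently reading them as "no match".
        [pscustomobject]@{
            Applies       = $false
            InstanceCount = 0
            Error         = $_.Exception.Message
            Query         = $Query
        }
    }
}

$candidates = @(
    # Only machines whose fixed C: drive has more than 1 GB free.
    "SELECT * FROM Win32_LogicalDisk WHERE DeviceID = 'C:' AND DriveType = 3 AND FreeSpace > 1073741824",
    # Only one particular machine (hypothetical name).
    "SELECT * FROM Win32_ComputerSystem WHERE Name = 'WS-FINANCE-01'"
)

$candidates | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-List
```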
After I downloaded the GPMC from Microsoft's site, I installed the application by double-clicking GPMC.msi. At first I carried on in my old ways. When I wanted to check a group
policy I launched Active Directory Users and Computers, right-clicked the domain, chose Properties, and went from there to the Group Policy tab. (See Diagram.)
However, I soon found that you could add a
GPMC snap-in to the MMC, and this is now my preferred method of accessing the GPMC.
Right from the outset GPMC gives you the big picture. The GUI encourages you to
survey the range of places to look for Group Policies,
from the Forest at the top, through to the Domain and down to the Sites. The OU Group Policies are hidden under the domain. Note that OUs have a little book symbol that is absent from container
objects such as Users, Builtin and Computers. What this means is that if you see the book symbol then you can create a Group Policy, whereas if all you see is a blank yellow folder, then you cannot create a Group Policy
at that location. The GPMC also lists any Models
or Policy Results.
Microsoft provides a snap-in called RSoP for showing a given combination of
policy settings. I find that if you install the GPMC, then you do not
really need this RSoP. However, if you have Windows 2000 and no
GPMC then the RSoP is intuitive to
use and comes in two modes:
Logging mode. In logging mode, the RSoP snap-in tracks the policies
that you apply. In this mode, the tool shows the actual policies for a given
user or computer.
Planning mode. In planning mode, the snap-in indicates the set of
policies that would be applied if you deployed the policy. You can
perform what-if analyses on the user and computer, the domain, and the
organizational unit.
I am so pleased that Windows 2000's Secedit has been superseded by Gpupdate
on XP; the old Secedit syntax was
horrendous.
Mostly, I just run plain Gpupdate in a 'Dos Box'. Occasionally, I append the following switches:
/force reapplies all settings.
/target:computer or /target:user applies only the user or computer
section of your policy. Normally I would use plain Gpupdate without the
optional target switch.
/logoff Useful for settings that do not apply until the user logs
on again.
/boot Handy for configurations which need the computer to restart.
N.B. /boot does not mean apply the settings every time the computer
reboots.
While I prefer the GPMC console above, Gpresult is a handy command line utility to display the results of Group Policy.
What I particularly like is the /user switch. Take the example where you
are logged on as the administrator, but wish to test the settings of a user called Psycho.
Rather than log off and then log on as that user, just type: gpresult
/USER psycho. Do remember the /USER. This command would be a mistake:
gpresult /psycho.
This handy command line utility restores the two default Group Policy objects
(Domain and Domain Controllers) to their original state. You find this 'get out of jail card',
dcGPOfix, in
the \windows\repair folder. However, because the \windows folder is in the
'Path' you can just run dcGPOfix in a 'Dos Box'.
Syntax and Switches
dcgpofix [/ignoreschema] [/target: {domain | dc | both}]
Example: dcgpofix /target:domain
Caution
This tool will restore the default domain policy and also the default domain
controllers policy to their state just after installation. Naturally, when
you run dcgpofix, you lose all changes made to these Group Policies.
By specifying the /ignoreschema parameter, you can enable Dcgpofix.exe to
work with different versions of Active Directory. However, default policy
objects might not be restored to their original state. To ensure compatibility,
use the version of Dcgpofix.exe that is installed with the operating system.
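Because dcgpofix discards every change made to the two default policies, take a backup and a settings report first. The script below is an added example, not from the original page or from Microsoft. It assumes the GroupPolicy PowerShell module (GPMC/RSAT on Windows Server 2008 R2 or later, which postdates the Server 2003 tooling described here), and the backup path is hypothetical.

```powershell
# Added example, not from the original page or from Microsoft.
# Assumes the GroupPolicy module (GPMC/RSAT, Windows Server 2008 R2 or later).
Import-Module GroupPolicy -ErrorAction Stop

$backupRoot = 'C:\GPOBackup'                       # hypothetical path
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$target     = Join-Path $backupRoot "pre-dcgpofix-$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

# Well-known GUIDs of the two default GPOs; identical in every domain.
$defaultGpos = [ordered]@{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

$backups = foreach ($name in $defaultGpos.Keys) {
    $guid = [guid]$defaultGpos[$name]
    # Full backup that Restore-GPO (or the GPMC Restore dialog) can bring back.
    $b = Backup-GPO -Guid $guid -Path $target -Comment "Before dcgpofix $stamp" -ErrorAction Stop
    # Human-readable record of the settings that dcgpofix is about to discard.
    Get-GPOReport -Guid $guid -ReportType Html -Path (Join-Path $target "$name.html")
    [pscustomobject]@{ Gpo = $b.DisplayName; BackupId = $b.Id; Folder = $b.BackupDirectory }
}
$backups | Format-Table -AutoSize

# Only once both backups exist, run the reset by hand:
#   dcgpofix /target:both
# To undo it later for one GPO:
#   Restore-GPO -BackupId <BackupId from the table> -Path <Folder from the table>
```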