Group Policy Management Console (GPMC)

Created: 06/12/2003 Version 0.0.0.1

I. What is the Group Policy Management Console?
II. What are the requirements for GPMC?
III. How Do I Launch GPMC?
IV. GPMC Startup View
V. Basic Group Policy Operations ( Create, Link, Edit, Disable )
VI. Backup and Restore
VII. Import, Export, Copy and Paste Operations
VIII. Reporting
IX. Group Policy Modeling (RSOP Planning mode)
X. Group Policy Result (RSOP Logging mode)
XI. Troubleshooting
XII. References

I. What is the Group Policy Management Console?

Group Policy Management Console (GPMC) is a new Microsoft Management Console (MMC) snap-in that offers a unified interface to group policy management. Without GPMC, group policy is managed through a collection of snap-ins, management consoles and command line utilities (Support Tools and Resource Kit):

  • Active Directory Users and Computers
  • Group Policy Editor
  • Delegation of Control Wizard
  • Resultant Set of Policy (RSOP) snap-in
  • GPRESULT.EXE (Resource Kit)

Aside from enabling group policy management tasks from a single view, enhancements have been added:

  • Import and export function
  • Copy and paste
  • Reporting functions (save, print) for Group Policies
  • Backup and restore
  • Scripting of group policy tasks
  • Resultant Set of Policy modes
    • Logging - available only for Server 2003 and XP machines
    • Modeling - requires 1 Server 2003 domain controller in the domain

GPMC can be used to manage GPOs in Windows 2000 and Windows Server 2003 domains. Some of the enhancements are not available to Windows 2000 domains or Windows 2000 machines. Unlike the Resource Kits, GPMC is fully supported by Microsoft.

II. What are the requirements for GPMC?

To install GPMC, you will need:

  1. A single license for Windows Server 2003 which allows for installation of GPMC on an unlimited number of machines.
  2. A machine running:
    1. Windows Server 2003
    2. Windows XP Professional with SP1 and .NET Framework

You can download GPMC from http://www.microsoft.com/downloads. After download, install GPMC by double-clicking on the MSI package (GPMC.MSI).

After installation, a shortcut named Group Policy Management is added to the Administrative Tools program group. The install process also replaces the default group policy management interface in the Active Directory Users and Computers console with GPMC, as shown in Figure 1.

Figure 1. Active Directory Users and Computers Group Policy tab

III. How Do I Launch the GPMC?

Several ways of launching GPMC are listed below:

From the Active Directory Users and Computers console

  1. Launch Active Directory Users and Computers MMC.
  2. Select the target OU for managing group policy.
  3. Right-click on the OU and select Properties.
  4. From the OU properties window, click on the Group Policy tab.
  5. Click on the button labeled Open...

From the Administrative Tools program group

  1. Navigate to the Administrative Tools program group.
  2. Select the Group Policy Management shortcut.

From the Run menu

  1. From the Start button, select Run.
  2. Type gpmc.msc and press Enter.

By default, the first time GPMC starts up, it loads the forest and domain information of the currently logged on user, as shown in Figure 2. Check the troubleshooting section if the forest/domain information is not shown in the GPMC interface.

Figure 2. Default GPMC View

IV. GPMC Startup View

Figure 3 shows GPMC with the default configuration when launched using an account in the campus.berkeley.edu domain (CalNetAD). If the forest information is not displayed, go to the troubleshooting section.

Figure 3. Expanded GPMC View

Four subnodes are available within the forest node.

Domains - displays domains in the forest. By default, only the domain of the logged on user is displayed. Within the domain, the following items are displayed.

  • All GPOs linked to the domain
  • All Top-level OUs
  • The Group Policy Objects container for the domain

Figure 4. Domains subnode

Sites - displays site objects in the forest.

Group Policy Modeling - RSOP planning mode. Enables simulation of the effect of group policies on users and computers. Thus, it eliminates the need to move users or computers to the OU where GPOs are linked to determine Resultant Set of Policies. Requires 1 Server 2003 domain controller as the simulation requires services running on a Server 2003 domain controller. Currently not available in CalNetAD since the domain controllers run Windows 2000 Server.

Group Policy Results - RSOP logging mode. Available only for Server 2003 and XP machines. Results represent the actual resultant set of policy applied to users and computers based on GPOs linked to the user and computer OUs. Output is similar to the results generated by running GPRESULT.EXE on Windows 2000 machines.

V. Basic Group Policy Operations ( Create, Link, Edit, Disable)

There are several ways of creating a Group Policy Object:

Create and Link in target OU

  1. Select and right-click on the target OU.

  2. Choose Create and Link a GPO here... option.

  3. A new GPO is created and opened in the Group Policy Editor snap-in.

  4. You can now make your changes to the GPO.

  5. When done, close the snap-in.

  6. No additional steps are necessary to link the GPO.

Create an unlinked GPO within the Group Policy Object node

  1. Select the Group Policy Object node from the GPMC. This will expand and display all the GPOs in the domain.
  2. Right-click and select New and assign an appropriate name to the GPO.
  3. Right-click on the new GPO and select Edit... to launch the Group Policy Editor.
  4. Modify GPO as required.
  5. When done, close the GPO. Proceed to linking a GPO to link the new GPO to the target OU.

Linking a GPO

  1. Right-click on the target GPO and select Link an existing GPO...
  2. Select the GPO and click OK.

Editing a GPO

GPOs can be edited from the Group Policy Objects node or from within the OU container where the GPO is linked.

  1. Select the OU or the Group Policy Objects node.
  2. Select the GPO.
  3. Right-click and choose Edit...
  4. This will open the Group Policy Editor where changes can be made.

Disabling a GPO

GPOs in whole or part (User or Computer Configuration node) can be disabled. Disable a node, if no settings are configured in that node, to reduce group policy processing time. You can also disable the entire GPO to prevent accidental application of settings while configuring a Group Policy Object.

  1. Within the Group Policy Objects node, select the target GPO.
  2. Right-click and select GPO Status.
  3. Select one of 4 options available:
    • Enabled
    • User Configuration Settings Disabled
    • Computer Configuration Settings Disabled
    • All Settings Disabled

VI. Backup and Restore

From GPMC, it is easy to perform backup and restore operations. Backup and restore operation options are context-sensitive, depending on where you are within the Group Policy Objects node.

Backup Individual GPO(s)

  1. Click on the Group Policy Objects node to display all GPOs in the domain.
  2. Select the target GPO(s) for backup. For multiple GPOs:
    1. For a range of GPOs, select the first GPO, press SHIFT and click on the last GPO.
    2. For multiple non-contiguous GPOs, select the first GPO, press CTRL and click on other GPOs.
  3. Right-click and select Backup...
  4. On the next window, specify the backup directory and description and click Back Up.
  5. Click OK when done.

Backup All GPOs

This operation is normally performed by domain administrators.

  1. Select the Group Policy Object node.
  2. Right-click and select Backup All...
  3. Specify the backup directory and description and click Back Up.
  4. Click OK when done.

Restore GPO

  1. Within the Group Policy Object node, select the target GPO.
  2. Right-click and select Restore from Backup... This will launch the Restore Group Policy Object Wizard.
  3. Click Next.
  4. Specify the correct backup folder location.
  5. If multiple backups have been done, choose the correct backup version. The Source GPO window displays the GPO name, backup timestamp and description. You can also check the settings on the source GPO by clicking on the View Settings... button.
  6. Click Next.
  7. Click Finish when ready to restore.
  8. Click OK when done. You have now restored the GPO.

VII. Import, Export, Copy and Paste Operations

Import Operation

Settings can be imported from any backed up GPO. The import process overwrites existing policy settings on the target GPO. Before the import operation, make sure to back up the GPO so you have a restore point in case it is needed.

  1. Within the Group Policy Objects node, select the target GPO. You can create a new GPO if you want to import settings to a new GPO.
  2. Right-click on the selected GPO and choose Import Settings...
  3. Click Next on the Import Settings wizard.
  4. If there are existing settings in the Target GPO, you will be prompted to back up the GPO first before proceeding. Click on the Backup... button to create a backup copy. Otherwise, click Next.
  5. Specify the path for the backup directory of the source GPO and click Next.
  6. From the list of backed up GPOs, select the correct source GPO and click Next.
  7. Click Next to continue import.
  8. Click Finish when ready.
  9. Click OK when the import operation is complete.

Exporting a GPO

Exporting a GPO involves creating a backup. Once you have a backup of the GPO, you can use the backup copy to import the settings to a target GPO.

Copy and Paste

Replicating GPO settings is as simple as Copy and Paste. Follow the instructions below to copy a GPO.

  1. Within the Group Policy Objects node, select the source GPO.
  2. Right-click and choose Copy.
  3. Right-click on the Group Policy Objects node and select Paste.
  4. You will be prompted for the permissions on the GPO. Select "Use default... " or "Preserve Existing..." and click OK.
  5. The GPO copy will be named "Copy of GPOname". You can now rename it and modify settings as needed.

VIII. Reporting Features

One of the strengths of GPMC is its reporting feature and the richness of information it displays about Group Policy Objects.

Properties View from the Group Policy Objects node

Expanding the Group Policy Objects node displays all GPOs in the domain and lists summary information about the individual GPOs, such as:

  • Name - GPO friendly name
  • GPO Status - shows whether the GPO is enabled or disabled. If disabled, it indicates whether the whole GPO is disabled, or just the Computer or User Configuration node.
  • Modified Date - timestamp of latest GPO change
  • Owner - displays the owner of the GPO.

Figure 5. Group Policy Objects Node View

Individual GPO Properties

For more detailed information of GPO properties, you can select the specific GPO within the Group Policy Object or the OU where it is linked. Once you have selected the GPO, detailed information about the GPO is exposed. Four categories of information are organized into 4 separate tabs.

  • Scope - displays OU linkage, security filtering, WMI filtering information (Figure 6)
  • Details - domain, owner, creation time, modify time, GUID and status (Figure 7)
  • Settings - displays configured settings, allows saving (HTML or XML) and printing (Figure 8)
  • Delegation - displays permissions (ACL) for the GPO (Figure 9)

Figure 6. Group Policy Properties Scope tab

Figure 7. Group Policy Properties Details tab

Figure 8. Group Policy Properties Settings tab

Figure 9. Group Policy Properties Delegation tab

Saving or Printing GPO Settings

With GPMC, you can document and publish GPO settings. You'll need to select the GPO to access the save and print capability.

  1. Within the Group Policy Objects node or the OU, select the GPO to display properties.
  2. Select the Settings tab.
  3. Right-click on an area in the Settings pane and select Print or Save Report...

Figure 10. Group Policy Print/Save Feature

  1. If you selected Print, choose the target printer and click OK.
  2. If you selected Save Report..., type the file name and specify the file type (HTML or XML). Click Save.
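
An added example, not part of the original page: a Python script that reviews a GPO report saved as XML from the Settings tab and lists status and link conditions worth a second look (a disabled configuration node, no links, an Enforced link, a disabled link). The namespace and element names are assumptions about the report format, and the sample report is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed report namespace and element names; the page does not show the format.
NS = {"gp": "http://www.microsoft.com/GroupPolicy/Settings"}

# Constructed sample report, trimmed to the elements read below.
SAMPLE_REPORT = """<?xml version="1.0"?>
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Lab Workstation Lockdown</Name>
  <Computer><Enabled>true</Enabled></Computer>
  <User><Enabled>false</Enabled></User>
  <LinksTo><SOMPath>example.test/Labs</SOMPath>
    <Enabled>true</Enabled><NoOverride>true</NoOverride></LinksTo>
  <LinksTo><SOMPath>example.test/Staff</SOMPath>
    <Enabled>false</Enabled><NoOverride>false</NoOverride></LinksTo>
</GPO>"""

# GPO Status names as GPMC lists them, keyed by (computer, user) enabled.
STATUS = {
    (True, True): "Enabled",
    (True, False): "User Configuration Settings Disabled",
    (False, True): "Computer Configuration Settings Disabled",
    (False, False): "All Settings Disabled",
}

def flag(node, path):
    """True only if the element at `path` exists and reads 'true'."""
    text = node.findtext(path, default="", namespaces=NS)
    return text.strip().lower() == "true"

def review_root(root):
    """Collect review findings from a parsed <GPO> report element."""
    status = STATUS[(flag(root, "gp:Computer/gp:Enabled"),
                     flag(root, "gp:User/gp:Enabled"))]
    findings = []
    if status != "Enabled":
        findings.append(f"GPO status: {status}")
    links = root.findall("gp:LinksTo", NS)
    if not links:
        findings.append("Not linked to any site, domain or OU")
    for link in links:
        target = link.findtext("gp:SOMPath", default="?", namespaces=NS)
        if flag(link, "gp:NoOverride"):
            findings.append(f"Enforced (No Override) link: {target}")
        if not flag(link, "gp:Enabled"):
            findings.append(f"Disabled link: {target}")
    return {"name": root.findtext("gp:Name", default="", namespaces=NS),
            "status": status, "findings": findings}

def review_report(xml_text):
    """Review a report held in memory as text."""
    return review_root(ET.fromstring(xml_text))

def review_file(path):
    """Review a saved report; ET.parse honours the file's own encoding."""
    return review_root(ET.parse(path).getroot())

if __name__ == "__main__":
    result = review_report(SAMPLE_REPORT)
    print(result["name"], "-", result["status"])
    for finding in result["findings"]:
        print("  *", finding)
```

Run review_file over every report in a folder of saved reports to get a quick list of GPOs whose status or links differ from what you expect.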

IX. Changing Default Policy Inheritance

This section discusses changing the default inheritance of group policy. It is strongly recommended that you explore alternative methods before using these strategies. If you decide to implement these changes, make sure that you have fully tested the settings and that you are fully aware of the impact these changes will have in your environment.

Block Inheritance

Blocking inheritance is a property of the OU container. Blocking inheritance is strongly discouraged as this turns off inheritance of all GPOs linked to higher level objects (domain, parent OU). Before implementing the setting, perform extensive testing and consult fellow OU admins for alternative methods. To block policy inheritance from parent objects, follow the steps below:

  1. Select the OU where block inheritance needs to be turned on.
  2. Right-click on the OU and select Block Inheritance.
  3. You have now turned on block inheritance. No GPO assigned at a higher level will be applied. You will need to link GPOs to this OU to deploy GPO settings.

No Override

The No Override setting is an attribute of the GPO itself. Setting this attribute overrides GPO settings assigned at the lower level as well as block inheritance. You enable this attribute when you want to assign standard GPO settings at a higher level OU and prevent GPOs at lower-level OUs from overriding these settings.

  1. Navigate to the target OU where the GPO is linked.
  2. Select the GPO.
  3. Right-click and choose Enforced.

Filtering Group Policy Permission

Changing the default permission for a GPO limits the effect of the GPO to specified groups of users. Use sparingly as this may make GPO management and troubleshooting more complex. Also, remember to document changes.

  1. Implicit Deny
    1. Within Group Policy Objects node, select the target GPO.
    2. Make sure that the Scope tab is selected.
    3. In the Security Filtering pane, highlight the Authenticated Users group and click Remove.
    4. Click the Add button, enter the first few characters of the group, click Check Names, select the correct group and click OK twice. Repeat process for additional groups.
    5. You have now limited the effect of the GPO to members of the groups you added.

     

Figure 11. Filter ACL: Implicit Deny

  2. Explicit Deny
    1. Within Group Policy Objects, select the target GPO.
    2. Select the Delegation tab.
    3. Click the Add button, enter the first few characters of the group, click Check Names, select the correct group and click OK twice.
    4. Select the group you just added and click Advanced...
    5. In the Security Settings window, highlight the group.
    6. In the Permissions pane, check the Deny box for Apply Group Policy permission. Repeat process for additional groups.
    7. Now, only users or computers who are not members of the groups you added will be affected by the GPO.

     

Figure 11. Filter ACL: Explicit Deny

IX. Group Policy Modeling (RSOP Planning Mode)

Group Policy Modeling (RSOP Planning Mode) allows an administrator to simulate the effect of GPOs when users and/or computers are moved to OUs where target GPOs are linked. This saves time and effort in testing GPO settings linked to OUs. This feature requires at least 1 Server 2003 domain controller in the domain. It is not currently available in the production environment (campus.berkeley.edu) as our DCs run on Windows 2000 Server.

  1. Select and right-click on the Group Policy Modeling node.
  2. Choose Group Policy Modeling wizard...
  3. Click Next.
  4. Select campus.berkeley.edu in the Show Domain Controllers in this domain... drop down box.
  5. Accept the default for the Process simulation in this domain controller... and click Next.
  6. In the User and Computer Selection window, specify the correct OU container or specific user/computer and click Next.
  7. In the Advanced Simulation Options window, enable additional options like slow link processing or loopback processing if needed. Click Next when ready.
  8. In the User Security Groups window, specify other group memberships for the user, if any, and click Next.
  9. In the Computer Security Groups window, specify other group memberships for the computer, if any, and click Next.
  10. Click Next twice on the 2 WMI filter windows to accept the default.
  11. In the Summary of Selection window, verify that the choices listed are correct. If not, you can click on the Back button to modify the options. Click Next to start the simulation. Click Finish when done.
  12. The query is automatically saved so you can rerun or modify when needed. Three categories of information are available when the query completes.
    • Summary - summary information about user, computer, and GPOs (Figure 12)
    • Settings - detailed view of simulated effective policies (Figure 13)
    • Query - displays query properties (Figure 14)

Figure 12. Modeling Summary tab

Figure 13. Modeling Settings tab

Figure 14. Modeling Query tab

X. Group Policy Result (RSOP Logging Mode)

Group Policy Result (RSOP Logging Mode) allows an administrator to capture effective Resultant Set of Policies (RSOP) based on actual GPOs linked to the user OU and computer OU. The output of this function is similar to the output you get when using the GPRESULT.EXE resource kit utility in Windows 2000. Unlike GPRESULT.EXE, RSOP Logging Mode allows the administrator to specify the target machine and user from the interface itself, without requiring a user logon to the target machine. However, this feature is available only for target machines that are running Windows XP and Server 2003. For Windows 2000 machines, you will still have to use GPRESULT.EXE. To run Group Policy Results, you will need to be a local administrator on the target machine.

  1. Right-click on the Group Policy Results node, select Group Policy Results wizard...
  2. Click Next.
  3. In the Computer Selection window, select target computer and click Next.
  4. In the User Select window, select target user (current user or another user) and click Next.
  5. In the Summary of Selections window, verify that all options are correct. To make changes, click on the Back button. Click Next when ready.
  6. Click Finish when done. You will get a result pane similar to the modeling result pane. The first two tabs are the summary and details tabs. The third tab, called Policy Events, lists event log entries related to the GPO application.

Figure 15. Group Policy Results

XI. Troubleshooting

If the GPMC does not display the Active Directory forest information as shown in Figure 2, you may need to turn off trust detection. Afterwards, follow the steps to add domains to the GPMC.

Turn off Trust Detection

  1. From the GPMC GUI, click on the View menu and select Options.

     Figure 16. GPMC View Menu

  2. Click on the General tab and uncheck the box labeled Enable Trust Detection.

     Figure 17. GPMC General Options

  3. Click OK when done.
  4. Configure GPMC to add the domains you are going to manage, as shown in Add Domain to GPMC.

Add Domain to GPMC

  1. Right-click on the Group Policy Management icon.

     Figure 18. Add Forest option

  2. Select Add Forest..., type campus.berkeley.edu in the domain box and click OK.

     Figure 19. Input Domain box

  3. If you get an error message regarding trust detection, follow the steps to turn off trust detection from the View menu.

XII. References

 