Lighten Up the Group Policy Load
Microsoft’s new Group Policy Management Console is a solid—and much needed—tool for enterprise environments.
- By Zubair Alexander
- October 01, 2003
One of the major Windows 2000 selling points for Microsoft has been Active
Directory and its Group Policies. However, Microsoft didn’t offer
any unified tool for managing the core aspects of Group Policies. As a
system administrator, you can create a custom Microsoft Management Console
(MMC) that can include various snap-ins for managing your corporate Group
Policy Objects, such as AD Users and Computers and AD Sites and Services.
Creating custom consoles makes your job somewhat easier, but you still
need to use multiple snap-ins. In addition, there’s no easy way to
see the affect of GPO settings or get custom reports.
Last April Microsoft released Group Policy Management Console 1.0, a
free add-on tool that unifies Group Policy management all across the enterprise
and enables programmatic access to GPOs. In this article we’ll examine
the system requirements for GPMC, explore various features, delve into
the reporting and modeling aspects, discuss the Group Policy Modeling
and Group Policy Results functionality, cover WMI Filters, and finally
look at GPMC sample scripts.
What GPMC Does
GPMC is an MMC snap-in (see Figure 1) that integrates features from several
existing tools, such as the Resultant Set of Policy snap-in and the Delegation
Wizard. Although it can be used to manage both Windows Server 2003 and
Win2K AD domains, it can only be installed on Windows 2003 and Windows
XP computers. GPMC has a long list of features that system administrators
will appreciate. It offers importing/exporting, copying/pasting, and backing/restoring
of GPOs. It also simplifies management of reporting and scripting.
|Figure 1. The Group Policy Management Console
packages up several tools, including Resultant Set of Policy snap-in
and Delegation Wizard. (Click image to view larger version.)
Before discussing the system requirements and features of GPMC, let’s
clear a couple of common misconceptions about this tool. First, GPMC is
not part of Windows 2003 or any resource kit. GPMC is free, downloadable,
add-on software from Microsoft that’s not part of any specific operating
system. Second, GPMC is meant to be used as a one-stop management tool
for GPOs. It doesn’t replace existing tools like AD Users and Computers.
You’ll still need those tools for AD administration tasks, such as
creating users and groups.
GPMC lets you directly edit individual GPOs; plus, it gives you the big
picture of sites, domains, and organizational units (OUs). It also gives
you quick access to the existing Group Policy snap-ins for your convenience.
Note: The Win2K Group Policy snap-in has been renamed to
Group Policy Object Editor in Windows 2003.
GPMC can be used to manage either Windows 2003 or Win2K (SP2 or
later) AD domains. However, GPMC installation is not directly supported
on Win2K computers. It can only be installed on Windows 2003 and Windows
XP computers. Installation on Windows XP requires Windows XP Service Pack
1 (SP1) and Microsoft .NET Framework. In addition, you also need to install
the post-SP1 hotfix KB 326469
because GPMC requires version 5.1.2600.1186 or later of gpedit.dll. The
hotfix updates the gpedit.dll, which is in Windows XP SP2.
GPMC is supported by Microsoft Premier Support Services (PSS) and may
be installed on an unlimited number of computers, as long as you have
at least one license for Windows 2003. In addition to English, Microsoft
plans to offer localized versions of GPMC in languages such as French,
German, and Japanese.
To manage a Win2K domain in the same forest as a Windows 2003 domain,
you need to have at least Win2K SP2 installed on Win2K servers. However,
to manage a Win2K server from a computer running GPMC in a different Windows
2003 forest, with an external trust between the two forests, you must
have SP3 installed on Win2K server. In Windows 2003, the AD administration
tools (including GPMC) encrypt and digitally sign the LDAP traffic. If
for some reason you’re unable to deploy Win2K SP3, you can modify
the registry and as a temporary workaround disable LDAP encryption and
signing. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\AdminDebug in the registry and add a new DWORD value of
ADsOpenObjectFlags. Use a hex value of 3 for Value data. Although this
option is a workaround, it’s not something I’d recommend. Use
it only as a last resort since you’re disabling LDAP encryption and
signing for all AD administration tools, not just GPMC. Check out KB 325465
for more details.
Note: Once GPMC is installed, you can no longer use AD
Users and Computers or other administrative tools to manage GPOs. The
Group Policy tab on these tools adds a link to the GPMC for your convenience.
To manage GPOs from these tools you’ll have to remove GPMC, which
will activate the Group Policy tab again.
After installing GPMC, you can access the console from Administrative
Tools folder. Their are four main folders available in the left hand pane
under the forest:
- Group Policy Modeling
- Group Policy Results
You can add additional forests to the console. However, if you add a
Win2K forest, it won’t list the Group Policy Modeling node in the
left hand pane. Here’s a brief explanation of the GPMC nodes.
Domains The Domains
node lists the DNS names of the domains. Regardless of what your domain
hierarchy looks like, all the domains are listed as peers of each other.
Sites The Sites
node also shows all the sites as peers. Although Sites is visible in the
left-hand pane, by default none of the sites are shown in this node. This
is mainly due to speed and performance reasons. You can right-click Sites,
select Show Sites and then select the sites you’d like to see in
Group Policy Modeling Both the Group Policy
Modeling node and the Group Policy Results node are tied to the Resultant
Set of Policy (RSoP) functionality. Group Policy Modeling is meant for
planning mode, while Group Policy Results offers logging mode. Group Policy
Modeling is useful for “what if” scenarios, as it simulates
policy settings that can be applied to any user or computer in the forest,
before the settings are actually applied. The RSoP planning mode requires
at least one Windows 2003 domain controller in the forest. As mentioned
earlier, Win2K forests don’t support this feature.
Group Policy Results The Group Policy Results
offers the RSoP logging mode functionality. Unlike Group Policy Modeling,
which offers only a simulation, Group Policy Results shows the actual
results of the settings that are applied to the users and computers by
directly obtaining the information from the individual user or computer.
One thing to keep in mind here is that this resultant set of policy can
only be obtained from Windows 2003 and Windows XP computers. Win2K computers
don’t support this feature.
You can create, edit, delete and manage GPOs easily using GPMC. To create
a GPO and link it to a specific domain or OU, right-click that domain
or OU and select Create and Link the GPO Here. This automatically creates
the OU and links it to that domain or OU. To create a GPO without linking
it, right-click the Group Policy Objects node and select New. Alternatively,
you can run the sample script createGPO.wsf at the command line to create
As you add GPOs to various locations in the domain, they’re automatically
visible in the Group Policy Objects node under the domain. This is where
you configure, edit, copy, delete, backup, restore, import settings, configure
filtering, use delegation, and view settings for the GPOs.
GPMC consolidates several group policy management tools to make your
life easier, but it doesn’t replace existing AD administration tools,
such as AD Users and Computers. You can create and delete GPOs in GPMC.
To delete a GPO, right-click the GPO and select Delete. The affect of
deleting a GPO depends on where you delete the link. For example, selecting
a GPO in the Information Technology OU and deleting it will only delete
the link to that GPO. The GPO itself will not be deleted. On the other
hand, if you want to delete the GPO and all links to it in the domain,
go to the Group Policy Objects node and delete the GPO from that location.
This will delete the GPO and all the links in the current domain, but
not the links in other domains.
The GPOs may be linked to a site, domain or OU. This is referred to as
the Scope of Management (SOM). In order for a GPO to be applied, it must
be linked to a SOM. If a GPO already exists, you can link it to a SOM
by right-clicking the site, domain or OU and selecting Link an Existing
GPO. Remember that GPOs are per-domain objects that can be linked anywhere
in a forest, so when you link a GPO to an OU, it doesn’t really reside
in that OU. It’s tied to the domain and may be used anywhere in that
domain, or the entire forest.
One nice GPMC feature is the ease of applying security filters. In Win2K,
both the Read and Apply Group Policy permissions had to be manually applied
in the Access Control List (ACL) Editor to set the security filters on
a GPO. In GPMC, the same results can be easily achieved by going to the
GPO and adding or removing the security principals in the Security Filtering
section on the Scope tab (see Figure 2). By adding security principals
here you’re automatically applying both Read and Apply Group Policy
permissions. To confirm this, click on the Delegation tab, then Advanced
button to bring up the ACL Editor (see Figure 3). On the Delegation tab,
the security principal’s (Help Desk Staff) permissions are listed
as Read (from Security Filtering), but the ACL Editor shows the Help Desk
Staff with both the Read and Apply Group Policy permissions.
|Figure 2. Configuring security filtering for
a GPO. (Click image to view larger version.)
|Figure 3. GPMC makes it easy to apply security
filters, as shown in this view of the ACL Editor. (Click image to
view larger version.)
Importing and Exporting GPOs
GPMC allows importing and exporting (backup) of GPOs. There’s
an import option on the context menu of a GPO but no export option; Microsoft
uses the term backup for exporting a GPO.
To back up (export) a GPO, go to the Group Policy Objects node in GPMC.
This is where backups are managed. To backup an individual GPO, right-click
that GPO and select Back Up. You can also back up all GPOs by right-clicking
the Group Policy Objects node and selecting Back Up All. Settings external
to the GPOs, such as WMI filters and IPSec policies, aren’t backed
up since they’re independent objects in the AD and not tied to GPOs.
Once all GPOs have been backed up, you can use the Manage Backups option
by right-clicking Group Policy Objects node. This allows you to restore,
delete or view individual GPO settings. When you perform a backup, it
copies the entire contents of a GPO from the AD to the backup folder.
This includes the GUID, version, status, and all policy settings.
You can import a GPO once it’s been backed up. Importing a GPO will
transfer only the policy settings back from the backup folder to the AD.
It doesn’t make any changes to the permissions or the GUID associated
with the GPO. Furthermore, you can only import a GPO that already exists
in the AD; importing copies the policy settings from the backup to this
existing GPO. Importing also erases any existing policy settings in the
destination GPO. To import a GPO, right-click the GPO under the Group
Policy Objects node and select Import Settings. Notice that the option
is called Import Settings, rather than just Import. This is a reminder
that the Importing option only transfers the policy settings to the destination
GPO. It doesn’t import permissions or other components of a GPO.
You can restore a backed-up GPO by right-clicking the GPO under the Group
Policy Objects node and selecting Restore from Backup. This starts the
restore wizard. Keep in mind that you can only restore a GPO to the domain
where it was created; the restore operation restores everything, including
the GPO’s GUID, which is tied to the domain of its creation.
You can also restore deleted GPOs. The restore option isn’t listed
on the context menu on the Group Policy Object’s node; it’s
only available from right-clicking the Group Policy Objects node and using
Manage Backups. In Manage Backups, select the deleted GPO that was previously
backed up and click Restore.
Copying a GPO
The concept of copying a GPO is different from restoring or importing
one. When you copy a GPO, you’re creating a new GPO with a new GUID,
without linking it to any site, domain, or OU. You’re also transferring
the policy settings to the destination GPO. The newly created GPO will
automatically have the default ACLs for GPOs applied to it, unless you
choose to preserve the permissions. You can copy GPOs within a domain,
to another domain within the forest, or to another domain in a different
Let’s say you want to copy the Corporate IT Policy GPO to a new
GPO called HR Policy within the domain. First, right-click the Corporate
IT Policy under the Group Policy Objects node and select Copy. Then go
to the Group Policy Objects node, right-click and select Paste. You’ll
be given the option to specify the permissions for the new GPO. You can
either choose the default permissions for the new GPO or preserve the
existing permissions. The newly created GPO will be called Copy of Corporate
IT Policy, which you can rename to HR Policy. If you want to ensure that
the new GPO has the same permissions—for example, security filtering
settings—make sure to choose the option to preserve the existing
permissions. Otherwise, you’ll have to manually set the security
The main difference between copying and importing GPOs is that you can
only import a GPO that’s been backed up to a folder on the hard drive.
However, you can copy any existing GPO in the AD, whether it’s been
backed up or not. In addition, the copy operation creates a brand new
GPO with a new GUID, so the GPO doesn’t need to exist in the AD beforehand.
The import operation, on the other hand, can only be performed if the
destination GPO already exists in the AD.
Group Policy Modeling
Group Policy Modeling simulates GPO deployments for planning and
testing purposes, without actually applying the policy to users or computers
(see Figure 4). The Resultant Set of Policy (RSoP) has two modes: Planning
and Logging. Group Policy Modeling is referred to as RSoP Planning Mode,
while Group Policy Results is referred to as RSoP Logging Mode.
As long as you have at least one Windows 2003 domain controller in the
forest, you can use the Group Policy Modeling feature to simulate policy
deployment on any Windows 2003 or Win2K computer in the forest. To use
it, right-click the Group Policy Modeling node in GPMC and select Group
Policy Modeling Wizard. This wizard is the newer version of the RSoP MMC
snap-in in Windows 2003. It offers all the functionality of the RSoP MMC
snap-in plus some additional capabilities, such as HTML reporting of RSoP
data. Among other things, you can simulate policy implementation for a
slow network connection or configure loopback processing options on the
Advanced Simulation Options screen.
|Figure 4. Plan and simulate GPO deployments using
the handy Group Policy Modeling Wizard.
The Group Policy Modeling node shows all your queries in the left-hand
pane. The right-hand pane shows three tabs for each query: Summary, Settings,
and Query. Right-click the query and select Save Report to save the contents
of the summary and settings tab in a single report in either HTML or XML
format. You can also open the RSoP MMC snap-in by right-clicking the query
and selecting Advanced View.
If you add a Win2K forest to GPMC, it wouldn’t list the Group Policy
Modeling node in the left-hand pane because Win2K DCs can’t simulate
RSoP data. RSoP service is only available on Windows 2003 DCs.
Group Policy Results
Group Policy Results shows the actual data obtained from a target computer,
and is referred to as RSoP Logging Mode. The target computer must be an
XP or Windows 2003 computer, as Win2K computers won’t report RSoP
data. To use this feature, right-click Group Policy Results node in the
left-hand pane and select Group Policy Results Wizard.
The Group Policy Results node shows all your queries in the left pane.
The right pane shows three tabs for each query: Summary, Settings, and
Windows Management Instrumentation (WMI) Filters allow you to extend
the filtering capabilities of GPOs. WMI makes all kinds of data available
for a target computer, such as hardware and software inventory, configuration
information, and various computer settings. It fetches this data from
AD, the Registry, drivers, SNMP, file system, and other services and applications.
WMI Filtering lets you run queries against this data.
A WMI filter is made up of one or more queries written in WMI Query Language
(WQL) that’s evaluated against the target computer. If all the queries
against the target computer’s WMI data are evaluated as true, the
GPO is applied; otherwise it’s not.
A WMI filter can be linked to multiple GPOs, but each GPO can only have
one WMI filter applied. For example, you can create a WMI filter called
“XP Computers” and link it to a GPO called Corporate IT Policy.
This is the only WMI filter you can apply to the Corporate IT Policy GPO.
However, the same WMI filter can also be applied to other GPOs in the
domain, such as HR Policy GPO. You can import and export WMI filters,
which are saved as WMI filters MOF files. Note: Only Windows XP and later
clients support WMI filters.
Let’s say you want to apply a WMI filter to all Toshiba laptops
in your company (see Figure 5). Right-click the WMI Filters node under
the domain in GPMC and select New. In the New WMI Filter window, enter
the name and optional description for the filter, such as Toshiba Laptops.
Click Add and type the following in the Query box:
Select * from Win32_ComputerSystem
where manufacturer = "Toshiba" and Model = "Tecra 8000"
OR Model = "Tecra 8100"
then click OK.
Note: In a Win2K domain, you must run AD
/domainprep, or else the WMI Filters node will be missing in the
GPMC under the Win2K domain. In addition, the GPO won’t show the
WMI Filtering section on the Scope tab in the right-hand pane.
|Figure 5. WMI Filtering is a powerful feature
of the GPMC. (Click image to view larger version.)
The GPMC provides strong scripting support. The user interface
is based on a set of COM interfaces that both scripting technologies (Jscript,
VBScript) and programming languages (Visual Basic, Visual C++) can take
advantage of. Using these technologies, you can back up, restore, import,
export, copy, paste, create, delete, rename, search, link, unlink, delegate
security, create rights and generate reports for GPOs.
GPMC comes with a number of sample scripts installed in the %programfiles%\gpmc\scripts
folder. The scripts folder isn’t in the path, so you’ll need
to execute the scripts at the command line from the scripts folder. To
create a Sales GPO using createGPO.wsf script, for example, go to the
command prompt, change directory to the %programfiles%\gpmc\scripts directory
and type cscript createGPO.wsf Sales.
Cscript is not the default scripting engine, but you can always make
it the default by typing cscript //H:cscript.
For usage options, type “/?” after the script name. So to see
the usage options for createGPO.wsf script,
type createGPO.wsf /?.
Functional, Fabulous, Free!
GPMC is a valuable tool for system administrators to help manage enterprise-wide
Group Policies. It’s a one-stop shop for managing GPOs. It offers
easy access to forests, domains, sites, OUs, security filters, and reporting
functionality. RSoP planning mode allows you to plan your GPO deployment
before actually applying the policy settings. RSoP logging mode shows
the actual results of the settings that are applied to the users and computers.
With strong support for programmatic access to Group Policies, scripting
technologies and programming languages can make the system administrators’
job easier and provide unlimited scripting capabilities to developers.
GPMC version 1.0 may not be the perfect tool, but it’s much better
than juggling numerous snap-ins to manage GPOs. It also offers several
new functionalities and it’s free!