In-Depth

Lighten Up the Group Policy Load
Microsoft’s new Group Policy Management Console is a solid—and much needed—tool for enterprise environments.

By Zubair Alexander
October 01, 2003
        One of the major Windows 2000 selling points for Microsoft has been Active 
        Directory and its Group Policies. However, Microsoft didn’t offer 
        any unified tool for managing the core aspects of Group Policies. As a 
        system administrator, you can create a custom Microsoft Management Console 
        (MMC) that can include various snap-ins for managing your corporate Group 
        Policy Objects, such as AD Users and Computers and AD Sites and Services. 
        Creating custom consoles makes your job somewhat easier, but you still 
        need to use multiple snap-ins. In addition, there’s no easy way to 
        see the effect of GPO settings or get custom reports.
      
Last April Microsoft released Group Policy Management Console 1.0, a 
        free add-on tool that unifies Group Policy management all across the enterprise 
        and enables programmatic access to GPOs. In this article we’ll examine 
        the system requirements for GPMC, explore various features, delve into 
        the reporting and modeling aspects, discuss the Group Policy Modeling 
        and Group Policy Results functionality, cover WMI Filters, and finally 
        look at GPMC sample scripts.
      What GPMC Does
        GPMC is an MMC snap-in (see Figure 1) that integrates features from several 
        existing tools, such as the Resultant Set of Policy snap-in and the Delegation 
        Wizard. Although it can be used to manage both Windows Server 2003 and 
        Win2K AD domains, it can only be installed on Windows 2003 and Windows 
        XP computers. GPMC has a long list of features that system administrators 
        will appreciate. It offers importing/exporting, copying/pasting, and backing 
        up/restoring of GPOs. It also simplifies reporting and scripting.
      
         
          Figure 1. The Group Policy Management Console packages up several tools, 
          including the Resultant Set of Policy snap-in and the Delegation Wizard.
      
      Before discussing the system requirements and features of GPMC, let’s 
        clear a couple of common misconceptions about this tool. First, GPMC is 
        not part of Windows 2003 or any resource kit. GPMC is free, downloadable, 
        add-on software from Microsoft that’s not part of any specific operating 
        system. Second, GPMC is meant to be used as a one-stop management tool 
        for GPOs. It doesn’t replace existing tools like AD Users and Computers. 
        You’ll still need those tools for AD administration tasks, such as 
        creating users and groups.
      GPMC lets you directly edit individual GPOs; plus, it gives you the big 
        picture of sites, domains, and organizational units (OUs). It also gives 
        you quick access to the existing Group Policy snap-ins for your convenience. 
      
      Note: The Win2K Group Policy snap-in has been renamed to 
        Group Policy Object Editor in Windows 2003.
      System Requirements
        GPMC can be used to manage either Windows 2003 or Win2K (SP2 or 
        later) AD domains. However, GPMC installation isn’t supported 
        on Win2K computers; it can only be installed on Windows 2003 and Windows 
        XP. Installation on Windows XP requires Windows XP Service Pack 
        1 (SP1) and the Microsoft .NET Framework. In addition, you need to install 
        the post-SP1 hotfix KB 326469, 
        because GPMC requires version 5.1.2600.1186 or later of gpedit.dll. The 
        hotfix updates gpedit.dll; the updated file is also included in Windows XP SP2.
      GPMC is supported by Microsoft Premier Support Services (PSS) and may 
        be installed on an unlimited number of computers, as long as you have 
        at least one license for Windows 2003. In addition to English, Microsoft 
        plans to offer localized versions of GPMC in languages such as French, 
        German, and Japanese.
      To manage a Win2K domain in the same forest as a Windows 2003 domain, 
        the Win2K domain controllers need at least Win2K SP2. However, 
        to manage a Win2K domain from a computer running GPMC in a different Windows 
        2003 forest, with an external trust between the two forests, the Win2K 
        domain controllers need SP3. The reason is that in Windows 2003 the AD 
        administration tools (including GPMC) encrypt and digitally sign their 
        LDAP traffic. If for some reason you’re unable to deploy Win2K SP3, 
        you can disable LDAP encryption and signing on the administration 
        workstation as a temporary workaround: go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
        CurrentVersion\AdminDebug in the registry and add a new DWORD value named 
        ADsOpenObjectFlags with a hex value of 3 as Value data. This works, but 
        it’s not something I’d recommend. Use it only as a last resort, 
        because it disables LDAP encryption and signing for every AD administration 
        tool on that computer, not just GPMC, which leaves those sessions open to 
        eavesdropping and tampering on the network. Remove the value as soon as SP3 
        is in place. Check out KB 325465 for more details.
      Note: Once GPMC is installed, you can no longer manage GPOs from the 
        Group Policy tab of AD Users and Computers or the other administrative tools; 
        that tab now carries only a link that opens GPMC. To manage GPOs from 
        those tools again, you’d have to uninstall GPMC, which reactivates 
        the Group Policy tab.
      GPMC Basics
        After installing GPMC, you can access the console from the Administrative 
        Tools folder. There are four main nodes in the left-hand pane 
        under the forest:
      
        - Domains
        - Sites
        - Group Policy Modeling
        - Group Policy Results
You can add additional forests to the console. However, if you add a 
        Win2K forest, it won’t list the Group Policy Modeling node in the 
        left hand pane. Here’s a brief explanation of the GPMC nodes.
      Domains: The Domains 
        node lists the DNS names of the domains. Regardless of what your domain 
        hierarchy looks like, all the domains are listed as peers of each other.
      Sites: The Sites 
        node also shows all the sites as peers. Although Sites is visible in the 
        left-hand pane, by default none of the sites are shown in this node, 
        mainly for speed and performance reasons. You can right-click Sites, 
        select Show Sites and then select the sites you’d like to see in 
        the console.
      Group Policy Modeling: Both the Group Policy 
        Modeling node and the Group Policy Results node are tied to the Resultant 
        Set of Policy (RSoP) functionality. Group Policy Modeling is RSoP 
        planning mode, while Group Policy Results is RSoP logging mode. Group Policy 
        Modeling is useful for “what if” scenarios, as it simulates 
        the policy settings that would apply to any user or computer in the forest 
        before the settings are actually applied. RSoP planning mode requires 
        at least one Windows 2003 domain controller in the forest. As mentioned 
        earlier, Win2K forests don’t support this feature.
      Group Policy Results: The Group Policy Results 
        node offers the RSoP logging mode functionality. Unlike Group Policy Modeling, 
        which offers only a simulation, Group Policy Results shows the actual 
        results of the settings applied to users and computers, obtained 
        directly from the individual user or computer. 
        Keep in mind that this resultant set of policy can 
        only be obtained from Windows 2003 and Windows XP computers. Win2K computers 
        don’t support this feature.
      
       Managing GPOs
        You can create, edit, delete and manage GPOs easily using GPMC. To create 
        a GPO and link it to a specific domain or OU in one step, right-click that 
        domain or OU and select Create and Link a GPO Here. This creates the GPO 
        under the domain’s Group Policy Objects node and links it to the domain 
        or OU you clicked. To create a GPO without linking 
        it, right-click the Group Policy Objects node and select New. Alternatively, 
        you can run the sample script createGPO.wsf at the command line to create 
        a GPO.
      As you add GPOs to various locations in the domain, they’re automatically 
        visible in the Group Policy Objects node under the domain. This is where 
        you configure, edit, copy, delete, backup, restore, import settings, configure 
        filtering, use delegation, and view settings for the GPOs.
      GPMC consolidates several Group Policy management tools to make your 
        life easier, but it doesn’t replace existing AD administration tools 
        such as AD Users and Computers. Creating and deleting GPOs, however, is 
        done entirely within GPMC.
      To delete a GPO, right-click the GPO and select Delete. The effect of 
        deleting depends on where you do it. For example, selecting 
        a GPO under the Information Technology OU and deleting it only deletes 
        the link to that GPO; the GPO itself is not deleted. On the other 
        hand, if you want to delete the GPO and all links to it in the domain, 
        go to the Group Policy Objects node and delete the GPO from that location. 
        This deletes the GPO and all its links in the current domain, but 
        not the links in other domains; those are left behind pointing at a GPO 
        that no longer exists and show up as broken links in GPMC.
      The GPOs may be linked to a site, domain or OU. This is referred to as 
        the Scope of Management (SOM). In order for a GPO to be applied, it must 
        be linked to a SOM. If a GPO already exists, you can link it to a SOM 
        by right-clicking the site, domain or OU and selecting Link an Existing 
        GPO. Remember that GPOs are per-domain objects that can be linked anywhere 
        in a forest, so when you link a GPO to an OU, it doesn’t really reside 
        in that OU. It’s tied to the domain and may be used anywhere in that 
        domain, or the entire forest. 
      One nice GPMC feature is the ease of applying security filters. In Win2K, 
        both the Read and Apply Group Policy permissions had to be set manually 
        in the Access Control List (ACL) Editor to security-filter 
        a GPO. In GPMC, the same result is achieved by going to the 
        GPO and adding or removing security principals in the Security Filtering 
        section on the Scope tab (see Figure 2). By adding a security principal 
        here you automatically grant it both the Read and Apply Group Policy 
        permissions. To confirm this, click the Delegation tab, then the Advanced 
        button to bring up the ACL Editor (see Figure 3). On the Delegation tab, 
        the security principal’s (Help Desk Staff) permissions are listed 
        as Read (from Security Filtering), but the ACL Editor shows Help Desk 
        Staff with both the Read and Apply Group Policy permissions. Remember that 
        Authenticated Users has Read and Apply Group Policy on every new GPO by 
        default, so to restrict a GPO to one group you must also remove Authenticated 
        Users from the Security Filtering list; adding the group alone leaves the 
        GPO applying to everyone.
      
         
          |  | 
         
          | Figure 2. Configuring security filtering for 
            a GPO. (Click image to view larger version.) | 
      
       
      
         
          |  | 
         
          | Figure 3. GPMC makes it easy to apply security 
            filters, as shown in this view of the ACL Editor. (Click image to 
            view larger version.) | 
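      The same security-filtering change made through the GPMC scripting interfaces, as an added example that is not from the article or from Microsoft’s GPMC sample scripts. It creates a GPO, links it to an OU, replaces the default Authenticated Users entry with a single Apply permission for a group, and then reads the ACL back to show that GPMC reports that one permission as Read plus Apply Group Policy. The domain contoso.com, the OU path, the GPO name and the group CONTOSO\Help Desk Staff are assumptions; the object, method and constant names (GPMgmt.GPM, GetDomain, GetSOM, CreateGPOLink, CreatePermission, GetSecurityInfo, PermGPOApply) are those of the GPMC object model that the sample scripts use.

```vbscript
' Added example (not from the article or the GPMC sample scripts): create a GPO,
' link it to an OU and security-filter it to one group via the GPMC object model.
' Assumed values: domain contoso.com, OU "OU=IT,DC=contoso,DC=com",
' group "CONTOSO\Help Desk Staff".  Run with: cscript SetSecurityFilter.vbs
Option Explicit

Const DOMAIN_NAME = "contoso.com"
Const OU_PATH     = "OU=IT,DC=contoso,DC=com"
Const GPO_NAME    = "Corporate IT Policy"
Const TRUSTEE     = "CONTOSO\Help Desk Staff"

Dim GPM, Constants, Domain, GPO, SOM, SecInfo, Perm

Set GPM       = CreateObject("GPMgmt.GPM")
Set Constants = GPM.GetConstants()
Set Domain    = GPM.GetDomain(DOMAIN_NAME, "", Constants.UseAnyDC)

' Create the GPO (it lives under the domain's Group Policy Objects node)
' and link it to the OU; link position -1 appends to the end of the link list.
Set GPO = Domain.CreateGPO()
GPO.DisplayName = GPO_NAME
Set SOM = Domain.GetSOM(OU_PATH)
Call SOM.CreateGPOLink(-1, GPO)

' Security filtering.  New GPOs grant Authenticated Users Read + Apply, so that
' trustee is removed first (name resolution of the well-known group is assumed),
' otherwise the GPO would still apply to everyone.  PermGPOApply is the single
' GPMC permission level that maps to the two ACEs Read and Apply Group Policy.
Set SecInfo = GPO.GetSecurityInfo()
Call SecInfo.RemoveTrustee("Authenticated Users")
Set Perm = GPM.CreatePermission(TRUSTEE, Constants.PermGPOApply, False)
Call SecInfo.Add(Perm)
Call GPO.SetSecurityInfo(SecInfo)

' Read the ACL back and print each trustee with its GPMC permission level,
' which is the check the article does by hand on the Delegation tab.
Set SecInfo = GPO.GetSecurityInfo()
For Each Perm In SecInfo
    WScript.Echo Perm.Trustee.TrusteeName & vbTab & PermName(Perm.Permission)
Next

Function PermName(lPerm)
    Select Case lPerm
        Case Constants.PermGPOApply
            PermName = "Read + Apply Group Policy"
        Case Constants.PermGPORead
            PermName = "Read"
        Case Constants.PermGPOEdit
            PermName = "Edit settings"
        Case Constants.PermGPOEditSecurityAndDelete
            PermName = "Edit settings, delete, modify security"
        Case Else
            PermName = "Custom (" & lPerm & ")"
    End Select
End Function
```

      Run it with cscript from an account that can create GPOs in the domain. The final loop is the scripted equivalent of the Delegation tab check: the group added with PermGPOApply comes back as Read + Apply Group Policy, and Authenticated Users is gone, which is what actually restricts the GPO.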
      
      Importing and Exporting GPOs
        GPMC allows importing and exporting (backup) of GPOs. There’s 
        an import option on the context menu of a GPO but no export option; Microsoft 
        uses the term backup for exporting a GPO.
      To back up (export) a GPO, go to the Group Policy Objects node in GPMC. 
        This is where backups are managed. To backup an individual GPO, right-click 
        that GPO and select Back Up. You can also back up all GPOs by right-clicking 
        the Group Policy Objects node and selecting Back Up All. Settings external 
        to the GPOs, such as WMI filters and IPSec policies, aren’t backed 
        up since they’re independent objects in the AD and not tied to GPOs.
      Once all GPOs have been backed up, you can use the Manage Backups option 
        by right-clicking Group Policy Objects node. This allows you to restore, 
        delete or view individual GPO settings. When you perform a backup, it 
        copies the entire contents of a GPO from the AD to the backup folder. 
        This includes the GUID, version, status, and all policy settings.
      You can import a GPO once it’s been backed up. Importing a GPO will 
        transfer only the policy settings back from the backup folder to the AD. 
        It doesn’t make any changes to the permissions or the GUID associated 
        with the GPO. Furthermore, you can only import a GPO that already exists 
        in the AD; importing copies the policy settings from the backup to this 
        existing GPO. Importing also erases any existing policy settings in the 
        destination GPO. To import a GPO, right-click the GPO under the Group 
        Policy Objects node and select Import Settings. Notice that the option 
        is called Import Settings, rather than just Import. This is a reminder 
        that the Importing option only transfers the policy settings to the destination 
        GPO. It doesn’t import permissions or other components of a GPO.
      Restoring GPOs
        You can restore a backed-up GPO by right-clicking the GPO under the Group 
        Policy Objects node and selecting Restore from Backup. This starts the 
        restore wizard. Keep in mind that you can only restore a GPO to the domain 
        where it was created; the restore operation restores everything, including 
        the GPO’s GUID, which is tied to the domain of its creation.
      You can also restore deleted GPOs. A deleted GPO no longer appears under 
        the Group Policy Objects node, so it has no context menu of its own; the 
        restore option is available only by right-clicking the Group Policy Objects 
        node and selecting Manage Backups. In Manage Backups, select the deleted 
        GPO that was previously backed up and click Restore.
      Copying a GPO
        The concept of copying a GPO is different from restoring or importing 
        one. When you copy a GPO, you’re creating a new GPO with a new GUID, 
        without linking it to any site, domain, or OU. You’re also transferring 
        the policy settings to the destination GPO. The newly created GPO will 
        automatically have the default ACLs for GPOs applied to it, unless you 
        choose to preserve the permissions. You can copy GPOs within a domain, 
        to another domain within the forest, or to another domain in a different 
        forest.
      Let’s say you want to copy the Corporate IT Policy GPO to a new 
        GPO called HR Policy within the domain. First, right-click the Corporate 
        IT Policy under the Group Policy Objects node and select Copy. Then go 
        to the Group Policy Objects node, right-click and select Paste. You’ll 
        be given the option to specify the permissions for the new GPO. You can 
        either choose the default permissions for the new GPO or preserve the 
        existing permissions. The newly created GPO will be called Copy of Corporate 
        IT Policy, which you can rename to HR Policy. If you want to ensure that 
        the new GPO has the same permissions—for example, security filtering 
        settings—make sure to choose the option to preserve the existing 
        permissions. Otherwise, you’ll have to manually set the security 
        filtering permissions.
      The main difference between copying and importing GPOs is that you can 
        only import a GPO that’s been backed up to a folder on the hard drive. 
        However, you can copy any existing GPO in the AD, whether it’s been 
        backed up or not. In addition, the copy operation creates a brand new 
        GPO with a new GUID, so the GPO doesn’t need to exist in the AD beforehand. 
        The import operation, on the other hand, can only be performed if the 
        destination GPO already exists in the AD.
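      Backup, import and copy through the GPMC object model, as an added example (not the article’s or Microsoft’s code) that makes the GUID behaviour described above visible: the backed-up GPO keeps its GUID, the import target keeps its own GUID and ACL and only receives settings, and the copy is a new GPO with a new GUID. The domain contoso.com, the GPO names and the backup folder C:\GPOBackups are assumptions; the method names (Backup, Import, CopyTo, GenerateReportToFile, CreateSearchCriteria, SearchGPOs) and the constants are those of the GPMC object model.

```vbscript
' Added example (not from the article): back up a GPO, save an HTML report of it,
' import its settings into an existing GPO, and copy it to a brand-new GPO.
' Assumed values: domain contoso.com, source GPO "Corporate IT Policy",
' existing destination GPO "HR Policy", existing folder C:\GPOBackups.
Option Explicit

Const DOMAIN_NAME = "contoso.com"
Const SRC_NAME    = "Corporate IT Policy"
Const DST_NAME    = "HR Policy"
Const BACKUP_DIR  = "C:\GPOBackups"

Dim GPM, Constants, Domain, SrcGPO, DstGPO, NewGPO, Result, Backup

Set GPM       = CreateObject("GPMgmt.GPM")
Set Constants = GPM.GetConstants()
Set Domain    = GPM.GetDomain(DOMAIN_NAME, "", Constants.UseAnyDC)

Set SrcGPO = FindGPO(SRC_NAME)
Set DstGPO = FindGPO(DST_NAME)

' 1. Back up: the whole GPO (GUID, version, status, settings, ACL) goes to the
'    folder.  OverallStatus raises a script error if any part of it failed.
Set Result = SrcGPO.Backup(BACKUP_DIR, "Backup of " & SRC_NAME)
Result.OverallStatus
Set Backup = Result.Result      ' the GPMBackup object for this backup instance
WScript.Echo "Backed up " & SrcGPO.DisplayName & " (" & SrcGPO.ID & _
             ") as backup " & Backup.ID

' Save a settings report beside the backup so it can be reviewed without GPMC.
Call SrcGPO.GenerateReportToFile(Constants.ReportHTML, _
                                 BACKUP_DIR & "\" & SRC_NAME & ".html")

' 2. Import: settings only, into a GPO that already exists.  Its GUID and ACL
'    are untouched; its previous settings are replaced.  Flags 0 = settings only.
Set Result = DstGPO.Import(0, Backup)
Result.OverallStatus
WScript.Echo "Imported settings into " & DstGPO.DisplayName & " (" & DstGPO.ID & ")"

' 3. Copy: a new GPO with a new GUID and, with flags 0, the default GPO ACL.
'    Pass Constants.ProcessSecurity instead of 0 to preserve the source ACL.
Set Result = SrcGPO.CopyTo(0, Domain, "Copy of " & SRC_NAME)
Result.OverallStatus
Set NewGPO = Result.Result
WScript.Echo "Copied to " & NewGPO.DisplayName & " (" & NewGPO.ID & ")"

' Look up a GPO by display name; fail if the name is missing or ambiguous.
Function FindGPO(sName)
    Dim Criteria, Found
    Set Criteria = GPM.CreateSearchCriteria()
    Call Criteria.Add(Constants.SearchPropertyGPODisplayName, _
                      Constants.SearchOpEquals, sName)
    Set Found = Domain.SearchGPOs(Criteria)
    If Found.Count <> 1 Then
        Err.Raise vbObjectError + 1, "FindGPO", Found.Count & " GPOs named " & sName
    End If
    Set FindGPO = Found.Item(1)
End Function
```

      The three GUIDs printed tell the story: the source and the import target each print their own unchanged GUID, while the copy prints a new one. Display names aren’t unique in AD, which is why FindGPO refuses to proceed when a name matches more than one GPO rather than silently picking the first.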
      Group Policy Modeling
        Group Policy Modeling simulates GPO deployments for planning and 
        testing purposes, without actually applying the policy to users or computers 
        (see Figure 4). The Resultant Set of Policy (RSoP) has two modes: Planning 
        and Logging. Group Policy Modeling is referred to as RSoP Planning Mode, 
        while Group Policy Results is referred to as RSoP Logging Mode.
      As long as you have at least one Windows 2003 domain controller in the 
        forest, you can use the Group Policy Modeling feature to simulate policy 
        deployment on any Windows 2003 or Win2K computer in the forest. To use 
        it, right-click the Group Policy Modeling node in GPMC and select Group 
        Policy Modeling Wizard. This wizard is the newer version of the RSoP MMC 
        snap-in in Windows 2003. It offers all the functionality of the RSoP MMC 
        snap-in plus some additional capabilities, such as HTML reporting of RSoP 
        data. Among other things, you can simulate policy implementation for a 
        slow network connection or configure loopback processing options on the 
        Advanced Simulation Options screen.
      
         
          |  | 
         
          | Figure 4. Plan and simulate GPO deployments using 
            the handy Group Policy Modeling Wizard. | 
      
      The Group Policy Modeling node shows all your queries in the left-hand 
        pane. The right-hand pane shows three tabs for each query: Summary, Settings, 
        and Query. Right-click the query and select Save Report to save the contents 
        of the summary and settings tab in a single report in either HTML or XML 
        format. You can also open the RSoP MMC snap-in by right-clicking the query 
        and selecting Advanced View.
      If you add a Win2K forest to GPMC, it won’t list the Group Policy 
        Modeling node in the left-hand pane, because Win2K DCs can’t simulate 
        RSoP data; the RSoP planning service is only available on Windows 2003 DCs.
      Group Policy Results
        Group Policy Results shows the actual data obtained from a target computer, 
        and is referred to as RSoP Logging Mode. The target computer must be an 
        XP or Windows 2003 computer, as Win2K computers won’t report RSoP 
        data. To use this feature, right-click Group Policy Results node in the 
        left-hand pane and select Group Policy Results Wizard.
      The Group Policy Results node shows all your queries in the left pane. 
        The right pane shows three tabs for each query: Summary, Settings, and 
        Policy Events.
      WMI Filters
        Windows Management Instrumentation (WMI) Filters allow you to extend 
        the filtering capabilities of GPOs. WMI makes all kinds of data available 
        for a target computer, such as hardware and software inventory, configuration 
        information, and various computer settings. It fetches this data from 
        AD, the Registry, drivers, SNMP, file system, and other services and applications. 
        WMI Filtering lets you run queries against this data.
      A WMI filter is made up of one or more queries written in WMI Query Language 
        (WQL) that’s evaluated against the target computer. If all the queries 
        against the target computer’s WMI data are evaluated as true, the 
        GPO is applied; otherwise it’s not.
      A WMI filter can be linked to multiple GPOs, but each GPO can have only 
        one WMI filter. For example, you can create a WMI filter called 
        “XP Computers” and link it to a GPO called Corporate IT Policy. 
        That’s the only WMI filter the Corporate IT Policy GPO can have, 
        but the same WMI filter can also be linked to other GPOs in the 
        domain, such as the HR Policy GPO. You can import and export WMI filters, 
        which are saved as MOF files. Note: Only Windows XP and later 
        clients evaluate WMI filters. Win2K clients ignore the filter entirely and 
        apply the GPO as if it had none, so don’t rely on a WMI filter to keep 
        a setting away from Win2K computers. Filters are also evaluated on every 
        policy refresh, so keep the queries cheap.
      Let’s say you want a GPO to apply only to the Toshiba laptops 
        in your company (see Figure 5). Right-click the WMI Filters node under 
        the domain in GPMC and select New. In the New WMI Filter window, enter 
        a name and optional description for the filter, such as Toshiba Laptops. 
        Click Add and type the following in the Query box: 
      Select * from Win32_ComputerSystem 
        where Manufacturer = "Toshiba" 
        and (Model = "Tecra 8000" or Model = "Tecra 8100")
      then click OK. The parentheses matter: WQL, like SQL, binds AND more 
        tightly than OR, so without them the filter would also match a 
        “Tecra 8100” from any manufacturer.
      Note: In a Win2K domain, you must run adprep /domainprep (from the 
        Windows 2003 media) against the domain, or the WMI Filters node will be 
        missing under that domain in GPMC and GPOs won’t show the 
        WMI Filtering section on the Scope tab in the right-hand pane.
      
         
          |  | 
         
          | Figure 5. WMI Filtering is a powerful feature 
            of the GPMC. (Click image to view larger version.) | 
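      An added example (not from the article) that first dry-runs the WMI query on the local computer, which is the same test the Group Policy engine performs on a target before applying a filtered GPO, and then creates the filter in the domain and attaches it to a GPO through the GPMC object model. The domain contoso.com and the GPO name are assumptions; CreateWMIFilter and SetWMIFilter are the GPMC object model’s methods for this. The query is parenthesized so that the manufacturer test applies to both models.

```vbscript
' Added example (not from the article): test a WMI filter query locally, then
' create the filter in the domain and attach it to a GPO.
' Assumed values: domain contoso.com, GPO "Corporate IT Policy".
Option Explicit

Const DOMAIN_NAME = "contoso.com"
Const GPO_NAME    = "Corporate IT Policy"
Const FILTER_NAME = "Toshiba Laptops"

' WQL binds AND before OR, so the model alternatives are bracketed; otherwise
' a "Tecra 8100" from any manufacturer would also match.
Dim WQL
WQL = "SELECT * FROM Win32_ComputerSystem " & _
      "WHERE Manufacturer = 'Toshiba' AND (Model = 'Tecra 8000' OR Model = 'Tecra 8100')"

' 1. Dry run: evaluate the query in root\cimv2 on this machine exactly as the
'    client-side Group Policy engine does.  A non-empty result set means the
'    filtered GPO would be applied here.
Function FilterMatchesLocalMachine(sQuery)
    Dim WMI, Rows
    Set WMI  = GetObject("winmgmts:\\.\root\cimv2")
    Set Rows = WMI.ExecQuery(sQuery)
    FilterMatchesLocalMachine = (Rows.Count > 0)
End Function

WScript.Echo "This computer matches the filter: " & FilterMatchesLocalMachine(WQL)

' 2. Create the filter as an object in the domain and link it to the GPO.
'    A GPO holds at most one filter; SetWMIFilter replaces any existing one.
Dim GPM, Constants, Domain, Filter, Criteria, Found, GPO

Set GPM       = CreateObject("GPMgmt.GPM")
Set Constants = GPM.GetConstants()
Set Domain    = GPM.GetDomain(DOMAIN_NAME, "", Constants.UseAnyDC)

Set Filter = Domain.CreateWMIFilter(FILTER_NAME, WQL, "Toshiba Tecra 8000/8100 only")

Set Criteria = GPM.CreateSearchCriteria()
Call Criteria.Add(Constants.SearchPropertyGPODisplayName, _
                  Constants.SearchOpEquals, GPO_NAME)
Set Found = Domain.SearchGPOs(Criteria)
If Found.Count <> 1 Then
    Err.Raise vbObjectError + 1, "WMIFilter", Found.Count & " GPOs named " & GPO_NAME
End If
Set GPO = Found.Item(1)

Call GPO.SetWMIFilter(Filter)
WScript.Echo "Linked WMI filter '" & FILTER_NAME & "' to GPO " & GPO.DisplayName
```

      Running the dry-run half on a few representative machines before linking the filter is the cheapest way to catch a precedence or spelling mistake in the query, because a filter that never matches silently stops the GPO from applying anywhere and Group Policy Results is the only place it shows up.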
      
      Sample Scripts
        The GPMC provides strong scripting support. The user interface 
        is based on a set of COM interfaces that both scripting technologies (Jscript, 
        VBScript) and programming languages (Visual Basic, Visual C++) can take 
        advantage of. Using these technologies, you can back up, restore, import, 
        export, copy, paste, create, delete, rename, search, link, unlink, delegate 
        security, create rights and generate reports for GPOs.
      GPMC comes with a number of sample scripts installed in the %programfiles%\gpmc\scripts 
        folder. The scripts folder isn’t in the path, so you’ll need 
        to execute the scripts at the command line from the scripts folder. To 
        create a Sales GPO using createGPO.wsf script, for example, go to the 
        command prompt, change directory to the %programfiles%\gpmc\scripts directory 
        and type cscript createGPO.wsf Sales.
      CScript isn’t the default script host (WScript, which reports through 
        message boxes, is), but you can make it the default by typing cscript //H:cscript. 
        For usage options, type /? after the script name. So to see 
        the usage options for the createGPO.wsf script, 
        type cscript createGPO.wsf /?.
      Functional, Fabulous, Free!
        GPMC is a valuable tool for system administrators to help manage enterprise-wide 
        Group Policies. It’s a one-stop shop for managing GPOs. It offers 
        easy access to forests, domains, sites, OUs, security filters, and reporting 
        functionality. RSoP planning mode allows you to plan your GPO deployment 
        before actually applying the policy settings. RSoP logging mode shows 
        the actual results of the settings that are applied to the users and computers.
      With strong support for programmatic access to Group Policies, scripting 
        technologies and programming languages can make the system administrators’ 
        job easier and provide unlimited scripting capabilities to developers. 
        GPMC version 1.0 may not be the perfect tool, but it’s much better 
        than juggling numerous snap-ins to manage GPOs. It also adds several 
        new capabilities, and it’s free!