September 08, 2003 12:00 AM

Scripting Group Policy Objects

Automate common policy-based tasks
Windows IT Pro
InstantDoc ID #39856
Download: 39856.zip

Group Policy has always been one of Active Directory's (AD's) big selling points, and in Windows Server 2003, Microsoft has greatly extended Group Policy Object (GPO) functionality and management through the release of the Microsoft Management Console (MMC) Group Policy Management Console (GPMC) snap-in. Because GPMC is a large, complex topic, you need to have a good understanding of the subject to get the most out of GPOs in your environment. For some background about GPMC and to download the snap-in, I recommend you read the Microsoft article "Enterprise Management with the Group Policy Management Console" (http://www.microsoft.com/windowsserver2003/gpmc) and the Group Policy Management Console Reference on the Microsoft Web site at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gpmc/gpmc/group_policy_management_console_reference.asp.

The arrival of Windows 2003 opens the doors to some great new scripting opportunities, not the least of which is GPMC's support for automation. As a result, you can now script GPOs to perform common policy-based tasks. Let's review the basics of enabling and disabling a GPO; linking and unlinking a GPO from a site, domain, or organizational unit (OU); and configuring other options that you can automate within the GPMC.

Understanding GPOs
Policy-based administration lets an administrator configure detailed settings to define an environment for users and computers once, then rely on the system to enforce that state. Under Windows NT, creating such an enforceable environment was challenging, but AD's group policies simplify and extend the process and the options you can configure. You can even come up with your own ways of categorizing users according to the work they do and the roles they perform. As a result, whenever you add a new user to an AD group, you can trigger automatic configuration and software installation for that user in a way that's appropriate for his or her role. Each GPO can contain two parts—one that applies to a computer (e.g., a startup script or a change to the system portion of the registry) and one that applies to a user (e.g., a logoff script or a change to the user portion of the registry). GPOs can contain only computer policies, only user policies, or a combination of the two.

GPO creation is a standalone process. Then, through a process known as linking, you associate the GPO with one or more locations (i.e., local machines, sites, domains, OUs) in the AD tree that you want to receive the policy. You use the Group Policy Object Editor snap-in, formerly known as the Group Policy Editor (GPE), to edit GPOs. Group Policy Object Editor can manage only one GPO at a time, and you can't use it to link a GPO. For this reason, Microsoft developed GPMC.

With GPMC, you can perform almost any GPO-related task (including editing GPOs through Group Policy Object Editor) from one interface, as opposed to using Windows 2000's three or four tools. GPMC installs several COM objects that let you script 90 percent of your GPO management functions. It also installs a directory full of sample scripts that address many common administrative tasks. Another long-awaited feature now available is Resultant Set of Policy (RSoP), which lets you model and test GPOs. With RSoP, you can configure several different settings, including which container to process, which security groups to include, whether to use a specific site, whether to use loopback mode, and whether to use a specific Windows Management Instrumentation (WMI) filter. When you use RSoP, you ultimately end up with a tree view, similar to the one Group Policy Object Editor shows, of the settings the GPO will apply.

GPMC lets you manage Windows 2003 and Win2K-based domains. However, GPMC must run on a Windows 2003 or a Windows XP Professional Edition Service Pack 1 (SP1) machine that's running the Windows .NET Framework and the Quick Fix Engineering (QFE) update, which is an additional post-SP1 hotfix that the tool will install if it's not already present. For more information about QFE, see the Microsoft article "You Must Install a Hotfix to Install GPMC on Windows XP Professional" (http://support.microsoft.com/?kbid=326469). Although you can install the software on a computer that isn't a member of a domain, doing so has little practical use and the installer will let you know that the computer needs to be a member of a domain to make effective use of the tool.

Scripting Using GPMC
As we look through some scripting examples, keep in mind that GPMC's objects let you script GPO operations that are exposed within the GPMC tool but don't let you script a GPO's settings. To create a GPO, you must use Group Policy Object Editor—you can't use GPMC. When you create a GPO, its user and computer components are enabled by default: You can use GPMC to disable one or both of these components. DisableAll.vbs, which Listing 1 shows, is a simple script that disables both the user and computer components of a GPO in a domain. The script starts by using VBScript's CreateObject function to create a GPMC automation object and assigns it to the gpm variable. The script then uses the IGPM::GetDomain method to get a handle to the mydomain.mycorp.com domain.
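Listing 1 itself is not reproduced on this page. The following script is an added example, not the article's DisableAll.vbs and not one of the sample scripts that GPMC installs. It walks the same path the paragraph describes (CreateObject on GPMgmt.GPM, then IGPM::GetDomain on mydomain.mycorp.com), sets the GPO status to "all settings disabled," and also shows the link and unlink operations from the earlier section. It assumes GPMC is installed on the machine running the script, that the account has edit and link rights on the GPO and OU, and that the GPO display name and OU distinguished name are constructed placeholders you would replace with your own.

```vbscript
' Added example, not the article's Listing 1: disable both components of a GPO,
' link it to an OU, then remove that link again.
' Assumptions: GPMC is installed; the GPO name and OU DN below are placeholders.
Option Explicit

Const strDomain  = "mydomain.mycorp.com"                   ' domain named in the article
Const strGPOName = "Example Desktop Lockdown"              ' constructed placeholder
Const strOUDN    = "OU=Sales,DC=mydomain,DC=mycorp,DC=com" ' constructed placeholder

Dim gpm, gpmConstants, gpmDomain, gpmCriteria, gpoList, gpo

' Create the GPMC automation object and fetch its constants collection
Set gpm          = CreateObject("GPMgmt.GPM")
Set gpmConstants = gpm.GetConstants()

' Bind to the domain; UseAnyDC lets GPMC choose a writable domain controller
Set gpmDomain = gpm.GetDomain(strDomain, "", gpmConstants.UseAnyDC)

' Look the GPO up by display name. Display names are not unique in AD, so
' treat zero hits and multiple hits as errors rather than guessing.
Set gpmCriteria = gpm.CreateSearchCriteria()
gpmCriteria.Add gpmConstants.SearchPropertyGPODisplayName, _
                gpmConstants.SearchOpEquals, strGPOName
Set gpoList = gpmDomain.SearchGPOs(gpmCriteria)

If gpoList.Count = 0 Then
    WScript.Echo "No GPO named '" & strGPOName & "' found in " & strDomain
    WScript.Quit 1
ElseIf gpoList.Count > 1 Then
    WScript.Echo "Ambiguous: " & gpoList.Count & " GPOs share the name '" & strGPOName & "'"
    WScript.Quit 1
End If
Set gpo = gpoList.Item(1)   ' IGPMGPOCollection is 1-based

' Disable both the user and the computer component of the GPO
WScript.Echo "Before: " & DescribeStatus(gpo.GPOStatus)
gpo.GPOStatus = gpmConstants.GPOStatusAllSettingsDisabled
WScript.Echo "After:  " & DescribeStatus(gpo.GPOStatus)

' Link the GPO to the OU; a link position of -1 appends after existing links
Dim gpmSOM, gpmLink, gpmLinks
Set gpmSOM  = gpmDomain.GetSOM(strOUDN)
Set gpmLink = gpmSOM.CreateGPOLink(-1, gpo)
WScript.Echo "Linked " & gpo.DisplayName & " to " & gpmSOM.Name

' Enumerate the OU's links and remove only the one pointing at this GPO,
' matching on the GPO GUID rather than on the (non-unique) display name
Set gpmLinks = gpmSOM.GetGPOLinks()
For Each gpmLink In gpmLinks
    If gpmLink.GPOID = gpo.ID Then
        gpmLink.Delete
        WScript.Echo "Unlinked " & gpo.DisplayName & " from " & gpmSOM.Name
    End If
Next

' Translate the numeric GPOStatus into the wording GPMC shows in its UI
Function DescribeStatus(lngStatus)
    Select Case lngStatus
        Case gpmConstants.GPOStatusAllSettingsEnabled
            DescribeStatus = "Enabled"
        Case gpmConstants.GPOStatusUserSettingsDisabled
            DescribeStatus = "User configuration settings disabled"
        Case gpmConstants.GPOStatusComputerSettingsDisabled
            DescribeStatus = "Computer configuration settings disabled"
        Case gpmConstants.GPOStatusAllSettingsDisabled
            DescribeStatus = "All settings disabled"
        Case Else
            DescribeStatus = "Unknown (" & lngStatus & ")"
    End Select
End Function
```

Run it with cscript so the Echo output goes to the console. Two points worth keeping in mind when you automate this: searching by display name can match more than one GPO, which is why the script refuses to act on an ambiguous result, and setting GPOStatus to all-settings-disabled silently stops enforcement of every setting in that GPO at the next policy refresh, so take a backup first (IGPMGPO exposes a Backup method for this) and log who changed which GPO, since the change itself looks identical whether it was intended or not.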

Comments

mohammad.m.almairafiy (May 08, 2006): more information

Anonymous User (Mar 05, 2005): Very useful article
