September 15, 2003 12:00 AM

Group Policy Changes in Windows Server 2003

Microsoft perfects its implementation of Group Policy
Windows IT Pro
InstantDoc ID #39987

Three years ago, in Microsoft Certified Technical Education Centers (CTECs) around the world, Microsoft Certified Trainers (MCTs) tried to put Windows NT administrators at ease by giving some version of the following speech: "Windows 2000 adds hundreds of new features. But just because so many features are included doesn't mean you have to use all of them." Many administrators took this pronouncement to heart with regard to Group Policy and simply ignored this powerful Win2K tool. Group Policy introduced the ability to control a wealth of computer and user-environment settings by using the structural elements (i.e., sites, domains, and organizational units—OUs) of Active Directory (AD). For example, you could configure Group Policy Objects (GPOs) to standardize security policies by server function and restrict users' ability to reconfigure desktop computers.

Unfortunately, Microsoft's implementation of all that power was imperfect. For example, Win2K Group Policy management tools couldn't provide a comprehensive view of policy deployment and its effects. Windows Server 2003 tries to remedy Group Policy's shortcomings through several new policy options and two GPO administration tools.

Win2K Group Policy Shortcomings
As one of the more significant (and complex) new features pioneered in Win2K, Group Policy wasn't thoroughly understood by Win2K adopters. Organizations that wanted to implement Group Policy needed to make that decision early in migration planning, and some decided to avoid its use to simplify the migration process. In organizations that embraced Group Policy, many administrators found the Group Policy management tools to be cumbersome.

Simply to use Win2K's Group Policy management tool, which doesn't launch by default, you typically need to launch the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the MMC Active Directory Sites and Services snap-in, navigate to the container (i.e., the domain, site, or OU) that holds a GPO, then manually launch the Group Policy snap-in from the container. If you want to examine or edit policies in two different containers—even closely related containers, such as parent and child OUs—you need to launch the Group Policy snap-in for each container. In fact, if you associate multiple GPOs with one container, you must view each GPO in a separate MMC window.

Layers of nested OUs, combined with site and domain GPOs and dozens of categories to which different GPOs might apply, make planning GPOs difficult. Simply determining the effect of combined GPO settings—what applies to a particular user logged on to a particular computer—is a piece of detective work.

Windows 2003 addresses almost all these Group Policy problems. The most important Windows 2003 changes are the Group Policy Management Console (GPMC) and the MMC Resultant Set of Policies (RSoP) snap-in.

The GPMC
The GPMC doesn't ship with Windows 2003, but it's available for download from the Microsoft Web site (http://www.microsoft.com/downloads/details.aspx?familyid=f39e9d60-7e41-4947-82f5-3330f37adfeb&displaylang=en). After you download the tool, simply double-click the gpmc.msi package and follow the instructions to install it. In addition to adding a GPMC shortcut to the Administrative Tools folder, the installation process updates the Group Policy tab on the properties pages of sites, domains, and OUs in the Active Directory Users and Computers and Active Directory Sites and Services snap-ins to provide a direct link to the GPMC. You can also launch the GPMC by clicking Start, Run, then typing

gpmc.msc

You must run the GPMC from Windows 2003 or Windows XP Professional Edition with Service Pack 1 (SP1) or later, but you can use the tool to manage GPOs in Win2K domains. You can manage sites, domains, and OUs from one tool and multiple domains and forests from one screen. As Figure 1 shows, the GPMC's treeview pane provides a top-level view of forests and the containers within them. The right-hand pane's contents change depending on what you select in the treeview pane.

When you select a container, three tabbed windows—Linked Group Policy Objects, Group Policy Inheritance, and Delegation—appear in the right-hand pane, as Figure 2 shows. The Linked Group Policy Objects tab displays all GPOs that are directly linked to the selected container, shows the order in which they are applied, and lets you launch Group Policy Editor (GPE) or create a new GPO.

The Group Policy Inheritance tab conveniently lists all GPOs that are in effect in the selected container, including those that are linked to a higher-level container and that are enabled in the selected container through inheritance. This display takes into account whether inheritance is blocked and whether blocking is overridden. However, the Group Policy Inheritance tab doesn't display GPOs applied at the site level for domains or OUs. The Delegation tab displays user profiles that have permission to manage GPOs in the selected container.
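To make the precedence rules the Inheritance tab resolves concrete, here is an added example (not code from the article or from the GPMC) that models them in Python: per-container link order, Block Inheritance, and Enforced links (No Override in Win2K), and then resolves which GPO wins each setting, slightly beyond the text, the way an RSoP query would. The site, domain, OU, GPO names and settings are all constructed for the example.

```python
# GPO precedence model: link order, Block Inheritance and Enforced (No Override in Win2K).
from dataclasses import dataclass, field
@dataclass
class GpoLink:
    gpo: str
    enforced: bool = False   # Enforced (GPMC) / No Override (Win2K)

@dataclass
class Container:
    name: str
    kind: str                # "site", "domain" or "ou"
    links: list = field(default_factory=list)  # in link order, link 1 first
    block_inheritance: bool = False

def effective_gpos(chain, include_site=False):
    """chain runs top-down (site, domain, OUs); returns GPO names in processing
    order, last applied wins. Site links are skipped unless include_site."""
    normal, enforced_per_level = [], []
    for c in chain:
        if c.kind == "site" and not include_site:
            continue
        if c.block_inheritance:
            normal = []      # drops every non-enforced link inherited from above
        live = list(reversed(c.links))   # link order 1 is applied last
        normal += [l.gpo for l in live if not l.enforced]
        enforced_per_level.append([l.gpo for l in live if l.enforced])
    # Enforced links apply after all others; the higher the container, the later they apply.
    enforced = [g for level in reversed(enforced_per_level) for g in level]
    return normal + enforced

def winning_settings(order, settings):
    """Map each setting to (value, GPO that set it); later GPOs override earlier ones."""
    result = {}
    for gpo in order:
        for name, value in settings.get(gpo, {}).items():
            result[name] = (value, gpo)
    return result
# Constructed hierarchy: site -> domain -> Servers OU (blocks inheritance) -> WebServers OU
SITE = Container("Default-First-Site-Name", "site", [GpoLink("Site-Proxy")])
DOMAIN = Container("corp.example", "domain",
                   [GpoLink("Default Domain Policy"), GpoLink("Domain-Audit", enforced=True)])
SERVERS = Container("Servers", "ou", [GpoLink("Server-Baseline")], block_inheritance=True)
WEB = Container("WebServers", "ou", [GpoLink("IIS-Hardening"), GpoLink("Web-Logging")])
SETTINGS = {  # constructed per-GPO settings
    "Default Domain Policy": {"MinimumPasswordLength": 8, "AuditLogon": "Failure"},
    "Domain-Audit": {"AuditLogon": "Success,Failure"},
    "Server-Baseline": {"DisableAutorun": True, "AuditLogon": "Success"},
    "IIS-Hardening": {"ServiceStart_W3SVC": "Automatic"},
    "Web-Logging": {"LogRetentionDays": 90},
}
```

Running `winning_settings(effective_gpos([SITE, DOMAIN, SERVERS, WEB]), SETTINGS)` shows the enforced Domain-Audit GPO winning AuditLogon despite the block on the Servers OU, while the blocked Default Domain Policy contributes nothing.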

The GPMC displays four containers that aren't available in the Win2K AD management tool. Figure 2 shows these containers in the treeview pane.

  • The Group Policy Objects container exists within each domain and site and contains the same GPOs listed within individual containers. You can back up and restore GPOs from the Group Policy Objects container.

  • Windows 2003 Group Policy lets you filter GPOs based on environment-specific Windows Management Instrumentation (WMI) settings. The WMI Filters container displays all GPOs and lets you import and examine WMI filters.

  • The Group Policy Modeling container integrates the Resultant Set of Policies (RSoP) tool in Planning mode to simulate the effect of any new GPO. To use the Group Policy Modeling feature, your forest must contain at least one domain controller (DC) that runs Windows 2003.

  • The Group Policy Results container also integrates with the RSoP tool to display the effective settings for any scenario and can display the combined effects of domain, site, and OU GPOs.

The GPMC also adds power to scripters' arsenals. All GPMC functions are scriptable. You'll find several sample scripts (for tasks such as GPO backup and creation) in the \program files\ gpmc\scripts directory.

Comments
  • Anonymous User
    Jan 05, 2005

    How to stop users from accessing the Date and Time Properties wizard in Windows 2003 Server.

  • Bernard Clermont
    Dec 03, 2003

    Is it possible to force a GPO of an Active Directory domain onto a workstation that is not a member of that domain?
