RSoP
Microsoft's RSoP tool doesn't help you create or link GPOs, but rather lets you examine their effects; think of RSoP as a "read-only" tool. RSoP is a query engine and reporting tool that operates in two modes. Logging mode displays the effects of currently applied GPOs, and Planning mode displays the effects of a combination of current and proposed GPOs. You won't find the RSoP tool in Windows 2003's Administrative Tools folder; to use the RSoP tool, define a custom MMC console for its snap-in or type rsop.msc at the command line.
When you launch the RSoP snap-in, the first window you'll see is the Mode Selection screen, which lets you choose between Logging and Planning modes. Logging mode displays all effective settings. In Planning mode, the RSoP tool's wizard interface lets you change existing GPOs, add new GPOs, move user or computer accounts to new OUs or sites, alter security group memberships, and apply WMI filters.
After you choose the mode, the snap-in will prompt you for the username and the computer you want to examine. RSoP then displays the effect of the specified policy or combination of policies. The RSoP tool is a great way to try out a change without actually inflicting it on users.
Other Group Policy Changes
Windows 2003 also provides many other Group Policy enhancements. Here are five of the most notable improvements.
- The Group Policy Object Editor, which replaces the MMC Group Policy snap-in, offers a Web-based interface and an Extended View option that provides a detailed explanation of any policy you select. You can filter the Group Policy Object Editor's view on the basis of OS (Windows 2003, XP, or Win2K), Configured Settings, or Managed Settings. To launch the Group Policy Object Editor, open the Active Directory Sites and Services or Active Directory Users and Computers snap-in; right-click a site, domain, or OU; select Properties; then click the Group Policy tab.
- Windows 2003 adds a new Group Policy software deployment option. The Install this application at logon option provides a more forceful "push" of applications compared with the Win2K options.
- WMI Filters let you configure GPOs to take effect conditionally. This feature lets you apply GPOs based on the installed OS type, service pack level, machine type, and value of many other environment variables.
- Windows 2003 makes available a limited degree of cross-forest GPO functionality. You can't link GPOs between forests, but if a forest trust exists between two Windows 2003 forests and someone uses a user account from one forest to log on to a machine in the other forest, Windows will pass GPOs from one forest to the other to put both user and computer settings in effect appropriately.
- A new Windows 2003 and XP command-line utility, gpupdate.exe, lets you refresh Group Policy settings on a computer. Gpupdate.exe replaces the Win2K Secedit command's /refreshpolicy option.
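The WMI Filters item above describes GPOs that apply conditionally. A WMI filter is a set of WQL queries, and the GPO applies only when every query returns at least one instance, so it pays to evaluate the queries on a test machine before linking them. The following PowerShell script is an added example for that check, not code from the original article or from Microsoft; the queries it carries are constructed examples, and the function name Test-WmiFilter is the author's own.

```powershell
# Added example: evaluate the WQL queries of a Group Policy WMI filter locally.
# Group Policy treats a filter as TRUE only when every query returns at least
# one instance; this function mirrors that rule. Function name is hypothetical.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)] [string[]] $Queries,
        [string] $Namespace = 'root\cimv2'
    )
    foreach ($q in $Queries) {
        try {
            # Force an array so a single instance still has a .Count
            $hits = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop)
        } catch {
            # This script treats a query that cannot be evaluated as no match
            Write-Warning "Query failed ($q): $($_.Exception.Message)"
            return $false
        }
        if ($hits.Count -eq 0) {
            Write-Verbose "No match for: $q"
            return $false
        }
    }
    return $true
}

# Constructed filter: Windows Server 2003 member servers (NT 5.2, ProductType 3 =
# server that is not a domain controller) with at least Service Pack 1 installed.
$memberServerSp1 = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType = 3',
    'SELECT * FROM Win32_OperatingSystem WHERE ServicePackMajorVersion >= 1'
)

# Constructed filter: domain controllers only (ProductType 2).
$domainController = @(
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2'
)

# On a given machine exactly one of these should normally be $true, so a GPO
# linked with the wrong filter will visibly fail to apply here before rollout.
"Member server SP1+ filter matches: $(Test-WmiFilter -Queries $memberServerSp1)"
"Domain controller filter matches:  $(Test-WmiFilter -Queries $domainController)"
```

Run the script on a representative machine from each OU you intend to target; a filter that returns $false on a machine you expected to cover indicates a query that is too narrow or a property value that differs from your assumption.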
New Group Policy Settings
Windows 2003 introduces more than 160 new Group Policy settings, many with expanded security potential. Windows 2003 also renames some Win2K settings.
- The Windows Settings\Security Settings\Software Restriction Policies setting lets you control which Windows applications a system can run.
- The Administrative Templates\System\User Profiles setting controls whether user profiles are mandatory, local, or roaming.
- The Administrative Templates\System\Net Logon setting controls logon operations, including the creation of automatic DNS SRV records and DC discovery.
- The Administrative Templates\System\System Restore setting lets you enable and disable XP's automatic system-state backups.
- The Administrative Templates\Network\SNMP setting lets you centrally configure SNMP settings that support monitoring and control functions.
A Better ROI
Group Policy typifies many of the functional aspects of AD that Microsoft introduced in Win2K. However, implementing Group Policy's sizable potential in Win2K required an equally sizable investment of effort and planning. Through new tools and some overall fine-tuning in Windows 2003, Microsoft made ignoring Group Policy's capabilities much less attractive.