Utilizing Group Policy Management Console
Created Sep 26, 2003.
Group policy design isn't a matter of collecting rows upon rows of items. Since multiple users, or even groups of users, can exist within groups themselves, the optimum console enables a more directly hierarchical approach, where relationships between policy items are represented symbolically. Because membership sets can cross over into one another's domains, what you need to be able to see is the result of these crossovers: given the multiple groups a user may belong to, what that user is permitted to do. That result is the resultant set of policies (RSoP).
Building a Group Policy Object By Experiment
You determine whether a set of policies would result in the behavior you want or expect for a user (without having to log on as that user), through the Group Policy Modeling Wizard in GPMC. Here, you can simulate the deployment of a specified group policy, evaluate the results of the test, make changes as needed, and then test the deployment again. Think of this as a workbench for crafting a group policy object. Once the wizard shows that the GPO's results make sense, you can then back up the modeled GPO's configuration, and then import it into production. This way, you make the GPO work first, and then you use it only when it does work.
To simulate a GPO, in GPMC, in the list at left, choose Group Policy Modeling. Then in the action pane, select More Actions, Group Policy Modeling Wizard. The wizard enables you to input slow links, loopback configuration, WMI filters, and other configuration choices. Each modeling run is presented in its own report as a subnode under the Group Policy Modeling node.
Creating a Fresh Group Policy Object
To create a new Group Policy Object (without modeling it first using the Wizard), do the following:
- In the left pane, choose the container (domain, site, or OU) that will receive the GPO once it's ready.
- In the action pane (on the right), select More Actions, Create and Link a GPO Here.
- In the New GPO dialog box, under Name, enter a unique, common-sense name.
- Click OK. The Group Policy Object will be based on a default template, and is now linked to the container you chose. Immediately, you'll want to change this to reflect the policy you actually intend to apply.
Editing a GPO
To edit a Group Policy Object from GPMC, follow these steps:
- In GPMC, in the left pane, choose the container to which the GPO applies.
- In the center pane, click the Linked Group Policy Objects tab.
- In the list under GPO, right-click the name of the object you wish to edit, and from the popup, select Edit. This will bring up the Group Policy Object Editor (GPOE).
- In GPOE, in the console tree, under one of the Settings categories, choose a policy category.
- In the details pane at right, double-click a policy to open the properties page, and then change the policy settings. The settings that appear here will be specific to the policy you're working on. Click OK to continue.
- In the GPOE window, select File, Exit to finalize your edits and return to GPMC.
Backing Up a GPO
One major new improvement to Group Policy management is the ability to back up (or export) Group Policy data to a file. Using the backup functionality of the GPMC, any policy can be tested in a lab environment and then exported to a file for deployment in the production domain. You can import a backed-up GPO created within a different domain, across a forest domain (even where no trusts have been formed), or within the same domain as it was created.
When backing up Group Policy, you back up only data specific to that GPO itself. Other Active Directory objects that can be linked to GPOs, such as individual WMI filters and TCP/IP security policies, are not backed up, because of complications with restores when working with these specific areas. When the backup is completed, you can restore the Group Policy data in the same location, restoring proper functionality to misconfigured and accidentally deleted group policies.
A newly created GPO is linked by default to the site, domain, or organizational unit that you select when you create the Group Policy Object, and its settings apply to that site, domain, or organizational unit. If you want to unlink the GPO from that site, domain, or organizational unit, back it up before deleting it.
- In GPMC, in the console tree at left, choose Group Policy Objects.
- In the list that opens up below it, choose the GPO you wish to back up.
- In the action pane, select More Actions, Back Up.
- In the Back Up Group Policy Object dialog box, under Location, choose a secure, non-system location—someplace where your GPO file will play no role, accidentally, in the setup of your operating system.
- Under Description, enter a passage that describes how best your GPO may be re-used in a future situation.
- Click Back Up. Momentarily, the Backup dialog box will display the progress of the operation. Click OK when it's completed.
If you've configured a complex group policy and applied the setting to a specific OU in the domain, the GPO can be copied and duplicated for application to another OU.
Deleting a GPO
Once your GPO is safely backed up, it's safe for you to remove it from its original container.
- In GPMC, in the left pane, under Group Policy Objects, right-click the GPO's name, and from the popup, select Delete.
- From the dialog box, click OK.
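A scripted equivalent of the back-up-then-delete sequence above, as an added example that is not part of the original guide. It assumes the GroupPolicy PowerShell module that ships with GPMC on Windows Server 2008 R2 and later; the GPO name and backup folder are hypothetical.

```powershell
# Added example: back up a GPO, verify the backup, then delete the GPO.
Import-Module GroupPolicy

$GpoName    = 'Lab - Workstation Lockdown'   # hypothetical GPO name
$BackupRoot = 'D:\GPO-Backups'               # hypothetical non-system location

# Keep backups off the system drive, as the backup step advises.
if ($BackupRoot.StartsWith($env:SystemDrive, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Backup location '$BackupRoot' is on the system drive."
}
if (-not (Test-Path -LiteralPath $BackupRoot)) {
    New-Item -ItemType Directory -Path $BackupRoot | Out-Null
}

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# The description travels with the backup; note anything the backup omits.
$comment = "Pre-deletion backup of '$GpoName', $(Get-Date -Format s)"
if ($gpo.WmiFilter) {
    # WMI filters are separate Active Directory objects and are not backed up.
    $comment += "; WMI filter not included: $($gpo.WmiFilter.Name)"
    Write-Warning "WMI filter '$($gpo.WmiFilter.Name)' must be recreated separately."
}

$backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot -Comment $comment -ErrorAction Stop

# Confirm the backup landed on disk before anything is removed.
$backupDir = Join-Path $BackupRoot $backup.Id.ToString('B')
if (-not (Test-Path -LiteralPath (Join-Path $backupDir 'Backup.xml'))) {
    throw "Backup $($backup.Id) not found under $BackupRoot; GPO left in place."
}

# Keep a readable report of the settings alongside the backups.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $BackupRoot "$($gpo.Id)-report.html")

# Delete only after the checks above; -Confirm prompts before the removal.
Remove-GPO -Guid $gpo.Id -Confirm
```

Restrict access to the backup folder to Group Policy administrators, since the backup contains the GPO's full settings.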
Disabling a GPO
When you disable a GPO link, that GPO's settings no longer apply to users or computers in the site, domain, or organizational unit to which it was linked; and they no longer apply to users and computers in child containers that inherit those settings. But you can easily re-enable the policy at a later time.
- In GPMC, in the left pane, under Group Policy Objects, choose the GPO's name.
- In the action pane, select More Actions, GPO Status.
- In the submenu, the Enabled item should be checked. Select the status that reflects how much of the GPO you want to disable: User Configuration Settings Disabled, Computer Configuration Settings Disabled, or All Settings Disabled.




