Thursday, June 19, 2008

Windows Server 2008 Group Policy Management Console

You'll find that GPOs themselves are much easier to create and edit using Microsoft's Group Policy Management Console (GPMC), a drop-in replacement for the more limited Group Policy Object Editor that you might know from previous versions of Windows Server. The native Group Policy Object Editor has limitations, the biggest by far being the lack of ability to see the exact scope of a GPO's application, which makes troubleshooting very difficult. The GPMC fixes this and also offers a cleaner interface, scripting functionality, and enhancements to troubleshooting and modeling features.

To navigate around in the GPMC, you need to expand the forest you want to manage in the left pane. Then you can select specific domains and sites within that forest, and OUs within individual domains. When you expand, for example, a particular domain, links to the GPOs that exist are listed within their respective OUs. They also are listed under the Group Policy Objects folder. Clicking on a GPO brings up a four-tabbed screen in the right pane.

The first tab is the Scope tab, which examines how far-reaching the effects of this GPO are. Sites, domains, and OUs that are linked to the GPO you've selected are listed at the top of the window. You can change the listing of pertinent links using the drop-down box, where you can choose to list links at the current domain, the entire forest, or all sites. At the bottom of the window, any security filtering done by ACLs is listed. Clicking the Add button brings up the standard permissions window, as you would expect from the Group Policy Object Editor.

At the very bottom, you can see any WMI filters to which this GPO is linked. You can choose to open the WMI filter for editing by clicking the Open button. You can associate only one WMI filter with any particular GPO, and WMI filters work only with Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. We'll get to these in a bit—for now, let's move on.

The next tab, Details, simply shows the domain in which the current GPO is located, the owner of the GPO, when the GPO was created and modified, the version numbers for the user and computer portions, the GUID of the object, and whether the GPO is fully enabled or fully disabled or whether just the computer or user configuration portions are enabled.

The Settings tab is one of the most useful tabs in the GPMC. The GPMC will generate HTML-based reports of all the settings in a particular GPO, and you can condense and expand portions of the report easily for uncluttered viewing. You can print the report for further reference, or save the report for posting to an internal web site for your IT administrators. It's a much, much easier way to discern which settings a GPO modifies than the Group Policy Object Editor. To edit the GPO that is displayed in the report, simply right-click it and select Edit. To print the HTML report, right-click it and select Print; to save the report, right-click it and select Save Report.

Finally, the Delegation tab lists in a tabular format the users and groups that have specific permissions for the selected GPO, what those permissions are, and whether they're inherited from a parent object. Clicking Add brings up the common Select User, Computer, or Group dialog box that you are familiar with from reading this chapter. You can remove a delegated permission by clicking the appropriate user or group in the list and then clicking the Remove button. The Properties button will bring up the standard Active Directory Users and Computers view of the selected user or group.
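The Scope, Details and Delegation data described above can also be collected from a script, which is useful when reviewing who can edit a GPO and where it applies. The following is an added example, not code from the original text; it assumes PowerShell 3.0 or later with the GroupPolicy module from RSAT on Windows Server 2012 or later, and the function name `Get-GpoTabSummary` is hypothetical.

```powershell
# Added example (not from the original text). Assumes the GroupPolicy module
# and a domain-joined session; Get-GpoTabSummary is a hypothetical helper name.
Import-Module GroupPolicy

function Get-GpoTabSummary {
    param(
        [Parameter(Mandatory = $true)] [string] $Name,   # GPO display name
        [string] $Domain = $env:USERDNSDOMAIN
    )

    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction Stop

    # Scope tab, top pane: links are carried in the XML form of the Settings report.
    [xml] $report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            Target   = $_.SOMPath
            Enabled  = $_.Enabled
            Enforced = $_.NoOverride
        }
    })

    # One ACL read feeds both the Scope tab (security filtering) and the Delegation tab.
    $acl = @(Get-GPPermission -Guid $gpo.Id -Domain $Domain -All)
    $fmt = { '{0}\{1}' -f $_.Trustee.Domain, $_.Trustee.Name }

    [pscustomobject]@{
        # Details tab
        Name            = $gpo.DisplayName
        Guid            = $gpo.Id
        Owner           = $gpo.Owner
        Status          = $gpo.GpoStatus
        Created         = $gpo.CreationTime
        Modified        = $gpo.ModificationTime
        UserVersion     = $gpo.User.DSVersion
        ComputerVersion = $gpo.Computer.DSVersion
        # Scope tab
        Links           = $links
        WmiFilter       = $gpo.WmiFilter.Name
        AppliesTo       = @($acl | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object $fmt)
        # Delegation tab: trustees allowed to change the GPO
        Editors         = @($acl | Where-Object { $_.Permission.ToString() -like 'GpoEdit*' } |
                            ForEach-Object $fmt)
    }
}

# Example call against a GPO that exists in every domain:
# Get-GpoTabSummary -Name 'Default Domain Policy' | Format-List
```

Comparing the `Editors` list across all GPOs over time shows when edit rights have been delegated to an account or group outside the expected administrators.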

