Group Policy Management Console

The Group Policy Management Console was released somewhere around the year 2003. I am not entirely sure it is as well known as it should be. This tool is very beneficial and most I.T. administrators should be using it, especially corporate I.T. administrators who need to report on Group Policy object settings, specifically security-related settings like password policies.

This tool allows you to manage your network enterprise more easily from one location. In addition to its powerful management features, it gives you the ability to back up, restore, import and export GPOs, to generate reports on Resultant Set of Policy (RSoP) or GPO settings, and to run Group Policy Modeling. An additional feature that the GPMC provides is scripting support. You can create scripts in VBScript or JScript to perform quite a few different tasks, even creating and deleting GPOs.

Requirements

Although the snap-in allows management of Group Policies in a Windows Server 2000 or 2003 Active Directory environment, the computer that runs the GPMC snap-in must be either Windows Server 2003 or Windows XP Professional with Service Pack 1 (plus an additional post-SP1 hotfix), and must have Microsoft .NET Framework installed.

Installing the GPMC snap-in

Click http://www.microsoft.com/windowsserver2003/gpmc/default.mspx and follow the links to download and install the GPMC snap-in.

The install package creates a shortcut for the Group Policy Management Console in the Administrative Tools folder. You can also run MMC and add the snap-in manually. For those not familiar with the Microsoft Management Console (MMC) and adding snap-ins, view this page.

Using the GPMC snap-in

The screen is split into two panes. Assuming you are authenticated to your domain, the left pane shows a hierarchical list of your Active Directory structure. If you have any Organizational Units (OUs), they are listed along with some collections that are not OUs. One example is “Group Policy Objects”, which contains all of the Group Policy Objects (GPOs) created in your domain. This can be a nice feature for cleaning up unnecessary GPOs or verifying which OUs a GPO is linked to.

In the right pane you will see specifics for whatever object you have selected in the left pane. For example, if you click on an OU in the left pane, the right pane will contain multiple tabs with information pertaining to that OU. The first tab, “Linked Group Policy Objects”, shows a list of the GPOs that are assigned directly to this OU. The second tab, “Group Policy Inheritance”, shows a list of GPOs that have been inherited from OUs, domains, or sites below. The third tab, “Delegation”, shows which users or groups have what permissions for this OU.

Let’s go over the important features of the GPMC.

GPO Settings Reporting

The GPMC allows you to quickly generate a report that details all of the configured settings in a GPO. No more browsing through a GPO with the Group Policy Editor trying to figure out which settings you configured.

Creating the report is very easy. Click on a GPO in the hierarchical list in the left pane of the GPMC tool, then click on the Settings tab in the right pane. You will see a small link labeled “show all”; click this link. You will now see a screen similar to the one below that lists just the configured items.

This screen gives you the ability to either save to a file or print for future reference. Very handy.

Backing Up and Restoring GPOs

You can back up and restore GPOs easily with the GPMC snap-in. This is beneficial if you want to quickly restore previous GPOs. By backing up GPOs before you modify them you can create a manual versioning of GPOs.

In the left pane right click on the “Group Policy Objects” collection and select “Back Up All”.

It will display a backup status screen and begin backing up right away. If your Primary Domain Controller (PDC) server is not local, and depending on how many GPOs you have, this process may take a few minutes.

Restoring GPOs is just as easy as backing them up. You can restore backed up GPOs from the Manage Backups window. The Manage Backups window is accessed from within the GPMC by right clicking on the “Group Policy Objects” container and then clicking on “Manage Backups…”. If you have backed up all of your GPOs into the same location, they should all show in the list. In addition, the Manage Backups list has versioning built in and gives you the option to show only the latest version of a GPO. The Time Stamp field shows the date the GPO was backed up.

Click on Restore to restore a GPO. The View Settings button will allow you to see which settings are within a specific GPO.
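The settings report and "Back Up All" steps described above can also be scripted so that every change window leaves a dated archive behind. The following is an added example, not part of the original article: it uses the GroupPolicy PowerShell module that ships with later versions of GPMC and RSAT (not the Windows Server 2003-era download covered here), and the archive path C:\GPOArchive is an assumption.

```powershell
#Requires -Modules GroupPolicy
# Added example: dated backup, HTML settings report and link inventory for every GPO.
param(
    [string]$Root = 'C:\GPOArchive'   # assumed archive location, change as needed
)

Import-Module GroupPolicy

# One folder per run gives the "manual versioning" the article describes.
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$target    = Join-Path $Root $stamp
$backupDir = Join-Path $target 'Backups'
$reportDir = Join-Path $target 'Reports'
New-Item -ItemType Directory -Path $backupDir, $reportDir -Force | Out-Null

$inventory = foreach ($gpo in Get-GPO -All) {
    # Equivalent of "Back Up All", one GPO at a time so each gets its own record.
    $backup = Backup-GPO -Guid $gpo.Id -Path $backupDir -Comment "Archive $stamp"

    # Equivalent of the Settings tab report, saved for auditors.
    $safeName = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $reportDir "$safeName.html")

    # The XML report lists each site, domain or OU the GPO is linked to.
    [xml]$xml = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $links = @($xml.GPO.LinksTo | Where-Object { $_ } | ForEach-Object { $_.SOMPath })

    [pscustomobject]@{
        DisplayName = $gpo.DisplayName
        GpoId       = $gpo.Id
        Modified    = $gpo.ModificationTime
        Status      = $gpo.GpoStatus
        BackupId    = $backup.Id
        Linked      = ($links.Count -gt 0)   # False marks a cleanup candidate
        LinkedTo    = $links -join '; '
    }
}

# The inventory ties each backup ID to the GPO state at the time of the run.
$inventory | Export-Csv -Path (Join-Path $target 'inventory.csv') -NoTypeInformation
$inventory | Where-Object { -not $_.Linked } |
    Select-Object DisplayName, GpoId, Modified
```

The final pipeline lists GPOs with no links, which is the same cleanup check the “Group Policy Objects” collection supports in the console.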

Group Policy Modeling

Now we move on to the best feature that the Group Policy Management Console snap-in has to offer, Group Policy Modeling. Basically, you pick an OU container that holds users and an OU container that holds computers, and the wizard runs a simulated resultant set of policy showing which policies would be applied.

To create a new model, right click on the “Group Policy Modeling” collection in the hierarchical list in the left pane, and then click on Group Policy Modeling Wizard. Once you have created a model it will be saved automatically as an item in the “Group Policy Modeling” collection for future use.

Once you have created a model with the wizard you will have a nice report similar to the one shown below. If you click on the “show all” link it will expand all options quickly.

Even more beneficial is the “Settings” tab which will display all settings from the GPOs associated. This would most likely be a good report to provide auditors who need verification or documentation on which settings are taking effect.

Corporate Application

For those I.T. administrators who work for a publicly traded or otherwise regulated company, this tool provides enough reporting capabilities to document how your network is configured. I am referring to companies that must answer to some form of compliance auditors, like those required by Sarbanes-Oxley (SOX).

Obviously what is required of you will be determined by your auditors. I would still have to say the information reported from this tool should be good enough.

Conclusion

This tool is a must have for I.T. administrators in a Windows Server 2000 or 2003 Active Directory environment. Download it and begin using it today. If you are still creating Group Policy Objects from within the Active Directory Users and Computers snap-in, you might want to consider checking Group Policy Management Console out. You may be quite surprised.

