17 December, 2010

GPMC - Group Policy Management Console

Group Policy Management Console (GPMC)

GPMC was introduced in Windows 2003 as a separate download but has been integrated in Windows 2008

GPMC provides a central way of creating, configuring and maintaining group policies

The GPMC Snap-In consists of 2 Panes - Right Pane and Left Pane

Left Pane:

1. Forest Name
2. Domain Name
3. Group Policy Object
4. OU Name
5. Group Policy Object Container
6. WMI Filters
7. Starter GPO
8. Sites
9. Group Policy Modelling
10. Group Policy Results

Group Policy Object

On the left pane, click on any Group Policy Object and you will get the following options on the Right Pane

1. Scope - Links, Security Filtering, WMI Filtering
2. Details
3. Settings
4. Delegation

Links: Specifies the location where the group policy has been linked to
Enforced - Same as "No Override" in Windows 2000/2003
Link Enabled - Whether the link of the group policy object at this location (only) is enabled or disabled

Security Filtering: The objects in AD to which this group policy will apply

WMI Filtering: Scripts/filters created to narrow down the scope of the Group Policy. Suppose we are deploying an application using group policy and the application can only run on Windows XP 64 Bit Edition, while our client machines run Windows XP 32 bit/64 bit, Windows Vista and Windows 7. Either I have to know which client machines are running Windows XP 64 Bit Edition, move those machines into an OU and apply the policy on that OU, or I can create a WMI Filter in which I specify a clause similar to a programming "If-Then", where the "If" statement contains "Windows XP 64 Bit". The policy will then apply only when the "If" condition returns "True", i.e. when it finds a Windows XP 64 Bit machine

Details:
Create Date of this Group Policy Object
Modify Date of this Group Policy Object
User Version
Computer Version
Unique ID of the Group Policy Object
GPO Status - Enabled (User/Computer Settings) / Disabled

Settings: This will list all the User/Computer settings that have been defined in this GPO

Delegation: Rights and Permissions assigned to Users/Groups on this GPO

Save Report:
To store the settings of this GPO in an HTML file. Quite useful in case you want to get the settings from the customer and test the same settings on your machine to reproduce an issue


On the left pane, click on any OU and you will get the following options on the Right Pane

1. Linked Group Policy Objects
2. Group Policy Inheritance
3. Delegation

Linked Group Policy Objects
List of GPOs linked with the OU and their status (Enforced/Link Enabled/GPO Status/WMI Filter)

Group Policy Inheritance
Lists the order in which the group policies linked with this OU will apply. Group policy applies from the bottom up, i.e. first the "Default Domain Policy" (Precedence 3) will apply, then "DS Policy" (Precedence 2), and finally "EPS Policy" (Precedence 1). In case of any conflict between the settings defined in these policies, the settings defined in "EPS Policy" (Precedence 1) will take effect; if there is no conflict, the settings from all three group policies linked with this OU will merge and apply

Creating and Linking a GPO are 2 different steps
With GPMC, you can either link an existing GPO to an OU or create and link the GPO directly (in 1 step)

Block Policy Inheritance
Same as Windows 2003, wherein we can apply "Block Policy Inheritance" on any OU. When implemented, this will block all the policies coming from the levels above except for the policies on which "No Override" or "Enforce" is enabled.

A policy on which "No Override" or "Enforce" is enabled cannot be blocked
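
A small model of the precedence rules described above (link order, Block Policy Inheritance, Enforced), added here as an illustration and not taken from the original post. It covers only domain and OU links; the class names and setting values are constructed, and the rule that an enforced link higher in the hierarchy outranks a lower one is standard Group Policy behaviour rather than something stated on this page.

```python
from dataclasses import dataclass

@dataclass
class Link:
    gpo: str
    settings: dict
    enforced: bool = False   # "No Override" in the older tools
    enabled: bool = True     # the "Link Enabled" flag

@dataclass
class Container:
    name: str
    links: list              # in link order, first entry = link order 1
    block_inheritance: bool = False

def precedence(chain):
    """chain runs from the domain down to the target OU.
    Returns the enabled links, highest precedence (1) first."""
    # Enforced links outrank everything; a higher container wins among them.
    enforced = [l for c in chain for l in c.links if l.enabled and l.enforced]
    normal = []
    for c in reversed(chain):            # nearest container first
        normal += [l for l in c.links if l.enabled and not l.enforced]
        if c.block_inheritance:          # drop non-enforced links from above
            break
    return enforced + normal

def effective(chain):
    """Apply lowest precedence first so higher precedence overwrites on conflict."""
    result = {}
    for link in reversed(precedence(chain)):
        for key, value in link.settings.items():
            result[key] = (value, link.gpo)
    return result

def sample(block=False, enforce_domain=False):
    # GPO names follow the page's example; setting names/values are constructed.
    domain = Container("domain", [
        Link("Default Domain Policy",
             {"ScreenSaverTimeout": 900, "RemovableStorageDenied": True},
             enforced=enforce_domain)])
    ou = Container("OU", [
        Link("EPS Policy", {"ScreenSaverTimeout": 300}),
        Link("DS Policy", {"ScreenSaverTimeout": 600, "HideRunMenu": True})],
        block_inheritance=block)
    return [domain, ou]
```

Comparing `effective(sample())`, `effective(sample(block=True))` and `effective(sample(block=True, enforce_domain=True))` shows why a security baseline linked at the domain should be enforced if OU administrators are able to set Block Policy Inheritance.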

Group Policy Modelling Wizard
An option which can be used to simulate the effect of a Group Policy on a User/Computer before actually applying that Group Policy

Ex: Suppose we have designed a policy to block all 3rd party applications from being run by the users and we are not sure how this policy will take effect (whether it will block only the 3rd party applications or even the basic applications). There are different ways by which we can find out

1. We can apply the policy and then wait for the results (Good/Bad)
2. We can move a user/computer in an OU and then apply this policy (Testing on a small subset of users/computers before actually applying it domain wide)
3. We can run the Group Policy Modelling Wizard, which will simulate the effect of this policy before it is applied to the user/computer

Group Policy Resultant Wizard
Running RSOP remotely for a User/Computer. For this to run, the user has to have logged on at least once to the client machine against which we are running the Group Policy Resultant Wizard

By default, the Group Policy Snap-In always connects to the PDC. But this behaviour can be changed

We can backup a Group Policy Object

The backed up Group Policy Objects

We can also restore the SAME Group Policy object which we have backed up

We cannot use the backup of one Group Policy Object to be restored on the other Group Policy Object

Import Settings
To restore the settings of one Group Policy Object to another DIFFERENT Group Policy Object, we have to use the "Import Settings" option
Let's import the settings to the "Default Domain Controller Policy" from the "Default Domain Controller Policy" backup

Let's import the settings to the "DS Policy" from the "Default Domain Controller Policy" backup