19 March, 2016

Group Policy Management Console in Windows 2012 Server

Believe it or not, the first few snapshots (images) for this post were taken on 23rd Sep 2012 and a few on 1st Sep 2013... And I did not get time to write up this post in the last 3 years... You can understand now how busy I am... :)

Let's get back to this post... You can keep on praising me meanwhile for my dedication and hard work...

This post is all about GPMC in Windows 2012 Server and the new changes which were introduced in GPMC.

It's a conflicting statement which I usually give... At times I say I have been working since the days of Windows 2000, and at other times I would like to say that I am young and haven't even seen Windows 2000... You know... Saying that you have been working since Windows 2000 days adds a lot of weight as a system admin...

Coming back to GPMC again... Earlier, in Windows 2000 and Windows 2003, we used to have a tool known as GPOTOOL... You all must know that Group Policies are stored partially in AD and partially in SYSVOL. And to successfully apply them, it is mandatory that the version of the GPO in AD matches the version of the same GPO in SYSVOL...

GPOTOOL was used to compare these versions. However, there were some issues with that tool and that's why Microsoft introduced a "Status" tab in GPMC.

"This page shows the status of Active Directory and SYSVOL (DFSR) replication for this domain as it relates to Group Policy"

You must be thinking why I wrote the above statement when it was mentioned in the snapshot given below... This is called search optimization... Getting my blog / post listed in the search results when someone looks for this string... This is not called ADShotGyan... This is ExtraGyan which I like to share periodically...

As stated earlier, this tool (as well as the earlier one, "GPOTool") will "compare" the version of a GPO in AD with that in SYSVOL. For a comparison, there has to be a baseline server.

So, here in this snap-in, you will have a baseline server. Usually, the baseline server is the PDC; however, this can be changed.

Currently, the data is uncollected. So let's click on "Detect Now"

And here you gooooooo... Infrastructure Status was last gathered: 9/23/2012 6:04 AM

6:04 AM... Guys... 6:04 AM

See... How Hard Working I am... :)

So, it detected the domain controller and the replication was in sync.

Now let's check if this actually works. We will stop the Active Directory Domain Services on a domain controller and then run the same test again.
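The comparison behind the Status tab can also be scripted. The PowerShell below is an added example, not part of the original post and not Microsoft's implementation: it reads each GPO's versionNumber attribute from AD and the Version line of GPT.INI in SYSVOL on every domain controller, using the PDC emulator as the baseline. It checks version numbers only, and assumes the ActiveDirectory module and read access to each DC's SYSVOL share; the function name Get-GpoVersion is made up for this example.

```powershell
# Added example (not from the original post): compare GPO versions on every DC
# against a baseline DC. Needs the ActiveDirectory module and SYSVOL read access.
Import-Module ActiveDirectory

function Get-GpoVersion([string]$Server, [string]$DnsRoot, [string]$DomainDn) {
    Get-ADObject -Server $Server -SearchBase "CN=Policies,CN=System,$DomainDn" `
        -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber -ErrorAction Stop |
    ForEach-Object {
        $gpo = $_
        # Read this DC's own SYSVOL copy, not the domain-wide DFS path
        $ini = "\\$Server\SYSVOL\$DnsRoot\Policies\$($gpo.Name)\GPT.INI"
        $sysvol = $null
        if (Test-Path -LiteralPath $ini) {
            $m = Select-String -LiteralPath $ini -Pattern '^\s*Version\s*=\s*(\d+)' |
                 Select-Object -First 1
            if ($m) { $sysvol = [int]$m.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{ Guid = $gpo.Name; Name = $gpo.displayName
                           AD = [int]$gpo.versionNumber; Sysvol = $sysvol }
    }
}

$domain   = Get-ADDomain
$baseline = $domain.PDCEmulator   # usual baseline; substitute another DC if needed
$base = @{}
Get-GpoVersion $baseline $domain.DNSRoot $domain.DistinguishedName |
    ForEach-Object { $base[$_.Guid] = $_ }

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try   { $rows = @(Get-GpoVersion $dc $domain.DNSRoot $domain.DistinguishedName) }
    catch { Write-Warning "$dc : Active Directory inaccessible"; continue }
    foreach ($r in $rows) {
        $b = $base[$r.Guid]
        if     ($null -eq $r.Sysvol)     { $state = 'GPT.INI missing or unreadable' }
        elseif ($r.AD -ne $r.Sysvol)     { $state = 'AD and SYSVOL differ on this DC' }
        elseif (-not $b)                 { $state = 'Not present on baseline' }
        elseif ($r.AD -ne $b.AD -or $r.Sysvol -ne $b.Sysvol) { $state = 'Differs from baseline' }
        else                             { $state = 'In sync' }
        if ($state -ne 'In sync') {
            [pscustomobject]@{ DC = $dc; GPO = $r.Name; AD = $r.AD
                               Sysvol = $r.Sysvol; State = $state }
        }
    }
}
```

No output means every reachable DC agrees with the baseline; a DC whose directory service is stopped shows up as a warning instead of a row.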

Ahhh... Active Directory Status "Inaccessible"

Click on this link...

Let's start the service again

Working again now...

Note that on left pane, we have selected the "Domain Name"

Now what if I select the linked Group Policy "Default Domain Policy"?

I don't get the "Status" tab

I click on an OU in the left pane and still I don't see the Status tab

But what if I click on a GPO listed under Group Policy Objects?

Yes, it shows the Status tab. The point to note here is that the Status tab, when opened on a GPO, shows the status for that GPO ONLY; when the domain name was selected, it showed the status of all the GPOs.

Group Policy Results...

- Summary Tab
- Details Tab
- Policy Events Tab

Summary Tab

- If a fast link or a slow link was detected
- Any special alerts


Details Tab

Lists all the group policy settings configured in this group policy object

This is further divided into:

- General
- Component Status
- Settings
- Group Policy Objects
- WMI Filters


General:

- Computer Name
- Domain
- Site
- OU
- Security Group Membership

Component Status:

- Group Policy Infrastructure
- Registry
- Security

This will list the status (success/failure), the time taken (in processing the CSE, i.e. the client-side extension), the last process time and the event log

Notice that "Last Process Time" and "Event Log" are links

Click on the link for "Last Process Time" and you will get the following dialog box

Great Information...

- Loopback Processing
- Loopback Mode
- Link Speed
- Slow Link Threshold
- Domain Controller Name
- Domain Controller IP
- Processing Trigger

All this information is gathered remotely: it belongs to the target machine and not to the domain controller, as we are running RSoP remotely from the GPMC snap-in. (In the example we have selected the domain controller as the machine, but if you choose a client machine then all this information will be that of the client machine.)

Click on the "Event Log" link

This will list all the events which have appeared in the event log while the group policy was processing


Settings:

The settings which have been defined in the Group Policy Object

Notice again that the policy has a link

Clicking on the link will display a dialog box with the description of that setting

This is the same as what we get in the GPO Editor when we click on a setting

Applied GPO:

Lists all the GPOs applied at this location

WMI Filters

Policy Events

Lists all the events related to Group Policy processing on the particular machine

Group Policy Update (Remote)

Another cool feature of GPMC is that it allows a remote policy update

Right click on an OU and select the option "Group Policy Update"

Oops... Error

Yes, that was done intentionally so that you can see that it's not that you will only get success; you may get an error as well. At this time, the machine in that OU was turned off, so we got this error

Doing the same on the Domain Controller OU