Microsoft provides several different tools
administrators can use to create and manage local and domain-based group
policies. The OS version the administrator is using to manage policies
determines the functionality the tools provide. As an example, when new
group policies are created using the Windows Server 2008 or greater
Group Policy Management Console, the GPO folder utilizes the new
ADMX/ADML templates, whereas the Windows XP and Windows Server 2003 tool
uploads the original ADM template files into the GPO folder.
This section details the
tools provided with Windows Vista, Windows Server 2008 and later OSs to
manage local and group policies.
Group Policy Management Console
The most functional and useful tool provided
to create and manage Active Directory group policies is the Group Policy
Management Console (GPMC). The GPMC was introduced after the release of
Windows Server 2003; the functionality included with different OSs
produces different options and resulting operations when creating and
managing Active Directory group policies. This is the main tool for
managing the Group Policy infrastructure.
The GPMC is a Microsoft Management Console
(MMC) snap-in and can be added to a custom console. The GPMC snap-in
provides the most functionality for administrators who want to manage
domain group policies. The GPMC provided with Windows Server 2012 can
perform the following Group Policy administrative functions:
• Enable starter GPO functionality and create new starter GPOs
• Create new domain group policies
• Create new group policies using starter GPOs as templates
• Create and configure GPO links to sites, domains, and OUs
• View and manage GPOs in domains in the local and trusted Active Directory forests
• Back up and restore a single or all GPOs in a domain
• Back up and restore a single or all starter GPOs in a domain
• Import group policies from external
domains and migrate security settings using migration tables to ensure
proper import functionality
• Manage GPO link enforcement, enable links, and disable links
• Configure the block inheritance settings for sites, domains, and OUs
• Manage GPO status to control which nodes in a GPO are enabled or disabled
• Create and link WMI filters for GPOs
• Manage GPO security filtering
• Manage GPO delegation and administrative security
• Manage the GPO order of processing on containers with multiple GPO links
• View all configured settings of
existing group policies and any additional information, such as the
revision number, filtering, delegation, and create exported reports of
the configuration
• Check the replication status of the GPO infrastructure
• Generate HTML reports used to summarize Group Policy configurations and settings
• Run the Group
Policy Modeling Wizard to determine how group policies will be applied
to users or computers in specific containers
• Run the Group Policy Results Wizard to investigate how policies have been applied to specific computer/user objects
Group Policy Object Editor
The Group Policy Object Editor (GPOE), is the
tool used to edit local group computer and user policies. Each server
and workstation computer has a default local security policy. This
policy is accessed through the shortcut to the specific Local Security
Policy MMC snap-in located in the Administrative Tools program folder.
Now that Windows Vista, Windows Server 2008, and later OSs support
multiple local group policies, the GPOE must be used to manage or create
any local group policies other than the default.
The GPOE is used to edit all the configuration
settings of a policy. This includes configuring security settings,
installing software packages, creating restriction policies, defining
the scripts used by computers and users, and many other functions.
Group Policy Management Editor
To manage domain group policies, the Group
Policy Management Editor (GPME) is used and provides the same
functionality as the GPOE plus additional functionality only available
with this tool. One of the biggest differences is that the GPME includes
not only the Policy Settings node, but also the Preferences Settings
node, which is only available in domains. GPME is installed on Windows
Vista and later by downloading and installing the Remote Server
Administration Tools (RSAT) tools for the particular service pack and
OS. On Windows Server 2008, Windows Server 2008 R2, and Windows Server
2012 OSs, you can install the Group Policy tools from the Add Features
applet of Server Manager.
Group Policy Starter GPO Editor
The Group Policy Starter GPO Editor is used to
edit starter GPOs created by Group Policy administrators. This console
only shows the Administrative Templates nodes under the Computer
Configuration and User Configuration sections of a starter GPO. By
default, the settings available in the Administrative Templates sections
are all that can be set in a starter GPO; however, Microsoft provides
read-only starter GPOs for Windows Vista and Windows XP, but the Windows
Vista policy best practices still apply to Windows Server 2012 and
Windows 8. The Group Policy Starter GPO Editor is included with the
Windows Server 2012 Remote Server Administration Tools.
Print Management Console
First introduced with Windows Server 2003 R2,
the Print Management console is used to manage Active Directory and
local server and workstation printers. The Print Management console, shown in Figure 1,
can be used to view settings, configure drivers and options, and manage
printer and print jobs on a particular system or Active Directory-wide.
The Print Management console can also be used to deploy printers to
computers or users using the Deployed Printers node. Deploying printers
is a function that extends Group Policy functionality to allow printers
to be deployed to a predetermined set of users or computer objects to
which a GPO is linked.
Figure 1. PRINT Management console.
The GPOE and the GPME on Windows Vista and
later include the Deployed Printers node beneath the Windows Settings
node in both the Computer Configuration and User Configuration settings
nodes. On Windows Server 2008 and later server OSs, the Print Management
console must be installed from the Server Manager Features, Add
Features link before the Deployed Printers node will be available in the
Group Policy Editor consoles. If a policy contains printers defined in
the Deployed Printers nodes, and the policy is viewed using the GPMC or
GPME on Windows XP, the deployed printers will not be viewed.
Furthermore, if the policy is opened on a Windows Server 2003 R2 server,
and if the Print Management console is not installed from Windows
components, the Deployed Printers node will not be shown. As a best
practice, only create GPOs to deploy printers using the GPMC and GPME on
Windows Vista, Windows Server 2008, and later OSs. To install the Print
Management console on Windows Server 2012, run the Add Features applet
from Server Manager and select the Print and Document Services Tools
from the Remote Administration Tools submenu.
Gpupdate.exe
The gpupdate.exe tool is a command-line tool
that assists administrators in troubleshooting GPO processing and
initiating GPO processing on demand. Certain sections of group policies
will only be applied at computer startup and user logon, whereas others
will be applied during these intervals and during the periodic refresh
interval. For the settings that apply during the computer startup and
user logon intervals, if network connectivity to the domain controllers
is not available during this interval, these settings might not ever be
applied. Also, remote or mobile workstations, systems that are put to
sleep or hibernated, and users logging on using cached credentials
usually do not get these policies applied. This is where the new Network
Location Awareness service for Windows Vista, Windows Server 2008, and
later OSs come into play; it will notify the system that a domain
controller is available and that will trigger a Group Policy refresh
cycle.
The gpupdate.exe tool enables you to apply
user and computer policies immediately. One common use of this tool is
to add the gpupdate.exe to a VPN post-connection script to allow these
settings to be applied to remote workstations that belong to the Active
Directory infrastructure. This tool provides the following options:
• gpupdate.exe /Target:{Computer | user}—This function allows the tool to process only the specified node of the group policy.
• gpupdate.exe /Force—This option reapplies all policy settings. This option does not automatically reboot the computer or log off the users.
• gpupdate.exe /Wait—This option defines how many seconds to allow GPO processing to complete. The default is 600 seconds, or 10 minutes.
• gpupdate.exe /Logoff—This option logs off the user account after GPO processing has completed.
• gpupdate.exe /Boot—This
option reboots the computer after Group Policy processing completes.
This is to apply the GPO settings that are only applied during computer
startup.
• gpupdate.exe /Sync—This
option processes GPO settings that normally only occur during computer
startup and user logon. This option requires that the administrator
designate whether the system can restart the computer or log off the
user.
