Three years ago, in Microsoft Certified Technical Education Centers (CTECs) around the world, Microsoft Certified Trainers (MCTs) tried to put Windows NT administrators at ease by giving some version of the following speech: "Windows 2000 adds hundreds of new features. But just because so many features are included doesn't mean you have to use all of them." Many administrators took this pronouncement to heart with regard to Group Policy and simply ignored this powerful Win2K tool. Group Policy introduced the ability to control a wealth of computer and user-environment settings by using the structural elements (i.e., sites, domains, and organizational units—OUs) of Active Directory (AD). For example, you could configure Group Policy Objects (GPOs) to standardize security policies by server function and restrict users' ability to reconfigure desktop computers.
Unfortunately, Microsoft's implementation of all that power was imperfect. For example, Win2K Group Policy management tools couldn't provide a comprehensive view of policy deployment and its effects. Windows Server 2003 tries to remedy Group Policy's shortcomings through several new policy options and two GPO administration tools.
Win2K Group Policy Shortcomings
As one of the more significant (and complex) new features pioneered in Win2K, Group Policy wasn't thoroughly understood by Win2K adopters. Organizations that wanted to implement Group Policy needed to make that decision early in migration planning, and some decided to avoid its use to simplify the migration process. In organizations that embraced Group Policy, many administrators found the Group Policy management tools to be cumbersome.
Simply to use Win2K's Group Policy management tool, which doesn't launch by default, you typically need to launch the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the MMC Active Directory Sites and Services snap-in, navigate to the container (i.e., the domain, site, or OU) that holds a GPO, then manually launch the Group Policy snap-in from the container. If you want to examine or edit policies in two different containers—even closely related containers, such as parent and child OUs—you need to launch the Group Policy snap-in for each container. In fact, if you associate multiple GPOs with one container, you must view each GPO in a separate MMC window.
Layers of nested OUs, combined with site and domain GPOs and dozens of categories to which different GPOs might apply, make planning GPOs difficult. Simply determining the effect of combined GPO settings—what applies to a particular user logged on to a particular computer—is a piece of detective work.
Windows 2003 addresses almost all these Group Policy problems. The most important Windows 2003 changes are the Group Policy Management Console (GPMC) and the MMC Resultant Set of Policies (RSoP) snap-in.
The GPMC doesn't ship with Windows 2003, but it's available for download from the Microsoft Web site (http://www.microsoft.com/downloads/details.aspx?familyid=f39e9d60-7e41-4947-82f5-3330f37adfeb&displaylang=en). After you download the tool, simply double-click the gpmc.msi package and follow the instructions to install it. In addition to adding a GPMC shortcut to the Administrative Tools folder, the installation process updates the Group Policy tab on the properties pages of sites, domains, and OUs in the Active Directory Users and Computers and Active Directory Sites and Services snap-ins to provide a direct link to the GPMC. You can also launch the GPMC by clicking Start, Run, then typing
You must run the GPMC from Windows 2003 or Windows XP Professional Edition with Service Pack 1 (SP1) or later, but you can use the tool to manage GPOs in Win2K domains. You can manage sites, domains, and OUs from one tool and multiple domains and forests from one screen. As Figure 1 shows, the GPMC's treeview pane provides a top-level view of forests and the containers within them. The right-hand pane's contents change depending on what you select in the treeview pane.
When you select a container, three tabbed windows—Linked Group Policy Objects, Group Policy Inheritance, and Delegation—appear in the right-hand pane, as Figure 2 shows. The Linked Group Policy Objects tab displays all GPOs that are directly linked to the selected container, shows the order in which they are applied, and lets you launch Group Policy Editor (GPE) or create a new GPO.
The Group Policy Inheritance tab conveniently lists all GPOs that are in effect in the selected container, including those that are linked to a higher-level container and that are enabled in the selected container through inheritance. This display takes into account whether inheritance is blocked and whether blocking is overridden. However, the Group Policy Inheritance tab doesn't display GPOs applied at the site level for domains or OUs. The Delegation tab displays user profiles that have permission to manage GPOs in the selected container.
The GPMC displays four containers that aren't available in the Win2K AD management tool. Figure 2 shows these containers in the treeview pane.
- The Group Policy Objects container exists within each domain and site and contains the same GPOs listed within individual containers. You can back up and restore GPOs from the Group Policy Objects container.
- Windows 2003 Group Policy lets you filter GPOs based on environment-specific Windows Management Instrumentation (WMI) settings. The WMI Filters container displays all GPOs and lets you import and examine WMI filters.
- The Group Policy Modeling container integrates the Resultant Set of Policies (RSoP) tool in Planning mode to simulate the effect of any new GPO. To use the Group Policy Modeling feature, your forest must contain at least one domain controller (DC) that runs Windows 2003.
- The Group Policy Results container also integrates with the RSoP tool to display the effective settings for any scenario and can display the combined effects of domain, site, and OU GPOs.
The GPMC also adds power to scripters' arsenals. All GPMC functions are scriptable. You'll find several sample scripts (for tasks such as GPO backup and creation) in the \program files\gpmc\scripts directory.
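As an added illustration of that scriptability (this is not one of the GPMC sample scripts), the following PowerShell script drives the same GPMgmt.GPM COM interface the sample scripts use to back up every GPO in a domain and save an HTML report beside each backup. The domain name and backup path are assumed values; the GPMC must be installed on the machine running it.

```powershell
# Added example, not from the GPMC sample scripts: back up every GPO in a
# domain through the GPMC COM interface (GPMgmt.GPM) and write an HTML
# settings report next to each backup. Domain and paths are assumed values.
param(
    [string]$Domain    = 'corp.example.com',                          # assumed
    [string]$BackupDir = 'C:\GPOBackups\' + (Get-Date -Format 'yyyyMMdd-HHmm')
)

$gpm       = New-Object -ComObject 'GPMgmt.GPM'
$constants = $gpm.GetConstants()

# UseAnyDC lets the GPMC pick any reachable domain controller for the query.
$gpmDomain = $gpm.GetDomain($Domain, '', $constants.UseAnyDC)

# An empty search-criteria object matches every GPO in the domain.
$criteria = $gpm.CreateSearchCriteria()
$gpos     = $gpmDomain.SearchGPOs($criteria)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($gpo in $gpos) {
    # Backup() returns a GPMResult; the GPMBackup object is in its Result property.
    $result = $gpo.Backup($BackupDir, "Scripted backup of $($gpo.DisplayName)")
    $backup = $result.Result

    # Strip characters that are not valid in file names so the report is
    # named after the GPO's display name.
    $safeName   = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
    $reportPath = Join-Path $BackupDir "$safeName.html"
    $gpo.GenerateReportToFile($constants.ReportHTML, $reportPath) | Out-Null

    Write-Host ('{0}  {1}  backup {2}' -f $gpo.ID, $gpo.DisplayName, $backup.ID)
}
```

Keeping the report with the backup gives you a human-readable record of what each GPO enforced at that point in time, which is what you want when reviewing or rolling back a policy change.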
Microsoft's RSoP tool doesn't help you create or link GPOs, but rather lets you examine their effects—think of RSoP as a "read-only" tool. RSoP is a query engine and reporting tool that operates in two modes. Logging mode displays the effects of currently applied GPOs, and Planning mode displays the effects of a combination of current and proposed GPOs. You won't find the RSoP tool in Windows 2003's Administrative Tools folder; to use the RSoP tool, define a custom MMC console for its snap-in or type
at the command line.
When you launch the RSoP snap-in, the first window you'll see is the Mode Selection screen, which lets you choose between Logging and Planning modes. Logging mode displays all effective settings. In Planning mode, the RSoP tool's wizard interface lets you change existing GPOs, add new GPOs, move user or computer accounts to new OUs or sites, alter security group memberships, and apply WMI filters.
After you choose the mode, the snap-in will prompt you for the username and the computer you want to examine. The RSoP then displays the effect of the specified policy or combination of policies. The RSoP tool is a great way to try out a change without actually inflicting it on users.
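The same Logging and Planning modes are reachable from a script, which is handy for checking a change across many user/computer pairs. The following PowerShell script is an added example, not code from the article or from Microsoft; it uses the GPMC's GPMgmt.GPM COM interface, and the computer, user, OU and DC names are assumed values. The format expected for the Planning-mode computer and user names is an assumption on my part.

```powershell
# Added example, not from the article: run an RSoP query through the GPMC COM
# interface (GPMgmt.GPM) and save an HTML report. Logging mode shows what is
# actually applied; Planning mode here simulates moving the user to another
# OU without touching the account. All names below are assumed values.
param(
    [ValidateSet('Logging','Planning')] [string]$Mode = 'Logging',
    [string]$Computer   = 'WKS01',                              # assumed
    [string]$User       = 'CORP\jsmith',                        # assumed
    [string]$UserOU     = 'OU=Sales,DC=corp,DC=example,DC=com',  # assumed target OU
    [string]$DC         = 'DC01.corp.example.com',              # assumed Windows 2003 DC
    [string]$ReportPath = "C:\RSoP\$Mode-WKS01-jsmith.html"
)

$gpm       = New-Object -ComObject 'GPMgmt.GPM'
$constants = $gpm.GetConstants()

if ($Mode -eq 'Logging') {
    # Logging mode queries the RSoP provider on the target machine, so the
    # caller needs administrative rights there and the machine must be up.
    $rsop = $gpm.GetRSOP($constants.RSOPModeLogging, '', 0)
    $rsop.LoggingComputer = $Computer
    $rsop.LoggingUser     = $User
} else {
    # Planning mode is evaluated on a Windows 2003 DC (the article notes the
    # forest needs at least one). PlanningUserSOM points at the OU the user
    # would live in after the proposed move. Name formats are assumed.
    $rsop = $gpm.GetRSOP($constants.RSOPModePlanning, '', 0)
    $rsop.PlanningDomainController = $DC
    $rsop.PlanningComputer         = "CORP\$Computer`$"
    $rsop.PlanningUser             = $User
    $rsop.PlanningUserSOM          = $UserOU
}

$rsop.CreateQueryResults()
try {
    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    $rsop.GenerateReportToFile($constants.ReportHTML, $ReportPath) | Out-Null
    Write-Host "RSoP ($Mode) report written to $ReportPath"
}
finally {
    # Query results hold a temporary WMI namespace open until released.
    $rsop.ReleaseQueryResults()
}
```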
Other Group Policy Changes
Windows 2003 also provides many other Group Policy enhancements. Here are five of the most notable improvements.
- The Group Policy Object Editor, which replaces the MMC Group Policy snap-in, offers a Web-based interface and an Extended View option that provides a detailed explanation of any policy you select. You can filter the Group Policy Object Editor's view on the basis of OS (Windows 2003, XP, or Win2K), Configured Settings, or Managed Settings. To launch the Group Policy Object Editor, open the Active Directory Sites and Services or Active Directory Users and Computers snap-in; right-click a site, domain, or OU; select Properties; then click the Group Policy tab.
- Windows 2003 adds a new Group Policy software deployment option. The Install this application at logon option provides a more forceful "push" of applications compared with the Win2K options.
- WMI Filters let you configure GPOs to take effect conditionally. This feature lets you apply GPOs based on the installed OS type, service pack level, machine type, and value of many other environment variables.
- Windows 2003 makes available a limited degree of cross-forest GPO functionality. You can't link GPOs between forests, but if a forest trust exists between two Windows 2003 forests and someone uses a user account from one forest to log on to a machine in the other forest, Windows will pass GPOs from one forest to the other to put both user and computer settings in effect appropriately.
- A new Windows 2003 and XP command-line utility, gpupdate.exe, lets you refresh Group Policy settings on a computer. Gpupdate.exe replaces the Win2K Secedit command's /refreshpolicy option.
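A WMI filter is a set of WQL queries, and the GPO it is attached to applies only when every query returns at least one object. Before linking a filter, it is worth running its queries against a representative machine. The following PowerShell script is an added example, not from the article; the two queries are constructed to match Windows 2003 with SP1 or later, and the namespace and queries are assumptions you would replace with your own filter's contents.

```powershell
# Added example, not from the article: evaluate the WQL queries of a proposed
# WMI filter on the local machine with the same all-queries-must-match rule
# that Group Policy applies. The queries are constructed for Windows 2003
# (NT version 5.2) with Service Pack 1 or later; root\CIMv2 is the default
# namespace for GPO WMI filters.
$filterQueries = @(
    @{ Namespace = 'root\CIMv2'
       Query     = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%"' },
    @{ Namespace = 'root\CIMv2'
       Query     = 'SELECT * FROM Win32_OperatingSystem WHERE ServicePackMajorVersion >= 1' }
)

function Test-WmiFilter {
    param([hashtable[]]$Queries)
    foreach ($q in $Queries) {
        # Wrap in @() so a single returned object still has a Count.
        $hits    = @(Get-WmiObject -Namespace $q.Namespace -Query $q.Query -ErrorAction Stop)
        $verdict = if ($hits.Count -gt 0) { 'match' } else { 'NO MATCH' }
        Write-Host ('{0,-9} {1}' -f $verdict, $q.Query)
        # A single empty result set means the whole filter fails.
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

if (Test-WmiFilter -Queries $filterQueries) {
    Write-Host 'Filter would apply here: the linked GPO would take effect.'
} else {
    Write-Host 'Filter would not apply here: the linked GPO would be skipped.'
}
```

Note that a filter whose query errors (wrong namespace, missing class) is treated as not matching, so a typo in a filter silently removes a GPO from every machine it was meant to reach.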
New Group Policy Settings
Windows 2003 introduces more than 160 new Group Policy settings, many with expanded security potential. Windows 2003 also renames some Win2K settings.
- The Windows Settings\Security Settings\Software Restriction Policies setting lets you control which Windows applications a system can run.
- The Administrative Templates\System\User Profiles setting controls whether user profiles are mandatory, local, or roaming.
- The Administrative Templates\System\Net Logon setting controls logon operations, including the creation of automatic DNS SRV records and DC discovery.
- The Administrative Templates\System\System Restore setting lets you enable and disable XP's automatic system-state backups.
- The Administrative Templates\Network\SNMP setting lets you centrally configure SNMP settings that support monitoring and control functions.
A Better ROI
Group Policy typifies many of the functional aspects of AD that Microsoft introduced in Win2K. However, implementing Group Policy's sizable potential in Win2K required an equally sizable investment of effort and planning. Through new tools and some overall fine-tuning in Windows 2003, Microsoft made ignoring Group Policy's capabilities much less attractive.