In "Group Policy Made Great," http://www.winnetmag.com, InstantDoc ID 37554, I wrote about a product that Microsoft was then beta-testing called the Group Policy Management Console (GPMC). In that article, I wrote that the GPMC looked pretty good but was lacking a few things that I hoped Microsoft would rectify. Today, I’m happy to report that the GPMC is completed and that most of the news about it is good.
The first bit of good news is that the GPMC is finished and available for download. To get a copy, go to http://microsoft.com/downloads/details.aspx?familyid=F39E9D60-7E41-4947-82F5-3330F37ADFEB&displaylang=en. While you’re there, you might also need to go to http://www.microsoft.com/downloads/details.aspx?FamilyID=262d25e3-f589-4842-8157-034d1e7cf3a3&DisplayLang=en to pick up a copy of the Windows .NET Framework—the GPMC requires it.
The first—and worst—bit of bad news is that you can't install the GPMC on a Windows 2000 system: The GPMC runs only on Windows Server 2003 and Windows XP Professional. So, is the GPMC of any value in a Win2K network? To a limited extent, yes. You can load the console on an XP system, then use it to analyze Group Policy behavior on a remote system. Although that remote system can’t be a Win2K system, it can be an XP system that gets its Group Policy Objects (GPOs) from a Win2K-based domain controller (DC). However, the second piece of bad news is that the GPMC license explicitly says that you can download and run the console only on a network on which you're running at least one copy of Windows 2003. Technologically, nothing prevents you from downloading the GPMC, running it on an XP system that's a member of a Win2K-based Active Directory (AD) domain, and analyzing the Group Policy behavior of other XP boxes on the domain—but you'd violate your GPMC license if you did so.
What does the GPMC do that’s so neat? It does a lot of things, but I'll zero in on my two favorites. The GPMC provides a flattened view of GPOs and Resultant Set of Policy (RSoP) reports, and it lets you back up and restore GPOs.
Anyone who’s ever looked at a GPO knows that it can contain potentially hundreds of settings. Because so many GPO settings are possible, creators of Group Policy–related tools tend to create hierarchies of folders in their tools. For example, if you look at Group Policy Editor (GPE—gpedit.msc), you'll see a Security Options folder inside a Local Policies folder inside a Security Settings folder inside a Windows Settings folder inside a Computer Configuration folder. Consequently, figuring out what a GPO does is a nightmare. You must drill down to the innermost folder, then examine its contents. In most cases, you'll find that the settings are “not defined,” so you must then go to the next folder, look at its contents, and so on. Wading through all the "not defineds" at all the levels to extract the few defined settings that matter can take quite a while. Ever since I first looked at a GPO, I’ve wanted to be able to click View/Flat on GPE’s menu (don’t bother looking; no such setting exists) and get the no-folder version of a GPO. Every GPO could have hundreds of settings, but most GPOs have no more than a handful. I want to view just that handful.
The GPMC provides that capability. Open up the Group Policy Objects folder and right-click the GPO whose secrets you want to lay bare. In the right-hand pane, click Settings and Show all, and you'll see a nice summary of the GPO. An RSoP tool will similarly show you “just the facts, ma’am” on the sum effect of all of your GPOs—what setting applies to your system, and which GPO supplies that setting.
That capability alone would make the download worthwhile, but the GPMC provides more: GPO backup and restore. Let’s say I’ve crafted a GPO that sets up my network just the way you’d like to set up yours, so you ask me for a copy of my GPO. Without the GPMC, I’d have to say, “Sorry, but I can’t give you a copy. You can't transport GPOs from one domain to another." But now, the GPMC's GPO backup and restore capability lets you easily move GPOs between domains.
If that doesn't sound interesting, consider a practice that I picked up from my friend and fellow AD geek Jeremy Moskowitz. When people hire me to fix their ailing AD domains, the first thing I want to do is to get the network to a known-good state, so I temporarily disable the client's user-defined GPOs. Often, however, I find no user-defined GPOs because the local administrators have created all their GPOs by modifying the Default Domain Policy or Default Domain Controllers Policy. How can I restore a Default Domain Policy that someone has messed with? I could spend a few hours in GPE trying to return the Default Domain Policy to its out-of-the-box state. Or—here’s the cool part—I could simply back up a Default Domain Policy that hasn't been changed from another domain and restore the policy to the client domain. Instant Default Domain Policy reset: Just what I wanted for my birthday!
I highly recommend that you pull down a copy of the GPMC if you haven't done so yet. But to Microsoft, I say, "Have a heart! Please change that license so that I can legally use the GPMC in a mixed XP/Win2K network. We’re all going to go to Windows 2003 eventually; until then, cut us some slack and let us run the GPMC on XP. The GPMC is a great piece of work; tweak that license and make it even better!"