Group Policy object editor overview for GPMC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Group Policy object editor

Group Policy Object Editor is an MMC snap-in used to edit the policy settings in Group Policy objects (GPOs).

Opening Group Policy Object Editor

In Group Policy Management Console (GPMC), open Group Policy Object Editor by right-clicking a node for a GPO or a GPO link and then clicking Edit.

Note

  • You must have edit rights on the GPO in order to open it in Group Policy Object Editor.

Configuring Group Policy settings

Group Policy Object Editor consists of two main sections: User Configuration, which holds settings that are applied to users (at logon and periodic background refresh) and Computer Configuration, which holds settings that are applied to computers (at startup and periodic background refresh). These sections are further divided into the different types of policies that can be set, such as Administrative Templates, Security, or Folder Redirection. For more information about these categories of policy settings, see Group Policy Object Editor Extensions.

You configure Group Policy settings by navigating to the appropriate location in each section. For example, if you want to set an Administrative Templates policy setting in a GPO to prevent users from seeing the Run command, you would need to enable the policy setting Remove Run Menu from Start Menu. This is located under User Configuration\Administrative Templates\Start Menu and Task Bar. You edit most policy settings by double-clicking the title of the policy setting, which opens a dialog box that provides specific options. In Administrative Templates policy settings, for example, you can choose to enable or disable the policy setting or leave it as not configured. In other areas, such as Security Settings, you can select a check box to define a policy setting and then set available parameters.

The Group Policy Object Editor provides different ways of learning about the function or definition of specific policy settings. In most cases, when you can double click the title of a policy setting, the dialog box contains any relevant defining information about the policy setting. For Administrative Templates policy settings, the Group Policy Object Editor provides explain text directly in the Web view of the console. You also can find this explain text by double-clicking the policy setting and then clicking the Explain text tab. In either case, this text shows operating system requirements, defines the policy setting, and includes any specific details about the effect of enabling or disabling the policy setting.

Managing Multiple Platforms in Group Policy Object Editor

Because new Administrative Template policy settings have been added that only work on specific versions of the operating system such as Windows XP Professional or Windows Server 2003, the Group Policy Object Editor enables you to view only the Administrative Template policy settings that might be applied in your users' work environment. For example, you may want to edit only policy settings that could be applied on client computers running Windows 2000 Service Pack 3. You can specify these options in the Filtering dialog box, available by clicking a node in the Administrative Templates section, clicking the View menu and then clicking Filtering.

For more information about editing Group Policy objects see:

To learn how Group Policy tasks differ after you install GPMC, see New ways to do familiar tasks using GPMC.

Opening Group Policy Object Editor from the command line

It is sometimes useful to open Group Policy Object Editor from the command line. By specifying the appropriate command line switches, you can automatically connect to a specific machine or GPO.

The following table illustrates the available command-line switches used to open Group Policy Object Editor under different circumstances.

Command-line parameters Effect

gpedit.msc

Edit the local GPO on the local computer.

gpedit.msc /gpcomputer:"Computer1"

Notes

  • The quotation marks are mandatory.

  • There is no space after /gpcomputer:

You can edit the local GPO on Computer1.

gpedit.msc /gpcomputer:"ThisComputer.TailspinToys.com"

Notes

  • The quotation marks are mandatory.

  • There is no space after /gpcomputer:

You can edit the local GPO on Computer1, with the computer specified in the DNS style rather than the NetBIOS style.

gpedit.msc /gpobject:"LDAP:"LDAP_PATH_TO_GPO"

Notes

  • LDAP path to the GPO is based on the GUID of the GPO, for example: "LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=WingTipToys,DC=com".

  • You can optionally specify the domain controller to use in the LDAP path as the first item in the LDAP path. You can use either a NETBIOS or DNS format for the name of the domain controller. For example, this path would specify that GPEdit could use domain controller named DC13.TailspinToys.com: "LDAP://DC13.TailspinToys.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=WingTipToys,DC=com".

You can edit an Active Directory–based GPO by passing in the LDAP path to the GPO.

See Also

Concepts

Group Policy objects overview for GPMC
Control Group Policy Object Scope
Group Policy Object Editor Extensions
Edit a Group Policy object from GPMC