Group Policy Management Console Overview (Administering Group Policy with Group Policy Management Console)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In the past, administrators have been required to use several Microsoft tools to manage Group Policy, such as the Active Directory Users and Computers, Active Directory Sites and Services, and Resultant Set of Policy snap-ins. GPMC integrates the existing Group Policy functionality exposed in these tools into a single, unified console, along with several new capabilities.

Built into GPMC is support for managing multiple domains and forests, making it possible for administrators to easily manage Group Policy across an enterprise. Administrators have complete control of which forests and domains are listed in GPMC, making it possible to display only pertinent parts of an environment.

By default, the first time GPMC is started it loads the forest and domain containing the user object logged on to the computer. Administrators can then specify which forests and domains to display. When the console is closed, GPMC automatically saves the last view and will return to that view the next time the user opens that console.

The console tree on the left side of the snap-in contains GPMC’s root node Group Policy Management. Each forest appears as a sub node of GPMC’s root node, and is named after the forest root domain for that forest, pre-pended with the word “Forest.” Each forest has either three or four sub nodes of its own: Domains, Sites, Group Policy Modeling, and Group Policy Results. The Group Policy Modeling node is only shown in a forest that has the Windows Server 2003 schema for Active Directory. To perform a Group Policy Modeling analysis, you must also have at least one domain controller that is running Windows Server 2003.

Figure 1 shows GPMC with two forests, Contoso.com and Tailspintoys.com, added to the console. Tailspintoys.com is a Windows 2000 forest so the Group Policy Modeling node is not available.

Figure 1

Below is a description of each of the four major sub node types within each forest:

  • Domains: This node contains sub nodes corresponding to domains within the forest. The domain nodes are named after the DNS names of the domains. Users can choose which domains to display within the console by right-clicking this node and selecting the Show Domains context menu option. Domain nodes are always shown as peers of one another, regardless of the actual DNS relationship between them. This is because Group Policy is not inherited across domains. The list in the details pane of Figure 2 shows the name of the domain and the domain controller in that domain used during GPMC operations.

    Figure 2

  • Sites: This node contains sub nodes corresponding to sites within the forest. Users can choose which sites to display within the console by right-clicking this node and selecting the Show Sites context menu option. All sites are shown as peers of one another. As with forests and domains, the list of sites displayed is preserved for future use when the console is closed. No sites are displayed by default. This is done to speed up console performance by not enumerating a potentially large number of sites in the forest, unless explicitly requested by the user.

  • Group Policy Modeling: This node allows you to access the Resultant Set of Policy (RSoP) – Planning Mode capabilities of Windows Server 2003. This is a powerful new Group Policy management feature that allows the user to simulate policy settings applied to users and computers via Group Policy before actually applying the policies. You can simulate the policy deployment for any user and computer in the forest. This feature, known as Resultant Set of Policies (RSoP) – Planning Mode in Windows Server 2003, is integrated into GPMC as Group Policy Modeling. This feature requires at least one domain controller in the forest running Windows Server 2003, since the simulation is performed by a service that is only present on domain controllers running Windows Server 2003. Each Group Policy Modeling simulation is displayed as an individual sub node.

  • Group Policy Results: This node allows you to access the Resultant Set of Policy (RSoP) – Logging Mode capabilities. In contrast to Group Policy Modeling, which is a simulation, Group Policy Results represents the actual resultant set of policy that was applied to a given user and computer. This information is obtained by directly querying the target user/computer. Each sub node represents a different RSoP query for a given user/computer combination. You can only obtain Group Policy Results data from computers that are running Windows XP or Windows Server 2003 and later.

Managing Multiple Forests

Multiple forests can be easily added to the console tree:

  1. Right-click the root node Group Policy Management, and select Add Forest…

    Figure 3

  2. Specify the DNS or NetBIOS name of the desired domain in a forest that is not already loaded in GPMC, and click OK. If you specify a NetBIOS name, GPMC will attempt to determine the corresponding DNS name and will prompt you with a dialog box to confirm the entry.

The specified forest will appear as a sub node in the console tree and the forest is loaded into the console with the domain that was entered in the Add Forest dialog box.

To remove a forest node, simply right-click the node, and then select Remove.

By default you can only add a forest to GPMC if there is a 2-way trust with the forest of the user running GPMC. You can optionally enable GPMC to work with only a 1-way trust or even no trust. To enable this functionality, clear the Enable Trust Detection check box on the General tab in the Options dialog box of GPMC.

If you need to add a forest to which you have no trust, you must also use the Stored User Names and Passwords tool to add credentials for the forest you want to connect to using the procedure below. For this procedure, assume you have no trust to a domain called "mydomain.myforest.contoso.com" and you want to manage that domain.

  1. Start the Stored User Names and Passwords tool:

    • In Windows XP, click Start, click Control Panel, double-click User Accounts, click Advanced, and then click Manage Passwords.

    • In Windows Server 2003, click Start, click Control Panel, and then double-click Stored User Names and Passwords.

  2. Add an entry for the forest containing the domain you want to manage. In this example, add the following entry:

    *.myforest.contoso.com

    For the user name and password, enter the name and password of an account that has the rights to access the domain you want to manage.

  3. Start GPMC and disable trust detection by clearing the Enable Trust Detection check box on the General tab in the Options dialog box of GPMC.

  4. Add the forest to the GPMC console by right-clicking Group Policy Management and then clicking Add Forest. Enter the name of the domain in the forest that you want to manage.

Note

When adding forests to which you have no trust, some functionality will not be available. For example, Group Policy Modeling is not available and it is not possible to open the Group Policy Object Editor on GPOs in the untrusted forest. The untrusted forest scenario is primarily intended to enable copying GPOs across forests. Microsoft will support the untrusted forest scenario on a limited basis, and will not be providing escalation support for issues arising from this scenario.

Domain Controllers in GPMC

In each domain, GPMC uses the same domain controller for all operations in that domain. This includes all operations on the GPOs, OUs, security principals, and WMI filters that reside in that domain. In addition, when the Group Policy Object Editor is opened from GPMC, it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.

In addition, GPMC uses the same domain controller for all operations on sites. Note that this domain controller is used to read and write information about what links to GPOs exist on any given site, but information regarding the GPO itself is obtained from the domain controller of the domain hosting the GPO.

Group Policy Management Console allows you to choose which domain controller to use for each domain, as well as for all sites in a forest. You can choose from among these four options:

  • Use the primary domain controller (PDC) emulator (default choice).

  • Use any available domain controller.

  • Use any available domain controller that is running a Windows Server 2003 family operating system. This option is useful if you are restoring a deleted GPO that contains Group Policy software installation settings. See Restore for more details.

  • Use a specific domain controller that you specify.

Right-click the desired domain node and select Change Domain Controller to specify a particular domain controller to use for domain operations.

To specify a domain controller to use for operations on sites, right-click the Sites node and click Change Domain Controller.

In either case, the Change Domain Controller dialog box appears. This dialog box provides four options for specifying a domain controller as shown in Figure 4. Selecting the This domain controller: radio button activates the list of domain controllers allowing GPMC to target any desired domain controller in a given domain.

Note

When choosing a domain controller for sites, you have the additional option of choosing which domain to use. Using the domain dropdown list, you can efficiently filter the list of domain controllers, and select a domain controller accordingly.

Figure 4

Selection of Domain Controllers

By default, when you add a new domain to the console, GPMC uses the PDC emulator in that domain. For managing sites, GPMC uses the PDC emulator in the user’s domain by default.

It is important to consider the choice of domain controller in order to avoid replication conflicts. This is especially important to consider since GPO data resides in both Active Directory and on SYSVOL, and two independent replication mechanisms must be used to replicate GPO data to the various domain controllers in the domain. If two administrators are simultaneously editing the same GPO on different domain controllers, it is possible for the changes written by one administrator to be overwritten by another administrator, depending on replication latency.

To avoid this situation, GPMC uses the PDC emulator in each domain as the default to help ensure that all administrators are using the same domain controller. However, it may not always be desirable to use the PDC. For example, if the administrator resides in a remote site, or if the majority of the users or computers targeted by the GPO are in a remote site, then the administrator may want to choose to target a domain controller at the remote location.

Important

If multiple administrators manage a common GPO, it is recommended that all administrators use the same domain controller when editing a particular GPO, to avoid collisions in File Replication Services (FRS).
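
The following added example (not part of the original page or of GPMC) checks for the condition described above by comparing, on every domain controller, the Active Directory half of each GPO (the versionNumber attribute) with the SYSVOL half (the Version= line in GPT.INI). It assumes a newer management host with the ActiveDirectory PowerShell module, which is not available on the Windows Server 2003 systems this page targets, and read access to each domain controller's SYSVOL share.

```powershell
# Added example. Assumes the ActiveDirectory module and SYSVOL read access.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    # Read the Active Directory half of each GPO from this specific DC.
    $gpcs = Get-ADObject -Server $dc.HostName -SearchBase $policiesDn `
        -SearchScope OneLevel -LDAPFilter '(objectClass=groupPolicyContainer)' `
        -Properties displayName, versionNumber

    foreach ($gpc in $gpcs) {
        # Read the SYSVOL half (GPT.INI) from the same DC.
        $gptIni = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpc.Name)\GPT.INI"
        $sysvol = -1   # -1 marks a missing or unreadable GPT.INI
        if (Test-Path -LiteralPath $gptIni) {
            $hit = Select-String -LiteralPath $gptIni -Pattern '^\s*Version\s*=\s*(\d+)' |
                Select-Object -First 1
            if ($hit) { $sysvol = [int64]$hit.Matches[0].Groups[1].Value }
        }
        [pscustomobject]@{
            Gpo           = $gpc.displayName
            Guid          = $gpc.Name
            DC            = $dc.HostName
            AdVersion     = [int64]$gpc.versionNumber
            SysvolVersion = $sysvol
        }
    }
}

# Report GPOs whose two halves disagree on a DC, or whose version differs between DCs.
$rows | Group-Object Guid | ForEach-Object {
    $versions = @($_.Group | ForEach-Object { $_.AdVersion; $_.SysvolVersion } |
        Sort-Object -Unique)
    if ($versions.Count -gt 1) { $_.Group }
} | Format-Table Gpo, DC, AdVersion, SysvolVersion -AutoSize
```

A mismatch shortly after an edit is normal replication latency; a mismatch that persists indicates that the two replication mechanisms have diverged for that GPO.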

Domain Contents Overview

Within each domain, GPMC provides a policy-based view of Active Directory and the components associated with Group Policy, such as GPOs, WMI filters, and GPO links. The view in GPMC is similar to the view in Active Directory Users and Computers MMC snap-in in that it shows the OU hierarchy. However, GPMC differs from this snap-in because instead of showing users, computers, and groups in the OUs, it displays the GPOs that are linked to each container, as well as the GPOs themselves.

Each domain node in GPMC displays the following items (see Figure 5):

  • All GPOs linked to the domain.

  • All top-level OUs and a tree view of nested OUs and GPOs linked to each of the OUs.

  • The Group Policy Objects container showing all GPOs in the domain.

  • The WMI Filters container showing all WMI Filters in the domain.

Figure 5

The Group Policy Objects container shows all of the GPOs for the domain. Each node in this container represents the actual GPO components from Active Directory and SYSVOL that collectively define that GPO. Figure 6 shows an expanded Group Policy Objects container for the Contoso.com domain containing 12 GPOs.

Figure 6

GPOs are not useful until they are linked to a site, domain, or OU (Scope of Management, or SOM). The settings defined in a GPO can only be applied when the GPO is linked to one or more of these SOMs. The link is not a component of the GPO; it is a component of the SOM to which it is linked. Therefore, the ability to manage links for a given SOM must be delegated on that SOM, not the GPO. In the GPMC tree view, GPO-links on a given SOM are shown as child nodes of that container.

This distinction between GPOs and GPO links was not readily apparent in Windows 2000, and a key goal for GPMC was to make this distinction clearer. The GPMC user interface distinguishes between GPO-links and GPOs as follows:

  • Location in the tree view. Actual GPOs are always shown under the Group Policy Objects node for a given domain, whereas links appear as child nodes of a site, domain, or OU. Note that the contents of the result panes for GPOs and GPO-links are identical.

  • When you click a GPO-link, a confirmation dialog box is shown by default to indicate that you are viewing a GPO-link, not a GPO.

  • The icons for GPO-links have a shortcut icon, to indicate that they are pointers to another object. For example, in Figure 5, note the Default Domain Policy GPO link at the domain level. The icon for this link has a shortcut icon to differentiate it from the icon for the actual Default Domain Policy GPO under the Group Policy Objects node (see Figure 6).

  • The context menu that appears when you right-click in the tree view is different depending on whether you are managing a GPO-link or a GPO. Right-clicking a GPO exposes options that are primarily relevant for the actual GPO (such as backup and restore), whereas right-clicking a GPO-link exposes options that are relevant to managing the link (such as “Enforced”). Note that some options, such as “Edit”, are available on both context menus.
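
The point made above, that a link is a component of the SOM and not of the GPO, is visible in the directory itself: each domain, OU, and site object carries its links in its own gPLink attribute. The following added example (not part of the original page or of GPMC) lists every link per SOM with its disabled and enforced flags, which is useful when reviewing where link management has been delegated. It assumes the ActiveDirectory PowerShell module; ConvertFrom-GpLink is a hypothetical helper name.

```powershell
# Added example. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertFrom-GpLink {
    # Hypothetical helper: splits a gPLink value into one object per link.
    # Each link is stored as [LDAP://<GPO distinguished name>;<options>].
    param([string]$GpLink)
    $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
    foreach ($m in [regex]::Matches($GpLink, $pattern, 'IgnoreCase')) {
        $opt = [int]$m.Groups['opt'].Value
        [pscustomobject]@{
            GpoDn    = $m.Groups['dn'].Value
            Enabled  = -not ($opt -band 1)    # bit 0 set = link disabled
            Enforced = [bool]($opt -band 2)   # bit 1 set = link enforced
        }
    }
}

$root = Get-ADRootDSE
# Domain and OU objects live in the domain partition; site objects in Configuration.
$soms  = @(Get-ADObject -SearchBase $root.defaultNamingContext `
    -LDAPFilter '(gPLink=*)' -Properties gPLink)
$soms += @(Get-ADObject -SearchBase "CN=Sites,$($root.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=site)(gPLink=*))' -Properties gPLink)

$links = foreach ($som in $soms) {
    foreach ($link in (ConvertFrom-GpLink $som.gPLink)) {
        # A link can outlive its GPO or point to another domain; report that instead of failing.
        $gpo = try { Get-ADObject -Identity $link.GpoDn -Properties displayName -ErrorAction Stop }
               catch { $null }
        [pscustomobject]@{
            Som      = $som.DistinguishedName
            Gpo      = if ($gpo) { $gpo.displayName } else { '<not found in this domain>' }
            Enabled  = $link.Enabled
            Enforced = $link.Enforced
        }
    }
}
$links | Sort-Object Som | Format-Table -AutoSize
```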