Group Policy Administrative Tools

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

There are three primary tools used to administer Group Policy: Microsoft Group Policy Management Console (GPMC), Group Policy Object Editor, and Resultant Set of Policy (RSoP) snap-in. Each of these tools is a Microsoft Management Console (MMC). Administrators use GPMC for the bulk of Group Policy management tasks. Group Policy Object Editor is for editing Group Policy objects. Although administrators can still use the RSoP snap-in for reporting and planning the effects of Group Policy, much of its functionality has been subsumed into GPMC.

Group Policy Administrative Tools Architecture

The diagram below illustrates the relationship between the domain controller, client, and the three primary tools used to administer Group Policy.

[Figure: Group Policy Administrative Tools Architecture]

Components of Group Policy Administrative Tools Architectural Diagram

Each component of the diagram is described below.

Group Policy Object Editor

The Group Policy Object Editor is used to edit GPOs. It was previously known as the Group Policy snap-in, Group Policy Editor, or Gpedit. A notable feature of the Group Policy Object Editor is its extensibility. Developers can extend the server-side snap-ins that ship with Group Policy Object Editor or they can develop completely new extensions for implementing Group Policy.

The Group Policy Object Editor is capable of read and write access to Active Directory, Sysvol, and the Local GPO.

Server-Side Snap-Ins

The nodes of the Group Policy Object Editor are MMC snap-ins. These snap-ins include Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, and Internet Explorer Maintenance. Snap-ins may in turn be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to the Group Policy Object Editor to provide additional policy settings. Extensions are capable of read and write access to the Local GPO.

Group Policy Management Console (GPMC)

GPMC makes Group Policy much easier to manage by providing a view of GPOs, sites, domains, and organizational units (OU) across an enterprise. GPMC can be used to manage either Windows Server 2003 or Windows 2000 domains.

GPMC simplifies the management of Group Policy by providing a single place for managing core aspects of Group Policy, such as scoping, delegating, filtering, and manipulating inheritance of GPOs. You can also back up GPOs to the file system as well as restore GPOs from backups. GPMC includes features that enable an administrator to predict how GPOs are going to affect the network as well as to determine how GPOs have actually changed settings on any particular computer or user.

GPMC is capable of read and write access to the Sysvol using the SMB protocol. It is also capable of read and write access to Active Directory via the LDAP protocol. In addition, GPMC is capable of read access to the event log and RSoP infrastructure.

Resultant Set of Policy (RSoP) snap-in

The Resultant Set of Policy snap-in is an MMC used to determine which policy settings are in effect for a given User or Computer, or to predict the effect of applied policy.

The snap-in itself is contained within the same binary as the Group Policy Object Editor snap-in (gpedit.dll). The user interface is mostly a read-only view of the same information available in the Group Policy Object Editor. However, there is one important difference: while the Group Policy Object Editor can show only a single GPO's settings at a time, the RSoP snap-in shows the cumulative effect of many GPOs.

For RSoP functionality, it is recommended to use GPMC, which includes its own integrated RSoP features.

The RSoP snap-in is capable of read access to Active Directory, Sysvol, the Event Log, the RSoP infrastructure, and the Local GPO. Although the RSoP snap-in has read-only access to Active Directory and Sysvol, most of the work of predicting or reporting Group Policy is done using RPC/COM communication with the RSoP provider, either on the client or on the domain controller.

Domain Controller (Server)

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. GPOs are stored in two places on domain controllers: the Active Directory database and the Sysvol share.

Client

In an Active Directory forest, settings from GPOs are applied to clients. GPMC and the RSoP snap-in query the client to determine how policy has been applied to a particular user or computer.

Active Directory

Active Directory, the Windows-based directory service, stores information about objects on a network and makes this information available to users and network administrators. Administrators link GPOs to Active Directory containers such as sites, domains, and OUs that include user and computer objects. In this way, policy settings can be targeted to users and computers throughout the organization.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the largest part of a GPO: the Group Policy template (GPT), which includes Administrative Template-based policy settings, security settings, and script files. File Replication Service (FRS) replicates this information throughout the network.

RSoP infrastructure

All Group Policy processing information is collected and stored in a Common Information Model Object Management (CIMOM) database on the local computer. This information, such as the list of GPOs that have been processed, as well as content and logging of processing details for each GPO, can then be accessed by tools using Windows Management Instrumentation (WMI).

With Group Policy Results in GPMC, or logging mode for the RSoP snap-in, the RSoP service is used to query the CIMOM database on the target computer; it receives information about the policies that were applied and displays the resulting information in GPMC or the RSoP snap-in.

With Group Policy Modeling in GPMC, or planning mode for the RSoP snap-in, the RSoP service simulates the application of policy using the Group Policy Directory Access Service (GPDAS) on a Domain Controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the Domain Controller. The results of this simulation are stored in a local CIMOM database on the domain controller before the information is passed back and displayed in either GPMC or the RSoP snap-in.
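The logging-mode path described above can be exercised directly: the following PowerShell script, an added example that is not part of the original page, reads the same RSoP data from the CIMOM database that Group Policy Results reads through WMI. It assumes the target has logged RSoP data (Windows XP or Windows Server 2003 or later), that the caller has administrative rights on it, and that the standard root\RSOP\Computer namespace with its RSOP_GPO and RSOP_GPLink classes is present.

```powershell
# Added example: list the GPOs the Group Policy engine evaluated for a computer,
# where each was linked, and whether it was actually applied.
# Assumptions: RSoP logging data exists on the target, caller is a local admin there,
# and remote WMI (DCOM/RPC) is reachable when $ComputerName is not the local machine.
param(
    [string]$ComputerName = $env:COMPUTERNAME
)

# Computer-side RSoP data lives in the root\RSOP\Computer namespace of the CIMOM database.
$ns = 'root\RSOP\Computer'

# RSOP_GPO: one instance per GPO the engine evaluated for this computer.
$gpos  = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class RSOP_GPO
# RSOP_GPLink: the site/domain/OU each GPO was linked to and the order of application.
$links = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class RSOP_GPLink

$report = foreach ($gpo in $gpos) {
    # RSOP_GPLink.GPO is an object path referencing the RSOP_GPO instance; match on the GUID.
    $link = $links | Where-Object { $_.GPO -like "*$($gpo.guidName)*" } | Select-Object -First 1
    [pscustomobject]@{
        Name          = $gpo.name
        Guid          = $gpo.guidName
        SysvolPath    = $gpo.fileSystemPath   # the Group Policy template under Sysvol
        LinkedTo      = $link.somDN           # scope-of-management DN (site, domain or OU)
        AppliedOrder  = $link.appliedOrder
        Enforced      = $link.noOverride
        # A GPO that was evaluated but not applied is the usual "my policy is missing"
        # case: security filtering excluded this computer (filterAllowed = False) or the
        # computer could not read the GPO (accessDenied = True).
        FilterAllowed = $gpo.filterAllowed
        AccessDenied  = $gpo.accessDenied
        Applied       = ($gpo.filterAllowed -and -not $gpo.accessDenied)
    }
}

$report | Sort-Object AppliedOrder | Format-Table -AutoSize

# Surface the entries that GPMC would show as denied in a Group Policy Results report.
$report | Where-Object { -not $_.Applied } | ForEach-Object {
    Write-Warning ("GPO '{0}' was evaluated but not applied (filterAllowed={1}, accessDenied={2})" -f `
        $_.Name, $_.FilterAllowed, $_.AccessDenied)
}
```

User-side data is stored per logged-on user under root\RSOP\User in a sub-namespace named after the user's SID, so the same query pattern applies there with a different namespace.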

Group Policy Administrative Tools Components

The following is a list of Group Policy administrative tools.

Group Policy Management Console

In the past, administrators have been required to use several Microsoft tools to manage Group Policy, such as the Active Directory Users and Computers, Active Directory Sites and Services, Group Policy Object Editor and Resultant Set of Policy snap-ins. With the introduction of Group Policy Management Console (GPMC), most administrative tasks have been integrated into a single, unified console that also offers several new capabilities.

Group Policy Object Editor

Group Policy Object Editor is an MMC snap-in used to edit the policy settings in Group Policy objects (GPOs). Like all MMC snap-ins, its functionality can be customized or extended by means of MMC snap-in extensions. When you use Group Policy Object Editor, various extensions are included by default, including Administrative Templates, Scripts, Security Settings, Software Installation, Folder Redirection, Remote Installation Services, and Internet Explorer Maintenance. Snap-ins may in turn be extended. For example, the Security Settings snap-in includes several extension snap-ins. Developers can also create their own MMC extension snap-ins to the Group Policy Object Editor to provide additional policy settings.

Resultant Set of Policy Snap-in

Resultant Set of Policy (RSoP) snap-in is an MMC used to predict the effect of GPOs on the network as a whole, or to determine the effect Group Policy has had on a specific user or computer. Although administrators can use the RSoP snap-in, much of its functionality has been subsumed into GPMC.

Group Policy Administrative Tools Deployment Scenarios

The following is a list of common scenarios supported by each of the Group Policy Administrative Tools.

Group Policy Management Console

An administrator uses GPMC to manage Group Policy in an Active Directory environment. Although the majority of computers on the network might be running Windows 2000 Server or Windows 2000 Professional, the administrator might download and install GPMC on a machine running Windows XP SP1 or later. GPMC requires Windows XP or later.

GPMC offers the administrator a persistent view of the Group Policy environment on the network, including icons that represent GPOs, GPO links, sites, domains, and organizational units (OU) in the selected forest. With GPMC, an administrator can do any of the administrative tasks previously only available from the Group Policy tab of the Active Directory administrative tools.

GPMC can also be used to generate RSoP data that either predicts the cumulative effect of GPOs on the network, or reports the cumulative effect of GPOs on a particular user or computer. In addition, the administrator can use GPMC to perform GPO operations never possible before, like backing up and restoring a GPO, copying a GPO, or even migrating a GPO to another forest. Reading or generating HTML or XML reports of GPO settings is also possible.
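The backup and reporting operations mentioned above are exposed through GPMC's own COM scripting interface (GPMgmt.GPM), the same interface the sample scripts shipped with GPMC use. The following PowerShell script is an added example, not code from the original page; it assumes GPMC is installed on the machine it runs on, that the caller can read every GPO in the domain, and that the domain name and backup directory are placeholders to be replaced.

```powershell
# Added example: back up every GPO in a domain and write an XML settings report for each
# using the GPMC COM interface. Both halves of each GPO are captured: the container in
# Active Directory (read over LDAP) and the template in Sysvol (read over SMB).
# Assumptions: GPMC is installed; $Domain and $BackupDir are placeholders, not page values.
param(
    [string]$Domain    = 'corp.example.test',   # placeholder domain
    [string]$BackupDir = 'C:\GPOBackups'        # placeholder backup location
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$gpm   = New-Object -ComObject GPMgmt.GPM
$const = $gpm.GetConstants()
# UseAnyDC lets GPMC bind to any available domain controller for this domain.
$dom   = $gpm.GetDomain($Domain, '', $const.UseAnyDC)

# Empty search criteria return every GPO in the domain.
$gpos = $dom.SearchGPOs($gpm.CreateSearchCriteria())

foreach ($gpo in $gpos) {
    # Backup() copies the GPO (AD container plus Sysvol template) into the backup directory
    # and returns a GPMResult; OverallStatus() raises if GPMC recorded an error.
    $result = $gpo.Backup($BackupDir, "Scheduled backup $(Get-Date -Format s)")
    $result.OverallStatus()
    $backup = $result.Result

    # The XML report is the Settings tab of GPMC in machine-readable form; keeping it
    # beside the backup gives a reviewable record of what the policy contained.
    $xmlPath = Join-Path $BackupDir ("{0}.xml" -f $gpo.ID.Trim('{}'))
    $gpo.GenerateReportToFile($const.ReportXML, $xmlPath) | Out-Null

    "{0,-40} {1}  backup id {2}" -f $gpo.DisplayName, $gpo.ID, $backup.ID
}
```

Swap $const.ReportXML for $const.ReportHTML to produce the HTML report GPMC displays interactively.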

Group Policy Object Editor

An administrator uses Group Policy Object Editor to manipulate settings in a GPO. Typically an administrator accesses Group Policy Object Editor by electing to edit a GPO from within GPMC. The Group Policy Object Editor opens, allowing the administrator to change settings for that GPO. If the administrator had two GPOs linked to an OU and wanted to manage settings in both, he would have to open them one at a time. This is because Group Policy Object Editor can only display settings for GPOs one at a time. To see how settings for multiple GPOs might affect an OU, the administrator would use a different tool — either GPMC or the RSoP snap-in.

Resultant Set of Policy snap-in

An administrator uses the Resultant Set of Policy snap-in to predict the cumulative effect of GPOs on the network, or to report the cumulative effect of GPOs on a particular user or computer. With the advent of GPMC, the administrator can generate reports with most of the information formerly available only through the RSoP snap-in. The RSoP snap-in does provide some information that GPMC does not. For example, when multiple GPOs attempt to set the same Group Policy setting differently, both GPMC and the RSoP snap-in report how the setting is ultimately set and which GPO is responsible for it, but only the RSoP snap-in can report all the GPOs that attempted and failed to set it.