Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment

Microsoft.com Home | Site Map

Search Microsoft.com for:
Search for
TechNet Home
Products & Technologies
IT Solutions
Security
Interop & Migration
Desktop Deployment
Script Center
Community
Downloads
IT Training & Certification
Troubleshooting &
Support
TechNet Program
Archive
TechNet Site Map
TechNet Worldwide
TechNet Home > Products & Technologies > Server Operating Systems > Windows Server 2003 > Directory Services > Active Directory > Step By Step
Step-by-Step Guide to Using the Group Policy Management Console
Published: September 17, 2004
This step-by-step guide provides general guidance for using the Group Policy Management Console (GPMC) to support Group Policy Objects
(GPOs) in an Active Directory environment. This guide does not provide guidance on the implementation for GPOs.
On This Page
Introduction
Overview
Installing and Configuring GPMC
Managing Group Policy Objects
GPO Backup, Restore, Copy, and Import
GPO Modeling
Additional Resources
Introduction
Step-by-Step Guides
The Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system
configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the
configuration of Active Directory

, the installation of a Windows XP Professional workstation, and finally, the addition of this workstation to
a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not want to follow
this common network infrastructure, you will need to make appropriate modifications while using these guides.
The common network infrastructure requires the completion of the following guides.

Part I: Installing Windows Server 2003 as a Domain Controller

Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-
by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional
requirements will be noted in the specific step-by-step guide.
Microsoft Virtual PC
The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization
technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple
operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational
efficiency in software testing and development, legacy application migration, and server consolidation scenarios.
The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment,
although most configurations can be applied to a virtual environment without modification.
Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.
Important Notes
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is
intended or should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name
used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and
Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for
any organization.
Top of page
Overview
Microsoft Group Policy Management Console (GPMC) is a new tool for Group Policy management that helps administrators manage an
enterprise more cost-effectively by improving manageability and increasing productivity. It consists of a new Microsoft Management Console
(MMC) snap-in and a set of scriptable interfaces.
GPMC simplifies Group Policy management by providing a single place for managing core aspects of Group Policy. It addresses the top
Group Policy deployment requirements, as requested by customers, by providing the following functionality.

A user interface (UI) that makes Group Policy much easier to use.

Backup/restore of Group Policy objects (GPOs).

http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (1 di 12)30/01/2005 18.33.59
Go
TechNet Go
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment

Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.

Simplified management of Group Policy related security.

Hyper Text Markup Language (HTML) reporting of GPO settings and Resultant Set of Policy (RSoP) data.

Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO).
In the past, administrators have been required to use several Microsoft tools to manage Group Policy, such as the Active Directory Users
and Computers, Active Directory Sites and Services, and Resultant Set of Policy snap-ins. GPMC integrates the existing Group Policy
functionality exposed in these tools into a single, unified console, along with several new capabilities.
Built in to GPMC is support for managing multiple domains and forests, enabling administrators to easily manage Group Policy across an
enterprise. Administrators have complete control of which forests and domains are listed in GPMC, making it possible to display only
pertinent parts of an environment.
Note: This step-by-step guide provides guidance only on the use of GPMC for managing GPOs. It does not provide guidance on their
configuration. For information on configuring GPOs, see the Step-by-Step Guide to Understanding the Group Policy Feature Set.
Prerequisites

Part 1: Installing Windows Server 2003 as a Domain Controller

Step by Step Guide to Setting Up Additional Domain Controllers

Step-by-Step Guide to Managing Active Directory

Step by Step Guide to Using the Delegation of Control Wizard

Step-by-Step Guide to Understanding the Group Policy Feature Set

Step-by-Step Guide to Enforcing Strong Password Policies

Top of page
Installing and Configuring GPMC
Installing GPMC
Installing GPMC is a simple process that involves running a Windows Installer (.MSI) package. To download the latest version, see the
Windows Server System site for Group Policy Management at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.
To install the Group Policy Management Console
1.On server HQ-CON-DC-01, navigate to the folder containing gpmc.msi, double-click the gpmc.msi package, and then click Next.
2.Click I Agree to accept the End User License Agreement (EULA), and then click Next.
3.Click Finish to complete the installation of GPMC.
When the installation is complete, the Group Policy tab that appeared on the Property pages of sites, domains, and organizational units
(OUs) in the Active Directory snap-ins is updated to provide a direct link to GPMC. The functionality that previously existed on the original
Group Policy tab is no longer available since all functionality for managing Group Policy is available through GPMC.
To open the GPMC snap-in
1.On server HQ-CON-DC-01, click the Start button, click Run, type GPMC.msc, and then click OK.
Note: Alternatively, either of the following methods can be used to launch the GPMC.

Click the Group Policy Management shortcut in the Administrative Tools folder on the Start menu or in the Control Panel.

Create a custom MMC console: click the Start button, click Run, type MMC, and then click OK. Point to File, click Add/Remove Snap-
in, and then click Add. Click to highlight Group Policy Management, click Add, click Close, and then click OK.
Configuring GPMC for Multiple Forests
Multiple forests can be easily added to the GPMC console tree. By default, you can only add a forest to GPMC if there is a two-way trust with
the forest of the user running GPMC. You can optionally enable GPMC to work with only one- way trust or even no trust. Adding an
additional forest to the GPMC is accomplished by highlighting Group Policy Management at the tree's root, selecting Action from the
context menu, and then clicking AddForest. Since the sample environment only contains a single forest, performing these steps is beyond
the scope of this step-by-step guide.
Note: When adding forests to which you have no trust, some functionality will not be available. For example, Group Policy Modeling is not
available, and it is not possible to open the Group Policy Object Editor on GPOs in the untrusted forest. The untrusted forest scenario is
primarily intended to enable copying GPOs across forests.
Managing Multiple Domains Simultaneously
GPMC supports management of multiple domains at the same time, with each domain grouped by forest in the console. By default, only a
single domain is shown in GPMC. When you first start GPMC using either the pre-configured snap-in (gpmc.msc) or a custom MMC console,
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (2 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
GPMC displays the domain that contains the user account you used to start GPMC. You can specify domains in each forest that you want to
manage using GPMC by adding and removing the domains shown in the console.
Note: You can add externally trusted domains, even if you do not have forest trust with the entire forest. By default, you must have two-
way trust between the domain you want to add and the domain of your user object. You can also add domains across a one-way trust by
disabling the trust detection feature of GPMC, using the Options dialog box on the View menu. To add externally trusted domains, you
must first use the AddForest dialog box to add one domain from a forest that contains the externally trusted domains. Once this forest is
added, you can add any domains in that forest that are trusted by right-clicking the Domains node of the forest, and then clicking Show
Domains.
To add the vancouver.contoso.com child domain to the console
1.In the Group Policy Management window, click the plus sign (+) next to Forest:contoso.com to expand the tree, and then click the
plus sign (+) next to Domains.
2.Right-click Domains, and then click Show Domains.
3.Select the check box next to vancouver.contoso.com as shown in Figure 1, and then click OK.
Figure 1. Show Domains
In each domain available to GPMC, the same domain controller is used for all operations in that domain. This includes all operations on the
GPOs, OUs, security principals, and WMI filters that reside in that domain. In addition, when the Group Policy Object Editor is opened from
GPMC, it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.
GPMC allows you to choose which domain controller to use for each domain. You can choose from these four options.

Use the primary domain controller (PDC) emulator (default choice).

Use any available domain controller.

Use any available domain controller that is running a Windows Server 2003 family operating system. This option is useful if you are
restoring a deleted GPO that contains Group Policy software installation settings.

Use a specific domain controller that you specify.

To change the domain controller used by GPMC for the vancouver.contoso.com domain
1.In the Group Policy Management window, under the Domains folder, right-click vancouver.contoso.com, and then click Change
Domain Controller.
2.In the Change Domain Controller dialog box, click This domain controller, and then click to highlight hq-con-dc-03.vancouver.
contoso.com as shown in Figure 2.
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (3 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
3.Click OK to continue.
Figure 2. Changing Domain Controllers
Top of page
Managing Group Policy Objects
Viewing Domain GPOs
Within each domain, GPMC provides a policy-based view of Active Directory and the components associated with Group Policy, such as
GPOs, WMI filters, and GPO links. The view in GPMC is similar to the view in Active Directory Users and Computers MMC snap-in in that it
shows the OU hierarchy. However, GPMC differs from this snap-in because instead of showing users, computers, and groups in the OUs, it
displays the GPOs that are linked to each container, as well as the GPOs themselves.
Each domain node in GPMC displays the following items.

All GPOs linked to the domain.

All top-level OUs and a tree view of nested OUs and GPOs linked to each of the OUs.

The Group Policy Objects container showing all GPOs in the domain.

The WMI Filters container showing all WMI filters in the domain.
To view GPOs associated with a particular container
1.Under the Domains tree, click the contoso.com tree. The GPOs associated with the container (domain root) appear as shown in Figure
3. This concept can be applied to any domain container.
Figure 3. GPOs in the Domain Root
See full-sized image
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (4 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
To view all GPOs associated with a particular domain
1.Under the Domains tree, click the plus sign (+) next to contoso.com, and then click Group Policy
Objects.
Searching for GPOs
Searching for GPOs is available at the forest or domain level. Individual or multiple search parameters can assist in narrowing search results
within a large set of GPOs.
To find a specific GPO within the contoso.com forest using multiple search parameters
1.In the console tree, right-click Forest:contoso.com, and then click Search.
2.In the Search item box, select GPO Name, type Password for Value, and then click Add.
3.In the Search item box, select Computer Configuration, select Security for Value, and then click Add.
4.Click Search. The results should appear as shown in Figure 4.
Figure 4. Criteria-Based GPO Searches
5.Once the search results are returned, you may do one of the following:

To open the GPO for editing, click Edit.

To save the search results, click Save results. In the Save GPO Search Results dialog box, specify the file name for the saved results,
and then click Save.

To navigate to a GPO found in the search, double-click the GPO in the search results list.

To clear the search results, click Clear.

To close the Search for Group Policy Objects dialog box, click Close.
Scoping GPOs
The value of Group Policy can only be realized through properly applying the GPOs to the Active Directory containers you want to manage.
Determining which users and computers will receive the settings in a GPO is referred to as scoping the GPO. Scoping a GPO is based on
three factors.

The site(s), domain(s), or OU(s) where the GPO is linked The primary mechanism by which the settings in a GPO are applied to
users and computers is by linking the GPO to a site, domain, or OU in Active Directory. The location where a GPO is linked is referred to as
the Scope of Management or SOM (also seen as SDOU in previous white papers). There are three types of SOMs: sites, domains, and OUs.
A GPO can be linked to multiple SOMs, and an SOM can have multiple GPOs linked to it. A GPO must be linked to an SOM for it to be
applied.
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (5 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment

The security filtering on the GPO By default all Authenticated Users that are located in the SOM (and its children) where a GPO is
linked will apply the settings in the GPO. You can further refine which users and computers will receive the settings in a GPO by managing
permissions on the GPO. This is known as security filtering. For a GPO to apply to a given user or computer, that user or computer must
have both Read and Apply Group Policy permissions on the GPO. By default, GPOs have permissions that allow the Authenticated Users
group both of these permissions. This is how all authenticated users receive the settings of a new GPO when it is linked to a SOM (OU,
domain, or site). These permissions can be changed, however, to limit the scope of the GPO to a specific set of users, groups, and/or
computers within the SOM(s) where it is linked.

The WMI filter on the GPO WMI filters allow an administrator to dynamically determine the scope of GPOs based on attributes
(available through WMI) of the target computer. A WMI filter consists of one or more queries that are evaluated to be either true or false
against the WMI repository of the target computer. The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter
to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one
WMI filter; however, the same WMI filter can be linked to multiple GPOs. When a GPO that is linked to a WMI filter is applied on the target
computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied. If the WMI filter
evaluates to true, the GPO is applied.
To scope the Domain Password Policy GPO found in the previous search
1.In the Search for Group Policy Objects search results pane, double-click Domain Password Policy, and then click Close.
Note: Once the Search for Group Policy Objects dialog box is closed, the previously selected GPO will have focus in the GPMC. The
GPO Scope page will appear as shown in Figure 5.
Figure 5. Scoping a GPO
To review the policies that will be applied by a GPO
1.In the Domain Password Policy results pane, click the Settings tab, and then click Show All. A summary of all defined policy settings
will appear as shown in Figure 6. Undefined settings are not displayed.
Figure 6. Reviewing GPO Settings
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (6 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
GPO Policy Inheritance and Link Order
The Group Policy Inheritance tab for a given container shows all GPOs (except for GPOs linked to sites) that would be inherited from parent
containers. The precedence column on this tab shows the overall precedence for all the links that would be applied to objects in that
container, taking into account both Link Order and the Enforcement attribute of each link, as well as Block Inheritance.
To view policy inheritance on a container
1.In the Group Policy Management window, under the contoso.com tree, expand the Accounts OU, and then click the Headquarters
OU as shown in Figure 7.
Figure 7. Group Policy Inheritance
See full-sized image
If multiple GPOs are linked to the same container and have settings in common, there must be a mechanism for reconciling the settings.
This behavior is controlled by the link order. The lower the link order number, the higher the precedence. Information about the links for a
given container is shown on the Linked Group Policy Objects tab of a given container. This pane shows if the link is enforced, if the link is
enabled, the status of the GPO, if a WMI filter is applied, when it was modified, and the domain container where it is stored. An
administrator or users who have been delegated permissions to link GPOs to the container can change the link order by highlighting a GPO
link and using the up and down arrows to move the link higher or lower in the link order list.
To change policy link order on a container
1.On the Headquarters screen, click the Linked Group Policy Objects.
2.Under the GPO column, click Linked Policies, and then click the up arrow just to the left of the Link Order column. When finished, the
linking order for GPOs under the Headquarters OU should appear as shown in Figure 8.
Figure 8. GPO Link Order
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (7 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
See full-sized image
Top of page
GPO Backup, Restore, Copy, and Import
Backing Up a GPO
Backing up a GPO copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO
backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO.
Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following:

The GPO globally unique identifier (GUID) and domain GPO settings

The discretionary access control list (DACL) on the GPO

The WMI filter link, if there is one, but not the filter itself

Links to IP Security policies, if any

Extensible Markup Language (XML) report of the GPO settings, which can be viewed as HTML from within GPMC

Date and time stamp of the backup

User-supplied description of the backup

Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO includes the following:

Links to a site, domain, or OU

WMI filter

IP Security policy
This data is not available when the backup is restored to the original GPO or imported into a new one.
To backup the Domain Password Policy GPO
1.In the Group Policy Management window, under the contoso.com tree, click the Group Policy Objects folder.
2.In the Group Policy Objects folder, right-click the Domain Password Policy GPO, and then click Back Up.
3.In the Back Up Group Policy Object dialog box, type c:\windows for Location, type Domain Password Policy Backup for
Description, and then click Back Up.
4.Once the backup is complete, click OK to continue.
Managing Backups
Multiple backups of the same or different GPO can be stored in the same file system location. Each backup is identified by a unique backup
ID. The collection of backups in a given file system location can be managed using the Manage Backups dialog box in GPMC or through the
scriptable interfaces. The Manage Backups dialog box is available by right-clicking either the Domains node or the Group Policy Objects
node in a given domain. When you open Manage Backups from the Group Policy Objects node, the view is automatically filtered to show
only backups of GPOs from that domain. When opened from the Domains node, the Manage Backups dialog box shows all backups,
regardless of which domain they are from.
To manage available GPO backups
1.In the Group Policy Management window, under the contoso.com tree, right-click the Group Policy Objects folder, and then click
Manage Backups. The Manage Backups window should appear as shown in Figure 9.
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (8 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
Figure 9. Managing Backups
2.In the Manage Backups window, click to highlight the Domain Password Policy Backup created previously, and then click View
Settings.
3.Review the detailed GPO information, and then close Internet Explorer.
Restoring from Backup
Restoring a GPO re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO
was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation
replaces the following components of a GPO.

GPO settings

The DACL on the GPO

WMI filter links (but not the filters themselves)

The restore operation does not restore objects that are not part of the GPO. This includes links to a site, domain, or OU; WMI filters, and
IPSec policies.
To restore the Domain Password Policy GPO
1.In the Manage Backups window, click Restore.
2.When prompted, click OK to restore the selected backup.
3.Click OK after the GPO restoration is complete.
4.In the Manage Backups dialog box, click Close.
Copying a GPO
A copy operation allows you to transfer settings from an existing GPO in Active Directory directly into a new GPO. The new GPO created
during the copy operation is given a new GUID and is unlinked. You can use a copy operation to transfer settings to a new GPO in the same
domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active
Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy
between production environments. They are also used for migrating Group Policy that has been tested in a test domain or forest to a
production environment, as long as there is trust between the source and destination domains.
To copy a GPO
1.Under the contoso.com tree in the Group Policy Objects folder, right-click the Enforced User Policies GPO, and then click Copy.
2.Click the plus sign (+) next to vancouver.contoso.com to expand the domain, and then click the plus sign (+) next to Group Policy
Objects to expand the tree.
3.Right-click Group Policy Objects, and then click Paste.
4.On the Cross-Domain Copying Wizard, click Next to continue.
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (9 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
5.On the Specify Permissions screen, select Use the default permissions for new GPOs (default) as shown in Figure 10, and then
click Next.
Figure 10. Cross-Domain Copying Wizard
6.Once the original GPO is scanned, click Next to continue.
7.On the Completing the Cross-Domain Copying Wizard screen, verify settings, and then click Finish.
8.Once the copy operation is complete, click OK.
Note: The Enforced User Policies GPO has been copied to the vancouver.contoso.com domain; however, it has not been linked to any
container.
To link the Enforced User Policies GPO to the root of vancouver.contoso.com
1.Right-click vancouver.contoso.com, click Link an Existing GPO, click to highlight Enforced User Policies, and then click OK.
Importing a GPO
The import operation transfers settings into an existing GPO in Active Directory using a backed up GPO in the file system location as its
source. Import operations can be used to transfer settings from one GPO to another GPO within the same domain, to a GPO in another
domain in the same forest, or to a GPO in a domain in a different forest. The import operation always places the backed up settings into an
existing GPO. It erases any pre-existing settings in the destination GPO. Import does not require trust between the source domain and
destination domain; therefore, it is useful for transferring settings across forests and domains that do not have trust. Importing settings
into a GPO does not affect its DACL, links on sites, domains, or OUs to that GPO, or a link to a WMI filter.
To import the contoso.com Domain Password Policy into vancouver.contoso.com Domain Password Policy
1.In the Group Policy Management window, right-click vancouver.contoso.com, and then click Create and Link a GPO here.
2.In the New GPO dialog box, type Domain Password Policy for the Name, and then click OK.
3.Under Group Policy Objects in the vancouver.contoso.com tree, right-click the Domain Password Policy GPO, and then click
Import Settings.
4.On the Import Settings Wizard, click Next to continue.
5.On the Backup GPO screen, click Next to continue without backup as the GPO currently has no policy definitions.
6.Accept the default backup folder, c:\windows, and then click Next to continue.
7.Since the Domain Password Policy is the only current backup, it is selected by default. Click Next to begin importing the settings from
this GPO.
8.Click Next after the GPO is scanned for security principals, and then click Finish.
9.When the Import Settings Wizard completes, click OK.
To verify the vancouver.contoso.com Domain Password Policy
http://www.microsoft.com/technet/prodtechnol/windowsser...gies/directory/activedirectory/stepbystep/gpmcinad.mspx (10 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
1.Under Group Policy Objects in the vancouver.contoso.com tree, click Domain Password Policy, and then click Show All in the
results pane. The settings should be identical to those shown in Figure 11.
Figure 11. Domain Password Policy for vancouver.contoso.com
See full-sized image
Top of page
GPO Modeling
Group Policy Modeling
Group Policy Modeling is a simulation of what would happen under circumstances specified by an administrator. It requires that you have at
least one domain controller running Windows Server 2003 because this simulation is performed by a service running on a domain controller
that is running Windows Server 2003.
With Group Policy Modeling, you can either simulate the RSoP data that would be applied for an existing configuration, or you can perform
"what-if" analyses by simulating hypothetical changes to your directory environment and then calculating the RSoP for that hypothetical
configuration. For example, you can simulate changes to security group membership, or changes to the location of the user or computer
object in Active Directory. Outside of GPMC, Group Policy Modeling is referred to as RSoP - planning mode.
To simulate the effects of GPOs
1.In the Group Policy Management window, click the minus sign (-) next to Domains to collapse the tree.
2.Under the Forest: contoso.com tree, right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.
3.On the Group Policy Modeling Wizard screen, click Next.
4.On the Domain Controller Selection screen, leave the default settings, and then click Next.
5.On the User and Computer Selection screen, under User information, click User. Click Browse, type Christine under Enter object
name to select, and then click OK. Select the Skip to the final page of this wizard without collecting additional data check box,
and then click Next. Your settings should appear as shown in Figure 12.
http://www.microsoft.com/technet/prodtechnol/windowsser...gies/directory/activedirectory/stepbystep/gpmcinad.mspx (11 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
Figure 12. Group Policy Modeling Wizard
6.On the Summary of Selections screen, click Next to start the simulation.
7.Click Finish. The right pane will contain the simulation results.
Top of page
Additional Resources
For more information, see the following resources.

Download the Group Policy Management Console with Service Pack 1 at http://www.microsoft.com/downloads/details.aspx?
FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

Administering Group Policy with GPMC Whitepaper at http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/
windowsserver2003
Top of page

Printer-Friendly Version Send This Page Add to Favorites Comments
Manage Your Profile |Contact Us |Newsletter
2005 Microsoft Corporation. All rights reserved. Terms of Use |Trademarks |Privacy Statement
http://www.microsoft.com/technet/prodtechnol/windowsser...gies/directory/activedirectory/stepbystep/gpmcinad.mspx (12 di 12)30/01/2005 18.33.59