, the installation of a Windows XP Professional workstation, and finally, the addition of this workstation to
a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not want to follow
this common network infrastructure, you will need to make appropriate modifications while using these guides.
The common network infrastructure requires the completion of the following guides.
A user interface (UI) that makes Group Policy much easier to use.
Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.
Hyper Text Markup Language (HTML) reporting of GPO settings and Resultant Set of Policy (RSoP) data.
Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO).
In the past, administrators have been required to use several Microsoft tools to manage Group Policy, such as the Active Directory Users
and Computers, Active Directory Sites and Services, and Resultant Set of Policy snap-ins. GPMC integrates the existing Group Policy
functionality exposed in these tools into a single, unified console, along with several new capabilities.
Built in to GPMC is support for managing multiple domains and forests, enabling administrators to easily manage Group Policy across an
enterprise. Administrators have complete control of which forests and domains are listed in GPMC, making it possible to display only
pertinent parts of an environment.
Note: This step-by-step guide provides guidance only on the use of GPMC for managing GPOs. It does not provide guidance on their
configuration. For information on configuring GPOs, see the Step-by-Step Guide to Understanding the Group Policy Feature Set.
Prerequisites
Click the Group Policy Management shortcut in the Administrative Tools folder on the Start menu or in the Control Panel.
Create a custom MMC console: click the Start button, click Run, type MMC, and then click OK. Point to File, click Add/Remove Snap-in,
and then click Add. Click to highlight Group Policy Management, click Add, click Close, and then click OK.
Configuring GPMC for Multiple Forests
Multiple forests can be easily added to the GPMC console tree. By default, you can only add a forest to GPMC if there is a two-way trust with
the forest of the user running GPMC. You can optionally enable GPMC to work with only one-way trust or even no trust. Adding an
additional forest to the GPMC is accomplished by highlighting Group Policy Management at the tree's root, selecting Action from the
context menu, and then clicking Add Forest. Since the sample environment only contains a single forest, performing these steps is beyond
the scope of this step-by-step guide.
Note: When adding forests to which you have no trust, some functionality will not be available. For example, Group Policy Modeling is not
available, and it is not possible to open the Group Policy Object Editor on GPOs in the untrusted forest. The untrusted forest scenario is
primarily intended to enable copying GPOs across forests.
Managing Multiple Domains Simultaneously
GPMC supports management of multiple domains at the same time, with each domain grouped by forest in the console. By default, only a
single domain is shown in GPMC. When you first start GPMC using either the pre-configured snap-in (gpmc.msc) or a custom MMC console,
GPMC displays the domain that contains the user account you used to start GPMC. You can specify domains in each forest that you want to
manage using GPMC by adding and removing the domains shown in the console.
http://www.microsoft.com/technet/prodtechnol/windowsserv...ogies/directory/activedirectory/stepbystep/gpmcinad.mspx (2 di 12)30/01/2005 18.33.59
Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment
Note: You can add externally trusted domains, even if you do not have forest trust with the entire forest. By default, you must have
two-way trust between the domain you want to add and the domain of your user object. You can also add domains across a one-way trust by
disabling the trust detection feature of GPMC, using the Options dialog box on the View menu. To add externally trusted domains, you
must first use the Add Forest dialog box to add one domain from a forest that contains the externally trusted domains. Once this forest is
added, you can add any domains in that forest that are trusted by right-clicking the Domains node of the forest, and then clicking Show
Domains.
To add the vancouver.contoso.com child domain to the console
1. In the Group Policy Management window, click the plus sign (+) next to Forest:contoso.com to expand the tree, and then click the
plus sign (+) next to Domains.
2. Right-click Domains, and then click Show Domains.
3. Select the check box next to vancouver.contoso.com as shown in Figure 1, and then click OK.
Figure 1. Show Domains
In each domain available to GPMC, the same domain controller is used for all operations in that domain. This includes all operations on the
GPOs, OUs, security principals, and WMI filters that reside in that domain. In addition, when the Group Policy Object Editor is opened from
GPMC, it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.
GPMC allows you to choose which domain controller to use for each domain. You can choose from these four options.
Use any available domain controller that is running a Windows Server 2003 family operating system. This option is useful if you are
restoring a deleted GPO that contains Group Policy software installation settings.
All top-level OUs and a tree view of nested OUs and GPOs linked to each of the OUs.
The Group Policy Objects container showing all GPOs in the domain.
The WMI Filters container showing all WMI filters in the domain.
To view GPOs associated with a particular container
1. Under the Domains tree, click the contoso.com tree. The GPOs associated with the container (domain root) appear as shown in Figure
3. This concept can be applied to any domain container.
Figure 3. GPOs in the Domain Root
To view all GPOs associated with a particular domain
1. Under the Domains tree, click the plus sign (+) next to contoso.com, and then click Group Policy
Objects.
Searching for GPOs
Searching for GPOs is available at the forest or domain level. Individual or multiple search parameters can assist in narrowing search results
within a large set of GPOs.
To find a specific GPO within the contoso.com forest using multiple search parameters
1. In the console tree, right-click Forest:contoso.com, and then click Search.
2. In the Search item box, select GPO Name, type Password for Value, and then click Add.
3. In the Search item box, select Computer Configuration, select Security for Value, and then click Add.
4. Click Search. The results should appear as shown in Figure 4.
Figure 4. Criteria-Based GPO Searches
5. Once the search results are returned, you may do one of the following:
To save the search results, click Save results. In the Save GPO Search Results dialog box, specify the file name for the saved results,
and then click Save.
To navigate to a GPO found in the search, double-click the GPO in the search results list.
To close the Search for Group Policy Objects dialog box, click Close.
Scoping GPOs
The value of Group Policy can only be realized through properly applying the GPOs to the Active Directory containers you want to manage.
Determining which users and computers will receive the settings in a GPO is referred to as scoping the GPO. Scoping a GPO is based on
three factors.
The site(s), domain(s), or OU(s) where the GPO is linked. The primary mechanism by which the settings in a GPO are applied to
users and computers is by linking the GPO to a site, domain, or OU in Active Directory. The location where a GPO is linked is referred to as
the Scope of Management or SOM (also seen as SDOU in previous white papers). There are three types of SOMs: sites, domains, and OUs.
A GPO can be linked to multiple SOMs, and an SOM can have multiple GPOs linked to it. A GPO must be linked to an SOM for it to be
applied.
The security filtering on the GPO. By default, all Authenticated Users that are located in the SOM (and its children) where a GPO is
linked will apply the settings in the GPO. You can further refine which users and computers will receive the settings in a GPO by managing
permissions on the GPO. This is known as security filtering. For a GPO to apply to a given user or computer, that user or computer must
have both Read and Apply Group Policy permissions on the GPO. By default, GPOs have permissions that allow the Authenticated Users
group both of these permissions. This is how all authenticated users receive the settings of a new GPO when it is linked to a SOM (OU,
domain, or site). These permissions can be changed, however, to limit the scope of the GPO to a specific set of users, groups, and/or
computers within the SOM(s) where it is linked.
The WMI filter on the GPO. WMI filters allow an administrator to dynamically determine the scope of GPOs based on attributes
(available through WMI) of the target computer. A WMI filter consists of one or more queries that are evaluated to be either true or false
against the WMI repository of the target computer. The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter
to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one
WMI filter; however, the same WMI filter can be linked to multiple GPOs. When a GPO that is linked to a WMI filter is applied on the target
computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied. If the WMI filter
evaluates to true, the GPO is applied.
To scope the Domain Password Policy GPO found in the previous search
1. In the Search for Group Policy Objects search results pane, double-click Domain Password Policy, and then click Close.
Note: Once the Search for Group Policy Objects dialog box is closed, the previously selected GPO will have focus in the GPMC. The
GPO Scope page will appear as shown in Figure 5.
Figure 5. Scoping a GPO
To review the policies that will be applied by a GPO
1. In the Domain Password Policy results pane, click the Settings tab, and then click Show All. A summary of all defined policy settings
will appear as shown in Figure 6. Undefined settings are not displayed.
Figure 6. Reviewing GPO Settings
GPO Policy Inheritance and Link Order
The Group Policy Inheritance tab for a given container shows all GPOs (except for GPOs linked to sites) that would be inherited from parent
containers. The precedence column on this tab shows the overall precedence for all the links that would be applied to objects in that
container, taking into account both Link Order and the Enforcement attribute of each link, as well as Block Inheritance.
To view policy inheritance on a container
1. In the Group Policy Management window, under the contoso.com tree, expand the Accounts OU, and then click the Headquarters
OU as shown in Figure 7.
Figure 7. Group Policy Inheritance
If multiple GPOs are linked to the same container and have settings in common, there must be a mechanism for reconciling the settings.
This behavior is controlled by the link order. The lower the link order number, the higher the precedence. Information about the links for a
given container is shown on the Linked Group Policy Objects tab of a given container. This pane shows if the link is enforced, if the link is
enabled, the status of the GPO, if a WMI filter is applied, when it was modified, and the domain container where it is stored. An
administrator or users who have been delegated permissions to link GPOs to the container can change the link order by highlighting a GPO
link and using the up and down arrows to move the link higher or lower in the link order list.
To change policy link order on a container
1. On the Headquarters screen, click the Linked Group Policy Objects tab.
2. Under the GPO column, click Linked Policies, and then click the up arrow just to the left of the Link Order column. When finished, the
linking order for GPOs under the Headquarters OU should appear as shown in Figure 8.
Figure 8. GPO Link Order
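The precedence rules described in this section (Link Order, the Enforcement attribute, and Block Inheritance) can be modeled in a few lines. The following Python sketch is an added example, not part of the original guide or of GPMC; the class names, the GPOs other than Domain Password Policy and Linked Policies, and all link placements are constructed for illustration. It shows why a baseline linked at the domain disappears from an OU with Block Inheritance unless its link is enforced.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int             # Link Order within its container; 1 is highest
    enforced: bool = False
    enabled: bool = True

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False

def precedence(chain):
    """chain: containers from the domain root down to the target OU.
    Returns GPO names, highest precedence first. Site links are left out,
    as on the Group Policy Inheritance tab."""
    def ordered(container, enforced):
        picked = [l for l in container.links
                  if l.enabled and l.enforced == enforced]
        return [l.gpo for l in sorted(picked, key=lambda l: l.order)]

    result = []
    # Enforced links beat all others; the highest container wins first.
    for container in chain:
        result += ordered(container, True)
    # Non-enforced links: nearest container first, walking up the tree
    # until a container with Block Inheritance cuts off its parents.
    for container in reversed(chain):
        result += ordered(container, False)
        if container.block_inheritance:
            break
    return result

def sample_chain(block=False):
    # Constructed sample data; link placements are assumptions.
    domain = Container("contoso.com", [
        Link("Default Domain Policy", 1),
        Link("Domain Password Policy", 2, enforced=True)])
    accounts = Container("Accounts", [Link("Accounts Baseline", 1)])
    hq = Container("Headquarters", [
        Link("Linked Policies", 1),
        Link("HQ Desktop", 2),
        Link("HQ Pilot", 3, enabled=False)], block_inheritance=block)
    return [domain, accounts, hq]

if __name__ == "__main__":
    for block in (False, True):
        print("Block Inheritance on Headquarters:", block)
        for rank, gpo in enumerate(precedence(sample_chain(block)), 1):
            print(f"  {rank}. {gpo}")
```

With Block Inheritance set on Headquarters, only the enforced domain link and the OU's own enabled links remain, which is the case to check when an OU administrator has been delegated link permissions.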
GPO Backup, Restore, Copy, and Import
Backing Up a GPO
Backing up a GPO copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO
backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO.
Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following:
The GPO globally unique identifier (GUID) and domain GPO settings
The WMI filter link, if there is one, but not the filter itself
Extensible Markup Language (XML) report of the GPO settings, which can be viewed as HTML from within GPMC
WMI filter
IP Security policy
This data is not available when the backup is restored to the original GPO or imported into a new one.
To back up the Domain Password Policy GPO
1. In the Group Policy Management window, under the contoso.com tree, click the Group Policy Objects folder.
2. In the Group Policy Objects folder, right-click the Domain Password Policy GPO, and then click Back Up.
3. In the Back Up Group Policy Object dialog box, type c:\windows for Location, type Domain Password Policy Backup for
Description, and then click Back Up.
4. Once the backup is complete, click OK to continue.
Managing Backups
Multiple backups of the same or different GPO can be stored in the same file system location. Each backup is identified by a unique backup
ID. The collection of backups in a given file system location can be managed using the Manage Backups dialog box in GPMC or through the
scriptable interfaces. The Manage Backups dialog box is available by right-clicking either the Domains node or the Group Policy Objects
node in a given domain. When you open Manage Backups from the Group Policy Objects node, the view is automatically filtered to show
only backups of GPOs from that domain. When opened from the Domains node, the Manage Backups dialog box shows all backups,
regardless of which domain they are from.
To manage available GPO backups
1. In the Group Policy Management window, under the contoso.com tree, right-click the Group Policy Objects folder, and then click
Manage Backups. The Manage Backups window should appear as shown in Figure 9.
Figure 9. Managing Backups
2. In the Manage Backups window, click to highlight the Domain Password Policy Backup created previously, and then click View
Settings.
3. Review the detailed GPO information, and then close Internet Explorer.
Restoring from Backup
Restoring a GPO re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO
was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation
replaces the following components of a GPO.
GPO settings
Download the Group Policy Management Console with Service Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en
For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003
2005 Microsoft Corporation. All rights reserved.