Microsoft provides several different tools administrators can use to create and manage local and domain group policies. The operating system version the administrator is using to manage policies determines the functionality the tools provide. As an example, when new group policies are created using the Windows Server 2008 or Windows Server 2008 R2 Group Policy Management Console, the GPO folder utilizes the new ADMX/ADML templates, whereas the Windows XP and Windows Server 2003 tool uploads the original ADM template files into the GPO folder.
Group Policy Management Console (GPMC)
The most functional and useful tool provided to create and manage Active Directory group policies is the Group Policy Management Console (GPMC), shown in Figure 1. The GPMC was introduced after the release of Windows Server 2003; the functionality included with different operating systems produces different options and resulting operations when creating and managing Active Directory group policies.
The GPMC is a Microsoft Management Console (MMC) snap-in and can be added to a custom console. The GPMC snap-in provides the most functionality for administrators who want to manage domain group policies. The GPMC provided with Windows Server 2008 R2 can perform the following Group Policy administrative functions:
Enable starter GPO functionality and create new starter GPOs.
Create new domain group policies.
Create new group policies using starter GPOs as templates.
Create and configure GPO links to sites, domains, and organizational units.
View and manage GPOs in domains in the local and trusted Active Directory forests.
Back up and restore a single or all GPOs in a domain.
Back up and restore a single or all starter GPOs in a domain.
Import group policies from external domains and migrate security settings using migration tables to ensure proper import functionality.
Manage GPO link enforcement, enable links, and disable links.
Configure the block inheritance settings for sites, domains, and organizational units.
Manage GPO status to control which nodes in a GPO are enabled or disabled.
Create and link WMI filters for GPOs.
Manage GPO security filtering.
Manage GPO delegation and administrative security.
Manage the GPO order of processing on containers with multiple GPO links.
View all configured settings of existing group policies and any additional information, such as the revision number, filtering, and delegation, and create exported reports of the configuration.
Generate HTML reports used to summarize Group Policy configurations and settings.
Run the Group Policy Modeling Wizard to determine how group policies will be applied to users or computers in specific containers.
Run the Group Policy Results Wizard to investigate how policies have been applied to specific computer and/or user objects.
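
Several of the functions listed above (backing up all GPOs, generating HTML reports, and reviewing GPO status and revision numbers) can also be scripted for a recurring audit. The following is an added example, not part of the original article; it assumes the GroupPolicy PowerShell module installed with the Windows Server 2008 R2 GPMC, and the output folder C:\GPOAudit is a hypothetical placeholder.

```powershell
# Added example: scripted backup, HTML report and status review for all domain GPOs.
# Assumes the GroupPolicy module (installed with the GPMC) and read access to every GPO.
Import-Module GroupPolicy

# Hypothetical output location; change it to suit the environment.
$root      = 'C:\GPOAudit'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path $root "Backup-$stamp"
$reportDir = Join-Path $root "Reports-$stamp"
New-Item -ItemType Directory -Path $backupDir, $reportDir -Force | Out-Null

$summary = foreach ($gpo in Get-GPO -All) {
    # Back up each GPO individually so one failure does not stop the run.
    $backupId = $null
    try {
        $backup   = Backup-GPO -Guid $gpo.Id -Path $backupDir -Comment "Audit $stamp" -ErrorAction Stop
        $backupId = $backup.Id
    } catch {
        Write-Warning "Backup failed for '$($gpo.DisplayName)': $($_.Exception.Message)"
    }

    # HTML settings report, named by GUID because display names may not be valid file names.
    $reportPath = Join-Path $reportDir "$($gpo.Id).html"
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $reportPath

    # One summary row per GPO: status, revision numbers and the matching backup ID.
    New-Object PSObject -Property @{
        Name            = $gpo.DisplayName
        Id              = $gpo.Id
        Status          = $gpo.GpoStatus
        UserVersion     = $gpo.User.DSVersion
        ComputerVersion = $gpo.Computer.DSVersion
        Modified        = $gpo.ModificationTime
        BackupId        = $backupId
    }
}

$summary |
    Select-Object Name, Id, Status, UserVersion, ComputerVersion, Modified, BackupId |
    Export-Csv -Path (Join-Path $root "Summary-$stamp.csv") -NoTypeInformation

# GPOs with the user or computer node (or both) disabled deserve a manual review.
$summary |
    Where-Object { $_.Status -ne 'AllSettingsEnabled' } |
    Sort-Object Name |
    Format-Table Name, Status, Modified -AutoSize
```

Comparing the summary CSV from one run to the next shows which GPOs changed revision number between audits, and the backup ID in each row identifies the backup to restore from.
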
Group Policy Object Editor (GPOE)
The Group Policy Object Editor (GPOE), shown in Figure , is the tool used to edit local group computer and user policies. Each server and workstation computer has a default local security policy. This policy is accessed through the shortcut to the specific Local Security Policy MMC snap-in located in the Administrative Tools program folder. Now that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 support multiple local group policies, the GPOE must be used to manage or create any local group policies other than the default.
The GPOE is used to edit all of the configuration settings of a policy. This includes configuring security settings, installing software packages, creating restriction policies, defining the scripts used by computers and users, and many other functions.