Group Policy Management Editor (GPME)
To manage domain
group policies, the Group Policy Management Editor (GPME) is used and
provides the same functionality as the GPOE plus additional
functionality only available with this tool. One of the biggest
differences is that the GPME includes not only the Policy Settings node,
but it also includes the Preferences Settings node, which is only
available in domains. GPME is installed on Windows Vista and Windows 7
by downloading and installing the RSAT tools for the particular service
pack and operating system. On Windows Server 2008 and Windows Server
2008 R2 operating systems, the group policy tools can be installed from
the Add Features applet of Server Manager.
Group Policy Starter GPO Editor
The Group Policy Starter
GPO Editor is used to edit starter GPOs created by Group Policy
administrators. This console only shows the Administrative Templates
nodes under the Computer Configuration and User Configuration sections
of a starter GPO. By default, the settings available in the
Administrative Templates sections are all that can be set in a starter
GPO; however, Microsoft provides read-only starter GPOs for Windows
Vista and Windows XP and will later release starter GPOs for Windows 7.
These can be downloaded and imported into the domain starter GPO
repository, and they include additional settings, including security- and
firewall-related settings. The Group Policy Starter GPO Editor is
included with the Windows Vista, Windows 7, Windows Server 2008, and
Windows Server 2008 R2 Remote Server Administration Tools.
Print Management Console
First introduced
with Windows Server 2003 R2 edition, the Print Management console is
used to manage Active Directory and local server and workstation
printers. The Print Management console, shown in Figure 3,
can be used to view settings, configure drivers and options, and manage
printers and print jobs on a particular system or Active Directory–wide.
The Print Management console can also be used to deploy printers to
computers or users using the Deployed Printers node. Deploying printers
is a function that extends Group Policy functionality to allow printers
to be deployed to a predetermined set of users or computer objects to
which a GPO is linked.
The GPOE and the GPME on
Windows Vista and Windows 7 will include the Deployed Printers node
beneath the Windows Settings node in both the Computer Configuration and
User Configuration settings nodes. On Windows Server 2008 and Windows
Server 2008 R2, the Print Management console will need to be installed
from the Server Manager Features, Add Features link before the Deployed
Printers node will be available in the Group Policy Editor consoles. If a
policy contains printers defined in the Deployed Printers
nodes, and the policy is viewed using the GPMC or GPME on Windows XP,
the deployed printers will not be displayed. Furthermore, if the policy is
opened on a Windows Server 2003 R2 server, and if the Print Management
console is not installed from Windows components, the Deployed Printers
node will not be shown. As a best practice, only create GPOs to deploy
printers using the GPMC and GPME on Windows Vista, Windows 7, and
Windows Server 2008 R2 systems. To install the Print Management console
on Windows Server 2008 R2, run the Add Features applet from Server
Manager and select the Print and Document Services Tools from the Remote
Administration Tools submenu.
gpupdate.exe
The gpupdate.exe
tool is a command-line tool that assists administrators in
troubleshooting GPO processing and initiating GPO processing on demand.
Certain sections of group policies will only be applied at computer
startup and user logon, whereas others will be applied during these
intervals as well as during the periodic refresh interval. For the
settings that apply during the computer startup and user logon
intervals, if network connectivity to the domain controllers is not
available during this interval, these settings might not ever be
applied. Also, remote or mobile workstations, systems that are put to
sleep or hibernated, and users logging on using cached credentials
usually do not get these policies applied. This is where the new Network
Location Awareness service for Windows Vista, Windows 7, Windows Server
2008, and Windows Server 2008 R2 comes into play: it notifies the
system that a domain controller is available, which triggers a
Group Policy refresh cycle.
The gpupdate.exe tool provides the ability for user and computer policies
to be applied immediately. One common use of this tool was to add gpupdate.exe
to a VPN post-connection script to allow these settings to be applied
to remote workstations that belong to the Active Directory
infrastructure. This tool provides the following options:
gpupdate.exe /Target:{Computer|user}— This function allows the tool to process only the specified node of the group policy.
gpupdate.exe /Force— This option reapplies all policy settings. This option does not automatically reboot the computer or log off the users.
gpupdate.exe /Wait— This option defines how many seconds to allow GPO processing to complete. The default is 600 seconds, or 10 minutes.
gpupdate.exe /Logoff— This option logs off the user account after GPO processing has completed.
gpupdate.exe /Boot—
This option reboots the computer after Group Policy processing
completes. This is to apply the GPO settings that are only applied
during computer startup.
gpupdate.exe /Sync—
This option processes GPO settings that normally only occur during
computer startup and user logon. This option requires that the
administrator designate whether the system can restart the computer or
log off the user.
PowerShell Management of Group Policies
With
the release of Windows 7 and Windows Server 2008 R2, Microsoft has now
added functionality to manage group policies with PowerShell. This
functionality will be automatically enabled once the Group Policy
Management feature is installed on a Windows 7 or Windows Server 2008 R2
system. Microsoft has included 25 out-of-the-box PowerShell cmdlets for
Group Policy. The cmdlets allow a Group Policy administrator to perform
a number of different functions from within PowerShell, including, but
not limited to, the following:
Create new GPOs and create new starter GPOs.
Create new GPO links.
Restore or import GPOs.
Remove GPOs and GPO links.
Read and/or set the properties of an OU to inherit parent GPO links or to block inheritance.
Rename a GPO.
Generate a report of GPO settings and configurations.
Generate a Resultant Set of Policies report.
Set GPO administrative permissions and delegation.
Set GPO policy and preference settings that are stored in the Registry.
Two important points need to be stated about managing GPOs through
PowerShell. The first is that, in order to manage or report on any
existing GPO, the Group Policy administrator must know the GUID of the
GPO or the exact spelling of its name. The second is that currently
there is no PowerShell GPO cmdlet that can configure or report on the
GPO link precedence of a particular domain or organizational unit.
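The following is an added example, not code from the original text: it uses the GroupPolicy module to list every GPO with its exact name and GUID, write a settings report for each one, and flag edit-level delegations that fall outside a baseline. The output folder and the list of expected editors are assumptions to adjust for the environment.

```powershell
# Added example: GPO inventory, per-GPO settings report, and delegation audit.
# Run as a user with read access to all GPOs; targets the logon domain.
Import-Module GroupPolicy

$reportDir = 'C:\GPOAudit'   # assumed output folder
# Assumed baseline: trustees that are expected to hold edit rights on GPOs.
$expectedEditors = 'Domain Admins', 'Enterprise Admins', 'SYSTEM'

New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Get-GPO -All returns every GPO, so the exact DisplayName and GUID (Id)
# needed by the other cmdlets can be looked up instead of typed from memory.
$gpos = Get-GPO -All | Sort-Object DisplayName
$gpos |
    Select-Object DisplayName, Id, GpoStatus, Owner, ModificationTime |
    Export-Csv -Path (Join-Path $reportDir 'gpo-inventory.csv') -NoTypeInformation

$findings = foreach ($gpo in $gpos) {
    # Address each GPO by GUID so renamed or similarly named GPOs cannot be confused.
    $htmlPath = Join-Path $reportDir ("{0}.html" -f $gpo.Id)
    Get-GPOReport -Guid $gpo.Id -ReportType Html -Path $htmlPath

    # GpoEdit and GpoEditDeleteModifySecurity both allow changing the settings
    # that the GPO pushes to every computer or user in its scope.
    Get-GPPermissions -Guid $gpo.Id -All |
        Where-Object {
            $_.Permission -like 'GpoEdit*' -and
            $expectedEditors -notcontains $_.Trustee.Name
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                GPO        = $gpo.DisplayName
                Guid       = $gpo.Id
                Trustee    = $_.Trustee.Name
                TrusteeSid = $_.Trustee.Sid
                Permission = $_.Permission
                Inherited  = $_.Inherited
            }
        }
}

if ($findings) {
    $findings | Export-Csv -Path (Join-Path $reportDir 'unexpected-editors.csv') -NoTypeInformation
    $findings | Format-Table GPO, Trustee, Permission -AutoSize
} else {
    Write-Output 'No edit-level delegations outside the baseline were found.'
}
```

Any trustee listed in unexpected-editors.csv can modify the settings of the named GPO and should be checked against the intended delegation model.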