다음을 통해 공유


What Is Group Policy Management Console?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What Is Group Policy Management Console?

In this section

  • Group Policy Management Console Core Scenarios

  • Group Policy Management Console Dependencies

  • Related Topics

The Group Policy Management Console (GPMC) is a new and comprehensive administrative tool for Group Policy management.

Prior to GPMC, administrators used property pages in various Active Directory administrative tools to manage Group Policy. For example, an administrator who wanted to implement policy for users might open the Active Directory Users and Computers snap-in, find an appropriate Organizational Unit (OU) and open its property page to access the Group Policy tab. On the Group Policy tab, the administrator might do any of a dozen or so administrative tasks, like creating Group Policy object links or manipulating their order to achieve the desired results. Whatever the tasks, when the administrator leaves the Group Policy tab, access to a visual representation of Group Policy ends and a view that focuses on Active Directory’s user and computer objects appears.

GPMC integrates the existing Group Policy functionality of the property pages on the Active Directory administrative tools into a single, unified console dedicated to Group Policy management tasks; GPMC also expands management capabilities with new features. Administrators still use Active Directory administrative tools to manage Active Directory, but GPMC replaces the Group Policy management functionality of those tools with its own.

Group Policy Management Console Core Scenarios

There are many core scenarios for GPMC. Administrators use GPMC to perform all Group Policy management tasks, with the exception of configuring individual policy settings in Group Policy Objects themselves, which is done with Group Policy Object Editor. The scenarios below describe how an administrator uses GPMC to manage Group Policy.

Creating and Editing GPOs

Administrators use GPMC to create a GPO with no initial settings. An administrator can also create a GPO and linking it to an Active Directory container at the same time. To configure individual settings within a GPO, an administrator edits the GPO from within GPMC and Group Policy Object Editor appears with the GPO loaded. An administrator can use either GPMC or Group Policy Object Editor to disable or enable computer, user, or both computer and user nodes within a GPO.

Scoping GPOs

An administrator can use GPMC to link GPOs to sites, domains, or OUs in the Active Directory. Administrators must link GPOs to apply settings to users and computers in Active Directory Containers. Linking GPOs is the primary mechanism by which administrators apply Group Policy settings.

In addition to linking, an administrator can manipulate permissions on GPOs to manage how Group Policy applies. Prior to GPMC, an administrator would have to manually manipulate access control entries (ACE) to modify the scope of the GPO. For example, the administrator might remove Read and Apply Group Policy from the Authenticated Users group for GPO1. This effectively disables GPO1, since users in the Authenticated Users group require both Read and Apply Group Policy permissions to process Group Policy. To apply the settings in GPO1 to select network users or computers, the administrator would add a new security principal (typically a security group containing the target users or computers) to the ACL on the GPO and set Read and Apply Group Policy permissions. This is known as security filtering.

With GPMC, security filtering has been simplified. The administrator adds the security principal to the GPO, and GPMC automatically sets the Read and Apply Group Policy permissions.

Administrators can also use GPMC to link WMI Filters to GPOs. WMI Filters allow an administrator to dynamically determine the scope of GPOs based on attributes (available through WMI) of the target computer. A WMI filter consists of one or more queries that are evaluated to be either true or false against the WMI repository of the target computer. The WMI filter is a separate object from the GPO in the directory.

Manipulating Inheritance

Group Policy can be applied to users and computers at the site, domain, or OU level. GPOs from parent containers are inherited by default. When multiple GPOs apply to these users and computers, the settings in the GPOs are aggregated. For most policy settings, the final value of a given policy setting is set only by the highest precedent GPO that contains that setting. (However, the final value for a few settings will actually be the combination of values across GPOs.)

Group Policy determines precedence of GPOs by the order of processing for the GPOs. GPOs processed last have highest precedence. GPOs follow the SDOU rule for processing; site first, then domain, and then followed by OU, including nested OUs. A nested OU is one that has another OU as its parent. In the case of nested OUs, GPOs associated with parent OUs are processed prior to GPOs associated with child OUs. In this processing order, sites are applied first but have the least precedence. OUs are processed last and have the highest precedence.

When a container has multiple GPO links, administrators can use GPMC to manipulate the link order for every container. GPMC assigns each link a Link Order number; the GPO link with Link Order of 1 has highest precedence on that container.

Administrators can use GPMC to Block Inheritance. This is the ability to prevent an OU or domain from inheriting GPOs from any of its parent container. Note that Enforced GPO links (see below) will always be inherited.

Administrators can use GPMC to set GPO links to Enforced (previously known as No Override). This is the ability to specify that a GPO should take precedence over any GPOs that are linked to child containers. Enforcing a GPO link works by moving that GPO to the end of the processing order.

An administrator can also use GPMC to enable or disable a GPO link. If an administrator enables a GPO link, Group Policy processes the linked GPO. If the link is not enabled, Group Policy does not process the linked GPO.

GPO Operations

GPO operations refer to the ability to backup (export), restore, import, and copy GPOs. Backing up a GPO consists of making a copy of GPO data to the file system. Note that the Backup function also serves as the export function for GPOs. Backed up GPOs can be used either in conjunction with Restore or Import operations.

Restoring a GPO takes an existing GPO backup and re-instantiates it back in the domain. The purpose of a restore is to reset a specific GPO back to the identical state it was in when it was backed up. This restoration does not include GPO links. This is because the links are a property of the container the GPO is linked to, not the GPO itself. Since a restore operation is specific to a particular GPO, it is based on the GUID and domain of the GPO. Therefore, a restore operation cannot be used to transfer GPOs across domains.

Importing a GPO allows you to transfer settings from a backed up GPO to an existing GPO. You can perform this operation within the same domain, across domains, or across forests. This allows for many interesting capabilities such as staging of a test GPO environment in a lab before importing into a production environment.

Restoring and Importing a GPO will remove any existing settings already in the target GPO. Only the settings in the backup will be in the GPO when these operations are complete.

Copying a GPO is similar to an export/import operation only the GPO is not saved to a file system location first. In addition, a copy operation creates a new GPO as part of the operation, whereas an import uses an existing GPO as its destination.

Reporting of GPO Settings

GPMC can display a report of the defined settings in a given GPO. This report can be generated by any user with read access to the GPO. Without GPMC, users that did not have write access to a GPO could not read and view the settings in that GPO. This is because the Group Policy Object Editor requires the user to have read and write permissions to the GPO to open it. Some examples of users that might need to read and view but not edit a GPO include security audit teams that need to read but not edit GPO settings, helpdesk personnel that are troubleshooting a Group Policy issue, and OU administrators that may need to read and view the settings from inherited GPOs. With GPMC these users now have read access to the settings.

The HTML reports also make it easy for the administrator to view settings that are contained in a GPO at a glance. Alternatively, administrators can expand and contract individual sections within the report by clicking the heading for each section.

GPMC also solves some common reporting requirements including the ability to document all the settings in a GPO to a file for printing or viewing. Using a context menu, users can either print the reports, or save them to a file in either HTML or XML format.

Search for GPO

GPMC provides extensive capabilities to search for GPOs within a domain or across all domains in a forest. This search feature allows an administrator to search for GPOs based on the following criteria:

  • Display name of the GPO.

  • Whether or not a specific domain has containers that link to the GPO.

  • The permissions set on the GPO.

  • The WMI filter that is linked to the GPO.

  • The type of policy settings that have been set in the User Configuration or Computer Configuration in the GPO, such as folder redirection or security settings. Note that you cannot search based on the individual settings configured in a GPO.

  • GUID of the GPO.

Group Policy Modeling

Windows Server 2003 has a powerful new Group Policy management feature that allows the user to simulate a policy deployment that would be applied to users and computers before actually applying the policies. This feature, known in Windows Server 2003 as Resultant Set of Policy (RSoP) Planning Mode, is integrated into GPMC as Group Policy Modeling. This feature requires a domain controller that is running Windows Server 2003 in the forest, because the simulation is performed by a service that is only present on Windows Server 2003 domain controllers. However, with this feature, you can simulate the resultant set of policy for any computer in the forest, including those running Windows 2000.

Group Policy Results

This feature allows administrators to determine the resultant set of policy that was applied to a given computer and (optionally) the user that logged on to that computer. The data that is presented is similar to Group Policy Modeling data, however, unlike Group Policy Modeling, this data is not a simulation. It is the actual resultant set of policy data obtained from the target computer. Unlike Group Policy Modeling, the data from Group Policy Results is obtained from the client, and is not simulated on the DC. The client must be running Windows XP, Windows Server 2003 or later. It is not possible to get Group Policy Results data for a Windows 2000 computer. (However, with Group Policy Modeling, you can simulate the RSoP data).

GPMC Scripting

The GPMC user interface is based on a set of COM interfaces that accomplish all of the operations performed by GPMC. These interfaces are available to Windows scripting technologies like JScript and VBScript, as well as programming languages such as Visual Basic and VC++. An administrator can use these interfaces to automate many Group Policy management tasks.

These interfaces are discussed in detail in the GPMC software development kit (SDK) located in the %programfiles%\gpmc\scripts\gpmc.chm Help file on systems where GPMC has been installed. The contents of the GPMC SDK are also available in the Platform SDK.

For more information about GPMC interfaces, see MSDN.

Group Policy Management Console Dependencies

Group Policy Management Console requires the MMC infrastructure to function. In addition, GPMC has its own set of system installation requirements, as well as requirements for certain GPMC features to function.

GPMC System Installation Requirements

Although GPMC can manage both Windows 2000 and Windows Server 2003 domains with Active Directory, the tool itself must be installed on a computer running Windows Server 2003 or Windows XP Professional (with Windows XP Service Pack 1 (or later) and the Microsoft .NET Framework). Note that when installing GPMC on Windows XP Professional SP1, a hotfix is required. This hotfix (Q326469) is included with GPMC. GPMC Setup prompts you to install Windows XP QFE Q326469 if it is not already present.

GPMC Feature Requirements

GPMC exposes features that are available in the underlying operating system. Because new features have been added to Group Policy since Windows 2000, certain features will only be available in GPMC depending on the operating system that has been deployed on the domain controllers and clients. This section describes these dependencies. In general, there are four key issues that determine whether a feature is available in GPMC:

  • Windows Server 2003 Active Directory schema must be available to delegate Group Policy Modeling or Group Policy Results.

  • Windows Server 2003 domain controller must be available to run Group Policy Modeling.

  • Windows Server 2003 domain configuration (ADPrep /DomainPrep) must be available to use WMI Filters.

  • Clients must be running Windows XP or Windows Server 2003 in order to generate Group Policy Results data.

GPMC dependencies upon Windows and Active Directory platform appear below:

GPMC Dependencies on Windows and Active Directory

Dependency Feature Reason

Windows Server 2003 Active Directory Schema

Delegation of Group Policy Modeling and Group Policy Results

The Generate Resultant Set of Policy (Logging) and Generate Resultant Set of Policy (Planning) permissions needed for this operation are only available with the Windows Server 2003 Active Directory schema.

Windows Server 2003 Domain Controller in the forest

Group Policy Modeling

The simulation is performed by the Resultant Set of Policy Service which is only available on domain controllers running Windows Server 2003.

Windows Server 2003 domain configuration (DomainPrep)

WMI Filters

ADPREP /DomainPrep configures the domain for Windows 2003 Active Directory including configuration for WMI Filters.

Clients must be running Windows XP or Windows Server 2003

Group Policy Results

Clients must be instrumented to log Group Policy Results data when policy is processed. This capability is only available on the listed systems.

There is no dependency from the Group Policy perspective on whether a domain is in native mode or mixed mode.

The following resource contains additional information that is relevant to this section:

  • GPMC Interfaces on MSDN.