GPMC is the Group Policy Management Console. Unlike the traditional Group Policy Editor on Windows 2000, GPMC consists of a brand-new MMC snap-in and a complete set of scriptable interfaces. It provides a centralized group policy management solution that greatly reduces network problems caused by incorrect group policies, simplifies security issues related to group policies, and eases the difficulties of Group Policy deployment, which lightens the burden on IT administrators when implementing group policies.
Group Policy Overview
I believe that the term "Group Policy" is already familiar to many Windows users. In Windows NT 4.0, Microsoft had a policy-based management tool, the Policy Editor, a utility popular with NT administrators, but it was not mastered and applied by most users. For this reason, Microsoft not only completely updated the directory service in Windows 2000, but also launched a policy management mechanism fully integrated with that directory: the Group Policy object (GPO). As Windows 2000 came into wide use, Group Policy also spread everywhere, and its influence far exceeded that of its predecessor. It can be said that the correctness of the Group Policy configuration is closely tied to your entire network. Although you can do without it completely, as a tool, a successful application of Group Policy yields twice the result with half the effort.
Origin of GPMC
Of course, not everyone has succeeded. As group policies came into wide use, managing them became the greatest burden on users, and some users cannot predict the consequences of the group policies they have configured; in many cases, the results are far from what they expected. In the Microsoft newsgroups, I am afraid the most famous Group Policy problem is "local policies do not allow you to log on interactively". GPMC (Group Policy Management Console) was developed by Microsoft based on input from its global partners and a large amount of customer feedback.
GPMC consists of a new MMC snap-in and a complete set of scriptable interfaces. It provides a centralized group policy management solution that can greatly reduce network problems caused by incorrect group policies, simplify security issues related to group policies, and ease the difficulties of Group Policy deployment, which lightens the burden on IT administrators when implementing group policies.
Main functions
At the time of writing, GPMC is only at Beta 2, and Microsoft is constantly improving it to enhance its stability and ease of use. GPMC is simply a utility package that Microsoft provides to users and is not affiliated with Microsoft's server or application products. The downloaded GPMC installer is only about 4 MB, small and practical. Note that GPMC can only be installed on Windows XP with SP1 or on a computer running a build later than Windows Server 2003 Build 3602. Although it cannot be installed on Windows 2000 computers, you can still use it to manage group policies in a Windows 2000 domain (with some differences in the supported functions). After you install GPMC on a computer used for domain management, the "Group Policy Management" (GPM) menu item is added to Administrative Tools. When you try to use the Active Directory Users and Computers snap-in to edit a group policy, the system automatically requires you to open GPMC to manage group policies, as shown in Figure 1.
In addition to general group policy management tasks, such as creation, deletion, and modification, GPMC also provides the copy, import, backup, and recovery functions. It is worth mentioning that the Group Policy Report function in GPMC provides a detailed description of the effectiveness of the Group Policy on the computer.
When you open GPM for the first time, it displays only a blank MMC interface. First, let's look at the functions provided in the left panel of GPMC. Right-click "Group Policy Management", click "Add Forest..." on the context menu, and enter an existing Windows 2000 or Windows 2003 domain name. GPM automatically connects to the corresponding domain controller and displays the organizational unit hierarchy of the current domain, which is exactly the same as what you see in the Active Directory Users and Computers snap-in. In addition to the organizational unit levels in the Active Directory, the left panel also contains four notable names: Default Domain Policy, Group Policy Objects, Group Policy Results, and Group Policy Modeling. Let's take a look at these four functions. Many readers can probably guess their purpose from the names alone.
Default Domain Policy. Every time you create a Windows 2000 domain, the system automatically generates two default Group Policy objects: Default Domain Policy and Default Domain Controllers Policy (the latter is displayed in the Domain Controllers container). If you connect to multiple domains, the default domain group policy of each domain is displayed. On the right panel, you can view the settings of the domain group policy, and add or remove the users to whom management of the policy is delegated. Figure 2 shows a typical Default Domain Policy view.
Group Policy Objects. This node contains all Group Policy objects of the currently selected domain. You can add, back up, recover, rename, delete, and import group policies. Click a group policy name, and a view similar to Figure 2 is displayed on the right panel. Note: When you click the Default Domain Policy or Default Domain Controllers Policy in this node, the system automatically checks the permissions of the SYSVOL folder related to the object. If an inconsistency exists, the system prompts you to fix the problem. Click "Yes" and the system automatically completes the repair process. Figure 3 shows a typical view of the Group Policy Objects node and a list of common tasks.
Group Policy Results. Unexpectedly, after you click this node, nothing is displayed on the right panel by default (especially when it is used for the first time). This node is actually a very good Group Policy verification "environment". Using Group Policy Results, you can verify that the Group Policy deployed to a specified user or computer is correct. Right-click the blank area on the right panel and select "Group Policy Result Wizard...". The wizard lets you specify the computer on which you want to verify the results of the Group Policy (the queried computer must support RSoP logging, which is supported in versions later than Windows XP). GPMC then checks the Group Policy objects loaded on the computer (generally, a computer that has been added to the domain has at least two group policy objects, that is, the default domain group policy and the local policy). After confirming the identity, GPMC queries the policy settings list on the computer and automatically generates a group policy report. The report is displayed on the right panel. Figure 4 shows a typical example of the report. You can also obtain more valuable information from the "Settings" and "Policy Events" sections of the report (the latter data is actually taken from the event viewer).
Some experienced users will find that the function of this node is similar to that of Microsoft's gpresult.exe program in the Windows 2000 Resource Kit. The Microsoft document "HOW TO: Use the Group Policy Results Tool in Windows 2000" (support.microsoft.com/?id=321709) describes how to use the gpresult.exe program. It can be said that Group Policy Results covers the function of gpresult.exe, provides more information, and is GUI-based, which obviously makes it easier to use.
Group Policy Modeling. As the name suggests, you can simulate the result of applying Group Policy and obtain the effective settings in the selected container. The effective state of a policy is hardest to determine for containers that load Group Policy objects repeatedly after multiple levels of inheritance. Group Policy Modeling is designed to produce, from a specific query on the container, the effective settings after all group policies are combined. The results are displayed as HTML reports. Note that Group Policy Modeling only supports domain controllers running Windows Server 2003. If your GPMC is connected to a Windows 2000 domain controller, this node is invisible. For earlier versions of group policies, Group Policy Modeling is implemented in the Resultant Set of Policy (RSoP) planning mode.
Right-click "Group Policy Modeling" (you can also start from the context menu of any container) to start the Group Policy Modeling wizard. The wizard collects data step by step. The more precise the data you specify (the wizard allows you to skip some steps), the more accurate the query results. The most important step, however, is to specify the computer configuration and user configuration containers.
After the related data is collected, the system immediately executes the query, and the query result is displayed on the right panel. The created query is automatically saved in the Group Policy Modeling node. When you click the query name next time, the system automatically refreshes the query results. Group Policy Modeling provides the best solution for deploying group policies efficiently and concisely in complex environments. What is more attractive is that Group Policy Modeling also supports the loopback processing function of group policies. As the Group Policy section of the Microsoft Windows 2000 newsgroups shows, loopback processing of group policies has always been the hardest part for many IT administrators to understand and control.
Click the name of any organizational unit in the left pane. GPMC displays the Group Policy configuration related to the organizational unit or domain in the right pane. You could say that the content shown here is the center of the entire GPM. Here, you can easily and clearly view the group policies linked to the selected organizational unit. For example, if multiple Group Policy objects are assigned to an organizational unit, then when you click the organizational unit, the Group Policy objects linked to it are automatically displayed in the right window (the default domain policy is automatically applied to each organizational unit, so it is not displayed for the organizational unit). The result also shows whether each Group Policy is in effect and its current status, and you can change it immediately. Group Policy inheritance and delegation are displayed in the same window as separate tabs; that is, you can now view in a single window all the information that previously required clicking through and switching between multiple pages. Figure 6 shows the default view displayed after a group policy is assigned to an organizational unit. Right-click any group policy name in the right window and select "Edit" from the context menu to open the standard group policy editor.
Right-click the Windows 2000 domain name or an organizational unit name, and the context menu is displayed. From this menu, you can complete almost all tasks related to Group Policy. Figure 7 shows the context menu that appears when you right-click the domain name. It is not difficult to see that, besides managing group policies, the menu also provides functions such as searching, changing domain controllers, and opening the Active Directory Users and Computers snap-in.
The most attractive menu item is the "Search..." function. Think back: after you create a series of group policies in the Windows 2000 Active Directory and they have been in use for a while, finding them again may be the most time-consuming task. Windows 2000 does not provide a mechanism for retrieving a list of group policies from the Active Directory. As the depth of the organizational unit hierarchy increases, searching for group policies often becomes unmanageable (maybe this is why Microsoft recommends that the organizational unit hierarchy not be too deep). GPMC provides a complete solution for searching Group Policy objects. It allows you to list all Group Policy objects in the entire site that match your conditions by specifying the Group Policy object name, the Group Policy object user group, the GUID, and the values of other specific keywords in the item. I believe that the search function is the most attractive aspect of GPMC for group policy administrators. Figure 8 shows a typical Search dialog box.
WMI Filter is also an attractive and powerful option. As we all know, WMI plays an important role in Windows network management. With each new Windows version, WMI is updated as well. In Windows XP, Microsoft launched WMIC. Now WMI is involved in Group Policy too, in the form of WMI filters. WMI filters in GPMC support filtering group policies with WMI-compliant queries against the CIMOM (Common Information Model (CIM)-compliant object repository) database. GPMC provides the ability to link each group policy to a WMI filter for filtering. On the "Group Policy Objects" node, double-click any Group Policy object and click "Scope" on the right panel. At the bottom of the page, you can easily assign a WMI filter to this Group Policy (this option is invisible if your GPMC is connected to a Windows 2000 forest, because WMI filters only support domain controllers running Windows Server 2003).
Best practices
We have roughly browsed the powerful functions provided by GPMC. Now let's look at the role GPMC plays in a real environment. Right-click any Group Policy object in the "Group Policy Objects" node and you will find that the context menu provides three functions: backup, recovery, and import settings. As with backup, recovery, and import in other applications, these functions are the best way to deal effectively with damaged group policies and operating mistakes, and GPMC provides powerful backup and recovery capabilities.
Right-click the Group Policy name and select "Back Up..." from the context menu. The system only prompts you to enter a secure folder name for the backup file (to ensure the security of the Group Policy files, it is strongly recommended that only designated administrators can access the backup folder), and then automatically completes the backup process. The entire process is very simple, and it supports backing up multiple group policies to one folder or backing up the same Group Policy multiple times to the same directory. However, it should be noted that this backup is not a full backup: components "external" to the GPO, such as WMI filters and IPSec policies, are not backed up at the same time.
The recovery process is unexpectedly simple. Right-click the Group Policy object you want to restore and select "Restore from Backup...". After you click "Next" twice in a row, the system asks you to select a group policy from the recovery list (you must have backed up this group policy before restoring; otherwise, the list is empty. Similarly, if the same group policy has been backed up multiple times, multiple recovery versions are displayed by backup time, as shown in Figure 9). If you cannot recall the policy settings at the time of the backup, click "View Settings" in the dialog box to view all the settings in HTML (in fact, this is the report generated by GPMC). After you select a recovery version, click "Next" and then "Finish". Windows 2000 users should note that if you use a Windows 2000 domain controller to restore the Group Policy and the Group Policy includes software distribution, the distributed software may be installed again after the Group Policy takes effect. Therefore, we recommend that you use a Windows 2003 domain controller to restore the Group Policy object.
The most interesting feature is probably "Import Settings...". When you import settings into a group policy object, GPMC deletes all the original settings, including user settings and computer settings, and then imports all the settings from the specified group policy (therefore, we recommend that you back up the data before importing. I have been wondering: since this is an import, why does Microsoft not merge the old and new policies instead of deleting the original settings? In the official version, Microsoft may offer "merge settings" as an option). On closer inspection, you will find that the Group Policy objects displayed in the import list are the group policies you have backed up. You may be deeply attracted by this function. Even though the settings are imported, the most critical point is that the security settings of the Group Policy do not change; that is, the original application scope (objects) of the Group Policy object is not changed. Other settings that are not changed include delegation, links, and WMI filters, which matches the "incomplete" backup described above.
You may think: if I keep backups for a long time and the number of backups grows, the management workload grows as well. Isn't that counterproductive? Microsoft has thought of this ahead of us. Right-click "Group Policy Objects" and select "Manage Backups...". The Group Policy backup file dialog box is displayed, as shown in Figure 10. The dialog box lets you directly restore, delete, and view the backup files. If you are curious about these backups, open the folder that holds the backup files of a Group Policy object and you will find that all files are in XML format.
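The backup advice above (an administrators-only folder, and a backup that leaves out WMI filters) can be scripted. The following is an added example, not part of the original article or of the GPMC beta it describes: it assumes the GroupPolicy PowerShell module that ships with later GPMC releases, and the D:\GPOBackups path and the two output file names are hypothetical.

```powershell
#Requires -Modules GroupPolicy
# Added example. $BackupRoot is an assumed location; run elevated on a
# domain-joined management host with the GroupPolicy module installed.
$BackupRoot = 'D:\GPOBackups'
$Target     = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Lock the folder down before any policy data lands in it: drop inherited
# ACEs, then grant full control only to BUILTIN\Administrators and SYSTEM
# (well-known SIDs, so the command also works on localized systems).
icacls $Target /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' '*S-1-5-18:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not restrict the ACL on $Target" }

# Back up every GPO in the current domain into the protected folder.
$backups = Backup-GPO -All -Path $Target -Comment 'Scheduled GPO backup'

# The backup omits components that live outside the GPO. Record which WMI
# filter each GPO is linked to so it can be re-created and re-linked by hand.
Get-GPO -All |
    Select-Object DisplayName, Id, GpoStatus,
        @{ Name = 'WmiFilter'; Expression = { $_.WmiFilter.Name } } |
    Export-Csv -Path (Join-Path $Target 'gpo-inventory.csv') -NoTypeInformation

# Hash every file in the backup set (hidden ones included). Compare against
# this manifest before a later restore or import to detect tampering.
Get-ChildItem -Path $Target -Recurse -File -Force |
    Where-Object { $_.Name -ne 'sha256-manifest.csv' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $Target 'sha256-manifest.csv') -NoTypeInformation

# Summary of what was written: one backup ID per GPO.
$backups | Select-Object DisplayName, GpoId, Id, CreationTime
```

Keep a copy of the manifest outside the backup folder, since anyone who can alter the backups in place could alter a manifest stored beside them.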
Summary
As the overview above shows, GPMC provides a new mechanism for managing Group Policy objects in the Active Directory, and its functions for backup, recovery, import, and management of Group Policy objects far exceed those provided by the Windows operating system itself. Of course, it is not limited to this. GPMC is a solution and a tool. HTML-based reports provide a clear view of each group policy's information, and the reports play an important role in GPMC. It is easy to see that GPMC is designed for Windows Server 2003. Although you can apply it to a Windows 2000 domain, you will always receive a variety of "warnings". However, GPMC can help you with group policies wherever you are. At the same time, we look forward even more eagerly to Microsoft's launch of a more complete and easier-to-use GPMC.