Win Server 2008 Directory Services, GPMC 2.0
August 7, 2009
In the recent installments of our series dedicated to the most prominent features available in Windows Server 2008-based Active Directory, we have taken a closer look at its Group Policy characteristics. So far, we have presented client-side processing enhancements and explored the new format of Administrative Templates (along with their improved storage mechanism). In this article, we will focus on the latest rendition (2.0) of the Group Policy Management Console.
The initial version of the Group Policy Management Console made its debut following the release of the Windows Server 2003 platform. Prior to its introduction, accessing a specific, domain-based Group Policy Object required locating the target Active Directory container to which this GPO was linked (via the Active Directory Users and Computers or Active Directory Sites and Services console, depending on whether that container was a domain, an organizational unit, or a site), displaying its Properties dialog box, and using the options available on its Group Policy tab.
Unfortunately, such an approach had a number of significant disadvantages. One of the more common complaints was its inefficient design, which lacked the ability to present a comprehensive view of the entire Group Policy environment within a forest or a domain. In many cases, removing links (without deleting the corresponding GPOs) led to orphaned objects, which necessitated cumbersome cleanup (as described in Microsoft Knowledge Base article 216359).
It also was not possible to quickly evaluate all settings configured in a particular GPO. Additional administrative overhead resulted from limited delegation capabilities, the need for custom-crafted backup and restore procedures, and the inability to perform copy/paste or import/export operations on an individual GPO level. All of these issues were successfully addressed by the first version of the Group Policy Management Console (offered as a separate download). Along with the new utility, Microsoft published a set of APIs that made it possible to automate the majority of GPO-management tasks (as demonstrated by a number of sample scripts included with the download).
While the new version of GPMC (2.0), included in the Remote Server Administration Tools download for Vista with Service Pack 1 (which, incidentally, removes GPMC version 1.0 during installation) and incorporated as a built-in feature in Windows Server 2008, does not constitute a significant departure from its predecessor, it offers a number of useful improvements. Implemented as a Microsoft Management Console 3.0 snap-in (stand-alone or running as part of Server Manager), it sports a new interface that introduces the following features:
The Group Policy Editor available in earlier versions of Windows Server has been rebranded as the Group Policy Management Editor (GPME). Along with the name change, there is a new MMC 3.0-based interface and the ability to add comments using an extra tab in the Properties dialog box of each GPO (to display it, select the Properties entry from the context-sensitive menu of a GPO). Text entered in the Comment box is arbitrary; however, you should consider adopting a meaningful convention that documents the circumstances of GPO creation or editing (for example, the identity of its implementor, the corresponding Change Control number, its purpose, and its version history).
This content is automatically displayed on the Details tab of the GPO when viewing its graphical representation in the Group Policy Objects node of GPMC. Similarly, you can add comments to individual Administrative Templates-based settings (via the Comment tab and the Policy Setting Comment textbox available from that setting's Properties dialog box). The text entered there is automatically displayed in the summary of settings configured within a specific GPO (via the Settings tab, which appears when viewing the subnode representing that GPO under the Group Policy Objects node in GPMC). GPO-level comments are stored in a text file named GPO.cmt located in the root of the GPO-specific folder (whose name matches the GPO's GUID) under the SYSVOL\fully_qualified_domain_name\Policies folder, while the setting-specific ones reside in an XML-formatted file under the per-configuration subfolders (such as User) within the same directory structure.
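The following PowerShell script is an added example (not code from the original article or from Microsoft): it walks the Policies folder described above and reports every GPO whose GPO.cmt comment is missing or does not follow a documentation convention such as the one suggested earlier. The domain name and the convention pattern are assumptions; replace both with your own.

```powershell
# Added example, not from the original article: audit the GPO-level comments
# that GPMC stores in GPO.cmt under SYSVOL and flag GPOs whose comment is
# absent or does not follow the team's documentation convention.
# Assumptions (constructed for this example): the sample domain name and a
# convention that requires a change-control number ("CC-123") followed
# somewhere by an implementor ("Owner: name"). Adjust both to your standard.
param(
    [string]$Domain = 'corp.example.com',                      # assumed domain
    [string]$ConventionPattern = 'CC-\d+[\s\S]*Owner:\s*\S+'   # assumed convention
)

# Domain GPOs live under SYSVOL\<fqdn>\Policies\{GUID}; GPO.cmt sits in each root.
$policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"

$results = foreach ($gpoDir in Get-ChildItem -Path $policiesRoot | Where-Object { $_.PSIsContainer }) {
    # Skip folders that are not GPOs (for example the ADMX central store, PolicyDefinitions).
    if ($gpoDir.Name -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') { continue }

    $cmtPath = Join-Path -Path $gpoDir.FullName -ChildPath 'GPO.cmt'
    $comment = ''
    if (Test-Path -LiteralPath $cmtPath) {
        # ReadAllText honours a byte-order mark, so both ANSI and Unicode files read correctly.
        $comment = [System.IO.File]::ReadAllText($cmtPath).Trim()
    }

    # Classify: no file or empty file, present but off-convention, or compliant.
    $status = if ($comment -eq '') { 'MissingComment' } elseif ($comment -notmatch $ConventionPattern) { 'NonCompliantComment' } else { 'OK' }

    New-Object PSObject -Property @{
        GpoGuid = $gpoDir.Name
        Status  = $status
        Comment = $comment
    }
}

# List the offenders first; they can be fixed in GPMC via the GPO's Properties > Comment tab.
$results | Sort-Object Status, GpoGuid | Format-Table GpoGuid, Status, Comment -AutoSize
```

Run it from a workstation that can reach the SYSVOL share; read access to Policies is sufficient because the script only reads the comment files.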
The All Settings node appears under both the Computer and User Configuration nodes in the Group Policy Management Editor and gives you a comprehensive overview of all XML-based Administrative Templates settings, along with their Path (representing their placement within the Administrative Templates hierarchy). Its scope is affected by the filtering configuration, which we review next. It is important to note that the displayed content does not include settings contained in legacy ADM templates (if any are part of the GPO being viewed); once loaded into the Group Policy Management Editor, those actually appear under a separate node labeled Classic Administrative Templates (ADM).
The Group Policy Management Editor has a new set of filtering options that allow you to locate desired settings present in XML-based Administrative Templates (as before, this new functionality is contingent on the use of ADMX files). While similar capabilities were available in the Group Policy Editor when working with legacy ADM templates in earlier versions of Windows, the corresponding feature set was somewhat limited, giving you only the ability to filter policies matching a specific set of requirements (such as the version and service pack level of the operating system, Internet Explorer, Windows Installer, or Windows Media Player), belonging to the fully managed category (also known as "true" policies, which are automatically removed when the target computer or user is no longer within their scope), or those that are actually configured.
The new options are considerably more versatile, enabling you to identify settings that are fully managed, configured, or commented; that match all, any, or an exact set of keywords (including those on the Comment tab of the setting's Properties dialog box); or that satisfy all or any designated software requirements (which you can construct, in addition to the criteria listed above, by checking against BITS and NetMeeting versions).
Despite the rather misleading interface (Filter Options... and Filter On entries are present in the context-sensitive menu of the Administrative Templates folder as well as of each subfolder within its hierarchy), filtering options can be configured only for the full set of ADMX-based Administrative Templates, so it is not possible to turn them on or off for arbitrary groups of settings (as a matter of fact, the same filter applies automatically to both the Computer and User Configuration nodes). The results are displayed in the All Settings subnode (described previously) as well as in the individual subfolders under the Administrative Templates folder (within the Computer or User Configuration node, for computer- or user-specific settings, respectively).
Despite these limitations, this is a significant improvement over the previous version of the Group Policy Editor, where it was necessary to resort to the Group Policy Settings Reference, a spreadsheet available from the Microsoft Download Center that summarizes all built-in GPO settings (equivalent information for Windows Server 2008 and Windows Vista Service Pack 1 systems is also available there).
Starter GPOs serve as the basis for the creation of new Group Policy Objects within the Group Policy Management Console, giving you the ability to pre-define initial Administrative Templates-based settings (as before, this functionality is restricted to entries derived from ADMX files) that you want to keep consistent across multiple Group Policy Objects linked to distinct Active Directory locations. They are represented by subnodes under the Starter GPOs node within a domain (it is possible to copy them across domains or forests by using the Save as Cabinet... and Load Cabinet... command buttons exposed in the GPMC interface). When accessing that node for the first time (via the Details pane of the GPMC), you will be presented with the Create Starter GPOs Folder command button. Clicking on it automatically generates a StarterGPOs subfolder under the SYSVOL\fully_qualified_domain_name share on the domain controller you are connected to (typically the holder of the PDC Emulator Operations Master role), from which it is subsequently replicated across the entire domain. At that point, you can create a new Starter GPO (using the New... entry in the context-sensitive menu of the Starter GPOs subnode) and modify its settings. Modifications are performed with the Group Policy Starter GPO Editor, whose interface is almost identical to the Group Policy Management Editor (including support for the filtering and comment functionality). The notable exceptions include the lack of the Policies\Windows Settings or Preferences nodes (since, as explained earlier, Starter GPOs contain only ADMX-based items) and the inability to load custom templates. The outcome can be examined by reviewing the Settings pane of the resulting Starter GPO (displayed in the same manner in which GPO properties are presented).
While the configuration of a Starter GPO is entirely arbitrary and depends on the specifics of your environment, you might want to leverage the documentation provided by Microsoft in the form of Group Policy Common Scenarios Using GPMC and the Windows Vista Security Guide.
In addition, Microsoft offers sample Starter GPOs for Windows XP and Vista clients from its Download Center in the form of .CAB files (to make them available for deployment, use the Load Cabinet... option mentioned earlier). Each of the two sets consists of four distinct groups of configuration settings intended for users and computers operating in Specialized Security Limited Functionality (SSLF) or Enterprise Client (EC) mode. Note that since these samples belong to the System category (as indicated by the content of the Type column in the Details pane of the Starter GPOs node in GPMC), they are read-only and cannot be directly modified, commented, or even copied (unlike Custom ones, such as those created directly from within the GPMC).
Once Starter GPOs are created, you can use them when defining new GPOs. This is done either via the context-sensitive menu of a Starter GPO (the New GPO From Starter GPO... entry) or by taking advantage of the Source Starter GPO listbox in the New GPO dialog box. Commands required to carry out other common management tasks are also exposed in the GPMC interface. In particular, by right-clicking on the Starter GPOs node, you will be able to locate the option to Back Up All... existing subnodes (the equivalent action is available for individual Starter GPOs using their Back Up... menu entry).
The Manage Backups... item gives you the ability to determine backup availability and perform restores. Keep in mind that this process is separate from GPO backup, so to ensure full recoverability, you should incorporate both in your regular maintenance procedures. Delegating permissions involves granting the ability to create Starter GPOs (via the Delegation tab in the Details pane of the Starter GPOs node in GPMC) or to manage individual Starter GPOs, including reading, editing settings, deleting, and modifying security (via the Delegation tab in the Details pane of individual Starter GPOs).
Unlike the original version of GPMC, its successor does not include sample scripts. In order to make them available on a Windows Server 2008 system, you must once again refer to the Microsoft Download Center. Unfortunately, you will not find any examples demonstrating the use of the new features presented in this article. If you are looking for information regarding their automation, you might want to review the PowerShell-based code published on TechNet by Darren Mar-Elia.
In the next installment of our series, we will focus on Group Policy Preferences, which greatly extend the centralized management capabilities available in an Active Directory environment.