Windows Server 2003 Group Policy Enhancements, Part IV

In this installment of our series covering Group Policy related features introduced in Windows Server 2003 platform, we will describe the Group Policy Management Console (GPMC).

Group Policy Management Console, while technically not part of the Windows Server 2003 platform, is intended to be used with the operating system. In part four of this multipart series, Marcin Policht explains how to use GPMC to simplify group policy management.

GPMC is not part of the operating system and is available as a separate download from Microsoft’s Web site. The final version was released around the same time as the OS and, obviously, is intended to work with it. You can also use GPMC to manage group policies in Windows 2000 Active Directory forests. (To satisfy licensing requirements you must have at least one license of Windows Server 2003 to run it, but it does allow you to run an unlimited number of copies of GPMC.)

The GPMC simplifies the management of group policies in one or more forests by providing access to them from a single interface. By default, the GPMC will contain a single node for the current forest. Other forests can be added as long as the following conditions are satisfied:

• The DNS infrastructure is properly configured so as to provide name resolution among all forests and domains.
• A trust relationship has been created between the current forest and target forest or between the current domain and target domain. (Remember that inter-forest trust relationships are not available in Windows 2000 Active Directory forests — they require Windows 2003 domain controllers operating at the Windows Server 2003 functionality level.)
• The account has sufficient privileges to manage group policies in the target forest (or domain). This can be done once the trust relationship is established. The level of permissions is highly dependent on the type of operations that will be performed (e.g., the editing of GPOs, linking GPOs to AD containers, edits, backup, restore, import, and copy)

Within each forest node (which appear in the left window pane), are the following subnodes:

• Domains contain the listing of all domains in Windows 2003 forest or target domain in the Windows 2000 forest. However, there seems to be a problem with adding multiple domains from the same forest to the same GPMC.
• Sites includes all sites within the target forest. Note that this subnode is initially empty and is populated with individually selected sites by using the Show Sites option from the Action menu.
• Group Policy Modeling is a new name for the Resultant Group Policies in Planning mode. This node appears only for Windows 2003 Server domains. For more information on this topic, refer to the previous article in this series.
• Group Policy Results is a new name for Resultant Group Policies in Logging mode. More information on this topic can also be found in Part III of this series.

You can access group policies for each domain in each forest by using one of two approaches:

The first approach is container-based, which means that you first select a target Active Directory container (domain, organizational unit, or site) that you are interested in. This gives you a listing of all group policy objects (GPOs) linked to it, along with their precedence, and delegation properties. For each link, you can quickly switch to the corresponding GPO by double-clicking on it. Note that modifications to the GPO affect all the containers to which the GPO is linked.

The second approach is GPO-based, which means that you deal with all GPOs for the domain. This is done by viewing the content of GPOs subnode residing in target domain node. It is a quick way to access each of the GPOs, regardless of how they are linked (or if they are linked at all). For each GPO you can view its:

• Scope, which lists all its links and security filtering scope, including group filtering and (in Windows Server 2003 domains only) WMI filtering
• Details, such as date of creation and latest modification, version number, GUID, and GPO status – enabled, partially (user configuration or computer configuration portion of the GPO), or fully disabled.
• Settings, which provides a report of all settings configured via this GPO
• Delegation, which contains permissions granted to users and groups on this GPO

There is also separate node called WMI filters, which is located within each node corresponding to Windows 2003 domain (but not Windows 2000 domain). As one would expect, this node contains a listing of all WMI filters defined for this domain, along with their properties.

However, appeal of the GPMC goes far beyond improved interface. With its introduction, Microsoft has finally provided a feature set previously available only with third-party tools (such as FAZAM from FullArmor) — backup and restore of individual GPOs in Windows 2000 and 2003 domains, and backup and import between two separate GPOs.

Backup and restore of individual GPOs in Windows 2000 and 2003 domains required fairly cumbersome workarounds (or third-party tools) before the release of GPMC. Now, prior to initiating the restore process, you have the option of verifying the settings of the backed-up GPO. You can also view these settings from Manage Backups dialog box (which can be accessed from the context sensitive menu of the previously described Domains node in the GPMC left window pane). Note that the restore process applies only to the GPO — not its links to Active Directory containers. The restore also does not include WMI filters linked to the GPO or IP Security Policies, but it does include the WMI filter and IPSec Policy links.

Backup and import between two separate GPOs is the other new key feature. Note that this is different from backup and restore, which applies to the same GPO. The destination GPO must exist (which means you cannot create a new GPO during the import operation. All of the settings of the destination GPO are replaced by the settings within the backup. Since no relationship is needed in this case, import provides a convenient method of transferring group policy settings from test environment to production, once testing has been successfully completed.

Note, however, that you might need to modify GPO settings in case they contain references to security principals or UNC paths (you will be notified by the Import Settings Wizard if this is the case). If these appear anywhere in GPO settings, you can convert them to values appropriate in the new domain by using a migration table. Each migration table (you can have any number of them, saved as files with extension .migtable) consists of three columns:

• Source Name: The name of a security principal or UNC path in the source domain,
• Source Type: User, computer, domain local group, domain global group, universal group, UNC path, or SID
• Destination Name: The name of an equivalent security principal or UNC path in the destination domain

You also have an option of populating the table based on a content of a GPO or its backup.

When creating a copy of a GPO and WMI filters (for review of WMI filter refer to the second article of this series), the main difference between the backup/import and copy/paste is that the second one results in the creation of a new object (while the first one requires existing destination object). The new object is assigned a new, unique GUID. Since the copy operation does not involve storing GPO or WMI filter settings in a backup file but instead is a direct operation between Active Directory objects, it requires a trust relationship between source and destination domain (in case they are different).

To copy a GPO or a WMI filter, right-click on it and select Copy from the context-sensitive menu (or the Action menu). To paste, right-click on GPOs node in the destination domain and select Paste from the context-sensitive menu (which also appears in the Action menu). If the source and destination domain are different, it will launch Cross-Domain Copying Wizard, which will lead you through the copying process by prompting for the new GPO’s permissions and checking for presence of security principals or UNC paths in the GPO settings. If security principals or UNC paths are present and need to be substituted with values from the destination domain, you can use the previously described migration table. When copying a GPO within the same domain, you must provide the permissions on the new GPO.

You can also use a GPO or WMI filter to run forest- or domain-wide searches for GPOs based on practically every imaginable criteria, such as names, links, security group that has a particular level of permissions, user or computer configuration settings, or GUID value.

Finally, GPMC is extensible (new functionality can easily be added to it) and scriptable (its actions can be automated through scripts).

Scripting GPMC functionality will be the topic of my next article.