Windows Server 2. Group Policy Management Console Group Policy is near the top of any list of Windows 2. Windows release. The ability to control the characteristics of large numbers of servers and clients is crucial at a time when just one incorrectly configured computer can spread a virus in seconds. Unfortunately, Group Policy is also near the top of any list of Win. K's most complex features. The high point of Win. K Group Policy is its strong capabilities; its low points become obvious when you try to manage these policies across an enterprise. GPMC is a new, free Microsoft Management Console (MMC) snap- in for Windows Server 2. Group Policy administrator might want to do. GPMC's UI makes working with Group Policy much simpler. GPMC's Features GPMC's list of features reads like a Group Policy administrator's wish list. Windows 2003 Group Policies allow the administrators to manage a group of people accessing a resource efficiently. The group policies can be used to control both the. GPMC has a new UI that lets you view Group Policy Objects (GPOs) across domains—and even forests—in an intuitive and useful way. You can now generate HTML reports on GPO settings even if you don't have write access to the GPO. You can back up and restore GPOs, export them from one domain and import them into another, and even perform mapping operations to a different set of security principals and Universal Naming Convention (UNC) paths between domains. GPMC also incorporates Resultant Set of Policies (RSo. P), the most requested Group Policy enhancement for Windows 2. You can use the Windows Management Instrumentation Query Language (WQL) to build Windows Management Instrumentation (WMI) filters. GPMC even has a tool that lets you search for GPOs within a domain or across all domains in a forest. Requirements and Installation Although GPMC is associated with the Windows 2. OS, but the GPMC license agreement stipulates that you can install the GPMC only on a network on which you're running at least one copy of Windows 2. You can install GPMC on Windows 2. Windows XP with both Service Pack 1 (SP1) and the Windows . NET Framework (available from Windows Update) installed. ![]() Microsoft has now release to the world Windows 10, and if you are running one of the 14 million devices that now have Windows 10 installed you might be wondering what. Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. ![]() If you're installing GPMC on XP, the installation package will automatically install XP Quick Fix Engineering (QFE) update Q3. This QFE updates your version of gpedit. GPMC requires. GPMC doesn't run on 6. Windows because the Framework doesn't yet have a 6. ![]() GPMC and related documents are available from http: //www. The Win. 2K DCs should be running at least SP2 and preferably SP3. Be forewarned that editing GPOs in a Win. K forest using uplevel clients such as Windows 2. XP can result in a subtle consequence. If you use an uplevel client to edit a Win. K GPO, the client's newer policy settings will by default automatically upgrade the GPO without informing you. The Microsoft article . Win. 2K clients will ignore the new settings, but you should be aware that this guerilla upgrade is taking place. To prevent the upgrade, enable the policy User Configuration/Administrative Templates/System/Group Policy/Turn off automatic update of ADM files in the GPOs you don't want automatically updated. The administrative templates are automatically updated based on a simple timestamp, and the timestamps for the newly installed SP3 templates indicate that those files are newer than the XP files. The result is that the Win. ![]() K SP3 admin templates (newer in timestamp) overwrite the XP Group Policy templates (newer in code development), which can result in a corrupt admin template. Both the prevention of this problem and its fix are straightforward: Use a Windows 2. XP SP1, or Win. 2K client to edit your Win. K GPOs because the timestamps for those OSs' Group Policy administrative templates are newer than the timestamps for Win. K SP3's templates. Because the utility is an MMC snap- in, you can also create a customized MMC console that contains GPMC by launching MMC and adding Group Policy Management from the Add/Remove Snap- in menu. The UI Let's take a look at GPMC's main console, which Figure 1 shows. ![]() The scope pane shows an Active Directory (AD) structure in a layout similar to the MMC Active Directory Users and Computers snap- in. If you look closely, however, you'll see several important differences. The first difference is that you can include multiple forests (e. Figure 1). The second difference is that, within each forest, GPMC shows only containers that can have GPOs linked to them—sites, domains, and organizational units (OUs). ![]()
Microsoft calls sites, domains, and OUs the scope of management (SOM). The third difference is how this pane shows the true relationship of GPOs to the SOM. As Figure 1 shows, the GPOs associated with these containers are depicted as shortcuts or links (note the little arrows on the icons). GPOs aren't stored in the containers in which they're created; they're stored on a per- domain basis (shown in the GPMC UI within the Group Policy Objects container) and linked to their target SOMs. For example, you can link a GPO to an OU simply by selecting the GPO in the Group Policy Objects container and dragging it to the DC's OU. A dialog box confirms most GPO drag- and- drop operations; these kinds of operations can have wide- ranging consequences such as inadvertently linking a GPO to the wrong container, and you don't want to let a slip of the wrist screw up your default domain policy or other policies. The results pane has four property sheets that describe each GPO's scope, details, settings, and delegation. Discovering which containers a user- created GPO is linked to can be a time- consuming process in Win. K. The result pane's Scope tab lets you determine which SOM the GPO is linked to. The Links list box presents all links to the GPO in one location. The Security Filtering section of the results pane shows which users and computer will process the GPO. This information includes the GPO's domain and owner, when the GPO was created and modified, the version numbers of the user and computer settings in AD and on SYSVOL, the GPO's globally unique identifier (GUID), and the GPO's enabled/disabled status. Only the sections that have enabled settings are listed, and only the enabled settings are shown. You can expand or collapse each section by selecting show or hide. By right- clicking anywhere in the report, you can edit the GPO (through the standard MMC Group Policy Object Editor snap- in), print the report, or save it as an HTML file that expands and collapses as the original does. This view is clear and simple compared with the Byzantine complexity of the ACL editor for AD objects. Any listed security principal can have five possible setting combinations: Read, Edit settings, Edit settings/delete/modify security, Read (from Security Filtering) and (if you select the Advanced button on the Delegation tab and use the ACL editor to edit permissions directly) Custom. Security principals that have the Read (from Security Filtering) setting have security filtering applied to them and appear in the Security Filtering section of the Scope tab. To trigger a Group Policy update, open a command prompt from the appropriate client and run one of the above commands. GPO Operations One of the most frustrating aspects of working with Win. K Group Policy is that you can't manipulate GPOs the way you manipulate file system objects. Unlike pure file system objects or purse AD objects, GPOs are hybrid constructs unique in Win. K; each GPO has an AD component as well as a file system component. The AD component is distributed through AD replication, and the file system component is circulated around the DCs' SYSVOLs through the File Replication Service (FRS). This is one reason GPOs are so hard to manipulate. Group Policy is a power tool that lets you access advanced system settings. We'll show you how to access it or set it up in Windows Home and 5+ powerful Group.You can create and delete them and edit their settings and security, but performing other kinds of operation against a GPO is just about impossible. You can't back up the GPO for safekeeping, restore it if you mess up something, or make a copy of it for a test forest. However, GPMC makes all these operations easy. Backup To back up a GPO, simply right- click the GPO in the scope pane and choose Backup. The system will prompt you to enter the save location and a description before it begins backing up the GPO. You can back up all GPOs in the domain by right- clicking the Group Policy Objects container and selecting Back Up All. GPMC will show the progress of the backup, as Figure 2 shows. The same context menu also has a Manage Backups utility that lists all the backed- up GPOs in a specified folder. Restore When you restore a GPO, the GPO's existing settings are deleted and the backed- up settings are restored to their state at the time you backed them up. You can use the restore operation to roll back a GPO that's in an unhealthy or unwanted state or recover a deleted GPO. GPMC doesn't restore the links to the GPO if you've deleted them, but because the GPO's GUID remains the same, existing links will work on the restored GPO the way they did with the original. If you've deleted the GPO, right- click the GPO container, select Manage Backups, and choose the GPO you want to restore. When you select the particular backup you want to use, you can view the backed up GPO's settings (in the same report format as the Settings tab) to be sure it's the GPO you want. Copy and Import The Copy and Import operations transfer an existing GPO's settings to a new GPO. The new GPO can be located in the same domain, in another domain, or even in another forest. Import requires that the destination GPO exist before you import the settings, whereas the Copy operation creates the destination GPO. Copy requires a trust relationship between the source and target domains so that you can perform the operation in one step, whereas Import doesn't have this requirement because it works off a backed- up GPO. In a configuration in which no trust relationship exists between the domains, you can't use Copy; you must back up the GPO to a common file system location, then import the backed- up GPO into the destination domain.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
November 2017
Categories |