Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory...


  • 5/20/2018 Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment


    Using the Group Policy Management Console (GPMC) in a Windows Server 2003 Active Directory Environment


    Step-by-Step Guide to Using the Group Policy Management Console

    Published: September 17, 2004

    This step-by-step guide provides general guidance for using the Group Policy Management Console (GPMC) to support Group Policy Objects (GPOs) in an Active Directory environment. This guide does not provide guidance on the implementation for GPOs.

    On This Page

    Introduction

    Overview

    Installing and Configuring GPMC

    Managing Group Policy Objects

    GPO Backup, Restore, Copy, and Import

    GPO Modeling

    Additional Resources

    Introduction

    Step-by-Step Guides

    The Windows Server 2003 Deployment step-by-step guides provide hands-on experience for many common operating system configurations. The guides begin by establishing a common network infrastructure through the installation of Windows Server 2003, the configuration of Active Directory, the installation of a Windows XP Professional workstation, and finally, the addition of this workstation to a domain. Subsequent step-by-step guides assume that you have this common network infrastructure in place. If you do not want to follow this common network infrastructure, you will need to make appropriate modifications while using these guides.

    The common network infrastructure requires the completion of the following guides.

    Part I: Installing Windows Server 2003 as a Domain Controller

    Part II: Installing a Windows XP Professional Workstation and Connecting It to a Domain

    Once the common network infrastructure is configured, any of the additional step-by-step guides may be employed. Note that some step-by-step guides may have additional prerequisites above and beyond the common network infrastructure requirements. Any additional requirements will be noted in the specific step-by-step guide.

    Microsoft Virtual PC

    The Windows Server 2003 Deployment step-by-step guides may be implemented within a physical lab environment or through virtualization technologies like Microsoft Virtual PC 2004 or Microsoft Virtual Server 2005. Virtual machine technology enables customers to run multiple operating systems concurrently on a single physical server. Virtual PC 2004 and Virtual Server 2005 are designed to increase operational efficiency in software testing and development, legacy application migration, and server consolidation scenarios.

    The Windows Server 2003 Deployment step-by-step guides assume that all configurations will occur within a physical lab environment, although most configurations can be applied to a virtual environment without modification.

    Applying the concepts provided in these step-by-step guides to a virtual environment is beyond the scope of this document.

    Important Notes

    The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

    This common infrastructure is designed for use on a private network. The fictitious company name and Domain Name System (DNS) name used in the common infrastructure are not registered for use on the Internet. You should not use this name on a public network or Internet.

    The Active Directory service structure for this common infrastructure is designed to show how Windows Server 2003 Change and Configuration Management works and functions with Active Directory. It was not designed as a model for configuring Active Directory for any organization.


    Overview

    Microsoft Group Policy Management Console (GPMC) is a new tool for Group Policy management that helps administrators manage an enterprise more cost-effectively by improving manageability and increasing productivity. It consists of a new Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces.

    GPMC simplifies Group Policy management by providing a single place for managing core aspects of Group Policy. It addresses the top Group Policy deployment requirements, as requested by customers, by providing the following functionality.

    A user interface (UI) that makes Group Policy much easier to use.

    Backup/restore of Group Policy objects (GPOs).


    Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters.

    Simplified management of Group Policy related security.

    Hyper Text Markup Language (HTML) reporting of GPO settings and Resultant Set of Policy (RSoP) data.

    Scripting of policy-related tasks that are exposed within this tool (not scripting of settings within a GPO).

    In the past, administrators have been required to use several Microsoft tools to manage Group Policy, such as the Active Directory Users and Computers, Active Directory Sites and Services, and Resultant Set of Policy snap-ins. GPMC integrates the existing Group Policy functionality exposed in these tools into a single, unified console, along with several new capabilities.

    Built in to GPMC is support for managing multiple domains and forests, enabling administrators to easily manage Group Policy across an enterprise. Administrators have complete control of which forests and domains are listed in GPMC, making it possible to display only pertinent parts of an environment.

    Note: This step-by-step guide provides guidance only on the use of GPMC for managing GPOs. It does not provide guidance on their configuration. For information on configuring GPOs, see the Step-by-Step Guide to Understanding the Group Policy Feature Set.

    Prerequisites

    Part 1: Installing Windows Server 2003 as a Domain Controller

    Step by Step Guide to Setting Up Additional Domain Controllers

    Step-by-Step Guide to Managing Active Directory

    Step by Step Guide to Using the Delegation of Control Wizard

    Step-by-Step Guide to Understanding the Group Policy Feature Set

    Step-by-Step Guide to Enforcing Strong Password Policies


    Installing and Configuring GPMC

    Installing GPMC

    Installing GPMC is a simple process that involves running a Windows Installer (.MSI) package. To download the latest version, see the Windows Server System site for Group Policy Management at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.

    To install the Group Policy Management Console

    1. On server HQ-CON-DC-01, navigate to the folder containing gpmc.msi, double-click the gpmc.msi package, and then click Next.

    2. Click I Agree to accept the End User License Agreement (EULA), and then click Next.

    3. Click Finish to complete the installation of GPMC.

    When the installation is complete, the Group Policy tab that appeared on the Property pages of sites, domains, and organizational units (OUs) in the Active Directory snap-ins is updated to provide a direct link to GPMC. The functionality that previously existed on the original Group Policy tab is no longer available since all functionality for managing Group Policy is available through GPMC.

    To open the GPMC snap-in

    1. On server HQ-CON-DC-01, click the Start button, click Run, type GPMC.msc, and then click OK.

    Note: Alternatively, either of the following methods can be used to launch the GPMC.

    Click the Group Policy Management shortcut in the Administrative Tools folder on the Start menu or in the Control Panel.

    Create a custom MMC console: click the Start button, click Run, type MMC, and then click OK. Point to File, click Add/Remove Snap-in, and then click Add. Click to highlight Group Policy Management, click Add, click Close, and then click OK.

    Configuring GPMC for Multiple Forests

    Multiple forests can be easily added to the GPMC console tree. By default, you can only add a forest to GPMC if there is a two-way trust with the forest of the user running GPMC. You can optionally enable GPMC to work with only one-way trust or even no trust. Adding an additional forest to the GPMC is accomplished by highlighting Group Policy Management at the tree's root, selecting Action from the context menu, and then clicking Add Forest. Since the sample environment only contains a single forest, performing these steps is beyond the scope of this step-by-step guide.

    Note: When adding forests to which you have no trust, some functionality will not be available. For example, Group Policy Modeling is not available, and it is not possible to open the Group Policy Object Editor on GPOs in the untrusted forest. The untrusted forest scenario is primarily intended to enable copying GPOs across forests.

    Managing Multiple Domains Simultaneously

    GPMC supports management of multiple domains at the same time, with each domain grouped by forest in the console. By default, only a single domain is shown in GPMC. When you first start GPMC using either the pre-configured snap-in (gpmc.msc) or a custom MMC console, GPMC displays the domain that contains the user account you used to start GPMC. You can specify domains in each forest that you want to manage using GPMC by adding and removing the domains shown in the console.

    Note: You can add externally trusted domains, even if you do not have forest trust with the entire forest. By default, you must have two-way trust between the domain you want to add and the domain of your user object. You can also add domains across a one-way trust by disabling the trust detection feature of GPMC, using the Options dialog box on the View menu. To add externally trusted domains, you must first use the Add Forest dialog box to add one domain from a forest that contains the externally trusted domains. Once this forest is added, you can add any domains in that forest that are trusted by right-clicking the Domains node of the forest, and then clicking Show Domains.

    To add the vancouver.contoso.com child domain to the console

    1. In the Group Policy Management window, click the plus sign (+) next to Forest: contoso.com to expand the tree, and then click the plus sign (+) next to Domains.

    2. Right-click Domains, and then click Show Domains.

    3. Select the check box next to vancouver.contoso.com as shown in Figure 1, and then click OK.

    Figure 1. Show Domains

    In each domain available to GPMC, the same domain controller is used for all operations in that domain. This includes all operations on the GPOs, OUs, security principals, and WMI filters that reside in that domain. In addition, when the Group Policy Object Editor is opened from GPMC, it always uses the same domain controller that is targeted in GPMC for the domain where that GPO is located.

    GPMC allows you to choose which domain controller to use for each domain. You can choose from these four options.

    Use the primary domain controller (PDC) emulator (default choice).

    Use any available domain controller.

    Use any available domain controller that is running a Windows Server 2003 family operating system. This option is useful if you are restoring a deleted GPO that contains Group Policy software installation settings.

    Use a specific domain controller that you specify.

    To change the domain controller used by GPMC for the vancouver.contoso.com domain

    1. In the Group Policy Management window, under the Domains folder, right-click vancouver.contoso.com, and then click Change Domain Controller.

    2. In the Change Domain Controller dialog box, click This domain controller, and then click to highlight hq-con-dc-03.vancouver.contoso.com as shown in Figure 2.

    3. Click OK to continue.

    Figure 2. Changing Domain Controllers


    Managing Group Policy Objects

    Viewing Domain GPOs

    Within each domain, GPMC provides a policy-based view of Active Directory and the components associated with Group Policy, such as GPOs, WMI filters, and GPO links. The view in GPMC is similar to the view in Active Directory Users and Computers MMC snap-in in that it shows the OU hierarchy. However, GPMC differs from this snap-in because instead of showing users, computers, and groups in the OUs, it displays the GPOs that are linked to each container, as well as the GPOs themselves.

    Each domain node in GPMC displays the following items.

    All GPOs linked to the domain.

    All top-level OUs and a tree view of nested OUs and GPOs linked to each of the OUs.

    The Group Policy Objects container showing all GPOs in the domain.

    The WMI Filters container showing all WMI filters in the domain.

    To view GPOs associated with a particular container

    1. Under the Domains tree, click the contoso.com tree. The GPOs associated with the container (domain root) appear as shown in Figure 3. This concept can be applied to any domain container.

    Figure 3. GPOs in the Domain Root


    To view all GPOs associated with a particular domain

    1. Under the Domains tree, click the plus sign (+) next to contoso.com, and then click Group Policy Objects.

    Searching for GPOs

    Searching for GPOs is available at the forest or domain level. Individual or multiple search parameters can assist in narrowing search results within a large set of GPOs.

    To find a specific GPO within the contoso.com forest using multiple search parameters

    1. In the console tree, right-click Forest: contoso.com, and then click Search.

    2. In the Search item box, select GPO Name, type Password for Value, and then click Add.

    3. In the Search item box, select Computer Configuration, select Security for Value, and then click Add.

    4. Click Search. The results should appear as shown in Figure 4.

    Figure 4. Criteria-Based GPO Searches

    5. Once the search results are returned, you may do one of the following:

    To open the GPO for editing, click Edit.

    To save the search results, click Save results. In the Save GPO Search Results dialog box, specify the file name for the saved results, and then click Save.

    To navigate to a GPO found in the search, double-click the GPO in the search results list.

    To clear the search results, click Clear.

    To close the Search for Group Policy Objects dialog box, click Close.

    Scoping GPOs

    The value of Group Policy can only be realized through properly applying the GPOs to the Active Directory containers you want to manage. Determining which users and computers will receive the settings in a GPO is referred to as scoping the GPO. Scoping a GPO is based on three factors.

    The site(s), domain(s), or OU(s) where the GPO is linked. The primary mechanism by which the settings in a GPO are applied to users and computers is by linking the GPO to a site, domain, or OU in Active Directory. The location where a GPO is linked is referred to as the Scope of Management or SOM (also seen as SDOU in previous white papers). There are three types of SOMs: sites, domains, and OUs. A GPO can be linked to multiple SOMs, and an SOM can have multiple GPOs linked to it. A GPO must be linked to an SOM for it to be applied.


    The security filtering on the GPO. By default all Authenticated Users that are located in the SOM (and its children) where a GPO is linked will apply the settings in the GPO. You can further refine which users and computers will receive the settings in a GPO by managing permissions on the GPO. This is known as security filtering. For a GPO to apply to a given user or computer, that user or computer must have both Read and Apply Group Policy permissions on the GPO. By default, GPOs have permissions that allow the Authenticated Users group both of these permissions. This is how all authenticated users receive the settings of a new GPO when it is linked to a SOM (OU, domain, or site). These permissions can be changed, however, to limit the scope of the GPO to a specific set of users, groups, and/or computers within the SOM(s) where it is linked.

    The WMI filter on the GPO. WMI filters allow an administrator to dynamically determine the scope of GPOs based on attributes (available through WMI) of the target computer. A WMI filter consists of one or more queries that are evaluated to be either true or false against the WMI repository of the target computer. The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs. When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied. If the WMI filter evaluates to true, the GPO is applied.

    To scope the Domain Password Policy GPO found in the previous search

    1. In the Search for Group Policy Objects search results pane, double-click Domain Password Policy, and then click Close.

    Note: Once the Search for Group Policy Objects dialog box is closed, the previously selected GPO will have focus in the GPMC. The GPO Scope page will appear as shown in Figure 5.

    Figure 5. Scoping a GPO

    To review the policies that will be applied by a GPO

    1. In the Domain Password Policy results pane, click the Settings tab, and then click Show All. A summary of all defined policy settings will appear as shown in Figure 6. Undefined settings are not displayed.

    Figure 6. Reviewing GPO Settings


    GPO Policy Inheritance and Link Order

    The Group Policy Inheritance tab for a given container shows all GPOs (except for GPOs linked to sites) that would be inherited from parent containers. The precedence column on this tab shows the overall precedence for all the links that would be applied to objects in that container, taking into account both Link Order and the Enforcement attribute of each link, as well as Block Inheritance.

    To view policy inheritance on a container

    1. In the Group Policy Management window, under the contoso.com tree, expand the Accounts OU, and then click the Headquarters OU as shown in Figure 7.

    Figure 7. Group Policy Inheritance


    If multiple GPOs are linked to the same container and have settings in common, there must be a mechanism for reconciling the settings. This behavior is controlled by the link order. The lower the link order number, the higher the precedence. Information about the links for a given container is shown on the Linked Group Policy Objects tab of a given container. This pane shows if the link is enforced, if the link is enabled, the status of the GPO, if a WMI filter is applied, when it was modified, and the domain container where it is stored. An administrator or users who have been delegated permissions to link GPOs to the container can change the link order by highlighting a GPO link and using the up and down arrows to move the link higher or lower in the link order list.

    To change policy link order on a container

    1. On the Headquarters screen, click the Linked Group Policy Objects tab.

    2. Under the GPO column, click Linked Policies, and then click the up arrow just to the left of the Link Order column. When finished, the linking order for GPOs under the Headquarters OU should appear as shown in Figure 8.

    Figure 8. GPO Link Order
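
    The scoping rules (link location, security filtering, WMI filter) and the precedence rules (Link Order, Enforced, Block Inheritance) described above can be modelled together to answer "which GPOs reach this user, and in what order". The Python model below is an added example, not part of the original guide or of GPMC. Assumptions: all GPO names other than Domain Password Policy and Linked Policies, the HQ Admins group, the computer attributes and every flag are constructed; a target is simplified to a user logged on at one computer; and the rule that an enforced link set higher in the tree outranks one set lower is standard Group Policy behaviour that the guide does not spell out.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

READ, APPLY = "Read", "Apply Group Policy"


@dataclass
class Gpo:
    name: str
    # Security filtering: trustee name -> permissions granted on the GPO.
    acl: Dict[str, Set[str]] = field(
        default_factory=lambda: {"Authenticated Users": {READ, APPLY}})
    # At most one WMI filter per GPO, modelled as a predicate over the target
    # computer's attributes (a stand-in for real WMI queries).
    wmi_filter: Optional[Callable[[dict], bool]] = None


@dataclass
class Link:
    gpo: Gpo
    order: int               # link order in its container; 1 = highest precedence
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:             # a domain or OU; site links are left out, as on the tab
    name: str
    parent: Optional["Container"] = None
    block_inheritance: bool = False
    links: List[Link] = field(default_factory=list)


@dataclass
class Target:                # simplification: a user logged on at one computer
    name: str
    groups: Set[str]
    computer: dict = field(default_factory=dict)


def precedence(container: Container) -> List[Tuple[Link, str]]:
    """Enabled links that reach `container`, highest precedence first."""
    enforced, normal = [], []
    blocked, depth, node = False, 0, container
    while node is not None:
        for link in sorted(node.links, key=lambda l: l.order):
            if not link.enabled:
                continue
            if link.enforced:
                enforced.append((depth, link, node.name))
            elif not blocked:
                normal.append((link, node.name))
        # Block Inheritance stops non-enforced links from containers above.
        blocked = blocked or node.block_inheritance
        depth += 1
        node = node.parent
    # Enforced links outrank all others; the one set highest in the tree wins.
    enforced.sort(key=lambda e: (-e[0], e[1].order))
    return [(link, where) for _, link, where in enforced] + normal


def in_scope(gpo: Gpo, target: Target) -> Tuple[bool, str]:
    """Apply security filtering, then the WMI filter, and say which one excluded."""
    granted: Set[str] = set()
    for trustee in target.groups | {target.name}:
        granted |= gpo.acl.get(trustee, set())
    missing = {READ, APPLY} - granted
    if missing:
        return False, "security filtering: missing " + ", ".join(sorted(missing))
    if gpo.wmi_filter is not None and not gpo.wmi_filter(target.computer):
        return False, "WMI filter evaluated to false"
    return True, "applies"


def effective_gpos(container: Container, target: Target) -> List[str]:
    """GPO names that apply to `target` in `container`, highest precedence first."""
    return [l.gpo.name for l, _ in precedence(container)
            if in_scope(l.gpo, target)[0]]


def build_sample() -> Tuple[Container, Container, Container]:
    """Constructed tree: contoso.com > Accounts > Headquarters (blocks inheritance)."""
    domain = Container("contoso.com")
    accounts = Container("Accounts", parent=domain)
    hq = Container("Headquarters", parent=accounts, block_inheritance=True)
    domain.links = [Link(Gpo("Default Domain Policy"), 1),
                    Link(Gpo("Domain Password Policy"), 2, enforced=True)]
    accounts.links = [Link(Gpo("Accounts Baseline"), 1)]
    hq.links = [
        Link(Gpo("HQ Desktop",
                 wmi_filter=lambda c: c.get("os") == "Windows XP Professional"), 1),
        Link(Gpo("Linked Policies",
                 acl={"Authenticated Users": {READ},
                      "HQ Admins": {READ, APPLY}}), 2),
        Link(Gpo("Old Pilot"), 3, enabled=False),
    ]
    return domain, accounts, hq


if __name__ == "__main__":
    _, _, hq = build_sample()
    alice = Target("alice", {"Authenticated Users"},
                   {"os": "Windows XP Professional"})
    for link, where in precedence(hq):
        print(f"{link.gpo.name:24} linked at {where:13} -> {in_scope(link.gpo, alice)[1]}")
```

    Running the model against a container before changing Block Inheritance or an Enforced flag shows which links gain or lose precedence, and the reason string from in_scope separates a permissions problem from a WMI filter mismatch.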


    GPO Backup, Restore, Copy, and Import

    Backing Up a GPO

    Backing up a GPO copies the data in the GPO to the file system. The backup function also serves as the export capability for GPOs. A GPO backup can be used to restore the GPO to the backed-up state, or to import the settings in the backup to another GPO.

    Backing up a GPO saves all information that is stored inside the GPO to the file system. This includes the following:

    The GPO globally unique identifier (GUID) and domain GPO settings

    The discretionary access control list (DACL) on the GPO

    The WMI filter link, if there is one, but not the filter itself

    Links to IP Security policies, if any

    Extensible Markup Language (XML) report of the GPO settings, which can be viewed as HTML from within GPMC

    Date and time stamp of the backup

    User-supplied description of the backup

    Backing up a GPO only saves data that is stored inside the GPO. Data that is stored outside the GPO includes the following:

    Links to a site, domain, or OU

    WMI filter

    IP Security policy

    This data is not available when the backup is restored to the original GPO or imported into a new one.

    To back up the Domain Password Policy GPO

    1. In the Group Policy Management window, under the contoso.com tree, click the Group Policy Objects folder.

    2. In the Group Policy Objects folder, right-click the Domain Password Policy GPO, and then click Back Up.

    3. In the Back Up Group Policy Object dialog box, type c:\windows for Location, type Domain Password Policy Backup for Description, and then click Back Up.

    4. Once the backup is complete, click OK to continue.

    Managing Backups

    Multiple backups of the same or different GPO can be stored in the same file system location. Each backup is identified by a unique backup ID. The collection of backups in a given file system location can be managed using the Manage Backups dialog box in GPMC or through the scriptable interfaces. The Manage Backups dialog box is available by right-clicking either the Domains node or the Group Policy Objects node in a given domain. When you open Manage Backups from the Group Policy Objects node, the view is automatically filtered to show only backups of GPOs from that domain. When opened from the Domains node, the Manage Backups dialog box shows all backups, regardless of which domain they are from.

    To manage available GPO backups

    1. In the Group Policy Management window, under the contoso.com tree, right-click the Group Policy Objects folder, and then click Manage Backups. The Manage Backups window should appear as shown in Figure 9.


    Figure 9. Managing Backups

    2. In the Manage Backups window, click to highlight the Domain Password Policy Backup created previously, and then click View Settings.

    3. Review the detailed GPO information, and then close Internet Explorer.

    Restoring from Backup

    Restoring a GPO re-creates the GPO from the data in the backup. A restore operation can be used in both of the following cases: the GPO

    was backed up but has since been deleted, or the GPO is live and you want to roll back to a known previous state. A restore operation

    replaces the following components of a GPO.

    GPO settings

    The DACL on the GPO

    WMI filter links (but not the filters themselves)

    The restore operation does not restore objects that are not part of the GPO. This includes links to a site, domain, or OU; WMI filters; and IPSec policies.

    To restore the Domain Password Policy GPO

    1. In the Manage Backups window, click Restore.

    2. When prompted, click OK to restore the selected backup.

    3. Click OK after the GPO restoration is complete.

    4. In the Manage Backups dialog box, click Close.
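
Because neither backup nor restore covers links to a site, domain, or OU, or the WMI filter itself, a scripted backup can record them alongside the backup. This is an added example, not part of the original guide: it assumes the GroupPolicy PowerShell module from later Windows versions (not the GPMC release covered here), and the function name, the `D:\GpoBackups` folder and the CSV layout are hypothetical.

```powershell
# Added example. Assumes the GroupPolicy PowerShell module (RSAT on later
# Windows versions); it is not part of the GPMC release this guide covers.
Import-Module GroupPolicy

function Backup-GpoWithLinks {
    # Hypothetical helper: backs up one GPO and records what the backup omits.
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $BackupPath
    )

    # Same data as Back Up in GPMC: settings, DACL, WMI filter link, XML report.
    $backup = Backup-GPO -Name $GpoName -Domain $Domain -Path $BackupPath `
        -Comment "$GpoName Backup"

    # Links are stored on the site, domain, or OU, so read them from the live
    # GPO's XML report; each <LinksTo> element describes one link.
    [xml] $report = Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Xml
    $links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
        [pscustomobject]@{
            BackupId = $backup.Id
            GpoName  = $GpoName
            LinkedTo = $_.SOMPath      # canonical path of the linked container
            Enabled  = $_.Enabled
            Enforced = $_.NoOverride
        }
    })
    $linkFile = Join-Path $BackupPath ("{0}-links.csv" -f $backup.Id)
    $links | Export-Csv -Path $linkFile -NoTypeInformation

    # The backup keeps only the link to a WMI filter; note which filter it was.
    $wmiFilter = (Get-GPO -Name $GpoName -Domain $Domain).WmiFilter

    [pscustomobject]@{
        BackupId      = $backup.Id
        LinkFile      = $linkFile
        LinkCount     = $links.Count
        WmiFilterName = if ($wmiFilter) { $wmiFilter.Name } else { $null }
    }
}

# Constructed usage: D:\GpoBackups is a placeholder folder that must exist.
Backup-GpoWithLinks -GpoName 'Domain Password Policy' -Domain 'contoso.com' `
    -BackupPath 'D:\GpoBackups'
```

The CSV lists the containers to re-link after a restore; `New-GPLink` takes a distinguished name for `-Target`, so the canonical paths need converting first.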

    Copying a GPO

    A copy operation allows you to transfer settings from an existing GPO in Active Directory directly into a new GPO. The new GPO created

    during the copy operation is given a new GUID and is unlinked. You can use a copy operation to transfer settings to a new GPO in the same

    domain, another domain in the same forest, or a domain in another forest. Because a copy operation uses an existing GPO in Active

    Directory as its source, trust is required between the source and destination domains. Copy operations are suited for moving Group Policy

    between production environments. They are also used for migrating Group Policy that has been tested in a test domain or forest to a

    production environment, as long as there is trust between the source and destination domains.

    To copy a GPO

    1. Under the contoso.com tree in the Group Policy Objects folder, right-click the Enforced User Policies GPO, and then click Copy.

    2. Click the plus sign (+) next to vancouver.contoso.com to expand the domain, and then click the plus sign (+) next to Group Policy Objects to expand the tree.

    3. Right-click Group Policy Objects, and then click Paste.

    4. On the Cross-Domain Copying Wizard, click Next to continue.


    5. On the Specify Permissions screen, select Use the default permissions for new GPOs (default) as shown in Figure 10, and then click Next.

    Figure 10. Cross-Domain Copying Wizard

    6. Once the original GPO is scanned, click Next to continue.

    7. On the Completing the Cross-Domain Copying Wizard screen, verify settings, and then click Finish.

    8. Once the copy operation is complete, click OK.

    Note: The Enforced User Policies GPO has been copied to the vancouver.contoso.com domain; however, it has not been linked to any

    container.

    To link the Enforced User Policies GPO to the root of vancouver.contoso.com

    1. Right-click vancouver.contoso.com, click Link an Existing GPO, click to highlight Enforced User Policies, and then click OK.

    Importing a GPO

    The import operation transfers settings into an existing GPO in Active Directory using a backed up GPO in the file system location as its

    source. Import operations can be used to transfer settings from one GPO to another GPO within the same domain, to a GPO in another

    domain in the same forest, or to a GPO in a domain in a different forest. The import operation always places the backed up settings into an

    existing GPO. It erases any pre-existing settings in the destination GPO. Import does not require trust between the source domain and

    destination domain; therefore, it is useful for transferring settings across forests and domains that do not have trust. Importing settings

    into a GPO does not affect its DACL, links on sites, domains, or OUs to that GPO, or a link to a WMI filter.

    To import the contoso.com Domain Password Policy into vancouver.contoso.com Domain Password Policy

    1. In the Group Policy Management window, right-click vancouver.contoso.com, and then click Create and Link a GPO here.

    2. In the New GPO dialog box, type Domain Password Policy for the Name, and then click OK.

    3. Under Group Policy Objects in the vancouver.contoso.com tree, right-click the Domain Password Policy GPO, and then click Import Settings.

    4. On the Import Settings Wizard, click Next to continue.

    5. On the Backup GPO screen, click Next to continue without backup as the GPO currently has no policy definitions.

    6. Accept the default backup folder, c:\windows, and then click Next to continue.

    7. Since the Domain Password Policy is the only current backup, it is selected by default. Click Next to begin importing the settings from this GPO.

    8. Click Next after the GPO is scanned for security principals, and then click Finish.

    9. When the Import Settings Wizard completes, click OK.

    To verify the vancouver.contoso.com Domain Password Policy


    1. Under Group Policy Objects in the vancouver.contoso.com tree, click Domain Password Policy, and then click Show All in the results pane. The settings should be identical to those shown in Figure 11.

    Figure 11. Domain Password Policy for vancouver.contoso.com


    GPO Modeling

    Group Policy Modeling

    Group Policy Modeling is a simulation of what would happen under circumstances specified by an administrator. It requires that you have at

    least one domain controller running Windows Server 2003 because this simulation is performed by a service running on a domain controller

    that is running Windows Server 2003.

    With Group Policy Modeling, you can either simulate the RSoP data that would be applied for an existing configuration, or you can perform

    "what-if" analyses by simulating hypothetical changes to your directory environment and then calculating the RSoP for that hypothetical

    configuration. For example, you can simulate changes to security group membership, or changes to the location of the user or computer

    object in Active Directory. Outside of GPMC, Group Policy Modeling is referred to as RSoP - planning mode.

    To simulate the effects of GPOs

    1. In the Group Policy Management window, click the minus sign (-) next to Domains to collapse the tree.

    2. Under the Forest: contoso.com tree, right-click Group Policy Modeling, and then click Group Policy Modeling Wizard.

    3. On the Group Policy Modeling Wizard screen, click Next.

    4. On the Domain Controller Selection screen, leave the default settings, and then click Next.

    5. On the User and Computer Selection screen, under User information, click User. Click Browse, type Christine under Enter object name to select, and then click OK. Select the Skip to the final page of this wizard without collecting additional data check box, and then click Next. Your settings should appear as shown in Figure 12.


    Figure 12. Group Policy Modeling Wizard

    6. On the Summary of Selections screen, click Next to start the simulation.

    7. Click Finish. The right pane will contain the simulation results.


    Additional Resources

    For more information, see the following resources.

    Download the Group Policy Management Console with Service Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en

    Administering Group Policy with GPMC Whitepaper at http://www.microsoft.com/windowsserver2003/gpmc/gpmcwp.mspx

    For the latest information about Windows Server 2003, see the Windows Server 2003 Web site at http://www.microsoft.com/windowsserver2003


    © 2005 Microsoft Corporation. All rights reserved.
