Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] - text version
Roberta Bragg

Group Policy: Tools

Together with the complexity of Group Policy comes a plethora of
tools for administering it.

GUI Tools


First, let's summarize the various
GUI tools included in WS2003 for managing Group Policy:

Active Directory Users and Computers



This console can be used to create, delete, edit, and link GPOs to
domains and OUs.


Active Directory Sites and Services



This console can be used to create, delete, edit, and link GPOs to
sites.


Group Policy Object Editor (GPOE)



This MMC snap-in is used to edit the settings of existing GPOs, but
you can't use it to create a new GPO. This snap-in
was named Group Policy in W2K.


Local Security Policy



This console can be used on standalone and member servers to view and
configure the security settings of the local GPO. On a domain member it
shows both the local setting and the effective setting: any setting
delivered by a domain, site, or OU GPO overrides the local value and
can't be changed here.


Domain Controller Security Policy



This console can be used on domain controllers to view and edit the
security settings of the Default Domain Controllers Policy GPO, which is
linked to the Domain Controllers OU.


Domain Security Policy



This console can be used on domain controllers to view and edit the
security settings of the Default Domain Policy GPO, which is linked to
the domain and so applies to every computer in it.


Resultant Set of Policies (RSoP)



This MMC snap-in is new to WS2003 and can be used to analyze how GPOs
combine to produce effective settings on the local machine. RSoP can
run in one of two modes:

Planning Mode



Simulates the effect of Group Policy without actually applying it


Logging Mode



Obtains the results of Group Policy that have been applied





Related Security Tools


The use of two other MMC snap-ins has a bearing on Group Policy:

Security Configuration and Analysis



Analyzes and configures security on the local computer


Security Templates



Defines security templates that can be imported into the Security
Settings of a GPO to define its security settings



These tools are discussed later in this chapter under Security Templates.

Command-Line Tools


Useful command-line tools for
managing Group Policy include
gpupdate, which refreshes Group Policy settings
(replacing secedit /refreshpolicy used in W2K), and
gpresult, which displays the RSoP settings for a
target user on a specified computer. See gpupdate
and gpresult in Chapter 5 for
more information.

Group Policy Management Console (GPMC)


The fact that the GUI tools for managing
Group Policy aren't well-integrated and have no
provision for backing up, exporting, or copying GPOs can make
managing Group Policy difficult in a large enterprise environment
with multiple domains and sites and a large OU hierarchy. To
alleviate this problem, Microsoft has released a new integrated tool
for administering Group Policy called the Group Policy Management
Console (GPMC). Unfortunately, this tool was developed too late to be
included with the Gold Release of the WS2003 product CD, but it is
downloadable from Microsoft's web site at
www.microsoft.com/downloads/ and
is free, provided you comply with the licensing agreement, which
requires that you have at least one WS2003 license. Note that you
don't have to actually have a WS2003 machine
installed; just having a license is sufficient. See the GPMC EULA for
details.

Features of GPMC


The GPMC can be installed on either a WS2003 machine or on a client
computer running Windows XP Professional with SP1 or later. Once
installed, the GPMC replaces the Group Policy tab of the properties
sheet with a domain or OU in Active Directory Users and Computers or
with a site in Active Directory Sites and Services. If desired, GPMC
can be uninstalled later by rerunning the downloaded

GPMC.msi Windows Installer file to restore the
original Group Policy tab for these consoles. The new GPMC console
can be used to:

  • Manage GPOs and GPO links for domains, sites, and OUs. The GPMC can
    also manage Group Policy across multiple forests even if there is no
    trust relationship between them.

  • Model and report RSoP in HTML format.

  • Back up and restore GPOs.

  • Export and import GPOs.

  • Copy GPOs.

  • Perform script operations on GPOs (but not on actual GPO settings).

  • Manage WMI filters for GPOs. WMI filters let administrators who write
    queries for Windows Management Instrumentation (WMI) dynamically determine
    the scope of GPOs based on attributes of the target computer, such as
    operating system version or installed software. Note that only WS2003
    and XP clients evaluate WMI filters; a W2K client ignores the filter and
    applies the GPO anyway. WMI is an interesting feature, but beyond the
    scope of this book.


The GPMC isn't used to configure actual GPO
settings; this is still done using the Group Policy Object Editor
(GPOE) snap-in (see Configure a GPO in Group Policy: Tasks).

GPMC Console Tree


The hierarchical structure of the GPMC console tree typically looks
like this:

Group Policy Management
    Forest: DNS_name_of_forest
        Domains
        Sites
        Group Policy Modeling
        Group Policy Results


The pattern repeats if there are additional forests under the root
Group Policy Management node. The four nodes under Forest are
described next in detail.

Domains


The Domains container displays a flat list of each domain in the
forest regardless of its parent domain or tree. The container for
each individual domain typically looks like this:

Domain
    GPO links to domain...
    OUs...
    Group Policy Objects
    WMI Filters

At a minimum, the GPO link to the Default Domain Policy is
displayed under the Domain node, which displays the domain using its
DNS name. Each OU can also contain one or more GPO links to the OU
(if there are any), while the Group Policy Objects container holds
the actual GPOs created within the domain. Note that GPO links are
displayed using shortcut icons to distinguish them from GPO objects:
deleting a link only unlinks the GPO, whereas deleting the object under
Group Policy Objects removes it from every site, domain, and OU it is
linked to.

Sites


The Sites container can display a flat list of all sites in the
forest. By default, however, it displays nothing when selected,
since querying Active Directory across the enterprise to determine
information about all sites in the forest can take some time if slow
WAN links are involved. To make particular sites visible, right-click
on the container and select Show Sites. Like domains, all sites are
displayed as peers of one another.

Group Policy Modeling


This node provides similar functionality to RSoP running in planning
mode and lets you simulate or model how Group Policy settings are
applied to users and computers without actually applying the
settings. Note that this node isn't present if a W2K
forest is selected; the node is visible only if the selected forest
has at least one WS2003 domain controller present in it, in
other words, if the Active Directory schema of the forest has been
extended to the WS2003 level.

Group Policy Results


This node provides similar functionality to RSoP running in logging
mode and lets you query target users and computers to obtain
information about existing Group Policy settings. Note that while
this node is present regardless of whether the schema is WS2003 or
W2K, the node can display RSoP results only on
target computers running either WS2003 or XP.
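The following PowerShell script is an added example, not code from the book, showing what the "script operations", backup and reporting items in the GPMC feature list, the GPO links shown under the Domains node, and the Group Policy Results node look like when driven through the GPMC scripting interface (the GPMgmt.GPM COM object that GPMC.msi registers). The domain name, backup folder and RSoP target are assumed placeholders; the script assumes GPMC is installed on the machine it runs on, that the caller can read the GPOs, and that the caller is a local administrator on the RSoP target.

```powershell
# Added example (not from the original text): audit, back up and report on
# Group Policy through the GPMC COM interface (GPMgmt.GPM).
# Assumptions: GPMC is installed locally; $Domain, $BackupDir and the RSoP
# target are placeholders to replace with real values.
param(
    [string]$Domain       = "corp.example.com",             # assumed domain
    [string]$BackupDir    = "C:\GPOBackups",                 # assumed folder
    [string]$RsopComputer = $env:COMPUTERNAME,               # must run WS2003 or XP
    [string]$RsopUser     = "$env:USERDOMAIN\$env:USERNAME"
)

$gpm   = New-Object -ComObject "GPMgmt.GPM"
$const = $gpm.GetConstants()
# UseAnyDC lets GPMC choose a DC; the console itself defaults to the PDC emulator.
$dom   = $gpm.GetDomain($Domain, "", $const.UseAnyDC)

# 1. Links on the domain itself (the "GPO links to domain..." node).
#    A scope of management (SOM) is addressed by its distinguished name;
#    for the domain that is just the domain's DN.
$domainDN = ($Domain.Split(".") | ForEach-Object { "DC=$_" }) -join ","
$som = $dom.GetSOM($domainDN)
"Links on $domainDN (inheritance blocked: $($som.GPOInheritanceBlocked))"
foreach ($link in $som.GetGPOLinks()) {
    $gpo = $dom.GetGPO($link.GPOID)
    # An enforced link overrides lower-level links and "Block Inheritance";
    # a disabled link is still listed, so check Enabled before trusting it.
    "{0,3}  {1,-40} enabled={2,-5} enforced={3}" -f $link.SOMLinkOrder, $gpo.DisplayName, $link.Enabled, $link.Enforced
}

# 2. Back up every GPO in the domain and write an HTML settings report next to
#    the backup. OverallStatus() throws if any part of the operation failed, so
#    each GPO is checked on its own rather than assuming the loop succeeded.
$null = New-Item -ItemType Directory -Path $BackupDir -Force
$gpos = $dom.SearchGPOs($gpm.CreateSearchCriteria())
"Found $($gpos.Count) GPOs in $Domain"
foreach ($gpo in $gpos) {
    try {
        $res = $gpo.Backup($BackupDir, "scripted backup $(Get-Date -Format s)")
        $res.OverallStatus()
        $rep = $gpo.GenerateReportToFile($const.ReportHTML, (Join-Path $BackupDir "$($gpo.ID).html"))
        $rep.OverallStatus()
        "backed up  $($gpo.DisplayName)  $($gpo.ID)"
    } catch {
        Write-Warning "FAILED $($gpo.DisplayName): $($_.Exception.Message)"
    }
}

# 3. Logging-mode RSoP (what the Group Policy Results node does): read the
#    policy actually applied to a user on a computer and save it as HTML.
#    Like the console, this only works against WS2003 or XP targets.
$rsop = $gpm.CreateRSOP($const.RSOPModeLogging, "", 0)
$rsop.LoggingComputer = $RsopComputer
$rsop.LoggingUser     = $RsopUser
$rsop.CreateQueryResults()
$rsop.GenerateReportToFile($const.ReportHTML, (Join-Path $BackupDir "rsop-$RsopComputer.html")).OverallStatus()
$rsop.ReleaseQueryResults()
"RSoP report for $RsopUser on $RsopComputer written to $BackupDir"
```

Two points worth noting. The backup folder now holds every GPO's security settings, including account policies and user rights assignments, so protect it with the same care as a domain controller backup. And the link listing deliberately prints Enabled and Enforced next to the link order, because a GPO that appears linked at the domain but is disabled or outranked by an enforced OU link is one of the most common reasons an expected security setting never reaches a machine.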

To see what the GPMC can actually do, see Manage Group Policy Using GPMC
in the next section.
