لطفا منتظر باشید ...
Publisher| Group PolicyTasks |
I'll then describe how to configure different types
of GPO settings. After that, we'll examine the RSoP
tool and I'll explain how to use it. Finally,
we'll look at how to use the new Group Policy
Management Console (GPMC) that can be downloaded from
Microsoft's web site.
Manage Group Policy
The procedures described here use
different consoles in different situations:
- To work with GPOs in a domain or OU
Open the Active Directory Users and Computers console
right-click on a domain or OU Properties Group
Policy tab- To work with GPOs in a site
Open the Active Directory Sites and Services console
right-click on a site Properties Group Policy
tab
If the context described is not clear in the procedures that follow,
the console to be used is explicitly stated; otherwise, the
appropriate console is assumed to be already open at the start of the
procedure. You typically work with GPOs by creating and linking them
to a specific container (site, domain, or OU) in Active Directory
using the consoles, but you can also open GPOs directly using the
Group Policy Object Editor (GPOE).
Create a GPO
To create a GPO, you must first
decide which container you want it to be linked to in Active
Directory. This can be either a site, domain, or OU. By default, a
GPO is automatically linked to the container on which it is created.
To create a new GPO, access the properties sheet for the desired
container using the appropriate MMC console and:Right-click on a container
Properties Group Policy New specify a nameOnce a GPO has been created, it must be configured (seeConfigure a GPO later in this section).
|
Open a GPO
Open a GPO using an MMC console
that has the Group Policy snap-in installed. You can do this in
different ways:
- Open the Active Directory Users and Computers (or Sites and Services)
console, right-click a domain or OU (or site) to which the GPO is
linked, and then select:Properties Group Policy select the GPO EditThis opens the GPOE console and displays the different configurable
settings of your selected GPO. - Add the Group Policy Object Editor snap-in to a new or existing MMC
console, and then open the GPO in it. For example:Start Run mmc
OK Console Add/Remove Snap-in Add Group Policy Object Editor Add
Browse select a GPO
Link a GPO
When you create a new GPO, it is
automatically linked to the site, domain, or OU that you selected for
creating it (see Create a GPO earlier in this
section). You can also link a selected container (Site, Domain, or
OU) to a GPO as follows:Right-click on a container
Properties Group Policy Add select {Domain | OU | Sites | All} as focus look in domain or different OU select a GPOThe Group Policy Object Links listbox displays all the GPOs that arecurrently linked to your container. To unlink a GPO from a container,
do the following:Right-click on the container
Properties Group Policy select a linked GPO Delete Remove this link from the list Display Links for a GPO
You can view the containers your GPO is linked to in Active Directory
as follows:Right-click on a container
Properties Group Policy select a GPO Properties Links select domain Find NowAlternatively, you can find links by opening the GPO in a GroupPolicy console (see Open a GPO earlier in this
section) and then:Right-click on the GPO's root node in the console tree
Properties Links select domain Find NowFilter a GPO
Right-click on a container
Properties Group Policy Properties Security select {user | group | computer} you want the GPO not to apply to clear the Read and Apply Group Policy checkboxesAlternatively, you can filter
a GPO in the Group Policy console (see Open a
GPO earlier in this section) and then:Right-click on the GPO's root node in the console tree
Properties Security continue as beforeForce a GPO
Right-click on a container
Properties Group Policy select a GPO Options select No OverrideAny settings in this GPO are now applied to the entire subtree of theActive Directory hierarchy beneath the selected container, regardless
of any other GPOs linked to containers in the subtree.
Block GPO Inheritance
Right-click on a container
Properties Group Policy select Block Policy InheritanceBlocking GPO inheritance prevents settings from GPOs linked toparent containers from being inherited by the selected child
container. The exception is if parent GPO settings are forced (see
Force a GPO earlier in this section).
Delegate Control of a GPO
Administrators can give trusted users
administrative control over a GPO linked to a container. These users
can manage the GPO settings even if they don't have
administrative privileges over the container itself. Management is
limited to modifying GPO settings and not creating new GPOs linked to
the container. To do this:Right-click on a container
Properties Group Policy select a GPO Properties Security Add select user account Add select user account allow Read and Write permission Or you can open the GPO in a Group Policy console and then:Right-click on the GPO's root node in the console tree Properties Security continue as before
|
Disable a GPO
Right-click on the container
Properties Group Policy select a linked GPO Options select DisabledDisabling a GPO lets youmodify its settings without worrying about having these modifications
applied until you are ready.
Delete a GPO
Right-click on the container
Properties Group Policy select a linked GPO Delete Remove the link and delete the Group Policy Object permanently Deleting a GPO deletes all the links between that GPO and differentcontainers.
Configure a GPO
To configure the settings
of
a GPO, first open it for editing and then configure settings by
double-clicking on them. The kind of configuration you can perform on
a setting depends on the type of setting involved.
|
Configure Administrative Templates Settings
These settings usually have three states you can choose from:
- Enabled
The setting is applied when Group Policy is applied.- Disabled
The setting is removed when Group Policy is applied.- Not configured
The setting is ignored when Group Policy is applied.
Of course, the actual results of configuring an administrative
template setting depend on the number of different GPOs applied, the
containers they are linked to, whether GPO inheritance is blocked or
forced, and so on. In addition to specifying the state, many
administrative template settings require further information as well,
depending on the type of operating-system function being controlled.
Configure Folder Redirection Settings
Before you can configure the settings on a redirected folder, you
need to redirect it as described in the following procedures. To
configure a redirected folder:User Configuration
Windows Settings Folder Redirection right-click on a folder to redirect Properties Settings If you want a user to have exclusive rights to her redirected folder,select "Grant the user exclusive
rights." If multiple users will be sharing the same
redirected folder, clear this setting. If you later unlink the GPO
containing the folder-redirection policies from the OU where the
users reside in Active Directory, you can specify whether to leave
folders in their present (redirected) location or restore them to the
local user profile for each user.
Redirect All Users' Folders to the Same Share
User Configuration
Windows Settings Folder Redirection right-click on a folder to redirect Properties Target Setting Basic \\<server>\<share>For example, you could redirect the Start menu folder to\\<server>\<share> for all users and
set the NTFS permission to Read for the Users group on the
<share> folder. In this way, all
your users will have a common, standard Start menu that they can use
but not modify.
Redirect Each User's Folders to a Different Share
User Configuration
Windows Settings Folder Redirection right-click a folder to redirect Properties Target Setting Basic \\<server>\<share>\%<username>%Using the %<username>% replaceablevariable in this case causes a separate subfolder named
%<username>% to be created for each user
within <share>.
Redirect Folders Based on Group Membership
User Configuration
Windows Settings Folder Redirection right-click on a folder to redirect Properties Target Setting Advanced Add Security Group Membership Browse select a group OK Target Folder Location \\ <server>\<share>\<folder> The option "Move the contents of Application Data tothe new location" should be selected on the Settings
tab; otherwise, redirection will not occur!
Configure Script Settings
Use these three steps to implement a startup/shutdown/logon/logoff
script using Group Policy:
- Create the script file using Notepad or some other editor.
- Copy the script file to the GPT for the GPO in the SYSVOL share. This
is necessary because the script file must be stored in the GPT so the
GPO can run it when Group Policy is applied to the client. A simple
way to copy the script file to the correct GPT folder is to do the
following:Right-click on the script file in Windows Explorer or My Computer select CopyOpen the GPO that will run the script (see Open a
GPO earlier in this section) and:- For startup/shutdown scripts
Computer Configuration Windows Settings Scripts- For logon/logoff scripts
User Configuration Windows Settings ScriptsDouble-click on the appropriate policy in the details pane to open
its properties sheet, and click Show Files to open a window for the
script folder in the GPT. Then paste the script into the GPT window.
- Finally, add the script to the GPO by opening the properties sheet of
the scripts setting and:Add Browse select script OK specify parameters needed for the script to run (optional)
If a startup or logon script fails to terminate properly, it must
time out before another startup script can execute. The default
timeout value is 10 minutes, which means that if your startup script
has a problem, users are going to be pretty frustrated. You can
configure the timeout value using the following GPO setting which
applies globally to all scripts:Computer Configuration
Administrative Templates System Logon Maximum wait time for Group Policy scriptsIf multiple startup scripts are configured, they execute in the orderin which they are listed on the Script tab of Startup Properties.
|
Configure Security Settings
You can configure security settings at the local, domain, or
domain-controller level. The settings you configure may be overridden
by Group Policy, however, depending on how Group Policy has been
configured.
Configure a Local Security Policy
Open the Local Security Policy console
expand console tree and select a policy container double-click on a policy setting in details pane configure setting as desired The changes you make to a Local Security Policy are appliedimmediately to the local machine.
Configure a Domain Security Policy
Start
Administrative Tools Domain Security Policy modify settings as desiredA better method is to create custom GPOs linked to the domain andselected OUs using Active Directory Users and Computers. You then
configure the security settings in each GPO as desired by opening the
GPO and:Computer Configuration
Windows Settings Security Settings modify settings as desiredConfigure Software-Installation Settings
Prior to configuring your method of software deployment, you need to
perform the following preparatory steps:
- Create or obtain a Windows Installer package
A Windows Installer package (an .msi file) must
first be created or obtained for the application you want to remotely
deploy on your client computers. You may obtain a package from
Microsoft or a third-party vendor, or you may create your own package
using a third-party packaging tool.
|
- Create a software distribution point
Share a folder on a file server on your network, and assign users
Read and Execute permissions on the contents of the share. Create a
subfolder that has the same name as the application you want to
deploy, and store the .msi package file and any
other files required for the application in the subfolder.- Create or edit a GPO
If you want to deploy software for all user or computer objects
within a container (a site, domain, or OU), you need to create a new
GPO and link it to the container or edit an existing GPO that is
linked to the container.
The remaining procedures assume that you have already opened the GPO
for editing unless otherwise specified.
Add a New Package for Deployment
Select {Computer | User} Configuration
Software Settings right-click on Software installation New Package select package Open At this point you have three options:- Assigned
This causes the application to be automatically deployed the next
time the user logs on (if User Configuration was chosen) or the
client computer boots up (if Computer Configuration was chosen). You
can further configure the package for deployment by right-clicking
the package in the details pane to open its properties sheet.- Published
This causes the application to appear as available for installation
in Add/Remove Programs in the Control Panel, as well as automatically
installed if the user double-clicks on a file whose file association
matches the application. You can further configure the package for
deployment by right-clicking the package in the details pane to open
its properties sheet.- Advanced published or assigned
This simply opens the properties sheet for the new package and lets
you configure the deployment method (assigned or published) and other
options.
After you add a new package, you can further configure the deployment
method, add software modifications, or create software categories.
See the relevant headings in this section for more details.
Add Software Modifications to a Package
You can add and remove software modifications only when you are
preparing to deploy the package. You can't add
software modifications to the application once it has been installed
on the client machines. Transform files (.mst
files) are typically supplied by the vendor that created the package:Select {Computer | User} Configuration
Software Settings Software installation right-click a package Properties Modifications Add select an .mst file Open If you have multiple software modifications added, they are appliedin the order displayed.
Change the Deployment Method for a Package
Select {Computer | User} Configuration
Software Settings Software installation right-click a package select a new deployment methodIf your package is assigned, you can change it to published. If it ispublished, you can either change it to assigned or leave it as
published but enable or disable automatic installation by users
double-clicking on the appropriate file association for the
application.
Configure Default Deployment Settings for All Packages
Select {Computer | User} Configuration
Software Settings right-click Software installation PropertiesThe key options to configure on these tabs are:- General
You can change the location where your packages are assumed to be
stored. The default location is on domain controllers in the relevant
GPT within the SYSVOL share:sysvol\<domain>\Policies\<GPT_GUID>\Machine\Scripts\Startup You can configure deployment options so that new packages are
automatically published or assigned by default, so that a dialog box
prompts whether you want to assign or publish the packages, or so
that the properties sheet for the package lets you configure its
deployment options in detail.The Basic installation, user-interface option enables automatic
installation using the default, Windows Installer, package settings.
Maximum allows users to manually specify the installation options
instead. Most .msi packages support both of
these options.If you want the application to be uninstalled automatically when the
GPO containing the software-installation policy no longer applies to
the users and computers for which it was configured (either by
unlinking the GPO from the OU or by moving users and computers to a
different OU), select "Uninstall the applications
when they fall out of the scope of management."- File extensions
See Modify File-Extension Priorities later in
this section.- Categories
See Create and Assign Software Categories later
in this section.
Configure Deployment Settings for a Package
Select {Computer | User} Configuration
Software Settings Software installation right-click a package PropertiesHere are the key options on the Deployment tab:- Deployment type
Lets you change how your software is deployed (either Assigned or
Published). If you choose Published, you can enable or disable either
or both of the two installation methods used to install published
software (by document activation or by using Add/Remove Programs).- Deployment options
Lets you choose to have the application installed automatically when
the GPO used to deploy software is unlinked from the OU or when the
user or computer objects are moved to a different OU where the GPO
doesn't apply.- Installation user-interface options
Basic installation provides automatic installation using the default
Windows Installer package settings, while Maximum lets you specify
installation options.- Advanced
Displays the product code for the application and advanced diagnostic
information.
Create and Assign Software Categories
To create a new category for software you are publishing:Select {Computer | User} Configuration
Software Settings right-click on Software installation Properties Categories Add enter a category nameOnce the category is created, you can assign it to a package:Select {Computer | User} Configuration Software Settings Software installation right-click on a package Properties Categories select a category SelectModify File-Extension Priorities
If you are deploying two different versions of an application that
creates files with the same file extension, you can specify which
extension's priority will be used to deploy
published software using document activation (i.e., double-clicking
on a document). To do this:Select {Computer | User} Configuration
Software Settings right-click on Software installation Properties File extensions use Up or Down buttonsThe application at the top of the list is installed. This affects allusers or computers that have the currently selected GPO applied to
them.
Redeploy Software
Use this procedure to apply a fix (service pack or patch) to a
deployed application. This works only if the fix comes as a Windows
Installer package file (an .msi file). First,
place the fix in the appropriate location (where the original package
file was placed). To apply the fix, open the GPO that was used to
deploy the application and:Select {Computer | User} Configuration
Software Settings Software installation right-click on a package All Tasks Redeploy application YesRemove Deployed Software
To remove deployed software:Select {Computer | User} Configuration
Software Settings Software installation right-click on a package All Tasks Remove You can either choose to have the application removed immediately(i.e., when users' client computers next reboot or
users next log on), or you can leave existing deployments as they are
and prevent any new deployments from occurring. Either action removes
the policy for the package from the Software Installation container
in the GPO but doesn't delete the package itself
from its distribution point. If you choose to leave existing
deployments intact, users may be able to delete them manually using
Add/Remove Programs in the Control Panel, depending on Group Policy
settings for their domain or OU.
Upgrade Deployed Software
To deploy a newer version of software you have already deployed using
Group Policy, add a new package for the upgraded version of the
software (see Add a New Package for Deployment
earlier in this section). Then do the following:Select {Computer | User} Configuration
Software Settings Software installation right-click on the new package Properties Upgrades Add Browse select package for previous version OK specify whether to uninstall previous application first or perform the upgrade over it The previous version may have been selected automatically with theright uninstallation/upgrade option. At this point, if you select the
option "Required upgrade for existing
packages," then a mandatory upgrade will be
performed, replacing the previous version with the new version when
the client computers boot up next or the user logs on next. If you
deselect this option, the upgrade is optional and users can choose
whether to continue working with the previous version or upgrade to
the new version.Note that upgrading a deployed application to a new version is
different from applying a service pack or a fix to the application.
To apply a service pack or fix to a deployed application, see
Redeploy Software earlier in this section.
Assign an Application
If you are deploying software on client computers using Windows
Installer technologies, Windows Installer packages are published
automatically in Active Directory when you add a new package to the
Software installation container in a GPO. Some packages,
howeverparticularly those you create using
.msi filesmust be published manually or
assigned in Active Directory, as follows:Right-click on the OU to which the GPO for deploying the application is linked
Properties Group Policy select the GPO Edit {User | Computer} Configuration Software Settings Software Installation New Package specify UNC path to share on file server where .msi file resides select .msi file Open select Assign Assigning the application results in its appearance in Add/RemovePrograms in the Control Panel for users or computers in the OU
where the GPO is configured to deploy the application.
Use RSoP
RSoP queries can be
run various ways to simulate the effect of
Group Policy on a domain, OU, or site. For example, to run an RSoP
query on a domain or OU:Active Directory Users and Computers
right-click on domain or OU All Tasks Resultant Set of Policy (Planning)This starts the RSoP Wizard that can be used to view simulated policysettings for a selected user and computer. You can either skip to the
end of the wizard immediately to see the result of your policies or
click Next to simulate slow WAN links or loopback processing, specify
a site, simulate the groups to which the user and computer might
belong, and specify WMI filters linked to the GPO. When the wizard
completes, the results of the RSoP query are displayed in a new
console.Next, you can run an RSoP query on a user or computer:Active Directory Users and Computers
right-click on computer or user All Tasks Resultant Set of Policy (Planning) or Resultant Set of Policy (Logging)Logging mode reviews the settings currently applied to a user orcomputer, while planning mode simulates the application of a Group
Policy you are considering:Logging mode
specify computer specify user view resultsPlanning mode starts Resultant Set of Policy WizardYou can also run an RSoP query on a site:Active Directory Sites and Services right-click on a site All Tasks Resultant Set of Policy (Planning)RSoP in planning mode lets you simulate the effect of Group Policywithout actually applying it, allowing you to see what would happen
if you selected the policy you are examining. You can also run RSoP
in logging mode, which displays the settings that result from
applying the current Group Policy to a specified user or computer. To
do this, you first create a custom MMC console containing the RSoP
snap-in:Start
Run mmc OK Add/Remove Snap-in Add Resultant Set of Policy AddNow do the following:Right-click on Resultant Set of Policy node Generate RSoP Data Logging Mode select {this computer | another computer (specify)} optionally display resulting user settings only select {this user | another user (specify)} optionally display resulting computer settings onlySave an RSoP Query
You can save RSoP queries for later analysis:RSoP query
View Archive data in console file File Save specify filenameChange an RSoP Query
If you want to rerun RSoP with a different user or computer, do this:Right-click on RSoP query
Change Query specify computer specify userView an RSoP Report in HTML
Finally, try this:Start
Help and Support Support Tasks Tools System Information View Advanced System Information View Group Policy Settings AppliedYou can print this!Manage Group Policy Using the GPMC
This section provides a brief overview
of Group Policy management tasks performed using Version 1.0 of the
GPMC, an optional add-on for WS2003 that can be downloaded from
Microsoft's web site. To open the GPMC console, do
one of the following:Administrative Tools
Active Directory Users and Computers right-click on a domain or OU Properties Group Policy OpenAdministrative Tools Active Directory Sites and Services right-click on a site Properties Group Policy
OpenAdministrative Tools Group Policy ManagementStart Run gpmc.mscYou can also add the Group Policy Management snap-in to a new orexisting MMC console to create your own custom tool for managing
Group Policy (see the "Microsoft Management
Console" sections later in this
chapter for more information).
|
Create a GPO
There are several ways to create
new GPOs using the GPMC. For example, to create a GPO and link it
automatically to a domain or OU, do this:Right-click on domain or OU
Create and Link a GPO Here specify name for new GPOTo create an unlinked GPO, do this:Select a domain right-click on Group Policy Objects New specify name for new GPODon't forget that the new GPO must first be linkedto a domain, OU, or site before it can be used.
Open a GPO
To open a GPO in the GPOE from
the GPMC, do this:Right-click on GPO
EditYou can also right-click on a GPO link to do thisnote that GPOlinks have shortcut icons to distinguish them from GPOs. A dialog box
appears when you click on a GPO link to remind you that actions you
perform affect the GPO and all links for that GPO.Here is a new way of displaying GPO settings in HTML format:Select a GPO or GPO link
Settings show settings as desiredNote that this displays only defined GPOsettings, together with other information about the GPO itself. If
the new Internet Explorer Enhanced Security Configuration component
is enabled, the first time you follow this procedure, a dialog box
appears prompting you to add the HTML page displayed to the Trusted
Sites zone. To save the HTML file for later viewing, do this:Right-click on a GPO or GPO link
Save ReportLink a GPO
To link an existing GPO to a
domain, OU, or site, do this:Right-click on domain, OU, or site
Link an Existing GPO select GPO(s) to linkYou can also drag and drop a GPO onto a domain, OU, or site to linkit. Once a GPO is linked, the link can be enabled or disabled anytime
using this toggle:Right-click on GPO link
Link EnabledDisplay Links for a GPO
To view which domains, OUs, or sites a GPO is linked to, do this:Select a GPO
Scope specify location LinksModify GPO Link Order
To modify the order in which multiple GPOs linked to a domain, OU, or
site are applied, do this:Select domain, OU, or site
Linked Group Policy Objects move up or downThe GPO with a link order of 1 has the highest precedence for thatdomain, OU, or site.
Scope a GPO
To scope a linked
GPO
(specify which users and computers will receive the settings in the
GPO), do this:Right-click on GPO
Scope Security Filtering Add users, groups, or computersEnforce a GPO
To force a GPO to apply to the entire subtree of Active Directory
beneath a domain, OU, or site, do this:Right-click on a GPO link
EnforcedTo undo this, repeat. A GPO link that is enforced displays with agray padlock on its icon. This procedure of enforcing a GPO link
corresponds to the No Override option in the standard Group Policy
interface that the GPMC replaces when it is installed.
Block GPO Inheritance
To prevent a domain,
OU, or site from inheriting GPOs from any parent container, do this:Right-click on domain, OU, or site
Block InheritanceTo undo this, repeat. When this is enabled, the domain, OU, or sitedisplays a blue exclamation point on its icon.
Delegate Group Policy
By default, the ability to
create
GPOs is a right of the Group Policy Creator Owners (GPCO) group, but
an administrator can also delegate this right to any other user or
group by adding the user or group to the GPCO group. Another way of
granting this right is by:Select Group Policy Objects
Delegation Add select user or groupTo delegate limited ability to manage specify aspects of GPOs, dothis:Select a GPO
Delegation Add select user or group specify permissionsPossible permissions are:- Read
- Edit Settings
- Edit Settings, Delete, Modify Security
You can also assign custom permissions by clicking the Advanced
button, which corresponds to the Security tab on the standard Group
Policy interface.To delegate the ability to manage certain aspects of GPOs and GPO
links using the GPMC, do this:Select a domain, OU, or site
Delegation Add select user or group select {This container | This container and all child containers} select permission {Link GPOs | Perform Group Policy modeling analyses Read Group Policy results data}This procedure can assign only one permission at a time, but you canrepeat it to assign multiple permissions to the same user or group.
Disable a GPO
You can disable all or part
(user or computer configuration) of a GPO by:Right-click on a GPO
GPO Status disable user, computer, or all configuration settings as desiredYou can also do this by:Select a GPO Details GPO Status disable user, computer, or all configuration settings as desiredDelete a GPO
To delete a GPO:Right-click on GPO
Delete Manage Multiple Forests
By default, the GPMC displays only
the forest to which the user account
running the console belongs. To use this tool to manage another
forest with which a two-way, cross-forest trust has already been
established, do the following:Right-click on root node
Add Forest specify DNS or NetBIOS name of remote forestYou can also remove a forest from the GPMC by right-clicking on theforest node and selecting Remove.
Back Up/Export a GPO
New to the GPMC is the ability
to
back up (or export) a GPO to a file:Right-click on a GPO
Backup specify location specify a nameTo view the defined settings of a backed-up GPO, do this:Right-click on Group Policy Objects Manage Backups select a backed-up GPO View SettingsYou can also back up GPOs from the command line using theBackupGPO.wsf and
BackupAllGPOs.wsf scripts installed with the
GPMC.
Restore a GPO
Restoring a backed-up GPO
resets
the GPO to the state it had before it was backed-up:Right-click on Group Policy Objects
Manage Backups select a backed-up GPO RestoreYou can also do this by:Right-click on the GPO Restore from Backup follow wizard to select backup fileYou can also restore GPOs from the command line using theRestoreGPO.wsf and
RestoreAllGPOs.wsf scripts installed with the
GPMC.
Import a GPO
You can import a GPO that
was
previously exported (backed up) to transfer GPO settings from a
backed-up GPO to a different existing GPO. This operation can be
performed within a domain, between domains, or between forests. To do
this:Right-click on a GPO
Import follow wizard to select backup fileYou can also import GPOs from the command line using theImportGPO.wsf and
ImportAllGPOs.wsf scripts installed with the
GPMC.
Copy a GPO
Copying a GPO is like backing
it
up or exporting it, except that the GPO is not saved as a file but
instead is used to create a new (identical) GPO:Right-click on a GPO
Copy right-click on the Group Policy Objects container in any domain in the forest Paste specify permissions {Use default permissions for the new GPO (default) | Preserve the existing permissions} If you copy a GPO to the same container in which it resides, itsresulting name will begin with "Copy
of." You can also copy GPOs between forests that
have two-way trusts established between them. You can also copy GPOs
from the command line using the CopyGPO.wsf
script installed with the GPMC.
|
Search for a GPO
New to the GPMC is the
ability
to search a forest for a GPO:Right-click on a forest
Search specify search range and criteriaPerform Group Policy Modeling
Group Policy Modeling corresponds
to RSoP planning mode and allows you to simulate how Group Policy
will be applied to a user or computer before you actually try
applying it. Group Policy Modeling uses a wizard as follows:Right-click on Group Policy Modeling
Group Policy Modeling Wizard select a WS2003 domain controller select a user or container and/or select a computer or container skip to end of wizard or configure advanced modeling optionsThe advanced options include:- Slow WAN link simulation
- Loopback processing (replace or merge)
- Select a site
- Modify alternate Active Directory paths for user and/or computer
containers - Modify user's and computer's
security group membership - Specify WMI filters for users and computers
The result of running the wizard is a saved query in the Group Policy
Modeling container. By right-clicking on this query, you can:
- Display the applied GPO settings in detail in RSoP console
- Rerun the query
- Create a new query based on the original one
- Save the results displayed in the details pane as an HTML report
Obtain Group Policy Results
Group Policy results correspond
to RSoP logging mode and let you obtain the actual resultant Group
Policy settings that have been applied to a user or computer (unlike
Group Policy Modeling, which is only a simulation). You obtain Group
Policy results using a wizard:Right-click on Group Policy Results
Group Policy Results Wizard select this computer or another computer optionally display resulting user settings only select {this user | another user (specify)} optionally display resulting computer settings onlyThe results node is placed in the Group Policy Results container, andby right-clicking on it, you can:
- Display the applied GPO settings in detail in the RSoP console
- Rerun the query
- Save the results displayed in the details pane as an HTML report
