Windows Server 2008 R2 Unleashed (124 page)

Policy Management Tools

Microsoft provides several different tools administrators can use to create and manage local and domain group policies. The operating system version the administrator is using to manage policies determines the functionality the tools provide. As an example, when new group policies are created using the Windows Server 2008 or Windows Server 2008 R2 Group Policy Management Console, the GPO folder utilizes the new ADMX/ADML templates, whereas the Windows XP and Windows Server 2003 tool uploads the original ADM template files into the GPO folder.

This section of the chapter details the tools provided with Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 to manage local and group policies.

Group Policy Management Console (GPMC)

The most functional and useful tool provided to create and manage Active Directory group policies is the Group Policy Management Console (GPMC), shown in Figure 19.13. The GPMC was introduced after the release of Windows Server 2003; the functionality included with different operating systems produces different options and resulting operations when creating and managing Active Directory group policies.

FIGURE 19.13 Examining the Group Policy Management Console.

CHAPTER 19 Windows Server 2008 R2 Group Policies and Policy Management

The GPMC is a Microsoft Management Console (MMC) snap-in and can be added to a custom console. The GPMC snap-in provides the most functionality for administrators who want to manage domain group policies. The GPMC provided with Windows Server 2008 R2 can perform the following Group Policy administrative functions:

• Enable starter GPO functionality and create new starter GPOs.
• Create new domain group policies.
• Create new group policies using starter GPOs as templates.
• Create and configure GPO links to sites, domains, and organizational units.
• View and manage GPOs in domains in the local and trusted Active Directory forests.
• Back up and restore a single GPO or all GPOs in a domain.
• Back up and restore a single starter GPO or all starter GPOs in a domain.
• Import group policies from external domains and migrate security settings using migration tables to ensure proper import functionality.
• Manage GPO link enforcement, enable links, and disable links.
• Configure the block inheritance settings for sites, domains, and organizational units.
• Manage GPO status to control which nodes in a GPO are enabled or disabled.
• Create and link WMI filters for GPOs.
• Manage GPO security filtering.
• Manage GPO delegation and administrative security.
• Manage the GPO order of processing on containers with multiple GPO links.
• View all configured settings of existing group policies and any additional information, such as the revision number, filtering, and delegation, and create exported reports of the configuration.
• Generate HTML reports used to summarize Group Policy configurations and settings.
• Run the Group Policy Modeling Wizard to determine how group policies will be applied to users or computers in specific containers.
• Run the Group Policy Results Wizard to investigate how policies have been applied to specific computer and/or user objects.

Many of the GPMC administrative functions in the previous list are detailed later in this chapter.

Group Policy Object Editor (GPOE)

The Group Policy Object Editor (GPOE), shown in Figure 19.14, is the tool used to edit local group computer and user policies. Each server and workstation computer has a default local security policy. This policy is accessed through the shortcut to the specific Local Security Policy MMC snap-in located in the Administrative Tools program folder. Now that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 support multiple local group policies, the GPOE must be used to manage or create any local group policies other than the default.

FIGURE 19.14 Examining the Group Policy Object Editor.

The GPOE is used to edit all of the configuration settings of a policy. This includes configuring security settings, installing software packages, creating restriction policies, defining the scripts used by computers and users, and many other functions.

Group Policy Management Editor (GPME)

To manage domain group policies, the Group Policy Management Editor (GPME) is used and provides the same functionality as the GPOE plus additional functionality only available with this tool. One of the biggest differences is that the GPME includes not only the Policy Settings node, but it also includes the Preferences Settings node, which is only available in domains. GPME is installed on Windows Vista and Windows 7 by downloading and installing the RSAT tools for the particular service pack and operating system. On Windows Server 2008 and Windows Server 2008 R2 operating systems, the group policy tools can be installed from the Add Features applet of Server Manager.

Group Policy Starter GPO Editor

The Group Policy Starter GPO Editor is used to edit starter GPOs created by Group Policy administrators. This console only shows the Administrative Templates nodes under the Computer Configuration and User Configuration sections of a starter GPO. By default, the settings available in the Administrative Templates sections are all that can be set in a starter GPO; however, Microsoft provides read-only starter GPOs for Windows Vista and Windows XP, and will later release starter GPOs for Windows 7, that can be downloaded and imported into the domain starter GPO repository. These starter GPOs include additional settings, such as security- and firewall-related settings. The Group Policy Starter GPO Editor is included with the Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 Remote Server Administration Tools.

Print Management Console

First introduced with Windows Server 2003 R2 edition, the Print Management console is used to manage Active Directory and local server and workstation printers. The Print Management console, shown in Figure 19.15, can be used to view settings, configure drivers and options, and manage printers and print jobs on a particular system or Active Directory–wide. The Print Management console can also be used to deploy printers to computers or users using the Deployed Printers node. Deploying printers is a function that extends Group Policy functionality to allow printers to be deployed to a predetermined set of user or computer objects to which a GPO is linked.

FIGURE 19.15 Examining the Print Management console.

The GPOE and the GPME on Windows Vista and Windows 7 include the Deployed Printers node beneath the Windows Settings node in both the Computer Configuration and User Configuration settings nodes. On Windows Server 2008 and Windows Server 2008 R2, the Print Management console must be installed from the Server Manager Features, Add Features link before the Deployed Printers node will be available in the Group Policy Editor consoles. If a policy contains printers defined in the Deployed Printers nodes, and the policy is viewed using the GPMC or GPME on Windows XP, the deployed printers will not be visible. Furthermore, if the policy is opened on a Windows Server 2003 R2 server on which the Print Management console has not been installed from Windows components, the Deployed Printers node will not be shown. As a best practice, only create GPOs to deploy printers using the GPMC and GPME on Windows Vista, Windows 7, and Windows Server 2008 R2 systems. To install the Print Management console on Windows Server 2008 R2, run the Add Features applet from Server Manager and select the Print and Document Services Tools from the Remote Administration Tools submenu.

gpupdate.exe

The gpupdate.exe tool is a command-line tool that assists administrators in troubleshooting GPO processing and initiating GPO processing on demand. Certain sections of group policies are only applied at computer startup and user logon, whereas others are applied at those times as well as during the periodic refresh interval. For the settings that apply only during computer startup and user logon, if network connectivity to the domain controllers is not available at that time, these settings might never be applied. Also, remote or mobile workstations, systems that are put to sleep or hibernated, and users logging on using cached credentials usually do not get these policies applied. This is where the new Network Location Awareness service for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 comes into play: it notifies the system when a domain controller becomes available, which triggers a Group Policy refresh cycle.

The gpupdate.exe tool provides the ability for user and computer policies to be applied immediately. One common use of this tool was to add gpupdate.exe to a VPN post-connection script to allow these settings to be applied to remote workstations that belong to the Active Directory infrastructure. This tool provides the following options:

• gpupdate.exe /Target:{Computer|user}—This option allows the tool to process only the specified node of the group policy.
• gpupdate.exe /Force—This option reapplies all policy settings. This option does not automatically reboot the computer or log off the users.
• gpupdate.exe /Wait—This option defines how many seconds to allow GPO processing to complete. The default is 600 seconds, or 10 minutes.
• gpupdate.exe /Logoff—This option logs off the user account after GPO processing has completed.
• gpupdate.exe /Boot—This option reboots the computer after Group Policy processing completes. This is to apply the GPO settings that are only applied during computer startup.
• gpupdate.exe /Sync—This option processes GPO settings that normally only occur during computer startup and user logon. This option requires that the administrator designate whether the system can restart the computer or log off the user.


PowerShell Management of Group Policies

With the release of Windows 7 and Windows Server 2008 R2, Microsoft has now added functionality to manage group policies with PowerShell. This functionality is automatically enabled once the Group Policy Management feature is installed on a Windows 7 or Windows Server 2008 R2 system. Microsoft has included 25 out-of-the-box PowerShell cmdlets for Group Policy. The cmdlets allow a Group Policy administrator to perform a number of different functions from within PowerShell, including, but not limited to, the following:

• Create new GPOs and create new starter GPOs.
• Create new GPO links.
• Restore or import GPOs.
• Remove GPOs and GPO links.
• Read and/or set the properties of an OU to inherit parent GPO links or to block
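As an added example that is not from the book, the following script walks through several of the functions just listed with the GroupPolicy module's cmdlets: it creates a starter GPO, builds a domain GPO from it, links the GPO to an OU, reads the OU's inheritance state, backs the GPO up, and writes an HTML report. The GPO names, the OU distinguished name and the backup folder are assumed for illustration.

```powershell
# Added example (not from the book): provisioning a baseline GPO from a starter GPO
# with the Windows Server 2008 R2 GroupPolicy module. All names and paths are assumed.
Import-Module GroupPolicy

$starterName = 'Workstation Baseline Starter'
$gpoName     = 'Workstation Baseline'
$ouPath      = 'OU=Workstations,DC=example,DC=com'   # assumed OU
$backupPath  = 'C:\GPOBackups'                        # assumed backup folder

# 1. Starter GPO: an Administrative Templates-only template that new GPOs copy from.
if (-not (Get-GPStarterGPO -Name $starterName -ErrorAction SilentlyContinue)) {
    New-GPStarterGPO -Name $starterName -Comment 'Baseline admin-template settings' | Out-Null
}

# 2. Create the domain GPO from the starter GPO, reusing an existing one if present.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -StarterGpoName $starterName -Comment 'Created from starter GPO'
}

# 3. Link it to the OU, enabled but not enforced, so a lower-level GPO can still override it.
New-GPLink -Guid $gpo.Id -Target $ouPath -LinkEnabled Yes -Enforced No -ErrorAction SilentlyContinue | Out-Null

# 4. Inheritance: report whether the OU blocks parent links and list what applies to it.
$inh = Get-GPInheritance -Target $ouPath
"Block inheritance on {0}: {1}" -f $ouPath, $inh.GpoInheritanceBlocked
$inh.InheritedGpoLinks | Select-Object Order, DisplayName, Enabled, Enforced

# 5. Back the GPO up before anyone edits it; Restore-GPO can bring this copy back later.
if (-not (Test-Path $backupPath)) { New-Item -ItemType Directory -Path $backupPath | Out-Null }
$backup = Backup-GPO -Guid $gpo.Id -Path $backupPath -Comment 'Post-provisioning baseline'
"Backup {0} written for {1}" -f $backup.Id, $backup.DisplayName

# 6. HTML report of the configured settings for review, the same report the GPMC generates.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path (Join-Path $backupPath "$gpoName.html")
```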
