Group Policy - 1
Group Policy
Each new operating system brings with it a paradox. On the one hand the new version is meant to be easier, whilst on the other hand it brings more features to master, more sub-menus to explore and more settings to configure. When I apply this paradox to Group Policies, my conclusion is this: Windows 2003 produces a significantly better managed desktop than NT or even Windows 2003; however, Group Policies are more difficult to master because there are more features, components and settings.
The concept behind Group Policies is that administrators configure settings just once, and then the settings apply continuously to the users. Furthermore, you can apply Group Policies to computers; the benefit is that you can control the settings no matter who logs on. Such a locked-down machine is often referred to as a 'Kiosk'.
The old saying 'Prevention is better than cure' definitely applies to Group Policies. A good Group Policy provides greater productivity for the users, and reduces your time fixing silly problems. Think of all the damage and time wasting caused by users fiddling with Control Panel settings.
GPMC (Group Policy Management Console)
Remember that Microsoft designed the GPMC for Windows Server 2003 rather than W2K. The GPMC unifies Group Policy management across your Active Directory forest. Before the GPMC, administrators needed multiple tools to manage Group Policy: Active Directory Users and Computers, the Delegation Wizard, and the ACL Editor. Not only does the GPMC integrate the existing Group Policy tools, it also brings the following exciting new capabilities:
- A user interface that makes it easier to create and edit each Group Policy.
- New WMI filtering means that you can apply policies to a particular machine, or only if there is enough disk space.
- Interfaces to back up, restore, import, and copy Group Policy Objects (GPOs).
- Simplified management of Group Policy-related security.
- Reporting for GPO settings and Resultant Set of Policy (RSoP) data.
Right from the outset, GPMC gives you the big picture. The GUI encourages you to survey the range of places to look for Group Policies, from the Forest at the top, through to the Domain and down to the Sites. The OU Group Policies are hidden under the domain. Note that OUs have a little book symbol that is absent from container objects such as Users, Builtin and Computers. What this means is that if you see the book symbol then you can create a Group Policy, whereas if all you see is a blank yellow folder, then you cannot create a Group Policy at that location. The GPMC also lists any Models or Policy Results.
RSoP Snap-in (Resultant Set of Policy)
Microsoft provide a snap-in called RSoP for showing a given combination of policy settings. I find that if you install the GPMC, then you do not really need this RSoP. However, if you have Windows 2000 and no GPMC then the RSoP is intuitive to use and comes in two modes:
- Logging mode. In logging mode, the RSoP snap-in tracks the policies that you apply. In this mode, the tool shows the actual policies for a given user or computer.
- Planning mode. In planning mode, the snap-in indicates the set of policies that would be applied if you deployed the policy. You can perform what-if analyses on the user and computer, the domain, and the organizational unit.
Gpupdate
I am so pleased that Windows 2000's Secedit has been superseded by Gpupdate on XP; the old Secedit syntax was horrendous. Mostly, I just run plain Gpupdate in a 'Dos Box'. Occasionally, I append the following switches:
- /force reapplies all settings.
- /target:computer or /target:user applies only the user or computer section of your policy. Normally I would use plain Gpupdate without the optional target switch.
- /logoff Useful for settings that do not apply until the user logs on again.
- /boot Handy for configurations which need the computer to restart.
N.B. /boot does not mean apply the settings every time the computer reboots.
Gpresult
While I prefer the GPMC console above, Gpresult is a handy command line utility to display the results of Group Policy. What I particularly like is the /user switch. Take the example where you are logged on as the administrator, but wish to test the settings of a user called Psycho. Rather than log off and then log on as that user, just type: gpresult /USER psycho. Do remember the /USER. This command would be a mistake: gpresult /psycho.
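To turn a Gpresult run into a pass/fail check, read the 'Applied Group Policy Objects' list and the filtered-out list and compare them with the GPOs you expect. This is an added example, not part of the original article; the sample text, GPO names and DN are constructed, and the indentation (headings at 4 spaces, GPO names at 8) is assumed to match your gpresult output.

```powershell
# Added example. $sample is constructed text laid out like gpresult's USER SETTINGS part.
# Live use: $lines = gpresult /USER psycho /SCOPE USER /V
$sample = @'
USER SETTINGS
--------------
    CN=psycho,OU=Kiosks,DC=example,DC=com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Kiosk Lockdown

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Control Panel Restrictions
            Filtering:  Denied (Security)
'@

function Get-GpoStatus {
    param([string[]]$Lines)
    $section = $null; $last = $null; $results = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*-*\s*$') { continue }          # blank line or underline
        $indent = ($line -replace '\S.*$', '').Length
        $text   = $line.Trim()
        if ($indent -le 4) {                                  # heading: pick the section
            $section = switch -Wildcard ($text) {
                'Applied Group Policy Objects'         { 'Applied' }
                'The following GPOs were not applied*' { 'Filtered' }
                default                                { $null }
            }
            continue
        }
        if (-not $section) { continue }
        # A "Filtering:" line gives the reason for the GPO listed just above it.
        if ($text -match '^Filtering:\s*(.+)$') { if ($last) { $last.Reason = $Matches[1] }; continue }
        $last = [pscustomobject]@{ Name = $text; State = $section; Reason = $null }
        $results += $last
    }
    $results
}

$status = Get-GpoStatus -Lines ($sample -split "`r?`n")
foreach ($gpo in 'Kiosk Lockdown', 'Control Panel Restrictions') {
    $hit = $status | Where-Object { $_.Name -eq $gpo }
    if ($hit -and $hit.State -eq 'Applied') { "APPLIED     $gpo" }
    else { "NOT APPLIED $gpo ($($hit.Reason))" }
}
```

A lockdown GPO that shows up as filtered out, or not at all, means the restriction is not in force for that user, whatever the GPMC link view suggests.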
Dcgpofix
This handy command line utility restores the two default Group Policy objects (Domain and Domain Controllers) to their original state. You find this 'get out of jail card', Dcgpofix, in the \windows\repair folder. However, because the \windows folder is in the 'Path' you can just run Dcgpofix in a 'Dos Box'.
Syntax and Switches
dcgpofix [/ignoreschema] [/target: {domain | dc | both}]
Example: dcgpofix /target:domain
Caution
This tool will restore the default domain policy and also the default domain controllers policy to their state just after installation. Naturally, when you run dcgpofix, you lose all changes made to these Group Policies.
By specifying the /ignoreschema parameter, you can enable Dcgpofix.exe to work with different versions of Active Directory. However, default policy objects might not be restored to their original state. To ensure compatibility, use the version of Dcgpofix.exe that is installed with the operating system.
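Because Dcgpofix discards every change made to the two default policies, take a restorable backup and a readable settings report of both before running it. This is an added example, not part of the original article; it assumes the GroupPolicy PowerShell module that comes with GPMC on later Windows Server releases, and C:\GPOBackups is a placeholder path.

```powershell
# Added example: snapshot both default GPOs before dcgpofix resets them.
# Assumes the GroupPolicy module is installed and the account can read and back up GPOs.
$ErrorActionPreference = 'Stop'        # halt if any backup step fails
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackups'          # placeholder path
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$target     = Join-Path $BackupRoot "pre-dcgpofix-$stamp"
New-Item -ItemType Directory -Path $target -Force | Out-Null

$defaults = 'Default Domain Policy', 'Default Domain Controllers Policy'
foreach ($name in $defaults) {
    # Backup-GPO writes a restorable copy of the GPO into $target.
    $backup = Backup-GPO -Name $name -Path $target -Comment "Before dcgpofix $stamp"

    # Get-GPOReport writes a readable record of the settings that are about to be lost.
    $report = Join-Path $target ("{0}.html" -f ($name -replace '\s', '_'))
    Get-GPOReport -Name $name -ReportType Html -Path $report

    "{0}: backup id {1}, report {2}" -f $name, $backup.Id, $report
}

# Only once both backups exist, run the reset by hand:
#   dcgpofix /target:both
# To bring back the customised policy later:
#   Restore-GPO -Name 'Default Domain Policy' -Path $target
```

The HTML reports also serve as a checklist of the password, lockout and user-rights settings that need to be reapplied after the reset.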