How To: Setting Up Active Directory Group Policies
March 10, 2006
The Group Policy Management Console SP1 (GPMC SP1) is a free download from Microsoft that addresses several shortcomings of the Group Policy management interface in Windows. GPMC separates where the GPOs actually live in the domain from the places where they are linked. So, for any given GPO, it's easy to determine where it's being used in AD and what policy settings are configured without having to open the Group Policy Object Editor. In addition, it lets the system administrator easily view the GPOs linked at the site, domain and OU levels, along with the processing order of the GPOs at those levels. Bottom line: this new user interface offers a clearer relationship between GPOs and the containers (AD site, domain or OU) where they are actually being targeted.
You also can more easily perform backups and restores of GPOs with GPMC, something severely lacking in the native GP management interface in Windows. It's also easy to manage multiple domains from within the GPMC and move GPOs from one domain to another. This feature is also useful if you need to test your GPOs on a separate domain and then migrate them into the production domain once they've been given a clean bill of health.
Despite the major improvements GPMC brings to Group Policy, there are still many complicated and counter-intuitive elements you'll have to contend with. Regardless of whether you click on the GPO link or the GPO itself in GPMC, you're manipulating the same thing: the GPO. There are only three things you can do to a GPO link without affecting the underlying GPO. First, you can toggle the link between enabled and disabled, thereby controlling whether the GPO is applied to the target container. Second, you can delete the link, which removes its association with the container. And third, you can enforce the GPO link. By enforcing the link, you're telling AD to process the GPO last, so its settings win any conflict. This setting is often used to prevent OU-level administrators from overriding domain-level policy settings set by a higher-ranking administrator.
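The link operations and the backup/migration workflow described above, as an added example that is not part of the original article and not GPMC SP1 itself: it uses the GroupPolicy PowerShell module that Microsoft shipped with later GPMC/RSAT releases, and the domain, OU, GPO name and backup path are placeholders.

```powershell
# Added example (not from the original article). Assumes the GroupPolicy
# module from a later GPMC/RSAT release; all names and paths are placeholders.
Import-Module GroupPolicy

$domain = 'corp.example.com'                              # placeholder domain
$ou     = 'OU=Workstations,DC=corp,DC=example,DC=com'     # placeholder OU
$gpo    = 'Workstation Lockdown'                          # placeholder GPO name

# 1. The GPO is one object in the domain; its links are found per container.
Get-GPO -Name $gpo -Domain $domain |
    Select-Object DisplayName, Id, GpoStatus, ModificationTime

# Links that apply at the OU, including those inherited from the domain and
# site, in precedence order: Order 1 is applied last and wins any conflict.
$inh = Get-GPInheritance -Target $ou -Domain $domain
$inh.InheritedGpoLinks |
    Sort-Object Order |
    Select-Object Order, DisplayName, Enabled, Enforced, Target

# 2. The three link-only operations from the article. None of them touches
#    the GPO's settings, only how this container uses the GPO.
Set-GPLink -Name $gpo -Target $ou -Domain $domain -LinkEnabled No   # disable the link
Set-GPLink -Name $gpo -Target $ou -Domain $domain -LinkEnabled Yes  # re-enable it
Set-GPLink -Name $gpo -Target $ou -Domain $domain -Enforced Yes     # enforce: processed last
# Remove-GPLink -Name $gpo -Target $ou -Domain $domain               # delete link; GPO remains

# 3. Review: list every enforced link this OU receives, since an enforced
#    link overrides settings made by lower-level administrators.
$inh.InheritedGpoLinks | Where-Object Enforced | ForEach-Object {
    "Enforced: '$($_.DisplayName)' linked at $($_.Target)"
}

# 4. Backup, then migrate into another domain once the GPO has been tested.
$backupDir = 'C:\GPOBackups'                              # placeholder path
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
Backup-GPO -Name $gpo -Domain $domain -Path $backupDir -Comment 'Pre-change backup'
# Import-GPO -BackupGpoName $gpo -TargetName $gpo -Path $backupDir `
#     -Domain 'prod.example.com' -CreateIfNeeded          # placeholder target domain
```

Run it from an account with Group Policy edit rights; the commented-out `Remove-GPLink` and `Import-GPO` lines are left inactive so the script is safe to execute as a read-and-backup check.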