Our source domain, AMRVM, has three global groups of interest: AMRVM Security Spooks, AMRVM Capacity Planning, and Server Operations. We need to map these groups to the destination groups GERVM Security Spooks, GERVM Capacity Planning, and Server Operations in the GERVM domain. Right-click the Destination Name field in the MTE and choose Browse. This action launches the AD object picker. Click the Locations button, enter all or part of the destination groups' names, then click Check Names or press Enter. When you select the object and click OK, the wizard enters the groups, in user principal name (UPN) format, into the Destination Name field.
Because Server Operations (this isn't the Server Operators built-in group) has the same name in both the source and destination domains, right-click the Destination Name field, and choose Set Destination, Map By Relative Name, as Figure 3 shows. When you specify this mapping option, the GPMC will look for a security principal in the destination domain that has the same relative name and will replace the source security principal in the policy with the destination security principal.
The migration table is now complete, so select File, Exit, and answer "yes" when prompted to save your changes. The wizard will present a summary of the changes about to be made and will execute the Copy operation when you click Finish. To display the copied GPO's settings, select the new GPO in the GPMC scope pane and select the Settings tab in the results pane. Note how the security settings have changed from AMRVM to GERVM.
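Before running the Copy operation, it helps to check the saved migration table for entries that would carry an AMRVM principal into the GERVM GPO unchanged. The following is an added example, not part of the original article or of the GPMC sample scripts; the XML element names reflect the .migtable layout as assumed here, and the DNS suffixes and the function name Test-MigrationTable are placeholders.

```powershell
# Added example. $sample is a constructed migration table; the element names
# are the assumed .migtable layout and the DNS suffixes are placeholders.
$sample = @'
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>AMRVM Security Spooks@amrvm.example</Source>
    <Destination>GERVM Security Spooks@gervm.example</Destination>
  </Mapping>
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>AMRVM Capacity Planning@amrvm.example</Source>
    <DestinationSameAsSource />
  </Mapping>
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>Server Operations@amrvm.example</Source>
    <DestinationByRelativeName />
  </Mapping>
</MigrationTable>
'@

function Test-MigrationTable {
    param([xml]$Table, [string]$SourceSuffix)
    foreach ($m in $Table.MigrationTable.Mapping) {
        $source = $m['Source'].InnerText
        $dest   = $m['Destination']   # present only for an explicit mapping
        if ($null -ne $dest) {
            $mode = 'Explicit'; $target = $dest.InnerText
            # An explicit destination should not point back at the source domain.
            $ok = $target -notlike "*$SourceSuffix"
        } elseif ($null -ne $m['DestinationByRelativeName']) {
            $mode = 'ByRelativeName'; $target = '(same relative name)'; $ok = $true
        } elseif ($null -ne $m['DestinationNone']) {
            $mode = 'None'; $target = '(principal removed)'; $ok = $true
        } else {
            # DestinationSameAsSource, or no destination element at all.
            $mode = 'SameAsSource'; $target = $source; $ok = $false
        }
        [pscustomobject]@{ Type = $m['Type'].InnerText; Source = $source; Mode = $mode
                           Destination = $target; Review = -not $ok }
    }
}

Test-MigrationTable -Table $sample -SourceSuffix '@amrvm.example' | Format-Table -AutoSize
```

In the constructed sample, only the AMRVM Capacity Planning row comes back with Review set, because it would leave the source-domain group in the copied GPO's security settings.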
Scripting
The GPMC snap-in is based on a set of COM interfaces (also available to VBScript, JScript, and Visual Basic, or VB) that do most of the work. For the majority of us who never learned scripting well enough to take advantage of such an interface set, the GPMC development team has included a collection of GPMC scripts in the %programfiles%\gpmc\scripts directory. These scripts are almost as important as the UI because they let administrators control GPOs (although not their settings) programmatically. You can schedule the scripts to run regularly without operator intervention.
Using the sample scripts, you can back up or restore one GPO or all GPOs in a domain, copy them, delete them, create a GPO with default options, alter permissions, import one or many GPOs into a domain, and generate reports on any or all GPOs in a domain. Twelve other scripts let you query various aspects of the Group Policy environment, such as listing all GPOs in the domain with detailed information or listing all GPOs that aren't linked to a site, domain, or OU.
Two scripts demonstrate the power of this scripting interface and XML: CreateXMLFromEnvironment.wsf captures information about OUs, GPOs, GPO links, and GPO security settings in a domain and saves that information to an XML file. CreateEnvironmentFromXML.wsf reads XML files that CreateXMLFromEnvironment.wsf creates and builds an entire environment based on the saved information. With these scripts, you can quickly create a development or test environment that mimics your production environment.
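The same COM interfaces can be driven from PowerShell. The following added example (not one of the GPMC sample scripts, and not from the original article) reports GPOs that have no site, domain, or OU link, which is one of the queries described above. It assumes GPMC is installed on the machine running it; the domain and forest names and the function name Get-UnlinkedGpo are placeholders.

```powershell
# Added example: list GPOs with no links, using the GPMC COM interfaces.
# The default domain/forest names are placeholders; pass your own.
param(
    [string]$DomainDns = 'gervm.example',
    [string]$ForestDns = 'gervm.example'
)

function Get-UnlinkedGpo {
    param([string]$DomainDns, [string]$ForestDns)

    $gpm    = New-Object -ComObject GPMgmt.GPM
    $const  = $gpm.GetConstants()
    $domain = $gpm.GetDomain($DomainDns, '', $const.UseAnyDC)
    $sites  = $gpm.GetSitesContainer($ForestDns, $DomainDns, '', $const.UseAnyDC)

    # Empty search criteria match every GPO in the domain.
    $gpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())

    foreach ($gpo in $gpos) {
        # Find every scope of management (SOM) that links to this GPO.
        $crit = $gpm.CreateSearchCriteria()
        $crit.Add($const.SearchPropertySOMLinks, $const.SearchOpContains, $gpo)

        # Domain and OU links, then site links.
        # Caveat: links made from other domains in the forest are not seen here.
        $linkCount = $domain.SearchSOMs($crit).Count + $sites.SearchSites($crit).Count

        if ($linkCount -eq 0) {
            [pscustomobject]@{
                Name     = $gpo.DisplayName
                Id       = $gpo.ID
                Modified = $gpo.ModificationTime
            }
        }
    }
}

Get-UnlinkedGpo -DomainDns $DomainDns -ForestDns $ForestDns |
    Sort-Object Modified |
    Format-Table -AutoSize
```

An unlinked GPO applies to nothing, so the report is a review list: each entry is either a staging copy someone still needs or a leftover that can be backed up and deleted.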
RSoP
RSoP is one of Windows 2003's most exciting and most needed features. The policies that users end up with depend on many variables, so a challenge in working with Group Policy is figuring out how a set of GPOs linked to various sites and OUs in a domain actually affects users. RSoP lets you determine the effective policy (for a computer anywhere in the directory hierarchy or for any given user) of all GPOs that apply to that computer or user. RSoP has two aspects: logging mode and planning mode. RSoP logging provides a way to report on which GPOs are delivered to a particular user or computer and which GPO those settings came from. RSoP planning lets you perform what-if analyses to display the effect a GPO or combination of GPOs might have on a user or machine that's moved to a different OU or security group. Two methods exist to let you access RSoP without using GPMC. When you're logged on to your Windows 2003 or XP computer, you can quickly determine the effective policy for your user account by entering
RSoP.msc
from a command prompt. Displaying the policy settings that are in effect is the essence of logging mode. To run RSoP in planning mode without using GPMC, open MMC on a Windows 2003 server and add the RSoP snap-in to the console. You can then step through what-if scenarios to your heart's content.
Because GPMC is designed to be the central point of Group Policy administration, you can also run RSoP directly from GPMC. In GPMC, Microsoft has wisely renamed RSoP Logging Mode to Group Policy Results, and RSoP Planning Mode is now Group Policy Modeling.
Group Policy Results. You can obtain Group Policy Results from clients in a Win2K domain, but those clients must be running Windows 2003 or XP and you must have local administrator rights on the client you're getting results data from. To start the Group Policy Results Wizard, right-click the Group Policy Results icon in the left-hand pane of the GPMC snap-in and select Group Policy Results Wizard. The wizard will step you through specifying the computer and user whose settings you want to check. GPMC displays the extensive results in the results pane, as Figure 4 shows. Note the three tabs. The Summary tab shows summaries of the computer and user configurations, the Settings tab displays the effective settings, and the Policy Events tab displays Group Policy-related event-log messages.
Group Policy Modeling. Group Policy Modeling lets you simulate applying GPOs to users and computers without all the time, hardware, and anguish that typically accompany a Group Policy deployment. Used in conjunction with the Copy and Import feature, you can use Group Policy Modeling to develop, test, and deploy GPOs in a fraction of the time it takes to do so in Win2K.
As with Group Policy Results, you start the wizard by right-clicking the Group Policy Modeling icon in GPMC's left-hand pane. For this icon to be available, you must have at least one Windows 2003 DC in the forest. Please see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/rspintro.asp for detailed information about Group Policy Modeling and Planning (described as Resultant Set Of Policy in the link).
An Indispensable Tool
GPMC provides sorely needed functionality for GPO development and management and consolidates many separate functions into one cohesive interface. But GPMC doesn't cover every aspect of Group Policy management (e.g., change management), so you'll have to investigate third-party applications that are more comprehensive. The synergy between the Copy, Import, and Group Policy Modeling features lets you develop and deploy GPOs much faster and with greater confidence than you can with Win2K. GPMC is such an indispensable tool for Windows 2003 and Win2K that I think Microsoft should include the utility with the OS rather than provide it as an add-on.