GPMC Eases Management of GPOs

Microsoft Corp.'s new group policy management console tool will make it much easier for administrators to roll out and manage Group Policy.

Microsoft Corp.'s new Group Policy Management Console (GPMC) tool, which will be downloadable from in conjunction with the release of Windows .Net Server 2003, will make it much easier for administrators to roll out and manage Group Policy.

Although some of the tool's new features apply only to .Net systems and domains, eWeek Labs' tests of GPMC Beta 2 showed this tool will be valuable to administrators who have been using GPOs (Group Policy Objects) to manage users and computers in Windows .Net and Windows 2000 environments.

GPOs are a powerful way for IT managers to handle large Windows 2000 environments. However, it's not easy to roll out and manage them with the tools provided in Windows 2000: effective group policy management requires tools such as Active Directory MMC (Microsoft Management Console) snap-ins, the Access Control List editor and Delegation Wizards. Having to use so many GUIs to manage GPOs across multiple domain structures is a burden.

The new GPMC provides a centralized user interface that integrates Group Policy management functions with robust new features that make it much easier to manage GPOs.

For example, GPMC allowed us to use a single MMC to perform Group Policy migration tasks such as Copy, Backup, Restore or Import/Export GPOs across multiple domains or forests (forests are the top level in the Active Directory hierarchy). GPMC provided detailed HTML reports of GPO settings and Resultant Set of Policy data we could save to a file for reporting purposes.

GPMC will enable administrators to use Visual Basic Script to automate GPO operations such as backup and restoration. A new VBScript in GPMC Beta 2 also allows administrators to quickly grant user permissions on all GPOs.

GPMC can be installed only on Windows .Net Server 2003 or Windows XP Professional but can be used to manage Windows 2000 and .Net domains.

GPMC can be installed on a computer that resides in a Windows .Net or Windows 2000 domain, but to manage Group Policy in the Windows 2000 forest from a GPMC system within the Windows .Net forest, the Windows 2000 domain controllers must have Service Pack 3 installed. This is because GPMC and other .Net Active Directory administration tools digitally sign and encrypt all LDAP communications. This requirement applies only to Windows 2000 domains not within the same forest as the .Net Server domain.

Sites with trusts between Windows 2000 and .Net domains in different forests can update all Windows 2000 domain controllers with SP3 or disable LDAP signing and encryption for .Net Active Directory administration tools.

We tested GPMC on a server running Windows .Net Server 2003 Enterprise Edition Release Candidate 2 and easily managed GPOs within our Windows .Net forest. We used GPMC to back up and restore multiple GPOs and import GPOs to computers in a Windows 2000 domain. The HTML reports for GPOs provided quick access to our policy settings; the reports provided read-only access, so we had to use Group Policy Editor to modify settings.