Mastering Windows Group Policy

Exploring the GPMC

You now have the knowledge to be able to open the GPMC in about a hundred different ways, and from all kinds of different places. If you've been following along with your own server or test lab, I am sure you have already spent some time poking around inside the console to take a look at what screens and options are available, but we are going to take a look together as well. Throughout the rest of this book, we will be making continual use of the GPMC, so the majority of learning about this console will be through direct experience. Even so, we can't wrap up a chapter about the GPMC without actually looking inside the GPMC, so let's do that together now.

The GPMC is made up of two primary window panes. The left side is an organizational tree where you will find the different layers of Active Directory administration—Forests, Domains, Sites, and Organizational Units (OUs). Expanding any of these sections shows you additional information listed underneath. For example, a forest can have multiple domains within it. Furthermore, currently expanding the Group Policy Objects folder won't show you a lot of information, but eventually you will have many GPOs listed here. You can even see and explore your Active Directory sites right from this window. Expanding the domain further shows you the Active Directory-based OU structure. You will be able to see and click on every one of the OUs that you have created inside Active Directory Users and Computers. All of this information becomes very important for our next chapters, Chapter 3, Daily Tasks in Group Policy, and Chapter 4, Advanced Filtering of Group Policy Objects, when we start to discuss linking and filtering our GPO settings, which is the process of telling those GPOs where they need to apply.

In larger environments, it is easy to get lost while navigating through all of the various OUs and their corresponding GPOs. As you can see in the following screenshot, we can see multiple instances of what seems to be the same thing. The Default Domain Policy shows up twice, which can be confusing, but what is really happening here is that we are looking at both the actual GPO that is called Default Domain Policy, and also an active link to the Default Domain Policy GPO. When you expand the Group Policy Objects section, you are looking at the master list of Group Policy Objects that are stored inside Active Directory. So this is a common place to visit when you are looking for a particular GPO, perhaps to make a change to it. But up above where you see Default Domain Policy listed underneath mydomain.local, this is just a link to that GPO. In other words, links are associating the GPOs with different locations within Active Directory. You can see the difference in the icon next to the text. The link has a little arrow on the icon. This is your visual indicator that the Default Domain Policy is linked on to the root of the domain:

Then the pane on the right-hand side shows additional information about whatever you have selected on the left. Sometimes, there is nothing listed on the right, but other times there are multiple settings and tabs on the right where you will need to be spending some time. One of the primary places you will find yourself revisiting time and time again inside the GPMC is the information that is presented whenever you have a particular Group Policy Object selected.

The following screenshot of the GPMC shows both the left and right sides, and you'll notice that I have clicked on a GPO—the Default Domain Policy—and on the right there are multiple options and tabs-worth of information that I can use that are related to this single GPO:

Whether you have clicked on the actual GPO listed under Group Policy Objects or if you have clicked on one of the links associated with the GPO, the right pane of the GPMC will display almost exactly the same tabs and information associated with that GPO. The only exception is that clicking on the GPO itself will display one extra tab called Status, which is not very commonly used. When needing to make changes to GPOs or GPO filtering, you can accomplish the same tasks whether you have chosen the GPO itself, or one of the links to that GPO.

We start out on the Scope tab, which is one of the most common places to visit inside the GPMC. Scope shows you information about where and to whom this GPO is applying. The links section shows you all of the locations that this GPO has been linked to. In the screenshot, you can see that the Default Domain Policy is linked to the domain. If we had selected a GPO here that was linked to five different OUs, you would see all five of those listed on this screen. Below the links we see the security filtering section. We will be doing some work here later on, but this is showing you that within those Links, this GPO is being filtered to only these users and/or devices. In this case, the Default Domain Policy is applying to Authenticated Users, which essentially means everyone.

Moving on to the Details tab gives you a little bit of information about the GPO itself. You can see some ownership settings, and important dates about when the GPO was created and last modified. Version numbering can become important when troubleshooting GPOs. Each time that you make changes to a GPO, versioning numbers increment, so this screen can be a nice resource when comparing GPOs between different DCs to make sure replication is happening properly, or to be able to help track changes:
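The version comparison between DCs described above can also be scripted. The following is an added example, not taken from the book; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and reuses the lab domain name `mydomain.local` and the Default Domain Policy from this page.

```powershell
# Added example: read one GPO's version counters from every DC and flag drift.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT) are available.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'Default Domain Policy'   # GPO discussed on this page
$Domain  = 'mydomain.local'          # lab domain used on this page

$rows = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
    try {
        # -Server pins the query to one DC so each copy is read separately
        $gpo = Get-GPO -Name $GpoName -Domain $Domain -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC             = $dc.HostName
            UserAD         = $gpo.User.DSVersion
            UserSysvol     = $gpo.User.SysvolVersion
            ComputerAD     = $gpo.Computer.DSVersion
            ComputerSysvol = $gpo.Computer.SysvolVersion
            Modified       = $gpo.ModificationTime
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
$rows | Format-Table -AutoSize

# On a single DC the AD and SYSVOL counters should agree.
$rows | Where-Object {
    $_.UserAD -ne $_.UserSysvol -or $_.ComputerAD -ne $_.ComputerSysvol
} | ForEach-Object { Write-Warning "AD/SYSVOL version mismatch on $($_.DC)" }

# Across DCs every row should carry the same four numbers once replication settles.
$distinct = @($rows | Select-Object UserAD, UserSysvol, ComputerAD, ComputerSysvol -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "'$GpoName' has $($distinct.Count) different version sets across DCs"
}
```

A mismatch that persists after normal replication latency is worth investigating, whether it comes from replication trouble or from a change made on one DC that nobody expected.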

The Settings tab is next, and this one is hugely important. The Settings tab will display for you all of the settings contained within a Group Policy Object. This is extremely useful for tracking down settings, and from which policies they are applying. I certainly expect that you will be visiting the Scope and Settings tabs much more frequently than any other location within the right pane of the GPMC. Here's a quick example that shows some of the settings that exist within the Default Domain Policy:

The Delegation tab gives us insight into the permissions associated with this GPO. Here, you can view the information that already exists about who has access to read or manipulate the GPO and its settings, and this is also the screen where you make modifications to these permissions. The Delegation tab can be important to your overall Group Policy security strategy:
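Reviewing the Delegation tab one GPO at a time does not scale, so the same permissions can be pulled for every GPO at once. This is an added example, not from the book; the baseline of expected editors (SYSTEM, Domain Admins, Enterprise Admins, matched by well-known SID or RID) is an assumption to adjust for your environment.

```powershell
# Added example: list every trustee that can modify a GPO and is not in the
# assumed baseline. Requires the GroupPolicy module (RSAT).
Import-Module GroupPolicy

# Assumed baseline of expected editors, matched on SID:
#   S-1-5-18 = SYSTEM, RID 512 = Domain Admins, RID 519 = Enterprise Admins
$expectedSid = '^S-1-5-18$|-512$|-519$'

# Permission levels that allow changing a GPO. GpoCustom is included because
# a custom ACE can carry write rights and needs a manual look.
$writePerms = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

$findings = foreach ($gpo in Get-GPO -All) {
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {
            [string]$_.Permission -in $writePerms -and
            $_.Trustee.Sid.Value -notmatch $expectedSid
        } |
        ForEach-Object {
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $_.Trustee.Name
                Type       = $_.Trustee.SidType
                Permission = $_.Permission
                Inherited  = $_.Inherited
            }
        }
}

if ($findings) {
    $findings | Sort-Object GPO, Trustee | Format-Table -AutoSize
} else {
    'No trustees outside the assumed baseline can modify a GPO.'
}
```

Anyone who can edit a GPO can change the configuration of every user and computer in its scope, so each row returned should map to a documented delegation.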

The final tab (if you have selected the GPO itself and not just the link) is called Status. We don't need to take up any more space looking firsthand at this one because it's pretty self-explanatory, and won't show us very much information because my lab environment has only a single DC. In a larger environment with multiple DCs, this screen can be helpful, because it will poll and display some health information related to the DCs and their replication status. 

I also want to point out that right-click menus are just as important inside the GPMC. As with most Microsoft management screens, right-clicking on different things gives you different options. It will be a very common occurrence for you to utilize the right-click menus to create GPOs, link GPOs, and edit the settings within those GPOs. Just as a quick example, here is the menu when right-clicking on the root of your domain:

As one final example of the right-side window pane inside the GPMC, go ahead and click on the name of your domain. This changes the right side of your screen to display information that is no longer about a specific GPO, but rather information that is higher level, things associated with the domain as a whole. Go ahead and click on the Linked Group Policy Objects tab. As you can see, there is currently only one GPO linked at this level of the domain. This screen can become very useful, however, if you have multiple GPOs being linked at the same level (whether that level is here at the domain, or at one of the different levels, such as an OU). This screen can be helpful when troubleshooting GPO settings that seem to be contradicting each other, as you will be able to view the Link Order on this screen, and help determine which GPO is supposed to be processing last, aka winning the fight, between GPOs that contain conflicting settings:
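The Links and Security Filtering sections of the Scope tab and the Link Order view described above can be combined into one report covering the domain root and every OU. This is an added example, not from the book; it assumes the GroupPolicy and ActiveDirectory RSAT modules and is run from a domain-joined machine.

```powershell
# Added example: for the domain root and each OU, list linked GPOs in link
# order together with the trustees the GPO is security-filtered to.
Import-Module GroupPolicy, ActiveDirectory

$domain  = Get-ADDomain
$targets = @($domain.DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)

$filterCache = @{}   # GPO GUID -> trustees holding the Apply permission

$report = foreach ($target in $targets) {
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        $key = $link.GpoId.ToString()
        if (-not $filterCache.ContainsKey($key)) {
            # Security filtering = trustees granted GpoApply on the GPO
            $filterCache[$key] = (Get-GPPermission -Guid $link.GpoId -All |
                Where-Object { [string]$_.Permission -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name }) -join ', '
        }
        [pscustomobject]@{
            Target    = $target
            LinkOrder = $link.Order
            GPO       = $link.DisplayName
            Enabled   = $link.Enabled
            Enforced  = $link.Enforced
            AppliesTo = $filterCache[$key]
        }
    }
}

# Within one target, link order 1 is processed last and so wins conflicts
# against the other GPOs linked at that same level.
$report | Sort-Object Target, LinkOrder | Format-Table -AutoSize
```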