Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
While using the GPMC throughout this chapter, you ran queries and created several reports. What you possibly didn't know is that all that time you were creating HTML reports that you can use to document your environment.
Back when you were first exploring a GPO's settings (see the graphic in the "Common Procedures with the GPMC" section earlier in the chapter) and when you were creating RSoP reports (that is, Figures 2.23 and 2.24 and what would result after Figure 2.26), you were really generating HTML reports. Any time you create those reports, you can right-click anywhere in the report and choose "Save Report." Since these are standard HTML, you basically have an incredibly easy way to document just about every aspect of your Group Policy universe.
Backing up and restoring with the GPMC is simply awesome. But as you'll recall, when you restore a deleted GPO, you don't restore the links. You'll have to bring them back manually. Having good backups and good documentation of where each GPO is linked will always be your ace in the hole (provided you have good backups).
I stopped short in this chapter of demonstrating two of the GPMC's major additional functions. That is, the GPMC provides a scriptable interface to many of our day-to-day GPO functions, including backups, creation, and management. You'll see that in Chapter 7.
Additionally, you can use the GPMC to migrate GPOs from one domain to another. I'll tackle that in the Appendix.
The GPMC isn't quite part of the Windows 2003 operating system, but I expect that someday it might be. I'm hoping the GPMC stays standalone and continues through incremental improvements. Then, once finally mature, the GPMC and Active Directory Users And Computers can merge into one unified tool, perhaps to be named the "Active Directory Management Console" to help me manage both my GPOs and my Active Directory objects, such as user accounts.
If Microsoft does come up with a tool, and names it that, I want royalties for the idea. Just $1 per Windows Client Access License they sell, and I'll be set for life.
Here are some parting tips for daily Group Policy Object management with the GPMC:
Check out these Microsoft documentation links. Microsoft GPMC documentation is available at http://go.microsoft.com/fwlink/?LinkId=14320. Additionally, Microsoft has some other RSoP documentation available at www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/entserver/rspintro.asp (or shortened to http://tinyurl.com/4ngbw).
Use "Block Inheritance" and "Enforced" sparingly. The less you use these features, the easier it will be to debug the application of settings. Figuring out at which level in the hierarchy one administrator has "Blocked Inheritance" and another has declared "Enforced" can eat up days of fun at the office. The GPMC makes it easier to see what's going on, but still, minimize your use of these two attributes.
Remember what can only be applied at the link. Three and only three attributes are set on a GPO link: Link Enable (Enable or Disable the settings to apply at this level), Enforce the link (and force the policy settings), and Delete the link.
Remember what can be applied only on the actual GPO itself. The following attributes must be set on the GPO itself: the policies and settings inside the GPO (found on the Settings tab); security filters and rights (as in the "Apply Group Policy" permission); delegation (as in the "Edit this GPO" permission); enabling or disabling half (or both halves) of the GPO via the GPO Status (found on the Details tab); and WMI filtering (discussed in Chapter 10).
Remember Group Policy is notoriously tough to debug. Once you start linking GPOs at multiple levels, throwing a "Block Inheritance," an "Enforced," and a filter or two, you're up to your eyeballs in troubleshooting. The best thing you can do is document the heck out of your GPOs. The GPMC helps you determine what a GPO does in the Settings tab, but your documentation will be your sanity check when trying to figure things out.
Use Microsoft's spreadsheet. Microsoft has an Excel spreadsheet of all the administrative templates for Windows 2000, Windows XP, and Windows 2003. My suggestion is to leverage this file every single time you create a new GPO and keep it in a common place for all administrators to reference to see what anyone else did inside a GPO. Be religious about it, and keep these files updated within your company. To locate the spreadsheet, go to www.GPanswers.com, where I always have a link to it that's easy to find.
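To show why the "Block Inheritance" and "Enforced" tips above matter, here is a small model of how the two attributes interact; it is an added illustration, not code from the book or from the GPMC. It assumes the usual processing rules (links on closer containers win, Block Inheritance drops non-enforced links from above, Enforced links win over everything with the highest container first), leaves out sites, local policy, and security/WMI filtering, and uses constructed container and GPO names.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enabled: bool = True    # the link's "Link Enabled" attribute
    enforced: bool = False  # the link's "Enforced" attribute

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # in link order, 1 first
    block_inheritance: bool = False             # set on the domain/OU, not the link

def resolve(path):
    """path: containers from the domain down to the target OU.
    Returns the applied GPO links (winner of a conflict first) and the
    links that Block Inheritance removed."""
    # Enforced links win outright; the one highest in the hierarchy wins first.
    enforced = [(c.name, l.gpo) for c in path for l in c.links
                if l.enabled and l.enforced]
    normal, blocked, cut = [], [], False
    # Non-enforced links: walk upward from the target OU, closest wins.
    for c in reversed(path):
        for l in c.links:
            if l.enabled and not l.enforced:
                (blocked if cut else normal).append((c.name, l.gpo))
        # Everything above a blocking container is cut off from here on.
        cut = cut or c.block_inheritance
    return {"applied": enforced + normal, "blocked": blocked}

# Constructed sample hierarchy: domain -> Sales OU -> Laptops OU.
SAMPLE_PATH = [
    Container("corp.example", [Link("Default Domain Policy"),
                               Link("Security Baseline", enforced=True)]),
    Container("Sales", [Link("Sales Desktop")], block_inheritance=True),
    Container("Laptops", [Link("Laptop Lockdown"),
                          Link("Old Test", enabled=False)]),
]

if __name__ == "__main__":
    result = resolve(SAMPLE_PATH)
    for rank, (where, gpo) in enumerate(result["applied"], 1):
        print(f"{rank}. {gpo} (linked at {where})")
    for where, gpo in result["blocked"]:
        print(f"blocked: {gpo} (linked at {where})")
```

In the sample, the enforced domain link survives the block at Sales and outranks both OU-level GPOs, while the Default Domain Policy link is dropped, which is exactly the kind of outcome worth recording in your GPO documentation.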