By Orin Thomas
Lesson 1: Maintaining Group Policy Object
As an experienced systems administrator pursuing certification, you have a reasonable idea of how to use Group Policy. The administration of Group Policy doesn’t just occur at the level of configuring individual policies. In large organizations with many policies, it’s necessary to have a maintenance strategy. Ensuring that important Group Policy Objects (GPOs) are backed up and recoverable is as important as backing up and recovering other critical services such as DNS and Dynamic Host Configuration Protocol (DHCP). In this lesson, you’ll learn how to back up, restore, import, and copy GPOs. You’ll also learn how to delegate the management of GPOs.
Managing Group Policy Objects
As an experienced systems administrator, you are aware that GPOs enable you to configure settings for multiple users and computers. After you get beyond editing GPOs to configure settings, you need to start thinking about issues such as GPO maintenance. For example, if an important document is lost, you need to know how to recover it from backup. Do you know what to do if someone accidentally deletes a GPO that has hundreds of settings configured over a long period of time?
The main tool you’ll use for managing GPOs is the Group Policy Management Console (GPMC), shown in Figure 5-1. You can use this console to back up, restore, import, copy, and migrate. You can also use this console to delegate GPO management tasks.
FIGURE 5-1 GPMC
There are also a substantial number of cmdlets available in the Windows PowerShell Group Policy module, including the following:
- Get-GPO Enables you to view GPOs. The output of this cmdlet is shown in Figure 5-2.
FIGURE 5-2 Output of the Get-GPO cmdlet
- Backup-GPO Enables you to back up GPOs.
- Import-GPO Enables you to import a backed-up GPO into a specified GPO.
- New-GPO Enables you to create a new GPO.
- Copy-GPO Enables you to copy a GPO.
- Rename-GPO Enables you to change a GPO’s name.
- Restore-GPO Enables you to restore a backed-up GPO to its original location.
- Remove-GPO Enables you to remove a GPO.
Backing up a GPO enables you to create a copy of a GPO as it exists at a specific point in time. A user must have read permission on a GPO to back it up. When you back up a GPO, the backup version of the GPO is incremented. It is good practice to back up GPOs prior to editing them so that if something goes wrong, you can revert to the unmodified GPO.
To back up a GPO, perform the following steps:
- Open the GPMC.
- Right-click the GPO that you want to back up, and click Back Up. In the Back Up Group Policy Object dialog box, shown in Figure 5-3, enter the location of the backup and a description for the backup.
FIGURE 5-3 Backing up a GPO
You can restore a GPO by using the Restore-GPO cmdlet or the GPMC. Restoring a GPO overwrites the current version of the GPO if one exists, or re-creates the GPO if it has been deleted. To restore a GPO in the GPMC, right-click the Group Policy Objects node, and click Manage Backups. In the Manage Backups dialog box, shown in Figure 5-4, select the GPO that you want to restore and click Restore. If multiple backups of the same GPO exist, you can select which version of the GPO to restore.
FIGURE 5-4 Restoring a GPO from backup
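The backup-before-edit practice described above, as an added example (not code from the book); it assumes the GroupPolicy module is installed and uses a hypothetical GPO name and backup folder:

```powershell
# Added example (not from the book): back up one GPO before editing it, then
# restore that exact backup if the edit goes wrong. Assumes the GroupPolicy
# module (RSAT/GPMC) and the hypothetical GPO name and backup path below.
Import-Module GroupPolicy

$GpoName    = 'Sydney-2013'      # hypothetical GPO name
$BackupRoot = 'C:\GPOBackups'    # hypothetical backup folder

function Backup-GpoBeforeEdit {
    param([string]$Name, [string]$Path, [string]$Reason)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # Backup-GPO returns a backup object; its Id identifies this point-in-time copy
    $backup = Backup-GPO -Name $Name -Path $Path -Comment $Reason
    Write-Host ("Backed up '{0}' as backup {1} at {2}" -f `
        $backup.DisplayName, $backup.Id, $backup.CreationTime)
    return $backup
}

function Restore-GpoFromBackup {
    param([string]$Path, [guid]$BackupId)
    # Restore by BackupId rather than by name so that an older backup of the
    # same GPO in the folder is never picked up by accident
    Restore-GPO -Path $Path -BackupId $BackupId
}

# Take the pre-edit snapshot, edit the GPO, and roll back if needed
$snapshot = Backup-GpoBeforeEdit -Name $GpoName -Path $BackupRoot -Reason 'Pre-edit snapshot'
# ... edit the GPO here ...
Restore-GpoFromBackup -Path $BackupRoot -BackupId $snapshot.Id

# Back up every GPO in the domain at once (the scheduled-task case)
Backup-GPO -All -Path $BackupRoot -Comment ('Nightly {0:yyyy-MM-dd}' -f (Get-Date))
```

Each Backup-GPO call adds a new versioned copy under the backup folder, so the folder grows until old backups are pruned.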
Import and copy GPOs
Importing a GPO enables you to take the settings in a backed-up GPO and import them into an existing GPO. To import a GPO, perform the following steps:
- Right-click an existing GPO in the GPMC and click Import Settings.
- In the Import Settings Wizard, you are given the option of backing up the destination GPO’s settings. This enables you to roll back the import.
- Specify the folder that hosts the backed-up GPO.
- On the Source GPO page of the Import Settings Wizard, shown in Figure 5-5, select the source GPO. You can view the settings that have been configured in the source GPO prior to importing it. Complete the wizard to finish importing the settings.
FIGURE 5-5 Importing GPO settings
Remember that when you import settings from a backed-up GPO, the settings in the backed-up GPO overwrite the settings in the destination GPO.
Copying a GPO creates a new GPO and copies all configuration settings from the original to the new. You can copy GPOs from one domain to another. You can also use a migration table when copying a GPO to map security principals referenced in the source domain to security principals referenced in the destination domain.
To copy a GPO, perform the following steps:
- Right-click the GPO that you want to copy and click Copy.
- Right-click the location that you want to copy the GPO to and click Paste.
- In the Copy GPO dialog box, choose between using the default permissions and preserving the existing permissions assigned to the GPO (see Figure 5-6).
FIGURE 5-6 Copying a GPO
Fixing GPO problems
Windows Server 2012 and Windows Server 2012 R2 include command-line utilities that allow you to repair GPOs after you perform a domain rename, or to re-create the default GPOs. If you need to re-create the default GPOs for a domain, use the DCGPOFix.exe command. If you perform a domain rename, you can use the GPFixup.exe command to repair name dependencies in GPOs and Group Policy links.
Migrate Group Policy Objects
When moving GPOs between domains or forests, you need to ensure that any domain-specific information is accounted for, so locations and security principals in the source domain aren’t used in the destination domain. You can account for these locations and security principals using migration tables. You use migration tables when copying or importing GPOs.
Migration tables enable you to alter references when moving a GPO from one domain to another, or from one forest to another. An example is when you are using GPOs for software deployment and need to replace the address of a shared folder that hosts a software installation file so that it is relevant to the target domain. You can open the Migration Table Editor (MTE), shown in Figure 5-7, by right-clicking Domains in the GPMC, and clicking Open Migration Table Editor.
FIGURE 5-7 Opening the MTE
When you use the MTE, you can choose to populate it from a GPO in the current domain or from a backed-up GPO. The MTE is then populated with every setting in that GPO that references a local security principal or UNC path. If this produces no entries, the GPO that you are going to migrate contains no local references and no migration table is needed.
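The copy and import procedures above, carried out with a migration table, as an added example (not code from the book). The domains, GPO name, group, share path and file locations are constructed for illustration; the Copy-GPO route assumes a trust between the two domains:

```powershell
# Added example (not from the book): move a GPO between two domains using a
# migration table, by direct copy or by backup and import. Domain names, GPO
# names, paths and principals are hypothetical.
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackups'
$MigTable   = 'C:\GPOBackups\contoso-to-fabrikam.migtable'

# A migration table is an XML file. This one maps a global group and a UNC path
# (the MTE writes the same format; Type values include User, Computer,
# GlobalGroup, LocalGroup, UniversalGroup and UNCPath).
@'
<?xml version="1.0" encoding="utf-8"?>
<MigrationTable xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/MigrationTable">
  <Mapping>
    <Type>GlobalGroup</Type>
    <Source>SoftwareInstallers@contoso.com</Source>
    <Destination>SoftwareInstallers@fabrikam.com</Destination>
  </Mapping>
  <Mapping>
    <Type>UNCPath</Type>
    <Source>\\fs1.contoso.com\Software</Source>
    <Destination>\\fs1.fabrikam.com\Software</Destination>
  </Mapping>
</MigrationTable>
'@ | Set-Content -Path $MigTable -Encoding UTF8

# Route 1: copy directly between domains. -CopyAcl is the "preserve existing
# permissions" choice from the Copy GPO dialog; omit it to get default permissions.
Copy-GPO -SourceName 'Software Deployment' -SourceDomain 'contoso.com' `
         -TargetName 'Software Deployment' -TargetDomain 'fabrikam.com' `
         -MigrationTable $MigTable -CopyAcl

# Route 2: back up in the source domain and import in the destination, which
# also works across forests. -CreateIfNeeded creates the target GPO if absent.
Backup-GPO -Name 'Software Deployment' -Domain 'contoso.com' -Path $BackupRoot
Import-GPO -BackupGpoName 'Software Deployment' -Path $BackupRoot `
           -TargetName 'Software Deployment' -Domain 'fabrikam.com' `
           -MigrationTable $MigTable -CreateIfNeeded
```

A source reference that is not listed in the table is carried over unchanged, so review the MTE output before relying on a hand-written table.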
Delegate GPO management
In larger environments, there is more than one person in the IT department. In very large organizations, one person’s entire job responsibility might be creating and editing GPOs. Delegation enables you to grant the permission to perform specific tasks to a specific user or group of users. You can delegate some or all of the following Group Policy management tasks:
- GPO creation
- GPO modification
- GPO linking to specific sites, organizational units (OUs), or domains
- Permission to perform Group Policy Modeling analysis at the OU or domain level
- Permission to view Group Policy Results information at the OU or domain level
- Windows Management Instrumentation (WMI) filter creation
Users in the Domain Admins and Enterprise Admins groups can perform all Group Policy management tasks. Users that are members of the Group Policy Creator Owners domain group can create GPOs. They also have the right to edit and delete any GPOs that they have created.
You can delegate permissions to GPOs directly using the GPMC, as shown in Figure 5-8.
FIGURE 5-8 Group Policy permissions
If you want to delegate the ability for users to create GPOs, you can add them to the Group Policy Creator Owners group. You can also explicitly grant them permission to create GPOs using the GPMC. To do this, perform the following steps:
- Open the GPMC from the Tools menu of Server Manager.
- Expand the domain in which you want to delegate the ability to create GPOs, click Group Policy Objects, and click the Delegation tab.
- Click Add and select the group or user that you want to give the ability to create GPOs in that domain.
Users can edit a GPO if they are members of the Domain Admins or Enterprise Admins group, if they created the GPO, or if they have been given Read/Write permission on the GPO through the GPMC.
To grant a user permission to edit a GPO, perform the following steps:
- Click the GPO in the GPMC.
- Click the Delegation tab, as shown in Figure 5-9.
FIGURE 5-9 Delegating permissions
- Click Add, specify the user or group that should have permission to edit the GPO, and then specify the permissions that you want to give this user or group. You can choose from one of the following permissions:
- Edit Settings
- Edit Settings, Delete, Modify Security
To enable a user to link a GPO to a specific object, you need to edit the permission on that object. You can perform this task in the GPMC, as shown in Figure 5-10. For example, to grant a user or group permission to link a GPO to an OU, select the OU in the GPMC, select the Delegation tab, click Add, and then select the user or group to which you want to grant this permission.
FIGURE 5-10 Delegating link GPO permission
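The GPO edit delegation above done with Set-GPPermission, followed by the review a practitioner would run afterwards: a list of every non-default principal that can edit any GPO in the domain. This is an added example, not code from the book; the GPO and group names are hypothetical. Note that link delegation is an ACL on the site, domain or OU object, not on the GPO, so it is not covered by these cmdlets:

```powershell
# Added example (not from the book): delegate the "Edit settings" level on one
# GPO, then audit edit delegation across the domain. Names are hypothetical.
Import-Module GroupPolicy

# GpoEdit matches "Edit Settings"; GpoEditDeleteModifySecurity matches the
# second GPMC option, "Edit Settings, Delete, Modify Security".
Set-GPPermission -Name 'Sydney-2013' -TargetName 'Sydney GPO Editors' `
                 -TargetType Group -PermissionLevel GpoEdit | Out-Null

# Principals that hold edit rights on every GPO by default; anything else that
# can edit a GPO is a delegation someone granted and should be accounted for.
$DefaultEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER')

function Get-GpoEditDelegation {
    foreach ($gpo in Get-GPO -All) {
        Get-GPPermission -Guid $gpo.Id -All |
            Where-Object {
                $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                $_.Trustee.Name -notin $DefaultEditors
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo        = $gpo.DisplayName
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

Get-GpoEditDelegation | Sort-Object Gpo | Format-Table -AutoSize
```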
Modeling, results, and WMI filters
Delegating permissions to perform tasks related to Group Policy Modeling and Group Policy Results is performed at the domain level, as shown in Figure 5-11. You can delegate the ability to create WMI filters by selecting the WMI Filters node in the GPMC and granting the permission on the Delegation tab.
FIGURE 5-11 Delegating Group Policy Modeling and Group Policy Results permissions
Lesson summary
- Each time you back up a GPO, it creates a copy of that GPO at a particular point in time.
- Restoring a GPO overwrites the existing GPO if it still exists, or recovers it if it has been deleted.
- Importing a GPO overwrites the settings in the destination GPO with the settings from the imported GPO.
- Copying a GPO creates a duplicate of the GPO.
- You use migration tables when moving GPOs between domains and forests to account for local references in the source domain.
- You can delegate the permission to create, edit, and link GPOs using the GPMC. Non-administrative users can then perform some Group Policy tasks, such as editing policies, without being given unnecessary privileges.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
You have 200 individual GPO settings in a backed-up GPO named Melbourne-2012 that you want to include in an existing GPO named Sydney-2013. Which of the following Windows PowerShell cmdlets should you use to accomplish this goal?
Prior to editing a Group Policy, your assistant makes a backup of the GPO that she is going to edit. Unfortunately, she makes a mistake in configuring the GPO. You need to revert the GPO to the state it was in prior to your assistant’s edits. Which of the following Windows PowerShell cmdlets should you use to accomplish this goal?
You want to copy a GPO from one domain to another in a forest. Which tool should you use to ensure that references to objects in the source domain are updated so that they are relevant to the destination domain? (Choose all that apply.)
- Active Directory Sites and Services
- Active Directory Users and Computers
- Migration Table Editor
- Group Policy Management Editor
Which of the following security groups have the right to create GPOs by default? (Choose all that apply.)
- Group Policy Creator Owners
- Enterprise Admins
- Domain Admins
- Domain Controllers
You are about to make substantial modifications to the default domain GPO. You want to ensure that you can return to the current state of the GPO if the modifications cause problems. Which of the following Windows PowerShell cmdlets should you use?