Read the book Group Policy - Jeremy Moskowitz - Page 15
Chapter 1
Group Policy Essentials
Group Policy, Active Directory, and the GPMC
The Group Policy Management Console (GPMC) was created to help administrators work in a “one-stop-shop” place for all Group Policy management functions. Since 2003, it was freely downloadable as an add-on to either Windows XP or Windows Server 2003 systems.
Today, the GPMC is built into the server operating systems (Server 2008 R2, Windows Server 2016, etc.). And it’s also available for download as part of the RSAT tools for your own machine (say, Windows 7 or 10).
Even though I’ve said it before, it bears repeating: it doesn’t matter if your Active Directory or domains or Domain Controllers are Windows 2000, Windows 2003, Windows 2008, Windows 2008 R2, Windows 2012, Windows 2012 R2, Windows Server 2016, or whatever. The Group Policy infrastructure doesn’t care what domain type or Domain Controllers you have.
The GPMC’s name says it all. It’s the Group Policy Management Console. Indeed, this will be the MMC snap-in that you use to manage the underlying Group Policy mechanism. The GPMC just helps us tap into those features already built into Active Directory. I’ll highlight the mechanism of how Group Policy works throughout the next three chapters.
One major design goal of the GPMC is to get a Group Policy–centric view of the lay of the land. The GPMC also provides a programmatic way to manage your GPOs. In fact, the GPMC scripting interface allows just about any GPO operation. You can do the same “stuff” with the GPMC that you do with the mouse programmatically with VBScript and PowerShell.
We’ll explore scripting Group Policy operations normally performed with the GPMC, but instead using PowerShell in Appendix A, a downloadable bonus chapter, “Scripting Group Policy Operations with Windows PowerShell.”
The VBScript GPMC scripts, which were previously part of the downloadable GPMC package, are not included in the newest GPMC. You have to specifically download them from the GPMC scripting center at http://tinyurl.com/23xfz3 or search for “Group Policy Management Console Sample Scripts” in your favorite search engine.
There are lots of ways you could manage your Group Policy universe. Some people walk up to their Domain Controllers, log onto the console, and manage their Group Policy infrastructure there. Others use a management workstation and manage their Group Policy infrastructure from their own Windows 10 workstation (suggested).
I’ll talk more about the use and best practices of a Windows 10 management workstation in Chapter 6.
Implementing the GPMC on Your Management Station
As I mentioned, the GPMC isn’t built into Windows 10. But it is built into Windows Server 2016. Remember earlier I stated that you could manage your Active Directory from anywhere. And this is true. You could walk up to a Domain Controller, you could install the GPMC on a Windows Server 2016 server, or you could use Terminal Services to remotely connect to a Domain Controller.
But in this book, you won’t be. Your ideal management station is a Windows 10 machine (where we’ll manually introduce the GPMC) or a Windows Server 2016 machine (which is ready to go, no pesky downloads needed).
Windows 7 and Windows Server 2008 R2 are perfectly fine choices as well, but there is a small downside with those GPMCs. That is, they aren’t the “latest, greatest” and do lack some of the newest features, which we’ll explore in the next chapter. One good example of this is that the Windows 7 version of GPMC will not have the Group Policy Preferences item type for Internet Explorer 10. The idea is that Microsoft will only put new or updated functionality in the latest, greatest GPMC, and today, that GPMC is Windows 10’s (and Windows Server 2016’s). (They share the same guts.) That being said, if you only had a Windows 7 GPMC to use, it wouldn’t be the end of the world, and you’ll likely be pretty happy.
If you must use something else (Windows XP, Windows Server 2003, or Windows Vista), you’ll see me pepper in some advice for those. But you’ll really want to use the recommended set to get the most out of this book.
Using a Windows 10 or Windows Server 2016 Management Station
For this book, and for real life, I recommend that you use what’s known as a Windows 10 management station. And, to make use of it to implement Group Policy in your domain, you’ll need to introduce the downloadable GPMC on it.
Note that you could also use a Windows Server 2016 machine as your management station. Honestly, the Windows 10 GPMC that you’ll download and the built-in GPMC for Windows Server 2016 are equals. There’s no difference. But it’s simply not likely you’re going to install Windows Server 2016 on your laptop or desktop.
So, just to be clear, the following two ways to create and manage GPOs are equal:
● Windows 10 and the downloadable GPMC (contained within the RSAT tools)
● Windows Server 2016 with its built-in GPMC
I’ll usually just refer to a Windows 10 management station, and when I say that, I mean what I have in that first bullet point. Just remember that you can use a Windows Server 2016 machine as your management station, too.
Now, to be super-crazy, ridiculously clear: you could also use any of the other GPMCs out there, and things will basically “work.” I delve into this in serious detail in Chapter 6, but here’s the CliffNotes, er, JeremyNotes version of “What GPMC should I use?”:
● Always strive to use Windows 10 (or Windows Server 2016) as your management station and you’ll always be able to control all operating systems’ settings from all operating systems. If by the time you read this book, something after Windows 11 is out – use that GPMC. Always use the latest GPMC.
● The next best choice would be Windows 8.1 (with Update 1) and RSAT or Server 2012 R2.
● After that, the next best choice would be Windows 7 or Windows Server 2008 R2, which has “almost” all the same stuff as Windows 8’s GPMC (but not quite).
Everything else would be suboptimal to use.
But if you have even one Windows 10 client machine (say in Sales or Marketing), in order to manage all its settings you’re going to need to manage the machine using a “modern” GPMC. So I’m suggesting you just bite the bullet and get yourself a copy of Windows 10 and do your management from there.
Again, more details later, but here’s the warning. If you create a GPO using a “newer GPMC” (say, using a Windows 10 or Windows Server 2016 GPMC) but then edit it using an older operating system (say, a Windows 7 or XP GPMC), you might not be able to “see” all the configurable options. And what’s worse, some settings might be set (but you wouldn’t be able to see them!). Only the newest GPMC can see the “stuff” that the newest GPMC puts into the GPO.
What if you’re not “allowed” to load Windows 10, 8.1, or 7 on your own management station? Well, you’ve got another option. Perhaps you can create a Windows 10 or Windows Server 2016 machine to act as your management station, say in the server room. Or, use VMware Workstation or another virtualization tool to make an “almost real” management machine. Or, do create a real machine but set up Terminal Services or Remote Desktop to utilize the GPMC remotely.
Again, in our examples we’ll call our machine WIN10MANAGEMENT, but you can use either a Windows 10 or Windows Server 2016 for your best management station experience.
Using a Windows Server 2016 Machine as Your Management Station
The latest GPMC is available in Windows Server 2016. However, it’s not magically installed in most cases. The only time it is just “magically there” is when you make your Windows Server 2008, Windows Server 2008 R2, or Windows Server 2016 machine a Domain Controller. In that case, the GPMC is automatically installed for you. You don’t need to do the following procedure.
And, if you’re following along in the labs, you’ve likely already made your server a Domain Controller. But for practice, if you want to learn how to install it for when your server is not acting as a Domain Controller, there are two ways to install the GPMC: using Server Manager or from the command line.
To install the GPMC using Server Manager:
1. From the Start screen, select Server Manager.
2. Click Dashboard, then select “Add roles and features.”
3. In the “Add Roles and Features” wizard, you’ll eventually get to the Features screen. Be sure Group Policy Management is selected.
4. Click Install.
Close Server Manager once you’re done.
You can also install the GPMC using the command line:
1. Open a PowerShell prompt as an Administrator.
2. In PowerShell, type Add-WindowsFeature GPMC.
3. Close the PowerShell prompt when the installation has been completed.
Using Windows 10 as Your Management Machine
The first step on your Windows 10 management-station-to-be is to install Windows 10.
RSAT comes as a Microsoft Update Standalone Package and installs like a hotfix, and you may or may not need to reboot after installation. At last check, you can download the Windows 10 RSAT from www.microsoft.com/en-us/download/details.aspx?id=45520.
All the tools are installed automatically when you install the Update Package. You can see the tools already installed in Figure 1-7.
Once you’re done, close the Windows Features window and, if prompted, reboot your Windows 10 machine. The next time you boot, you’ll have Active Directory Users and Computers, the GPMC, and other tools available for use in the rest of the book.
If you cannot use a Windows 10 management machine and can only use a Windows 8.1 or 7 management machine, then the steps are the same, except the RSAT download is different. The RSAT for Windows 8.1 can be found at http://tinyurl.com/win81rsat and the RSAT for Windows 7 SP1 can be found at http://tinyurl.com/win7rsat-sp1.
Figure 1-7: The RSAT tools installed in Windows Features in the Control Panel ⇒ Programs ⇒ “Turn Windows features on or off”
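The two install procedures above (Server Manager or Add-WindowsFeature on a server, the RSAT package on Windows 10) can be folded into one script that checks what kind of machine it is running on, installs the GPMC only if it is missing, and then confirms that the GroupPolicy module can actually enumerate the domain’s GPOs. This is an added example, not code from the book: it assumes an elevated PowerShell prompt on Windows Server 2012 R2 or 2016 (where Add-WindowsFeature is an alias of Install-WindowsFeature) or on a Windows 10 build from 1809 onward, where RSAT ships as a Feature on Demand rather than the downloadable package the chapter describes; on earlier Windows 10 builds it only reports that the package still needs to be installed. The Test-IsDomainController and Test-GpmcReady function names are the example’s own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the book): install the GPMC if it is missing, then verify
# that the GroupPolicy module can reach the domain from this management station.

function Test-IsDomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # On a DC the GPMC is already present, as the chapter notes.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -ge 4)
}

function Install-GpmcIfMissing {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    if ($os.ProductType -eq 1) {
        # Windows 10 branch. Assumption: build 1809 or later exposes RSAT as a capability.
        $cap = Get-WindowsCapability -Online |
            Where-Object { $_.Name -like 'Rsat.GroupPolicy.Management.Tools*' } |
            Select-Object -First 1
        if (-not $cap) {
            Write-Warning 'RSAT is not offered as a capability on this build; install the RSAT update package instead.'
            return
        }
        if ($cap.State -ne 'Installed') {
            Add-WindowsCapability -Online -Name $cap.Name | Out-Null
        }
    }
    else {
        # Windows Server branch: the same feature the chapter installs with "Add-WindowsFeature GPMC".
        $feature = Get-WindowsFeature -Name GPMC
        if (-not $feature.Installed) {
            Install-WindowsFeature -Name GPMC | Out-Null
        }
    }
}

function Test-GpmcReady {
    # The GPMC snap-in and the GroupPolicy PowerShell module are installed together,
    # so loading the module and listing GPOs is a scriptable "is it working" check.
    Import-Module GroupPolicy -ErrorAction Stop
    $gpos = @(Get-GPO -All -ErrorAction Stop)
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Domain             = $env:USERDNSDOMAIN
        IsDomainController = Test-IsDomainController
        GpoCount           = $gpos.Count
    }
}

Install-GpmcIfMissing
Test-GpmcReady | Format-List
```

Run it once on the machine you intend to use as WIN10MANAGEMENT; if Test-GpmcReady fails to load the GroupPolicy module, the GPMC is not really installed yet, regardless of what the Windows Features dialog shows.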
Creating a One-Stop-Shop MMC
As you’ll see, the GPMC is a fairly comprehensive Group Policy management tool. But the problem is that right now the GPMC and the Active Directory Users and Computers snap-ins are, well, separate tools that each do a specific job. They’re not integrated to allow you to work on the idea of Users and Computers and Group Policy at the same time.
Often, you’ll want to change a Group Policy linked to an OU and then move computers to that OU. Unfortunately, you can’t do so from the GPMC; you must return to Active Directory Users and Computers to finish the task. This can get frustrating quickly. But that’s the deal.
As a result, my preference is to create a custom MMC that shows both the Active Directory Users and Computers and GPMC in a one-stop-shop view. You can see what I mean in Figure 1-8.
You might be wondering at this point, “So, Jeremy, what are the steps I need in order to create this unified MMC console you’ve so neatly described and shown in Figure 1-8?”
Just click Start and type MMC at the Search prompt. Then add in both the Active Directory Users and Computers and Group Policy Management snap-ins, as shown in Figure 1-9.
You won’t need the Group Policy Management Editor (which allows you to edit one Group Policy Object at a time), the Group Policy Object Editor (for Local Group Policy), or the Group Policy Starter GPO Editor (which we use in Chapter 2).
Figure 1-8: Use the MMC to create a unified console.
Figure 1-9: Add Active Directory Users and Computers and Group Policy Management to your custom view.
Once you have added both snap-ins to your console, you’ll have a near-unified view of most of what you need at your fingertips. Both Active Directory Users and Computers and the GPMC can create and delete OUs. Both tools also allow administrators to delegate permissions to others to manage Group Policy, but that’s where the overlap in the two tools’ functionality ends.
The GPMC won’t show you the actual users and computer objects inside the OU, so deleting an OU from within the GPMC is dicey at best because you can’t be sure of what’s inside!
You can choose to add other snap-ins, too, of course, including Active Directory Sites and Services or anything else you think is useful. The illustrations in the rest of this book will show both snap-ins loaded in this configuration. I suggest you save your “one-stop shop” to the Desktop and give it a catchy name so you can quickly find it later when you need to.
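The reason deleting an OU from the GPMC is dicey is that the GPMC shows the OU’s GPO links but not the user and computer objects inside it. The following added example (not code from the book) does from PowerShell what the unified MMC lets you do by eye: it lists what is directly inside an OU, lists the GPOs linked to it, checks whether the OU is protected from accidental deletion, and only then decides whether deletion is safe. It assumes the ActiveDirectory and GroupPolicy modules that ship with RSAT, and the OU distinguished name is a placeholder to replace with your own.

```powershell
# Added example (not from the book): inspect an OU before deleting it, because the
# GPMC cannot show you the objects an OU contains.
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy -ErrorAction Stop

function Get-OuDeletionReport {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    $ou = Get-ADOrganizationalUnit -Identity $OuDistinguishedName `
        -Properties ProtectedFromAccidentalDeletion

    # Every object directly under the OU: users, computers, groups, child OUs, and so on.
    $objects = @(Get-ADObject -Filter * -SearchBase $OuDistinguishedName -SearchScope OneLevel)
    $contents = $objects | Group-Object ObjectClass |
        ForEach-Object { [pscustomobject]@{ ObjectClass = $_.Name; Count = $_.Count } }

    # GPOs linked directly to this OU (this part the GPMC does show).
    $links = @((Get-GPInheritance -Target $OuDistinguishedName).GpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order)

    [pscustomobject]@{
        OU           = $ou.DistinguishedName
        Protected    = $ou.ProtectedFromAccidentalDeletion
        ObjectCount  = $objects.Count
        Contents     = $contents
        LinkedGpos   = $links
        # Safe only when nothing lives in the OU and no GPO would lose its link.
        SafeToDelete = ($objects.Count -eq 0) -and ($links.Count -eq 0)
    }
}

# Placeholder OU; replace with a real distinguished name from your domain.
$report = Get-OuDeletionReport -OuDistinguishedName 'OU=Sales,DC=corp,DC=example'
$report | Format-List

if ($report.SafeToDelete) {
    # -WhatIf shows what would be removed without removing anything; drop it once you are sure.
    Remove-ADOrganizationalUnit -Identity $report.OU -WhatIf
}
else {
    Write-Warning ("Not deleting {0}: {1} object(s) inside, {2} GPO link(s)." -f
        $report.OU, $report.ObjectCount, $report.LinkedGpos.Count)
}
```

Note that a freshly created OU is protected from accidental deletion by default, so even an empty OU will refuse Remove-ADOrganizationalUnit until that flag is cleared; the report surfaces the flag so you see that before the deletion fails.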