Group Policy management for IT pros

This topic provides you with information about the common administration and troubleshooting tasks and tools associated with Group Policy.

Useful tools

This section describes the Microsoft Web site downloads and tools associated with this version of Windows that help you configure and manage Group Policy.

Local Group Policy Editor

Local Group Policy Editor is a Microsoft Management Console (MMC) snap-in that you can use to edit local Group Policy objects (GPOs). Local Group Policy Editor and the Resultant Set of Policy snap-in are available in Windows Server 2008 R2 and Windows 7 Professional, Windows 7 Ultimate, and Windows 7 Enterprise. For more information, see http://go.microsoft.com/fwlink/?LinkId=139815.

You can find this MMC snap-in in the following location: %windir%\System32\gpedit.msc

To open the Local Group Policy Editor, click Start, click Run, and then type gpedit.msc.

Group Policy Management Console

To manage domain Group Policy across an enterprise, you must first install the Group Policy Management Console (GPMC). The GPMC consists of a MMC snap-in and a set of scriptable interfaces for managing Group Policy. The GPMC is included with Remote Server Administration Tools (RSAT), which is available for download at http://go.microsoft.com/fwlink/?LinkId=130862.

RSAT enables IT administrators to remotely manage roles and features in Windows Server 2008 R2 from a computer that is running Windows 7. RSAT includes support for the remote management of computers that are running either a Server Core installation or the full installation option of Windows Server 2008 R2.

Important

  • Installing RSAT does not automatically install the GPMC. To install the GPMC after you install RSAT, click Programs in Control Panel, click Turn Windows features on or off, expand Remote Server Administration Tools, expand Feature Administration Tools, and select the Feature Administration Tools and Group Policy Management Tools check boxes. It may be necessary to run MMC with elevated privileges even if your account is in the Computer Administrators group. To open MMC with elevated privileges, click Start, click All Programs, click Accessories, right-click Command Prompt and then point to Run as administrator. If Windows displays a security message asking your permission to run this program, click Allow. In the command prompt that opens, type mmc.exe to start MMC. In the console tree of MMC, click File, click Add/Remove Snap-in, and then select Group Policy Object Editor and click Add.

Windows PowerShell Group Policy cmdlets

Windows PowerShell is a Windows command-line shell and scripting language that you can use to automate many of the same tasks that you perform in the user interface by using the Group Policy Management Console (GPMC). To help you perform these tasks, Group Policy provides more than 25 cmdlets. Each cmdlet is a simple, single-function command-line tool.

You can use the Group Policy cmdlets to perform the following tasks for domain-based Group Policy objects (GPOs):

  • Maintaining GPOs: GPO creation, removal, backup, and import.

  • Associating GPOs with Active Directory® containers: Group Policy link creation, update, and removal.

  • Setting inheritance flags and permissions on Active Directory organizational units (OUs) and domains.

  • Configuring registry-based policy settings and Group Policy Preferences Registry settings: Update, retrieval, and removal.

  • Creating and editing Starter GPOs.

To use the Windows PowerShell Group Policy cmdlets, you must be running either Windows Server 2008 R2 on a domain controller or on a member server that has the GPMC installed, or Windows 7 with Remote Server Administration Tools (RSAT) installed. RSAT includes the GPMC and its cmdlets.

You must also use the Import-Module grouppolicy command to import the Group Policy module before you use the cmdlets at the beginning of every script that uses them and at the beginning of every Windows PowerShell session.

You can use the GPRegistryValue cmdlets to change registry-based policy settings and the GPPrefRegistryValue cmdlets to change registry preference items. For information about the registry keys that are associated with registry-based policy settings, see the Group Policy Settings Reference. This reference is a downloadable spreadsheet.

Note

  • For more information about the Group Policy cmdlets, you can use the Get-Help<cmdlet-name> and Get-Help<cmdlet_name>-detailed cmdlets to display basic and detailed Help.

Downloads

Deployment

For information about deploying Group Policy, go to the following resources on the Microsoft Web site.

Operations

Technical reference

For more information about Group Policy, go to the following technical references on the Microsoft Web site: