Windows Server 2003 – GPMC (Group Policy Management Console)

Microsoft GPMC (Group Policy Management Console)

The GPMC is one of Microsoft’s best new features in all of Windows Server.  Within the GPMC is a rich variety of tools for creating, editing, observing, modeling and reporting on all aspects of Group Policy. 

As an example, my old friend ‘Barking Eddie’ spent two weeks documenting all the Group Policies for one company.  When I showed him the GPMC, he was crestfallen and said he could have done that same job in half an hour with GPMC.

GPMC (Group Policy Management Console) Introduction

Microsoft designed the GPMC for Windows Server 2003.  For this version get your copy of GPMC.msi as a download from Microsoft’s site.  For Windows Server 2008 GPMC you obtain this MMC via ‘Add Features’.

The GPMC unifies Group Policy management across your Active Directory forest.  Before the GPMC, administrators needed multiple tools to manage Group Policy: the Microsoft Active Directory Users and Computers, the Delegation Wizard, and the ACL Editor.  Not only does the GPMC integrate the existing Group Policy tools, but it also brings the following exciting new capabilities:

  • A user interface that makes it easier to create and edit each Group Policy.
  • New WMI filtering means that you can apply policies to a particular machine, or only if there is enough disk space.
  • Interfaces to back up, restore, import, and copy Group Policy Objects (GPOs).
  • Simplified management of Group Policy-related security.
  • Reporting for GPO settings and Resultant Set of Policy (RSoP) data.

Getting Started with Windows Server Group Policy Management Console

After I downloaded the GPMC from Microsoft’s site (or Added Feature), I installed the application by double clicking GPMC.msi.  At first I carried on in my old ways.  When I wanted to check a group policy I launched Active Directory Users and Computers and right-clicked the domain, properties, and thence to the Group Policy tab.  (See Diagram.)

However I soon found that you could add a GPMC snap-in to the MMC, and this is now my preferred method of accessing the GPMC.  Right from the outset GPMC gives you the big picture.  The GUI encourages you to survey the range of places to look for Group Policies, from the Forest at the top, through to the Domain and down to the Sites.

The OU Group Policies are hidden under the domain.  Note that OUs have a little book symbol that is absent from container objects such as Users, Builtin and Computers.  What this means is that if you see the book symbol then you can create a Group Policy, whereas if all you see is a blank yellow folder, then you cannot create a Group Policy at that location.  The GPMC also lists any Models or Policy Results.

Gpupdate

I am so pleased that Windows 2000’s Secedit has been superseded by Gpupdate on XP and later; the old Secedit syntax was horrendous.  Mostly, I just run plain Gpupdate in a ‘Dos Box’; occasionally, I append the following switches:

/force reapplies all settings.

/target:computer  or /target:user applies only the user or computer section of your policy.  Normally I would use plain Gpupdate without the optional target switch.

/logoff   Useful for settings that do not apply until the user logs on again.

/boot   Handy for configurations which need the computer to restart. 
          N.B. /boot does not mean apply the settings every time the computer reboots.

Gpresult

While I prefer the 2003 Group Policy Management Console above, Gpresult is a handy command line utility to display the results of Group Policy.  What I particularly like is the /user switch.  Take the example where you are logged on as the administrator, but wish to test the settings of a user called Psycho.  Rather than logoff then logon as that user, just type: gpresult /USER psycho.  Do remember the /USER.  This command would be a mistake: gpresult /psycho.

Dcgpofix

This handy command line utility restores the two default Group Policy objects (Domain and Domain Controllers) to their original state.  You will find this ‘get out of jail card’, dcGPOfix, in the \windows\repair folder.  However, because the \windows folder is in the ‘Path’, you can just run dcGPOfix in a ‘Dos Box’.

Syntax and Switches

dcgpofix [/ignoreschema][/target: {domain | dc | both}]

Example: dcgpofix /target:domain

Caution

This tool will restore the default domain policy and also the default domain controllers policy to their state just after installation.  Naturally, when you run dcgpofix, you lose all changes made to these Group Policies.

By specifying the /ignoreschema parameter, you can enable Dcgpofix.exe to work with different versions of Active Directory. However, default policy objects might not be restored to their original state. To ensure compatibility, use the version of Dcgpofix.exe that is installed with the operating system.
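Because dcgpofix discards every change made to the two default GPOs, it is worth taking a backup and a settings report of both first. The following is an added example, not part of the original article: it assumes the GroupPolicy PowerShell module (shipped with GPMC on Windows Server 2008 R2 and later), and `$BackupRoot` is a hypothetical path.

```powershell
# Added example: snapshot the two default GPOs before dcgpofix resets them.
# Assumption: the GroupPolicy module is available (GPMC / RSAT installed).
Import-Module GroupPolicy

$BackupRoot = 'C:\GPOBackup'                       # hypothetical location
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest       = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# The two default GPOs have the same well-known GUIDs in every domain,
# so they can be found even if someone has renamed them.
$defaults = [ordered]@{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

$results = foreach ($name in $defaults.Keys) {
    $guid = [guid]$defaults[$name]

    # Stop immediately if the GPO cannot be read; a partial backup is misleading.
    $gpo    = Get-GPO -Guid $guid -ErrorAction Stop
    $backup = Backup-GPO -Guid $guid -Path $dest `
                         -Comment "Pre-dcgpofix $stamp" -ErrorAction Stop

    # A human-readable report of the current settings, for comparison afterwards.
    $report = Join-Path $dest ('{0}.html' -f $name.Replace(' ', '_'))
    Get-GPOReport -Guid $guid -ReportType Html -Path $report

    [pscustomobject]@{
        Gpo          = $gpo.DisplayName
        LastModified = $gpo.ModificationTime
        BackupId     = $backup.Id
        Report       = $report
    }
}

$results | Format-Table -AutoSize

# Only after both backups exist would you run, from an elevated prompt:
#   dcgpofix /target:both
```

If the reset removes a setting you still need, `Restore-GPO -Guid <guid> -Path <backup folder>` brings that GPO back from the backup taken here.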

Dsacls.exe

Here is a command-line tool for querying the security attributes.  You can also employ Dsacls to change permissions and security attributes of Active Directory objects.

Think of Dsacls as the command-line equivalent of the Security tab in the Active Directory Users and Computers.  It’s also handy to lock out Terminal Services end-users from files and folders on a Windows Server 2003 computer.

RSoP Snap-in (Resultant Set of Policy)

Microsoft provides a snap-in called RSoP for showing a given combination of policy settings.  I find that if you install the GPMC, then you do not really need this RSoP.  However, if you have Windows 2000 and no GPMC then the RSoP is intuitive to use and comes in two modes:

  • Logging mode. In logging mode, the RSoP snap-in tracks the policies that you apply. In this mode, the tool shows the actual policies for a given user or computer.
  • Planning mode. In planning mode, the snap-in indicates the set of policies that would be applied if you deployed the policy. You can perform what-if analyses on the user and computer, the domain, and the organizational unit.

Changes to Group Policy Management Console in Windows Server 2008

The idea of Windows Server 2008 ‘Preferences’ is that the administrator establishes the very best first logon settings for the users.  Thereafter, each individual can override the ‘Suggestions’ without fear of having their new settings reversed by ‘big brother’.

Other benefits include the ability to set preferences for applications and registry settings which are outside the scope of traditional Group Policy templates.  If you need fine control over who starts with which setting, look out for ‘Preference item-level targeting’.

Should Group Policy Preferences appear too slack, you can regain control through the ability to ‘refresh’ the user’s settings.  However, by default, and in keeping with the whole spirit of preferences, the principle is to advise, but then let the user choose their own environment.

Summary of Windows Server 2003 Group Policy Management Console

You can use Group Policy Management Console (GPMC) to manage Group Policy.  Remember that you need Active Directory to make use of the GPMC.  The traditional clients are running Windows XP while the servers are running Windows 2003.  

