1. Filtering Administrative Templates in the GPME
The search tool is
designed to find specific GPOs that match specified criteria. As an
alternative to using the search tool, you can also filter settings
within a GPO to restrict what you see in the Group Policy Management
Editor (GPME). As stated, the filter tool is per GPO, whereas the search
tool is per forest or domain, so the scope of the two tools is quite
different.
Within
the GPME, you can filter on Administrative Template settings only. If
you right-click the Administrative Templates node in the GPME, you can
click Filter Options to open the Filter Options dialog box, as shown in Figure 1.
Filter Options
The
filter tool allows you to search on nearly every possible detail within
the Administrative Templates settings, both Computer and User. Each
element of the filter tool is described here.
Managed
These are GPO settings that fall under the Policies categories for both
Computer Configuration and User Configuration. These settings are
volatile because they are located in a special part of the registry that
is dynamic. The setting allows you to focus on GPO settings that are
managed or not managed.
Configured
By default, no GPO settings are configured. They appear as Not
Configured in the interface. As soon as a setting is enabled, disabled,
or set to anything but Not Configured, they will appear in the
Configured category.
Commented
All GPO settings can have a comment associated with them. These
comments are excellent for tracking, documenting, and troubleshooting.
Not all GPOs need to have comments, which is why it is good to have a
filter that allows you to view only those settings that have a comment
associated with them.
Enable Keyword Filters
The keyword filter allows you to search for settings that are more
general. For example, you might want to find all settings that contain
the words Internet, security, or desktop.
This filter can examine the Policy Setting Title, Explain Text, and
Comment and allows you to specify any combination of these settings for
searching.
Enable Requirements Filters
The requirements filter allows you to focus on the technology that the
policy setting controls, such as Microsoft Internet Explorer, as well as
the version of the technology supported. The possible platforms that
can be configured for the requirements filter include: options related
to BITS, Internet Explorer, the Windows Server 2008 family, the
Microsoft Windows Server 2003 family, the Windows 2000 family, the
Windows XP family, the Windows Vista family, Windows Installer, Windows
Media Player, and more.
Filter Option Operators
Each section in the
Filter Options dialog box has a set of operators that also must be
configured. These options allow you to include or exclude GPO settings
from your filter. Table 1 lists the operators available for each filter area.
Table 1. Filter Options Operators
| Type of Policy Setting | Operators |
|---|
| Managed | Any
Yes
No |
| Configured | Any
Yes
No |
| Commented | Any
Yes
No |
| Enable Keyword Filters (for keyword text that is entered) | Any
All
Exact |
| Within | Policy Setting Title
Explain Text
Comment |
| Enabled Requirements Filters | Include settings that match any of the selected platforms.
Include settings that match all of the selected platforms. |
2. Reporting on GPOs
You
can use two different methods to run reports on GPOs within the GPMC.
The first is a real-time view of the GPO settings that are currently
configured in the GPO, which lets you view settings without having to
search through the GPO for them. The second view is a slightly different
view of the GPO, including not just the settings, but also the links,
delegation, filtering, and so on. This view is excellent for
documentation of the GPO’s current state.
The
first view of the GPO is built directly into the interface. It is
referred to as the Settings report and is located in the details pane of
the GPMC window. To view the Settings report for any of the GPOs,
follow these steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Expand the Group Policy Objects node.
|
3. | Select the GPO for which you want to see a report.
|
4. | In the details pane, click the Settings tab.
|
5. | In
the Internet Explorer warning dialog box, click Close or Add. (This
step might be optional, depending on your Internet Explorer security
settings.)
|
You will see the full list of settings within the GPO, for both Computer Configuration and User Configuration, as shown in Figure 2.
The second report that you
can run for a GPO is not as interactive as the Settings report, but it
is more thorough and ideal for documentation of all GPOs.
Best Practices
It
is a good idea to save reports for every GPO periodically, for
documentation and disaster recovery of all GPOs. Because the saved
reports of a GPO include all essential information about the GPO, they
provide an excellent tool for troubleshooting in case of an errant
setting or even complete disaster of your Group Policy infrastructure.
You should print the reports and keep them in a binder in the server
room for quick reference. You could also use the HTML reports on a
secure intranet site that only the administrators and Help desk staff
have access to for remote access to the settings in all GPOs. |
To run a report that you can save to HTML or XML format, follow these steps:
1. | In the GPMC, expand the forest node, and then expand the domain node.
|
2. | Expand the Group Policy Objects node.
|
3. | Right-click the GPO for which you want to save a report, and then click Save Report. The Save GPO Report dialog box appears.
|
4. | Click
Browse Folders, select the location where the report will be saved,
type a name for the report in the File Name box, and then select a file
type (HTML or XML) from the Save As Type list.
|
5. | Click Save.
|
After the report is
saved, browse to the location where you saved it and double-click it to
open it in Internet Explorer. HTML reports are extremely useful for
routine viewing of the GPO and the settings. Figure 3 shows what a typical report includes.
Note that the report contains almost every bit of information that you would want to document for the GPO. Table 2 lists the contents of the saved GPO report.
Table 2. Saved Report Information
| Report Section | Details Included |
|---|
| General - Details | Domain affiliation
Owner of GPO
Created and modified dates of GPO
User and computer versions
GUID of GPO
Status of GPO |
| General - Links | List of all GPO links to the domain node or organizational units (not including links outside the current domain or to sites) |
| General - Security Filtering | Access control list of users and groups that will be affected by GPO |
| General - WMI Filtering | List of Windows Management Instrumentation (WMI) filters linked to GPO |
| General - Delegation | Security delegation for GPO, including permissions for each user or group |
| Computer Configuration | All GPO settings that fall under the Computer Configuration portion of the GPO, listed by section |
| User Configuration | All GPO settings that fall under the User Configuration portion of the GPO, listed by section |
There is little else that you would want to document that the saved report does not provide.
