Launching the GPMC from Windows Server 2008
To access the GPMC from a
computer running Windows Server 2008, you should first ensure that the
GPMC is installed on your computer before trying to run it from the
command prompt or Run menu option. With Windows Server 2008, you can
access the GPMC locally without any additional installations. The easiest way to do this is to perform one of the following two tasks:
Option 1:
1. | On the taskbar, click Start, and then click Run.
|
2. | In the Run dialog box, type gpmc.msc.
|
Option 2:
1. | On the taskbar, click Start, and then click Administrative Tools.
|
2. | On the Administrative Tools menu, click Group Policy Management.
|
Note
Windows
Server 2008 does not come with the GPMC installed on nondomain
controllers. For these computers, you must install it from the Server
Manager. |
Launching the GPMC from Windows Vista
To
launch the GPMC from a computer running Windows Vista, you must first
consider the service pack you are running. With no service packs,
Windows Vista comes with the older version of the GPMC installed and
ready to go, similar to Windows Server 2008. However, because of the
dramatic GPMC advancements shipping with Windows Server 2008, Service
Pack 1 for Windows Vista removes the GPMC, providing a clean slate for
the improved GPMC that is compatible with Windows Server 2008. To access
the new GPMC for Windows Vista, you must download and install the
Remote Server Administrative Tools (RSAT).
Domain Views in the GPMC
The GPMC allows you to
view your entire Group Policy infrastructure, whether you have a single
domain, a single forest that includes multiple domains, or multiple
forests. By default, the GPMC displays the domain in which the
administering computer has membership. For example, if you are using
Windows Vista to manage GPOs, the GPMC will default to the domain of
which the Windows Vista machine is a member.
If you want to add additional domains from the same forest to the GPMC interface, you can do so in just a few clicks:
1. | In the GPMC, expand the forest node in which you want to add a domain.
|
2. | Right-click the Domains node, and then click Show Domains.
|
3. | In the Show Domains dialog box, select the check box for each domain that you want to add to the GPMC.
|
This
process allows you to add all of the domains within the forest to the
GPMC for centralized management of all Group Policy for the entire
forest.
Forest Views in the GPMC
The
GPMC offers the ability to add additional domains from other forests
for Group Policy management. The process is a bit different for these
domains because they fall outside of the current forest and therefore
require additional security measures.
To add a domain from
another forest into the GPMC, some form of trust must be established
with the other domain or forest. Microsoft Windows Server 2003
introduced the ability to establish forest trust. A forest trust is not
required to manage domains from another forest, but it provides the
greatest flexibility and efficiency for managing all domains in another
forest; a domain trust is simply a one-to-one connection to a single
domain. The following options and configurations provide access to a
domain in another forest for managing Group Policy from within the GPMC:
Forest trust
between the resident forest and the desired forest containing the domain
you want to manage. This requires Windows Server 2003 or greater domain
and forest functional levels.
Two-way trust between the resident domain and the domain that you want to manage.
One-way
trust between the resident domain and the domain that you want to
manage. In addition to the trust, the trust detection configuration must
be disabled, as shown in Figure 1.
With one of these options
configured, you can add a domain from another forest to the GPMC for
administration by following these steps:
1. | In the GPMC, right-click the Group Policy Management node, and then click Add Forest.
|
2. | In the Add Forest dialog box, type the domain name for the forest you want to add; this should be the DNS domain name.
|
Note
Administrators
must establish appropriate permissions and delegations to administer
any object, including GPOs, from another domain. Ensure that the
delegations are correct before attempting to administer GPOs from
another domain. |
