Managing Browser Settings with Group Policy Tools
If you use Active Directory Domain Services (AD DS) to manage your network, you can use the comprehensive set of policy settings that Group Policy provides to manage Internet Explorer 10 after you have deployed it to end users' computers. The following tools provide different ways to manages policies and settings.
Administrative Templates. You can use the Administrative Template policy settings to manage registry-based policies for hundreds of Internet Explorer 10 options, including security options.
Group Policy preferences. You can use Group Policy preference settings to configure options that users can change later.
We recommend that you manage Internet Explorer 10 by using the Administrative Template settings in Group Policy whenever possible, because these settings are always written to secure Policy branches in the registry. Additionally, we recommend that you deploy standard user accounts instead of allowing users to log on to their computers as administrators, preventing users from making unwanted changes to their systems or overriding Group Policy settings.
Users are unable to change managed settings through the Internet Explorer 10 user interface or by modifying the registry. Most of the browser settings managed through the Internet Explorer Administration Kit 10 (IEAK 10) provide preferences that users can modify after they are applied.
Group Policy management tools
Several tools are available to create, manage, view, and troubleshoot GPOs. The following sections describe many of these tools and provide links for learning more about them. These include:
Group Policy Management Console (GPMC)
Group Policy Management Editor (GPME)
Advanced Group Policy Management (AGPM)
Group Policy Management Console
The GPMC provides unified management of all aspects of Group Policy across multiple forests in an organization. By using the GPMC, you can manage all GPOs, Windows Management Instrumentation (WMI) filters, and Group Policy–related permissions on your network. The GPMC is your window into Group Policy, with all the Group Policy management tools available from the GPMC interface.
The GPMC provides a Microsoft Management Console (MMC)-based user interface and a set of scriptable interfaces for managing Group Policy. The 32-bit and 64-bit versions of the GPMC are included with Windows Server 2008 and Windows Server 2008 R2. Capabilities that the GPMC provide include:
Importing and exporting GPOs.
Copying and pasting GPOs.
Backing up and restoring GPOs.
Searching for existing GPOs.
Reporting capabilities, including Resultant Set of Policy (RSoP) data in HTML reports that you can save and print.
Group Policy Modeling, which allows you to simulate RSoP data for planning Group Policy deployments before implementing them in the production environment.
Group Policy Results, which allows you to obtain RSoP data for viewing GPO interaction and for troubleshooting Group Policy deployments.
Migration tables, which facilitate importing and copying of GPOs across domains and across forests. A migration table is a file that maps references to users, groups, computers, and Universal Naming Convention (UNC) paths in the source GPO to new values in the destination GPO.
Scriptable interfaces, which support all operations that are available within the GPMC. You cannot, however, use scripts to edit individual policy settings in a GPO.
For more information about the GPMC, see the article Group Policy Management Console on TechNet.
Group Policy Management Editor
When you open a GPO to edit it, the GPMC opens the GPME window. The GPME provides a user interface for editing settings within an individual GPO. Examples of the types of settings you can configure by using the GPME include:
|Computer Policies||User Policies|
Advanced Group Policy Management
Part of MDOP, AGPM is an add-on license for Software Assurance customers that extends Group Policy. It provides a robust delegation model and change control to help organizations optimize Group Policy management, reduce the risk of widespread failures, and quickly recover when problems do arise.
Three concepts are important to understanding AGPM.
Edit GPOs offline. First, you use AGPM to edit GPOs, outside of the production environment. AGPM stores GPOs in the AGPM archive. Only after editing, reviewing, and approving a GPO for deployment does AGPM move the GPO into production.
Three user roles. Second, you can delegate three roles to users:
Reviewer. Reviewers can view and compare GPOs in the AGPM archive, but they cannot edit or deploy GPOs.
Editor. Editors can view and compare GPOs in the AGPM archive. They can also check GPOs out of the archive, edit GPOs, check GPOs in to the archive, and request GPO deployment.
Approver. Approvers can approve GPO creation in the AGPM archive and GPO deployment to production. (When Approvers create or deploy a GPO, approval is automatic.)
You can delegate these roles to users and groups for all controlled GPOs within the domain (that is, domain delegation). You can also delegate these roles for individual controlled GPOs.
Advanced change-control features. Third, AGPM provides advanced change-control features that can help you manage the lifecycle of GPOs. Many of the AGPM change-control concepts will be familiar to administrators who have experience using common version-control tools, such as the version-control feature in Microsoft SharePoint® Server 2010.
To change and deploy a GPO:
Check out the GPO from the archive
Edit the GPO offline as necessary.
Check in the GPO to the archive.
Request GPO deployment to production.
AGPM keeps a history of changes for each GPO. You can deploy any version of a GPO to production, so you can quickly roll back a GPO to an earlier version, if necessary. AGPM can also compare different versions of a GPO, showing added, changed, and deleted settings. Therefore, you can easily review changes before approving and deploying them to the production environment. A complete history of each GPO enables you to audit not only changes but also all activities related to that GPO.
For more information about AGPM, see the Advanced Group Policy Management 4.0 Documents.
Windows PowerShell is a command-line shell and scripting language. With Windows PowerShell, you can automate Windows and application administration on a single computer locally or many computers remotely. To help you automate Group Policy administration, Group Policy offers more than 25 “cmdlets” for Windows PowerShell. Each is a simple, single-function command-line tool. You can use the Group Policy cmdlets to perform tasks for domain-based GPOs, such as:
Create, remove, back up, and import GPOs.
Create, update, and remove Group Policy links.
Set inheritance flags and permissions on organizational units (OU) and domains.
Configure registry-based policy settings and registry settings for Group Policy preferences.
Create and edit started GPOs.
For more information about Windows PowerShell, see the Use Windows PowerShell to Manage Group Policy on the Script Center TechCenter.
Group Policy logs event messages in the System log. You can view these messages by using the Event Viewer. The event source is Microsoft-Windows-GroupPolicy.