Core Group Policy Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Group Policy Tools
Group Policy Settings
Group Policy WMI Classes
This section summarizes the tools and settings associated with Group Policy.
Group Policy Tools
The following is a list of administrative tools associated with Group Policy. For more information about Group Policy administrative tools, see the following topics in this collection:
For information about tools specific to Group Policy extensions, see the appropriate Group Policy Components topics in this collection. For more information about other Resource Kit tools, see the Windows Server 2003 Deployment Kit Tools page.
This tool is used for refreshing local and Active Directory policy settings on the computer from which you run the GPUpdate command.
This command-line tool is included in Windows XP and Windows Server 2003.
You can use GPUpdate locally on Windows XP and higher computers to refresh policy immediately. On computers running Windows 2000, this behavior is provided by the using the secedit.exe command line tool, with a specific parameter.
GPUpdate refreshes local Group Policy settings and Group Policy settings that are stored in Active Directory, including security settings, on the computer from which it is run. This command supersedes the now obsolete /refreshpolicy option for the secedit command line tool. For more information about GPUpdate, type GPUpdate /? at the command line.
GPResult.exe is a Group Policy tool for examining the settings applied during Group Policy refresh.
There are two versions of GPResult: One shipped with the Windows 2000 Resource Kit; the other is included with Windows XP and Windows Server 2003. The Windows 2000 version runs only locally on Windows 2000. The windows Server 2003 version runs locally or remotely on Windows XP or Windows Server 2003.
The different versions are not compatible.
GPResult utilizes Resultant Set of Policy (RSoP) data. You can use GPResult that shipped with Windows Server 2003 family on Windows XP and higher computers. You can use GPResult that shipped with Windows 2000 Resource Kit for Windows 2000.
GPResult for Windows Server 2003 displays Group Policy settings and Resultant Set of Policy (RSoP) for a user or a computer. Because you can apply overlapping levels of policies to any computer or user, the Group Policy feature generates a resulting set of policies at logon. GPResult displays the resulting set of policies that were enforced on the computer for the specified user at logon.
GPResult for Windows 2000 estimates the Group Policy settings that would be applied at a specific computer. Full documentation for this version of GPResult is available in the readme file distributed with the tool.
Dcgpofix ships with Windows Server 2003.
You can run Dcgpofix only on servers running Windows Server 2003 family. This tool can restore default domain policy and default domain controllers policy to their original state after installation, except for some security-related settings that are impossible to return to their exact original state. When you run Dcgpofix, you will lose any changes made to these Group Policy objects. For more information about Dcgpofix, type Dcgpofix /? at the command line.
This tool should be used as a last-resort disaster-recovery tool. A better solution is to use GPMC to back up and restore these GPOs.
GPMonitor.exe: Group Policy Monitor Tool
Group Policy Monitor tool is included in the Windows Server 2003 Deployment Kit.
The Group Policy Monitor tool works on Windows XP and higher computers. Group Policy Monitor tool collects Group Policy information at every Group Policy refresh and sends that information to a centralized location that you specify. You can then use the Group Policy Monitor user interface (UI) to view the data. The Group Policy Monitor UI can provide a historical view of policy changes. The UI is also designed to make it easy to navigate through historical snapshots of data and trace changes. For more information about the Group Policy Monitor tool, type GPMonitor /? at the command line. You can find full documentation for the Group Policy Monitor tool in the Windows Server 2003 Deployment Kit Tools.
GPOTool.exe: Group Policy Verification Tool
Group Policy Verification tool is included in the Windows Server 2003 Deployment Kit.
The Group Policy Verification tool works on Windows 2000 and higher computers. You use Group Policy Verification tool to check the health of the Group Policy objects on domain controllers. The tool checks GPOs for consistency on each domain controller in your domain. The tool also determines whether the policies are valid and displays detailed information about replicated Group Policy objects (GPOs).
GPOTool.exe ships with the Microsoft Windows 2003 Server Resource Kit and is also available as a free download at the Gpotool.exe: Group Policy Verification Tool page.
For more information about the Group Policy Verification tool, type GPOTool /? at the command line. You can find full documentation for Group Policy Verification tool in the Windows Server 2003 Deployment Kit Tools.
AdmX.exe: ADM File Parser
The ADM File Parser (AdmX) is a command-line tool that enables an administrator to export Group Policy settings to a tab-delimited text file. The administrator can then use the text produced by ADM File Parser (AdmX) to find changes for the policy settings between different versions of the operating systems. AdmX is for use only with policies based on administrative templates.
The AdmX.exe tool runs on Windows 2000, Windows Server 2003, and Windows XP Professional. AdmX.exe also requires the Microsoft .NET Framework 1.0.
Administrators use AdmX.exe to extract policy setting information from .adm files and to list differences between two .adm files.
For more information about the ADM File Parser, type AdmX.exe /? at the command line.
For information about tools specific to Group Policy extensions, see the appropriate Group Policy Components Tools topics in this collection.
Group Policy Settings
Many Group Policy settings are configurable within the Administrative Template (.adm) files supplied with Windows 2000 and Windows Server 2003. Administrators can access these files from the Group Policy Object Editor for a specific GPO, and can configure Group Policy settings contained in the template files.
A registry setting exists for a Group Policy template setting only when the setting state has been changed from Not Configured to either Enabled or Disabled. You can change the setting state from the appropriate Administrative Template node in the Group Policy Object Editor.
To download a complete reference to the Group Policy settings in the .adm files supplied with Windows Server 2003, see the Group Policy Settings Reference for Windows Server 2003. This reference is in Microsoft Excel spreadsheet format.
For a reference to settings specific to Group Policy behavior, and for a list of registry locations that are associated with Group Policy on the domain controller, target, or both, see the Group Policy Object Editor Tools and Settings topic in this collection.
For a reference to settings specific to Group Policy extensions, see the appropriate Group Policy Components topics in this collection.
Group Policy WMI Classes
For complete information about WMI classes associated with Group Policy, see the WMI SDK documentation on MSDN.
The following resources contain additional information that is relevant to this section.
The Group Policy Administrative Tools topic in this collection.
The Group Policy Object Editor Tools and Settings topic in this collection.
The What Is Group Policy Management Console? topic in this collection.
The What Is Resultant Set of Policy? topic in this collection.
The appropriate Group Policy Components Tools topics in this collection.
The Group Policy Management Console page.
The Group Policy Settings Reference for Windows Server 2003.
The Microsoft Platform SDK page.
The Windows Server 2003 Deployment Kit Tools page.