What is Group Policy Management Console (GPMC)?
Group Policy Management Console (GPMC) is a Microsoft Management Console snap-in that provides a graphical user interface that enables Active Directory (AD) administrators to manage Group Policy Objects (GPOs) from one console.
Before GPMC, administrators had to use many tools to create, edit and import settings; back up and manage GPOs; and apply them to specific users or computers in the domain. GPMC provides a view of all GPOs, organizational units (OUs), domains and sites across an enterprise and enables editing settings within individual GPOs. Also, GPMC combines the functionality of such tools as AD Users and Computers, AD Sites and Services, Resultant Set of Policy, Access Control List Editor and GPMC Delegation Wizard.
For developers, GPMC includes a set of programmable interfaces for managing Group Policy with scripts or C/C++, which permits the creating, backing up, restoring, importing, copying, deleting and renaming of GPOs; linking GPOs and Windows Management Instrumentation filters; and completing several reporting tasks.
What is Enforce in Group Policy Management Console?
Enforce is a setting in GPMC that determines whether the policy settings configured in a GPO are actively enforced on computers and users covered by those settings. Whenever GPMC is set to Enforce, it applies all configured policy settings to those computers and users. Whenever it is not set to Enforce, none of the GPO’s policy settings are applied, even if configured.
Group Policy settings are inherited from parent containers to child containers in a hierarchical structure by default. If a setting does not define a child container’s GPO, it inherits the setting from its parent container’s GPO.
When a GPO is enforced, it ensures that its settings are applied across all users and computers within its scope, regardless of any other conflicting GPOs linked to parent containers.
Enforcing a GPO creates a “no override” policy setting on the GPO, which prevents any other GPOs linked to parent containers from overriding the GPO’s settings. When enforcing multiple GPOs at various levels in the hierarchy, the GPO with the highest enforcement level precedes any conflicting settings from lower-level GPOs.
The Enforce option must be used with caution because it can result in unexpected consequences, especially when it is not managed correctly. Organizations must Enforce a GPO only when necessary, for example, to ensure that critical settings are applied consistently and without conflict.
How to open Group Policy Management Console
To open GPMC on a Windows device, follow these steps:
- Press the Windows key + R to open the Run dialog box.
- In the Run dialog box, type gpmc.msc, and press Enter or click OK.
- The GPMC window opens and displays a hierarchical view of the AD forest and domains.
Alternatively, you can also open GPMC using the following method:
- Click on the Start menu. Search for Group Policy Management Console or GPMC.
- Click on the search result to open GPMC.
How to edit GPO in Active Directory
To edit a GPO in AD, follow these steps:
- Open GPMC by typing gpmc.msc in the Run dialog box or by searching for Group Policy Management Console in the Start menu.
- Navigate to the GPO folder for the domain or OU, and locate the GPO you want to edit.
- Right-click on the GPO you want to edit, and select Edit from the context menu. This opens the GPO in Group Policy Object Editor.
- You can navigate the different policy sections by expanding the folders in the left pane of Group Policy Editor. Each policy section contains a set of policies that can be configured for the GPO.
- To edit a policy setting, double-click on it, or right-click on it and select Edit. This opens the policy configuration dialog box, where you can modify the setting.
- After making changes to the policy settings, click OK to save the changes and close the configuration dialog box.
Once you have finished editing, close Group Policy Object Editor and GPMC. It is important to note that changes do not take effect until the GPO links to a site, domain or OU. All affected users or computers must also reboot or update their Group Policy.