Editing Group Policies without ADUC or GPMC

Under Windows Server 2003 (and 2000), Active Directory Users and Computers was always available by just launching dsa.msc. From there you could use the legacy Group Policy management interface if you didn’t have the GPMC loaded. Windows Server 2008 machines no longer have ADUC loaded by default unless you are either on a domain controller or have installed the management tools. This makes the scenario where you need to edit a Group Policy locally a bit more complicated.

The good news is that the Group Policy Editor itself is there on Windows Server 2008 machines; you just can’t graphically browse to a GPO (so far as I know). If you launch gpedit.msc, the local machine policy is pulled up. Adding the snap-in manually to an MMC allows you to target another machine for editing its local policy.

The gpedit.msc console will however accept an argument at startup pointing it to a GPO in the domain. To do this you’ll need the GUID of the policy you’re looking to edit. If you go to the Details tab after selecting the GPO in question from the GPMC on another machine, the GUID is adjacent to the Unique ID label, and you can select the GUID and copy it to the clipboard.

If, for example, you wanted to edit the GPO with GUID {0F0AB6A5-A700-4493-9D0E-DCCA40D2E27B} in domain briandesmond.net, you could run the following command:

gpedit.msc /gpobject:"LDAP://CN={0F0AB6A5-A700-4493-9D0E-DCCA40D2E27B},CN=Policies,CN=System,DC=briandesmond,DC=net"
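
The following PowerShell helper is an added example, not part of the original post. It builds the /gpobject path from a domain name and a GUID, and can also find the GUID from the GPO's display name when no GPMC is at hand. The function name Get-GpoLdapPath is hypothetical; it assumes PowerShell 2.0 or later, a domain-joined machine, an account that can read the Policies container, and a domain DN that follows the DNS name.

```powershell
function Get-GpoLdapPath {
    param(
        [Parameter(Mandatory = $true)][string]$DomainDnsName,
        [string]$Guid,
        [string]$DisplayName
    )
    if (-not $Guid -and -not $DisplayName) { throw 'Supply -Guid or -DisplayName.' }

    # briandesmond.net -> DC=briandesmond,DC=net
    $labels = @($DomainDnsName.Split('.') | ForEach-Object { "DC=$_" })
    $container = 'CN=Policies,CN=System,' + [string]::Join(',', $labels)

    if (-not $Guid) {
        # GPOs are groupPolicyContainer objects whose cn is the braced GUID.
        # Escape LDAP filter metacharacters so the name is matched literally.
        $escaped = $DisplayName.Replace('\', '\5c').Replace('*', '\2a').
                                Replace('(', '\28').Replace(')', '\29')
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$container")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectClass=groupPolicyContainer)(displayName=$escaped))"
        $searcher.SearchScope = 'OneLevel'
        [void]$searcher.PropertiesToLoad.Add('cn')

        $hits = @($searcher.FindAll())
        if ($hits.Count -ne 1) {
            # Display names are not unique in AD; refuse to guess which GPO to open.
            throw "Expected exactly one GPO named '$DisplayName', found $($hits.Count)."
        }
        $Guid = [string]$hits[0].Properties['cn'][0]
    }

    # Parsing rejects malformed input; 'B' re-emits the braced form the CN uses.
    $parsed = New-Object System.Guid($Guid)
    $braced = $parsed.ToString('B').ToUpper()
    "LDAP://CN=$braced,$container"
}

# Usage with the GUID and domain from the example above
$path = Get-GpoLdapPath -DomainDnsName 'briandesmond.net' `
                        -Guid '{0F0AB6A5-A700-4493-9D0E-DCCA40D2E27B}'
Start-Process gpedit.msc -ArgumentList "/gpobject:`"$path`""
```

Passing -DisplayName instead of -Guid performs the directory lookup, and the function stops rather than opening an editor if the name matches zero or several GPOs.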
