- Knowledge base
- Active Directory management
- Active Directory reports
- Active Directoy integrations
- Active Directory automation
- Active Directory delegation
- Governance, risk, and compliance
- Microsoft 365 management and reporting
- AD migration
- Access certification
- Identity risk assessment
- Risk exposure management
- FAQs
- Pricing
- Online demo
- Request support
- Get quote
Group Policy Management Console (GPMC) explained
The Group Policy Management Console is a unified interface that helps administrators manage all aspects of Group Policy Objects (GPOs) across an Active Directory (AD) environment. It allows you to view GPO configurations, link and unlink GPOs, backup and restore GPOs, and more. Similar to Active Directory Users and Computers (ADUC), the GPMC is a Microsoft Management Console snap-in. By centralizing Group Policy administration, the GPMC increases efficiency, improves security, and provides better control over your IT infrastructure.
What is a Group Policy Object?
A GPO is a group of settings that can be customized to define the resources a user or computer can view or access. The scope of a GPO can be limited to a single local computer or extended to organizational units (OUs), domains, or sites. When you assign a GPO to a container, it is called "linking" the GPO. You can restrict how the GPOs are applied by using security groups to filter which users or groups the GPO will affect, or you can block GPOs by disabling inheritance. A Windows Management Instrumentation (WMI) filter can also be used to restrict the application of a GPO.
Before the GPMC was introduced, there was no single unified tool for Group Policy management. Users had to use multiple tools like the ADUC snap-in, the Active Directory Sites and Services snap-in, the Resultant Set of Policy snap-in, Delegation Wizard within GPMC, and the ACL Editor for GPO management. The GPMC does not replace the ADUC snap-in but instead provides a unified console for managing GPOs.
What can you do with the GPMC?
With GPMC, you can perform the following operations:
- Create, modify, delete, and report on GPOs, as well as manage their application scope
- Link or unlink GPOs to OUs as needed
- Set and delegate permissions for secure GPO management
- Monitor and manage the status of GPOs
- Search for GPOs across the entire forest or specific domains
- Run Group Policy modeling to simulate and analyze policy impact
- Back up, restore, and import GPOs for disaster recovery or migration
Why use the GPMC?
GPMC offers several benefits that make managing policies across AD environments more efficient and secure. Here are four reasons to use GPMC:
- Centralized management
GPMC provides a unified interface for managing all aspects of Group Policy, eliminating the need to switch between multiple tools like ADUC and Active Directory Sites and Services. Administrators can also manage GPOs across different domains and even forests from a single console, offering a holistic view and control over the entire Group Policy infrastructure.
- Simplified GPO Operations
GPMC features a user-friendly, hierarchical tree structure that makes it easy to navigate through Active Directory and locate specific domains, OUs, and GPOs. Applying policies to domains or specific OUs is simplified through easy linking and unlinking functionalities. GPMC also clearly visualizes the link order, helping you understand which link takes precedence over the others.
- Enhanced troubleshooting and planning
The Group Policy Modeling feature allows you to simulate the effect of GPOs on specific users and computers before deployment. This helps you understand and troubleshoot unintended outcomes before you apply the GPOs organization-wide.
- Improved security and compliance
GPMC enables consistent application of security policies, password complexity requirements, user rights assignments, and other configurations across your AD environment. This helps enforce a standardized security posture and reduce vulnerabilities. The ability to apply GPOs to specific OUs, users, or computers—combined with WMI filtering—helps ensure that the right policies are applied to the right objects.
How to install the Group Policy Management Console?
To install the GPMC on Windows Server 2012 or later, follow the steps below:
- Go to Start > Control Panel > Programs and Features and select Turn Windows features on or off.
- In the Add Roles and Feature Wizard window that opens, proceed to the Features tab in the left pane.
- From the list of features, select Group Policy Management and click Next.
- Click Install.
To install GPMC on Windows 10 version 22H2 or later, follow the steps below:
- Go to Start > Settings > System.
- Select Optional features from the left pane and click + Add a feature.
- Select RSAT: Group Policy Management Tools and click Add.
To install GPMC on Windows 8 or later, follow the steps below:
- Download and install Remote Server Administration Tools from here for Windows 8, Windows 8.1, and Windows 10.
- Navigate to Start > Control Panel > Programs and Features > Turn Windows features on or off.
- Navigate to Remote Server Administration Tools > Feature Administration Tools and select Group Policy Management Tools.
- Click Install.
Once installed, you can open the GPMC by following the steps below:
- Press the Windows key + R to open the Run dialog box.
- Type gpmc.msc and click OK.
- Alternatively, you click Start and search for Group Policy Management Console.
- Open the GPMC.
- Expand the domain tree and right-click the container you wish to create the GPO in.
- Click New.
- In the New GPO window that opens, enter a name for the new GPO, and then click OK.
Limitations of the GPMC
While the GPMC is the primary tool for managing Group Policy in AD, it presents several challenges, particularly in large and dynamic environments. Here are four limitations of the GPMC:
- Lack of bulk operations: While you can manage GPOs and links, performing bulk operations such as linking a single GPO to multiple OUs simultaneously, or enabling/disabling multiple GPOs at once is time-consuming.
- Limited reporting capabilities: GPMC's reporting is good for individual GPOs or specific user and computer results but lacks advanced insight to identify unused, unlinked, or disabled GPOs.
- No workflow or automation: GPMC lacks native support for automating routine GPO-related tasks and requires external scripts which requires advanced knowledge and are prone to errors.
- Complex delegation: While GPMC allows for delegation of GPO management, setting up granular, role-based access control (RBAC) can be complex and requires deep understanding of AD permissions.
How ADManager Plus simplifies Group Policy management
ManageEngine ADManager Plus is an integrated AD management and reporting solution with GPO management and reporting capabilities. You can simplify GPO management by configuring GPOs in bulk and monitor compliance with access to the audit trail of all changes via GPO reports.
Here are some of the supported GPO capabilities in ADManager Plus:
- Create GPOs and instantly link them.
- Edit GPOs and their user and computer settings.
- Manage GPOs by enabling, disabling, or deleting them.
- Manage GPO links by enabling, disabling, or removing them.
- Enforce GPOs and block or unblock inheritance of GPO links.
- Generate reports on GPO status, settings, scope, and more.
- Migrate GPOs across domains in a forest.
- Gain insights on frequently modified GPOs, recently created GPOs, and more.
