In contemporary computing networks, network administrators define policies for users and computer systems of that network. With a Microsoft Windows®-based operating system, administrators use Group Policy technology to define the state of users' work environment, and rely on the system to enforce the defined policies. In general, those policies are then applied to determine how the various computer systems are configured. For example, the configuration that a user sees when logged onto any computer system of the network depends on the policy settings for that machine in combination with the policy settings for that user.
In such a network, Group Policy can be used to specify many of the settings for a user and computer, including registry-based policy settings used to configure and specify behavior of the operating system and optionally application programs based on settings in various computer systems' registries, and script-related policy settings that control scripts for computer startup and shutdown, and user logon and logoff. Group Policy can also specify particular software programs for groups of users and/or machines, as Group Policy includes settings for centrally managing the installation, updates, and removal of application programs and components. Security options are also provided by policy settings, e.g., for local computer, domain, and network security settings. Folder redirection options, which allow administrators to redirect users' special folders to the network, also may be managed via Group Policy, as can Internet Explorer Maintenance, which is used to manage settings related to Internet Explorer, and Remote Installation Services options, which are used to manage client configuration options that users see when performing Remote Installation Services-based installs. Internet Protocol Security settings and wireless settings can also be deployed through Group Policy, and public key policy settings, as well as software restriction policies, can also be managed.
To apply and enforce the policy in a Windows®-based operating system, the Group Policy settings that administrators create are contained in group policy objects (GPOs), which in turn are applied to one or more scopes of management, such as a site, domain, or organizational unit (OU) in Active Directory®. A site, domain, or organizational unit may also be referred to as a scope of management, or SOM. In this manner, administrators centrally apply policy to users and computers of those sites, domains, and organizational units. Policy settings from each of these different hierarchical levels are combined and applied to the policy recipients. Any conflicting policy among the levels is resolved via various rules, as generally described in U.S. Pat. No. 6,466,932, herein incorporated by reference.
While group policy is a very powerful technology, and group policy objects greatly simplify network administration, group policy objects are not simple objects, but rather virtual objects comprising complex pieces of setting definitions that are stored on the domain. In general, each group policy object comprises multiple subcomponents, typically including a collection of many files, other objects and attributes, that reference one another in various ways.
Furthermore, managing Group Policy in an enterprise environment requires an understanding of multiple sets of data simultaneously. For example, to understand which computers and users will receive and apply the settings in a group policy object, the administrator has to access and understand multiple sets of information, including the scopes of management to which the group policy object is linked, the security filtering on a group policy object, and the WMI filter, if any. Heretofore, this data was not available to an administrator in one consolidated view.
Another problem is that a group policy object can be associated with multiple scopes of management, and thus when editing the contents of a group policy object, the administrator needs to fully understand that a group policy object may be linked to more than one scope of management, which is not readily apparent in prior tools, nor is it apparent that a link to a group policy object is not the group policy object itself. Inheritance adds further complexity, because multiple group policy objects can be applied to a given scope of management, and group policy objects can also be inherited from parent scopes of management, whereby it may be very difficult for an administrator to understand which group policy objects apply at a given scope of management. Furthermore, although group policy objects are inherited by default, it is possible to block this, as well as selectively enforce some links. Although this provides significant flexibility to the administrator, complexity is also increased.
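The inheritance rules described above, worked through as an added example (not code from the original document): a simplified Python model in which enforced links survive a block and are applied last, plus a reverse lookup of every scope of management a group policy object is linked to. The class names, function names and sample hierarchy are assumptions made for illustration; site-level links, security filtering and WMI filters are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False

@dataclass
class SOM:
    name: str
    parent: "SOM | None" = None
    links: list = field(default_factory=list)  # lowest precedence first
    block_inheritance: bool = False

def applied_gpos(som):
    """GPO names in application order; a later entry wins a conflict."""
    chain = []
    while som:
        chain.append(som)
        som = som.parent
    chain.reverse()  # top-level SOM first
    # Non-enforced links above the deepest blocking SOM are dropped.
    start = max((i for i, s in enumerate(chain) if s.block_inheritance), default=0)
    normal, enforced = [], []
    for i, s in enumerate(chain):
        mine = [l.gpo for l in s.links if l.enforced]
        if mine:
            enforced.insert(0, mine)  # higher SOMs end up later, so they win
        if i >= start:
            normal += [l.gpo for l in s.links if not l.enforced]
    return normal + [g for group in enforced for g in group]

def linked_soms(gpo, soms):
    """Every SOM holding a link to the GPO: the scopes an edit would reach."""
    return [s.name for s in soms if any(l.gpo == gpo for l in s.links)]

# Constructed sample hierarchy (all names are made up).
domain = SOM("corp.example", links=[Link("Baseline Security", enforced=True),
                                    Link("Default Domain")])
servers = SOM("Servers", parent=domain, links=[Link("Server Hardening")])
lab = SOM("Lab", parent=servers, block_inheritance=True,
          links=[Link("Lab Relaxed"), Link("Server Hardening")])

if __name__ == "__main__":
    for s in (servers, lab):
        print(s.name, "->", applied_gpos(s))
    print("Server Hardening linked at:",
          linked_soms("Server Hardening", [domain, servers, lab]))
```

In the sample, the "Lab" scope blocks inheritance yet still receives the enforced domain-level object, and editing "Server Hardening" would reach two scopes at once.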
As a result, managing group policy requires a sophisticated understanding of various sets of data. At the same time, the prior toolset for managing group policy is complex yet fairly limited, making it difficult for administrators to understand the group policy environment and thus make effective use of group policy. In sum, what is needed is a user interface for managing group policy that makes the interrelationships between the various sets of group policy related data clear, and enables the administrator to more easily and efficiently focus on the management task at hand.