Group Policy Modeling is a
feature of the GPMC that allows administrators to see what settings will
apply to a specific user or computer if that object is placed in a
specified location in Active Directory. This allows the administrator to
see and evaluate the potential GPO settings, before the settings
actually apply to the object. This modeling can make administrative
tasks much more efficient and reduce downtime that could result from
settings causing negative effects on the target objects.
The
Group Policy Modeling utility is a built-in feature of the GPMC that
you can easily configure with a wizard. The wizard helps with all of the
important configurations necessary to model the environment of the user
or computer object when it is moved to a different location in Active Directory. To generate a report using the Group Policy Modeling utility, follow these steps:
1. | In the GPMC, right-click the Group Policy Modeling node, and then click Group Policy Modeling Wizard.
|
2. | On the Welcome to the Group Policy Modeling Wizard page, click Next.
|
3. | On
the Domain Controller Selection page, select the domain from the Show
Domain Controllers In This Domain list and the domain controller from
the Process The Simulation On This Domain Controller options that you
want to use for the model, and then click Next.
Note Ensure
that you select a domain controller running Windows Server 2003 or
later if you want to include settings and results that only Windows 2003
is aware of. Examples of these settings include wireless settings and
some security settings. |
|
4. | On the User and Computer Selection page, select information about the user and computer objects, and then click Next.
You can choose information about both types of objects, or just
one of them. Here, you can choose an Active Directory path (using the
LDAP syntax, such as CN=OU1, DC=fabrikam, DC=com), or you can specify
the exact object (using the domain name followed by a slash and the
object name, such as FABRIKAM\Administrator). You can either type the
information directly or click Browse to find the container or object
that you want to use in the report.
Note At
this point, or after any of the subsequent dialog boxes, you can choose
to collect information only to that point and run the report based on
what you have collected. You can do this by selecting the check box
labeled Skip To The Final Page Of This Wizard Without Collecting
Additional Data, and then clicking Next. |
|
5. | On the Advanced Simulation Options page, you have the option to configure the following considerations, as shown in Figure 1:
- Slow links: Select the Slow Network Connection (For Example, A Dial-Up Connection) check box.
- Loopback: Select the Loopback Processing check box, and then select either Replace or Merge.
- Site GPOs: Select the appropriate Active Directory site from the Site list.
|
6. | On
the Alternate Active Directory Paths page, select an optional new
network location for the user or computer. You can enter the path
manually by using the LDAP syntax, or you can browse for the path by
clicking Browse.
|
7. | On
the User Security Groups page, click Add to include additional security
groups that the user has membership in, or will have membership in when
running the model. Click Remove to remove unwanted security groups from
the list box. Then click Next.
|
8. | On
the Computer Security Groups page, click Add to include additional
security groups that the computer has membership in, or will have
membership in when running the model. Click Remove to remove unwanted
security groups from the list box. Then click Next.
|
9. | On
the WMI Filters for Users page, select the WMI filters that should be
considered for the user object in the model. You can select all of the
WMI filters that are available or select just a few by selecting the
Only These Filters option. Then click Next.
|
10. | On
the WMI Filters for Computers page, select the WMI filters that should
be considered for the computer object in the model. You can select all
of the WMI filters that are available or select just a few by selecting
the Only These Filters option. Then click Next.
|
11. | On the Summary of Selections page, review your selections, and then click Next.
|
12. | On the Completing the Group Policy Modeling Wizard page, click Finish.
|
Results Pane for Group Policy Modeling
After you generate a
report using the Group Policy Modeling utility, you can see the results
in the details pane after clicking the Group Policy Modeling node in the
GPMC. Each report displays information on three tabs: Summary,
Settings, and Query.
Summary
The Summary tab
displays all of the essential information that you need regarding the
objects, the location of the objects, and the GPOs that affected them,
as shown in Figure 2.
The important sections of this tab include:
Settings
The
Settings tab is similar to the Settings tab that you read about
earlier. This tab is for the GPOs that affected the user and computer
that were specified in the generation of the report.
Query
The Query tab
summarizes all of the settings that you made while completing the
wizard. Because you can skip information within the wizard, it is
important to know which settings were selected and are associated with
the results. You cannot change the settings here, but you can generate
another report based on the existing settings by right-clicking the node
you want to alter under the Group Policy Modeling node, and then
clicking Create New Query From This One.
Controlling Results of Group Policy Modeling Post Query
After you generate a
report using Group Policy Modeling, you have some advanced options for
working with the results. The options are similar to the Group Policy
Results options, with some variation. Four options are available when
you right-click the result under the Group Policy Modeling node.
Advanced View
This option displays the results in the traditional RSoP format, which organizes the settings like they are in the GPME.
Rerun Query
You have the option to
rerun the query. This will be important if there are any new settings in
a GPO that affect the objects, or if there are any new GPOs that are
linked to the nodes in Active Directory that would affect the objects.
Create New Query From This One
Some queries can
be quite complex, so it is nice to be able to use the existing settings
and modify them slightly. This allows for efficient control over the
modeling of user and computer objects that are in different locations in
Active Directory or that have membership in different groups.
Save Report
This option allows you to
document the output of the report. When you save a report, the Save GPO
Report dialog box appears from which you need only specify the name of
the file, the format of the file (HTML or XML), and the location where
you want to save the file.
Best Practices
The
Group Policy Modeling Wizard is a newer version of the RSoP wizard MMC
snap-in available in Windows Server 2003, running in Planning mode.
Because all RSoP functionality provided by the RSoP MMC snap-in is
included in the GPMC, along with new functionality such as HTML
reporting of RSoP data, it is recommended that users access all RSoP
functionality primarily through the GPMC, rather than the stand-alone
RSoP MMC snap-in. |
Resultant Set of Policy Provider
This is the service
that runs on the domain controller to simulate the application of Group
Policy for Group Policy Modeling. The Resultant Set of Policy Provider
(RSPP) passes the simulated
results to the domain controller’s client-side extensions (CSEs). All
of this information is stored in a WMI database, which displays the
report and retains the model for future use.
The
RSPP works in conjunction with a WMI provider to perform the same
function that the Group Policy service provides. The RSPP accepts the
information regarding which portion of Active Directory should be
considered, security group memberships, and any WMI filters. The RSPP
runs under the system context to perform the report.
