
Examining Windows Server 2003 Group Policy Enhancements, Part III

By Marcin Policht
Posted May 21, 2003


In the first two articles of this series, I provided a general overview of the changes to Group Policies and explained in detail the new WMI filtering capabilities. In this article, I will describe the Resultant Set of Policies. Its functionality has been available in Windows 2000 only via third-party software (FAZAM from Full Armor Software). Microsoft licensed it and included a limited version of it in Windows XP. With the advent of Windows 2003 Server, its features have been further enhanced.

The mechanism used by the Resultant Set of Policies tool relies on the Windows Management Instrumentation (WMI) Group Policy provider, which is a software component capable of collecting Group Policy associated data. This data is extracted based on the information stored in the WMI CIMOM database (residing in the %windir%\system32\wbem\Repository folder on every computer with WMI installed). The tool has been implemented as a Microsoft Management Console snap-in. The original Windows XP version was limited, since it worked only in logging mode - which means that you could use it only to evaluate the impact of group policy settings on an existing user or computer after these settings had already been applied (assuming that a user has logged on to the target computer at least once - the RSoP is able to pull the necessary information from the cached profile). The primary purpose of the logging mode is troubleshooting - in case of problems you can quickly evaluate which policies impact the current settings.

The quickest way to launch the Resultant Set of Policies in logging mode is to enter RSOP.MSC in the Start->Run text box and press the Enter key. This will automatically launch the snap-in focused on the local computer and currently logged on user account. The display is in the format of the Group Policy Editor, which makes it really straightforward to analyze particular Group Policy settings. For each setting you can find out the list of Group Policy Objects that affected its final value as well as their precedence.

The ease of use of the Resultant Set of Policies in logging mode has been improved compared with Windows XP, where you had to keep re-adding the snap-in to a Microsoft Management Console in order to obtain the information on another computer or user. In the version included with Windows 2003, you can right-click on the topmost node in the left window pane and select the Change Query option from the context-sensitive menu. This will launch the Resultant Set of Policy wizard, which will prompt you for the target computer name and a target user whose profile exists on that computer. You can also, as in the Windows XP version, launch the wizard by adding the Resultant Set of Policies snap-in to a Microsoft Management Console. In this case, from the MMC interface, you need to select Add/Remove Snap-in from the File menu, click on Add from the Add/Remove Snap-in dialog box that will appear next, and double-click on the Resultant Set of Policies item in the long list of available snap-ins. After you click on OK and close the Add/Remove Snap-in dialog box, you will see the Resultant Set of Policies node appearing under the Console Root. To launch the wizard, right-click on this node and select Generate RSoP Data (this wizard was launched automatically as soon as you added the Resultant Set of Policies snap-in in Windows XP). As mentioned before, in Windows XP you could only select the logging mode; in Windows 2003, however, you will have two choices: Logging Mode (previously discussed) and Planning Mode.

While logging mode relies on the information collected from existing users and computers, planning mode allows you to find out what would happen as the result of implementing Group Policy in Windows 2003 Active Directory. The containers to which the Group Policy objects are linked do not have to contain actual user or computer objects, so you can safely simulate "what if?" scenarios without affecting your production environment. First you need to make sure that your intended Group Policy settings have been applied to a target domain, site, or organizational unit. Once this is done, you can proceed with the wizard.

After selecting the Planning Mode option of the wizard, you will need to traverse through a fairly long sequence of pages, prompting you to choose different configuration settings affecting the way your Group Policy settings will apply.

  • On the initial page, you need to decide the location of the computer and user objects for which you will be simulating the impact of group policies. This can be done either by selecting an Active Directory container where they will be located, or by selecting a target user and/or computer. Clearly, in the second case, these accounts would need to exist and reside in the proper containers. Once you have made both choices, click on the Next button to get to the next page.

  • From here, you can specify:

    • whether you want to simulate a slow network connection (processing of some policy settings, such as software installation, is affected by the speed of the link),
    • replace or merge loopback processing (loopback processing impacts processing of the user configuration portion of group policy. In the replace mode, group policy objects linked to the Active Directory containers where the user account resides are irrelevant. Instead, the user is only affected by the user configuration portion of group policy objects linked to the containers where the computer account resides. In other words, user configuration settings from the group policy objects that apply to the computer account replace user configuration settings from group policy objects that apply to the user account. In the merge mode, user configuration settings from both sets of policy objects are merged),
    • site membership of the computer.

  • On the next page, you can specify a different container for user and computer accounts that will be used during simulation. This option is available provided that you selected an existing user and computer account (and is grayed out if you specified existing containers to be used for simulation on the first page).

  • The page that follows contains security group membership for the user (which might have an impact on group policy processing if group filtering is in place). You can modify it from here. Note that the changes you make do not affect groups that the actual user account belongs to - these changes are used only for the purpose of the simulation. You can make the analogous changes for the computer account on the next page.

  • The final two configurable pages contain the WMI filters (for Users and Computers, respectively) that will be used during the simulation. For an introduction to WMI filtering, refer to my previous article of this series.

  • After reviewing the summary of selections you made and clicking on the Next button, you will be presented with the final page of the Wizard. Close it, and you will see the window that looks practically identical to the one produced by running Resultant Set of Policies in the Logging mode. Just as before, you can determine the resulting group policy settings, although this time, the settings are the result of simulation only.
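The replace and merge loopback options chosen in the wizard, and the per-setting precedence list that RSoP displays, can be followed in a small Python model. This is an added example, not code from the article or from Microsoft: the GPO names, links and settings are constructed, and the merge-mode conflict rule (the computer-side GPOs are applied last and win) is standard Group Policy behaviour that the text above does not spell out.

```python
# Toy model of user-configuration processing with loopback (added example).
# GPO names, links and setting names are constructed; enforcement, blocked
# inheritance, security-group filtering and WMI filters are not modelled.

# User-configuration settings defined by each GPO.
GPOS = {
    "Domain-Baseline":   {"ScreenSaverTimeout": 900, "HideRunMenu": False},
    "OU-Staff-Users":    {"ScreenSaverTimeout": 600, "Wallpaper": "corp.bmp"},
    "OU-Kiosk-Machines": {"ScreenSaverTimeout": 120, "HideRunMenu": True},
}

# GPOs in application order (lowest precedence first) for the containers
# that hold the user account and the computer account.
USER_SIDE = ["Domain-Baseline", "OU-Staff-Users"]
COMPUTER_SIDE = ["Domain-Baseline", "OU-Kiosk-Machines"]


def gpo_order(mode, user_side=USER_SIDE, computer_side=COMPUTER_SIDE):
    """Return the GPOs whose user settings are processed, in order."""
    if mode == "none":      # normal processing: the user's containers only
        return list(user_side)
    if mode == "replace":   # the computer's containers only
        return list(computer_side)
    if mode == "merge":     # user's list first, computer's list applied last
        return list(user_side) + list(computer_side)
    raise ValueError(f"unknown loopback mode: {mode!r}")


def resultant_user_settings(mode, gpos=GPOS):
    """Map setting -> (value, [GPOs that set it, winner first])."""
    result = {}
    for gpo in gpo_order(mode):
        for setting, value in gpos[gpo].items():
            _, earlier = result.get(setting, (None, []))
            # A GPO applied later overrides earlier ones for the same setting.
            result[setting] = (value, [gpo] + [g for g in earlier if g != gpo])
    return result


if __name__ == "__main__":
    for mode in ("none", "replace", "merge"):
        print(f"loopback = {mode}")
        for setting, (value, chain) in sorted(resultant_user_settings(mode).items()):
            print(f"  {setting} = {value!r}  (precedence: {' > '.join(chain)})")
```

In replace mode the user-side Wallpaper setting disappears entirely, while in merge mode it survives because no computer-side GPO defines it.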

There are two additional ways of launching the Resultant Set of Policies wizard in planning mode:

  • The first one involves Active Directory Users and Computers or Active Directory Sites and Services (depending on whether the target container is a domain/organizational unit or a site). From either one, select the target container, and select the All Tasks->Resultant Set of Policy (Planning) option from its right-click menu.

  • The second one requires Group Policy Management Console to be installed. As I explained before, GPMC is available as a separate download from the Microsoft Web site. Once you install it and launch it, you will notice that Microsoft decided to update its terminology again - the logging mode is represented by the folder Group Policy Results, and the planning mode became Group Policy Modeling. Right-click menus of both folders have the options allowing you to launch their respective wizards. The Group Policy Results wizard is identical to the one we described before. The Group Policy Modeling wizard is slightly modified and allows you to designate a domain controller that will process the simulation.

Group Policy Management Console will be the topic of my next article in this series. As you will find out, this new utility provides a solution to many administrative headaches related to group policy management.
