Using GPMC Group Policy Results to Evaluate Group Policy Settings After Deployment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use Group Policy Results to see what Group Policy settings are actually in effect for a user or computer. Use this GPMC feature in your staging environment before you deploy managed software in your production environment. The settings are reported in HTML and appear in a GPMC browser window on the Settings tab in the Details pane for the selected GPO. You can expand and contract the settings under each item by clicking hide or show so that you can see all the settings, or only a few. To access Group Policy Results data for a user or computer, you must have the Remotely access Group Policy Results data permission on the domain or organizational unit that contains the user or computer, or you must be a member of the local Administrators group on the appropriate computer.

To run the wizard, right-click Group Policy Results, and then click Group Policy Results Wizard.

When you have answered all the questions in the wizard, your answers are saved as a query that is represented by a new item under the Group Policy Results item. Your answers appear as if they were from a single GPO. However, the display does show which GPO is responsible for each setting, under the heading Winning GPO.

To save the results, right-click the query, and then click Save Report. You can also print the results by right-clicking the query, and then clicking Print.

Preventing and Resolving Software Deployment Issues Examples

You can use the Group Policy Modeling feature of GPMC to prevent or resolve software deployment problems. Perhaps more importantly, you can use Software Restriction Policies to control the running of code and prevent future problems.

Example one

By using Group Policy Modeling in GPMC, an administrator simulated moving a user from one OU to another to see what effect it might have on that user. Each of these OUs had two separate GPOs applied to it. By seeing the results of the simulated move, the administrator discovered that the user’s spreadsheet application had been downgraded to an earlier version. Additionally, the user no longer had access to a word processor application.

Before the actual move, the administrator of the existing OU contacted the administrator of the target OU to request that the most recent version of the spreadsheet and word processor applications be made available to the migrating user in the target OU. The target administrator did this by creating a security filter, and then making the user a member of either one or the other, and then filtering.

Example two

An administrator wanted to examine the result of deploying a software upgrade of an existing application that was assigned to a particular group of users. When the administrator ran the scenario by using Group Policy Modeling in GPMC, the following unexpected result occurred: The GPO that contained the package was not visible to users in the Sales and Marketing departments. By examining the HTML results of the Group Policy Modeling, the administrator verified that another GPO was taking precedence over the GPO that contained the new upgrade. In this case, the administrator configured the GPO that contained the new upgrade to override the GPO that was already in place.

For more information about using GPMC to prevent software deployment issues, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit).

Troubleshooting by Using GPMC Modeling Examples

The following situations demonstrate ways to use GPMC Modeling at the organization level.

Example one

A help desk administrator used logging mode to locate and determine the reason that a user received the wrong version of an application. The user received a less-powerful version of the required software.

The administrator used the Group Policy Modeling in GPMC to verify which version was installed. The HTML report showed that the client computer did not have the correct language version.

After diagnosing the problem, the administrator published the correct version of the application. The user could then install it by using Add or Remove Programs.

Example two

A sales employee from Seattle accepted a new position in the Boston Human Resources department. The standard applications that were available in Seattle were Microsoft® Exchange E-mail, Office, a sales database, and an order entry application. In Boston, the employee discovered that he did not have access to the Human Resources database, so he contacted the help desk for assistance.

The help desk administrator started Group Policy Modeling, and then viewed the software installation extension part of the HTML report. The report showed which applications appeared in Add or Remove Programs on the client computer. The Origin field in the list of available applications showed that all the applications were coming from the GPO that was linked to the Seattle OU.

Because GPOs are set at the OU level, the administrator moved the user from the Seattle OU to the Boston OU. After that, the user could install the Human Resources database by using Add or Remove Programs.

For more information about using GPMC for troubleshooting software deployment issues, see the Windows Security Collection of the Windows Server 2003 Technical Reference (or see the Windows Security Collection on the Web at https://www.microsoft.com/reskit).

Blocking a Malicious Script by Using Software Restriction Policies Example

The organization wanted to protect itself from script-based viruses. The LoveLetter virus, technically called a worm, had cost the organization considerable expense. This worm has over 80 variants. The LoveLetter worm, written in Visual Basic Script, appears as LOVE-LETTER-FOR-YOU.TXT.VBS.

Administrators at the organization created a software restriction policy to block this worm from running by explicitly blocking LOVE-LETTER-FOR-YOU.TXT.VBS. They used a hash rule to prevent this script from running regardless of whether the file name changed. In the past, the organization had used VB Script files for systems management and logon scripts. By blocking all .vbs files from running, they would have protected the organization. However, they also would have penalized it because users could not have used VB Scripts for legitimate purposes.
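The trade-off described above, modeled as an added Python example (not Microsoft's code and not how Windows implements software restriction policies): a hash rule follows a file's content through a rename but covers exactly one content, while a *.vbs path rule also blocks the legitimate logon script. The policy dictionaries, the file names other than LOVE-LETTER-FOR-YOU.TXT.VBS, the placeholder contents and the use of SHA-256 are assumptions of this sketch.

```python
import fnmatch
import hashlib


def digest(content: bytes) -> str:
    # SHA-256 is an assumption of this sketch; the point is only that the
    # rule is keyed on file content, not on the file name.
    return hashlib.sha256(content).hexdigest()


def evaluate(policy: dict, name: str, content: bytes) -> str:
    """Return 'Disallowed' or 'Unrestricted' for one file under a policy."""
    if digest(content) in policy.get("disallowed_hashes", set()):
        return "Disallowed"
    for pattern in policy.get("disallowed_paths", []):
        if fnmatch.fnmatch(name.lower(), pattern.lower()):
            return "Disallowed"
    return "Unrestricted"  # default level when no rule matches


# Constructed stand-ins; no real script content is used.
WORM = b"constructed placeholder for the blocked script"
VARIANT = b"constructed placeholder for a modified variant"
LOGON = b"constructed placeholder for a legitimate logon script"

FILES = [
    ("LOVE-LETTER-FOR-YOU.TXT.VBS", WORM),
    ("renamed.vbs", WORM),      # same content, different name
    ("variant.vbs", VARIANT),   # different content
    ("logon.vbs", LOGON),       # legitimate administrative script
]

HASH_POLICY = {"disallowed_hashes": {digest(WORM)}}
EXTENSION_POLICY = {"disallowed_paths": ["*.vbs"]}


def report(policy: dict) -> dict:
    """Evaluate every sample file and return {file name: verdict}."""
    return {name: evaluate(policy, name, content) for name, content in FILES}


if __name__ == "__main__":
    for label, policy in (("hash rule", HASH_POLICY),
                          ("*.vbs path rule", EXTENSION_POLICY)):
        print(label)
        for name, verdict in report(policy).items():
            print(f"  {name:30} {verdict}")
```

The variant.vbs row under the hash rule is why each known variant needs its own hash rule.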

For information about how to obtain a certificate and digitally sign files to increase the level of security in your environment, see Help and Support Center for Windows Server 2003.