Testing Group Policy in the Staging Environment

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

After you have created your staging environment and synchronized Group Policy with your production environment, you can begin to test planned Group Policy changes. The best mechanism for testing Group Policy is by using a combination of the Results and Modeling tools provided with GPMC and exercising real user accounts and computers in the test environment to process actual GPOs.

The Group Policy Results tool is useful when you have applied new GPO settings to a computer and user, and need to verify that all of the expected settings were actually applied. Group Policy Modeling can be used to determine the effects of changing the location of a user or computer within the Active Directory namespace, changing the group membership of a user or computer, or to observe the effects of a slow link or loopback policy. The Group Policy Modeling tool lets you test the effects of a change without actually making the change, while the Group Policy Results tool tells you what actually happened. Group Policy Results runs on the target computer, so you must have access to that computer. Group Policy Modeling runs on a Windows Server 2003 domain controller, so there must be one available to run the modeling process. Note that with Group Policy Modeling, you can model policy settings on computers running Windows 2000 and Windows XP Professional as well as Windows Server 2003. Bear in mind that the Group Policy Modeling tool simulates processing of policy, while the Group Policy Results tool shows the effects of policies actually processed.

Figure 3.7 illustrates this step in the process.

Figure 3.7   Testing Group Policy in the Staging Environment


Testing by Logging on as Test User

The first and best method for testing Group Policy is to make the actual changes to your staging domain GPOs and then test the results by logging on to workstations with test user accounts to observe the effect of the changes. In this way you can see firsthand how the user has been affected by the changes.

Testing by Using Group Policy Results

You can use the Group Policy Results Wizard in GPMC to get detailed reports of which policies are applied to users and computers. You can then make any needed changes in your test GPOs accordingly. The Group Policy Results Wizard is used after all Group Policy is processed for a given user and computer to show you which settings were applied. The results are gathered by querying the WMI-instrumented Group Policy logging facility on a Windows XP–based computer or Windows Server 2003–based server that processed Group Policy. The wizard thus returns the settings that were actually applied rather than expected settings.

For more information about the Group Policy Results Wizard, see "Designing a Group Policy Infrastructure" in this book.

Testing by Using Group Policy Modeling

The second method for testing Group Policy is to use the Group Policy Modeling Wizard in GPMC to model changes to your environment before you actually make them. Group Policy Modeling lets you perform hypothetical tests on user and computer objects prior to a production rollout to see how Group Policy settings would be applied if you made changes such as moving the user or computer objects to a different OU, changing their security group membership, or changing the effective WMI filters. Be aware, however, that results obtained using Modeling are modeled rather than actual policy settings. Therefore, once you have modeled the scenario that meets your needs, it is always best to use the Group Policy Results Wizard to verify the expected settings.

Because Group Policy Modeling does not let you specify proposed changes to settings in a GPO, you need to make the proposed changes to your staging GPOs and then run the Group Policy Modeling Wizard for a given OU, user, or computer to determine the resultant set of policy.

Group Policy Modeling also gives you the ability to model Group Policy behavior when your computers are processing policy across a slow network link, which can affect which Group Policy extensions are processed. For example, if a computer connects to a domain controller over a slow network link (defined by default as any rate slower than 500 kilobits per second (Kbps)) then Group Policy extensions such as Software Installation and Folder Redirection are not processed. Group Policy Modeling can simulate a slow link speed and use it to determine what the effective policy settings will be for the user and computer being modeled. In addition, Group Policy Modeling supports testing the effects of Group Policy loopback processing. With loopback processing enabled, the same settings are applied to a computer regardless of the user who logs on to it. Note that you must specify that you want to model loopback processing within the Modeling wizard; loopback processing is not modeled by default.

You can specify slow-link detection, loopback processing, or both when using the Group Policy Modeling Wizard. For loopback processing, you can choose whether to replace or merge user-specific policy. The replace mode replaces all of a user’s normal policy settings with those defined in the user configuration of the GPOs that apply to the computer object (the loopback settings). Merge mode merges the user’s normal policy settings and the loopback settings. In the case where a policy item in the user’s normal policy conflicts with the loopback settings, the loopback settings are applied.
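The following added example (not part of the original guide, and not GPMC's own logic) is a simplified Python model of the loopback replace and merge rules and the slow-link behavior described above, followed by the modeled-versus-actual comparison recommended earlier in this section. All setting names, values, and function names are constructed for illustration.

```python
# Added illustration with constructed data; a simplified model, not GPMC's engine.
SLOW_LINK_KBPS = 500  # default slow-link threshold given on this page
SLOW_LINK_SKIPPED = {"Software Installation", "Folder Redirection"}  # extensions the page names

def model_user_policy(user_normal, loopback, mode=None, link_kbps=10_000):
    """Model user-side settings as {(extension, setting): value}.

    mode is None (no loopback), "replace" or "merge".
    """
    if mode is None:
        effective = dict(user_normal)
    elif mode == "replace":
        effective = dict(loopback)                 # user's normal policy is discarded
    elif mode == "merge":
        effective = {**user_normal, **loopback}    # loopback wins on conflict
    else:
        raise ValueError(f"unknown loopback mode: {mode!r}")
    if link_kbps < SLOW_LINK_KBPS:                 # "slower than" the threshold
        effective = {k: v for k, v in effective.items()
                     if k[0] not in SLOW_LINK_SKIPPED}
    return effective

def diff_modeled_vs_actual(modeled, actual):
    """List (key, modeled_value, actual_value) for every setting that differs."""
    keys = sorted(set(modeled) | set(actual))
    return [(k, modeled.get(k), actual.get(k))
            for k in keys if modeled.get(k) != actual.get(k)]

# Constructed sample settings (hypothetical names and values).
USER_NORMAL = {
    ("Administrative Templates", "Hide Control Panel"): "Disabled",
    ("Administrative Templates", "Screen saver timeout"): "900",
    ("Folder Redirection", "My Documents"): "\\\\fs1\\home",
}
LOOPBACK = {
    ("Administrative Templates", "Hide Control Panel"): "Enabled",
    ("Software Installation", "Kiosk Browser"): "Assigned",
}

if __name__ == "__main__":
    modeled = model_user_policy(USER_NORMAL, LOOPBACK, mode="merge", link_kbps=256)
    # Constructed stand-in for what Group Policy Results reported on the test machine.
    actual = dict(modeled)
    actual[("Administrative Templates", "Hide Control Panel")] = "Disabled"
    for key, want, got in diff_modeled_vs_actual(modeled, actual):
        print(f"{key[0]} / {key[1]}: modeled={want!r} actual={got!r}")
```

A non-empty difference list is the signal to investigate in staging before the change reaches production, for example a lockdown setting that Modeling predicted but the test computer did not receive.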

Note that the Group Policy Modeling process actually runs on a Windows Server 2003 domain controller in your Active Directory domain. By contrast, the Group Policy Results Wizard runs at the Windows XP–based workstation or Windows Server 2003–based server that is processing Group Policy. Group Policy Results uses the RSoP WMI provider to generate information about policy processing. Group Policy Modeling relies on the Windows Server 2003 Resultant Set of Policy Provider service to perform its analysis.

For more information about the Group Policy Modeling Wizard, see "Designing a Group Policy Infrastructure" in this book.