Group Policy Modeling and Results
Updated: April 7, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group Policy Modeling and Group Policy Results is a feature of Group Policy that makes implementation, troubleshooting, and planning of Group Policy easier. When multiple GPOs apply to a given user or computer, they can contain conflicting policy settings. For most policy settings, the final value of the policy setting is set only by the highest precedence GPO that contains that setting. Group Policy Modeling and Group Policy Results uses the Resultant Set of Policy (RSoP) infrastructure, available on Windows XP and Windows Server 2003, to present the final set of policy that is applied as well as settings that did not apply as a result of policy inheritance.
Specifically, RSoP helps you determine the following:
The final value of the setting that is applied as a result of all the GPOs.
The final GPO that set the value of this setting (also known as the winning GPO).
Precedence details that show any other GPOs that attempted to set this setting and the value that each GPO attempted to set for that policy setting.
Group Policy Results
This represents the actual policy data that is applied to a given computer and user. It is obtained by querying the target computer and retrieving the RSoP data that was applied to that computer. The Group Policy Results capability is provided by the client operating system and requires Windows XP, Windows Server 2003 or later. Outside of GPMC, Group Policy Results is referred to as RSoP - logging mode.
Group Policy Modeling
This is a simulation of what would happen under circumstances specified by an administrator. Group Policy Modeling requires that you have at least one domain controller running Windows Server 2003 because this simulation is performed by a service running on a domain controller that is running Windows Server 2003. With Group Policy Modeling, you can either simulate the RSoP data that would be applied for an existing configuration, or you can perform "what-if" analyses by simulating hypothetical changes to your directory environment and then calculating the RSoP for that hypothetical configuration. For example, you can simulate changes to security group membership, or changes to the location of the user or computer object in Active Directory. Outside of GPMC, Group Policy Modeling is referred to as RSoP - planning mode. Note that although Windows 2000 does not provide the RSoP infrastructure, Group Policy Modeling can be used as an effective way to simulate the effect of Group Policy on Windows 2000 computers.
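The following added example (not Microsoft code, and not the algorithm the domain controller service actually runs) is a simplified model of what RSoP reports: the final value of each setting, the winning GPO, the precedence list of losing GPOs, and a "what-if" comparison after a security group change. The GPO names, groups, paths, and the `rsop` and `what_if` helpers are constructed for illustration, and security filtering is reduced to a plain group-membership check.

```python
from dataclasses import dataclass

@dataclass
class GPO:
    name: str
    settings: dict  # policy setting -> value this GPO attempts to set
    # Security filter: groups allowed to apply the GPO (simplified assumption).
    apply_to: frozenset = frozenset({"Authenticated Users"})

def rsop(gpos_low_to_high, groups):
    """Resolve settings for a target that is a member of `groups`.

    GPOs are listed lowest precedence first; the last applicable GPO wins.
    """
    applicable = [g for g in gpos_low_to_high if g.apply_to & groups]
    result = {}
    for gpo in reversed(applicable):  # highest precedence first
        for setting, value in gpo.settings.items():
            entry = result.setdefault(
                setting, {"value": value, "winning_gpo": gpo.name, "precedence": []})
            rank = len(entry["precedence"]) + 1  # 1 = winning GPO
            entry["precedence"].append((rank, gpo.name, value))
    return result

def what_if(before, after):
    """Settings whose final value differs between two RSoP calculations."""
    changed = {}
    for setting in sorted(set(before) | set(after)):
        old = before.get(setting, {}).get("value")
        new = after.get(setting, {}).get("value")
        if old != new:
            changed[setting] = (old, new)
    return changed

# Constructed sample data: GPO names, groups and paths are made up.
GPOS = [
    GPO("Default Domain Policy", {"Documents": r"\\fs01\users", "ScreenSaverTimeout": 900}),
    GPO("Vanilla Redirect", {"Documents": r"\\vanilla\docs"}, frozenset({"VanillaUsers"})),
    GPO("SuperUsers Redirect", {"Documents": r"\\superusers\docs"}, frozenset({"SuperUsers"})),
]
PAUL = frozenset({"Authenticated Users", "VanillaUsers", "SuperUsers"})

if __name__ == "__main__":
    current = rsop(GPOS, PAUL)
    for rank, gpo, value in current["Documents"]["precedence"]:
        print(rank, gpo, value)
    # Modeling: what changes if Paul is removed from SuperUsers?
    print(what_if(current, rsop(GPOS, PAUL - {"SuperUsers"})))
```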
Using GPMC Reports
In GPMC, resultant set of policy data is obtained using Group Policy Modeling or Group Policy Results wizards. GPMC provides an HTML report of the RSoP data. This report shows the final value of the winning settings and the winning GPO that set that value. When you create a Group Policy Modeling or Group Policy Results report, the report is shown in GPMC under the appropriate node. Right-clicking this report and choosing Advanced View opens the RSoP snap-in, which provides additional information, enabling you to verify precedence for a policy setting. In the RSoP snap-in, the dialog box for a policy setting contains a Precedence tab, which shows all GPOs that attempted to set a particular setting and the value for each GPO.
Figure 2 below shows the high-level architecture of RSoP for Group Policy Results and Group Policy Modeling.
Figure 2. RSoP high-level architecture
Take, for example, a standard logon procedure in Windows 2000: a client computer logs on to the network and Winlogon runs. The domain controller passes a list of pointers to the GPOs that are to apply. This list is passed to each of the client-side extensions (CSEs) such as Software Installation, Scripts, Security, Administrative Templates, and so on. Each CSE processes this list of GPOs.
Windows Server 2003 uses the same process but improves on Windows 2000 by collecting all the Group Policy processing information and storing it in a Common Information Model Object Management (CIMOM) database on the local computer. This information, such as the list, content and logging of processing details for each GPO, can then be accessed by tools using WMI.
In Group Policy Results, RSoP queries the CIMOM database on the target computer, receives information about the policies and displays it in GPMC. In Group Policy Modeling, RSoP simulates the application of policy using the Group Policy Directory Access Service (GPDAS) on a Domain Controller. GPDAS simulates the application of GPOs and passes them to virtual client-side extensions on the Domain Controller. The results of this simulation are stored to a local CIMOM database on the domain controller before the information is passed back and displayed in GPMC.
Security and RSoP
By default, access to Group Policy Results is restricted to enterprise, domain, and local administrators although users can still perform logging on their own computer. In Windows XP, non-administrators can run Group Policy Results for their computer and user account; in Windows Server 2003 non-administrators can only run Group Policy Results for their own user account. Group Policy Modeling is restricted to enterprise and Domain Admins. However, organizations can delegate access to Group Policy Results and Modeling using GPMC. For step-by-step instructions, see Group Policy Help.
Group Policy Results and Modeling Examples
Group Policy Results and Modeling allow administrators to solve problems for specific scenarios. Some examples are included below.
Group Policy Results
What is the current state of Folder Redirection for the current user?
Example: User Paul has four computers, and contacts the help desk because they cannot find files on computer D that are on computer A, even though Paul is set up to use folder redirection. The administrator runs Group Policy Results and sees that on computer D, redirection is different from the others because a different GPO applies.
What is the current state of Folder Redirection for a sampling of users?
Example: An administrator wants to profile different sets of users. Using Group Policy Results, the administrator picks a sample user from each user group and uses the RSoP information to model redirection within the organization.
Why did this happen?
Example: An administrator is confused as to why Paul's documents are being redirected to the SuperUsers server. The administrator uses Group Policy Results to look at the current redirection path, and the GPO and security group that caused the redirection.
The administrator notices that of the three GPOs specifying folder redirection policy, the winning GPO has the advanced option set to redirect users in different security groups to different locations. The administrator notices that Paul is a member of both the VanillaUsers group and the SuperUsers group and realizes that this caused Paul's folders to be redirected to the SuperUsers server.
Group Policy Modeling
In processing Group Policy, administrators determine which GPOs were in conflict to configure folder redirection for this user.
Change of Site
Example: An administrator can model site and domain changes for individual users, or use a sample target to assess what would happen to an entire group of users under different combinations of sites, domains, and so forth. By comparing what should be seen with what actually exists under the new GPO structure, the administrator can avoid problems before the move actually takes place.
Example: User Jane is going to move from one department to another. The administrator uses Group Policy Modeling to model the move under the different site condition and finds out that a GPO conflict exists that redirects Jane's folder to an alternate location.
Change of Folder Redirection Mode
An administrator wants to configure folder redirection to use the advanced options to redirect users to alternate locations based on their security group membership. The administrator uses Group Policy Modeling to configure Group Policy for the desired folder redirection behavior.
By comparing the current results of folder redirection for the users with the results of the desired changes, the administrator can avoid problems before the move actually takes place.
For information about the RSoP schema, see the RSoP SDK, available as part of the Microsoft Windows Platform SDK at http://www.microsoft.com/downloads/details.aspx?FamilyId=A55B6B43-E24F-4EA3-A93E-40C0EC4F68E5&displaylang=en.