Using Group Policy Modeling and Group Policy Results to Evaluate Group Policy Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before deploying your Group Policy solution, it is critical that you assess it to determine the effects of applying the various policy settings that you select, individually and in combination. The primary mechanism for assessing your Group Policy deployment is to create a staging environment and log on using a test account. This is the best way to understand the impact and interaction of all the applied GPO settings. Staging your Group Policy deployment is critical for creating a successful managed environment. For more information, see "Staging Group Policy Deployments" in this book.

For Active Directory networks with at least one Windows Server 2003 domain controller, you can use Group Policy Modeling in GPMC to simulate the deployment of GPOs to any destination computer running Windows 2000 Server or Professional, Windows XP Professional, or Windows Server 2003. The primary tool for viewing the actual application of GPOs is Group Policy Results in GPMC.

Group Policy Modeling was previously called Resultant Set of Policy (RSoP) planning mode, and Group Policy Results was previously called RSoP logging mode.

Using Group Policy Modeling to Simulate Resultant Set of Policy

The built-in Group Policy Modeling Wizard calculates the simulated net effect of GPOs. Group Policy Modeling can also simulate such things as security group membership, WMI filter evaluation, and the effects of moving user or computer objects to a different Active Directory container. The simulation is performed by a service that runs on domain controllers running Windows Server 2003. These calculated settings are reported in HTML and are displayed in GPMC on the Settings tab in the details pane for the selected GPO. To expand and contract the settings under each item, click hide or show all so that you can see all the settings, or only a few. To perform a Group Policy Modeling analysis, you must have at least one domain controller running Windows Server 2003, and you must have the Perform Group Policy Modeling analyses permission on the domain or organizational unit that contains the objects on which you want to run the query.

To run the wizard, right-click Group Policy Modeling (or an Active Directory container), and then click Group Policy Modeling Wizard. If you run it from an Active Directory container, the wizard fills in the Container fields for user and computer with the LDAP distinguished name of that container.

When you have answered all the questions in the wizard, your answers are displayed as if they were from a single GPO. They are also saved as a query represented by a new item under the Group Policy Modeling item. The display also shows which GPO is responsible for each setting, under the heading Winning GPO. You can also see more detailed precedence information (for example, which GPOs attempted to set the settings, but did not succeed). To do so, right-click the item, and then click Advanced View. This starts the traditional RSoP snap-in. Each setting has a Precedence tab.

Keep in mind that modeling does not include evaluating any LGPOs. Because of this, in some cases you might see a difference between the simulation and the actual results.

To save the results of the modeling, right-click the query, and then click Save Report.

Using Group Policy Results to Determine Resultant Set of Policy

Use the Group Policy Results Wizard to see what Group Policy settings are actually in effect for a user or computer by gathering RSoP data from the destination computer. In contrast to Group Policy Modeling, Group Policy Results reveals the actual Group Policy settings that were applied to the destination computer. The target must be running Windows XP Professional or later.

The settings are reported in HTML and are displayed in a GPMC browser window on the Summary and Settings tabs in the details pane for the selected GPO. You can expand and contract the settings under each item by clicking hide or show all so that you can see all the settings, or only a few. To remotely access Group Policy Results data for a user or computer, you must have the Remotely access Group Policy Results data permission on the domain or organizational unit that contains the user or computer, or you must be a member of the local Administrators group on the appropriate computer and must have network connectivity to the destination computer. To delegate Group Policy Results, you need the Windows Server 2003 schema in your Active Directory. To update your schema, run ADPrep /forestprep on the domain controller with the schema operations master role.

To run the wizard, right-click the Group Policy Results container, and then click Group Policy Results Wizard.

When you have answered all the questions in the wizard, GPMC creates a report that shows the resultant set of policy for the user and computer you entered in the wizard. The display shows which GPO is responsible for each setting on the Settings tab, under the heading Winning GPO.

You can save the results by right-clicking the query and choosing Save Report.

Using Gpresult.exe to Evaluate Policy Settings

You can run Gpresult.exe on the command line of any remote computer within the scope of your management to get the same data you can get by using GPMC Group Policy Results. By default, Gpresult.exe returns settings in effect on the computer on which it runs.

For Windows Server 2003 and Windows XP Professional, Gpresult.exe uses the following syntax:

gpresult [/s computer [/u domain\user /p password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]

Table 2.8 describes the parameters for Gpresult.exe.

Table 2.8   Gpresult.exe Parameters

| Parameter | Description |
| --- | --- |
| /s computer | Specifies the name or IP address of a remote computer. (Do not use backslashes.) The default is the local computer. |
| /u domain\user | Runs the command using the account permissions of the user that is specified by User or Domain\User. The default is the permissions of the current logged-on user on the computer that issues the command. |
| /p password | Specifies the password of the user account that is specified in the /u parameter. |
| /user TargetUserName | Specifies the user name of the user whose RSoP data is to be displayed. |
| /scope {user\|computer} | Displays either user or computer results. Valid values for the /scope parameter are user or computer. If you omit the /scope parameter, gpresult displays both user and computer settings. |
| /v | Specifies that the output display verbose policy information. |
| /z | Specifies that the output display all available information about Group Policy. Because this parameter produces more information than the /v parameter, redirect output to a text file when you use this parameter (for example, gpresult /z >policy.txt). |
| /? | Displays help at the command prompt. |

To run Gpresult.exe on your computer

  1. Click Start, click Run, type cmd, and then press ENTER.

  2. Type gpresult /z>gp.txt to write the output to a text file that is named Gp.txt.

  3. Type notepad gp.txt to open the text file.

Note that using Group Policy Results is recommended over using Gpresult.exe. GPResult.exe is primarily useful if you desire command-line presentation of resultant set of policy data. If you require command-line access to RSoP data but not command-line presentation of the data, you can simply run a script based on the GPMC interfaces to generate an RSOP report in the form of an .htm file.
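The script-based approach mentioned above can look like the following added example (not part of the original page and not Microsoft's sample code), which uses the GPMC COM interfaces from PowerShell to save one Group Policy Results report per computer as an .htm file. The computer names, the user name and the output folder are placeholders, and GPMC is assumed to be installed on the machine that runs the script.

```powershell
# Added example. Needs GPMC locally and either the "Remotely access Group
# Policy Results data" permission or local Administrators membership on
# each target computer.
param(
    [string[]]$Computers = @('WKS-EXAMPLE-01', 'WKS-EXAMPLE-02'),  # placeholders
    [string]$User        = 'EXAMPLE\testuser',                     # placeholder
    [string]$OutDir      = (Join-Path $PWD 'rsop-reports')         # placeholder
)

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$OutDir = (Resolve-Path $OutDir).Path   # the COM call gets an absolute path

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()

$summary = foreach ($computer in $Computers) {
    # Logging mode is what GPMC calls Group Policy Results: the data is read
    # from the destination computer, not simulated on a domain controller.
    $rsop = $gpm.GetRSOP($constants.RSOPModeLogging, '', 0)
    $rsop.LoggingComputer = $computer
    $rsop.LoggingUser     = $User

    $report  = Join-Path $OutDir "${computer}.htm"
    $created = $false
    $status  = 'OK'
    try {
        $rsop.CreateQueryResults()
        $created = $true
        $rsop.GenerateReportToFile($constants.ReportHTML, $report) | Out-Null
    }
    catch {
        # Typical causes: target unreachable, access denied, or no RSoP data
        # for this user on that computer.
        $status = $_.Exception.Message
        $report = $null
    }
    finally {
        # Release the temporary RSoP query only if it was actually created.
        if ($created) { $rsop.ReleaseQueryResults() }
    }

    New-Object PSObject -Property @{ Computer = $computer; Status = $status; Report = $report }
}

$summary | Format-Table Computer, Status, Report -AutoSize
```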