Group Policy Object Modeling in Windows Server 2008
If you have ever done much work with group policies, then you have undoubtedly found out that managing group policies are an organization wide basis can be a complicated endeavor. That’s primarily due to the hierarchical nature of group policies. Group policy settings can be applied at the OU, site, domain, and local computer levels. All of these various group policy objects combine to form the effective policy.
As if combining settings for multiple group policy objects were not enough, contradictory settings can, and often do exist within the various group policy objects. Not only can two separate group policy objects contained directly contradictory settings, the group policy settings that apply to the computer can sometimes also contradict with group policy settings applied to a user.
Windows has all kinds of rules for automatically dealing with contradictory group policy settings. Even so, you as an administrator need to know the outcome of these conflict resolutions and what the effective policy look like once the various policy elements have been combined. In Windows Server 2003 this was known as the resultant set of policy. In Windows Server 2008, Microsoft has changed the name to group policy modeling.
Why Do Group Policy Modeling?
There are several different reasons why you might want to engage in group policy modeling. For starters, even if everything appears to be running smoothly is a good idea to periodically use group policy modeling just to make sure that group policies are being applied in the way that you think that they are. Group policy modeling is also extremely useful in situations in which you are reorganizing the Active Directory or creating new group policy objects.
Performing Group Policy Modeling
To perform group policy modeling begin by opening the Group Policy Management Console. When the console opens, right-click on the Group Policy Modeling container and choose the Group Policy Modeling Wizard command from the shortcut menu. When you do, Windows will launch the Group Policy Modeling Wizard.
Click Next to bypass the wizard’s welcome screen, and you will be taken to the Domain Controller Selection screen, shown in Figure A. As you can see in the figure, the screen asks you to choose the domain that you want to analyze, and then asks you to either choose a domain controller or specify that any domain controller can be used.
Figure A You must specify the domain that you want to analyze.
Click Next, and you will be taken to a screen that asks which user and/or computer you want to simulate the policy settings for. In both cases, you can either specify a particular container or an individual user and/or computer. That way, you can either evaluate a specific user and/or computer, or you can about your weight all of the users and/or computers within a particular container. You can see what this screen looks like in Figure B.
Figure B This is where you specify the Active Directory objects that you want to evaluate.
Click Next, and you will be taken to a page that gives you the chance to select a particular site. If you do not have any non-default sites defined, then you can just skip this page by clicking Next.
The next page that you will see allows you to enter alternate network location for a user and computer containers. The basic idea behind this screen is that it allows you to perform various what if scenarios. For example, you can see what would happen to the group policy settings if you were to move the computer in question to a different Active Directory container. Of course you do not have to specify an alternate location unless there is a particular location that you need to test.
When you click Next, you will see a screen listing all of the security groups that the currently selected user is a member of. You have the option of simulating changes to the users group membership if you want. When you’re done entering any desired changes, click Next. You will now be given the chance to entering WMI filters that you want to use. Add any desired filters, and click Next.
You should now see a summary screen listing the options that you have specified. Make sure that everything looks okay, and then click Next, followed by Finish. When you do, Windows will display a screen similar to the one that is shown in Figure C. This screen allows you to see the outcome of your proposed configuration.
Figure C Your proposed changes are displayed in the Group Policy Management Console.
In this article, I have explained that it is sometimes difficult to evaluate the outcome of changes to the group policy. I then went on to show you how to use group policy modeling as a way of testing your proposed changes before you actually implement them.
Got a question? Post it on our Windows Server 2008 forums!