This video will look at how to troubleshoot which setting in Group Policy are applied by using the internal modeling tools and Resultant Set of Policy (RSOP). RSOP is the actual settings that are applied to the computer taking into account factors like WMI filters and groups.
Group Policy ResultsThe actual settings that are applied to a computer using Group Policy can be affected by many different things. For example, security, groups and WMI filters. The actual settings that are applied to a computer are known as the Resultant Set of Policy (RSOP). Windows has a number of tools that can read the RSOP data stored on a computer to help you troubleshoot Group Policy.
Requirements
In order to use the tools in this video you need to be logged in as an administrator and running Windows XP or above. If you plan on using the RSOP tools from remote, the remote computer will need ports 135, 445 open. Also the computer will need the WMI service to be running. To get results for a particular user, the user will have needed to logon to that computer once. They do not need to be logged on the computer when the tools are being run.
Demonstration Group Policy results
When you open Group Policy Management there is a section called Group Policy Results. To start the wizard, right click on Group Policy Results and select the option Group Policy Results Wizard. The wizard can be run on the local computer or a remote computer. If the user that you want to run the wizard on does not appear in the wizard you will need to login into that computer using that user. The user must have logged into that computer at least once. Once the wizard is complete, it will show you all the Group Policy settings that have been applied to that computer for that user and also any Group Policy related events from the event logs.
To connect to a remote computer, make sure the service WMI Performance Adapter is running and the firewall is configured. To configure the firewall, open Windows Firewall with Advanced Configuration and make sure the following settings are enabled in in-bound rules.
Firewall Settings that need to be enabled
Remote Event Log Management (NP-in)
Remote Event Log Management (RPC)
Remote Event Log Management (RPC-EPMAP)
Windows Management Instrumentation (WMI-in)
Group Policy Modeling
The modeling wizard allows you to simulate changes in Group Policy and Active Directory without making any changes. For example, if you want to test the effects of moving a user to a different part of Active Directory will have on their Group Policy settings, you can do this without having to move the user account. Other options you can choose include slow network connection, loopback processing, Security Groups and which site to use.
Group Policy modeling is available in the GPMC. All you need to do to use it is right click on Group Policy Modeling and select Group Policy Modeling Wizard.
GPResult
When run, this gives you information about which settings were applied to the computer. The command supports the following parameters.
/r use the RSOP data on the computer to generate results.
/v verbose mode which provides more information.
/Scope User | Computer To limit the results to user or computer settings.
/x Output the results to XML
/h Output the results to HTML
References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition” pg 303 – 307
“Configure Firewall Port Requirements for Group Policy” http://technet.microsoft.com/en-us/library/jj572986.aspx
“Use Resultant Set of Policy to Manage Group Policy” http://technet.microsoft.com/en-us/library/cc754269.aspx
Credits
