How To: Setting Up Active Directory Group Policies
March 10, 2006
Group Policy Results is a logging tool. It shows how the GPOs were applied to a specific user and computer, so you won't have to visit the actual workstation to see how Group Policy is being applied. However, because of the tool's dependence on the Windows Management Instrumentation (WMI) service, you cannot log the Group Policy Results of older Windows 2000 computers or of XP/2003 computers not running WMI.
Group Policy Modeling lets you play out "what if" scenarios, rather than logging what actually happened. This tool can be used to observe what policy settings are applied, for example, when users from your PMG OU log on to a computer in the R&D group OU. To use this feature, the domain schema must be updated to support Windows 2003, and the domain must have at least one Windows 2003 domain controller. This tool also simulates advanced processing options, such as loopback processing, WMI filters on GPOs and slow-link processing. You can save your results from Group Policy Results and Modeling to an HTML report for documentation purposes. And each query is saved so it can be run after any GPOs are updated.
A further nuance complicates Group Policy a bit: GPOs get refreshed on the target computers and users differently in Windows XP, 2000 and 2003. Group Policy is a "pull" technology--clients poll the domain for GPO changes every 90 minutes to 120 minutes by default. There's no command you issue on your Domain to immediately apply GPOs to all targets.
There are tools available in Windows, however, that force a refresh from the client computer. These can be quite useful, especially when you're testing your policy settings. If the target workstation is Windows XP or 2003, the GPUPDATE command can pull down any GPOs that have changed since the last refresh from a command prompt. In Windows 2000, with no GPUPDATE command, you'll have to use the older SECEDIT command.
Sometimes, when dealing with firewalls, Windows 2000 computers or stringent corporate security policies, the only way to troubleshoot policy settings may be to log in as the user on the target computer. With a command prompt running GPRESULT, you can get information on the last time a Group Policy was applied, which GPOs were applied, computer and user account privileges, and group membership information. You also can run the older RSOP.MSC policy tool from the Windows workstation to display the applied computer and user settings from each GPO.