A Group Policy Modeling Tool

FAZAM 2000 RFV helps you determine which Group Policies are in effect

Last year, Christmas arrived around Thanksgiving. The November 2000 TechNet shipment included a CD-ROM that contained the Microsoft Windows 2000 Server Resource Kit Supplement 1. The original Win2K Server resource kit was terrific, except for that poisonous buy-a-copy-for-each-person license agreement that I described in "The Win2K Server Resource Kit," December 2000. But Supplement 1 contains some even better tools, including a much-needed tool for scripting DNS administration. (Unfortunately, Microsoft hasn't made the software license any more palatable.)

Perhaps the most-awaited tool in Supplement 1 is FullArmor's FAZAM 2000, Reduced Functionality Version (FAZAM 2000 RFV), a Resultant Set of Policies (RSoP) modeling tool. FAZAM 2000 RFV is a nice—although not perfect—lite version of the commercial tool. (For a review of the full-featured product, see Larry J. Seltzer, "FAZAM 2000 1.1," page 99.) For those who haven't used Group Policy, let me provide a bit of an introduction before I discuss FAZAM 2000 RFV.

Group Policy under Win2K is like Windows NT 4.0 system policies but considerably enhanced. Group Policy lets you control from a central location characteristics such as how user desktops behave, security policies, and software deployment. Your enterprise can have many Group Policies. When users log on, their workstations gather policies associated with the site, domain, and organizational unit (OU). Policies can override and nullify the effects of other policies, and a feature called policy filtering can negate a policy's effects. Thus, when users call the Help desk and ask why their computer is behaving oddly upon logon, answering the question can be difficult. Which policies actually take effect in a given situation? FAZAM 2000 RFV can answer that question.

You must install fazam2000rfv.msi from the Supplement 1 CD-ROM's W2Ksupp1appsfazam2000 directory. Then, click Start, Programs, FAZAM 2000 RFV to start the Microsoft Management Console (MMC) FAZAM 2000 RFV snap-in. You'll see two objects in the left-hand pane: FAZAM 2000 RFV Administrator and FAZAM 2000 RFV Policy Analysis.

To begin an RSoP analysis, click the plus (+) sign next to the Policy Analysis icon to display the Choose Domain dialog box. Select a domain, then click Finish. An object representing the domain will appear in the treeview. Right-click the object, and choose Perform Analysis. The program will ask you to choose a user and a machine. Choosing the machine determines the site, and therefore the site policies, as well as the machine and user policies. Choose a machine, and click OK.

The system will show a new object labeled user at machine—for example, Joe at Mypc. Under the new object, three objects will appear: User Hierarchy, Machine Hierarchy, and Resultant Policy. Open Resultant Policy, and you'll see a Settings object. Click Settings, and a Launch Group Policy Snap-In object will appear in the right-hand pane.

The snap-in object launches the standard Group Policy snap-in. Inside the Computer Configuration and User Configuration objects, you'll see the typical Group Policy subcategories, such as Software Settings and Windows Settings. Unfortunately, FAZAM 2000 RFV doesn't tell you that site policy X was in effect but policy Y overrode policy X. Instead, FAZAM 2000 RFV boils down the RSoP into one imaginary Group Policy Object (GPO), then uses the Group Policy snap-in to display that policy. You need to dig into the policy to determine which folders (e.g., Software Settings, Windows Settings, Administrative Templates) actually have something in them. But at least FAZAM 2000 RFV gives you a start.