How do I perform Resultant Set of Policy (RSOP) modeling?
September 9, 2007
A. Although RSOP logging is useful for seeing what and why policies are applied for a particular user on a particular system, another useful capability is the ability to model "what if" scenarios. For example, what policies would John get if he logged on to a computer in the Sales OU, and what if that computer failed this WMI Filter, and so on. Group Policy modeling does just that.
1. Start the GPMC. Right-click Group Policy Modeling, and select Group Policy Modeling Wizard. Click Next on the introduction screen.
2. Modeling must be run against a domain controller (DC) running Windows Server 2003 or later. The Domain Controller Selection dialog box allows the selection of a specific DC or just any DC running Windows 2003.
3. The next screen allows the selection of a specific user, computer, or container where the user or computer would exist. (Because GPO is applied at site, domain, or OU, we don’t need an actual computer or user. We can just say where it would exist.) Click Next once the settings are selected.
4. The next screen allows the selection of other GPO-affecting factors (e.g., a slow link), whether loopback processing is enabled, and which site the computer is located in. Click Next.
5. The next screen allows configuration of the groups the user would belong to. By default, the only security groups selected are Authenticated Users and Everyone; however, any group in the enterprise can be selected, which is pertinent if security filtering is used to restrict application of certain GPOs. Click Next after any additional groups for the modeling have been selected.
6. The next screen allows the same selection of groups but for the computer object. Once selected, click Next.
7. The WMI Filters for Users allows selection of WMI filters that would be deemed as passed (and so GPOs restricted by the WMI Filter would be applied). By default, it’s assumed that all linked filters were passed; however, you can select “Only these filters” and click List Filters, which checks all GPOs that match the user/computer or the selected containers that were chosen in the first screen, and individually select only the ones you want to pass. This is useful if you want to examine the policy applied if, for example, an OS check failed. Click Next once complete.
8. The next screen allows the selection of WMI Filters for Computers in the same way as per users. Click Next.
9. The final screen displays a confirmation of all the options selected for the modeling. Click Next.
10. Once the modeling is complete, click Finish on the confirmation dialog box. The output will be displayed as a child item of the Group Policy Modeling in the same way as the Group Policy Logging Results.
About the Author
You May Also Like