What's new with status GPOs?

Determining the effective GPO status can be daunting until you know about these simple shortcuts.

As your Active Directory environment grows and you create multiple sub-layers of OU containers, you'll find that determining the effective GPO status can be a daunting task. That is, unless you understand the tools accompanying Windows Server 2003 (some native and some via the Administrators Tools add-on from the distribution CD).

Before exploring the tools that display the current state of GPO application, it is usually a good idea to update all applied and relevant GPOs. This can be done by waiting (upwards of 4 hours in some cases) or by using the GPUPDATE command line tool to force a refresh of GPO settings. Just execute "gpupdate /force" from a command prompt on the system you want to refresh. Or using "/target:<computer>" to update across the network.

Once you are sure that all relevant and applicable GPOs have been applied, you can seek out status data. One method to obtain the Resultant Set of Policy is to use the GPRESULT command line tool. You'll probably want to pipe the output into a file to allow for easier review (and text searching), by using a command line such as "gpresult > rsop1.txt".

If you prefer a GUI-based display, you can open the RSOP MMC snap-in or use the Help and Support Center. To use the latter, click "Performance and maintenance" under the Pick a Help topic column, then click Tools under See Also, then click Advanced System Information under Tools, then click View Group Policy settings applied in the right-pane.

If you just want to see the configured items in a GPO in one single easy to use list rather than having to dig around manually to discover configured settings, use the Group Policy Reporting tool. In the Group Policy Management MMC snap-in, select the GPO you want to view, then in the details pane click on the Settings tab. This will display a report of only those settings with defined changes for the selected GPO.

If you have just created a GPO and want to test its effects, you can perform a simulation of GPO application without actually deploying the GPO. This is known as Group Policy Modeling. This is another feature of the Group Policy Management MMC snap-in. Just run the Group Policy Modeling Wizard by right clicking the Group Policy Modeling item and selecting it from the pop-up menu and select the appropriate items for your desired GPO test. This is a great tool for checking dependencies, inheritance, and conflicts before rolling out a new GPO.

James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at NetWorld+Interop. Stewart holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at michael@impactonline.com.

This was first published in July 2005
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close