What's new with status GPOs?

As your Active Directory environment grows and you create multiple sub-layers of OU containers, you'll find that determining the effective GPO status can be a daunting task. That is, unless you understand the tools accompanying Windows Server 2003 (some native and some via the Administrators Tools add-on from the distribution CD).

Before exploring the tools that display the current state of GPO application, it is usually a good idea to update all applied and relevant GPOs. This can be done by waiting (upwards of 4 hours in some cases) or by using the GPUPDATE command line tool to force a refresh of GPO settings. Just execute "gpupdate /force" from a command prompt on the system you want to refresh, or use "/target:<computer>" to update across the network.

Once you are sure that all relevant and applicable GPOs have been applied, you can seek out status data. One method to obtain the Resultant Set of Policy is to use the GPRESULT command line tool. You'll probably want to pipe the output into a file to allow for easier review (and text searching), by using a command line such as "gpresult > rsop1.txt".
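An added example (not from the original tip): a small Python parser for the saved gpresult text that lists which GPOs applied or were filtered out per scope and flags required ones that are missing. The sample report is constructed, its section headings are assumed to match the gpresult output on your system, and the function names are hypothetical.

```python
# Constructed sample laid out like gpresult's text report; headings are assumed.
SAMPLE = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline
    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Kiosk Lockdown
            Filtering:  Denied (Security)
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": [[name, reason]]}}."""
    report, scope, section = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):  # new scope starts
            scope, section = line.split()[0].lower(), None
            report[scope] = {"applied": [], "filtered": []}
        elif not scope or not line or set(line) == {"-"} or line == "N/A":
            continue  # preamble, blank lines, underlines, empty lists
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.endswith("security groups"):  # next heading ends the GPO lists
            section = None
        elif section == "applied":
            report[scope]["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            report[scope]["filtered"][-1][1] = line.split(":", 1)[1].strip()
        elif section == "filtered":
            report[scope]["filtered"].append([line, ""])
    return report

def missing_gpos(report, scope, required):
    """Required GPO names not in the scope's applied list (case-insensitive)."""
    applied = {n.lower() for n in report.get(scope, {}).get("applied", [])}
    return [n for n in required if n.lower() not in applied]
```
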

If you prefer a GUI-based display, you can open the RSOP MMC snap-in or use the Help and Support Center. To use the latter, click "Performance and maintenance" under the Pick a Help topic column, then click Tools under See Also, then click Advanced System Information under Tools, then click View Group Policy settings applied in the right pane.


If you just want to see the configured items in a GPO in a single easy-to-use list, rather than digging around manually to discover configured settings, use the Group Policy Reporting tool. In the Group Policy Management MMC snap-in, select the GPO you want to view, then click the Settings tab in the details pane. This displays a report of only those settings with defined changes for the selected GPO.

If you have just created a GPO and want to test its effects, you can perform a simulation of GPO application without actually deploying the GPO. This is known as Group Policy Modeling, another feature of the Group Policy Management MMC snap-in. To run the Group Policy Modeling Wizard, right-click the Group Policy Modeling item, select the wizard from the pop-up menu, and choose the appropriate items for your desired GPO test. This is a great tool for checking dependencies, inheritance, and conflicts before rolling out a new GPO.

James Michael Stewart has co-authored numerous books on Microsoft, security certification and administration and is a regular speaker at NetWorld+Interop. Stewart holds the following certifications: MCSE, MCT, CTT+, CISSP, TICSA, CIW SA, CCNA, MCSE NT & W2K and iNet+. He can be reached at michael@impactonline.com.

This was first published in July 2005
