|This chapter excerpt from Microsoft Windows Vista Management and Administration, by Andrew Abbate, James Walker, Scott Chimner and Rand Morimoto, is printed with permission from Pearson Education,|
Although GPOs generally work very well in Active Directory environments, occasionally administrators will encounter issues when working with GPOs. If this should occur, there are several client and server side tools that can be used to determine the issue that is preventing a given GPO from applying properly.
Using the Resultant Set of Policies Tool
Resultant Set of Policies (RSoP) is part of the GPMC that provides a GUI interface that enables you to test a policy implementation prior to rolling it out in production and also enables you to view what policies a user or computer is actually receiving. The RSoP allows an administrator to pick a computer and user object and determine which GPOs would get applied. This allows an administrator to model the results without needing access to the user or the user's computer.
Group Policy Modeling Using RSoP
RSoP Planning mode enables you to simulate the deployment of a specified Group Policy, check the results, change, and then test the deployment again. This is very helpful in a lab environment where you can create and test a new set of policies. After RSoP shows that the GPO is correct, you can then use the backup functionality to back up the GPO configuration and import it into production.
To run RSoP in simulation mode, right-click Group Policy Modeling in the forest that will be simulated, and choose Group Policy Modeling Wizard. The wizard allows for inputting the possibility of slow links, loopback configuration, and WMI filters as well as other configuration choices. Each modeling is presented in its own report as a subnode under the Group Policy Modeling mode.
Using RSoP Logging Mode to Discover Applied Policies
RSoP in Logging mode enables you to view what exact policies a user or computer might be receiving. It shows in a readable format what polices are enforced, where conflicts exist, and what different policies are being applied to the user/computer. It can be run either on the local computer or on a remote computer by choosing the proper options in the wizard. To run RSoP in Logging mode, right-click Group Policy Results in the GPMC, and then click the Group Policy Modeling Wizard selection and follow the wizard that appears.
One of the most common questions in GPO troubleshooting is, "How do I know it even tried to apply my GPO?" This is a very easy thing to test, and it tends to provide a lot of interesting information. Vista workstations have a utility available called GPResult. To run this, open a command prompt, type gpresult, and press Enter.
The utility will determine what groups the user and the computer belong to, and it will show you what GPOs it found linked to the OU hierarchy. It will point out GPOs that were skipped because of security filtering, and it will show you which ones were applied. It will even go so far as to tell you what OU your user and computer objects are in. This can be very helpful in determine why a GPO was or was not applied.
Another helpful tool for testing out GPOs is the GPUpdate utility. This will trigger a download and application of GPOs outside of the normal GPO processing schedule.
You can limit the tool to only request updates to user or computer GPOs by using:
Gpupdate /target:computerYou can force the system to immediately apply changes by using:
or Gpupdate /target:user
Gpupdate /forceAnd you can even use Gpupdate /sync to include a reboot of the system to process GPO settings that occur only on system startup.
GROUP POLICY BASICS FOR WINDOWS VISTA
Tip 1: A basic primer on Microsoft Group Policy
Tip 2: How to configure GPOs
Tip 3: What's new in Vista Group Policy?
Tip 4: How to manage GPOs
Tip 5: Troubleshooting GPOs for Vista
Tip 6: Group Policy best practices
ADVANCED GROUP POLICY FOR WINDOWS VISTA
Tip 1: Which GPOs are available
Tip 2: Further understanding GPOs in Vista
Tip 3: Examples of useful GPOs in Vista
Tip 4: Moving policies between domains
Tip 5: Recommended practices with Vista Group Policy
This was first published in December 2007