With all the complexity of GPO processing through the
series of L-S-D-OU-OU-OU, and with Block Inheritance and Enforced
settings, you might easily recognize that, on occasion, what you get
from your collection of GPOs isn’t exactly what you expected. To help
you sort through this maze of policies and settings, Microsoft has
provided several different tools.
Group Policy Results and Group Policy Modeling
The first two tools, and
probably the most recommended, can be accessed within the Group Policy
Management Console (GPMC):
Group Policy Results
Group Policy Modeling
These two tools, and a summary from the Group Policy Results tool,
are shown in Figure 1.
The Group Policy Results Tool
The Group Policy Results tool allows you to identify the effective GPOs and
their settings that configure and control the user’s session on the
computer. You specify which computer and which user to run the analysis
on. The Group Policy Results tool performs its analysis based on where
the specified computer account actually is located within AD and where a
specified user account actually is located within AD to produce the
effective GPO results. The Group Policy Results tool is often called the
“What is” analysis tool.
The Group Policy Modeling Tool
The Group Policy
Modeling tool is used to experiment with “What if” scenarios. It allows
you to specify a computer account and a user account to analyze. It then
allows you to manipulate where the computer account might be placed
within AD and where the user account might be placed within AD. Finally,
the Group Policy Modeling tool calculates the effective GPOs and their
settings that configure and control the user’s session on the computer,
based on their newly proposed positions within AD.
Resultant Set of Policies (RSoP)
Another tool available in Windows Vista, which was also available in
earlier operating systems, is the Resultant Set of Policies (RSoP) tool.
It is still available in Windows Vista as a snap-in to the Microsoft
Management Console (MMC) and must be assembled to be accessed.
Just like the Group Policy
Results tool, you select which computer and which user to run the
analysis on. The RSoP tool performs its analysis based on where the
specified computer account actually is located within AD and where a
specified user account actually is located within AD to produce the
results. The Resultant Set of Policy tool is also called a “What is”
analysis tool because it too is based on the objects’ actual locations
in AD.
As shown in Figure 2, the RSoP tool presents the results in the same layout
as a GPO. This makes a quick overview more difficult than the summary
of settings that is presented with the newer Group Policy Modeling and
Group Policy Results tools inside the GPMC, and explains why this might
not be your first choice of GPO analysis tools.
The X icon in Figure 2 indicates that a security identifier (SID) failed to
resolve to a name. This is usually the result of a renamed or deleted
user or computer account.
Alert
This RSoP tool is not the recommended tool to use for GPO analysis and
troubleshooting but is still available to analyze the effective policies
for a computer and user session based on their actual positions within
AD.
GPResult.exe Command-Line Tool
A third tool to perform a
similar analysis is the command-line tool called GPResult.exe. This tool analyzes only the local machine where
the command is executed and the user who is currently logged on to that
machine. The output is ASCII text. It identifies the computer and its
configuration and status on the network and also its position in AD.
Then GPResult reports on all the GPOs that affect the computer.
GPResult then repeats the process for
the user who is logged on to the computer.
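Because GPResult output is plain text with a computer section followed by a user section, it can be checked by script. The following is an added example, not code from the original text: it parses a constructed, abbreviated sample of English-language "gpresult /r" output and reports whether an expected GPO was applied in each scope. The function name Get-AppliedGpo, the account names, and the GPO names are hypothetical.

```powershell
# Constructed, abbreviated sample of "gpresult /r" output (all names are made up).
$sample = @'
COMPUTER SETTINGS
------------------
    CN=PC01,OU=Workstations,DC=example,DC=com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline

USER SETTINGS
--------------
    CN=Alice,OU=Staff,DC=example,DC=com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
'@

# Assumes English section headings; a blank line ends each GPO list.
function Get-AppliedGpo {
    param([string[]]$Lines)
    $result = @{ Computer = @(); User = @() }
    $scope = $null; $inList = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^(COMPUTER|USER) SETTINGS$') {
            # A new section starts: remember which scope the next list belongs to.
            $scope = if ($Matches[1] -eq 'COMPUTER') { 'Computer' } else { 'User' }
            $inList = $false
        } elseif ($text -eq 'Applied Group Policy Objects') {
            $inList = $true
        } elseif ($inList -and $text -eq '') {
            $inList = $false
        } elseif ($inList -and $scope -and $text -notmatch '^-+$') {
            $result[$scope] += $text   # one GPO name per line; skip the dashed rule
        }
    }
    $result
}

# Live use: pass the output of "gpresult /r" instead of the constructed sample.
$applied  = Get-AppliedGpo -Lines ($sample -split '\r?\n')
$expected = @{ Computer = 'Workstation Baseline'; User = 'Staff Desktop Lockdown' }  # hypothetical
foreach ($scope in 'Computer', 'User') {
    $state = if ($applied[$scope] -contains $expected[$scope]) { 'applied' } else { 'MISSING' }
    '{0,-8} {1}: {2}' -f $scope, $expected[$scope], $state
}
```

On the sample, the computer scope reports its expected GPO as applied and the user scope reports its expected GPO as MISSING, which is the kind of gap these analysis tools are meant to surface.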