Group Policy Modeling

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Server 2003 has a powerful new Group Policy management feature that allows the user to simulate a policy deployment that would be applied to users and computers before actually applying the policies. This feature, known as Resultant Set of Policy (RSoP) – Planning Mode in Windows Server 2003, is integrated into GPMC as Group Policy Modeling. This feature requires a domain controller that is running Windows Server 2003 in the forest, because the simulation is performed by a service that is only present on Windows Server 2003 domain controllers. However, with this feature, you can simulate the resultant set of policy for any computer in the forest, including those running Windows 2000.

In Figure 25, note that the Windows Server 2003 forest has a Group Policy Modeling container in the tree pane and the Windows 2000 forest does not have this container.


Figure 25

The contents tab on the Group Policy Modeling node displays a summary of all Group Policy Modeling queries that the user has performed. This is shown in Figure 25. For each query, GPMC shows the following data:

  • Name – This is the user-supplied name of the modeling results.

  • User – This is the user object (or the OU where the user object is located) that forms the basis of the modeling query.

  • Computer – This is the computer object (or the OU where the computer object is located) that forms the basis of the modeling query.

  • Last refresh time – This is the last time the planning query was refreshed.

The Group Policy Modeling Wizard can be opened from the Group Policy Modeling container, the domain node, or from any OU. When the Group Policy Modeling Wizard is started from one of the SOM containers, the wizard automatically passes the SOM data to the wizard and pre-populates the User and Computer Selection page of the wizard.


For users that are familiar with the RSoP MMC snap-in in Windows Server 2003, the Group Policy Modeling Wizard is a newer version of the RSoP wizard, running in Planning mode. Because all RSoP functionality provided by the RSoP MMC snap-in is included in GPMC, along with new functionality such as HTML reporting of RSoP data, it is recommended that users access all RSoP functionality primarily through GPMC, rather than the standalone RSoP MMC snap-in.

Figure 26 shows the Group Policy Modeling Wizard’s Summary of Selections dialog box prior to running the modeling analysis. The settings in the summary pane are the answers supplied by the user while running the modeling wizard.


Figure 26

Once the user completes the Group Policy Modeling Wizard, a new node in the console is created to display the results. These nodes are persistent across GPMC console sessions. The user must manually remove any Group Policy Modeling nodes that are no longer desired.

For a given Group Policy Modeling query, the node contains three tabs as shown in Figure 27.

  • Summary - this contains an HTML report of the summary information including the list of GPOs, security group membership, and WMI filters.

  • Settings - this contains an HTML report of the simulated policy settings that would be applied in this simulation.

  • Query - this lists the parameters that were used to generate the query.

Using the context menu on this new node, the user is able to:

  • Save the results report to the file system. This saves the contents of both the Summary and Settings tabs as a single file (either HTML or XML).

  • Re-run the query. Choosing the option to re-run the query will re-run the simulation and re-generate the data displayed in the report.

  • Create a new query using the original as a template.

  • Start the RSoP MMC snap-in, by choosing the “Advanced View” option. The RSoP snap-in includes the same data that is shown in the HTML report, but also shows precedence information. For example, if three GPOs set the same setting, only 1 GPO will actually set that setting. The HTML will tell you the final value and which GPO actually set it, whereas the traditional RSoP snap-in will also identify all GPOs that attempted to set that setting and the corresponding value of that setting. This is shown on the precedence tab when you double click a setting in the RSoP MMC snap-in.

The summary tab (shown in Figure 27) shows a summary of the RSoP data for the user configuration and computer configuration. For both sections, the following information is shown:

  • General information including the name of the user, computer, and/or SOM for which the RSOP data was gathered.

  • A list of GPOs that are in scope for the given user, computer, computer, and/or container, and the SOM to which each GPO was linked. This includes a list of GPOs that would be applied, as well as GPOs that were in scope, but would not be applied on the target.

  • Simulated security group membership of the targeted user and/or computer.

  • List of WMI filters that are linked to the GPOs and whether they were assumed in the query to be true or not.


Figure 27

The settings tab (shown in Figure 28) displays a report of the final value of all policy settings that would be applied, and the GPO (for example, “Winning GPO”) that would be responsible for setting each value.


Figure 28

The query tab displays the parameters of the query entered by the user that were used to generate the data. This tab includes data that the user entered in the wizard to generate the query such as:

  • Last time the query was refreshed.

  • Domain controller on which the simulation was run.

  • User name or SOM name for user settings.

  • Computer name or SOM name for computer settings.

  • If slow link processing was simulated.

  • The site that the computer is assumed to be in, for this simulation.

  • Whether Loopback processing was assumed, and if so, the mode (“none”, “merge mode”, or “replace mode”).

  • Simulated alternate user location.

  • Simulated alternate computer location.

  • Simulated security group membership of user object.

  • Simulated security group membership of computer object.

  • WMI filters that were assumed to be true for the computer object

  • WMI filters that were assumed to be true for the user object