The Group Policy Modeling Tool in Windows Server 2008



The Group Policy Modeling snap-in can be used to show the effective policy settings for a user who logs on to a server or workstation after all the respective policies have been applied. This tool is good for identifying which policies are being applied and what the effective setting is.

To simulate the policies for a user, use the Group Policy Modeling snap-in as shown below:

1. Launch Server Manager on a domain controller.

2. Expand the Features folder.

3. Expand the Group Policy Management Console.

4. Expand the Forest folder.

5. Select the Group Policy Modeling snap-in.

6. Select Action and then Group Policy Modeling Wizard to launch the wizard.

7. Click Next.

8. Leave the default domain controller selection, which chooses any available domain controller. The domain controller must be Windows Server 2003 or Windows Server 2008. Click Next.

9. Select the User option button in the User Information box, and click Browse.

10. Enter the name of a user to check, and click OK. Click Next to accept the user and computer selection.

NOTE: In the Group Policy Modeling Wizard, the net effect of the group policies can be modelled for specific users, computers, or entire containers for either object. This allows an administrator to see the effects for individual objects or for objects placed within the containers, making the tool very flexible.

11. Click Next on the Advanced Simulation Options page. The advanced simulation options allow you to model slow network connections or specific sites.

12. Click Next to skip the Alternate AD Paths.

13. The User Security Groups page shows the groups that the user is a member of. You can add additional groups to see the effects of changes. Leave as it is and click Next.

14. Click Next to skip the WMI Filters for Users page.

15. Click Next to run the simulation.

16. Click Finish to view the results.

17. Click the Show link next to Group Policy Objects.

18. Click the Show link next to Denied GPOs.

Within the console, you can review each particular setting to see whether a setting was applied or the desired setting was overwritten by a higher-level policy. The report shows why specific GPOs (Group Policy Objects) were denied.