  • 31 July 2021 at 08:51 UTC
  • InformatiWeb

Generate a Resultant Set of Policy (RSoP) from a domain controller with Active Directory on Windows Server 2016

When you have many Group Policy Objects (GPOs) and use multiple links, security filtering, and so on, it quickly becomes useful to be able to generate the resultant set of policy for a specific computer and user.

From your domain controllers, you can:

  • generate the resultant set of policies for a specific computer and user
  • OR do a simulation to find out what should be applied on the desired client computer
  1. Group Policy Results (RSoP)
  2. Group Policy Modeling (simulation)

1. Group Policy Results (RSoP)

On one of your domain controllers, open the "Group Policy Management" console and select the "Group Policy Results" node.
Then, on the right side, right-click and choose "Group Policy Results Wizard".

The Group Policy Results wizard appears.

In our case, we're going to select "This Computer" to generate the resulting set of policy for the server we're connected to, but you could also do it for another computer if you want.

Select "Current user" or a specific user who has logged in at least once to this server.

Note: the resultant set of policy will be generated for this user.

A summary of the selections is displayed. Click on Next.

To view the results, click Finish.

In the "Summary" tab, you can quickly see if an error has been detected for the computer and user policies.
You will also be able to see if a fast link or a slow link has been detected.

In the "Details" tab, you will find a lot of information about the computer and the user affected by this report, as well as the GPOs and group policies applied on the affected computer.
Note that the report format is identical to that generated in HTML format by GPResult.
For more details about the contents of this report, refer to our tutorial: WS 2016 - AD DS - Generate RSoP data (on client side)

In the "Policy Events" tab, you will be able to view the events related to group policies and thus detect errors that may have occurred on your domain controller.
Note that you can see events of type: information, warning or error.

By double clicking on an event, you can get a description of what happened.

By default, queries are kept, which allows you to run the same query later (even after closing this console) if you wish.
However, if you want to delete this query, right-click it and choose "Delete".
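
The same Group Policy Results data can be produced from PowerShell with the `Get-GPResultantSetOfPolicy` cmdlet of the GroupPolicy module, which makes it easy to list which GPOs applied and which were filtered out. This is an added example, not part of the original tutorial: the computer and user names are placeholders, and the XML element names it reads are assumed from the RSoP report layout and should be checked against your own report.

```powershell
# Added example: scripted equivalent of the Group Policy Results wizard.
# Requires the GroupPolicy module (installed with the Group Policy Management console).
Import-Module GroupPolicy

# Placeholder names (assumptions): use a real computer and a user who has
# already logged on to it at least once.
$Computer = 'CLIENT01'
$User     = 'CONTOSO\jdoe'
$Report   = Join-Path $env:TEMP "rsop-$Computer.xml"

# Same data as the wizard, written as XML so it can be queried.
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $Report | Out-Null
[xml]$rsop = Get-Content -Path $Report -Raw

# Element names (GPO, Enabled, AccessDenied, FilterAllowed, IsValid, Link/SOMPath,
# SlowLink) are assumed from the RSoP XML report layout.
function Get-GpoStatus {
    param($Results, [string]$Scope)
    foreach ($gpo in $Results.GPO) {
        # Work out why a GPO in scope did or did not apply.
        if     ($gpo.Enabled -ne 'true')       { $state = 'Disabled' }
        elseif ($gpo.AccessDenied -eq 'true')  { $state = 'Denied (security filtering)' }
        elseif ($gpo.FilterAllowed -ne 'true') { $state = 'Denied (WMI filter)' }
        elseif ($gpo.IsValid -ne 'true')       { $state = 'Invalid' }
        else                                   { $state = 'Applied' }

        [pscustomobject]@{
            Scope    = $Scope
            GPO      = $gpo.Name
            State    = $state
            LinkedTo = ($gpo.Link.SOMPath -join '; ')
        }
    }
}

$status  = @(Get-GpoStatus $rsop.Rsop.ComputerResults 'Computer')
$status += @(Get-GpoStatus $rsop.Rsop.UserResults     'User')
$status | Sort-Object Scope, State, GPO | Format-Table -AutoSize

# Slow-link detection, as shown in the "Summary" tab of the console.
"Computer slow link: $($rsop.Rsop.ComputerResults.SlowLink)"
"User slow link:     $($rsop.Rsop.UserResults.SlowLink)"
```

Run it from an elevated session on the domain controller; use `-ReportType Html` instead to get the same report as the "Details" tab.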

2. Group Policy Modeling (simulation)

Group Policy modeling allows us to simulate what we would get on a given computer with a specific user if we made a change in our Active Directory infrastructure (but without doing it on the real infrastructure).
In other words, it allows you to check whether your changes will have the desired effects and to check whether you are not granting rights by mistake to users with these changes.

To perform this simulation, in the "Group Policy Management" console, select the "Group Policy Modeling" node and right-click "Group Policy Modeling Wizard" in the right part.

The Group Policy Modeling wizard appears.

Select the desired Active Directory domain and the domain controller to use if you have more than one.

Note: selecting a specific domain controller can be useful for performance reasons if you have a multi-site Active Directory infrastructure.
It also lets you be sure that the results returned are up to date (in case data replication has not completed, for example).

Since the computer and the user both have an influence on the policy set that will be returned by your domain controller, the wizard allows you to select:

  • a container where your users would be or a specific user
  • a container where your computers would be or a specific computer

These choices will vary depending on your needs.

At the "Advanced Simulation Options" step, you can simulate:

  • the use of a slow network connection, which will influence the policy set returned by your domain controller
  • the use of loopback processing mode for group policies in "Replace" or "Merge" mode
  • the positioning of the computer on a specific site

You can simulate that your user and/or your computer would be in a different location than their current actual location.

At the "User Security Groups" step, you can simulate your user's membership of one or more other security groups if you wish.

The next step is the same, but for your computer's membership of one or more other security groups.

Since WMI filters can also be used for filtering the application of Group Policy, you can simulate the use of one or more WMI filters for the user.

The same applies to the computer account.

A preview of your selections is displayed.
Click Next.

Wait while these changes are simulated on your domain controller.

When the simulation is complete, click Finish to view the results.

In the "Summary" tab, you can see if a fast or slow link has been detected (which depends on the option chosen in the wizard).

A report very similar to the one generated by GPResult is displayed, but as shown at the top of the report, this is a Group Policy Modeling report.

This means that it shows the set of policies that the affected computer should receive if you make the changes indicated through the wizard and that user logs on to the affected computer.
However, it's common for what is set on the domain controller to differ from what is actually supported and applied by the remote computer.
It's therefore very important that you don't rely solely on this report to determine whether the configuration of your Group Policies is correct or not.
You should then check on the client computer that what should be applied has actually been applied by it.

As with the Group Policy results, you will have information about:

  • the targeted computer
  • the policies that should be applied on it, if it supports them and applies them correctly
  • the targeted user
  • the policies that should be applied for the "User configuration" part of GPOs
  • and more

To delete this simulation report, right-click it and choose "Delete".

And confirm its deletion.

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
