[00:03] Now, we are going to…
Group Policy is a powerful tool to manage your environment.
However, some mistakes can make your policies didn't apply to the expected objects (users/computers), like wrong OU/group, misspelled computer name, gpupdate has not run yet, etc.
Fortunately, we have a tool to verify that applications: RSoP GUI.
In this demo, I will apply a small policy globally-wide; then I will use this tool to see it worked or not.
Policy creations will be covered in other videos.
Now, we "re-link " this policy to enable its effect then check how it was applied to objects of SnoOpy.com domain by using the Resultant Set of Policy GUI or gpresult CLI utility.
Do not forget to propagate this policy update!
Resultant Set of Policy (RSoP) is Administration console based on the MMC technology, thus we can add it as a snap-in from the MMC console.
RSoP is bundled with Group Policy that helps policy implementations, and error troubleshooting is easier.
It is a query engine that polls existing policies and planned policies, and then reports the results of those queries.
Technically, it polls existing policies, which based upon the site/domain/domain controller/OU.
RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (otherwise known as a CIM-compliant object repository) through the Windows Management Instrumentation (WMI) interface.
[1:02] "Group Policy Replication Inconsistencies
Problem: The storage for Group Policy Object (GPO) settings is split between the Group Policy Container (GPC) in Active Directory (AD) and the Group Policy Template (GPT) in SYSVOL. When you make a change to a GPO, the Group Policy Editor (GPE) writes changes to one or both, depending on what is being written" – itprotoday.com
[1:11] "We have configured the policy of automatic certificate distribution on all domain computers (on a certain container or a domain security group). The certificate will be automatically installed on all new computers without any tech support involvement" – woshub.com
[1:36] We need to view which policies were applied to this user/computer, thus leave them as default.
We need to view the status of policies only, thus enter Logging mode .
You can use Planning mode when you need to simulate a policy implementation by using data from the Active Directory Directory Services.
[1:45] "In the Windows world, Group Policy provides a way for network administrators to assign specific settings to groups of users or computers. Those settings then get applied whenever a user in the group logs in to a networked PC or whenever a PC in the group is started" – howtogeek.com
We can view the RSoP status of other computers by using this RSoP snap-in, but we have to specify the computer which we need to view.
First, make sure that the current account has enough permissions to view, usually; it must be: Administrator/Domain Administrator/Enterprise Administrator.
Okay, "Deny Control Panel" policy has been applied to this user/computer (obviously because it has the domain-wide scope).
[2:19] "Instead of just running Resultant Set of Policies (RSOP) on the client or from the GPMC console (which is extremely slow!), you can run this Powershell command to get the ouput in a nice, clean HTML file" – danielclasson.com
[2:28] “Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP
ports 139 and 445” – computerstepbystep.com
[2:37] Second, ensure that we have connectivity between the expected computer and local, as well as the remote computer's firewall has proper rules to allow the remote RSoP implementation.
For simply, we only need to allow a set of rules, which were defined by Windows in Firewall: File and Printer Sharing and Windows Management Instrumentation.
Even in a test lab, do not turn off the firewall completely, this may lead you to success faster but not so long!
[3:07] "Make sure you are editing your group policy object from a Windows 7 or Server 2008 R2 machine to ensure you are editing the policy with the same client-side extension present." – spiceworks.com
[3:15] Select all rules because they are necessary for successful remote RSoP management communications.
[3:27] Do the same for the Windows Management Instrumentation rule set.
[3:35] "RPC server not available? Replication errors in the Event viewer? Sound familiar?" – msmvps.com
[3:44] "Windows Firewall controls the incoming and outgoing traffic from and to the local system based on the criteria defined in the rules. The criteria can be program name, protocol, port, or IP address. In a domain environment, administrator can centrally configure Windows Firewall rule using Group Policy" – mustbegeek.com
[3:53] Now, let's allow them in the Outbound Rules section too, because this process needs two-way communication.
[4:38] Wait for episode 2 to see it in action!