Active Directory By the Numbers: Windows Server 2003
Tutorial: Running an RSoP Simulation
In this tutorial, we create two conflicting GPOs: one enabling the Add/Remove Programs control panel and the other disabling access to Add/Remove Programs. We then run an RSoP simulation on the two GPOs to find out which one takes priority over the other. And last, we log into the domain with a client computer to confirm the results of the RSoP.
-
Open Active Directory Users and Computers and bring up the Properties for the North Wing OU.
-
On the Group Policy tab, create a new GPO and name it Remove Add/Remove Programs (Disabled) . Once you've created this new GPO, select it and click Edit .
-
Under the User configuration in the left column, disable the GPO rule labeled Remove Add or Remove Programs . This rule is located under Administrative Templates ˆ’ > Control Panel ˆ’ > Add or Remove Programs . Actively disabling this rule grants any user in the North Wing OU the ability to load the Add/Remove Programs control panel. Close the GPO Editor and click OK on the North Wing Properties window.
-
Back in Active Directory Users and Computers, bring up the Properties for the child OU Users located under the North Wing OU. As before, click the Group Policy tab, but this time add a new policy and name it Remove Add/Remove Programs (enabled) .
-
Edit the new GPO and enable the rule labeled Remove Add or Remove Programs under the User configuration. By actively enabling this GPO rule, we prohibit anyone in the selected GPO from accessing the Add/Remove Programs control panel. Close the GPO Editor and OK the Users Properties window.
We now have our GPO conflict. The higher based GPO allows users in the North Wing OU to open the Add/Remove Programs control panel. Naturally, this GPO applies to all children within the North Wing OU. But the child OU Users possesses the conflicting GPO, which restricts access to the Add/Remove Programs control panel. Recall that Windows gives priority to the GPO farther down the tree; in this case, the GPO applied to the Users OU. So the users contained in the Users OU should not be able to access the Add/Remove Programs control panel. But let's say that we didn't know this and didn't want to log into the domain from a client computer to test which GPO gets priority. This is where RSoP comes in very handy.
-
We wish to test how the conflicting GPOs will behave, and so we need to start our RSoP simulation at the point of conflict. In simple terms, everything is working just fine in our Remove Add/Remove Programs (Disabled) scheme until we hit the Users OU's Remove Add/Remove Programs (Enabled) GPO. This is the point at which we start the test. Right-click the Users OU, point to All Tasks , and click Resultant Set of Policy (Planning) .
-
The RSoP wizard appears designating the location of our OU in which we wish to test. Place a check in the box labeled Skip to the final page of this wizard without collecting additional data . ( Note: leaving this checkbox empty enables some additional options allowing you to enter more detailed information about the simulation such as simulating a slow network connection and specifying which groups to add in the simulation. For the purposes of this tutorial, we shall accept the default settings, which are usually sufficient ). Click Next .
-
Place a check in the box labeled Gather extended error information . Click Next .Windows Server 2003 runs the simulation. When it finishes, it presents a screen informing us that the RSoP process is complete. Click Finish .
-
The RSoP window appears. You may notice that it appears quite similar to the GPO Editor console. You may think of the RSoP console as a read-only informational version of the GPO Editor. In the left column, navigate to our Add/Remove Programs GPO rule in the Users configuration. Recall that this is located under Administrative Templates ˆ’ > Control Panel ˆ’ > Add or Remove Programs .
-
The right pane of the RSoP console contains the information we seek. Broken up into three columns , you should see something similar to the following:
Clearly we see that the rule Remove Add/Remove Programs is enabled. We also see that the GPO responsible for this action is the one that we applied to the Users OU. Double-clicking the GPO and selecting the Precedence tab gives us further data:
Here we see the two conflicting GPOs, listed in the order of priority. Notice that our "enabled" GPO appears higher in the list, overriding the "disabled" GPO. Close the RSoP console when you're finished looking at the results of the simulation.
-
From a client computer, log into the domain with a username and password from the User's folder in the North Wing OU.
-
Attempt to open the Add/Remove Programs control panel. You should see a message stating that this control panel has been restricted. Bingo! Our RSoP simulation paid off!
Категории