Using the Group Policy Tools

The Group Policy tools in Windows XP contain a lot of improvements. The sections following this one describe each of these tools and how to use them. Some of these enhancements deserve special mention, though. First is Group Policy Update Tool (Gpupdate.exe). Group Policy refreshes policies every 90 minutes by default. In Windows 2000, if you changed a policy and wanted to see the results immediately, you had to use the commands secedit /refreshpolicy user_policy and secedit /refreshpolicy machine_policy. Gpupdate.exe replaces both of these commands with one easy-to-use command. You don't need to use this tool when updating the local GPO, though, because changes to the local GPO are instant.

Second is Resultant Set of Policy (RSoP). Windows XP includes new tools for seeing which policies the operating system is applying to the current user and computer and the location where they originated. One of the toughest parts of administering Group Policy on a large network is tracking down behaviors that result from combinations of GPOs that you didn't intend or didn't know were occurring. These tools help you track down these behaviors much faster than you could with Windows 2000 because they give you a snapshot of how the operating system is applying them and where they originated.

Gpresult

Group Policy Result Tool displays the effective policies and RSoP for the current user and computer. This section describes its command-line options.

Syntax

 gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]

/s Computer

This specifies the name or IP address of a remote computer (don't use backslashes). It defaults to the local computer.

/u Domain\User

This runs the command with the account permissions of the user specified by User or Domain\User. The default is the permissions of the current console user.

/p Password

This specifies the password of the user account that the /u option specifies.

/user TargetUserName

This specifies the user name of the user for whom you want to display RSoP.

/scope {user|computer}

This displays either user or computer results. Valid values for the /scope option are user or computer. If you omit the /scope option, Gpresult.exe displays both user and computer settings.

/v

This specifies that the output display verbose policy information.

/z

This specifies that the output display all available information about Group Policy. Because this option produces more information than the /v option, redirect output to a text file when you use this parameter: gpresult /z >policy.txt.

/?

This displays help.

Examples

 gpresult /user jerry /scope computer
 gpresult /s camelot /u honeycutt\administrator /p password /user jerry
 gpresult /s camelot /u honeycutt\administrator /p password /user jerry /z >policy.txt

Gpupdate

Group Policy Update Tool (Gpupdate.exe) refreshes local and network policy settings, including registry-based settings. As I mentioned, this command replaces the obsolete command secedit /refreshpolicy.

Syntax

 gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot] 

/target:{computer|user}

This processes only the computer settings or the current user settings. By default, both the computer and user settings are processed.

/force

This ignores all processing optimizations and reapplies all settings.

/wait:value

This is the number of seconds that policy processing waits to finish. The default is 600 seconds. 0 means don't wait, and -1 means wait forever.

/logoff

This logs the user off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.

/boot

This restarts the computer after the refresh is finished. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.

/?

This displays help.

Examples

 gpupdate
 gpupdate /target:computer
 gpupdate /force /wait:100
 gpupdate /boot

start sidebar
Simulating Folder Redirection

IT professionals often ask me about Folder Redirection. Specifically, they want to know how to simulate this policy when they haven't yet deployed Active Directory. Active Directory is a requirement for this policy, after all.

Not so fast! Although you can't achieve automatic folder redirection without Active Directory, you can simulate it. Configure the key User Shell Folders to redirect My Documents and other folders to a network location. This key is in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer and contains one value for each of the special folders that Windows XP supports. They are REG_EXPAND_SZ values, so you can use environment variables, such as %USERNAME% and %HOMESHARE%, in the path. This means that even on a Windows NT-based network, you can use redirected folders.

I suggest you script this customization so you can apply it uniformly. Chapter 4, "Hacking the Registry," describes the key User Shell Folders in great detail, and it also contains a sample script that automatically redirects folders.

end sidebar
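The redirection described in the sidebar, as an added PowerShell example (not the book's Chapter 4 script): it writes two User Shell Folders values as REG_EXPAND_SZ and then audits every value in the key as stored and as expanded. The target folder layout under %HOMESHARE% and the function names are assumptions.

```powershell
# Added example, not the book's Chapter 4 script. The folder layout under
# %HOMESHARE% is an assumption; change the targets to match your shares.
$UsfPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Single quotes keep %HOMESHARE% literal so it is stored unexpanded.
$Redirects = @{
    'Personal'    = '%HOMESHARE%\My Documents'
    'My Pictures' = '%HOMESHARE%\My Documents\My Pictures'
}

function Set-FolderRedirect {
    param([hashtable]$Map)
    if (-not $env:HOMESHARE) {
        # Without a home share the path would not resolve; change nothing.
        Write-Warning 'HOMESHARE is not set for this user; nothing changed.'
        return
    }
    foreach ($name in $Map.Keys) {
        # ExpandString is REG_EXPAND_SZ: the variable is resolved per user
        # when the value is read, not frozen to the path of whoever ran this.
        Set-ItemProperty -Path $UsfPath -Name $name -Value $Map[$name] -Type ExpandString
    }
}

function Get-FolderRedirectReport {
    $key  = Get-Item -Path $UsfPath
    $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }            # skip the unnamed default value
        $kind     = $key.GetValueKind($name)
        $raw      = [string]$key.GetValue($name, $null, $opts)   # as stored
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        New-Object PSObject -Property @{
            Name = $name; Kind = $kind; Raw = $raw; Expanded = $expanded
            # Wrong type or a leftover %VAR% means the redirect will not resolve.
            Suspect = ($kind -ne 'ExpandString') -or ($expanded -match '%[^%\\]+%')
        }
    }
}

Set-FolderRedirect -Map $Redirects
Get-FolderRedirectReport | Sort-Object Name |
    Format-Table Name, Kind, Raw, Expanded, Suspect -AutoSize
```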

Help and Support Center

Although of limited use for IT professionals because you can't use it remotely, users can run Help and Support Center's Resultant Set of Policy Report on their own computers to check policy settings. This tool provides a user-friendly, printable report of most policies in effect for the computer and console user. Figure 6-7 shows a sample of this report. Here's how to use this tool:

  1. Click Start, and then click Help And Support Center.

  2. Under Pick A Task, click Use Tools To View Your Computer Information And Diagnose Problems.

  3. Click Advanced System Information, and then click View Group Policy Settings Applied.

Figure 6-7: Help and Support Center's RSoP report contains the same type of information as Gpresult.exe, but it's more readable and more suitable for printing.

Resultant Set of Policy

Although Help and Support Center's RSoP report isn't suitable for use by IT professionals, the RSoP snap-in is suitable because you can use it to view RSoP data for remote computers. You use this tool to predict how policies work for a specific user or computer, as well as for entire groups of users and computers. Sometimes, GPOs applied at different levels in Active Directory conflict with each other. Tracking down these conflicting settings is difficult without a tool like this snap-in.

The RSoP snap-in checks Software Installation for applications associated with the user or computer. It reports all other policy settings, too, including registry-based policies, redirected folders, Internet Explorer maintenance, security settings, and scripts. You've already seen two tools that report RSoP data: Gpresult.exe and Help and Support Center. The RSoP snap-in is almost as easy to use (your account must be in the computer's local Administrators group to use this tool):

  1. Click Start, Run, and type mmc.

  2. Click File, Add/Remove Snap-In, and then click Add.

  3. In the Available Standalone Snap-Ins dialog box, select Resultant Set Of Policy, and then click Add.

  4. Click Next in Resultant Set of Policy Wizard, and click Next again.

  5. On the Computer Selection page, click Another Computer, type the name of the computer you want to inspect, and then click Next.

  6. On the User Selection page, select the user for which you want to display RSoP data, and then click Next.

  7. Click Next, and then click Finish to close the wizard.

Figure 6-8 shows the results. In this example, you see the password policies applied to the computer. For each setting, you see the GPO that's the source for it.

Figure 6-8: The RSoP snap-in is the best tool for figuring out the source of policy settings when multiple GPOs apply to a computer.
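A scriptable view of the same information, as an added PowerShell example that is not from the book: it reads logging-mode RSoP data over WMI and lists each numeric security setting (password and lockout policy among them) with the GPO it came from. The WMI namespace and class names do not appear on the page, the function name is hypothetical, and camelot is the sample computer from the Gpresult examples.

```powershell
# Added example: read the RSoP data the snap-in displays, via WMI.
# Run with an account in the target computer's local Administrators group.
function Get-RsopPasswordPolicy {
    param([string]$ComputerName = '.')
    $ns = 'root\rsop\computer'

    # Map each applied GPO's id to its display name.
    $gpoName = @{}
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class RSOP_GPO |
        ForEach-Object { $gpoName[$_.id] = $_.name }

    # One row per setting per GPO that defines it; precedence 1 is the
    # value in effect, higher numbers are settings that lost the conflict.
    Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class RSOP_SecuritySettingNumeric |
        Sort-Object KeyName, precedence |
        Select-Object KeyName, Setting, precedence,
            @{ Name = 'SourceGPO'; Expression = { $gpoName[$_.GPOID] } },
            @{ Name = 'Winning';   Expression = { $_.precedence -eq 1 } }
}

Get-RsopPasswordPolicy -ComputerName 'camelot' | Format-Table -AutoSize
```

Rows with a precedence greater than 1 are the conflicting settings from other GPOs that the section describes as hard to track down.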



Microsoft Windows XP Registry Guide
Microsoft Windows XP Registry Guide (Bpg-Other)
ISBN: 0735617880
EAN: 2147483647
Year: 2005
Pages: 185
