You probably noticed another folder listed near the bottom of GPMC, labeled Group Policy Modeling. This is another wizard-driven interface that allows you to configure some fictitious options and create a model of what might happen to a user and computer, should the options that you select during the wizard become true. Basically, you can use this wizard to pretend that you are making changes to a user, a computer, an OU membership, a group membership, and so on, and then take a look at all of the GPO settings that would be put into place in the event that you actually made these changes in production.
While this modeling wizard won't give you a perfect answer that you can 100% rely upon, it is an interesting feature. After running through one of these models, the results presented will be similar to those of the Group Policy Results wizard.
Begin creating a model by right-clicking on Group Policy Modeling and choosing the Group Policy Modeling Wizard....
Choose the Domain Controller where you want to run this model, and on the next screen you get to identify the user and computer for which you want to create this model. I have never logged in to any system with the Laura user account, so I am going to try to answer the question "What would happen if Laura logged in to LAPTOP1?"
If you simply want to run a quick test for this user+computer combination, you may select the checkbox to skip providing the rest of the optional information and take a look at your results. Proceeding without that checkbox, however, brings you some additional interesting options to add to your model. There are a few more screens where you can create additional pretend information about what the user and computer accounts could look like:
On the Advanced Simulation Options screen, you can do any of the following:
- Slow network connection: Select this option to cause the model to pretend the computer is connected via a slow link
- Loopback processing: Model what RSOP would look like if loopback processing were enabled
- Site: Pretend that the computer is sitting in a specific Active Directory site
After making these selections, you come to the Alternate Active Directory Paths option. This one is particularly interesting. Here, you get to model what would happen if the user and/or computer accounts resided in a different OU inside Active Directory. Remember that we are providing all fictitious information here; we are just creating a possible scenario. In production, moving computers or users from one OU to another is always a little bit scary. This is because any AD administrator knows that changing OU membership will affect the processing of Group Policy, possibly changing the GPOs that are being applied to the user and computer. By using Group Policy Modeling, we can take the guesswork out of that move, and create a model of what exactly would happen in the event that we moved those objects.
Next, you choose to add the user and/or computer to new Active Directory Security Groups, or remove them from existing groups. Remember that this isn't actually changing anything; we are still just pretending that we are going to make these changes.
The last option to select is whether to apply WMI Filters. After making all of the selections about your modeling scenario, the wizard will then generate a modeling report. This modeling report is presented in the same format as the Group Policy Results RSOP data, so you can sift through it and then decide whether you want to pursue turning the pretend settings into reality in your production environment. Group Policy Modeling is such a great feature.
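The same "what if Laura logged in to LAPTOP1 after an OU move" model can be scripted through the GPMC COM scripting interface, which is useful as a repeatable pre-change check. This is an added example, not part of the original text; it assumes GPMC is installed on the machine running it, and the domain, domain controller, and OU names are constructed placeholders.

```powershell
# Added example: Group Policy Modeling (RSoP planning mode) via the GPMC COM API.
# Requires GPMC (RSAT) and rights to run Group Policy Modeling in the domain.
function New-GpModelingReport {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [string] $User,        # DOMAIN\user
        [Parameter(Mandatory)] [string] $Computer,    # DOMAIN\computer
        [string] $UserOU,       # alternate OU (distinguished name) for the user
        [string] $ComputerOU,   # alternate OU (distinguished name) for the computer
        [string] $Site,         # pretend the computer sits in this AD site
        [switch] $SlowLink,     # pretend the computer is on a slow link
        [Parameter(Mandatory)] [string] $ReportPath
    )

    $gpm       = New-Object -ComObject GPMgmt.GPM
    $constants = $gpm.GetConstants()

    # Planning mode only simulates; nothing in Active Directory is changed.
    $rsop = $gpm.GetRSOP($constants.RSOPModePlanning, '', 0)
    $rsop.PlanningDomainController = $DomainController
    $rsop.PlanningUser             = $User
    $rsop.PlanningComputer         = $Computer

    # Optional "pretend" inputs, matching the wizard's later screens.
    if ($UserOU)     { $rsop.PlanningUserSOM     = $UserOU }
    if ($ComputerOU) { $rsop.PlanningComputerSOM = $ComputerOU }
    if ($Site)       { $rsop.PlanningSiteName    = $Site }
    if ($SlowLink)   { $rsop.PlanningFlags       = $constants.RsopPlanningAssumeSlowLink }

    # Run the simulation on the DC, write the HTML report, then release
    # the temporary RSoP data the query created.
    $rsop.CreateQueryResults()
    try     { $null = $rsop.GenerateReportToFile($constants.ReportHTML, $ReportPath) }
    finally { $rsop.ReleaseQueryResults() }

    Get-Item -LiteralPath $ReportPath
}

# Constructed placeholder values: EXAMPLE domain, DC1, and the Staging OU.
New-GpModelingReport -DomainController 'DC1.example.test' `
    -User 'EXAMPLE\Laura' -Computer 'EXAMPLE\LAPTOP1' `
    -ComputerOU 'OU=Staging,DC=example,DC=test' `
    -ReportPath "$env:TEMP\Laura-LAPTOP1-model.html"
```

Running it once with the current OU and once with the proposed OU gives two reports you can compare before moving the object in production.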