Here is the Group Policy Management Console, and if we right-click Group Policy and hit edit, we are live. We are definitely making a live edit here, which can obviously be a little dangerous. A lot of organizations will try to put some policy restrictions around editing these things live, just so they don’t trash their environment by mistake, but it can be difficult.
You know, change control: if you are disciplined enough to remember to back this thing up every single time you go in to edit it, then you have always got that backup to roll back to. So if you do trash your environment, then there is a way to get yourself back out of it. But it is something that requires discipline; you have to specifically remember to do that.
We do have good support for Resultant Set of Policy. We can pop up the Group Policy Results Wizard, and now we can test for any computer in the environment. We’ll just do this one. We can display the policy settings for any user in the environment, so you can do neat little testing with Resultant Set of Policy. Depending on how many policies have to apply, it might take a while to run. The result is this report, which is very similar to the tree breakdown that you would see in the Group Policy Editor, but it’s obviously a read-only thing. You can flip through here and see exactly which settings are being applied and so forth. That’s over here. You can go down and look at every single individual setting and see what the Resultant Set of Policy was.
You can also do modeling, which is a little bit more flexible. You can actually say we are going to use this particular Domain Controller, we are going to pretend that the user is in this container and that the computer is in this container and so forth, and put together a what-if situation. However, you are not going to be able to compare that to the user’s real situation. One of the big things missing from the Group Policy Management Console is any kind of comparison capability, and that would be tremendously useful in a lot of different situations. Not to mention having some kind of off-line editing.
Speaking of off-line editing, I am actually working in a virtual machine. This was created by using a P2V (physical to virtual) conversion of a real domain controller in my environment. So this is representative of my production environment. It is configured exactly the way my production Domain Controller is, and I have the virtual machine configured as an isolated network. In other words, it’s not participating in the rest of my network; it does not really know that the rest of my network exists. That does upset it occasionally because it does try to replicate with other Domain Controllers that don’t exist in this virtual environment. It is the price I pay. When it gets too upset and non-functional, I just have to recreate the virtual machine from the physical one. But it does give me that off-line environment. It means I can come over here and I can edit a Group Policy and I don’t have to worry about it affecting the production environment right away.
Of course, the problem is that getting that over to production can be difficult. Usually what I will do is keep track of which settings I have changed. As I drill down here and change settings, I will write them down to the side. If everything works okay, after I have done my modeling and testing, I will go duplicate those same changes back in production. That can be kind of a hassle. If I have a bunch of changes, sometimes doing a backup-and-restore trick is a little bit easier: back it up in the virtual environment and restore it to production. But there is definitely a lot of room for error. And I have transposed things occasionally when I was moving them over to the production environment and trashed the environment anyway. But this is the tool set we have got. We certainly can put better management practices in place with it if you take the time to do so and if you have a little bit of discipline to make sure that you are keeping with those practices.
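
The backup-before-edit habit and the missing comparison step described above can both be scripted with the GroupPolicy PowerShell module. The following is an added example, not part of the original talk: the GPO name and file paths are hypothetical, and it assumes the usual Computer/User > ExtensionData > Extension layout of the XML report written by Get-GPOReport.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC/RSAT).
Import-Module GroupPolicy

$GpoName   = 'Workstation Baseline'            # hypothetical GPO name
$BackupDir = 'C:\GPOBackups'                   # hypothetical folder, must already exist
$LabReport = 'C:\GPOReports\lab-baseline.xml'  # hypothetical: Get-GPOReport XML copied from the lab

# 1. Take a rollback point before touching the live GPO.
$backup = Backup-GPO -Name $GpoName -Path $BackupDir -Comment "Pre-change $(Get-Date -Format s)"
Write-Host "Backed up '$GpoName' as backup Id $($backup.Id)"

# 2. Export the current production settings as an XML report.
$ProdReport = Join-Path $BackupDir 'prod-current.xml'
Get-GPOReport -Name $GpoName -ReportType Xml -Path $ProdReport

# 3. Flatten a report to one line per configured setting. local-name() is used
#    because the extension namespace prefixes can differ between reports.
function Get-GpoSettingLine {
    param([Parameter(Mandatory)][string]$Path)
    $xml = [xml](Get-Content -Path $Path -Raw)
    foreach ($side in 'Computer', 'User') {
        $xpath = "/*[local-name()='GPO']/*[local-name()='$side']" +
                 "/*[local-name()='ExtensionData']/*[local-name()='Extension']/*"
        foreach ($setting in $xml.SelectNodes($xpath)) {
            $leaves = foreach ($leaf in $setting.SelectNodes('descendant-or-self::*[not(*)]')) {
                "$($leaf.LocalName)=$($leaf.InnerText.Trim())"
            }
            "$side | $($setting.LocalName) | $($leaves -join '; ')"
        }
    }
}

# 4. Compare production with the lab copy; "<=" is production only, "=>" is lab only.
$prod = @(Get-GpoSettingLine -Path $ProdReport)
$lab  = @(Get-GpoSettingLine -Path $LabReport)
if ($prod.Count -eq 0 -or $lab.Count -eq 0) {
    Write-Warning "One report has no settings: production=$($prod.Count), lab=$($lab.Count)"
} else {
    Compare-Object -ReferenceObject $prod -DifferenceObject $lab |
        Sort-Object InputObject | Format-Table SideIndicator, InputObject -Wrap
}

# Rollback, if the change goes wrong: restores the most recent backup in $BackupDir.
# Restore-GPO -Name $GpoName -Path $BackupDir
```

Running the comparison again after the production change should produce no output rows, which catches the transposed-setting mistakes that manual re-entry invites.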