Predict Changes with Group Policy Modeling

Imagine that someone in your company was about to change jobs.

Maybe they get a promotion and get to live in Paris. Or, perhaps they get a demotion and have to live in.. well, you get the picture.

And when these events occur, your boss might ask you to predict the future. Not like, “Who’s going to win the big game next week” but rather, “What is going to happen when Jane moves from here and gets her new job in the company and moves over there?”

That’s what Group Policy Modeling can enable you to know. You can predict the future by looking into the existing Group Policy Objects you already have and “calculating” what the result is going to be when the change occurs.

Remember, when a user changes job roles, there’s a whole lot that can change during that move. Let’s take a look at what we can discover as a user changes job roles and what we can learn about their move.

You’ll start out by using the Group Policy Management Console (GPMC) to run the Group Policy Modeling Wizard as seen in Figure 1.

Figure 1

Next, you’ll pick a Domain Controller for the “action” to happen. All the calculations are done on a Domain Controller and not the client machines. The Domain Controller is going to figure out which GPOs are associated with the user and computer today, and what they will be in the future.

Figure 2

Next, choose a user and computer pair. You can either browse or type in the pair you want to start with as seen in Figure 3.

Figure 3

The next several screens are about the “what if.” Here, you can see that you are able to change some parameters, such as if the user is coming in over a slow link, using Loopback processing, or more commonly selected, you’re able to pick a site that the user will be using. For instance, if they move from City A to City B.

Figure 4

Then you can also manipulate which OU the computer and/or user is moving to. Simply Browse for the new location (if that’s part of the job role change.)

Figure 5

The user’s group membership is important too, because that often changes during job role changes, and can affect the Group Policy Objects they will receive after the move is complete.

Figure 6

The final results can be seen in Figure 7.

You will be able to see which GPOs apply to the user and computer, which are denied, and also, in the Settings tab, the full complement of settings the user should expect.

This is called “Group Policy Modeling” for a reason. It’s possible the results could change from what is predicted here, but it’s a really good start.

Now, the real question is, how do YOU get a promotion where you get to move to Paris?

Figure 7