1 00:00:03,090 --> 00:00:09,930 So now let's look how the resultant set of policy or are soapy tools within Windows can help with troubleshooting 2 00:00:09,930 --> 00:00:11,370 challenges that we have? 3 00:00:12,360 --> 00:00:15,870 So resultant set of policy comes in two flavors, if you will. 4 00:00:15,900 --> 00:00:21,090 The first is called RCP modeling, and this is a feature that tells you what should happen from a group 5 00:00:21,090 --> 00:00:24,300 policy processing perspective on a given system. 6 00:00:25,220 --> 00:00:30,620 And it's basically kind of an analysis tool that lets you before you've deployed a policy or before 7 00:00:30,620 --> 00:00:35,810 you've made a change, lets you essentially do some analysis of group policy and see what's going to 8 00:00:35,810 --> 00:00:36,290 happen. 9 00:00:36,440 --> 00:00:39,530 It actually runs against a DC in your environment. 10 00:00:40,530 --> 00:00:43,470 So any DC that it can find will run against it. 11 00:00:43,470 --> 00:00:48,840 Does the modeling at the DC and it lets you place sort of a what if scenario with some group policy 12 00:00:48,840 --> 00:00:51,630 processing conditions like slow link and loopback. 13 00:00:51,630 --> 00:00:57,030 And you can also sort of do it against the whole or you rather than picking a specific machine or user. 14 00:00:58,000 --> 00:00:58,720 Now. 15 00:00:59,660 --> 00:01:03,020 The other flavor of our soap is our soap logging. 16 00:01:03,940 --> 00:01:09,130 Our soapy logging is also called group policy results, and this is the feature that tells you what 17 00:01:09,130 --> 00:01:11,080 has happened on a given target system. 18 00:01:11,290 --> 00:01:17,200 So you run it against an actual system and it gathers up all the ah soapy data that the clients or extensions 19 00:01:17,200 --> 00:01:19,900 have logged for the last GP processing cycle. 20 00:01:19,900 --> 00:01:24,100 And it shows what worked and what didn't from my group policy processing perspective. 21 00:01:25,090 --> 00:01:30,700 One thing to note about it, and this is also true with our soapy modeling, is that our soap in general 22 00:01:30,700 --> 00:01:36,010 only shows you the winning settings or the setting that were actually delivered to the system or will 23 00:01:36,010 --> 00:01:36,730 be delivered. 24 00:01:37,690 --> 00:01:42,940 It doesn't show you, for example, settings that are in conflict with the winning settings from other 25 00:01:42,940 --> 00:01:43,840 GPOs. 26 00:01:44,830 --> 00:01:47,260 Now the requirements to run are soapy. 27 00:01:47,350 --> 00:01:52,660 For our soapy modelling you need at least one 2003 R to DC in the domain. 28 00:01:53,600 --> 00:01:59,330 This shouldn't be a problem for most folks, given where a two hour or 2003 is these days. 29 00:01:59,330 --> 00:02:04,460 You need those delegated rights that I talked about in the previous module on delegation to be able 30 00:02:04,460 --> 00:02:09,200 to do group policy modeling, and that those rights have to be at the container where you're modeling, 31 00:02:09,200 --> 00:02:10,220 whether it's an O.U. 32 00:02:10,250 --> 00:02:12,380 Or a particular machine or user. 33 00:02:13,330 --> 00:02:18,220 It does not require GP processing to have happened for either the user or the computer. 34 00:02:18,370 --> 00:02:23,500 So this is going to be different from what you need for group policy results or ah, soapie logging, 35 00:02:23,650 --> 00:02:25,360 which I'll talk about in a second. 36 00:02:26,330 --> 00:02:31,550 So with our soapy logging, what you need is you need to be able to connect to that target system over 37 00:02:31,550 --> 00:02:33,990 WMI using the decon protocol. 38 00:02:34,010 --> 00:02:39,560 So what this means is if you have a firewall on your client systems, it needs to be able to allow either 39 00:02:39,560 --> 00:02:45,770 what's called the remote administration exception or the WMI com exception in the firewall so that you 40 00:02:45,770 --> 00:02:50,480 can get access to via WMI the ah soapy data on that system. 41 00:02:51,380 --> 00:02:58,790 So without this access, RSVP will simply fail, usually with a message that says our PC server unavailable. 42 00:02:59,750 --> 00:03:03,470 It needs those delegated rights, just like our soapy modeling does. 43 00:03:03,500 --> 00:03:08,030 So you just need to have rights over the container for that you're modelling against and for a given 44 00:03:08,030 --> 00:03:13,760 user, if you're trying to find out if Joe Sales got a specific set up policy on the win client, that 45 00:03:13,760 --> 00:03:19,610 user has to have at least logged into the system once and processed policy in order to get our soapie 46 00:03:19,610 --> 00:03:20,450 data from them. 47 00:03:21,410 --> 00:03:23,090 So that's pretty self-evident. 48 00:03:23,090 --> 00:03:24,920 But it is something to keep in mind. 49 00:03:24,920 --> 00:03:30,320 If you're looking for data from a particular user, that user has to have logged into the machine that 50 00:03:30,320 --> 00:03:31,550 you're reporting against. 51 00:03:32,540 --> 00:03:34,850 So when to use our soap? 52 00:03:35,830 --> 00:03:42,040 So RCP modeling is it's kind of a good tool for analyzing the effect of future changes. 53 00:03:43,050 --> 00:03:48,330 Now, what it doesn't do is, is it doesn't let you modify the settings in the GPO to say, what if 54 00:03:48,330 --> 00:03:50,540 I added the setting to this GPO? 55 00:03:50,550 --> 00:03:51,690 It doesn't do that. 56 00:03:52,650 --> 00:03:58,170 It only takes the current sets of GPOs that are available and it lets you make changes, theoretical 57 00:03:58,170 --> 00:04:04,740 changes to, for example, security groups where WMR filters that are linked to the GPOs or whether 58 00:04:04,740 --> 00:04:07,770 a slow link was detected or a loopback was detected. 59 00:04:07,920 --> 00:04:10,440 And so it's of limited value for doing settings. 60 00:04:10,440 --> 00:04:11,580 What if analysis? 61 00:04:11,850 --> 00:04:17,040 But it lets you do some of that and at least lets you see what settings will be on a system. 62 00:04:17,950 --> 00:04:24,130 I find that I use it much less than I use RCP logging or GP results, but it is something out there 63 00:04:24,130 --> 00:04:27,700 as a tool for you to use when you're making changes to your environment. 64 00:04:28,660 --> 00:04:30,490 Now RCP logging. 65 00:04:30,490 --> 00:04:35,470 On the other hand, I consider this the first line of defense for group policy troubleshooting. 66 00:04:35,620 --> 00:04:37,840 So this is the go to tool that I use. 67 00:04:38,810 --> 00:04:43,730 Whenever I'm trying to figure out where there are problems in group policy, this is the very first 68 00:04:43,730 --> 00:04:44,510 thing I will run. 69 00:04:44,510 --> 00:04:49,430 And what it does is it tells you what's actually happened on the system during the last group policy 70 00:04:49,430 --> 00:04:50,570 processing cycle. 71 00:04:51,520 --> 00:04:56,860 So it's only telling you what happened during the last cycle, but it's giving you that kind of at on 72 00:04:56,860 --> 00:05:01,780 the ground information about what's going on, on the system and there's ways to run that group policy 73 00:05:01,780 --> 00:05:03,850 results or RSP login. 74 00:05:04,810 --> 00:05:10,870 The first is through the group policy results node, and this is in M.S. and then the second is in a 75 00:05:10,870 --> 00:05:13,690 command line tool called Pre-salt Dot XY. 76 00:05:13,690 --> 00:05:16,180 And I'll show you both of these methods in a second. 77 00:05:17,140 --> 00:05:18,580 The command line version. 78 00:05:18,700 --> 00:05:21,790 Some people really like it because it's command line. 79 00:05:22,730 --> 00:05:26,310 I find it to be hard to read and hard to get information out of. 80 00:05:26,330 --> 00:05:32,120 I much prefer the version in group policy management console, but the command line version is available 81 00:05:32,120 --> 00:05:34,100 for getting some basic information. 82 00:05:35,050 --> 00:05:40,900 So let's go ahead and dive in and actually play around with these tools and see how they work in practice.