1 00:00:03,050 --> 00:00:03,680 All right.
2 00:00:03,710 --> 00:00:08,810 Now, what I want to do is use Samarra Soapy to do modeling and logging of group policy processing.
3 00:00:08,930 --> 00:00:12,710 So what I'm going to do is I'm going to start with the Group Policy Modeling wizard.
4 00:00:12,920 --> 00:00:18,110 And as you can see, I'm in GPMC beneath the domains node under Group Policy Modeling.
5 00:00:18,110 --> 00:00:21,140 And if I right-click, start the Group Policy Modeling wizard.
6 00:00:21,260 --> 00:00:22,040 Click next.
7 00:00:23,050 --> 00:00:29,020 I can select the DC that I want to run the simulation on and again I can pick the domain and it'll show
8 00:00:29,020 --> 00:00:30,760 me all the DCs available.
9 00:00:31,720 --> 00:00:36,040 In this case, I only have this one, so I'm going to go ahead and choose the default.
10 00:00:36,220 --> 00:00:40,180 And then I can choose the container where the user object that I want to model.
11 00:00:41,170 --> 00:00:42,910 So what does this mean?
12 00:00:43,870 --> 00:00:47,920 So for the user, I can choose an OU that the user is a member of.
13 00:00:47,950 --> 00:00:53,920 So for example, I can come into sales users and we know we've got my good old friend Joe Sales in there
14 00:00:53,920 --> 00:00:57,310 and I can choose the container or the user for the computer object.
15 00:00:58,290 --> 00:01:03,900 So what this is doing is it's telling me that I'm going to model for any users in the Users OU under
16 00:01:03,900 --> 00:01:09,030 Sales or in the case of the computer, I'm going to model for any computers in the Marketing
17 00:01:09,030 --> 00:01:09,570 OU.
18 00:01:10,500 --> 00:01:16,620 I could have picked a specific user or a specific computer if I wanted to, but in this case, I'm just
19 00:01:16,620 --> 00:01:18,210 going to be generic about it.
20 00:01:19,180 --> 00:01:23,800 Now here is where I can kind of tweak the behavior of processing a little bit.
21 00:01:24,040 --> 00:01:26,560 Let's say, for example, I wanted to simulate
22 00:01:27,520 --> 00:01:32,740 a slow network connection, which, as we've known from an earlier module, can affect which client-
23 00:01:32,740 --> 00:01:34,120 side extensions run.
24 00:01:35,110 --> 00:01:40,060 I can also select to have loopback processing run or at least be simulated to run.
25 00:01:40,970 --> 00:01:45,560 And this, of course, changes what user settings are delivered to the user.
26 00:01:46,530 --> 00:01:49,410 And then I can tell it what site my client is in.
27 00:01:50,360 --> 00:01:51,290 In this case,
28 00:01:51,290 --> 00:01:55,430 I just had this one site, so I'll go ahead and take the default site.
29 00:01:56,420 --> 00:02:01,200 Then what I can do is I can simulate group membership for both the user and the computer.
30 00:02:01,220 --> 00:02:06,920 So, for example, for the selected user, I can say, okay, they're in the sales users group.
31 00:02:07,890 --> 00:02:11,160 So I want to simulate them being a member of the sales users.
32 00:02:11,340 --> 00:02:17,010 And where this comes into play is that remember that security group filtering can affect which GPOs
33 00:02:17,010 --> 00:02:17,910 get processed.
34 00:02:18,890 --> 00:02:24,260 So if you want to model adding somebody to a group and see what effect that has on the group policy
35 00:02:24,260 --> 00:02:27,800 they receive or removing them from the group for that matter,
36 00:02:28,790 --> 00:02:31,850 you can do that and I can do the same for computers.
37 00:02:32,870 --> 00:02:35,060 I'll just leave this at the default.
38 00:02:35,990 --> 00:02:41,480 And then I can have either the WMI filters that are currently linked to the GPOs that are selected or
39 00:02:41,480 --> 00:02:44,840 I can have it be specific to particular filters that I use.
40 00:02:45,830 --> 00:02:51,230 So in this case I don't have any filters, but I'll just choose all linked filters, which leaves the
41 00:02:51,230 --> 00:02:56,360 current linking of whatever WMI filters might be in place and it just leaves that at the default.
42 00:02:57,290 --> 00:02:59,630 And I can do the same for computers.
43 00:03:00,590 --> 00:03:05,060 And now I'm ready to run the simulation, so I'm going to go ahead and let it run.
44 00:03:06,020 --> 00:03:07,220 And it's finished.
45 00:03:08,180 --> 00:03:11,930 And it tells me what has happened for users in the Sales Users
46 00:03:12,140 --> 00:03:14,420 OU and computers in the Marketing
47 00:03:14,420 --> 00:03:15,050 OU.
48 00:03:15,980 --> 00:03:21,590 So it gives me the summary and it tells me this isn't super relevant because it's not actually showing
49 00:03:21,590 --> 00:03:23,120 me what happened on a system.
50 00:03:23,240 --> 00:03:25,100 It's modeling what might have happened.
51 00:03:26,060 --> 00:03:31,100 But it's just saying the fast link is detected because I didn't choose the slow link option.
52 00:03:32,020 --> 00:03:37,570 And what I'm really looking at is in the Details tab, which shows me all of the sort of status of group
53 00:03:37,570 --> 00:03:41,950 policy processing and more interestingly, the settings that have been delivered.
54 00:03:42,940 --> 00:03:48,940 So it shows me that this startup script was delivered via the scripts policy and that these security
55 00:03:48,940 --> 00:03:54,160 settings were delivered to the, or will be delivered to the, computers in this OU based on this winning
56 00:03:54,160 --> 00:03:55,300 policy of Default
57 00:03:55,300 --> 00:03:56,440 Domain Policy.
58 00:03:57,370 --> 00:04:03,160 And then I can come down under group policy objects and see which GPOs have been applied and which have
59 00:04:03,160 --> 00:04:03,910 been denied
60 00:04:03,910 --> 00:04:05,380 and the reason they're denied.
61 00:04:06,360 --> 00:04:09,360 In this case, this one has a disabled link.
62 00:04:10,330 --> 00:04:15,850 And then I can come in under user details and see the same information under user details.
63 00:04:16,860 --> 00:04:22,800 So essentially it shows me all of the settings that are delivered, the GPOs that win, the GPOs that
64 00:04:22,800 --> 00:04:23,310 lose,
65 00:04:23,310 --> 00:04:25,320 why they win and why they lose.
66 00:04:26,270 --> 00:04:31,040 Now the query tab just shows me the values that I've chosen for this modeling run.
67 00:04:32,010 --> 00:04:33,830 So that's Group Policy Modeling.
68 00:04:33,840 --> 00:04:39,810 And again, that's for figuring out what might be going on ahead of the game, so to speak, with policy
69 00:04:39,810 --> 00:04:40,620 processing.
70 00:04:41,550 --> 00:04:47,130 Group Policy Results, on the other hand, is giving you information on what's happened in the past.
71 00:04:47,310 --> 00:04:51,120 So I'm going to go ahead and run a query against an actual system.
72 00:04:52,030 --> 00:04:58,430 And this is where it goes out and touches that system over WMI for the R to test sales user.
73 00:04:58,450 --> 00:04:59,980 And I'm going to run that model.
74 00:05:00,920 --> 00:05:05,090 And this is telling me what happened during the last GP processing cycle.
75 00:05:05,090 --> 00:05:11,090 And so when, then when the report comes back, what I'll get is data about this particular policy processing.
76 00:05:12,020 --> 00:05:17,750 The summary shows me whether any errors were detected for computer or user refresh and the fast link
77 00:05:17,750 --> 00:05:18,530 was detected.
78 00:05:18,530 --> 00:05:19,430 So that's good.
79 00:05:20,370 --> 00:05:22,110 If I come in under details,
80 00:05:22,110 --> 00:05:23,670 this is how it has broken out,
81 00:05:23,760 --> 00:05:25,470 similar to GP modelling.
82 00:05:25,470 --> 00:05:31,290 And what it does further is it gives me a lot of detail about what process, how processing happened
83 00:05:31,290 --> 00:05:32,130 on this machine.
84 00:05:33,090 --> 00:05:35,010 So first for the computer.
85 00:05:35,990 --> 00:05:42,050 It'll give me the name, the domain, the site, the organizational unit the computer was detected in,
86 00:05:42,050 --> 00:05:46,220 and the computer's group membership at the time the policy was processed.
87 00:05:47,190 --> 00:05:52,200 This is really important for troubleshooting group membership filtering issues because this will show
88 00:05:52,200 --> 00:05:56,640 you what group policy thought the computer's group policy, or group membership, was.
89 00:05:57,650 --> 00:06:00,020 Then down here under component status,
90 00:06:00,020 --> 00:06:05,450 it's giving me lots of great information about each client-side extension that's run and how long it
91 00:06:05,450 --> 00:06:05,870 took.
92 00:06:06,840 --> 00:06:11,160 So group policy infrastructure is the core phase of group policy processing.
93 00:06:11,160 --> 00:06:13,140 That tells me essentially how many are that.
94 00:06:13,140 --> 00:06:18,570 He gives me the phase of group policy processing when it actually determines which GPOs it needs to
95 00:06:18,570 --> 00:06:19,310 process.
96 00:06:20,270 --> 00:06:25,940 And then each subsequent client-side extension runs and gives me additional information about how long
97 00:06:25,940 --> 00:06:28,200 it took to run that client-side extension
98 00:06:28,220 --> 00:06:29,990 the last time it was processed.
99 00:06:30,950 --> 00:06:34,210 And this little view log entry, which is really handy.
100 00:06:34,220 --> 00:06:39,800 What it's doing is it's going out and parsing the operational, the group policy operational log on
101 00:06:39,800 --> 00:06:45,650 the target system and showing the just the events for this last group policy processing cycle in a step-
102 00:06:45,650 --> 00:06:46,760 by-step fashion.
103 00:06:47,660 --> 00:06:52,820 And this is super useful for troubleshooting the operational log, which I'm going to talk about in
104 00:06:52,820 --> 00:06:55,100 a little bit through Group Policy Results.
105 00:06:56,070 --> 00:07:00,390 And that, again, it shows me all the settings that were delivered to the client.
106 00:07:01,400 --> 00:07:06,980 You'll see that startup.bat file that was delivered by the scripts policy and my admin templates
107 00:07:06,980 --> 00:07:11,090 for the computer and the applied GPOs and the denied GPOs.
108 00:07:12,080 --> 00:07:15,800 In this case, I had the Dallas Sales Office Printers GPO
109 00:07:15,800 --> 00:07:17,870 that was denied because it's empty.
110 00:07:18,820 --> 00:07:21,130 And the policy and preference GPO
111 00:07:21,130 --> 00:07:23,200 that was denied because it's empty.
112 00:07:24,170 --> 00:07:26,450 Now my filters were applied.
113 00:07:27,350 --> 00:07:29,660 And then I get into user details.
114 00:07:30,640 --> 00:07:36,340 And here you'll see, for example, that folder redirection is showing is pending because it did not
115 00:07:36,340 --> 00:07:40,930 complete because it needs the user to log on again for the settings to be applied.
116 00:07:41,890 --> 00:07:48,130 So here it is, telling you exactly why folder redirection policy didn't work, which is really handy.
117 00:07:49,140 --> 00:07:54,680 This component status section is super important when it comes to troubleshooting group policy.
118 00:07:55,590 --> 00:08:01,770 And then it shows you installed applications for the user, all the user settings and again all the
119 00:08:01,770 --> 00:08:03,990 user's applied and denied GPOs.