The purpose of this article is not to provide you with an overview of all the new features of Windows Server 2003. Instead, in this article I have decided to concentrate on one important new tool that specifically deals with ‘results’, in this case with respect to group policy settings. In a followup article I will cover a new feature that allows the cumulative permissions that apply to users, groups, and computers to be easily obtained.
The new tool covered in this article is known as Resultant Set of Policy, or RSoP. Resultant Set of Policy is an administrative tool provided as an MMC snap-in that allows an administrator to easily gauge the cumulative group policy settings that apply to a user or computer. If you’ll recall from Windows 2000, group policy settings in a domain environment are usually set at three different levels, namely sites, domains, and OUs. While this model provides a great deal of flexibility, it can also make understanding the actual settings that apply to a user or computer difficult to discern.
For example, the first major issue is the order of group policy processing – site GPOs, followed by domain GPOs, followed by OU GPOs. At any given level, multiple policies may apply, in different orders according to manner in which they are ordered for a particular container. Confusing things further is the fact that certain policies can be blocked or set to no override, which impacts whether the policy settings can be changed or overwritten at a lower level, or whether they should be processed at all. Going a step further, GPOs can also be filtered through the use of permissions, allowing group policy settings to either be applied to users or computers within a container or not, according to your specific needs or requirements. When all is said and done, determining the actual settings that will ultimately apply to a user or computer can be at best difficult, if not impossible, especially in large environments.
To help circumvent this issue, Microsoft provided a utility in the Windows 2000 resource kit know as gpresult.exe. Essentially, this command-line utility was used to discern the exact policy settings that would apply to a user or computer once group policy processing was complete. Unfortunately, the long text-based output of the tool made it difficult to grasp exact settings, and as another tool buried on the resource kit, many administrators weren’t even aware of its existence. Gpresult.exe is now included as a built-in utility with Windows Server 2003, but most administrators will probably still feel more comfortable with the Resultant Set of Policy tool.
As mentioned earlier, RSoP is simply an MMC snap-in. It can added or removed from the list of available snap-ins.
Once added to an MMC console, the RSoP interface is fairly basic. Remember that the tool’s purpose is to provide you with the list of settings that will apply to a user or computer after all group policy settings that apply have been processed. In order to see this information, you simply right-click on the Resultant Set of Policy node and click Generate RSoP Data, as shown below. Ultimately, this will walk you through the Resultant Set of Policy Wizard, allowing you to choose the user or computer for which you want to view RSoP data.