Getting Results, Part 1: The Resultant Set of Policy Tool in Windows Server 2003

by Dan DiNicolo

With the release of Windows Server 2003 on the horizon, enterprises and systems administrators are starting to examine what this new operating system has to offer. This article concentrates on the Resultant Set of Policy Tool, a new tool that specifically deals with 'results' with respect to group policy settings.

With the release of Windows Server 2003 less than a couple of months away, enterprises and system administrators that have not already done so will be starting to take a good hard look at what this new operating system has to offer. While the bulk of the core operating system, services, and features are fundamentally similar to those in Windows 2000, a number of new and potentially very useful enhancements have been included that will help make the lives of system administrators easier.

The purpose of this article is not to provide an overview of all the new features of Windows Server 2003, but rather to concentrate on one important new tool that specifically deals with "results," in this case with respect to group policy settings. A follow-up article will cover a new feature that enables the cumulative permissions that apply to users, groups, and computers to be easily obtained.

The new tool covered in this article is known as Resultant Set of Policy (RSoP). RSoP is an administrative tool provided as an MMC snap-in that enables an administrator to easily gauge the cumulative group policy settings that apply to a user or computer. In Windows 2000, group policy settings in a domain environment are usually set at three different levels -- namely sites, domains, and OUs. While this model provides a great deal of flexibility, it can also make the actual settings that apply to a user or computer difficult to discern.

For example, the first major issue is the order of group policy processing -- site GPOs, followed by domain GPOs, followed by OU GPOs. At any given level, multiple policies may apply, in different orders according to the manner in which they are ordered for a particular container. To confuse things further, certain policies can be blocked or set to not override, which impacts whether the policy settings can be changed or overwritten at a lower level, or whether they should be processed at all.

Going a step further, GPOs can also be filtered through the use of permissions, allowing group policy settings to be applied to users or computers within a container or not, according to the specific needs or requirements. When all is said and done, determining the actual settings that will ultimately apply to a user or computer can be at best difficult, if not impossible, especially in large environments.

To help circumvent this issue, Microsoft provided a utility in the Windows 2000 resource kit known as gpresult.exe. Essentially, this command-line utility was used to discern the exact policy settings that would apply to a user or computer once group policy processing is complete. Unfortunately, the long, text-based output of the tool made it difficult to grasp exact settings, and as another tool buried in the resource kit, many administrators weren't even aware of its existence. Gpresult.exe is now included as a built-in utility with Windows Server 2003, but most administrators will probably still feel more comfortable with the RSoP tool.
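The precedence rules described above (site, then domain, then OU processing, link order within a container, blocking, No Override and permission filtering) can be worked through in a small model. This is an added example, not code from the article or from Microsoft; it is a simplification in which filtering is reduced to group membership, and every container, GPO and setting name is constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Link:
    gpo: str                          # GPO name (constructed)
    settings: dict                    # setting name -> value
    no_override: bool = False         # link is marked No Override
    apply_to: Optional[set] = None    # groups allowed to apply it; None = all users

@dataclass
class Container:
    name: str
    links: list                       # in processing order: last link wins
    block_inheritance: bool = False   # container blocks policy from above

def resultant_set(path, groups):
    """path runs site -> domain -> OU; returns {setting: (value, source GPO)}."""
    applicable = []                   # (level, link) pairs in processing order
    for level, container in enumerate(path):
        if container.block_inheritance:
            # Blocking drops inherited links, except those marked No Override.
            applicable = [(lv, ln) for lv, ln in applicable if ln.no_override]
        for link in container.links:
            if link.apply_to is None or link.apply_to & groups:
                applicable.append((level, link))
    normal = [p for p in applicable if not p[1].no_override]
    # No Override links are written last; the stable sort puts the highest
    # container at the end so that it wins a conflict between two of them.
    forced = sorted((p for p in applicable if p[1].no_override), key=lambda p: -p[0])
    result = {}
    for _, link in normal + forced:
        for name, value in link.settings.items():
            result[name] = (value, link.gpo)
    return result

# Constructed sample hierarchy; all names and settings are made up.
PATH = [
    Container("Site HQ", [Link("Site Proxy", {"proxy": "proxy.example.test"})]),
    Container("example.test", [
        Link("Domain Baseline", {"screensaver_timeout": 600}),
        Link("Domain Lockdown", {"hide_control_panel": True}, no_override=True)]),
    Container("OU Sales", [
        Link("Sales Desktop", {"screensaver_timeout": 900, "hide_control_panel": False}),
        Link("Sales Managers", {"screensaver_timeout": 1800}, apply_to={"Sales Managers"})],
        block_inheritance=True),
]

if __name__ == "__main__":
    for name, (value, gpo) in resultant_set(PATH, {"Domain Users"}).items():
        print(f"{name} = {value!r}   (from {gpo})")
```

For a user who is only in Domain Users, the blocked OU discards the site and domain baseline settings, yet the No Override lockdown link still wins over the OU's own value. That per-setting source attribution is what makes an unexpected security setting traceable to the GPO that produced it.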

Note: The screen shots in this article are all based on a pre-release version of Windows Server 2003. Although some of the screen shot details may change in the final release, the functionality of the RSoP tool should largely be the same.

As mentioned earlier, RSoP is simply an MMC snap-in. It can be added or removed from the list of available snap-ins, as shown below.

Once added to an MMC console, the RSoP interface is fairly basic. The tool's purpose is to provide the list of settings that apply to a user or computer after all group policy settings that apply have been processed. To see this information, simply right-click on the RSoP node, and click Generate RSoP Data, as shown below. This will walk you through the RSoP Wizard, allowing you to choose the user or computer for which you want to view RSoP data.

RSoP allows you to gather policy data in one of two modes -- logging mode and planning mode, as shown below. Logging mode allows you to view the settings that would apply to a particular user or computer based on current GPO settings. Planning mode is a little different, but another great feature -- it allows you to carry out a type of "what if" analysis, simulating a policy implementation for users or groups that are part of a specific container.

This article walks through the steps associated with logging mode, since that will probably be the more popular choice when trying to ascertain the impact of existing policy settings.

After choosing logging mode, the next step is to choose whether to view the impact of policy settings on the current computer (which is likely a server) or another computer on the network. This is a really neat feature because it enables you to view the results of policy settings on the user's specific PC, which may be impacted by specific policy settings as well.

After selecting the computer for which the analysis should occur, select the user. The currently logged-on user is selected by default; however, it is also possible to select a different user -- in the example below, this is Dan. The screen shot shows that it is also possible to view computer-related policy information if that is your preference.

Once the user for whom results should be generated has been selected, the wizard gathers the necessary policy information to present a set of results. This can take anywhere from a few seconds to several minutes, depending on the number of policy objects to be processed and their related settings. Once the process is complete, you are left with a familiar sight, namely an interface that looks almost exactly like the one used to configure group policy settings, as shown below.

By clicking on the individual policy elements and drilling down through settings, the RSoP tool provides precise information about which settings actually apply to the user Dan. For example, in the screen shot below, you can see the password policy settings that apply to Dan, along with the source GPO from which these particular settings are gathered.

Once all is said and done, the RSoP tool provides capabilities that few system administrators will want to be without. Such a tool would have been excellent for Windows 2000 administrators, but I suppose this is a case of better late than never.

Another nice feature about this tool is that you don't have to worry about running through the entire wizard each and every time you want to analyze the impact of a change to policy settings or assess the impact of policy on a different user or computer. The tool also allows you to refresh queries based on policy changes or easily change your queries to view the impact on a different user or computer. Overall, the RSoP tool goes a long way toward making the challenges of security and user environment administration easier to manage for Windows Server 2003 administrators.

This article was originally published on Tuesday Mar 4th 2003