In the first implementation of Group Policies in Windows 2000, calculating effective
policy for a given user or computer was challenging. This was especially true when there
were many different GPOs at various levels within a given domain. At that time,
Microsoft did not provide helper tools that would allow administrators to model the
results of policies applied to a given computer or user. Thus, before undertaking a
massive deployment of Group Policies within a corporate environment, it was imperative
to carefully test all new policies.
Note Many administrators used a command-line tool called GPResult.exe, which was
supplied as part of the Windows 2000 Server Resource Kit. This tool generates a
list of current GPO settings for a given user logged onto a given Windows 2000
computer.
With Windows Server 2003, Microsoft introduced several Group Policy management
improvements, including:
Software Restriction Policies. The rapid growth of the Internet increases security
threats to a network, both from worms or viruses and from attacks. A network also
could face internal threats, such as human errors. With software restriction
policies, organizations can protect their networks from malicious software or even
suspicious code by identifying and specifying the applications that are allowed to
run. Unfortunately, Windows 2000 and earlier versions of Windows NT are
unable to process software restriction policies. To use such policies, all domains
must be migrated to Windows Server 2003 domains in native mode and all clients
must be upgraded to Windows XP. (For more information on software restriction
policies, refer to Chapter 9.)
Enhanced User Interface in the Group Policy Object Editor. Policy settings are
more easily understood, managed, and verified with Web-view integration in the
Group Policy Object Editor. Clicking on a policy instantly shows the text
explaining its function and supported environments such as Windows XP or
Windows 2000.
Group Policy Management Console. Expected to be freely available as an add-in
component, the Group Policy Management Console (GPMC) provides a new
framework for managing Group Policy. With GPMC, an administrator can back up
and restore Group Policy Objects (GPOs), import/export and copy/paste GPOs,
report GPO settings, and more.
New Policy Settings. With Windows Server 2003, Microsoft introduced more than
200 new policy settings that let administrators easily lock down or manage
configurations. These settings also enable or prohibit most new features, such as
Remote Assistance, AutoUpdating, and Error Reporting.
User Data and Settings Management Enhancements. Administrators can
automatically configure client computers to meet specific requirements of a user's
business roles, group memberships, and location. Improvements include simplified
folder redirection and more robust roaming capabilities. These were addressed
briefly in Chapter 10.
Cross-Forest Support. Although GPOs can only be linked to sites, domains, or
organizational units (OUs) within a given forest, the cross-forest feature in
Windows Server 2003 enables several new scenarios that Group Policy supports.
Resultant Set of Policy (RSoP). The Microsoft RSoP tool is probably the most
important improvement, since it allows administrators to plan, monitor, and
troubleshoot Group Policy. These capabilities in Windows 2000 were limited;
only a GPResult.exe command-line Resource Kit utility was available. With
RSoP, administrators can plan, preview, and verify policies and their effects on a
specific computer or user. Unfortunately, RSoP is unavailable for Windows 2000
and earlier.
Using Resultant Set of Policy
Resultant Set of Policy (RSoP) is a long-awaited tool that allows system administrators to
determine which Group Policy settings are being applied to a particular user or computer
account. This tool can be used both for planning Group Policies before deploying them in
a production environment and for troubleshooting problems with specific Group Policy
settings. It implements one of the newest mechanisms for managing and troubleshooting
Group Policies, and, therefore, deserves special attention. Unfortunately, like many
improvements recently introduced by Microsoft, it is not available for Windows 2000 and
earlier versions of Windows NT, nor for other legacy operating systems.
On Windows Server 2003, RSoP can operate in two modes:
Logging mode, which displays Group Policy settings for a specific user or
computer. This mode is applicable for standalone computers running Windows
Server 2003. At the time of this writing, it also could be used on Windows XP
computers joined to Windows 2000 or Windows Server 2003 domains.
Planning mode, which allows administrators to evaluate the effect of applying
different Group Policy Objects before they are deployed.
Where does RSoP get information on the resulting Group Policies? To gather this data, it
queries the Common Infrastructure Management Object Manager (CIMOM) database
through Windows Management Instrumentation. The CIMOM database contains
information on computers' hardware, software installation settings, scripts, folder
redirection settings, security settings, and Internet Explorer maintenance settings. The
CIMOM database is refreshed with the current information each time a computer logs on
to the network.
Note The Common Infrastructure Management (CIM) model, now known as the Web-
Based Enterprise Management (WBEM) initiative, was adopted by the Distributed
Management Task Force (DMTF). This emerging standard, intended for all
computer systems, offers a common way of describing and managing systems.
Windows Management Instrumentation, which is built into Windows 2000,
Windows XP, and Windows Server 2003, is the Windows-specific implementation.
It can be used to discover information about Windows systems as well as manage
them.
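The data the RSoP snap-in displays can be read directly from that same WMI store. The following PowerShell script is an added example, not part of the original text or of any Microsoft tool; it assumes an elevated Windows PowerShell session on a machine whose computer policy has been processed at least once, and it relies on the documented RSOP_GPO, RSOP_GPLink and RSOP_SOM classes in the root\RSOP\Computer namespace. It lists the GPOs in the order they were applied, which is the same order the Precedence tab shows, and separately lists the links that were seen but not applied, together with the flags that explain why.

```powershell
# Added example (not from the book): enumerate the RSoP logging data that the
# RSoP snap-in reads, straight from the root\RSOP\Computer WMI namespace.
# Assumptions: elevated Windows PowerShell on a host where computer policy
# has been processed at least once (otherwise the namespace is empty).

function Get-RsopComputerGpoOrder {
    [CmdletBinding()]
    param(
        # Namespace holding the machine-side RSoP logging data.
        [string]$Namespace = 'root\RSOP\Computer'
    )

    # RSOP_GPO:    one instance per GPO seen during processing (applied or not).
    # RSOP_GPLink: one instance per link between a GPO and a scope of management (SOM).
    # RSOP_SOM:    the local machine, site, domain or OU the link hangs off.
    $gpos  = Get-CimInstance -Namespace $Namespace -ClassName RSOP_GPO
    $links = Get-CimInstance -Namespace $Namespace -ClassName RSOP_GPLink
    $soms  = Get-CimInstance -Namespace $Namespace -ClassName RSOP_SOM

    # Index GPOs and SOMs by 'id' so the link references can be resolved.
    $gpoById = @{}
    foreach ($g in $gpos) { $gpoById[$g.id] = $g }
    $somById = @{}
    foreach ($s in $soms) { $somById[$s.id] = $s }

    # RSOP_SOM.type documented values: 1 = local, 2 = site, 3 = domain, 4 = OU.
    $somTypeName = @{ 1 = 'Local'; 2 = 'Site'; 3 = 'Domain'; 4 = 'OU' }

    foreach ($link in $links) {
        # GPO and SOM are stored as reference strings such as RSOP_GPO.id="...";
        # pull the id out with a regex.
        $gpoId = if ($link.GPO -match 'id="([^"]*)"') { $matches[1] } else { $link.GPO }
        $somId = if ($link.SOM -match 'id="([^"]*)"') { $matches[1] } else { $link.SOM }
        $gpo = $gpoById[$gpoId]
        $som = $somById[$somId]

        [pscustomobject]@{
            # Assumption: appliedOrder 0 means the link was not applied
            # (GPO or link disabled, access denied, or WMI filter rejected it).
            AppliedOrder  = $link.appliedOrder
            LinkOrder     = $link.linkOrder
            GpoName       = if ($gpo) { $gpo.name } else { $gpoId }
            GpoEnabled    = if ($gpo) { $gpo.enabled } else { $null }
            AccessDenied  = if ($gpo) { $gpo.accessDenied } else { $null }
            FilterAllowed = if ($gpo) { $gpo.filterAllowed } else { $null }
            LinkEnabled   = $link.enabled
            Enforced      = $link.noOverride
            SomType       = if ($som) { $somTypeName[[int]$som.type] } else { $null }
            Som           = $somId
        }
    }
}

$order = @(Get-RsopComputerGpoOrder)

# Applied GPOs in processing order. Where two GPOs set the same value, the one
# with the higher AppliedOrder was written last and therefore wins.
$order | Where-Object { $_.AppliedOrder -gt 0 } |
    Sort-Object AppliedOrder |
    Format-Table AppliedOrder, GpoName, SomType, Som, Enforced, LinkEnabled -AutoSize

# Links that were evaluated but not applied, with the flags that explain why.
$order | Where-Object { $_.AppliedOrder -eq 0 } |
    Format-Table GpoName, GpoEnabled, LinkEnabled, AccessDenied, FilterAllowed, SomType -AutoSize
```

Per-user data is held in a separate namespace, root\RSOP\User\<SID>, with the dashes in the SID replaced by underscores; the same function can be pointed at it through the -Namespace parameter.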
To obtain results using RSoP:
1. Start the MMC console, then select the Add/Remove Snap-in command from the File
menu. Click the Add button on the Standalone tab, and select Resultant Set
of Policy from the list of available standalone snap-ins. Click Close, then click
OK.
Note To request RSoP, you must either be logged on to the machine as the user
whose policy you want to see, have local Administrator privileges on the
machine you are querying (membership in the local Administrators, Domain
Admins, or Enterprise Admins group is required), or have been delegated
control over RSoP.
2. After adding the Resultant Set of Policy snap-in, select Generate RSoP Data
from the Action menu. The RSoP Wizard will start. Click Next.
3. The RSoP Wizard will display the Mode Selection window (Fig. 11.9). To see Group
Policy settings applied to a specific user or computer, select the Logging mode
option and click Next. Note that logging mode might be the only mode available.
Figure 11.9: RSoP Wizard prompts you to select a mode
4. Next, the wizard will display a window prompting you to select a computer. You
can either display Group Policy settings for the local computer or click the
Browse button and select a remote system. Make your selection and click Next.
You will be prompted to select a specific user for whom you need to display
policy settings (Fig. 11.10). Select a user and click Next.
Figure 11.10: The User Selection window displayed by RSoP Wizard
5. The wizard will display the next window summarizing your selections. To change
your selections, click Back. To confirm the selected options and proceed with the
query, click Next, and RSoP will start the query. When the query completes, the
wizard will display the final window, where you need to click Finish.
6. RSoP will appear for the selected user on the selected computer (Fig. 11.11). Click
the RSoP folder to view data. Note that you can also set the order in which
policies are applied. Simply right-click on the policy element, select Properties,
then click the Precedence tab (Fig. 11.12).
Figure 11.11: RSoP query results
Figure 11.12: The Precedence tab displays the order of policy application
Note To immediately view RSoP for the current user on the local Windows Server 2003
computer, click the Start button, select the Run command, enter the rsop.msc
command into the Open field, and click OK.
A red × on the user or computer configuration level indicates an error, and you will
immediately notice that there is a Group Policy problem. To view information on
the error, right-click the marked object, select Properties, and go to the Error
Information tab.
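The condition the snap-in marks with a red × can also be checked from a script, which is useful when many machines have to be inspected. The following PowerShell script is an added example and is not part of the original text or of any Microsoft tool; it assumes an elevated Windows PowerShell session on a host where RSoP logging data exists for both the machine and the logged-on user, and it relies on the documented RSOP_ExtensionStatus class, which records the result returned by each client-side extension (Registry, Security, Folder Redirection, Scripts, and so on) during policy processing.

```powershell
# Added example (not from the book): surface the same condition the RSoP
# snap-in marks with a red x, by reading RSOP_ExtensionStatus from the
# computer namespace and from the current user's namespace through WMI.
# Assumptions: elevated Windows PowerShell; policy has been processed at
# least once for both the machine and the user being checked.

function Get-RsopExtensionErrors {
    [CmdletBinding()]
    param(
        # SID of the user whose namespace should be checked; defaults to the caller.
        [string]$UserSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )

    # Per-user RSoP data lives under root\RSOP\User\<SID>, with the dashes in
    # the SID replaced by underscores (WMI namespace names cannot contain '-').
    $userNamespace = 'root\RSOP\User\' + ($UserSid -replace '-', '_')

    $scopes = @(
        @{ Name = 'Computer'; Namespace = 'root\RSOP\Computer' },
        @{ Name = 'User';     Namespace = $userNamespace }
    )

    foreach ($scope in $scopes) {
        $query = @{ Namespace = $scope.Namespace; ClassName = 'RSOP_ExtensionStatus'; ErrorAction = 'Stop' }
        try {
            # One RSOP_ExtensionStatus instance per client-side extension that ran.
            $statuses = Get-CimInstance @query
        }
        catch {
            # A missing namespace usually means policy has never been processed
            # for this scope, or the session cannot read it. Report that rather
            # than silently treating it as "no errors".
            [pscustomobject]@{
                Scope = $scope.Name; Extension = '(namespace unavailable)'
                Error = $null; LoggingStatus = $null; Detail = $_.Exception.Message
            }
            continue
        }

        foreach ($s in $statuses) {
            # 'error' is the Win32 error code the extension returned; 0 is success.
            $code = [uint32]$s.error
            if ($code -ne 0) {
                # Translate the code to text, as the Error Information tab does;
                # codes outside the Int32 range are shown in hex instead.
                $detail = if ($code -le [int]::MaxValue) {
                    (New-Object System.ComponentModel.Win32Exception([int]$code)).Message
                } else {
                    '0x{0:X8}' -f $code
                }
                [pscustomobject]@{
                    Scope         = $scope.Name
                    Extension     = $s.displayName
                    Error         = $code
                    LoggingStatus = $s.loggingStatus
                    Detail        = $detail
                }
            }
        }
    }
}

$problems = @(Get-RsopExtensionErrors)
if ($problems.Count -eq 0) {
    'No client-side extension reported an error in the computer or user RSoP data.'
} else {
    $problems | Format-Table Scope, Extension, Error, Detail -AutoSize
}
```

Run against a remote machine, the same query can be issued with Get-CimInstance's -ComputerName parameter, subject to the same rights the snap-in requires: local Administrators on the target, or delegated RSoP rights.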
How Group Policy Administrative Templates Affect the Registry