Resultant Set of Policy Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Resultant Set of Policy Tools and Settings
In this section
Resultant Set of Policy Tools
Resultant Set of Policy Group Policy Settings
Resultant Set of Policy WMI Classes
Related Information
This section describes the tools and settings that are associated with Resultant Set of Policy (RSoP), a Microsoft Management Console (MMC) snap-in that administrators use to report and plan cumulative effects of Group Policy.
Resultant Set of Policy Tools
The following tools are associated with Resultant Set of Policy.
RSoP Extension
Category
The Resultant Set of Policy (RSoP) extension is an MMC snap-in included in the same binary as the Group Policy Object Editor (gpedit.dll). The RSoP extension consists of a planning mode service, and a logging mode service. These two services correspond to the Group Policy Modeling and Group Policy Results nodes, respectively, in Group Policy Management Console (GPMC).
Version compatibility
The RSoP feature, which consists of two services, requires a Windows Server 2003 domain controller for the planning mode, but requires only a Windows Server 2003 schema for remote logging delegation. A Windows Management Instrumentation (WMI) namespace, Web Based Enterprise Management (WBEM), on which each computer policy has processed, is required for logging mode. This namespace is present in Windows XP and later.
The RSoP snap-in displays RSoP data provided by one or both of its two services, depending on domain controller operating system and forest schema. The RSoP snap-in requires Windows XP or later. RSoP logging is always processed on the targeted client computer. For remote logging, the RSoP data is generated on the remote computer and displayed on the client computer running the RSoP snap-in.
For more information about Resultant Set of Policy, see the What Is Resultant Set of Policy? topic in this collection.
Gpresult.exe: Group Policy Results
Category
This command line tool displays RSoP for a user or computer. You can use gpresult to see what policy is in effect and to troubleshoot problems on computers running Windows XP and later.
Version compatibility
The gpresult.exe that ships with Windows XP and Windows Server 2003 family is completely different than the original version of gpresult.exe that shipped in the Windows 2000 Resource Kit. The newer version cannot be used to view policy information for computers running Windows 2000.
For more information about Group Policy Tools and Settings, see the Core Group Policy Tools and Settings topic in this collection.
Resultant Set of Policy Group Policy Settings
This section describes Resultant Set of Policy specific settings. Using these settings, the administrator can determine which MMC snap-ins and RSoP services are permitted for the GPO. For a complete reference of these settings, see Group Policy Settings Reference for Windows Server 2003.
Group Policy Settings Associated with RSoP
| Group Policy Setting | Description |
|---|---|
Resultant Set of Policy Provider (Computer Configuration/Windows Settings/Security Settings/System Services) |
This setting controls enabling/disabling the RSoP service. |
Turn off RSoP logging (Computer Configuration/Administrative Templates/System/Group Policy) |
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. |
Disallow Interactive Users from generating RSoP data (Computer and User Configuration/Administrative Templates/System/Group Policy) |
This setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. If this setting is enabled, interactive users cannot generate RSoP data. If this setting is not configured or disabled, interactive Users can generate RSoP. |
Resultant Set of Policy snap-in (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Administrative Templates (Computers) (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Administrative Templates (Users) (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Folder Redirection (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Internet Explorer Maintenance (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Scripts (Logon/Logoff) (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Scripts (Startup/Shutdown) (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Security Settings (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Software Installation (Computers) (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
Software Installation (Users) (User Configuration/Administrative Templates/Windows Components/MMC/Restricted/Permitted snap-ins/Group Policy/RSoP snap-in extensions) |
This setting permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the “Restrict users to the explicitly permitted list of snap-ins” setting determines whether this snap-in is permitted or prohibited. |
For more information about Group Policy settings, see the Group Policy Settings Reference for Windows Server 2003.
Resultant Set of Policy WMI Classes
There are two categories of WMI namespaces: computer and user. Each user has its own RSoP namespace based on the user’s Security Identifier (SID). Administrators can automate RSoP using scripting and WMI classes. The following table lists the WMI classes associated with RSoP.
RSoP WMI Classes
| Class Name | Namespaces | Version Compatibility |
|---|---|---|
RsopLoggingModeProvider |
ROOT\RSOP |
Windows XP Windows Server 2003 |
RsopPlanningModeProvider |
ROOT\RSOP |
Windows XP Windows Server 2003 (Windows Server 2003 Domain Controller Required) |
In addition, administrators can automate RSoP using the IGPMRSOP interface included with GPMC interfaces. The IGPMRSOP interface provides methods that support making RSoP queries in both logging and planning mode.
Related Information
The following resources contain additional information that is relevant to this section.
Registry Reference for Windows Server 2003.
Group Policy Settings Reference for Windows Server 2003.
MSDN.