Share via


How Resultant Set of Policy Works

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

How Resultant Set of Policy Works

In this section

  • Resultant Set of Policy Snap-in Architecture

  • Related Topics

Administrators can use the Resultant Set of Policy (RSoP) snap-in for two purposes: to predict the cumulative effect of Group Policy objects (GPOs), or to determine the actual result of Group Policy settings on a particular computer, user, or user on a computer.

Although administrators can use the RSoP snap-in for reporting and planning the effects of Group Policy, much of its functionality has been subsumed into Group Policy Management Console (GPMC), which provides a much better experience for the network administrator.

In an ideal environment, administrators are encouraged to use the GPMC features for simulating Group Policy or determining the effect of Group Policy on a particular user or computer.

Resultant Set of Policy Snap-in Architecture

The RSoP snap-in is one of three administrative tools used to manage Group Policy. The following diagram shows all three of the tools, as well as the domain controller and a client computer. In addition, the diagram describes the different communication protocols being used by each tool (LDAP, SMB, RPC/COM); the interactions between RSoP, the domain controller, and the client; and whether those interactions are READ or READ/WRITE.

Resultant Set of Policy Snap-in Architectural Diagram

Resultant Set of Policy Snap-in Architecture

Component Description of Resultant Set of Policy Snap-in Architectural Diagram

Component Description

Resultant Set of Policy snap-in

The RSoP snap-in is an MMC used to determine which policy settings are in effect for a given computer, user, or user on a computer, or to predict the effect of applied policy.

The RSoP snap-in itself is contained within the same binary as the Group Policy Object Editor. Thus, the user interface is a read-only view of the same information available in Group Policy Object Editor. However, there is one important difference: while Group Policy Object Editor can show all settings from a single GPO at a time, the RSoP snap-in can show the cumulative effect of many GPOs.

For RSoP snap-in functionality, administrators can use GPMC, which includes its own integrated RSoP infrastructure reporting features.

RSoP snap-in is capable of read access to the Active Directory, Sysvol, Event Log, RSoP infrastructure, and Local GPO on the target computer. Although RSoP is capable of read-only access to the Active Directory and Sysvol, most of the work of predicting or reporting Group Policy is done using RPC/COM communication with the RSoP provider, either on the client or the domain controller.

Domain Controller (Server)

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. GPOs are stored in two parts of domain controllers: The Active Directory database (sometimes called Group Policy Container) and the Sysvol (known as the Group Policy template).

Active Directory

Active Directory, the Windows-based directory service, stores information about objects on a network and makes this information available to users and network administrators. Administrators link GPOs to Active Directory containers such as sites, domain, and OUs that include user and computer objects. In this way, policy settings can be targeted to users and computers throughout the organization.

Sysvol

Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the largest part of a GPO: the Group Policy template, which includes Administrative Template-based policy settings, security settings, script files, and information regarding applications that are available for software installation. File Replication Service (FRS) replicates this information throughout the network.

LDAP Protocol

LDAP (Lightweight Directory Access Protocol) is the protocol used by the Active Directory directory service. RSoP snap-in uses LDAP for authentication and delegation checks. The client also uses LDAP to read the directory store on the domain controller.

SMB Protocol

SMB (Server Message Block) protocol is the primary method of file and print sharing. SMB can also be used for abstractions such as named pipes and mail slots. RSoP snap-in and the client use SMB to access the Sysvol on the domain controller.

RPC/COM

RPC (Remote Procedure Call), DCOM (Distributed Component Object Model) and COM (Component Object Model) enable data exchange between different processes. The different process can be on the same computer, on the local area network, or across the Internet.

COM and RPC are used by the RSoP snap-in for communication with the RSoP provider on the client or domain controller.

WMI

WMI is a management infrastructure that supports the monitoring and controlling of system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status.

WMI makes available data about a target computer for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data. WMI Filtering in Windows Server 2003 allows you to create queries based on this data. These queries (also called WMI filters) determine which users and computers receive all of the policy configured in the GPO where you create the filter.

RSoP infrastructure

All Group Policy processing information is collected and stored in a namespace in WMI. This information, such as the list, content and logging of processing details for each GPO, can then be accessed by tools using WMI.

In logging mode, RSoP snap-in queries the database on the target computer, receives information about the policies and displays it in the RSoP snap-in.

In planning mode, RSoP snap-in simulates the application of policy using the Resultant Set of Policy Provider on a Domain Controller. This simulates the application of GPOs and passes them to Group Policy client-side extensions on the Domain Controller. The results of this simulation are stored to a local WMI database on the domain controller before the information is passed back and displayed in the RSoP snap-in.

Event Log

The Event log is a service that records events in various logs. The RSoP snap-in reads the Event Log on client computers and domain controllers in order to provide information about error events.

Local Group Policy object

The local Group Policy object (local GPO) is stored on each individual computer, in the hidden %systemroot%\System32\GroupPolicy directory. Each computer running Windows 2000, Windows XP Professional, Windows XP 64-Bit Edition, or Windows Server 2003 has exactly one local GPO, regardless of whether the computers are part of an Active Directory environment.

Local GPOs do not support certain extensions, such as Folder Redirection or Group Policy Software Installation. Local GPOs do support many security settings, but the Security Settings extension of the Group Policy Object Editor does not support remote management of local GPOs. Local GPOs are always processed, but can be overridden by domain policy in an Active Directory environment, because GPOs linked to Active Directory containers have precedence.