Share via


RSoP overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

RSoP overview

Resultant Set of Policy (RSoP) is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then reports the results of those queries. It polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (otherwise known as CIM-compliant object repository) through Windows Management Instrumentation (WMI).

RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.

When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their precedence (the order in which policies are applied).

RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and user that is currently logged on.

The Resultant Set of Policy Wizard helps you create an RSoP query. You can open the wizard from Microsoft Management Console (MMC), Active Directory Users and Computers, or Active Directory Sites and Services. You must run the wizard at least once to create an RSoP query. When complete, the wizard displays the query results in the RSoP snap-in in MMC. From here, you can save, change, and refresh your queries. You can create many RSoP queries by adding multiple Resultant Set of Policy snap-ins to MMC, one RSoP snap-in per query.

RSoP and the CIMOM database

RSoP uses the CIMOM database through WMI. When a computer logs on to a network, information such as the computer hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, Scripts, Folder Redirection settings, and Security Settings, is written to the CIMOM database. When you start RSoP in logging mode, RSoP reports policy settings that have been applied from information provided in the CIMOM database.

RSoP, Active Directory, and policy precedence

Unlike the CIMOM database, Active Directory® directory services stores objects regardless of the state of a computer or user. Group Policy uses Group Policy objects (GPOs) in Active Directory to store policy settings. With Group Policy, administrators can:

  • Deploy registry keys (Administrative Templates)

  • Deploy software (Group Policy Software Installation)

  • Deploy security: Safer, IPSec (Security Settings)

  • Deploy scripts: logon, logoff, startup, shutdown (Scripts)

  • Configure the browser (Internet Explorer Maintenance)

After you define a policy setting for an object, it is applied the next time that object logs on. When an object logs on to a network, the policy settings are applied in the following order:

  • Local policy

  • Site-level policy

  • Domain-level policy

  • Domain controller policy (if the domain controller is left in the domain controller container)

  • Organizational unit policy

When a Group Policy object overwrites the settings of a different GPO that was applied previously, the new GPO has precedence over the GPO that it has overwritten. When a Group Policy object has a no overwrite attribute, it has precedence over all of the policies that are applied subsequently. RSoP can simulate and test the application of policy settings and precedence to Group Policy objects in Active Directory.

RSoP and Group Policy Software Installation

A significant part of Group Policy are the software settings extensions, which monitor Group Policy Software Installation. In an RSoP report, RSoP displays which applications are available for any given user or computer, as well as any software setting changes that are advertised or applied. By identifying all of the software that is available for a given user, as well as updates and configuration changes, RSoP makes deployment scenario planning and implementation easier.

RSoP and security issues

RSoP provides the following features that you can use to determine which comprehensive security policy meets your needs:

  • Provides security templates for creating and assigning security settings for one or more computers. A security template is a file representation of a security setting configuration. It can be applied to a local computer or it can be imported to a Group Policy object in Active Directory. When you import a security template to a Group Policy object, Group Policy processes the security template and makes the corresponding changes to the members of that Group Policy object, which can be users or computers. RSoP verifies those changes. By polling the system and displaying the resultant policy, RSoP indicates a misapplied or overwritten policy setting and the policy setting's precedence, which enables you to fix a security breach.

  • RSoP reports the scope of a Group Policy object according to security group membership. RSoP does this through Group Policy filtering.

  • Processes and displays the resulting policy for any computer or user. Through individual security settings, Administrators can define a security policy in Active Directory that contains specific security settings for nearly all security areas. Security settings in a local Group Policy object can also establish a security policy on a local computer. When there are conflicts, security settings that are defined in Active Directory always override any security settings that are defined locally.