Using Resultant Set of Policy to view IPSec policy assignments
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Resultant Set of Policy (RSoP) is an addition to Group Policy that you can use to view IPSec policy assignments for a computer or for members of a Group Policy container. This information can help you troubleshoot policy precedence issues and plan your deployment.
To view IPSec policy assignments in RSoP, you must first open the RSoP MMC console, and then run a query. RSoP provides two types of queries: logging mode queries (for viewing IPSec policy assignments for a computer) and planning mode queries (for viewing IPSec policy assignments for members of a Group Policy container).
Logging mode queries
You can run an RSoP logging mode query to view all of the IPSec policies that are assigned to an IPSec client. The query results display the precedence of each IPSec policy assignment, so that you can quickly determine which IPSec policies are assigned but are not being applied and which IPSec policy is being applied. The RSoP console also displays detailed settings (that is, the filter rules, filter actions, authentication methods, tunnel endpoints, and connection type) for the IPSec policy that is being applied.
When you run a logging mode query, RSoP retrieves policy information from the Windows Management Instrumentation (WMI) repository on the target computer, and then displays this information in the RSoP console. In this way, RSoP provides a view of the policy settings that are being applied to a computer at a given time.
For information about how to run RSoP logging mode queries for IPSec policies, see Use RSoP to view IPSec policy assignments for a computer. For general information about RSoP logging mode queries, see RSoP logging mode. For general information about RSoP, see RSoP overview.
Planning mode queries
You can run an RSoP planning mode query to view all of the IPSec policies that are assigned to members of a Group Policy container. For example, a planning mode query can be useful if you are planning a company reorganization and you want to move computers from one organizational unit to a new organizational unit. By supplying the appropriate information and then running a planning mode query, you can determine which IPSec policies are assigned but are not being applied to the new organizational unit and which IPSec policy is being applied. In this way, you can identify which policy would be applied if you were to move the computers to the new organizational unit. As with logging mode queries, when you run a planning mode query, the RSoP console displays detailed policy settings for the IPSec policy that is being applied.
When you run a planning mode query, RSoP retrieves the names of the target user, computer, and domain controller from the WMI repository on the domain controller. WMI then uses the Group Policy Data Access Service (GPDAS) to create the policy settings that would be applied to the target computer, based on the RSoP query settings that you entered. RSoP reads the policy settings from the WMI repository on the domain controller, and then displays this information in the RSoP console user interface.
For information about how to run RSoP planning mode queries for IPSec policies, see Use RSoP to view IPSec policy assignments for members of a Group Policy container. For general information about RSoP planning mode queries, see RSoP planning mode.
You can run an RSoP planning mode query only on a domain controller (when you run a planning mode query, you must explicitly specify the domain controller name). However, you can specify any IPSec client as the target for the query, provided you have the appropriate permissions to do so.
Assigning and processing IPSec policy in Group Policy
IPSec policies can be assigned from and stored in Active Directory, as part of Group Policy, or they can be assigned and stored locally, on a computer. When a computer is joined to an Active Directory domain, the domain-level IPSec policy applies. If a computer is not joined to an Active Directory domain, the local IPSec policy applies.
Group Policy settings are contained in Group Policy objects, which are linked with specific Active Directory objects (sites, domains, and organizational units). When an IPSec policy is assigned to a Group Policy object for an Active Directory object (such as an organizational unit), that IPSec policy is propagated to any computer accounts that are affected by the Group Policy object.
Multiple Group Policy objects, each of which can contain an IPSec policy, can be assigned to a computer account. When multiple IPSec policies are assigned, the last policy that is processed is the policy that is applied (that is, the last policy takes the highest precedence and overrides the settings of any IPSec policy assignments that were processed earlier).
Policy precedence is based on the Group Policy inheritance model. The policy used is the policy assigned at the lowest level of the domain hierarchy for the domain container of which the computer is a member. For example, if there are IPSec policies that are configured for both the domain and for an organizational unit within the domain, the computers that are members of the domain use the domain IPSec policies. The computers that are members of the organizational unit within the domain use the organizational unit IPSec policies. If there are multiple organizational units, members of each organizational unit use the IPSec policy assigned to the organizational unit that is closest in level to their container in the Active Directory hierarchy. If no IPSec policies are configured for Active Directory, or if a computer is not connected to an Active Directory domain, the local IPSec policy is used.
IPSec policy information displayed in the RSoP console
The RSoP console simplifies the task of determining which IPSec policy is being applied by displaying the following information for each Group Policy object that contains an IPSec policy assignment: the name of the IPSec policy, the name of the Group Policy object that the IPSec policy is assigned to, the IPSec policy precedence (the lower the number, the higher the precedence), and the name of the site, domain, and organizational unit to which the Group Policy object containing the IPSec policy applies (that is, the scope of management for the Group Policy object).
For information about policy precedence and IPSec policy behavior in an Active Directory environment, see the section "Active Directory-based policy" in Creating, modifying, and assigning IPSec policies. For general information about Group Policy, see Group Policy overview.
The settings of the IPSec policy with the highest precedence apply in their entirety; they are not merged with the settings of IPSec policies that are applied at higher levels of the Active Directory hierarchy.
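As an added worked example (not part of this article and not Microsoft's tooling), the following Python models the precedence rules described above: Group Policy objects with IPSec assignments processed in site, domain, OU, child-OU order, the RSoP numbering in which precedence 1 is the policy actually applied, the fallback to local policy, and the rule that the winning policy applies in its entirety without merging. The GPO names, OU paths and rule labels are constructed sample data; the three policy names are the default IPSec policies that ship with Windows Server 2003.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Assignment:
    """One GPO carrying an IPSec policy assignment (constructed sample data)."""
    gpo: str                # name of the Group Policy object
    som: str                # scope of management: site, domain or OU the GPO is linked to
    policy: str             # name of the IPSec policy assigned in that GPO
    rules: Tuple[str, ...]  # stand-in for the policy's filter rules and actions


def resolve_ipsec_policy(domain_joined: bool, local: Assignment,
                         chain: List[Assignment]) -> Tuple[Assignment, List[dict]]:
    """Model of the precedence rules in the article (not Microsoft's code).

    'chain' lists GPOs with IPSec assignments in Group Policy processing order:
    site, domain, OU, child OU, ...  The last one processed wins and is shown
    in RSoP as precedence 1; earlier ones get 2, 3, ... and are listed as
    assigned but not applied.  With no AD-based assignment, or when the computer
    is not domain-joined, the local policy applies.  Returns the applied
    assignment and the rows RSoP would display, ordered by precedence.
    """
    if not domain_joined or not chain:
        return local, []
    rows = []
    for precedence, a in enumerate(reversed(chain), start=1):
        rows.append({"policy": a.policy, "gpo": a.gpo, "som": a.som,
                     "precedence": precedence, "applied": precedence == 1})
    return chain[-1], rows


def effective_rules(applied: Assignment) -> Tuple[str, ...]:
    """The winning policy applies whole; nothing is merged in from policies
    assigned higher up the Active Directory hierarchy."""
    return applied.rules


# Constructed sample: a web server in OU=Web under OU=Servers in one domain.
LOCAL = Assignment("Local Computer Policy", "local",
                   "Client (Respond Only)", ("respond-only",))
CHAIN = [
    Assignment("Default Domain Policy", "DC=corp,DC=example",
               "Client (Respond Only)", ("respond-only",)),
    Assignment("Servers Baseline", "OU=Servers,DC=corp,DC=example",
               "Server (Request Security)", ("request-security", "permit-icmp")),
    Assignment("Web Tier Lockdown", "OU=Web,OU=Servers,DC=corp,DC=example",
               "Secure Server (Require Security)", ("require-security",)),
]

if __name__ == "__main__":
    applied, rows = resolve_ipsec_policy(True, LOCAL, CHAIN)
    for r in rows:  # same columns RSoP shows: precedence, policy, GPO, scope
        print(r["precedence"], r["policy"], "<-", r["gpo"], "@", r["som"],
              "(applied)" if r["applied"] else "")
    print("effective rules:", effective_rules(applied))
```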