In Lesson 2, you learned that a user or computer can be within the scope of multiple GPOs.
Group Policy inheritance, filters, and exceptions are complex, and it’s often difficult to determine just which policy settings will apply.
Resultant Set Of Policy (RSOP) is the net effect of GPOs applied to a user or computer, taking into account GPO links, exceptions such as Enforced and Block Inheritance, and the application of security and WMI filters.
RSOP is also a collection of tools that help you evaluate, model, and troubleshoot the application of Group Policy settings. RSOP can query a local or remote computer and report
back the exact settings that were applied to the computer and to any user who has logged on
to the computer. RSOP can also model the policy settings that are anticipated to be applied
to a user or computer under a variety of scenarios, including moving the object between OUs
or sites or changing the object’s group membership. With these capabilities, RSOP can help
you manage and troubleshoot conflicting policies.
Windows Server 2008 R2 provides the following tools for performing RSOP analysis:
– The Group Policy Results Wizard
– The Group Policy Modeling Wizard
Generating RSOP Reports with the Group Policy Results Wizard
To help you analyze the cumulative effect of GPOs and policy settings on a user or computer
in your organization, Group Policy Management includes the Group Policy Results Wizard.
If you want to understand exactly which policy settings have applied to a user or computer,
and why, the Group Policy Results Wizard is the tool to use.
The Group Policy Results Wizard reaches into the WMI provider on a local or remote
computer. The WMI provider can report everything there is to know about the way Group
Policy was applied to the system. It knows when processing occurred, which GPOs were applied, which GPOs were not applied and why, errors that were encountered, and the exact
policy settings that took precedence and their source GPOs.
There are several requirements for running the Group Policy Results Wizard:
– You must have administrative credentials on the target computer.
– The target computer must be running Windows XP or later. The Group Policy Results
Wizard cannot access Windows 2000 systems.
– You must be able to access WMI on the target computer. That means that it must be
powered on, connected to the network, and accessible through ports 135 and 445.
Note: Enable remote administration of client computers
Performing RSOP analysis by using the Group Policy Results Wizard is just one example
of remote administration. Windows includes a firewall that prevents unsolicited inbound connections, even from members of the Administrators group. To perform remote administration, you might need to configure inbound rules for the firewall used by your clients and servers.
Group Policy provides a simple way to enable remote administration. In the Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile folder, there is a policy setting named Windows Firewall: Allow Inbound Remote Administration Exception. When you enable this policy setting, you can specify the IP addresses or subnets from which inbound remote administration packets will be accepted. As with all policy settings, review the explanatory text in the Help box and test the effect of the policy in a lab environment before deploying it in production.
– The WMI service must be started on the target computer.
– If you want to analyze RSOP for a user, that user must have logged on at least once to the computer. It is not necessary for the user to be currently logged on.
After you have ensured that the requirements are met, you are ready to run an RSOP analysis. To run an RSOP report, right-click Group Policy Results in the GPMC console tree,
and then click Group Policy Results Wizard.
The wizard prompts you to select a computer. It then connects to the WMI provider on
that computer and provides a list of users who have logged on to it. You can then select one
of the users or opt to skip RSOP analysis for user configuration policies.
The wizard produces a detailed RSOP report in a dynamic HTML format. If Internet Explorer Enhanced Security Configuration (IE ESC) is enabled, you are prompted to allow the console to display the dynamic content. You can expand or collapse each section of the report by clicking the Show or Hide link or by double-clicking the heading of the section. The report is displayed on three tabs:
– Summary The Summary tab displays the status of Group Policy processing at the last refresh. You can identify information that was collected about the system, the GPOs that were applied and denied, security group membership that might have affected GPOs filtered with security groups, WMI filters that were analyzed, and the status of CSEs.
– Settings The Settings tab displays the resultant set of policy settings applied to the computer or user. This tab shows you exactly what has happened to the user through the effects of your Group Policy implementation. A tremendous amount of information can be gleaned from the Settings tab, but some data isn’t reported, such as IPSec, wireless, and disk quota policy settings.
– Policy Events The Policy Events tab displays Group Policy events from the event logs
of the target computer.
After you have generated an RSOP report with the Group Policy Results Wizard, you can
right-click the report to rerun the query, print the report, or save the report as either an XML
file or an HTML file that maintains the dynamic expanding and collapsing sections. Either file
type can be opened with Internet Explorer, so the RSOP report is portable outside the GPMC.
If you right-click the node of the report itself underneath the Group Policy Results folder
in the console tree, you can switch to Advanced View. In Advanced View, RSOP is displayed
using the RSOP snap-in, which exposes all applied settings, including IPSec, wireless, and disk
Generating RSOP Reports with Gpresult.exe
The Gpresult.exe command is the command-line version of the Group Policy Results Wizard.
GPResult accesses the same WMI provider as the wizard, produces the same information,
and, in fact, enables you to create the same graphical reports. GPResult is available on
computers running Windows XP or later versions of Windows. Windows 2000 includes
a Gpresult.exe command, which produces a limited report of Group Policy processing but is
not as sophisticated as the command included in later versions of Windows.
When you run the GPResult command, you are likely to use the following options:
– /s computername Specifies the name or IP address of a remote system. If you use
a dot (.) as the computer name, or do not include the /s option, the RSOP analysis is
performed on the local computer.
– /scope [user | computer] Displays RSOP analysis for user or computer settings. If you
omit the /scope option, RSOP analysis includes both user and computer settings.
– /user username Specifies the name of the user for which RSOP data is displayed.
– /r Displays a summary of RSOP data.
– /v Displays verbose RSOP data, which presents the most meaningful information.
– /z Displays super-verbose data, including the details of all policy settings applied to the system. Often, this is more information than you require for typical Group Policy troubleshooting.
– /u domain\user /p password Provides credentials that are in the Administrators group
of a remote system. Without these credentials, GPResult runs using the credentials
with which you are logged on.
– [/x | /h] filename Saves the reports in XML or HTML format, respectively.
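The following Windows PowerShell script is an added example, not part of the original lesson. It checks the requirements listed earlier (ports 135 and 445 reachable, WMI service started) before running GPResult with the /s, /scope, and /h options against each target. The computer names, the output folder, and the Test-TcpPort helper are assumptions made for illustration.

```powershell
# Added example: pre-flight checks, then one computer-scope RSOP report per target.
# Computer names and the output folder are constructed placeholders.
$Computers = @('DESKTOP101', 'SERVER01')   # hypothetical targets
$OutDir    = 'C:\RSOPReports'              # hypothetical report folder

# Hypothetical helper: returns $true if a TCP connection succeeds within the timeout.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

foreach ($c in $Computers) {
    # Requirement: WMI on the target must be accessible through ports 135 and 445.
    $blocked = @(135, 445) | Where-Object { -not (Test-TcpPort -ComputerName $c -Port $_) }
    if ($blocked) {
        Write-Warning "$c : port(s) $($blocked -join ', ') unreachable; check power, network, and the inbound firewall rule"
        continue
    }
    # Requirement: the WMI service (Winmgmt) must be started on the target.
    $svc = Get-Service -Name Winmgmt -ComputerName $c -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') {
        Write-Warning "$c : WMI service is not running or could not be queried"
        continue
    }
    $report = Join-Path $OutDir "$c-computer.html"
    # Remove a stale report first so the existence check below reflects this run.
    if (Test-Path $report) { Remove-Item $report }
    # /scope computer avoids the requirement that a user has logged on to the target.
    # /u and /p are omitted: GPResult runs with the credentials you are logged on with,
    # so no password appears on the command line or in process-creation logs.
    & gpresult.exe /s $c /scope computer /h $report
    if (-not (Test-Path $report)) { Write-Warning "$c : no report was produced" }
}
```

The script relies on Get-Service -ComputerName, which is available in Windows PowerShell (including the version shipped with Windows Server 2008 R2). Run it from an account that has administrative credentials on each target, as the requirements above specify.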