What Is Resultant Set of Policy?
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
What Is Resultant Set of Policy?
In this section
Resultant Set of Policy Snap-in Core Scenarios
Similar Technologies for Viewing Resultant Set of Policy Data
Resultant Set of Policy Snap-in Dependencies
One challenge of Group Policy administration is to understand the cumulative effect of a number of Group Policy objects (GPOs) on any given computer or user, or how changes to Group Policy, such as reordering the precedence of GPOs or moving a computer or user to a different organizational unit (OU) in the directory, might affect the network. The Resultant Set of Policy (RSoP) snap-in offers administrators one solution. Administrators use the RSoP snap-in to see how multiple Group Policy objects affect various combinations of users and computers, or to predict the effect of Group Policy settings on the network.
Resultant Set of Policy Snap-in Core Scenarios
There are two core scenarios for the Resultant Set of Policy (RSoP) snap-in: reporting the effect of policy on various combinations of users and computers, and predicting the affect of policy. The reporting functionality of RSoP snap-in is known as logging mode. The predictive functionality is known as planning mode. Both of these scenarios are described in detail in the following respective sections.
Whether in logging or planning mode, an administrator typically accesses the RSoP snap-in by opening an empty Microsoft Management Console (MMC), adding the RSoP snap-in to the console, and then using the Resultant Set of Policy Wizard to collect data from various computers on the network for either logging or planning mode.
Logging Mode
An administrator uses logging mode to report on the current state of Group Policy settings. The scope of reports can include Group Policy settings for various targets, including a computer, a user, or both. The administrator selects combinations of targets in the Resultant Set of Policy Wizard.
When the administrator finishes with the wizard, the RSoP snap-in queries the Windows Management Instrumentation (WMI) repository on the client computer for information about the Group Policy settings for the targets. RSoP snap-in displays these settings.
Logging mode in the RSoP snap-in is useful for troubleshooting Group Policy. The RSoP snap-in lists each policy setting, and from which GPO the displayed setting came. GPO precedence is also available, as is any error information that was logged by either the Group Policy engine or any of the Group Policy client side extensions. Using this information, an administrator can determine which GPOs are applying a Group Policy setting and which GPOs are not.
In addition to using an empty MMC to access RSoP snap-in, there is another scenario an administrator is just as likely to use for troubleshooting Group Policy settings. An administrator can run RSOP.msc from the command prompt on a client computer to report on the current computer with the current user logged on. In this manner, the administrator avoids having to select targets in the Resultant Set of Policy Wizard.
Planning Mode
An administrator uses planning mode to perform “what if” scenarios with Group Policy. Like logging mode, the end result is a report of Group Policy settings. However, unlike logging mode, this report contains simulated data.
The administrator uses RSoP snap-in and a Windows Server 2003 domain controller. First, the administrator must use the Resultant Set of Policy Wizard to define the scope of the report. This is done by selecting various targets. In planning mode these targets must include both user information and computer information; however, the administrator can select either a particular user or computer or an Active Directory container for users or computers.
After specifying the scope of the plan, the administrator uses the wizard to specify a simulated Group Policy settings environment. Because these Group Policy environment settings are simulated, an actual client computer might behave differently in live tests. It is not possible for a domain controller to accurately determine how a particular client computer will actually behave.
The following simulated environment settings are available:
A slow network connection
Loopback processing (merge mode and replace mode)
Site-based policy implementation
Security group memberships for the user, the computer, or both
WMI Filters that are linked to the user, the computer, or both
The administrator can elect to simulate any, all, or none of the environment variables. Whatever the choices, when the wizard finishes, the RSoP snap-in requests a simulation of policy from the domain controller. The domain controller uses Resultant Set of Policy Provider to simulate the application of GPOs. This service passes the GPO settings to virtual client-side extensions on the domain controller. The results of the simulation are stored in the WMI repository on the domain controller before the information is passed back to the RSoP snap-in for analysis. It is important to remember that the results displayed in the RSoP snap-in are not actual Group Policy settings, but simulated Group Policy based on the settings created using the wizard. If a custom client side extension exists on a client but does not exist on the domain controller, then any Group Policy settings this custom client side extension might create would not appear in the simulation results.
Planning mode in the RSoP snap-in is useful for planning Group Policy. The RSoP snap-in lists each GPO from which the displayed setting came as well as any other lower priority GPOs that attempted to configure settings. Using this information, an administrator can determine which GPOs are applying a policy setting and which GPOs are not.
Similar Technologies for Viewing Resultant Set of Policy Data
Although administrators can use the RSoP snap-in for reporting and planning the effects of Group Policy, much of its functionality has been subsumed into Group Policy Management Console (GPMC), which provides a much better experience for the network administrator.
The following table gives the equivalent names of GPMC and RSoP snap-in features that utilize the RSoP infrastructure.
Equivalent Names and Descriptions of GPMC and RSoP Snap-in Features
GPMC feature | RSoP snap-in feature | Description |
---|---|---|
Group Policy Results |
Logging Mode |
Reports the effect of policy on a computer or user |
Group Policy Modeling |
Planning Mode |
Predicts the affect of policy on the network |
Although GPMC provides functionality that subsumes most of the reporting features of RSoP snap-in, there is some Group Policy information that can only be reported on using RSoP snap-in. For example, RSoP snap-in lists each GPO from which the displayed setting came as well as any other lower priority GPOs that attempted to configure settings. Using this information, an administrator can determine which GPOs are applying a policy setting and which GPOs are not. In these cases, an administrator can use GPMC to open the RSoP snap-in by electing to view advanced information about a Group Policy Results or Group Policy Modeling report.
Resultant Set of Policy Snap-in Dependencies
Resultant Set of Policy snap-in has the following dependencies.
Resultant Set of Policy snap-in is an MMC console; as such, it requires MMC infrastructure to function.
Resultant Set of Policy infrastructure was introduced in Windows XP. Therefore, you cannot run gather RSoP data for a computer running Windows 2000 or lower.
To run RSoP on a remote computer, you must be logged on as a member of the local Administrators group, or be delegated Generate Resultant Set of Policy (logging) rights for logging mode, or Generate Resultant Set of Policy (planning) rights for planning mode.
To run RSoP planning mode, you must have a Windows Server 2003 domain controller.
For planning mode involving security group membership, the administrator needs access to see membership of security groups.