With the release of Windows Server 2003 less than a couple of months away, enterprises and system administrators that have not already done so will be starting to take a good hard look at what this new operating system has to offer. While the bulk of the core operating system, services, and features are fundamentally similar to those in Windows 2000, a number of new and potentially very useful enhancements have been included that will help make the lives of system administrators easier.
With the release of Windows Server 2003 on the horizon, enterprises and systems administrators are starting to examine what this new operating system has to offer. This article concentrates on the Resultant Set of Policy Tool, a new tool that specifically deals with ‘results’ with respect to group policy settings.
The purpose of this article is not to provide an overview of all the new features of Windows Server 2003, but rather to concentrate on one important new tool that specifically deals with “results,” in this case with respect to group policy settings. A follow-up article will cover a new feature that enables the cumulative permissions that apply to users, groups, and computers to be easily obtained.
The new tool covered in this article is known as Resultant Set of Policy (RSoP). RSoP is an administrative tool provided as an MMC snap-in that enables an administrator to easily gauge the cumulative group policy settings that apply to a user or computer. In Windows 2000, group policy settings in a domain environment are usually set at three different levels — namely sites, domains, and OUs. While this model provides a great deal of flexibility, it can also make understanding the actual settings that apply to a user or computer difficult to discern.
For example, the first major issue is the order of group policy processing — site GPOs, followed by domain GPOs, followed by OU GPOs. At any given level, multiple policies may apply, in different orders according to the manner in which they are ordered for a particular container. To confuse things further, certain policies can be blocked or set to not override, which impacts whether the policy settings can be changed or overwritten at a lower level, or whether they should be processed at all.
Going a step further, GPOs can also be filtered through the use of permissions, allowing group policy settings to be applied to users or computers within a container or not, according to the specific needs or requirements. When all is said and done, determining the actual settings that will ultimately apply to a user or computer can be at best difficult, if not impossible, especially in large environments.
To help circumvent this issue, Microsoft provided a utility in the Windows 2000 resource kit known as gpresult.exe. Essentially, this command-line utility was used to discern the exact policy settings that would apply to a user or computer once group policy processing is complete. Unfortunately, the long, text-based output of the tool made it difficult to grasp exact settings, and as another tool buried on the resource kit, many administrators weren’t even aware of its existence. Gpresult.exe is now included as a built-in utility with Windows Server 2003, but most administrators will probably still feel more comfortable with the RSoP tool.
Note: The screen shots in this article are all based on a pre-release version of Windows Server 2003. Although some of the screen shot details may change in the final release, the functionality of the RSoP tool should largely be the same.
As mentioned earlier, RSoP is simply an MMC snap-in. It can be added or removed from the list of available snap-ins, as shown below.