Performing Resultant Set of Policy Queries with the GPRESULT Tool. XP Operating System Group Policy Result tool v2.0 Copyright (C). Windows Server 2012/2008/2003/2000/XP/NT Administrator Knowledge Base Categories. Supporting and Extending RSoP Developing an RSoP Management Tool. Developing an RSoP Management Tool. Developing an RSoP Management Tool. Computer Configuration\System\Group Policy\Turn off Resultant Set of. Check out http:// or http:// are applied by using the internal modeling tools and Resultant Set of Policy. Windows Server 2008 Active Directory. Windows Server 2008 R2; Windows Server 8. What is RSoP for Windows Group Policy?Resultant Set of Policies (RSo. P) cuts through the confusion and tells you what's happening with your Group Policy settings. Microsoft built RSo. P into the Windows Management Instrumentation (WMI) infrastructure beginning with Windows XP. Two main tools are available for accessing the RSo. P infrastructure: the graphical Group Policy Management Console (GPMC) and the command line–based Gpresult. In the 8+ years I’ve been doing this, by far the biggest improvement in Group Policy management has been the introduction of the Resultant Set of Policies (RSo. P) capability in Windows Server 2. Windows XP to help us figure out what the effective policy is on our desktops and servers. Understanding what RSo. This article describes how to install the Resultant Set of Policy. How To Install and Use RSoP in Windows Server 2003 Email. Malicious Software Removal Tool; Contact Us Contact Us. Use the Gpresult or Resultant Set of Policy tool Case Study 2 The Remove. Use the Gpresult or Resultant Set of Policy tool Case Study 2 P is and knowing how to read an RSo. P for a user or computer will help you ensure Group Policy is healthy and happy in your environment. And, while RSo. P won’t help solve every Group Policy problem that arises, an RSo. P can point the way toward how to further investigate. RSo. P doesn’t support Windows 2. Win. 2K’s WMI infrastructure and Group Policy engine don’t include the necessary components to collect RSo. P information. The Windows 2. Resource Kit does ship with a command- line utility called gpresult . RSo. P delivers, but this first- try Gpresult doesn’t paint as complete a picture of policy processing as the later RSo. P. When XP and later versions of Windows were introduced, Microsoft provided two main tools for accessing the WMI- based RSo. P infrastructure. The Microsoft Management Console (MMC) Group Policy Management Console (GPMC) snap- in provides a graphical UI for accessing RSo. P data, and the command line–based Gpresult is built into the OS. Don’t confuse the RSo. P- enabled version of Gpresult with the earlier Win. K Resource Kit version. Because the two tools use completely different mechanisms, they can return different information, with the RSo. P- enabled version being the more accurate of the two. Well, essentially it’s a mechanism to determine, for a given computer or user in Active Directory (AD), what that computer or user’s effective Group Policy settings are. A user or computer can process many Group Policy Objects (GPOs) in a typical AD environment—with GPOs having possibly conflicting settings. GPOs are processed in a certain order that affects which policy settings will actually apply to a given user or computer, and GPOs can be filtered by using security groups and WMI filters. Given all these factors, you can see how knowing what the effective policy settings are for a given user or computer can be hard, especially in larger organizations. RSo. P cuts through the confusion and tells you what’s happening with your Group Policy settings. Logging. The RSo. P capability in Windows Server 2. Windows Vista, Windows Server 2. XP comes in two flavors. The first, and by far the most common, is known as RSo. P or Group Policy Results Logging. It answers the question, “What policy settings were processed by a given computer or user during the last policy processing cycle?” Logging relies on the Group Policy engine and each Client Side Extension (CSE) that processes the various policy settings to report to WMI on what it did when Group Policy was processed. When you run a GPMC Group Policy Results Logging report, which Figure 1 shows, or use Gpresult from your XP or Vista machine, you’re essentially connecting to the machine you select—local or remote—and gathering the WMI logging data into a report. The second RSo. P flavor, RSo. P Planning (also known as Group Policy Modeling in GPMC), answers the question, “What policy should apply to a given computer or user during a future policy processing cycle?” As the name implies, RSo. P Planning lets you perform a “what- if” calculation on the policy that a given computer or user will receive. It goes one step better and lets you play with changes that might occur to users or computers to see what effect the changes will have on the users’ or computers’ effective policy. You can also simulate how policy would be affected if a slow network link were detected or if loopback policy were in place. All of these “modifications” that you can perform during the modeling phase will affect what policy settings a computer or user receives, and the Group Policy Modeling feature in GPMC lets you simulate these changes easily. However, it does require access to a Server 2. Server 2. 00. 8 domain controller (DC) to work. In fact, if you have only Win. K DCs in your AD domain, you won’t even see the Group Policy Modeling node when you start up GPMC because the modeling feature uses a service called the Resultant Set of Policy Provider that runs only on the newer DCs. Without this service, modeling won’t run. I find the version of Group Policy Results Logging that’s available in GPMC easier to use than the command- line Gpresult utility, so let’s start with the graphical version. So, if you’re running Group Policy Results against a Vista machine, run it from a Vista machine, not an XP machine. You’ll get more complete results this way. That means it must be up and running and must not have a firewall blocking access to the ports and protocols required by Group Policy Results. This protocol uses TCP port 1. If the target machine uses Windows Firewall, the easiest way to ensure that the necessary ports are unblocked is to use the built- in Remote Administration Exception provided in Group Policy. You can find this exception on XP and Server 2. GPMC under Computer Configuration\Administrative Templates Network\Network Connections\Windows Firewall\Standard (or Domain) Profile\Windows Firewall: Allow Remote Administration Exception and on Vista and Server 2. Computer Configuration\Windows Settings\Security Settings Windows Firewall with Advanced Security Inbound Rules, under the Predefined Rules selection. Suppose you want to verify that a certain workstation has retrieved some policy settings. Start GPMC, right- click the Group Policy Results node, then select the Group Policy Results Wizard option. The first wizard screen lets you select a remote or local computer to connect to. If you’re interested only in per- user settings, you can also select a check box to exclude any per- computer settings in the report that will be generated. After selecting the computer you want to target, the next wizard screen lets you select a user who has logged onto that computer, if you want to return per- user Group Policy settings in addition to computer settings. If you don’t see a user in the list, he or she likely hasn’t logged onto that system. After you select the user, the Group Policy Results wizard collects the WMI data from the selected computer and displays it in the GPMC’s right- hand results pane, as shown in Figure 1. Interpreting the Results. Once you’ve run the Group Policy Results wizard and the results are displayed, you can dive in and interpret those results. In the right- hand results pane are three tabs: Summary, Settings, and Policy Events. Table 1 describes the purpose of each. The Summary tab is probably the most interesting in terms of finding out what’s going on with Group Policy on the remote system, so let’s examine it in detail. Figure 2 shows an expanded Summary tab with all its sections. Assuming you selected to show both per- computer and per- user Group Policy settings, the summary will be broken into two sections: Computer Configuration Summary and User Configuration Summary. The most interesting subsections are Group Policy Objects and Component Status. The Group Policy Objects subsection is further divided into Applied GPOs and Denied GPOs. Applied GPOs lists the GPOs that were processed by the computer or user, to which AD container those GPOs were linked, and what their AD and SYSVOL version numbers were. This information is important because it lets you verify that a particular GPO that you think should be processed by the computer or user really is being processed. The version numbers are important because they should always be the same for a given GPO.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
December 2016
Categories |