The process of securing a network by applying group policies has the potential to become confusing. After all, policy elements can be applied to users, groups, computers, domains, etc. Sure, there are guidelines to make the process more efficient and less confusing, but in the end, there’s still a good chance that you might have some overlapping group policy elements.
When group policy elements overlap, it’s often difficult to predict the results, especially when large numbers of policy elements overlap and contradict each other. Windows XP contains a tool called the Resultant Set of Policy (RSoP) Wizard that can help you to make sense out of the overlapping chaos.
How RSoP Works
According to the online Microsoft document “Managing Windows XP in a Windows 2000 Server Environment,” RSoP is a query engine that polls existing policies and then reports the results of the query. It polls existing policies based on site, domain, domain controller, and organizational unit (OU), and it gathers this information from the Common Information Model Object Manager (CIMOM) database, better known as Windows Management Instrumentation (WMI).
In addition to checking the policies set by the group policy, RSoP also checks Software Installation for any applications that are associated with a particular user or computer and reports the results of these queries. RSoP details all the policy settings configured by an administrator. This includes Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security, and Scripts.
Load the RSoP Wizard
Begin the process by entering the MMC command at the Run prompt. Doing so will open an empty Microsoft Management Console session. Next, click File | Add/Remove Snap-In to open the Add/Remove Snap-In properties sheet. The Standalone tab should be selected. Click the Add button to reveal a list of available snap-ins. At this point, select the RSoP snap-in from the list and click the Add button. Doing so will launch the RSoP Wizard.
As with most of Microsoft’s wizards, the RSoP Wizard begins with a Welcome screen. Click the Next button to clear the Welcome screen and move on to the Mode selection screen, which allows you to choose between logging mode and planning mode. Logging mode allows you to review the actual policy settings applied to a specific computer or to a specific user, and is the mode you will probably use most often with RSoP. Planning mode allows you to simulate a policy implementation by using data from Active Directory. This allows you to perform “what if” analyses based on information you supply about the user, computer, site, domain, organizational unit (OU), and security group membership. Planning mode requires that you use .NET server. Because we’re interested in troubleshooting already applied policies, we’ll be using logging mode for this article.
After selecting the Logging Mode radio button and clicking Next, the RSoP Wizard asks which computer you want to display the policy settings for (see Figure A). You can choose either your current computer or another computer on the network.
There’s also an option that allows you to avoid displaying any computer-related policies at all. I personally find this option to be very helpful when troubleshooting. For example, suppose that you’re trying to figure out a permissions problem for a user. An undesirable policy is being enforced, but you have no idea where the policy is coming from. If you use the option to look at only the user-related policies and not the computer-related policies, you can quickly find out if the undesirable policy setting is being applied because of a user-related group policy element or because of a computer-related policy element.
Just by selecting this one check box, you can effectively eliminate half the possible causes of your problem. Of course, if you aren’t troubleshooting but are instead trying to find out which policies apply to a user, you shouldn’t use this option.
After selecting the computer to work with, click Next. The wizard will then ask you which user you want to examine the policy settings for (see Figure B). Use the radio buttons to select either the current user or another user.
If you want to look at the policy settings for a user other than the one that you’re logged in as, there are a few things that you need to know. Selecting the Another User option displays a list of users in a window below the radio button. This option is used primarily for checking policies that apply to local user accounts. The only time that you’ll ever see a domain user account appear on this list is when you’re logged in with a domain user account. Even then, you’ll only see your own account.
For example, if you’re logged in as a domain administrator, the list will contain the domain administrator account and all of the local user accounts. So if you need to check out the policy settings for a domain user account, you must be logged in as that user prior to launching the RSoP Wizard.
Beneath the user list is a radio button that you can use to force the wizard to ignore user policies. Again, this radio button is useful if you’re troubleshooting and want to examine which policy elements apply directly to the computer account, without being confused by user policies.
After selecting the user, if any, that you want to examine, you’ll see a screen, shown in Figure C, which displays a summary detailing the mode, user, and computer that you’ve selected. Although it’s often easy to ignore the summary screens found in some wizards, I recommend taking a good look at this one. If you’re running the RSoP Wizard, you are probably trying to troubleshoot some sort of policy problem. The troubleshooting process can get very frustrating if you think that you’re looking at the policy settings for a different user or computer than you actually are. So take a second to verify the information on the summary screen before continuing.
At this point, click Next to begin the examination process. Depending on how many policy elements you have assigned to the user and computer, this process could take a minute or two.
Viewing the RSoP Wizard’s results
When the examination process completes, click the Finish button. As odd as it sounds, you’ll then be returned to the Add Standalone Snap-In dialog box that you saw at the very beginning of this process. Click Close and OK to close any open dialog boxes and go to the main console screen. You’ll next see the selected resultant set of policies appear in the console tree (see Figure D).
The resultant set of policies appears in tree form. The root level is labeled User On Computer – RSoP; on my test machine, for example, it appeared as Administrator on HOBBS – RSoP. This labeling lets you tell sets apart if you use the Add/Remove Snap-In command on the File menu to add another resultant set of policies. By loading two or more, you can compare the resultant sets of policies against each other.
Once you expand the policy, you’ll see several containers beneath it. As you expand each container, you can drill down to the individual policy settings that apply to the user, computer, or both (see Figure E).
The RSoP tree is arranged exactly the same way as the normal group policy console except that it displays the name of the group policy object that assigns the policy’s value. This lets you see which policy is actually being applied to the user. For example, in Figure E, you can see that the Remove Task Manager setting is being determined by a local group policy. If this setting were causing the user a problem, you would now know which policy to change to solve it.
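As an added example that is not part of the original article, the following PowerShell script reads the same logging-mode data the wizard displays straight from the WMI (CIMOM) store it draws on, and lists every registry-based setting together with the GPO that supplied it and whether that GPO won or was overridden. It assumes PowerShell is installed on the machine, that RSoP logging data is present (it is refreshed at boot/logon or by gpupdate), that the RSOP_GPO and RSOP_RegistryPolicySetting classes exist under root\rsop\computer, and that REG_SZ values are stored as raw UTF-16 registry bytes.

```powershell
# Added example: query the RSoP WMI store directly instead of the MMC wizard.
# Assumption: the computer-side data lives in root\rsop\computer; the user side
# lives in root\rsop\user\<SID with dashes replaced by underscores>.
$ns = 'root\rsop\computer'

# Map each GPO id to its display name so the output reads like the wizard tree.
$gpoName = @{}
Get-WmiObject -Namespace $ns -Class RSOP_GPO | ForEach-Object {
    $gpoName[$_.id] = $_.name
}

# Decode the raw byte array WMI returns for a registry value.
# Assumption: bytes are the untouched registry data for the given REG_ type.
function Decode-RsopValue($bytes, $type) {
    if (-not $bytes) { return '' }
    switch ($type) {
        4       { return [BitConverter]::ToUInt32($bytes, 0) }                      # REG_DWORD
        1       { return [Text.Encoding]::Unicode.GetString($bytes).TrimEnd("`0") }  # REG_SZ
        2       { return [Text.Encoding]::Unicode.GetString($bytes).TrimEnd("`0") }  # REG_EXPAND_SZ
        default { return ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' }   # anything else as hex
    }
}

# Resolve a GPOID to a friendly name, falling back to the raw id.
function Resolve-GpoName($id) {
    if ($gpoName.ContainsKey($id)) { return $gpoName[$id] }
    return $id
}

# In RSoP data, precedence 1 is the setting that actually took effect when
# several GPOs set the same value; higher numbers are the overridden copies
# the wizard hides behind the winning entry.
Get-WmiObject -Namespace $ns -Class RSOP_RegistryPolicySetting |
    Sort-Object registryKey, valueName, precedence |
    Select-Object `
        @{ Name = 'Key';        Expression = { $_.registryKey } },
        @{ Name = 'Name';       Expression = { $_.valueName } },
        @{ Name = 'Value';      Expression = { Decode-RsopValue $_.value $_.valueType } },
        @{ Name = 'GPO';        Expression = { Resolve-GpoName $_.GPOID } },
        @{ Name = 'Precedence'; Expression = { $_.precedence } },
        @{ Name = 'Result';     Expression = { if ($_.precedence -eq 1) { 'wins' } else { 'overridden' } } } |
    Format-Table -AutoSize
```

Filter the output on a key such as the Task Manager policy path to see every GPO that touched that setting, not just the winner the wizard shows.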