A question that appeared on the newsgroups today prompted me to blog about Group Policy Resultant Set of Policy (RSoP) and its capabilities. RSOP was first introduced in Windows XP as a way of letting administrators find out what happened during the last GP processing cycle on a given Windows system. This mode of forensically checking GP processing is called RSOP Logging or RSOP Results. The RSOP infrastructure also provides a mechanism for doing what’s called, RSOP Planning or Modeling, which lets you ask "what-if" questions about changes that you might want to make to your AD infrastructure that could affect Group Policy application on a given target computer or user. In both cases, this RSOP capability relies on some WMI enhancements that Microsoft made to XP, Server 2003 and later versions of the OS. These WMI enhancements are what is used by the RSOP engine to store resultant set of policy data in the WMI repository on each system, each time policy is processed. And, these enhancements are the reason that you cannot get RSOP data from a Windows 2000 machine–it doesn’t include those WMI enhancements and thus cannot collect or report RSOP.
Now with that background in mind, let’s look at how RSOP Logging works. When GP processing kicks off, each Client Side Extension (CSE) does work to process policy settings that apply to the computer or user. Each CSE is also responsible for logging RSOP data into the WMI repository on the machine where its running. That RSOP code is written into the CSE DLL that Microsoft (or a 3rd party) provides. What it does is basically send a list of the settings that its applying to WMI. This is an important point. RSOP does not check to make sure that each and every setting completed successfully. It does show if the CSE itself fails to run successfully, but it does not guarantee that every settting that was delivered was actually successfully applied (to the registry or elsewhere). So when you use GPMC or gpresult.exe to gather RSOP data, you are getting RSOP’s "best guess" that everything was delivered as it was supposed to be. Most of the time, if the CSE ran successfully, then it is a pretty good guess that all the settings were installed properly. But of course, there is no guarantee of this! Still RSOP in XP and above is orders of magnitude better than what we had in Windows 2000, which was essentially a gpresult.exe tool that only gave partial information related to GP based on some rough assumptions about which policies applied to the system.
A quick word on RSOP Modeling as well. In order to use RSOP modeling from GPMC, you need to have at least 1 Windows 2003 (or 2008!) DC in your AD domain. That is because there is a special service that runs on this version of Windows Server that is used by the modeling engine to actually compute the RSOP what-if scenario. So you need to have that DC somewhere in your domain and you need to have rights on the domain to be able to run the model in the first place!
Technorati Tags
AUG
About the Author:
Darren Mar-Elia is CTO & Founder of SDM Software, Inc. Darren has over 25 years of IT and Software experience in the Microsoft technology area, including serving as a Director in Infrastructure at Charles Schwab, CTO of Windows Management Solutions at Quest Software, and Sr. Director of Product Engineering at DesktopStandard. He has been a Microsoft MVP in Group Policy technology for the last 6 years and has written and spoken on Active Directory, Group Policy and PowerShell topics frequently over the years. He maintains the popular Group Policy resource web site at www.gpoguy.com and has been a contributing editor for Windows IT Pro Magazine since 1997. He has written and contributed to twelve books on Windows. Darren also speaks frequently at conferences on Windows infrastructure topics.