In the first implementation of Group Policies in Windows 2000, calculating effective
policy for a given user or computer was challenging. This was especially true when there
were many different GPOs at various levels within a given domain. At that time,
Microsoft did not provide helper tools that would allow administrators to model the
results of policies applied to a given computer or user. Thus, before undertaking a
massive deployment of Group Policies within a corporate environment, it was imperative
to carefully test all new policies.
Note Many administrators used a command-line tool called GPResult.exe, which was
supplied as part of the Windows 2000 Server Resource Kit. This tool generates a
list of current GPO settings for a given user logged onto a given Windows 2000
computer.
With Windows Server 2003, Microsoft introduced several Group Policy management
improvements, including:
Software Restriction Policies. The rapid growth of the Internet increases security
threats to a network, both from worms or viruses and from attacks. A network also
could face internal threats, such as human errors. With software restriction
policies, organizations can protect their networks from malicious software or even
suspicious code by identifying and specifying the applications that are allowed to
run. Unfortunately, Windows 2000 and earlier versions of Windows NT are
unable to process software restriction policies. To use such policies, all domains
must be migrated to Windows Server 2003 domains in native mode and all clients
must be upgraded to Windows XP. (For more information on software restriction
policies, refer to Chapter 9.)
Enhanced User Interface in the Group Policy Object Editor. Policy settings are
more easily understood, managed, and verified with Web-view integration in the
Group Policy Object Editor. Clicking on a policy instantly shows the text
explaining its function and supported environments such as Windows XP or
and earlier.
Using Resultant Set of Policy
Resultant Set of Policy (RSoP) is a long-awaited tool that allows system administrators to
determine which Group Policy settings are being applied to a particular user or computer
account. This tool can be used both for planning Group Policies before deploying them in
a production environment and for troubleshooting problems with specific Group Policy
settings. It implements one of the newest mechanisms for managing and troubleshooting
Group Policies, and, therefore, deserves special attention. Unfortunately, like many
improvements recently introduced by Microsoft, it is not available for Windows 2000 and
earlier versions of Windows NT, nor for other legacy operating systems.
On Windows Server 2003, RSoP can operate in two modes:
Logging mode, which displays Group Policy settings for a specific user or
computer. This mode is applicable for standalone computers running Windows
Server 2003. At the time of this writing, it also could be used on Windows XP
computers joined to Windows 2000 or Windows Server 2003 domains.
Planning mode, which allows administrators to evaluate the effect of applying
different Group Policy Objects
Where does RSoP get information on the resulting Group Policies? To gather this data, it
queries the Common Infrastructure Management Object Manager (CIMOM) database
through Windows Management Instrumentation. The CIMOM database contains
information on computers' hardware, software installation settings, scripts, folder
redirection settings, security settings, and Internet Explorer maintenance settings. The
CIMOM database is refreshed with the current information each time a computer logs on
to the network.
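The logging-mode data that RSoP reads through WMI can also be queried directly, which is useful when auditing which GPO actually wins for a given registry-based setting. The following is an added example, not code from the book: the function name Get-RsopRegistrySetting is hypothetical, and it assumes an elevated PowerShell session on a Windows host where Group Policy has already been processed, reading the RSOP_GPO and RSOP_RegistryPolicySetting classes in the root\rsop\computer namespace.

```powershell
# Added example: list registry-based policy settings recorded by RSoP logging,
# together with the GPO each one came from and its precedence.
function Get-RsopRegistrySetting {
    param(
        # Computer-side results. Per-user results live under
        # root\rsop\user\<SID with '-' replaced by '_'>.
        [string]$Namespace = 'root\rsop\computer'
    )

    # Build a lookup from GPO identifier to GPO display name.
    $gpoNames = @{}
    Get-CimInstance -Namespace $Namespace -ClassName RSOP_GPO -ErrorAction Stop |
        ForEach-Object { $gpoNames[$_.id] = $_.name }

    # Every RSOP_PolicySetting subclass carries GPOID and precedence;
    # precedence 1 marks the setting that took effect.
    Get-CimInstance -Namespace $Namespace -ClassName RSOP_RegistryPolicySetting -ErrorAction Stop |
        Sort-Object registryKey, valueName, precedence |
        ForEach-Object {
            [pscustomobject]@{
                RegistryKey = $_.registryKey
                ValueName   = $_.valueName
                Precedence  = $_.precedence
                Winning     = ($_.precedence -eq 1)
                Gpo         = $gpoNames[$_.GPOID]
            }
        }
}

# Settings that were defined by some GPO but overridden by a higher-precedence one:
Get-RsopRegistrySetting |
    Where-Object { -not $_.Winning } |
    Format-Table RegistryKey, ValueName, Precedence, Gpo -AutoSize
```

An empty result from the last pipeline means no registry-based setting was overridden on this computer; a hardening value that shows up there is being defeated by another GPO and deserves a look at link order and enforcement.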
Note The Common Infrastructure Management (CIM) model, now known as the Web-
Based Enterprise Management (WBEM) initiative, was adopted by the Distributed
Management Task Force (DMTF). This emerging standard, intended for all
Figure 11.10: The User Selection window displayed by RSoP Wizard
5. The wizard will display the next window summarizing your selections. To change
your selections, click Back. To confirm the selected options and proceed with the
query, click Next, and RSoP will start the query. When the query completes, the
wizard will display the final window, where you need to click Finish.
6. RSoP will appear for the selected user on the selected computer (Fig. 11.11). Click
the RSoP folder to view data. Note that you can also set the order in which
policies are applied. Simply right-click on the policy element, select Properties,
then click the Precedence tab (Fig. 11.12).
Figure 11.11: RSoP query results
Figure 11.12: The Precedence tab displays the order of policy application
Note To immediately view RSoP for the current user on the local Windows Server 2003
computer, click the Start button, select the Run command, enter the rsop.msc
command into the Open field, and click OK.
A red × at the user or computer configuration level indicates a Group Policy error,
so a problem is visible as soon as the results appear. To view information on the
error, right-click the marked object, select Properties, and go to the Error
Information tab.
How Group Policy Administrative Templates Affect the Registry