
A question that appeared on the newsgroups today prompted me to blog about Group Policy Resultant Set of Policy (RSoP) and its capabilities. RSOP was first introduced in Windows XP as a way of letting administrators find out what happened during the last GP processing cycle on a given Windows system. This mode of forensically checking GP processing is called RSOP Logging or RSOP Results. The RSOP infrastructure also provides a mechanism called RSOP Planning or Modeling, which lets you ask "what-if" questions about changes that you might want to make to your AD infrastructure that could affect Group Policy application on a given target computer or user. In both cases, this RSOP capability relies on some WMI enhancements that Microsoft made to XP, Server 2003 and later versions of the OS. The RSOP engine uses these WMI enhancements to store resultant set of policy data in the WMI repository on each system, each time policy is processed. These enhancements are also the reason that you cannot get RSOP data from a Windows 2000 machine: it doesn’t include those WMI enhancements and thus cannot collect or report RSOP.

Now with that background in mind, let’s look at how RSOP Logging works. When GP processing kicks off, each Client Side Extension (CSE) does work to process policy settings that apply to the computer or user. Each CSE is also responsible for logging RSOP data into the WMI repository on the machine where it is running. That RSOP code is written into the CSE DLL that Microsoft (or a 3rd party) provides. What it does is basically send a list of the settings that it is applying to WMI. This is an important point. RSOP does not check to make sure that each and every setting completed successfully. It does show if the CSE itself fails to run successfully, but it does not guarantee that every setting that was delivered was actually successfully applied (to the registry or elsewhere). So when you use GPMC or gpresult.exe to gather RSOP data, you are getting RSOP’s "best guess" that everything was delivered as it was supposed to be. Most of the time, if the CSE ran successfully, then it is a pretty good guess that all the settings were installed properly. But of course, there is no guarantee of this! Still, RSOP in XP and above is orders of magnitude better than what we had in Windows 2000, which was essentially a gpresult.exe tool that only gave partial information related to GP based on some rough assumptions about which policies applied to the system.
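One way to check that "best guess" on a machine, as an added example that is not part of the original post: this PowerShell sketch reads the winning computer-side registry settings that RSOP logged to WMI and compares each one with the live registry value. It assumes an elevated session on the target machine and that the logged keys live under HKEY_LOCAL_MACHINE; the helper name `Convert-RsopValue` is hypothetical, and only REG_SZ and REG_DWORD values are compared.

```powershell
# Added example: RSOP logging data vs. what is actually in the registry.
# Assumptions: elevated session on the target machine, computer-side policy (HKLM).

function Convert-RsopValue {
    # RSOP stores the setting's data as raw bytes; decode the two common types.
    param([byte[]]$Bytes, [uint32]$Type)
    if ($null -eq $Bytes) { return $null }
    switch ($Type) {
        1 { return [Text.Encoding]::Unicode.GetString($Bytes).TrimEnd([char]0) }  # REG_SZ (UTF-16LE)
        4 { if ($Bytes.Length -ge 4) { return [BitConverter]::ToInt32($Bytes, 0) }
            return $null }                                                         # REG_DWORD
        default { return $null }                                                   # not decoded here
    }
}

# precedence 1 = the setting that won after all GPOs were evaluated.
$logged = Get-CimInstance -Namespace 'root\rsop\computer' -ClassName RSOP_RegistryPolicySetting |
    Where-Object { $_.precedence -eq 1 -and $_.valueName }

$report = foreach ($s in $logged) {
    # Registry.GetValue returns $null when the key or the value does not exist.
    $actual   = [Microsoft.Win32.Registry]::GetValue("HKEY_LOCAL_MACHINE\$($s.registryKey)", $s.valueName, $null)
    $expected = Convert-RsopValue -Bytes $s.value -Type $s.valueType

    $status = if ($s.deleted) {
        # Policy asked for the value to be removed, so it should be absent.
        if ($null -eq $actual) { 'OK' } else { 'Mismatch' }
    } elseif ($s.valueType -notin 1, 4) {
        'NotCompared'
    } elseif ($null -ne $actual -and $actual -ceq $expected) {
        'OK'
    } else {
        'Mismatch'   # RSOP says delivered, registry disagrees (or value is missing)
    }

    [pscustomobject]@{
        Status   = $status
        Key      = $s.registryKey
        Value    = $s.valueName
        Expected = $expected
        Actual   = $actual
        GPOID    = $s.GPOID
    }
}

$report | Sort-Object Status, Key | Format-Table -AutoSize
```

Rows marked `Mismatch` are settings that RSOP reports as delivered but that are not present, or not at the logged value, in the registry.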

A quick word on RSOP Modeling as well. In order to use RSOP modeling from GPMC, you need to have at least one Windows 2003 (or 2008!) DC in your AD domain. That is because there is a special service that runs on this version of Windows Server that is used by the modeling engine to actually compute the RSOP what-if scenario. So you need to have that DC somewhere in your domain, and you need to have rights on the domain to be able to run the model in the first place!
