Resultant Set of Policy (RSoP)
Applies To: Windows Server 2003 with SP1
What does Resultant Set of Policy do?
Group Policy Resultant Set of Policy (RSoP) reports Group Policy settings that are applied to a user or computer. Group Policy Results in Group Policy Management Console (GPMC) requests RSoP data from a target computer and presents this in a report in HTML format. Group Policy Modeling requests the same type of information, but the data reported is from a service that simulates RSoP for a combination of computer and user. This simulation is performed on a domain controller running Windows Server 2003 and is then returned to the computer running GPMC for presentation. Finally, the RSoP Microsoft Management Console (MMC) provides an alternative way to display this information, although Group Policy Results is generally the preferred method.
Who does this feature apply to?
Group Policy administrators in an Active Directory domain environment. In addition, an IT professional who needs to plan or validate the application of Group Policy might be interested in RSoP.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
RSoP Use with Windows Firewall Enabled
In Windows XP Service Pack 2 (SP2), Windows Firewall is enabled by default. Incoming requests against unopened ports—as opposed to responses to requests originated from the computer—are blocked by Windows Firewall. In Windows Server 2003 Service Pack 1 (SP1), Windows Firewall is not enabled by default.
If you elect to use Windows Firewall, you should be aware of the impact on its use on RSoP across the network.
For more information about Windows Firewall, see "Windows Firewall," in this document.
Why is this change important?
Enabling a firewall, such as Windows Firewall, provides more protection from many network-based attacks. For example, if Windows Firewall had been enabled the recent MSBlaster attack would have been greatly reduced in impact, regardless of whether users were up-to-date with patches.
What works differently?
There are two important changes to RSoP in Windows Server 2003 SP1.
After Windows Firewall is installed on a computer, remote access to RSoP data no longer works from that target computer.
If Windows Firewall is enabled, when GPMC is run for the purpose of using Group Policy Results or Group Policy Modeling to retrieve RSoP data it will be unable to retrieve this data.
How do I resolve these issues?
The following table summarizes the changes necessary to fully support remote RSoP tasks when running Windows XP SP2 or Windows Server 2003 SP1 with Windows Firewall enabled. Please see the sections below for further details.
|Task||Target Computer||Administrative Computer|
Generate Group Policy results
Enable Windows Firewall Allow remote administration exception Group Policy setting.
This Group Policy setting is located in Computer Configuration \Administrative Templates\Network \Network Connections\Windows Firewall\[Domain | Standard] Profile\.
GPMC with SP1.
No action required.
Enable Windows Firewall: Define program exceptions. Configure the program exception list with the full path to Unsecapp.exe so that the WMI messages can be transmitted. In a default installation Unsecapp.exe is located in the C:\Windows\System32\Wbem folder.
Enable Windows Firewall: Define port exception policy to open Port 135.
Delegate access to Group Policy results
Enable Windows Firewall: Allow remote administration exception Group Policy setting.
Configure the following DCOM security settings:
DCOM: Machine access restrictions…
DCOM: Machine launch restrictions…
These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
No changes necessary
Remotely edit a Local Group Policy object
Enable Windows Firewall: Allow file and printer sharing administration exception policy setting.
This policy setting is located in Computer Configuration \Administrative Templates\Network \Network Connections\Windows Firewall\[Domain | Standard] Profile\.
No changes necessary.
Administering Remote RSoP with GPMC SP1
The initial release of GPMC used a callback mechanism when waiting for the results of a Group Policy Results or Modeling request. The administrative computer must be "listening" for this response. If Windows Firewall is enabled, Windows will block these responses. Although opening the appropriate ports can address this issue, using the updated Group Policy Management Console (GPMC) with Service Pack 1 completely removes the use of the callback mechanism. We recommend that you install GPMC with Windows Server 2003 Service Pack 1, because this allows Group Policy Results and Modeling to continue to work without opening up ports on the administrative computer. To install GPMC with Windows Server 2003 Service Pack 1, see "Group Policy Management Console with Service Pack 1" on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=23529.
In order to administer RSoP remotely, you must enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
Administering Remote RSoP with the RSoP MMC snap-in
In order to administer RSoP remotely using the RSoP MMC snap-in, the target computer must listen on the appropriate network ports to ensure that incoming RSoP requests can be serviced. This can be managed through Group Policy using the following policy settings:
Enable the Windows Firewall: Define program exceptions Group Policy setting to permit Unsecapp.exe. Make sure you enter the full path to Unsecapp.exe.
Enable the Windows Firewall: Define port exception Group Policy setting and open Port 135. Click Show and enter 135:TCP:*:Enabled:135.
Enabling the Windows Firewall: Define port exception Group Policy setting may also allow unwanted data to be accepted on this port. Be sure to fully review this Group Policy setting before enabling it in your environment. Enabling this policy setting is not necessary if the Windows Firewall: Allow remote administration exception Group Policy setting is enabled on the administrative computer.
Delegating access to Group Policy Results
By default, Group Policy Results and the RSoP snap-in can only be used remotely when the person originating the request is a local administrator on the target computer. Beginning in Windows Server 2003, a delegation model is available that allows this right to be delegated to users who are not Administrators on the target computer. This is a common scenario when help desk personnel require access to computers without being made Administrators on those computers.
In Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the security model for DCOM authentication (on which RSoP relies) has been strengthened. Even if RSoP delegation has been configured correctly, this strengthening prevents local non-administrators from retrieving RSoP information from a target computer. Note that this issue does not impact Group Policy Modeling, since the request for simulated RSoP data is made against a domain controller running Windows Server 2003, which, by definition, is not running Windows XP.
You can manage the list of users and groups associated with DCOM authentication through Group Policy. To allow continued use of delegated RSoP, users to whom you want to grant this right must also have access through the DCOM authentication model. For more information about the security changes to DCOM in Windows Server 2003 Service Pack 1, see "DCOM Security Enhancements" earlier in this document.
Use the following procedure to delegate access to Group Policy Results:
To delegate access to Group Policy Results
Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
Right-click the Group Policy object, and then click Properties.
Click Edit Security. Access Permission opens.
Click Add, and then Select Users, Computers, or Groups opens.
Enter the desired delegation targets.
Remotely editing a local Group Policy object
In order to remotely edit a local Group Policy object on a target computer that has Windows Firewall enabled, you need to enable the following policy setting: Windows Firewall: Allow file and printer sharing administration.
The policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain|Standard] Profile\.