How To Install and Use RSoP in Windows Server 2003

This article describes how to install the Resultant Set of Policy (RSoP) snap-in and how to use the RSoP tool. RSoP is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then reports the results of those queries. It polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (also known as CIM-compliant object repository) by using Windows Management Instrumentation (WMI).

RSoP provides the following three features that you can use to determine the comprehensive security policy that meets your needs:

• RSoP provides security templates to create and assign security settings for one or more computers. A security template is a file representation of a security setting configuration. You can apply this security template to a local computer or you can import it to a Group Policy object (GPO) in Active Directory. When you import a security template to a GPO, Group Policy processes the security template and makes the corresponding changes to the members of that GPO (the member can be either users or computers). RSoP verifies those changes. RSoP polls the computer and the resultant policy that is displayed indicates a misapplied or overwritten policy setting and the policy setting's precedence. You can use this information to fix a security breach.
• RSoP reports the scope of a GPO according to security group membership. RSoP uses Group Policy filtering to complete this task.
• RSoP processes and displays the resulting policy for any computer or user. Administrators can use individual security settings to define a security policy in Active Directory that contains specific security settings for nearly all security areas. Security settings in a local GPO can also establish a security policy on a local computer. If a conflict between security settings occur, security settings that are defined in Active Directory always override any security settings that are defined locally.

How to Use a Command to Run RSoP

If you use the rsop.msc command to start RSoP, RSoP runs on the computer on which you run this command and it collects the policies that are applied to the user who is logged on and the computer account.

1. Click Start, and then click Run.
2. In Open box, type rsop.msc, and then click OK.

How to Start RSoP As an MMC Snap-in

1. Start Microsoft Management Console (MMC), click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. On the Standalone tab, click Add.
4. In the Available Standalone Snap-in box, click Resultant Set of Policy, and then click Add.

NOTE: You must add a RSoP snap-in to MMC for each new RSoP query.

How to Access RSoP Data for an Existing Computer and User in Logging Mode

1. In the RSoP snap-in, right-click Resultant Set of Policy, and then click Generate RSoP Data.
2. After the RSoP Wizard starts, click Next.
3. Click Logging mode, and then click Next.
4. Specify the computer on which you want to run RSoP, and then click Next.
5. Specify the user for which you want to collect RSoP data, and then click Next.
6. Review the summary of settings, click Next, and then wait for RSoP to finish processing the data.
7. Click Finish.
8. In the RSoP snap-in, click the newly created RSoP query in the console tree to view the data.
   
   NOTE: Only users and computers that are currently logged on to the domain are visible.

How to Save Data from an RSoP Query

1. Open an RSoP query in the RSoP snap-in.
2. In the console tree, click Console Root, and then double-click User account on computer account - RSoP in the right pane.
3. On the View menu, click Archive data in console file.
4. On the File menu, click Save.
5. In the File name box, type a name for the file, and then click Save.

How to Change an Existing RSoP Query

1. In the RSoP snap-in, right-click the RSoP query that you want to change, and then click Change Query.
2. After the RSoP Wizard starts, click Next to select the appropriate step for the query option that you want to change.
3. Click Finish.

How to Refresh an RSoP Query

In the RSoP snap-in, right-click the RSoP query that you want to refresh, and then click Refresh Query.

How to View an RSoP Report in HTML

1. Click Start, and then click Help and Support.
2. Under Support Tasks, click Tools.
3. Under Tools, click Advanced System Information.
4. Under Advanced System Information, click View Group Policy settings applied.
5. Scroll to the results that you want to view. NOTE: To hide details, click the arrow in the upper-right corner of a category.

How to Run an RSoP Query on a Computer Account

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, expand Domain (where Domain is the domain in which the computer account on which you want to run RSoP exists), and then expand Computers.
3. Right-click the computer account on which you want to run RSoP, point to All Tasks, and then click Resultant Set of Policy (Logging) or Resultant Set of Policy (Planning).

NOTE: You can also run an RSoP query by adding the RSoP snap-in to an MMC.

How to Run an RSoP Query on a User Account

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, expand Domain (where Domain is the domain in which the user account on which you want to run RSoP exists), and then expand Users.
3. Right-click the user account on which you want to run RSoP, point to All Tasks, and then click either Resultant Set of Policy (Logging) or Resultant Set of Policy (Planning).

How to Run an RSoP Query on a Domain

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, expand Active Directory Users and Computers, expand Domains, and then right-click the domain on which you want to run RSoP.
3. Point to All Tasks, and then click Resultant Set of Policy (Planning).

How to Run an RSoP Query on an Organizational Unit

1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, expand Active Directory Users and Computers, expand Domain, expand Organizational unit, and then expand child organizational unit.
3. Right-click the organizational unit on which you want to run RSoP, point to All Tasks, and then click Resultant Set of Policy (Planning).

How to Run an RSoP Query on a Site

1. Click Start, point to All Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, expand Active Directory Sites and Services, and then expand Sites.
3. Right-click the site on which you want to run RSoP, point to All Tasks, and then click Resultant Set of Policy (Planning).

NOTE: If you use this method to open RSoP, you cannot change the site name in the RSoP query. You can also run an RSoP query by adding the RSoP snap-in to an MMC.

How to Run an RSoP Query on a Local Computer

1. Click Start, click Run, type mmc, and then click OK.
2. On the File menu, click Add/Remove Snap-in.
3. Click the Standalone tab, and then click Add.
4. In the Available Standalone Snap-in box, click Resultant Set of Policy, and then click Add.
5. In MMC, right-click Resultant Set of Policy, and then click Generate RSoP Data.
6. After the Resultant Set of Policy Wizard starts, click Next.
7. Click Logging mode, and then click Next.
   
   NOTE: Logging mode is the only mode that is available for an RSoP query on a local computer.
8. Click This computer, and then click Next to continue the Resultant Set of Policy Wizard.

For additional information about this topic, click the following article number to view the article in the Microsoft Knowledge Base: