Resultant Set of Policy (RSoP)

Posted by Webmaster

Applies To: Windows Server 2003 with SP1

What does Resultant Set of Policy do?

Group Policy Resultant Set of Policy (RSoP) reports Group Policy settings that are applied to a user or computer. Group Policy Results in Group Policy Management Console (GPMC) requests RSoP data from a target computer and presents this in a report in HTML format. Group Policy Modeling requests the same type of information, but the data reported is from a service that simulates RSoP for a combination of computer and user. This simulation is performed on a domain controller running Windows Server 2003 and is then returned to the computer running GPMC for presentation. Finally, the RSoP Microsoft Management Console (MMC) snap-in provides an alternative way to display this information, although Group Policy Results is generally the preferred method.

Who does this feature apply to?

Group Policy administrators in an Active Directory domain environment. In addition, an IT professional who needs to plan or validate the application of Group Policy might be interested in RSoP.
What existing functionality is changing in Windows Server 2003 Service Pack 1?

RSoP Use with Windows Firewall Enabled

Detailed description

In Windows XP Service Pack 2 (SP2), Windows Firewall is enabled by default. Incoming requests against unopened ports—as opposed to responses to requests originated from the computer—are blocked by Windows Firewall. In Windows Server 2003 Service Pack 1 (SP1), Windows Firewall is not enabled by default.

If you elect to use Windows Firewall, you should be aware of the impact of its use on RSoP across the network.

For more information about Windows Firewall, see "Windows Firewall" in this document.
Why is this change important?

Enabling a firewall, such as Windows Firewall, provides more protection from many network-based attacks. For example, if Windows Firewall had been enabled, the recent MSBlaster attack would have been greatly reduced in impact, regardless of whether users were up-to-date with patches.

What works differently?

There are two important changes to RSoP in Windows Server 2003 SP1.

    After Windows Firewall is installed on a computer, remote access to RSoP data no longer works from that target computer.

    If Windows Firewall is enabled, when GPMC is run for the purpose of using Group Policy Results or Group Policy Modeling to retrieve RSoP data, it will be unable to retrieve this data.

How do I resolve these issues?

The following table summarizes the changes necessary to fully support remote RSoP tasks when running Windows XP SP2 or Windows Server 2003 SP1 with Windows Firewall enabled. Please see the sections below for further details.
Task: Generate Group Policy results
    Target computer:
        Enable the "Windows Firewall: Allow remote administration exception" Group Policy setting.
        This Group Policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile\.
    Administrative computer:
        GPMC with SP1: No action required.
        RSoP snap-in: Enable "Windows Firewall: Define program exceptions". Configure the program exception list with the full path to Unsecapp.exe so that the WMI messages can be transmitted. In a default installation Unsecapp.exe is located in the C:\Windows\System32\Wbem folder. Enable the "Windows Firewall: Define port exception" policy to open port 135.

Task: Delegate access to Group Policy results
    Target computer:
        Enable the "Windows Firewall: Allow remote administration exception" Group Policy setting.
        Configure the following DCOM security settings: "DCOM: Machine access restrictions…" and "DCOM: Machine launch restrictions…". These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
    Administrative computer:
        No changes necessary.

Task: Remotely edit a local Group Policy object
    Target computer:
        Enable the "Windows Firewall: Allow file and printer sharing administration exception" policy setting.
        This policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile\.
    Administrative computer:
        No changes necessary.
Administering Remote RSoP with GPMC SP1

The initial release of GPMC used a callback mechanism when waiting for the results of a Group Policy Results or Modeling request. The administrative computer must be "listening" for this response. If Windows Firewall is enabled, Windows will block these responses. Although opening the appropriate ports can address this issue, using the updated Group Policy Management Console (GPMC) with Service Pack 1 completely removes the use of the callback mechanism. We recommend that you install GPMC with Windows Server 2003 Service Pack 1, because this allows Group Policy Results and Modeling to continue to work without opening up ports on the administrative computer. To install GPMC with Windows Server 2003 Service Pack 1, see "Group Policy Management Console with Service Pack 1" on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=23529.

In order to administer RSoP remotely, you must enable the "Windows Firewall: Allow remote administration exception" Group Policy setting on target computers.

Administering Remote RSoP with the RSoP MMC snap-in

In order to administer RSoP remotely using the RSoP MMC snap-in, the target computer must listen on the appropriate network ports to ensure that incoming RSoP requests can be serviced. This can be managed through Group Policy using the following policy settings:

    Enable the "Windows Firewall: Define program exceptions" Group Policy setting to permit Unsecapp.exe. Make sure you enter the full path to Unsecapp.exe.

    Enable the "Windows Firewall: Define port exception" Group Policy setting and open port 135. Click Show and enter 135:TCP:*:Enabled:135.

Caution

Enabling the "Windows Firewall: Define port exception" Group Policy setting may also allow unwanted data to be accepted on this port. Be sure to fully review this Group Policy setting before enabling it in your environment.

Enabling this policy setting is not necessary if the "Windows Firewall: Allow remote administration exception" Group Policy setting is enabled on the administrative computer.
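Before the settings in the table above are pushed out by Group Policy, it helps to try the same exceptions on a single lab machine and confirm that remote RSoP actually works. The script below is an added example, not code from the original post or from Microsoft: it applies the local "netsh firewall" equivalents of the policy settings named on this page (the remote administration and file and printer sharing exceptions on the target, the Unsecapp.exe program exception and TCP 135 port exception on an administrative computer that uses the RSoP snap-in) and then runs gpresult against the target. It assumes the Windows XP SP2 / Windows Server 2003 SP1 "netsh firewall" syntax, a PowerShell installation on the machine where it runs, and that the placeholder computer name, account and administrative subnet are replaced with real values.

```powershell
# Added example (not from the original post): local test equivalents of the firewall
# exceptions listed in the table, plus a remote RSoP check with gpresult.
# Assumes Windows XP SP2 / Windows Server 2003 SP1 "netsh firewall" syntax and PowerShell.
param(
    [string]$Role     = 'target',             # 'target', 'admin-snapin' or 'verify'
    [string]$Target   = 'LABTARGET01',        # placeholder: target computer name
    [string]$RsopUser = 'CONTOSO\helpdesk1',  # placeholder: account that runs Group Policy Results
    [string]$AdminNet = '10.0.0.0/24'         # placeholder: subnet of the administrative computers
)

# Default Unsecapp.exe location given in the table (C:\Windows\System32\Wbem)
$Unsecapp = Join-Path $env:SystemRoot 'System32\Wbem\unsecapp.exe'

switch ($Role) {
    'target' {
        # Target computer: the remote administration exception is what GPMC with SP1 and
        # delegated Group Policy Results need (RPC/DCOM and WMI traffic).
        netsh firewall set service type=remoteadmin mode=enable scope=custom addresses=$AdminNet profile=all
        # Target computer: the file and printer sharing exception is what remote editing of
        # the local Group Policy object needs.
        netsh firewall set service type=fileandprint mode=enable scope=custom addresses=$AdminNet profile=all
        # Review the resulting configuration (services, program and port exceptions)
        netsh firewall show config
    }
    'admin-snapin' {
        # Administrative computer, RSoP MMC snap-in only (GPMC with SP1 needs nothing):
        # program exception for Unsecapp.exe so the WMI messages can be delivered ...
        if (-not (Test-Path $Unsecapp)) { throw "Unsecapp.exe not found at $Unsecapp" }
        netsh firewall add allowedprogram program="$Unsecapp" name="WMI Unsecapp" mode=enable scope=custom addresses=$AdminNet profile=all
        # ... and the TCP 135 port exception. The page's caution applies here: an unscoped
        # port exception accepts traffic from any source, so the scope is limited to $AdminNet.
        netsh firewall add portopening protocol=tcp port=135 name="RPC endpoint mapper" mode=enable scope=custom addresses=$AdminNet profile=all
        netsh firewall show config
    }
    'verify' {
        # Administrative computer: pull computer-scope RSoP from the target as the
        # delegated account. gpresult prompts for the password because /P is omitted.
        # If this fails after the target-side exceptions are in place, check the DCOM
        # settings described under "Delegating access to Group Policy Results".
        gpresult /S $Target /U $RsopUser /SCOPE COMPUTER /V
    }
    default { throw "Unknown role '$Role'; use target, admin-snapin or verify" }
}
```

Run it with `-Role target` on the lab target, `-Role admin-snapin` on an administrative computer that uses the RSoP snap-in, and `-Role verify` from the administrative computer. The `scope=custom addresses=` arguments restrict each exception to the administrative subnet rather than opening it to every source, which is the practical way to act on the caution above while still letting RSoP traffic through.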
Delegating access to Group Policy Results

By default, Group Policy Results and the RSoP snap-in can only be used remotely when the person originating the request is a local administrator on the target computer. Beginning in Windows Server 2003, a delegation model is available that allows this right to be delegated to users who are not Administrators on the target computer. This is a common scenario when help desk personnel require access to computers without being made Administrators on those computers.

In Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the security model for DCOM authentication (on which RSoP relies) has been strengthened. Even if RSoP delegation has been configured correctly, this strengthening prevents local non-administrators from retrieving RSoP information from a target computer. Note that this issue does not impact Group Policy Modeling, since the request for simulated RSoP data is made against a domain controller running Windows Server 2003, which, by definition, is not running Windows XP.

You can manage the list of users and groups associated with DCOM authentication through Group Policy. To allow continued use of delegated RSoP, users to whom you want to grant this right must also have access through the DCOM authentication model. For more information about the security changes to DCOM in Windows Server 2003 Service Pack 1, see "DCOM Security Enhancements" earlier in this document.

Use the following procedure to delegate access to Group Policy Results:

To delegate access to Group Policy Results

1. Enable the "Windows Firewall: Allow remote administration exception" Group Policy setting on target computers.
2. Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
       DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
       DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
3. Right-click the Group Policy object, and then click Properties.
4. Click Edit Security. Access Permission opens.
5. Click Add, and then Select Users, Computers, or Groups opens.
6. Enter the desired delegation targets.
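Step 2 of the procedure is the one that silently breaks delegated RSoP when it is missed: the delegated user is granted the Group Policy Results right, but the DCOM machine-wide ACLs never mention their group, so the request is rejected before RSoP is consulted. The script below is an added example, not code from the original post or from Microsoft, that audits the two SDDL policy values from step 2 on a target computer and reports whether a given group SID holds an allow entry in each. It assumes that the two policy settings are stored as REG_SZ SDDL strings under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM (an assumed location; confirm it on your build), that .NET 2.0 is available to parse SDDL, and it uses the well-known SID of the built-in "Distributed COM Users" group as a placeholder for whatever group you actually delegate to.

```powershell
# Added example (not from the original post): audit the "DCOM: Machine access restrictions"
# and "DCOM: Machine launch restrictions" policy values for a delegated group's SID.
# Assumed storage location for the two policy settings (verify on your own build).
param([string]$DelegatedSid = 'S-1-5-32-562')   # placeholder: built-in "Distributed COM Users"

$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'   # assumed location
$PolicyValues = @('MachineAccessRestriction', 'MachineLaunchRestriction')

# Parse an SDDL string with .NET and return one object per DACL entry
function Get-DcomAce([string]$Sddl) {
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only CommonAce entries carry a SID and an access mask we can report on
        if ($ace -is [System.Security.AccessControl.CommonAce]) {
            $o = New-Object PSObject
            $o | Add-Member NoteProperty Type $ace.AceType.ToString()
            $o | Add-Member NoteProperty Sid  $ace.SecurityIdentifier.Value
            $o | Add-Member NoteProperty Mask $ace.AccessMask
            $o
        }
    }
}

# $true when the SID has an allow entry and no deny entry (a deny always wins)
function Test-DcomAllow([string]$Sddl, [string]$Sid) {
    $allowed = $false
    foreach ($ace in Get-DcomAce $Sddl) {
        if ($ace.Sid -eq $Sid) {
            if ($ace.Type -eq 'AccessDenied')  { return $false }
            if ($ace.Type -eq 'AccessAllowed') { $allowed = $true }
        }
    }
    return $allowed
}

foreach ($name in $PolicyValues) {
    $item = Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) {
        # No policy value means the machine-wide DCOM defaults apply, not the delegation ACL
        Write-Host "$name : not set by policy (machine-wide DCOM defaults apply)"
        continue
    }
    $sddl = $item.$name
    Write-Host "$name = $sddl"
    foreach ($ace in Get-DcomAce $sddl) {
        Write-Host ("    {0,-13} {1,-30} mask=0x{2:X}" -f $ace.Type, $ace.Sid, $ace.Mask)
    }
    if (Test-DcomAllow $sddl $DelegatedSid) {
        Write-Host "    OK: $DelegatedSid has an allow entry"
    } else {
        Write-Host "    MISSING: $DelegatedSid has no allow entry; delegated RSoP will fail"
    }
}
```

The access mask is printed in hex rather than decoded, because which bits mean local or remote access, launch and activation is defined by the policy's own explanation text in the Group Policy editor; compare the mask against that text when the group is present but RSoP still fails. Run the script on the target computer (or against an exported copy of the two values) after the Group Policy refresh has applied step 2.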
Remotely editing a local Group Policy object

In order to remotely edit a local Group Policy object on a target computer that has Windows Firewall enabled, you need to enable the following policy setting: "Windows Firewall: Allow file and printer sharing administration".

The policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile\.
