Resultant Set of Policy (RSoP)

IT Support Forum Forums Windows Windows Server 2003 R2 General Discussion Resultant Set of Policy (RSoP)

    • #2217
      Webmaster
      Keymaster

      Applies To: Windows Server 2003 with SP1
      What does Resultant Set of Policy do?
      Group Policy Resultant Set of Policy (RSoP) reports Group Policy settings that are applied to a user or computer. Group Policy Results in Group Policy Management Console (GPMC) requests RSoP data from a target computer and presents this in a report in HTML format. Group Policy Modeling requests the same type of information, but the data reported is from a service that simulates RSoP for a combination of computer and user. This simulation is performed on a domain controller running Windows Server 2003 and is then returned to the computer running GPMC for presentation. Finally, the RSoP Microsoft Management Console (MMC) provides an alternative way to display this information, although Group Policy Results is generally the preferred method.
      Who does this feature apply to?
      Group Policy administrators in an Active Directory domain environment. In addition, an IT professional who needs to plan or validate the application of Group Policy might be interested in RSoP.
      What existing functionality is changing in Windows Server 2003 Service Pack 1?
      RSoP Use with Windows Firewall Enabled
      Detailed description
      In Windows XP Service Pack 2 (SP2), Windows Firewall is enabled by default. Incoming requests against unopened ports, as opposed to responses to requests originated from the computer, are blocked by Windows Firewall. In Windows Server 2003 Service Pack 1 (SP1), Windows Firewall is not enabled by default.
      If you elect to use Windows Firewall, you should be aware of the impact of its use on RSoP across the network.
      For more information about Windows Firewall, see "Windows Firewall" in this document.
      Why is this change important?
      Enabling a firewall, such as Windows Firewall, provides more protection from many network-based attacks. For example, if Windows Firewall had been enabled, the recent MSBlaster attack would have been greatly reduced in impact, regardless of whether users were up-to-date with patches.
      What works differently?
      There are two important changes to RSoP in Windows Server 2003 SP1.
      After Windows Firewall is installed on a computer, remote access to RSoP data no longer works from that target computer.
      If Windows Firewall is enabled, when GPMC is run for the purpose of using Group Policy Results or Group Policy Modeling to retrieve RSoP data, it will be unable to retrieve this data.
      How do I resolve these issues?
      The following table summarizes the changes necessary to fully support remote RSoP tasks when running Windows XP SP2 or Windows Server 2003 SP1 with Windows Firewall enabled. Please see the sections below for further details.
      Task: Generate Group Policy results
        Target computer: Enable the Windows Firewall: Allow remote administration exception Group Policy setting. This Group Policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile\.
        Administrative computer: GPMC with SP1: no action required. RSoP snap-in: enable Windows Firewall: Define program exceptions and configure the program exception list with the full path to Unsecapp.exe so that the WMI messages can be transmitted (in a default installation Unsecapp.exe is located in the C:\Windows\System32\Wbem folder); enable Windows Firewall: Define port exception policy to open port 135.
      Task: Delegate access to Group Policy results
        Target computer: Enable the Windows Firewall: Allow remote administration exception Group Policy setting. Configure the following DCOM security settings: DCOM: Machine access restrictions… and DCOM: Machine launch restrictions… These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
        Administrative computer: No changes necessary.
      Task: Remotely edit a Local Group Policy object
        Target computer: Enable the Windows Firewall: Allow file and printer sharing administration exception policy setting. This policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile\.
        Administrative computer: No changes necessary.
      Administering Remote RSoP with GPMC SP1
      The initial release of GPMC used a callback mechanism when waiting for the results of a Group Policy Results or Modeling request. The administrative computer must be "listening" for this response. If Windows Firewall is enabled, Windows will block these responses. Although opening the appropriate ports can address this issue, using the updated Group Policy Management Console (GPMC) with Service Pack 1 completely removes the use of the callback mechanism. We recommend that you install GPMC with Windows Server 2003 Service Pack 1, because this allows Group Policy Results and Modeling to continue to work without opening up ports on the administrative computer. To install GPMC with Windows Server 2003 Service Pack 1, see "Group Policy Management Console with Service Pack 1" on the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=23529.
      In order to administer RSoP remotely, you must enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
      Administering Remote RSoP with the RSoP MMC snap-in
      In order to administer RSoP remotely using the RSoP MMC snap-in, the target computer must listen on the appropriate network ports to ensure that incoming RSoP requests can be serviced. This can be managed through Group Policy using the following policy settings:
      Enable the Windows Firewall: Define program exceptions Group Policy setting to permit Unsecapp.exe. Make sure you enter the full path to Unsecapp.exe.
      Enable the Windows Firewall: Define port exception Group Policy setting and open port 135. Click Show and enter 135:TCP:*:Enabled:135.
      Caution
      Enabling the Windows Firewall: Define port exception Group Policy setting may also allow unwanted data to be accepted on this port. Be sure to fully review this Group Policy setting before enabling it in your environment.
      Enabling this policy setting is not necessary if the Windows Firewall: Allow remote administration exception Group Policy setting is enabled on the administrative computer.
      Delegating access to Group Policy Results
      By default, Group Policy Results and the RSoP snap-in can only be used remotely when the person originating the request is a local administrator on the target computer. Beginning in Windows Server 2003, a delegation model is available that allows this right to be delegated to users who are not Administrators on the target computer. This is a common scenario when help desk personnel require access to computers without being made Administrators on those computers.
      In Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the security model for DCOM authentication (on which RSoP relies) has been strengthened. Even if RSoP delegation has been configured correctly, this strengthening prevents local non-administrators from retrieving RSoP information from a target computer. Note that this issue does not impact Group Policy Modeling, since the request for simulated RSoP data is made against a domain controller running Windows Server 2003, which, by definition, is not running Windows XP.
      You can manage the list of users and groups associated with DCOM authentication through Group Policy. To allow continued use of delegated RSoP, users to whom you want to grant this right must also have access through the DCOM authentication model. For more information about the security changes to DCOM in Windows Server 2003 Service Pack 1, see "DCOM Security Enhancements" earlier in this document.
      Use the following procedure to delegate access to Group Policy Results:
      To delegate access to Group Policy Results
      1. Enable the Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
      2. Set the following DCOM security policy settings on target computers. (They are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
         DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
         DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
      3. Right-click the Group Policy object, and then click Properties.
      4. Click Edit Security. Access Permission opens.
      5. Click Add, and then Select Users, Computers, or Groups opens.
      6. Enter the desired delegation targets.
      Remotely editing a local Group Policy object
      In order to remotely edit a local Group Policy object on a target computer that has Windows Firewall enabled, you need to enable the following policy setting: Windows Firewall: Allow file and printer sharing administration.
      The policy setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain|Standard] Profile\.
