Resultant Set of Policy (RSoP)

Applies To:Windows Server 2003 with SP1
What does Resultant Set of Policy do?
Group Policy ResultantSet of Policy (RSoP) reports Group Policy settings thatareapplied to a user or computer. Group Policy
Results in Group Policy Management Console(GPMC) requests RSoP data from a target computer and presents this in a report
in HTML format. Group Policy Modeling requests thesametype of information, but the data reported is from a servicethat
simulates RSoP for a combination of computer and user.This simulation is performed on a domain controller running
Windows Server 2003 and is then returned to thecomputer running GPMC for presentation.Finally, the RSoP Microsoft
Management Console(MMC) provides an alternative way to display this information,although Group Policy Results is
generally the preferred method.
Who does this feature apply to?
Group Policy administrators in an Active Directory domain environment. In addition,an IT professional who needs to plan or
validatetheapplication of Group Policy might beinterested in RSoP.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
RSoP Use with Windows Firewall Enabled
Detailed description
In Windows XP Service Pack 2 (SP2),Windows Firewall is enabled by default. Incoming requests against unopened ports—as
opposed to responses to requests originated from thecomputer—are blocked by Windows Firewall. In Windows Server 2003
Service Pack 1 (SP1),Windows Firewall is notenabled by default.
If you elect to use Windows Firewall,you should beaware of theimpact on its use on RSoP across the network.
For moreinformation about Windows Firewall, see”Windows Firewall,” in this document.
Why is this change important?
Enabling a firewall, such as Windows Firewall, provides more protection from many network-based attacks.For example, if
Windows Firewall had been enabled therecent MSBlaster attack would have been greatly reduced in impact, regardless of
whether users were up-to-date with patches.
What works differently?
Therearetwo important changes to RSoP in Windows Server 2003 SP1.
After Windows Firewall is installed on a computer, remoteaccess to RSoP data no longer works from that target
computer.
If Windows Firewall is enabled, when GPMC is run for the purpose of using Group Policy Results or Group Policy
Modeling to retrieve RSoP data it will be unableto retrievethis data.
How do I resolve these issues?
Thefollowing tablesummarizes thechanges necessary to fully support remote RSoP tasks when running Windows XP SP2 or
Windows Server 2003 SP1 with Windows Firewall enabled. Pleaseseethesections below for further details.
Task Target Computer Administrative Computer
Generate
Group
Policy
results
Enable Windows Firewall Allow remote
administration exception Group Policy
setting.
This Group Policy setting is located in
Computer Configuration \Administrative
Templates\Network \Network
Connections\Windows Firewall\[Domain |
Standard] Profile\.
GPMC with SP1.
No action required.
RSoP snap-in.
Enable Windows Firewall: Define program exceptions. Configurethe
program exception list with thefull path to Unsecapp.exeso that the
WMI messages can betransmitted. In a default installation
Unsecapp.exeis located in the C:\Windows\System32\Wbem folder.
Enable Windows Firewall: Define port exception policy to open
Port 135.
Delegate
access to
Group
Policy
results
Enable Windows Firewall: Allow remote
administration exception Group Policy
setting.
Configurethefollowing DCOM security
settings:
DCOM: Machineaccess restrictions…
DCOM: Machinelaunch restrictions…
These policy settings arelocated in
Computer Configuration\Windows
Settings\Security Settings\Local
Policies\Security Options.
No changes necessary
Remotely
edita
Local
Group
Policy
object
Enable Windows Firewall: Allow file and
printer sharing administration exception
policy setting.
This policy setting is located in Computer
Configuration \Administrative
Templates\Network \Network
Connections\Windows Firewall\[Domain |
Standard] Profile\.
No changes necessary.
Administering Remote RSoP with GPMC SP1
Theinitial release of GPMC used a callback mechanism when waiting for theresults of a Group Policy Results or Modeling
request.Theadministrativecomputer must be”listening” for this response. If Windows Firewall is enabled,Windows will block
theseresponses. Although opening theappropriate ports can address this issue, using the updated Group Policy Management
Console(GPMC) with Service Pack 1 completely removes the use of thecallback mechanism.Werecommend thatyou install
GPMC with Windows Server 2003 Service Pack 1, becausethis allows Group Policy Results and Modeling to continueto work
without opening up ports on theadministrativecomputer.To install GPMC with Windows Server 2003 Service Pack 1, see
“Group Policy Management Console with Service Pack 1” on the Microsoft Download Center at
http://go.microsoft.com/fwlink/?LinkId=23529.
In order to administer RSoP remotely,you mustenablethe Windows Firewall: Allow remote administration exception
Group Policy setting on target computers.
Administering Remote RSoP with the RSoP MMC snap-in
In order to administer RSoP remotely using the RSoP MMC snap-in, thetarget computer must listen on theappropriate
network ports to ensurethat incoming RSoP requests can beserviced.This can be managed through Group Policy using the
following policy settings:
Enablethe Windows Firewall: Define program exceptions Group Policy setting to permit Unsecapp.exe. Makesure
you enter thefull path to Unsecapp.exe.
Enablethe Windows Firewall: Define port exception Group Policy setting and open Port 135. Click Show and enter
135:TCP:*:Enabled:135.
Caution
Enabling the Windows Firewall: Define port exception Group Policy setting may also allow unwanted data to beaccepted
on this port. Besureto fully review this Group Policy setting beforeenabling it in your environment.
Enabling this policy setting is not necessary if the Windows Firewall: Allow remote administration exception Group
Policy setting is enabled on theadministrativecomputer.
Delegating access to Group Policy Results
By default, Group Policy Results and the RSoP snap-in can only be used remotely when the person originating therequest is a
local administrator on thetarget computer. Beginning in Windows Server 2003,a delegation model is availablethatallows this
right to be delegated to users who are not Administrators on thetarget computer.This is a common scenario when help desk
personnel requireaccess to computers without being made Administrators on thosecomputers.
In Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, thesecurity model for DCOM authentication (on
which RSoP relies) has been strengthened.Even if RSoP delegation has been configured correctly, this strengthening prevents
local non-administrators from retrieving RSoP information from a target computer. Notethat this issue does not impact Group
Policy Modeling, sincetherequest for simulated RSoP data is madeagainsta domain controller running Windows
Server 2003, which, by definition, is not running Windows XP.
You can managethelist of users and groups associated with DCOM authentication through Group Policy.To allow continued
use of delegated RSoP, users to whom you want to grant this right mustalso haveaccess through the DCOM authentication
model.For moreinformation about thesecurity changes to DCOM in Windows Server 2003 Service Pack 1, see”DCOM
Security Enhancements”earlier in this document.
Usethefollowing procedureto delegateaccess to Group Policy Results:
To delegate access to Group Policy Results
1. Enablethe Windows Firewall: Allow remote administration exception Group Policy setting on target computers.
2. Set thefollowing DCOM security policy settings on target computers. (They arelocated in Computer
Configuration\Windows Settings\Security Settings\Local Policies\Security Options.)
DCOM: Machine access restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
3. Right-click the Group Policy object,and then click Properties.
4. Click Edit Security. Access Permission opens.
5. Click Add,and then Select Users, Computers, or Groups opens.
6. Enter the desired delegation targets.
Remotely editing a local Group Policy object
In order to remotely edita local Group Policy object on a target computer that has Windows Firewall enabled,you need to
enablethefollowing policy setting: Windows Firewall: Allow file and printer sharing administration.
The policy setting is located in Computer Configuration\AdministrativeTemplates\Network\Network Connections\Windows
Firewall\[Domain|Standard] Profile\.