RSoP overview

Resultant Set of Policy (RSoP) is an addition to Group Policy that makes policy implementation and
troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then
reports the results of those queries. It polls existing policies based on site, domain, domain controller, and
organizational unit. RSoP gathers this information from the Common Information Management Object Model
(CIMOM) database (otherwise known as CIM-compliant object repository) through Windows Management
Instrumentation (WMI).
RSoP provides details about all policy settings that are configured by an Administrator, including
Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and
Group Policy Software Installation.
When policies are applied on multiple levels (for example, site, domain, domain controller, and
organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their
precedence (the order in which policies are applied).
RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the
effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing
policy settings for a computer and user that is currently logged on.
The Resultant Set of Policy Wizard helps you create an RSoP query. You can open the wizard from Microsoft
Management Console (MMC), Active Directory Users and Computers, or Active Directory Sites and Services.
You must run the wizard at least once to create an RSoP query. When complete, the wizard displays the
query results in the RSoP snap-in in MMC. From here, you can save, change, and refresh your queries. You
can create many RSoP queries by adding multiple Resultant Set of Policy snap-ins to MMC, one RSoP snap-in
per query.

RSoP and the CIMOM database

RSoP uses the CIMOM database through WMI. When a computer logs on to a network, information such as
the computer hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings,
Scripts, Folder Redirection settings, and Security Settings, is written to the CIMOM database. When you start
RSoP in logging mode, RSoP reports policy settings that have been applied from information provided in the
CIMOM database.

RSoP, Active Directory, and policy precedence

Unlike the CIMOM database, Active Directory® directory services stores objects regardless of the state of a
computer or user. Group Policy uses Group Policy objects (GPOs) in Active Directory to store policy settings.
With Group Policy, administrators can:
• Deploy registry keys (Administrative Templates)
• Deploy software (Group Policy Software Installation)
• Deploy security: Safer, IPSec (Security Settings)
• Deploy scripts: logon, logoff, startup, shutdown (Scripts)
• Configure the browser (Internet Explorer Maintenance)
After you define a policy setting for an object, it is applied the next time that object logs on. When an object
logs on to a network, the policy settings are applied in the following order:
• Local policy
• Site-level policy
• Domain-level policy
• Domain controller policy (if the domain controller is left in the domain controller container)
• Organizational unit policy
When a Group Policy object overwrites the settings of a different GPO that was applied previously, the new
GPO has precedence over the GPO that it has overwritten. When a Group Policy object has a no overwrite
attribute, it has precedence over all of the policies that are applied subsequently. RSoP can simulate and test
the application of policy settings and precedence to Group Policy objects in Active Directory.

RSoP and Group Policy Software Installation

A significant part of Group Policy are the software settings extensions, which monitor Group Policy Software
Installation. In an RSoP report, RSoP displays which applications are available for any given user or
computer, as well as any software setting changes that are advertised or applied. By identifying all of the
software that is available for a given user, as well as updates and configuration changes, RSoP makes
deployment scenario planning and implementation easier.

RSoP and security issues

RSoP provides the following features that you can use to determine which comprehensive security policy
meets your needs:
• Provides security templates for creating and assigning security settings for one or more computers. A security template is a file
representation of a security setting configuration. It can be applied to a local computer or it can be imported to a Group Policy object
in Active Directory. When you import a security template to a Group Policy object, Group Policy processes the security template and
makes the corresponding changes to the members of that Group Policy object, which can be users or computers. RSoP verifies those
changes. By polling the system and displaying the resultant policy, RSoP indicates a misapplied or overwritten policy setting and the
policy setting's precedence, which enables you to fix a security breach.
• RSoP reports the scope of a Group Policy object according to security group membership. RSoP does this through Group Policy
filtering.
• Processes and displays the resulting policy for any computer or user. Through individual security settings, Administrators can define a
security policy in Active Directory that contains specific security settings for nearly all security areas. Security settings in a local
Group Policy object can also establish a security policy on a local computer. When there are conflicts, security settings that are
defined in Active Directory always override any security settings that are defined locally.