In order to view the policy (the code group hierarchy and the list of known named permission sets) for a policy level, the -list option is used:
Caspol -list
This shows the code group hierarchy and the known named permission sets at the default policy level (for administrators that is the machine policy level; for other users it is the user policy level).
It is possible to explicitly direct an option at either the machine or the user policy level. To do so, simply prefix the option with -machine or -user. This can be used to list the policy of either the machine or the user level, as shown below:
Caspol -machine -list
Caspol -user -list
If the policy of both the machine and the user level should be listed, use -all instead of -machine or -user, as shown below:
Caspol -all -list
This will list both the machine and the user policy.
Generally, the output format of the -list option is:
Microsoft (R) COM+ Caspol [Version] - the policy manipulation tool
Copyright (c) Microsoft Corp 1999-1999. All rights reserved.
Security is [ON|OFF]
Execution Checking is [ON|OFF]
Policy Change Prompt is [ON|OFF]
Level = [Machine|User]
Code Groups:
1. [(FirstMatchCodeGroup)] MemberShipConditionName [- Value] : PermSetName
   [(FirstMatchCodeGroup)] MemberShipCondName [- Value] : PermSetName
   ...
Named Permission Sets:
1. Permission Set:Pset_name,(Description)
   <Pset Xml>
2. Permission Set:Pset_name,(Description)
   <Pset Xml>
As can be seen, code groups are labelled with a reference number. This number is used in other CASPol options to refer back to a specific code group. The membership condition name and, if present, the membership condition value are listed, followed by the name of the permission set associated with that code group. If the code group merges the permissions of its child code groups using First Match logic, this is indicated by (FirstMatchCodeGroup). The default merge logic is to take the union of the permissions granted by the child code groups (for more information on this, please refer to the Policy Specification).
Following the code group hierarchy is the list of the named permission sets known at that policy level.
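A small parser for this listing format, added here as an example and not part of the CASPol tool or its documentation: it turns the code group lines and the named permission set entries into records, so that a policy review can ask which code groups grant a given permission set. It assumes that reference numbers are dotted hierarchical labels (1.2.1.) and works on a constructed sample listing rather than real tool output.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed "Caspol -list" sample in the layout above; dotted labels (1.2.1.), names and values are assumptions.
SAMPLE_LISTING = """\
Level = Machine
Code Groups:
1. All code: Nothing
   1.1. Zone - MyComputer: FullTrust
   1.2. (FirstMatchCodeGroup) Zone - Intranet: LocalIntranet
      1.2.1. Url - file://server/share/*: FullTrust
Named Permission Sets:
1. Permission Set:FullTrust,(Allows full access to all resources)
<PermissionSet class="NamedPermissionSet" Unrestricted="true"/>
"""

class CodeGroup(NamedTuple):
    label: str            # reference number that other CASPol options use to address the group
    first_match: bool     # listed as (FirstMatchCodeGroup); otherwise child grants are unioned
    condition: str        # membership condition name, e.g. Zone, Url, All code
    value: Optional[str]  # membership condition value, when the condition carries one
    permset: str          # named permission set granted by this group

GROUP_RE = re.compile(r"^(?P<label>\d+(?:\.\d+)*)\.\s+(?P<fm>\(FirstMatchCodeGroup\)\s+)?"
                      r"(?P<cond>[^:]+?)(?:\s+-\s+(?P<value>.+))?\s*:\s*(?P<permset>[^:]+?)\s*$")
PSET_RE = re.compile(r"^\d+\.\s+Permission Set:(?P<name>[^,]+),\((?P<desc>.*)\)\s*$")

def parse_listing(text: str) -> Tuple[str, List[CodeGroup], List[Tuple[str, str]]]:
    """Return (policy level, code groups, named permission sets) from a -list dump."""
    level, groups, psets, section = "", [], [], None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line in ("Code Groups:", "Named Permission Sets:"):
            section = line                       # switch between the two listings
        elif line.startswith("Level = "):
            level = line[len("Level = "):]
        elif section == "Code Groups:":
            m = GROUP_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised code group line: {line!r}")
            groups.append(CodeGroup(m["label"], m["fm"] is not None,
                                    m["cond"].strip(), m["value"], m["permset"]))
        elif section == "Named Permission Sets:":
            m = PSET_RE.match(line)              # the <Pset Xml> lines that follow are skipped
            if m:
                psets.append((m["name"], m["desc"]))
    return level, groups, psets

def groups_granting(groups: List[CodeGroup], permset: str) -> List[str]:
    """Labels of the code groups that grant a named set, e.g. to review every FullTrust grant."""
    return [g.label for g in groups if g.permset == permset]
```

Running groups_granting over a real listing with "FullTrust" gives the reference numbers to pass to other CASPol options when a grant turns out to be broader than intended.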