Resultant Set of Policy (RSoP) is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then reports the results of those queries. It polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (otherwise known as CIM-compliant object repository) through Windows Management Instrumentation (WMI).
RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.
When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their precedence (the order in which policies are applied).
RSoP consists of two modes: planning mode and logging mode. With planning mode, you can simulate the effect of policy settings that you want to apply to a computer and user. Logging mode reports the existing policy settings for a computer and user that is currently logged on.
The Resultant Set of Policy Wizard helps you create an RSoP query. You can open the wizard from Microsoft Management Console (MMC), Active Directory Users and Computers, or Active Directory Sites and Services. You must run the wizard at least once to create an RSoP query. When complete, the wizard displays the query results in the RSoP snap-in in MMC. From here, you can save, change, and refresh your queries. You can create many RSoP queries by adding multiple Resultant Set of Policy snap-ins to MMC, one RSoP snap-in per query.
RSoP uses the CIMOM database through WMI. When a computer logs on to a network, information such as the computer hardware, Group Policy Software Installation settings, Internet Explorer Maintenance settings, Scripts, Folder Redirection settings, and Security Settings, is written to the CIMOM database. When you start RSoP in logging mode, RSoP reports policy settings that have been applied from information provided in the CIMOM database.
Unlike the CIMOM database, Active Directory® directory services stores objects regardless of the state of a computer or user. Group Policy uses Group Policy objects (GPOs) in Active Directory to store policy settings. With Group Policy, administrators can:
After you define a policy setting for an object, it is applied the next time that object logs on. When an object logs on to a network, the policy settings are applied in the following order:
When a Group Policy object overwrites the settings of a different GPO that was applied previously, the new GPO has precedence over the GPO that it has overwritten. When a Group Policy object has a no overwrite attribute, it has precedence over all of the policies that are applied subsequently. RSoP can simulate and test the application of policy settings and precedence to Group Policy objects in Active Directory.
A significant part of Group Policy are the software settings extensions, which monitor Group Policy Software Installation. In an RSoP report, RSoP displays which applications are available for any given user or computer, as well as any software setting changes that are advertised or applied. By identifying all of the software that is available for a given user, as well as updates and configuration changes, RSoP makes deployment scenario planning and implementation easier.
RSoP provides the following features that you can use to determine which comprehensive security policy meets your needs: