Resultant Set of Policy (RSoP)
As you become more familiar with Group Policy, both at the local and Active Directory levels, you will quickly see that they can be very complex. The complexity results not only from the numerous settings that are available within a single Group Policy, but also from the fact that many policies can be applied, and at many different areas within the enterprise. When these settings finally apply to the computer and user on a Windows XP Professional computer, it can be very difficult, because of the array of settings from all the GPOs, to determine the final policies that are applied. Microsoft has gone to great lengths with Windows XP Professional to help decipher the complexity of GPOs and security settings that are possible. Microsoft has done this with three fantastic tools: Group Policy Result (gpresult), Group Policy Update (gpupdate), and the RSoP snap-in.
Group Policy Result
The first tool, Group Policy Result, is a command-line tool. This tool gives you the Resulting Set of Policy (RSoP) that applies to your computer and user accounts. The tool is extremely simple to run and is easy to read when it spits the results back to you. All you need to do is start a command prompt and type gpresult, as shown in Figure 3.4.
Figure 3.4 Group Policy Result output for the RSoP.
Group Policy Update
It is well known that Group Policies automatically refresh by default. So, when you configure any new setting in the Local or Active Directory Group Policies, the settings will automatically refresh for both the computer and user. For some situations, this is not sufficient, though. You might be testing out new policies and want to see the results immediately, or want to force a new security policy to a department of users immediately. If you need to force a policy immediately, you need only to run the Group Policy Update command-line tool, gpupdate. This tool will investigate the Local and Active Directory–based Group Policies and apply them immediately to both the computer and user accounts. You do not need to run any switches with the tool, but if you want better control, you can use the primary switches listed next:
U: (Computer, User)—Allows explicit refreshing of either the computer or user portions of the policies that need to be applied.
/force—Reapplies all settings in the policies, whereas if no switches are used, only the changed policies apply.
/logoff—Some user-based Group Policy settings exist (such as Folder Redirection) that do not apply until the user logs off and back on. With this switch, the user will be logged off automatically after the other policies refresh.
/boot—Like the user settings, some computer settings require a reboot (such as software deployment). With this switch, the computer will automatically reboot after the other policies refresh.
The final tool for determining the RSoP is the new RSoP snap-in. This tool enables you to investigate the policies in a GUI interface, which can then be saved to a file or website for archiving. To open this tool, open up a new MMC and add the RSoP snap-in. When you open the tool, you will have the following options for your Windows XP Professional computer:
Computer Scope—You have the choice of selecting either your computer or another computer on the network (as long as you have administrative credentials on the remote computer). You are also able to eliminate the computer portion of the RSoP, if you want to see only user-based settings.
User Scope—You can select the currently logged on user or another user who can access the local computer. Again, you must have the correct privileges to view another user’s RSoP. You can also eliminate the user portion of the RSoP, if you want to see only the computer-based settings.
When the tool is run and finishes, it gives you the results in the MMC that you initially opened. Figure 3.5 shows the resulting RSoP format, which is the same format as the original Group Policy Editor.
Figure 3.5 RSoP snap-in results for both the local computer and currently logged-on user.