Resultant Set of Policy

Group Policy Resultant Set of Policy (RSoP) reports Group Policy settings that are applied to a user or computer. Group Policy Results in GPMC requests RSoP data from a target computer and presents this in a report in HTML format. Group Policy Modeling requests the same type of information, but the data reported is from a service that simulates RSoP for a combination of computer and user. This simulation is performed on a domain controller running Windows Server 2003 and is then returned to the computer running GPMC for presentation. Finally, the RSoP MMC provides an alternative way to display this information, although Group Policy Results is generally the preferred method.

Changes to RSoP in SP1

In Windows Server 2003 SP1, Windows Firewall is not enabled by default. However, in Windows XP SP2, it is enabled by default. Windows Firewall blocks incoming requests against unopened ports. Enabling a firewall improves protection against many network-based attacks. For example, if Windows Firewall had been enabled, the recent MSBlaster attack would have had much less impact, even if users were not up-to-date with software updates.

More Info

For more information on Windows Firewall, see "Windows Firewall" in this appendix.

If you elect to use Windows Firewall, you should be aware of its effect on RSoP across the network. The following are two important changes to RSoP in Windows Server 2003 SP1:

  • After Windows Firewall is installed on a computer, remote access to RSoP data no longer works from that target computer.

  • When Windows Firewall is enabled, GPMC cannot retrieve RSoP data using Group Policy Results or Group Policy Modeling.

Table B-1 summarizes the changes necessary to support remote RSoP tasks when running Windows XP SP2 or Windows Server 2003 SP1 with Windows Firewall enabled. The sections following the table provide additional information.

Table B-1. RSoP Task Reference

Task: Generate Group Policy Results

  Target computer:
    Enable the Windows Firewall: Allow Remote Administration Exception setting in Group Policy.
    This setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile.

  Administrative computer:
    GPMC with SP1: No action required.
    RSoP snap-in:
      • Enable Windows Firewall: Define Program Exceptions. Configure the program exception list with the full path to Unsecapp.exe so the WMI messages can be transmitted. In a default installation, Unsecapp.exe is located in the C:\Windows\System32\Wbem folder.
      • Enable Windows Firewall: Define Port Exceptions to open port 135.

Task: Delegate access to Group Policy Results

  Target computer:
    Enable the Windows Firewall: Allow Remote Administration Exception setting in Group Policy.
    Configure the following DCOM security settings:
      • DCOM: Machine access restrictions
      • DCOM: Machine launch restrictions
    These policy settings are located in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

  Administrative computer:
    No changes necessary.

Task: Remotely edit a local GPO

  Target computer:
    Enable the Windows Firewall: Allow File And Printer Sharing Administration Exception policy setting.
    This setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\[Domain | Standard] Profile.

  Administrative computer:
    No changes necessary.
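The following script is an added example for this appendix; it is not code from the book or from Microsoft. It audits, on the computer where it runs, the Windows Firewall Group Policy settings that Table B-1 requires for each role (target computer, or administrative computer with either GPMC SP1 or the RSoP snap-in) and reports which settings are missing. It assumes that the policy settings named in the table are written to the registry under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> with the sub-key and value names used in the script; confirm those names in your own environment before relying on the output.

```powershell
# Added example, not code from the book or from Microsoft: audits the Windows Firewall
# Group Policy settings that Table B-1 requires before remote RSoP tasks will work.
# ASSUMPTION: the policy settings named in the table are written to the registry under
# HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile> with the sub-key and value
# names used below. Confirm them in your own environment before relying on the output.
param(
    [ValidateSet('Target', 'Admin')]
    [string]$Role = 'Target',                       # which column of Table B-1 to audit
    [ValidateSet('DomainProfile', 'StandardProfile')]
    [string]$Profile = 'DomainProfile',
    [switch]$RsopSnapIn                             # Admin role: the RSoP MMC rather than GPMC SP1
)

$base   = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$Profile"
$gpPath = "Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\$Profile"

# Read one policy value; $null means the setting is not configured by policy.
function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $key = Join-Path $base $SubKey
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($item -ne $null -and $item.PSObject.Properties[$Name] -ne $null) { return $item.$Name }
    return $null
}

# Return every entry of a policy list key (program or port exceptions) as a string.
function Get-PolicyList {
    param([string]$SubKey)
    $key = Join-Path $base $SubKey
    if (-not (Test-Path $key)) { return @() }
    $item = Get-ItemProperty -Path $key
    @($item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop PSPath, PSProvider, etc.
        ForEach-Object { [string]$_.Value })
}

function New-Finding {
    param([string]$Check, [bool]$Ok, [string]$Remedy)
    $status = 'OK'
    if ($Ok) { $Remedy = '' } else { $status = 'MISSING' }
    New-Object PSObject -Property @{ Check = $Check; Status = $status; Remedy = $Remedy }
}

$findings = @()

if ($Role -eq 'Target') {
    # Needed for Group Policy Results and for delegated RSoP (first two rows of the table).
    $remoteAdmin = Get-PolicyValue 'RemoteAdminSettings' 'Enabled'
    $findings += New-Finding 'Allow Remote Administration Exception' ($remoteAdmin -eq 1) `
        "Enable 'Windows Firewall: Allow Remote Administration Exception' under $gpPath"

    # Needed only to remotely edit the local GPO (third row of the table).
    $fileAndPrint = Get-PolicyValue 'Services\FileAndPrint' 'Enabled'
    $findings += New-Finding 'Allow File And Printer Sharing Exception (local GPO editing)' ($fileAndPrint -eq 1) `
        "Enable the file and printer sharing exception under $gpPath"
}
else {
    if (-not $RsopSnapIn) {
        # GPMC with SP1 no longer uses the callback mechanism, so no firewall change is needed.
        $findings += New-Finding 'GPMC with SP1 (no callback listener required)' $true ''
    }
    else {
        # The RSoP snap-in still receives WMI callbacks: Unsecapp.exe program exception plus TCP 135.
        # List entries are assumed to have the form "<path>:<scope>:Enabled:<name>".
        $programs = Get-PolicyList 'AuthorizedApplications\List'
        $unsecapp = $programs | Where-Object { $_ -match '(?i)\\unsecapp\.exe:.*:Enabled:' }
        $findings += New-Finding 'Program exception for Unsecapp.exe' ([bool]$unsecapp) `
            'Add the full path to Unsecapp.exe (default C:\Windows\System32\Wbem\Unsecapp.exe) to Define Program Exceptions'

        $ports = Get-PolicyList 'GloballyOpenPorts\List'
        $rpc = $ports | Where-Object { $_ -match '^135:TCP:.*:Enabled:' }
        $findings += New-Finding 'Port exception for TCP 135 (RPC endpoint mapper)' ([bool]$rpc) `
            'Add 135:TCP to Define Port Exceptions'
    }
}

$findings | Format-Table Check, Status, Remedy -AutoSize -Wrap
```

Run it with `-Role Target` on a computer that will be the target of Group Policy Results, and with `-Role Admin -RsopSnapIn` on an administrative computer that still uses the RSoP MMC; with GPMC SP1 the administrative side reports nothing to do, which matches the table. The script reads only the policy hive, so a setting configured locally in Windows Firewall rather than through Group Policy is reported as missing.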

Administering Remote RSoP with GPMC SP1

The initial release of GPMC used a callback mechanism when waiting for the results of a Group Policy Results or Group Policy Modeling request. The administrative computer must be "listening" for this response; therefore, if Windows Firewall is enabled, Windows blocks these responses. Although opening the appropriate ports can address this issue, using the updated GPMC with SP1 removes the use of the callback mechanism. You should install GPMC with Windows Server 2003 SP1 to allow Group Policy Results and Group Policy Modeling to continue to work without opening up ports on the administrative computer.

More Info

To install GPMC with Windows Server 2003 SP1, see "Group Policy Management Console with Service Pack 1" at the Microsoft Download Center at http://go.microsoft.com/fwlink/?LinkId=23529.

To administer RSoP remotely, you must enable the Windows Firewall: Allow Remote Administration Exception Group Policy setting on target computers.

Delegating Access to Group Policy Results

By default, Group Policy Results and the RSoP snap-in can be used remotely only when the person originating the request is a local administrator on the target computer. Windows Server 2003 introduces a delegation model that allows this right to be delegated to users who are not administrators on the target computer. This is a common scenario when help desk personnel require access to computers without being made administrator on those computers.

In Windows XP SP2 and Windows Server 2003 SP1, the security model for DCOM authentication (on which RSoP relies) has been strengthened. Even if RSoP delegation has been configured correctly, this strengthening prevents local nonadministrators from retrieving RSoP information from a target computer.

Note

This issue does not affect Group Policy Modeling because the request for simulated RSoP data is made against a domain controller running Windows Server 2003, which, by definition, is not running Windows XP.

You can manage the list of users and groups associated with DCOM authentication through Group Policy. To allow continued use of delegated RSoP, users to whom you want to grant this right must also have access through the DCOM authentication model.
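As an added example (not code from the book or from Microsoft), the following script checks whether a delegated, non-administrator group actually holds the remote DCOM rights controlled by the two "DCOM: Machine ... restrictions" policies that Table B-1 lists for delegated Group Policy Results. It assumes that those policies are stored as SDDL strings in the values MachineAccessRestriction and MachineLaunchRestriction under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, and that the COM access-mask bits for Remote Access and Remote Activation are 4 and 16 respectively. The group name is a placeholder you supply.

```powershell
# Added example, not code from the book or from Microsoft: checks whether a delegated,
# non-administrator group is granted the remote DCOM rights that the "DCOM: Machine access
# restrictions" and "DCOM: Machine launch restrictions" policies control, so that delegated
# Group Policy Results keeps working on Windows XP SP2 / Windows Server 2003 SP1 targets.
# ASSUMPTIONS: the policies are stored as SDDL strings in the values MachineAccessRestriction
# and MachineLaunchRestriction under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DCOM, and the
# COM access-mask bits are COM_RIGHTS_EXECUTE_REMOTE = 4 and COM_RIGHTS_ACTIVATE_REMOTE = 16.
param(
    [Parameter(Mandatory = $true)]
    [string]$Group            # e.g. 'CONTOSO\RSoP Helpdesk' (placeholder account name)
)

$dcomKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DCOM'
$COM_RIGHTS_EXECUTE_REMOTE  = 4     # "Remote Access" in the DCOM security UI
$COM_RIGHTS_ACTIVATE_REMOTE = 16    # "Remote Activation" in the DCOM security UI

# Resolve the account to a SID so it can be matched against the ACEs in the descriptor.
$account = New-Object System.Security.Principal.NTAccount($Group)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier])

function Test-DcomRight {
    param([string]$ValueName, [int]$RequiredMask)

    $sddl = (Get-ItemProperty -Path $dcomKey -ErrorAction SilentlyContinue).$ValueName
    if (-not $sddl) {
        return "${ValueName}: not set by policy; the computer's local DCOM defaults apply"
    }

    # Parse the SDDL with the .NET security descriptor classes (available since .NET 2.0).
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    if ($null -eq $sd.DiscretionaryAcl) {
        return "${ValueName}: no DACL present (a NULL DACL grants everyone access)"
    }

    $allowed = $false
    foreach ($ace in $sd.DiscretionaryAcl) {
        if (-not ($ace -is [System.Security.AccessControl.CommonAce])) { continue }
        if ($ace.SecurityIdentifier -ne $sid) { continue }
        if (($ace.AccessMask -band $RequiredMask) -ne $RequiredMask) { continue }

        # Treat an explicit deny for the group as decisive and report it immediately.
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
            return "${ValueName}: $Group is explicitly DENIED (mask 0x$($ace.AccessMask.ToString('X')))"
        }
        if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
            $allowed = $true
        }
    }

    if ($allowed) { return "${ValueName}: $Group granted" }
    return "${ValueName}: $Group NOT granted the required right; add the group to the policy"
}

# Remote RSoP via WMI needs remote access on the access policy and remote activation on the launch policy.
Test-DcomRight 'MachineAccessRestriction' $COM_RIGHTS_EXECUTE_REMOTE
Test-DcomRight 'MachineLaunchRestriction' $COM_RIGHTS_ACTIVATE_REMOTE
```

Run it on the target computer after the policy has refreshed. A group that is missing from either restriction will fail remote RSoP even when the RSoP delegation on the GPO side is correct, which is exactly the symptom the preceding paragraphs describe; the script only checks direct membership of the group's SID in the ACL, so a right inherited through a nested group is not detected.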
