Thursday, February 03, 2005

Getting the Resultant Set of Policy from XP SP2 clients

Before Windows XP SP2, administrators using Group Policy could query the Resultant Set of Policy (RSoP) of a client directly from the Group Policy Management Console, which is included by default in Small Business Server 2003.

With the installation of Windows XP SP2 on client computers, the Windows Firewall closes off the ports required to query the client. At least it does if you've got all your Windows updates. :) If your Windows Firewalls are not turned on, you should really consider running the Update for Windows Small Business Server 2003: KB 872769, which configures Group Policy on your network to enable the firewall on each client.

We did some research to make sure this is the most secure set of firewall configurations, without blocking too much functionality.

Now back to the question at hand. How can I get the RSOP of the client from the server? Well, I recently came across two methodologies for doing this.

  1. The first method is to modify the Group Policy settings on your network to open the ports and programs on each Windows Firewall-enabled PC so that you can have this functionality. To learn how to do this, simply follow the instructions in KB 883611. Once these steps are completed, you can query the RSOP whenever you like.

  2. The second method is more of a push methodology. Using the Group Policy Monitor, the client will send the RSOP to a location on the server each time policy is applied to it. This enables you to keep the ports closed for a more secure environment and still have the RSOP functionality available.

Those are the two main ways I've found to enable the query functionality; each has its pros and cons. Alternatively, you could use Remote Web Workplace or Remote Assistance to load the desktop of the client and run RSOP.msc from the client computer. This does exactly the same thing, and no ports need to be opened beyond the Remote Assistance ports.
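The push approach of the second method can also be scripted without the Group Policy Monitor tool. The following is an added example, not code from the original post or from GPMonitor: a script assigned as both a Startup script (argument `computer`) and a Logon script (argument `user`) that writes a `gpresult` report to a server share each time policy is applied, so no inbound ports need to be opened on the client. It assumes a share named `\\SBSSERVER\RSoP$` on which Domain Computers and Domain Users have write-only (drop box) access; both are assumptions, not from the post.

```batch
@echo off
rem Added example (not from the original post or the GPMonitor tool).
rem Assumptions: the share \\SBSSERVER\RSoP$ exists and Domain Computers /
rem Domain Users have write-only (drop box) access, so clients cannot read
rem each other's reports.
setlocal EnableExtensions

set RSOPSHARE=\\SBSSERVER\RSoP$

rem Assign this script twice in Group Policy:
rem   Computer Configuration > Windows Settings > Scripts > Startup, argument: computer
rem   User Configuration     > Windows Settings > Scripts > Logon,   argument: user
set SCOPE=%~1
if /i "%SCOPE%"=="computer" goto :run
if /i "%SCOPE%"=="user"     goto :run
echo Usage: %~nx0 computer^|user
exit /b 1

:run
if /i "%SCOPE%"=="computer" (set REPORT=%RSOPSHARE%\%COMPUTERNAME%-computer.txt) else (set REPORT=%RSOPSHARE%\%COMPUTERNAME%-%USERNAME%-user.txt)

rem Build the report locally first, then copy it in one step, so a network
rem drop mid-run cannot leave a half-written file on the share.
set TMPFILE=%TEMP%\rsop-%SCOPE%.txt
(
  echo Generated %DATE% %TIME% on %COMPUTERNAME% by %USERDOMAIN%\%USERNAME%
  gpresult /scope %SCOPE% /v
) > "%TMPFILE%" 2>&1

copy /y "%TMPFILE%" "%REPORT%" >nul
if errorlevel 1 (
  rem Record the failure in the client's Application log so an unreachable
  rem share is visible to the administrator instead of silently skipped.
  eventcreate /l APPLICATION /t WARNING /id 900 /so RSoPPush /d "Could not copy RSoP report to %RSOPSHARE%" >nul 2>&1
  del "%TMPFILE%"
  exit /b 1
)
del "%TMPFILE%"
exit /b 0
```

The Startup script runs as SYSTEM, so the computer account writes the computer-scope report; the Logon script runs as the user and writes the user-scope report.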