Use this command to obtain the Resultant Set of
Policy (RSoP) for a particular user on a system. This command considers
all of the security settings for both the computer and the user and
creates a resultant policy—the policy that actually affects the user's
security setup on the system. Microsoft provides a wealth of articles on
RSoP. For example, you can see how RSoP affects Internet Protocol
Security (IPSec) assignments at http://technet2.microsoft.com/windowsserver/en/library/35675107-c728-47cd-8ad9-bfd2d5e7fe0a1033.mspx. You'll also find an excellent article on planning and logging RSoP at http://www.windowsnetworking.com/articles_tutorials/Resultant-Set-Policy-Planning-Logging.html. This command uses the following syntax:
GPRESULT [/S system [/U [domain\]user [/P [password]]]]
[/SCOPE {USER | COMPUTER}] [/USER [domain\]targetuser] [/V | /Z]
The following list describes each of the command line arguments.
/S system
Specifies the remote system that you want to check. In most cases, you'll also need to supply the /U and the /P command line switches when using this switch.
/U [domain\]user
Specifies the username on the remote system. This name may not match the username on the local system. You'll need to supply a domain name when working with a domain controller.
/P [password]
Specifies the password for the given user. You can provide the command line switch without specifying the password on the command line in cleartext. The system prompts you for the password. Using this feature can help you maintain the security of passwords used on your system.
/USER [domain\]targetuser
Displays RSoP data for the specified user. You can check the information of users in other domains by including the user domain.
/SCOPE {USER | COMPUTER}
Specifies the scope of the output. You can display the user or computer information separately. The utility displays both user and computer information when you omit this command line switch.
/V
Displays verbose information about the user or computer. The amount of additional information you receive varies by system. The utility displays detail-specific settings that have a precedence of 1.
/Z
Displays superverbose information about the user or computer. The amount of additional information you receive varies by system. The utility displays detail-specific settings that have a precedence of 1 or higher. Using this command line switch lets you see whether a setting is set in multiple places.
Much of the Microsoft documentation leads you to believe that this utility is useless without having Active Directory installed. However, even without Active Directory, you can discover security information about a user with this utility. For example, you can verify that the system views the workstation as stand-alone, check the user's group participation, and verify local policies for the user.
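The stand-alone and group-participation checks described above can be scripted for auditing. The following PowerShell is an added example, not part of the original text: the function name Get-RsopSummary is hypothetical, the sample text is constructed rather than captured from a real system, and the parser assumes English-language GPRESULT output with the headings shown in the sample.

```powershell
function Get-RsopSummary {
    param(
        # GPRESULT output lines; when omitted, query the current user locally.
        [string[]]$Lines = (& gpresult.exe /SCOPE USER /V)
    )
    $os = $null
    $groups = New-Object 'System.Collections.Generic.List[string]'
    $inGroups = $false
    foreach ($line in $Lines) {
        $text = "$line".Trim()
        if ($text -match '^OS Configuration:\s*(.+)$') {
            $os = $Matches[1]
        }
        elseif ($text -like 'The user is a part of the following security groups*') {
            $inGroups = $true            # group names follow this heading
        }
        elseif ($inGroups -and $text -notmatch '^-+$') {   # skip the underline row
            if ($text) { $groups.Add($text) }
            elseif ($groups.Count -gt 0) { $inGroups = $false }  # blank line ends the list
        }
    }
    [pscustomobject]@{
        OSConfiguration = $os
        IsStandalone    = ($os -match 'Standalone')
        Groups          = $groups.ToArray()
        IsLocalAdmin    = ($groups -contains 'BUILTIN\Administrators')
    }
}

# Constructed sample modelled on English GPRESULT output (assumed layout).
$sample = @'
OS Configuration:            Standalone Workstation

    The user is a part of the following security groups
    ---------------------------------------------------
        Everyone
        BUILTIN\Users
        BUILTIN\Administrators

'@ -split "`r?`n"

$summary = Get-RsopSummary -Lines $sample
$summary | Format-List
if ($summary.IsLocalAdmin) {
    Write-Warning 'User is a member of BUILTIN\Administrators; confirm this is intended.'
}
```

Calling Get-RsopSummary with no arguments runs GPRESULT against the current user on the local system instead of the embedded sample.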