GPResult command: diagnostics of the resulting group policies. Give a detailed description of the server's policy regarding

When you install Windows, most of the non-essential subsystems are neither activated nor installed. This is done for security reasons: because the system is secure by default, administrators can focus on building a server that does exactly what it is meant to do and nothing else. To help you enable the features you want, Windows prompts you to select a server role.

Roles

A server role is a set of programs that, when properly installed and configured, enable a computer to perform a specific function for multiple users or other computers on a network. In general, all roles have the following characteristics.

  • They define the primary function, purpose, or use of a computer. You can dedicate a computer to one role that is heavily used in the enterprise, or assign it several roles, each of which is used only occasionally.
  • Roles give users throughout the organization access to resources that are managed by other computers, such as websites, printers, or files stored on different computers.
  • They usually have their own databases that queue user or computer requests or record information about network users and computers associated with a role. For example, Active Directory Domain Services contains a database for storing the names and hierarchical relationships of all computers on a network.
  • Once correctly installed and configured, roles operate automatically. This allows the computers on which they are installed to perform their assigned tasks with limited user interaction.

Role Services

Role services are programs that provide the functionality of a role. When you install a role, you can choose which services it provides to other users and computers in the enterprise. Some roles, such as the DNS server, perform only one function, so there are no role services for them. Other roles, such as Remote Desktop Services, have several services that you can install based on your enterprise's remote access needs. A role can be thought of as a collection of closely related, complementary role services. In most cases, installing a role means installing one or more of its services.

Components

Components (features) are programs that are not directly part of a role, but support or extend the functionality of one or more roles or of the whole server, regardless of which roles are installed. For example, the Failover Clustering feature extends other roles, such as File Services and DHCP Server, by allowing them to join server clusters, which provides increased redundancy and performance. Another feature, the Telnet Client, allows remote communication with a Telnet server over a network connection and so extends the communication options of the server.

When Windows Server is running in Server Core mode, the following server roles are supported:

  • Active Directory Certificate Services;
  • Active Directory Domain Services;
  • DHCP Server;
  • DNS Server;
  • File Services (including File Server Resource Manager);
  • Active Directory Lightweight Directory Services;
  • Hyper-V;
  • Print and Document Services;
  • Streaming Media Services;
  • Web Server (including a subset of ASP.NET);
  • Windows Server Update Services;
  • Active Directory Rights Management Services;
  • Routing and Remote Access Server and the following subordinate roles:
    • Remote Desktop Connection Broker;
    • Licensing;
    • Virtualization.

When Windows Server is running in Server Core mode, the following server features are supported:

  • Microsoft .NET Framework 3.5;
  • Microsoft .NET Framework 4.5;
  • Windows PowerShell;
  • Background Intelligent Transfer Service (BITS);
  • BitLocker Drive Encryption;
  • BitLocker Network Unlock;
  • BranchCache;
  • Data Center Bridging;
  • Enhanced Storage;
  • Failover Clustering;
  • Multipath I/O;
  • Network Load Balancing;
  • Peer Name Resolution Protocol (PNRP);
  • qWave;
  • Remote Differential Compression;
  • Simple TCP/IP Services;
  • RPC over HTTP Proxy;
  • SMTP Server;
  • SNMP Service;
  • Telnet Client;
  • Telnet Server;
  • TFTP Client;
  • Windows Internal Database;
  • Windows PowerShell Web Access;
  • Windows Activation Service;
  • Windows Standards-Based Storage Management;
  • WinRM IIS Extension;
  • WINS Server;
  • WoW64 Support.

Installing server roles using Server Manager

To add a role, open Server Manager and, in the Manage menu, click Add Roles and Features. The Add Roles and Features Wizard opens; click Next and work through the wizard pages:

  • Installation Type: select Role-based or feature-based installation and click Next.
  • Server Selection: select our server and click Next.
  • Server Roles: select the required roles, then select their role services, and click Next to select features.

During this procedure, the Add Roles and Features Wizard automatically warns you of conflicts on the destination server that may prevent the installation or normal operation of the selected roles or features. You are also prompted to add the roles, role services, and features that the selected roles or features require.

Installing roles with PowerShell

Open Windows PowerShell and enter the Get-WindowsFeature command to view the list of available and installed roles and features on the local server. The output of this cmdlet contains the command names of the roles and features that are installed or available for installation.

Type Get-Help Install-WindowsFeature to view the syntax and valid parameters of the Install-WindowsFeature cmdlet.

Enter the following command, substituting the command name of the role or feature (-Restart restarts the server automatically if the installation requires it):

Install-WindowsFeature -Name <feature-name> -Restart
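Added example (this script is not from the article): it checks which of the requested roles are already present before installing, installs only the missing ones together with their management tools, and reports whether a restart is pending. It assumes the feature names shown by Get-WindowsFeature (Web-Server, Web-Filtering, Web-Http-Logging, Web-Mgmt-Console, RDS-RD-Server, RDS-Licensing) and an elevated PowerShell session on Windows Server.

```powershell
# Added example, not the article's own code: idempotent role installation with a
# pre-check, so the log shows what was already present and whether a reboot is pending.
Import-Module ServerManager

function Install-MissingFeature {
    param(
        [Parameter(Mandatory)][string[]]$Name,   # feature names as listed by Get-WindowsFeature
        [switch]$Restart                         # pass through to -Restart when a reboot is acceptable
    )
    # Query the current state first; Get-WindowsFeature throws on an unknown name,
    # which is the behaviour we want for a typo in the feature list.
    $state   = Get-WindowsFeature -Name $Name
    $present = @($state | Where-Object { $_.Installed })
    $missing = @($state | Where-Object { -not $_.Installed })

    foreach ($f in $present) { Write-Host "already installed: $($f.Name)" }
    if ($missing.Count -eq 0) { return }

    # -IncludeManagementTools adds the matching console/scripts (e.g. IIS Manager for Web-Server)
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools -Restart:$Restart
    if (-not $result.Success) {
        throw "installation failed with exit code $($result.ExitCode)"
    }
    foreach ($f in $result.FeatureResult) { Write-Host "installed: $($f.Name)" }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'a restart is required before the new roles are usable'
    }
    $result
}

# IIS with only the role services discussed below: request filtering, HTTP logging, the console
Install-MissingFeature -Name 'Web-Server', 'Web-Filtering', 'Web-Http-Logging', 'Web-Mgmt-Console'

# RD Session Host and RD Licensing for the terminal server walkthrough below
Install-MissingFeature -Name 'RDS-RD-Server', 'RDS-Licensing' -Restart
```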

Description of roles and role services

All roles and role services are described below. First we look in more detail at the two roles most common in our practice: the Web Server role and Remote Desktop Services.

Detailed description of IIS

  • Common HTTP Features - basic HTTP components:
    • Default Document - allows you to set the index page for a site.
    • Directory Browsing - allows users to view the contents of a directory on the web server. Use Directory Browsing to automatically generate a list of all directories and files in a directory when users do not specify a file in the URL and the index page is disabled or not configured.
    • HTTP Errors - allows you to customize the error messages returned to clients in the browser.
    • Static Content - allows you to publish static content, such as images or HTML files.
    • HTTP Redirection - provides support for redirecting user requests.
    • WebDAV Publishing - allows you to publish files to the web server using the HTTP protocol.
  • Health and Diagnostics - diagnostic components:
    • HTTP Logging - provides logging of website activity for a given server.
    • Custom Logging - provides support for creating custom logs that differ from the "traditional" logs.
    • Logging Tools - provide a framework for managing web server logs and automating common logging tasks.
    • ODBC Logging - provides a framework that supports logging of web server activity to an ODBC-compliant database.
    • Request Monitor - provides a framework for monitoring the state of web applications by collecting information about HTTP requests in an IIS worker process.
    • Tracing - provides a framework for diagnosing and troubleshooting web applications. By using failed request tracing, you can track hard-to-find events such as poor performance or authentication failures.
  • Performance - components that increase the performance of the web server:
    • Static Content Compression - provides a framework for configuring HTTP compression of static content.
    • Dynamic Content Compression - provides a framework for configuring HTTP compression of dynamic content.
  • Security - security components:
    • Request Filtering - allows you to capture all incoming requests and filter them based on rules set by the administrator.
    • Basic Authentication - allows you to require additional authorization.
    • Centralized SSL Certificate Support - allows you to store certificates in a central location, such as a file share.
    • Client Certificate Mapping Authentication - uses client certificates to authenticate users.
    • Digest Authentication - works by sending a password hash to a Windows domain controller to authenticate users. If you need a higher level of security than Basic Authentication provides, consider using Digest Authentication.
    • IIS Client Certificate Mapping Authentication - uses client certificates to authenticate users. A client certificate is a digital ID obtained from a trusted source.
    • IP and Domain Restrictions - allows you to allow or deny access based on the IP address or domain name of the request.
    • URL Authorization - allows you to create rules that restrict access to web content.
    • Windows Authentication - this authentication scheme allows Windows domain administrators to take advantage of the domain infrastructure for user authentication.
  • Application Development Features
  • FTP Server:
    • FTP Service - enables FTP publishing on the web server.
    • FTP Extensibility - enables support for FTP features that extend the functionality of
  • Management Tools:
    • IIS Management Console - installs IIS Manager, which allows you to manage the web server through a GUI.
    • IIS 6.0 Management Compatibility - provides forward compatibility for applications and scripts that use the Admin Base Object (ABO) and the Active Directory Service Interface (ADSI) API. This allows existing IIS 6.0 scripts to be used with the IIS 8.0 web server.
    • IIS Management Scripts and Tools - provide the infrastructure to manage the IIS web server programmatically, using commands at the command line or by running scripts.
    • Management Service - provides the infrastructure for customizing the IIS Manager user interface.

Detailed description of RDS

  • Remote Desktop Connection Broker - Provides client device reconnection to programs based on desktop and virtual desktop sessions.
  • Remote Desktop Gateway - Allows authorized users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet.
  • Remote Desktop Licensing - RDP License Management Tool
  • Remote Desktop Session Host - Includes a server to host RemoteApp programs or a desktop-based session.
  • Remote Desktop Virtualization Host - allows you to configure RDP on virtual machines
  • Remote Desktop WebAccess - Allows users to connect to desktop resources using the Start menu or web browser.

Consider installing and configuring a terminal (Remote Desktop) license server. Installing roles was described above, and installing RDS is no different from installing other roles: in Role Services, select Remote Desktop Licensing and Remote Desktop Session Host. After installation, the Terminal Services item appears under Tools in Server Manager. It contains two items: RD Licensing Diagnoser, a tool for diagnosing the operation of remote desktop licensing, and Remote Desktop Licensing Manager, a license management tool.

Run RD Licensing Diagnoser

Here we can see that no licenses are available yet because the licensing mode is not set for the RD Session Host server. The license server is specified in local group policy. To launch the editor, run gpedit.msc. In the Local Group Policy Editor, expand the following nodes in the tree on the left:

  • Computer Configuration
  • Administrative Templates
  • Windows Components
  • Remote Desktop Services
  • Remote Desktop Session Host
  • Licensing

Open the Use the specified Remote Desktop license servers policy.

In the policy editing window, set the policy to Enabled. Next, you must specify the license server for Remote Desktop Services. In my example, the license server is located on the same physical server. Specify the network name or IP address of the license server and click OK. If the name or address of the license server changes in the future, you will need to change it in the same place.

After that, RD Licensing Diagnoser shows that the terminal license server is configured but not activated. To activate it, run Remote Desktop Licensing Manager.

Select the license server with the status Not Activated. To activate it, right-click it and select Activate Server. The Activate Server Wizard starts. On the Connection Method page, select Automatic connection. Next, fill in the information about your organization, after which the license server is activated.
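Added example (not part of the article): it reads back the licensing state the walkthrough above configures, the same facts RD Licensing Diagnoser reports, so the result can be checked from a script rather than the GUI. The registry path written by the Licensing policies and the Win32_TerminalServiceSetting WMI class are assumed from Windows, not taken from the article; run it in an elevated PowerShell on the RD Session Host.

```powershell
# Added example, not the article's own code: report the RD licensing configuration
# from both the policy registry values and the effective Terminal Services settings.
function Get-RdLicensingState {
    # Assumed path: where "Use the specified Remote Desktop license servers" and
    # "Set the Remote Desktop licensing mode" store their values once Enabled.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Effective settings on the RD Session Host as seen by the Terminal Services WMI provider
    $ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TerminalServiceSetting
    $list = Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList
    $servers = @($list.SpecifiedLSList | Where-Object { $_ })

    [pscustomobject]@{
        PolicyLicenseServers = $policy.LicenseServers   # comma-separated names set by the policy, or $null
        PolicyLicensingMode  = $policy.LicensingMode    # 2 = Per Device, 4 = Per User, or $null
        EffectiveServers     = $servers
        EffectiveMode        = $ts.LicensingName        # text form of LicensingType
        # The Diagnoser only stops warning once both a license server and a mode are set
        Ready                = ($servers.Count -gt 0) -and ($ts.LicensingType -in 2, 4)
    }
}

$state = Get-RdLicensingState
$state
if (-not $state.Ready) {
    Write-Warning 'No license server or licensing mode is set: RD Licensing Diagnoser will report that no licenses are available.'
}
```

The policy values are empty until the policies are set, while the effective values also reflect settings made locally in Remote Desktop Licensing Manager, so comparing the two shows whether the GPO is actually what configured the host.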

Active Directory Certificate Services

AD CS provides configurable services for issuing and managing the digital certificates used in software security systems that rely on public key technologies. Digital certificates issued by AD CS can be used for encryption and for digitally signing electronic documents and messages. They can also be used to authenticate computer, user, and device accounts on the network. Digital certificates are used to provide:

  • privacy through encryption;
  • integrity through digital signatures;
  • authentication by linking certificate keys to computer, user, and device accounts on the network.

AD CS can be used to improve security by binding the identity of a user, device, or service to a corresponding private key. Uses supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private networks (VPN), IPsec, Encrypting File System (EFS), smart card logon, Secure Sockets Layer/Transport Layer Security (SSL/TLS), and digital signatures.

Active Directory Domain Services

Using the Active Directory Domain Services (AD DS) server role, you can create a scalable, secure, and manageable infrastructure for managing users and resources; you can also provide directory-enabled applications such as Microsoft Exchange Server. Active Directory Domain Services provides a distributed database that stores and manages information about network resources and directory-enabled application data. The server that is running AD DS is called a domain controller. Administrators can use AD DS to organize network elements such as users, computers, and other devices into a hierarchical nested structure. The hierarchical nested structure includes the Active Directory forest, the domains in the forest, and the organizational units in each domain. Security features are integrated into AD DS in the form of authentication and access control to resources in the directory. With single sign-on, administrators can manage directory information and organization over the network. Authorized network users can also use network single sign-on to access resources located anywhere on the network. Active Directory Domain Services provides the following additional features.

  • A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of those objects, and the format of their names.
  • A global catalog that contains information about every object in the directory. Users and administrators can use the global catalog to search directory data regardless of which domain in the directory actually contains the data.
  • A query and indexing mechanism through which objects and their properties can be published and located by network users and applications.
  • A replication service that distributes directory data across the network. All writable domain controllers in a domain participate in replication and hold a complete copy of all directory data for their domain. Any change to directory data is replicated to all domain controllers in the domain.
  • Operations master roles (also known as flexible single master operations, or FSMO roles). Domain controllers that hold operations master roles perform special tasks that ensure data consistency and prevent conflicting directory entries.

Active Directory Federation Services

AD FS provides end users who need access to applications in an AD FS-secured enterprise, in federation partner organizations, or in the cloud with simplified and secure identity federation and web single sign-on (SSO). Windows Server AD FS includes the Federation Service role service, which acts either as an identity provider (authenticates users and issues security tokens to applications that trust AD FS) or as a federation provider (consumes tokens from other identity providers and then issues security tokens to applications that trust AD FS).

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service that provides flexible support for directory-enabled applications without the dependencies and domain-specific restrictions of Active Directory Domain Services. AD LDS can run on member or standalone servers. You can run multiple instances of AD LDS with independently managed schemas on the same server. With the AD LDS role, you can provide directory services to directory-enabled applications without using domain and forest data and without requiring a single forest-wide schema.

Active Directory Rights Management Services

You can use AD RMS to extend your organization's security strategy by securing documents using Information Rights Management (IRM). AD RMS allows users and administrators to assign access permissions to documents, workbooks, and presentations using IRM policies. This allows you to protect confidential information from being printed, forwarded, or copied by unauthorized users. Once a file's permissions are restricted using IRM, access and usage restrictions apply regardless of the location of the information, because the file's permission is stored in the document file itself. With AD RMS and IRM, individual users can apply their own preferences regarding the transfer of personal and confidential information. They will also help an organization enforce corporate policies to control the use and distribution of sensitive and personal information. The IRM solutions supported by AD RMS are used to provide the following capabilities.

  • Persistent usage policies that stay with information whether it is moved, sent, or forwarded.
  • An additional layer of privacy to protect sensitive data - such as reports, product specifications, customer information, and email messages - from intentionally or accidentally falling into the wrong hands.
  • Prevent unauthorized sending, copying, editing, printing, faxing, or pasting of restricted content by authorized recipients.
  • Prevent copying of restricted content using the PRINT SCREEN feature in Microsoft Windows.
  • Support for file expiration, preventing document content from being viewed after a specified period of time.
  • Implement corporate policies that govern the use and distribution of content within the organization.

Application Server

Application Server provides an integrated environment for deploying and running custom server-based business applications.

DHCP Server

DHCP is a client-server technology that allows DHCP servers to assign, or lease, IP addresses to computers and other devices that are DHCP clients. Deploying DHCP servers on a network automatically provides client computers and other network devices with valid IPv4 and IPv6 addresses and the additional configuration settings these clients and devices require. The DHCP Server service in Windows Server includes support for policy-based assignment and DHCP failover.

DNS Server

The DNS service is a hierarchical distributed database containing mappings of DNS domain names to various types of data, such as IP addresses. The DNS service allows you to use friendly names such as www.microsoft.com to locate computers and other resources on TCP/IP-based networks. The Windows Server DNS service provides further enhanced support for DNS Security Extensions (DNSSEC), including network registration and automated control parameters.

FAX Server

Fax Server sends and receives faxes, and allows you to manage fax resources such as jobs, settings, reports, and fax devices on your fax server.

File and Storage Services

Administrators can use the File and Storage Services role to set up multiple file servers and their storages, and to manage those servers using Server Manager or Windows PowerShell. Some specific applications include the following features.

  • Work Folders. Use to allow users to store and access work files on personal computers and devices other than corporate PCs. Users get a convenient place to store work files and access them from anywhere, while the organization controls corporate data by storing the files on centrally managed file servers and optionally setting user device policies (such as encryption and screen lock passwords).
  • Data Deduplication. Use to reduce the disk space required for storing files, saving money on storage.
  • iSCSI Target Server. Use to create centralized, software-based and hardware-independent iSCSI disk subsystems in storage area networks (SANs).
  • Storage Spaces. Use to deploy storage that is highly available, resilient, and scalable using cost-effective, industry-standard drives.
  • Server Manager. Use to remotely manage multiple file servers from a single window.
  • Windows PowerShell. Use to automate the management of most file server administration tasks.

Hyper-V

The Hyper-V role allows you to create and manage a virtualized computing environment using the virtualization technology built into Windows Server. Installing the Hyper-V role installs the required components and, optionally, management tools. The required components include the Windows hypervisor, the Hyper-V Virtual Machine Management service, the virtualization WMI provider, and virtualization components such as VMbus, the Virtualization Service Provider (VSP), and the Virtual Infrastructure Driver (VID).

Network Policy and Access Services

Network Policy and Access Services provides the following network connectivity solutions:

  • Network Access Protection is a technology for creating, enforcing, and remediating client health policies. With Network Access Protection, system administrators can set and automatically enforce health policies that include requirements for software, security updates, and other settings. For client computers that do not comply with the health policy, you can restrict access to the network until their configuration is updated to comply with the requirements of the policy.
  • If 802.1X-enabled wireless access points are deployed, you can use Network Policy Server (NPS) to deploy certificate-based authentication methods that are more secure than password-based authentication. Deploying 802.1X-enabled hardware with an NPS server allows intranet users to be authenticated before they can connect to the network or obtain an IP address from a DHCP server.
  • Instead of configuring a network access policy on each network access server, you can centrally create all the policies that define every aspect of network connection requests (who can connect, when a connection is allowed, and the security level that must be used to connect to the network).

Print and Document Services

Print and Document Services allows you to centralize print server and network printer tasks. This role also allows you to receive scanned documents from network scanners and upload documents to network shares - to a Windows SharePoint Services site or via email.

Remote Access

The Remote Access Server role is a logical grouping of the following network access technologies.

  • Direct Access
  • Routing and remote access
  • Web Application Proxy

These technologies are the role services of the Remote Access Server role. When you install the Remote Access Server role, you can install one or more of its role services by running the Add Roles and Features Wizard.

On Windows Server, the Remote Access Server role provides the ability to centrally administer, configure, and monitor DirectAccess and VPN with Routing and Remote Access Service (RRAS) remote access services. DirectAccess and RRAS can be deployed on the same Edge Server and managed using Windows PowerShell commands and Remote Access Management Console (MMC).

Remote Desktop Services

Remote Desktop Services accelerates and expands the deployment of desktops and applications on any device, making the remote worker more efficient while securing critical intellectual property and simplifying compliance. Remote Desktop Services includes Virtual Desktop Infrastructure (VDI), session-based desktops, and applications, giving users the ability to work from anywhere.

Volume Activation Services

Volume Activation Services is a server role in Windows Server, starting with Windows Server 2012, that automates and simplifies the issuance and management of volume licenses for Microsoft software in a variety of scenarios and environments. With Volume Activation Services, you can install and configure the Key Management Service (KMS) and Active Directory-based activation.

Web Server (IIS)

The Web Server (IIS) role in Windows Server provides a platform for hosting Web sites, services, and applications. Using a web server provides access to information to users on the Internet, intranet, and extranet. Administrators can use the Web Server (IIS) role to set up and manage multiple websites, web applications, and FTP sites. Special features include the following.

  • Use Internet Information Services (IIS) Manager to configure IIS components and administer websites.
  • Use the FTP protocol to allow website owners to upload and download files.
  • Use website isolation to prevent one website on the server from affecting others.
  • Customize web applications developed using various technologies such as Classic ASP, ASP.NET, and PHP.
  • Use Windows PowerShell to automate most web server administration tasks.
  • Consolidate multiple web servers into a server farm that can be managed using IIS.

Windows Deployment Services

Windows Deployment Services allows you to deploy Windows operating systems over a network, which means you don't have to install each operating system directly from a CD or DVD.

Windows Server Essentials Experience

This role allows you to perform the following tasks:

  • protect server and client data by backing up the server and all client computers on the network;
  • manage users and user groups through a simplified server dashboard. In addition, integration with Windows Azure Active Directory provides users with easy access to Microsoft Online Services (such as Office 365, Exchange Online, and SharePoint Online) using their domain credentials;
  • store company data in a centralized location;
  • integrate the server with Microsoft Online Services (such as Office 365, Exchange Online, SharePoint Online, and Windows Intune);
  • use ubiquitous access features on the server (such as remote web access and virtual private networks) to access the server, network computers, and data from highly secure remote locations;
  • access data from anywhere and from any device using the organization's own web portal (through remote web access);
  • manage the mobile devices that access your organization's email with Office 365 via the Active Sync protocol from the dashboard;
  • monitor network health and receive customizable health reports; reports can be generated on demand, customized, and emailed to specific recipients.

Windows Server Update Services

The WSUS server provides the components that administrators need to manage and distribute updates through the management console. In addition, the WSUS server can be the source of updates for other WSUS servers in the organization. When implementing WSUS, at least one WSUS server on the network must be connected to Microsoft Update to receive information about available updates. Depending on the network's security and configuration, an administrator can determine how many other servers are directly connected to Microsoft Update.

GPResult.exe is a console utility designed to analyze settings and diagnose the group policies applied to a computer and/or user in an Active Directory domain. In particular, GPResult lets you obtain the Resultant Set of Policy (RSoP), the list of applied domain policies (GPOs), their settings, and detailed information about errors in their processing. The utility has been part of Windows since Windows XP. GPResult answers questions such as whether a particular policy applies to a computer, which GPO changed a particular Windows setting, and why.

In this article, we will look at the specifics of using the GPResult command to diagnose and debug the application of group policies in an Active Directory domain.

Initially, to diagnose the application of group policies in Windows, the RSOP.msc graphical console was used, which made it possible to obtain the settings of the resulting policies (domain + local) applied to the computer and user in a graphical form similar to the GPO editor console (below, in the example of the RSOP.msc console view, you can see that the update settings are set).

However, the RSOP.msc console is impractical in modern versions of Windows: it does not reflect settings applied by various client-side extensions (CSEs) such as Group Policy Preferences (GPP), it has no search, and it provides little diagnostic information. Therefore, at present the GPResult command is the main tool for diagnosing the application of GPOs in Windows (Windows 10 even shows a warning that RSOP does not give a complete report, unlike GPResult).

Using the GPResult.exe utility

The GPResult command is run on the computer on which you want to check the application of group policies. The GPResult command has the following syntax:

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope] [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

To get detailed information about the group policies that apply to a given AD object (user and computer) and other settings related to the GPO infrastructure (i.e. the resulting GPO policy settings, RSoP), run the command:

gpresult /r

The results of the command execution are divided into 2 sections:

  • COMPUTER SETTINGS (Computer configuration) – the section contains information about GPO objects that affect the computer (as an Active Directory object);
  • USER SETTINGS – user section of policies (policies that apply to a user account in AD).

Let's briefly go over the main parameters/sections of the GPResult output that may be of interest to us:

  • Site Name - the name of the AD site in which the computer is located;
  • CN - the full canonical name of the user/computer for which the RSoP data was generated;
  • Last time Group Policy was applied - the time when group policies were last applied;
  • Group Policy was applied from - the domain controller from which the latest version of the GPO was loaded;
  • Domain Name and Domain Type - the Active Directory domain name and schema version;
  • Applied Group Policy Objects - the list of active group policy objects;
  • The following GPOs were not applied because they were filtered out - GPOs that were not applied (filtered);
  • The user/computer is a part of the following security groups - the domain groups the user (or computer) is a member of.

In our example, you can see that the user object is affected by 4 group policies.

  • Default Domain Policy;
  • Enable Windows Firewall;
  • DNS Suffix Search List.

If you do not want the console to display information about both user policies and computer policies at the same time, you can use the /scope option to display only the section you are interested in. Only resulting user policies:

gpresult /r /scope:user

or only applied computer policies:

gpresult /r /scope:computer

Because the gpresult utility writes its output directly to the command-line console, which is not always convenient for later analysis, its output can be redirected to the clipboard:

gpresult /r |clip

or text file:

gpresult /r > c:\gpresult.txt

To display super-detailed RSOP information, add the /z switch.

HTML RSOP report using GPResult

In addition, the GPResult utility can generate an HTML report on the resultant policies (available in Windows 7 and later). This report contains detailed information about all system settings that are set by group policies and the names of the specific GPOs that set them (the structure of the report resembles the Settings tab in the Group Policy Management Console, GPMC). You can generate an HTML GPResult report using the command:

GPResult /h c:\gp-report\report.html /f

To generate a report and automatically open it in a browser, run the command:

GPResult /h GPResult.html & GPResult.html

The gpresult HTML report contains quite a lot of useful information: GPO application errors and the processing time (in ms) of specific policies and CSEs (client-side extensions) are visible under Computer Details -> Component Status. For example, in the screenshot above, you can see that the "24 passwords remembered" setting is applied by the Default Domain Policy (Winning GPO column). As you can see, such an HTML report is much more convenient for analyzing the applied policies than the rsop.msc console.

Getting GPResult data from a remote computer

GPResult can also collect data from a remote computer, eliminating the need for an administrator to log in locally or RDP to a remote computer. The command format for collecting RSOP data from a remote computer is as follows:

GPResult /s server-ts1 /r

Similarly, you can collect both user policy and computer policy data remotely.

username has no RSOP data

With UAC enabled, running GPResult without elevated privileges only displays the settings of the user section of Group Policy. If you need to display both sections (USER SETTINGS and COMPUTER SETTINGS) at the same time, the command must be run from an elevated command prompt. If the elevated command prompt is running under an account other than the current user's, the utility will issue the warning INFO: The user "domain\user" does not have RSOP data. This is because GPResult tries to collect information for the user who ran it, but since that user has not logged on to the system, no RSOP information is available for them. To collect RSOP information for a user with an active session, you need to specify their account:

gpresult /r /user:tn\edward

If you don't know the name of the account that is logged in on the remote computer, you can get the account like this:

qwinsta /SERVER:remotePC1

Also check the time on the client: it must match the time on the PDC (Primary Domain Controller).

The following GPO policies were not applied because they were filtered out

When troubleshooting group policies, you should also pay attention to the section The following GPOs were not applied because they were filtered out. This section lists the GPOs that, for one reason or another, do not apply to this object. Possible reasons why a policy may not be applied:

You can also understand whether the policy should be applied to a specific AD object on the Effective Permissions tab (Advanced -> Effective Access).
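The following PowerShell script is an added example and is not part of the original article. It ties together the remote collection (gpresult /s ... /user ... /r), the optional HTML report (/h ... /f) and the "filtered out" section described above: it runs gpresult against a remote computer for a user with an active session and parses the text output into lists of applied and filtered GPOs, keeping the filtering reason for each filtered GPO so that policies denied by security filtering are easy to spot. The computer name, user name and the sample gpresult output at the end are constructed for illustration; the parser relies only on the section headings shown in this article.

```powershell
# Added example, not from the original article: collect "gpresult /r" output for a
# user session on a remote computer and summarise applied vs. filtered GPOs.
# Assumptions: the caller has admin rights on the target (required by gpresult /s)
# and the target user has an active session (otherwise "does not have RSOP data").

function ConvertFrom-GpResultText {
    # Parses the text of "gpresult /r" into applied and filtered GPO lists for both
    # the COMPUTER SETTINGS and USER SETTINGS sections.
    param([Parameter(Mandatory)][string[]]$Lines)

    $result = @{
        Computer = @{ Applied = @(); Filtered = @() }
        User     = @{ Applied = @(); Filtered = @() }
    }
    $scope = $null; $section = $null; $pending = $null

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^COMPUTER SETTINGS') { $scope = 'Computer'; $section = $null; continue }
        if ($line -match '^USER SETTINGS')     { $scope = 'User';     $section = $null; continue }
        if ($line -match '^Applied Group Policy Objects')         { $section = 'Applied';  continue }
        if ($line -match '^The following GPOs were not applied')  { $section = 'Filtered'; continue }
        if ($line -match '^The (user|computer) is a part of')     { $section = $null;      continue }
        if ($line -eq '' -or $line -match '^-+$') { continue }      # blank lines and heading underlines
        if ($line -match '^Filtering:\s*(.+)$') {
            # The "Filtering:" line gives the reason for the GPO named on the previous line
            if ($pending) { $pending.Reason = $Matches[1] }
            $pending = $null
            continue
        }
        if (-not $scope -or -not $section) { continue }          # header lines such as CN=..., site name, DC name
        if ($section -eq 'Applied') {
            $result[$scope].Applied += $line
        } elseif ($section -eq 'Filtered') {
            $pending = [pscustomobject]@{ Name = $line; Reason = '' }
            $result[$scope].Filtered += $pending
        }
    }
    return $result
}

function Get-RsopSummary {
    # Runs gpresult against a remote computer; -UserName must be a user with an
    # active session there (DOMAIN\user). -HtmlPath additionally saves the HTML report.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$UserName,
        [string]$HtmlPath
    )
    $gpArgs = @('/s', $ComputerName, '/r')
    if ($UserName) { $gpArgs += @('/user', $UserName) }
    $text = & gpresult.exe @gpArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed on $ComputerName`: $text" }
    if ($HtmlPath) {
        $hArgs = @('/s', $ComputerName, '/h', $HtmlPath, '/f')
        if ($UserName) { $hArgs += @('/user', $UserName) }
        & gpresult.exe @hArgs | Out-Null
    }
    ConvertFrom-GpResultText -Lines $text
}

# Constructed sample (shape follows gpresult /r; all names are invented for the example)
$sample = @'
USER SETTINGS
--------------
    CN=Edward,OU=Users,DC=tn,DC=local
    Last time Group Policy was applied: 9/1/2020 at 8:15:02 AM
    Group Policy was applied from:      dc01.tn.local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        DNS Suffix Search List

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
        Drive Mapping Policy
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@ -split "`r?`n"

$summary = ConvertFrom-GpResultText -Lines $sample
$summary.User.Applied                                        # Default Domain Policy, DNS Suffix Search List
$summary.User.Filtered | Where-Object Reason -like 'Denied*'  # GPOs blocked by security filtering

# Live use (assumed names): Get-RsopSummary -ComputerName server-ts1 -UserName 'tn\edward' -HtmlPath C:\gp-report\server-ts1.html
```

"Not Applied (Empty)" is normal for an empty local policy; a "Denied (Security)" or "Denied (WMI Filter)" entry is the one worth following up with the Effective Access check mentioned above.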

So, in this article, we reviewed the features of diagnosing the application of group policies using the GPResult utility and reviewed typical scenarios for its use.

The functionality of the Windows Server operating system grows and improves from version to version; there are more and more roles and features, so in today's article I will try to briefly describe the purpose of each role in Windows Server 2016.

Before moving on to the description of Windows Server roles, let's find out what exactly a "Server Role" is in the Windows Server operating system.

What is a "Server Role" in Windows Server?

A Server Role is a software package that ensures that the server performs a certain function, and this function is the main one. In other words, a "Server Role" is the purpose of the server, i.e. what it is for. So that the server can perform its main function, i.e. a certain role, the "Server Role" includes all the software necessary for this (programs, services).

The server can have one role if it is actively used, or several if each of them does not heavily load the server and is rarely used.

A server role can include multiple role services that provide the functionality of the role. For example, the "Web Server (IIS)" server role includes a fairly large number of role services, while the "DNS Server" role does not include any role services, because this role performs only one function.

Role Services can be installed all together or individually, depending on your needs. Essentially, installing a role means installing one or more of its services.

Windows Server also has server "Features".

Server features are software tools that are not a server role themselves, but extend the capabilities of one or more roles, or manage one or more roles.

Some roles cannot be installed if the server lacks the role services or features that are required for the role to function. Therefore, when installing such roles, the "Add Roles and Features Wizard" will itself automatically prompt you to install the necessary additional role services or features.

Description of Windows Server 2016 server roles

You are probably already familiar with many of the roles in Windows Server 2016, since they have been around for quite some time, but, as I said, each new version of Windows Server adds new roles that you may not have worked with yet, and it is worth knowing what they are for, so let's start looking at them.

Note! You can read about the new features of the Windows Server 2016 operating system in the material "Windows Server 2016 installation and overview of new features".

Since very often the installation and administration of roles, services and components occurs using Windows PowerShell, I will indicate for each role and its service a name that can be used in PowerShell, respectively, for its installation or for management.
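As an added example (not from the article): the ServerManager cmdlets Get-WindowsFeature, Install-WindowsFeature and Uninstall-WindowsFeature accept exactly the PowerShell names listed below. The script walks a role and its role services, installs roles by name (with -WhatIf to preview), and compares the installed roles against an expected baseline so that roles nobody asked for stand out; since every extra role widens what the server exposes, this audit is the practical counterpart of the "install only what you need" principle. The baseline (DHCP and DNS) is an assumed value chosen for illustration, and the script relies on the SubFeatures property of the feature objects to find a role's role services.

```powershell
# Added example, not from the original article: manage and audit server roles by
# their PowerShell names using the ServerManager module that ships with Windows Server.
# Assumption: the expected-roles baseline used at the end is illustrative only.

Import-Module ServerManager

function Get-RoleServiceTree {
    # Lists a role and, recursively, its role services
    # (e.g. Web-Server -> Web-WebServer -> Web-Security -> Web-Filtering ...).
    param([Parameter(Mandatory)][string]$Name, [int]$Depth = 0)
    $feature = Get-WindowsFeature -Name $Name
    if (-not $feature) { return }
    [pscustomobject]@{
        Name        = $feature.Name
        DisplayName = ('  ' * $Depth) + $feature.DisplayName   # indent by nesting level
        Installed   = $feature.Installed
    }
    foreach ($sub in $feature.SubFeatures) {                    # SubFeatures holds the child feature names
        Get-RoleServiceTree -Name $sub -Depth ($Depth + 1)
    }
}

function Install-RoleByName {
    # Installs one or more roles together with their management tools;
    # -WhatIf shows what would be installed without changing the server.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    if ($PSCmdlet.ShouldProcess($ComputerName, "Install $($Name -join ', ')")) {
        $r = Install-WindowsFeature -Name $Name -IncludeManagementTools -ComputerName $ComputerName
        if ($r.RestartNeeded -eq 'Yes') {
            Write-Warning "$ComputerName needs a restart to finish installing $($Name -join ', ')"
        }
        return $r
    }
}

function Compare-RoleBaseline {
    # Reports installed roles that are not in the expected baseline ("Unexpected")
    # and baseline roles that are not installed ("Missing").
    param([Parameter(Mandatory)][string[]]$ExpectedRoles)
    $installed = @(Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' })
    foreach ($role in $installed) {
        if ($ExpectedRoles -notcontains $role.Name) {
            [pscustomobject]@{ Name = $role.Name; DisplayName = $role.DisplayName; Status = 'Unexpected' }
        }
    }
    foreach ($name in $ExpectedRoles) {
        if ($installed.Name -notcontains $name) {
            [pscustomobject]@{ Name = $name; DisplayName = ''; Status = 'Missing' }
        }
    }
}

# Usage
Get-RoleServiceTree -Name Web-Server | Format-Table Name, DisplayName, Installed
Install-RoleByName -Name DHCP, DNS -WhatIf
Compare-RoleBaseline -ExpectedRoles DHCP, DNS | Format-Table      # baseline is a constructed example
```

Run Compare-RoleBaseline against the role list you actually documented for a server; anything reported as Unexpected is either an undocumented dependency pulled in by the wizard or something that should be removed with Uninstall-WindowsFeature.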

DHCP server

This role allows you to centrally configure dynamic IP addresses and related settings for computers and devices on your network. The DHCP Server role does not have role services.

The name for Windows PowerShell is DHCP.

DNS server

This role is intended for name resolution in TCP/IP networks. The DNS Server role provides and maintains DNS. To simplify the management of a DNS server, it is usually installed on the same server as Active Directory Domain Services. The DNS Server role does not have role services.

The role name for PowerShell is DNS.

Hyper-V

With the Hyper-V role, you can create and manage a virtualized environment. In other words, it is a tool for creating and managing virtual machines.

The role name for Windows PowerShell is Hyper-V.

Device health attestation

The "Device Health Attestation" role allows you to evaluate the health of a device based on measured security indicators, such as the state of Secure Boot and BitLocker on the client.

For this role to function, a lot of role services and features are required, for example: several services from the "Web Server (IIS)" role, the " " feature, and the ".NET Framework 4.6 Features" feature.

During installation, all required role services and features are selected automatically. The "Device Health Attestation" role has no role services.

The name for PowerShell is DeviceHealthAttestationService.

Web server (IIS)

Provides a reliable, manageable, and scalable web application infrastructure. Consists of a fairly large number of services (43).

The name for Windows PowerShell is Web-Server.

Includes the following role services (in brackets I will indicate the name for Windows PowerShell):

Web server (Web-WebServer)- A group of role services that provides support for HTML websites, ASP.NET extensions, ASP, and the web server. Consists of the following services:

  • Security (Web-Security) - a set of services to ensure the security of the web server:
    • Request filtering (Web-Filtering) - using these tools, you can process all requests coming to the server and filter these requests based on special rules set by the web server administrator;
    • IP address and domain restrictions (Web-IP-Security) - these tools allow you to allow or deny access to content on a web server based on the IP address or domain name of the source in the request;
    • URL Authorization (Web-Url-Auth) - tools allow you to design rules to restrict access to web content and associate them with users, groups, or HTTP header commands;
    • Digest Authentication (Web-Digest-Auth) - this authentication method provides a higher level of security than basic authentication. Digest authentication works by sending a hash of the password to a Windows domain controller for verification;
    • Basic Authentication (Web-Basic-Auth) - this authentication method offers the best web browser compatibility. It is recommended for small internal networks. Its main disadvantage is that passwords transmitted over the network can be easily intercepted and read, so use this method only in combination with SSL;
    • Windows Authentication (Web-Windows-Auth) is an authentication based on Windows domain authentication. In other words, you can use Active Directory accounts to authenticate users of your Web sites;
    • Client Certificate Mapping Authentication (Web-Client-Auth) - This authentication method uses a client certificate. This type uses Active Directory services to provide certificate mapping;
    • IIS Client Certificate Mapping Authentication (Web-Cert-Auth) - this method also uses client certificates for authentication, but uses IIS to provide the certificate mapping. This type provides better performance;
    • Centralized SSL certificate support (Web-CertProvider) - these tools allow you to centrally manage SSL server certificates, which greatly simplifies the process of managing these certificates;
  • Serviceability and diagnostics (Web-Health)– a set of services for monitoring, managing and troubleshooting web servers, sites and applications:
    • HTTP Logging (Web-Http-Logging) - these tools provide logging of website activity on this server, i.e. writing to the log;
    • ODBC Logging (Web-ODBC-Logging) – These tools also provide logging of website activity, but they support logging that activity to an ODBC-compliant database;
    • Request Monitor (Web-Request-Monitor) is a tool that allows you to monitor the health of a web application by intercepting information about HTTP requests in the IIS worker process;
    • Custom Logging (Web-Custom-Logging) - Using these tools, you can configure logging of web server activity in a format that differs significantly from the standard IIS format. In other words, you can create your own logging module;
    • Logging tools (Web-Log-Libraries) are tools for managing web server logs and automating logging tasks;
    • Tracing (Web-Http-Tracing) is a tool for diagnosing and resolving violations in web applications.
  • http Common Functions (Web-Common-Http)– a set of services that provide basic HTTP functionality:
    • Default Document (Web-Default-Doc) - This feature allows you to configure the web server to return a default document when users do not specify a specific document in the request URL, making it easier for users to access website, for example, by domain, without specifying a file;
    • Directory Browsing (Web-Dir-Browsing) - This tool can be used to configure a web server so that users can view a list of all directories and files on a website. For example, for cases where users do not specify a file in the request URL, and default documents are either disabled or not configured;
    • HTTP Errors (Web-Http-Errors) – this feature allows you to customize the error messages returned to users' web browsers when the web server detects an error. It is used to present error messages to users in a clearer way;
    • Static content (Web-Static-Content) - this tool allows you to use content on a web server in the form of static file formats, such as HTML files or image files;
    • http redirect (Web-Http-Redirect) - using this feature, you can redirect a user request to a specific destination, i.e. this is Redirect;
    • WebDAV Publishing (Web-DAV-Publishing) - allows you to use WebDAV technology on the IIS web server. WebDAV (Web Distributed Authoring and Versioning) is a technology that allows users to work together (read, edit, read properties, copy, move) on files on remote web servers using the HTTP protocol.
  • Performance (Web-Performance) - a set of services to achieve higher web server performance through output caching and common compression mechanisms such as Gzip and Deflate:
    • Static Content Compression (Web-Stat-Compression) is a tool for configuring compression of static HTTP content; it allows more efficient use of bandwidth without unnecessary CPU load;
    • Dynamic Content Compression (Web-Dyn-Compression) is a tool for configuring compression of dynamic HTTP content. It also makes more efficient use of bandwidth, but the CPU load associated with dynamic compression can slow down the site if the CPU is heavily loaded even without compression.
  • Application Development (Web-App-Dev)- a set of services and tools for developing and hosting web applications, in other words, website development technologies:
    • ASP (Web-ASP) is an environment for supporting and developing web sites and web applications using ASP technology. At the moment, there is a newer and more advanced website development technology - ASP.NET;
    • ASP.NET 3.5 (Web-Asp-Net) is an object-oriented development environment for web sites and web applications using ASP.NET technology;
    • ASP.NET 4.6 (Web-Asp-Net45) is also an object-oriented development environment for web sites and web applications using the new version of ASP.NET;
    • CGI (Web-CGI) is the ability to use CGI to pass information from a web server to an external program. CGI is a kind of interface standard for connecting an external program to a web server. There is a drawback, the use of CGI affects performance;
    • Server Side Includes (SSI) (Web-Includes) is support for the SSI scripting language, which is used to dynamically generate HTML pages;
    • Application initialization (Web-AppInit) - this tool performs the tasks of initializing web applications before sending a web page;
    • WebSocket Protocol (Web-WebSockets) - Adds the ability to create server applications that communicate using the WebSocket protocol. WebSocket is a protocol that can send and receive data simultaneously between a browser and a web server over a TCP connection, a kind of extension to the HTTP protocol;
    • ISAPI extensions (Web-ISAPI-Ext) - support for dynamic development of web content using the ISAPI application programming interface. ISAPI is an API for the IIS web server. ISAPI applications are much faster than ASP files or files that call COM+ components;
    • .NET 3.5 Extensibility (Web-Net-Ext) is a .NET 3.5 extensibility feature that allows you to modify, add, and extend web server functionality throughout the request processing pipeline, configuration, and user interface;
    • .NET 4.6 Extensibility (Web-Net-Ext45) is a .NET 4.6 extensibility feature that also allows you to modify, add, and extend web server functionality across the entire request processing pipeline, configuration, and user interface;
    • ISAPI Filters (Web-ISAPI-Filter) - Add support for ISAPI filters. ISAPI filters are programs that are called when a web server receives a specific HTTP request to be processed by this filter.
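The Security group of role services above (request filtering, IP and domain restrictions, and the authentication methods) is what you actually turn on and tune after installing the role. The script below is an added example, not from the article or from IIS itself: it installs those role services by the names listed above and then configures them for one site with the WebAdministration module, including forcing SSL if Basic Authentication is left enabled, for the reason given above. The site name, the allowed subnet, the blocked file extensions and the size limit are illustrative values, not anything from the article.

```powershell
# Added example, not from the original article: apply the IIS "Security" role services
# to one site. Assumptions: site 'Default Web Site', subnet 10.0.0.0/8 and the blocked
# extensions are illustrative; run in an elevated PowerShell on the IIS server.

Install-WindowsFeature -Name Web-Filtering, Web-IP-Security, Web-Basic-Auth, Web-Windows-Auth
Import-Module WebAdministration

$root = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config so locked sections can be set per site

function Set-IisSecurityBaseline {
    param(
        [string]$SiteName = 'Default Web Site',
        [string]$AllowedSubnet = '10.0.0.0',
        [string]$AllowedMask = '255.0.0.0'
    )
    # Request filtering (Web-Filtering): reject double-encoded URLs, cap request size,
    # refuse requests for backup/config leftovers that should never be served.
    $rf = '/system.webServer/security/requestFiltering'
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $rf -Name allowDoubleEscaping -Value $false
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter "$rf/requestLimits" -Name maxAllowedContentLength -Value 30000000
    foreach ($ext in '.bak', '.config', '.old') {
        Add-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter "$rf/fileExtensions" -Name '.' -Value @{ fileExtension = $ext; allowed = 'false' }
    }

    # IP and domain restrictions (Web-IP-Security): deny everything not explicitly listed.
    $ip = '/system.webServer/security/ipSecurity'
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $ip -Name allowUnlisted -Value $false
    Add-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $ip -Name '.' -Value @{ ipAddress = $AllowedSubnet; subnetMask = $AllowedMask; allowed = 'true' }

    # Authentication: use Windows authentication, turn Basic off, and require SSL for the
    # site so that credentials are never sent in clear text even if Basic is re-enabled later.
    $auth = '/system.webServer/security/authentication'
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter "$auth/basicAuthentication"     -Name enabled -Value $false
    Set-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

function Get-IisAttr {
    # Reads one attribute back; scalar attributes come back wrapped in an object with .Value
    param($SiteName, $Filter, $Name)
    $v = Get-WebConfigurationProperty -PSPath $root -Location $SiteName -Filter $Filter -Name $Name
    if ($null -ne $v.Value) { $v.Value } else { $v }
}

function Test-IisSecurityBaseline {
    # Verifies the settings after the change (and can be rerun later as an audit)
    param([string]$SiteName = 'Default Web Site')
    [pscustomobject]@{
        Site                = $SiteName
        AllowDoubleEscaping = Get-IisAttr $SiteName '/system.webServer/security/requestFiltering' 'allowDoubleEscaping'
        AllowUnlistedIPs    = Get-IisAttr $SiteName '/system.webServer/security/ipSecurity' 'allowUnlisted'
        BasicAuthEnabled    = Get-IisAttr $SiteName '/system.webServer/security/authentication/basicAuthentication' 'enabled'
        SslFlags            = Get-IisAttr $SiteName '/system.webServer/security/access' 'sslFlags'
    }
}

Set-IisSecurityBaseline
Test-IisSecurityBaseline   # expect AllowDoubleEscaping False, AllowUnlistedIPs False, BasicAuthEnabled False, SslFlags Ssl
```

The settings are written under a location tag in applicationHost.config rather than into the site's web.config, which is why the authentication sections (locked at the server level by default) can be set per site here.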

FTP Server (Web-Ftp-Server) – services that provide support for the FTP protocol. We talked in more detail about the FTP server in the material "Installing and configuring an FTP server on Windows Server 2016". Contains the following services:

  • FTP Service (Web-Ftp-Service) - adds support for the FTP protocol on the web server;
  • FTP Extensibility (Web-Ftp-Ext) - Extends standard FTP capabilities, such as adding support for features such as custom providers, ASP.NET users, or IIS manager users.

Management Tools (Web-Mgmt-Tools) - these are the management tools for the IIS 10 web server. They include the IIS user interface, command-line tools and scripts.

  • The IIS Management Console (Web-Mgmt-Console) is the user interface for managing IIS;
  • IIS Management Scripts and Tools (Web-Scripting-Tools) are tools and scripts for managing IIS from the command line or from scripts. They can be used, for example, to automate management;
  • Management Service (Web-Mgmt-Service) - this service adds the ability to manage a web server remotely from another computer using IIS Manager;
  • IIS 6 Management Compatibility (Web-Mgmt-Compat) - provides compatibility for applications and scripts that use the IIS 6 APIs. Existing IIS 6 scripts can be used to manage the IIS 10 web server:
    • IIS 6 Metabase Compatibility (Web-Metabase) is a compatibility tool that allows you to run applications and scripts that have been migrated from earlier versions of IIS;
    • IIS 6 Scripting Tools (Web-Lgcy-Scripting) - these tools allow you to use the same IIS 6 scripting services that were created to manage IIS 6 to manage IIS 10;
    • IIS 6 Management Console (Web-Lgcy-Mgmt-Console) is a tool for administering remote IIS 6.0 servers;
    • IIS 6 WMI Compatibility (Web-WMI) provides Windows Management Instrumentation (WMI) scripting interfaces for programmatically controlling and automating IIS 10.0 web server tasks using scripts written against the WMI provider.

Active Directory Domain Services

The "Active Directory Domain Services" role (AD DS) provides a distributed database that stores and processes information about network resources. This role is used to organize network elements such as users, computers, and other devices into a hierarchical containment structure. The hierarchical structure includes forests, domains within a forest, and organizational units (OUs) within each domain. A server running AD DS is called a domain controller.

The role name for Windows PowerShell is AD-Domain-Services.

Windows Server Essentials Mode

This role is a computer infrastructure that provides convenient and efficient functions, for example: storing client data in a centralized location and protecting this data by backing up server and client computers, and remote web access that lets you reach data from virtually any device. This role requires several role services and features, for example: BranchCache, Windows Server Backup, Group Policy Management, and the "DFS Namespaces" role service.

The name for PowerShell is ServerEssentialsRole.

Network Controller

Introduced in Windows Server 2016, this role provides a single point of automation for managing, monitoring, and diagnosing the physical and virtual network infrastructure in the datacenter. Using this role, you can configure IP subnets, VLANs, physical network adapters of Hyper-V hosts from one point, manage virtual switches, physical routers, firewall settings and VPN gateways.

The name for Windows PowerShell is NetworkController.

Host Guardian Service

This is the Host Guardian Service (HGS) server role; it provides attestation and key protection services that allow guarded hosts to run shielded virtual machines. For this role to function, several additional roles and features are required, for example: Active Directory Domain Services, Web Server (IIS), the "Failover Clustering" feature and others.

The name for PowerShell is HostGuardianServiceRole.

Active Directory Lightweight Directory Services

The "Active Directory Lightweight Directory Services" role (AD LDS) is a lightweight version of AD DS that has less functionality but does not require the deployment of domains or domain controllers, and does not have the dependencies and domain restrictions required by AD DS. AD LDS runs over the LDAP protocol (Lightweight Directory Access Protocol). You can deploy multiple AD LDS instances on the same server with independently managed schemas.

The name for PowerShell is ADLDS.

MultiPoint Services

This is another role new in Windows Server 2016. MultiPoint Services (MPS) provides basic remote desktop functionality that allows multiple users to work simultaneously and independently on the same computer. To install and operate this role, you need several additional services and features, for example: Print Server, Windows Search Service, XPS Viewer and others, all of which are selected automatically during MPS installation.

The name of the role for PowerShell is MultiPointServerRole.

Windows Server Update Services

With this role (WSUS), system administrators can manage Microsoft updates: for example, create separate groups of computers for different sets of updates, and receive reports on the compliance of computers with requirements and on the updates that need to be installed. For "Windows Server Update Services" to function, you need role services and features such as: Web Server (IIS), Windows Internal Database, Windows Process Activation Service.

The name for Windows PowerShell is UpdateServices.

  • WID Connectivity (UpdateServices-WidDB) - configures the WID (Windows Internal Database) database used by WSUS. In other words, WSUS will store its service data in WID;
  • WSUS Services (UpdateServices-Services) are the WSUS role services, such as the Update Service, Reporting Web Service, API Remoting Web Service, Client Web Service, Web Simple Authentication Web Service, Server Synchronization Service and DSS Authentication Web Service;
  • SQL Server Connectivity (UpdateServices-DB) installs the component that allows the WSUS service to connect to a Microsoft SQL Server database. This option stores the service data in a Microsoft SQL Server database, so you must already have at least one instance of SQL Server installed.

Volume License Activation Services

With this server role, you can automate and simplify the issuance of volume licenses for software from Microsoft, and it also allows you to manage these licenses.

The name for PowerShell is VolumeActivation.

Print and Document Services

This server role is designed to share printers and scanners on a network, to centrally configure and manage print and scan servers, and to manage network printers and scanners. Print and Document Services also allows you to send scanned documents via email, to network shares, or to Windows SharePoint Services sites.

The name for PowerShell is Print-Services.

  • Print Server (Print-Server) - this role service includes the "Print Management" console, which is used to manage printers or print servers, as well as to migrate printers and other print servers;
  • Internet Printing (Print-Internet) - to implement printing over the Internet, a website is created that allows users to manage print jobs on the server. For this service to work, as you would expect, you need to install "Web Server (IIS)". All required components are selected automatically when you check the "Internet Printing" role service during installation;
  • Distributed Scan Server (Print-Scan-Server) is a service that allows you to receive scanned documents from network scanners and send them to a destination. This service also contains the "Scan Management" console, which is used to manage network scanners and to configure scanning;
  • LPD Service (Print-LPD-Service) - the LPD (Line Printer Daemon) service allows UNIX-based computers and other computers using the Line Printer Remote (LPR) service to print to the server's shared printers.

Network Policy and Access Services

The "Network Policy and Access Services" role (NPAS) allows Network Policy Server (NPS) to define and enforce network access, authentication, authorization and client health policies; in other words, to secure the network.

The name for Windows PowerShell is NPAS.

Windows Deployment Services

With this role, you can remotely install the Windows operating system over a network.

The role name for PowerShell is WDS.

  • Deployment Server (WDS-Deployment) - this role service is designed for remote deployment and configuration of Windows operating systems. It also allows you to create and customize images for reuse;
  • Transport Server (WDS-Transport) - This service contains the basic network components with which you can transfer data by multicasting on a stand-alone server.

Active Directory Certificate Services

This role is intended to create certificate authorities and related role services that allow you to issue and manage certificates for various applications.

The name for Windows PowerShell is AD-Certificate.

Includes the following role services:

  • Certification Authority (ADCS-Cert-Authority) - using this role service, you can issue certificates to users, computers, and services, as well as manage the validity of the certificate;
  • Certificate Enrollment Policy Web Service (ADCS-Enroll-Web-Pol) - this service allows users and computers to obtain certificate enrollment policy information from a web browser, even if the computer is not a domain member. It requires "Web Server (IIS)" to function;
  • Certificate Enrollment Web Service (ADCS-Enroll-Web-Svc) - this service allows users and computers to enroll for and renew certificates using a web browser over HTTPS, even if the computer is not a domain member. It also requires "Web Server (IIS)";
  • Online Responder (ADCS-Online-Cert) - the service is designed to check certificate revocation for clients. In other words, it accepts revocation status requests for specific certificates, evaluates the status of those certificates, and sends back a signed response with the status information. It requires "Web Server (IIS)" to function;
  • Certification Authority Web Enrollment (ADCS-Web-Enrollment) - this service provides a web interface for users to perform tasks such as requesting and renewing certificates, obtaining CRLs, and enrolling for smart card certificates. It requires "Web Server (IIS)" to function;
  • Network Device Enrollment Service (ADCS-Device-Enrollment) - using this service, you can issue and manage certificates for routers and other network devices that do not have network accounts. It requires "Web Server (IIS)" to function.

Remote Desktop Services

A server role that can be used to provide access to virtual desktops, session-based desktops, and RemoteApps.

The role name for Windows PowerShell is Remote-Desktop-Services.

Consists of the following services:

  • Remote Desktop Web Access (RDS-Web-Access) - this role service allows users to access remote desktops and RemoteApp programs through the "Start" menu or using a web browser;
  • Remote Desktop Licensing (RDS-Licensing) - the service is designed to manage the licenses required to connect to a Remote Desktop Session Host server or a virtual desktop. It can be used to install and issue licenses and to track their availability. This service requires "Web Server (IIS)";
  • Remote Desktop Connection Broker (RDS-Connection-Broker) is a role service that provides the following capabilities: reconnecting a user to an existing virtual desktop, RemoteApp program or session-based desktop, as well as load balancing between Remote Desktop Session Host servers or between pooled virtual desktops. This service requires the " ";
  • Remote Desktop Virtualization Host (RDS-Virtualization) - the service allows users to connect to virtual desktops using RemoteApp and Desktop Connection. This service works in conjunction with Hyper-V, so that role must be installed;
  • Remote Desktop Session Host (RDS-RD-Server) - this service can host RemoteApp programs and session-based desktops on a server. Access is through the Remote Desktop Connection client or RemoteApp programs;
  • Remote Desktop Gateway (RDS-Gateway) - the service allows authorized remote users to connect to virtual desktops, RemoteApp programs, and session-based desktops on a corporate network or over the Internet. This service requires the following additional services and features: "Web Server (IIS)", "Network Policy and Access Services", "RPC over HTTP Proxy".

AD RMS

This is a server role that allows you to protect information from unauthorized use. It validates user identities and grants licenses to authorized users to access protected data. This role requires additional services and features: "Web Server (IIS)", "Windows Process Activation Service", ".NET Framework 4.6 Features".

The name for Windows PowerShell is ADRMS.

  • Active Directory Rights Management Server (ADRMS-Server) - the main role service, required for installation;
  • Identity Federation Support (ADRMS-Identity) is an optional role service that enables federated identities to consume protected content using Active Directory Federation Services.

AD FS

This role provides simplified and secure identity federation and single sign-on (SSO) functionality to websites using a browser.

The name for PowerShell is ADFS-Federation.

Remote access

This role provides connectivity through DirectAccess, VPN, and Web Application Proxy. The "Remote Access" role also provides traditional routing capabilities, including network address translation (NAT) and other connection options. This role requires additional services and features: "Web Server (IIS)", "Windows Internal Database".

The role name for Windows PowerShell is RemoteAccess.

  • DirectAccess and VPN (RAS) (DirectAccess-VPN) - the service allows users to connect to the corporate network at any time with Internet access through DirectAccess, as well as organize VPN connections in combination with tunneling and data encryption technologies;
  • Routing (Routing) - the service provides support for NAT routers, LAN routers with BGP protocols, RIP and routers with multicast support (IGMP proxy);
  • Web Application Proxy (Web-Application-Proxy) - The service allows you to publish applications based on the HTTP and HTTPS protocols from the corporate network to client devices that are outside the corporate network.

File and storage services

This is a server role that can be used to share files and folders, manage and control shares, replicate files, provide fast file searches, and grant access to UNIX client computers. We considered file services, and in particular the file server, in more detail in the material "Installing a File Server on Windows Server 2016".

The name for Windows PowerShell is FileAndStorage-Services.

Storage Services - this service provides storage management functionality; it is always installed and cannot be removed.

File Services and iSCSI Services (File-Services) are technologies that simplify the management of file servers and storages, save disk space, provide replication and caching of files in branches, and also provide file sharing via the NFS protocol. Includes the following role services:

  • File Server (FS-FileServer) - a role service that manages shared folders and provides users with access to files on this computer over the network;
  • Data Deduplication (FS-Data-Deduplication) - this service saves disk space by storing only one copy of identical data on a volume;
  • File Server Resource Manager (FS-Resource-Manager) - using this service, you can manage files and folders on a file server, create storage reports, classify files and folders, configure folder quotas and define file blocking policies;
  • iSCSI Target Storage Provider (VDS and VSS Hardware Providers) (iSCSITarget-VSS-VDS) - the service allows applications on a server connected to an iSCSI target to perform volume shadow copies of iSCSI virtual disks;
  • DFS Namespaces (FS-DFS-Namespace) - using this service, you can group shared folders hosted on different servers into one or more logically structured namespaces;
  • Work Folders (FS-SyncShareService) - the service allows you to use work files on different computers, both work and personal. You can store your files in Work Folders, synchronize them, and access them from your local network or the Internet. For the service to function, the IIS In-Process Web Core component is required;
  • DFS Replication (FS-DFS-Replication) is a multi-server data replication engine that allows you to synchronize folders over a LAN or WAN connection. This technology uses the Remote Differential Compression (RDC) protocol to update only the portion of the files that have changed since the last replication. DFS Replication can be used with or without DFS Namespaces;
  • Server for NFS (FS-NFS-Service) - the service allows this computer to share files with UNIX-based computers and other computers that use the Network File System (NFS) protocol;
  • iSCSI Target Server (FS-iSCSITarget-Server) - provides services and management for iSCSI targets;
  • BranchCache for Network Files (FS-BranchCache) - the service provides BranchCache support on this file server;
  • File Server VSS Agent Service (FS-VSS-Agent) - the service enables volume shadow copies for applications that store data files on this file server.
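As an added example (not code from the original article), the following PowerShell script uses the role-service names listed above to audit which File and Storage Services components are installed on a server and to install only the File Server and File Server Resource Manager services, leaving the others (NFS, iSCSI target, Work Folders, DFS Replication) off so the server exposes only what its function needs. It assumes an elevated session with the ServerManager module available, as on Windows Server 2016; the set of wanted and unwanted services is a constructed choice for illustration.

```powershell
# Added example: audit and minimally install File and Storage Services role services.
# Assumes an elevated PowerShell session on Windows Server 2016 (ServerManager module present).
Import-Module ServerManager

# Role services named in the article; only the first two are needed on this file server
# (constructed choice for illustration).
$wanted   = @('FS-FileServer', 'FS-Resource-Manager')
$unwanted = @('FS-NFS-Service', 'FS-iSCSITarget-Server', 'FS-SyncShareService', 'FS-DFS-Replication')

# Report the current state of every File Services role service (wildcards are accepted by -Name).
Get-WindowsFeature -Name 'File-Services', 'FS-*' |
    Select-Object Name, DisplayName, InstallState |
    Format-Table -AutoSize

# Install only the wanted services that are missing, together with their management tools.
# -WhatIf first shows the planned change without applying it.
$missing = Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed }
if ($missing) {
    Install-WindowsFeature -Name $missing.Name -IncludeManagementTools -WhatIf
    Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
}

# Flag installed services this server's function does not require: each one is extra attack surface.
$extra = Get-WindowsFeature -Name $unwanted | Where-Object { $_.Installed }
foreach ($f in $extra) {
    Write-Warning ("Role service '{0}' ({1}) is installed but not required on this server." -f $f.DisplayName, $f.Name)
}
# After confirming nothing depends on them, remove the extras:
# Uninstall-WindowsFeature -Name $extra.Name
```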

Fax server

The role sends and receives faxes and allows you to manage fax resources such as jobs, settings, reports, and fax devices on this computer or on the network. The Print Server role service is required for it to function.

The role name for Windows PowerShell is Fax.

This completes the review of Windows Server 2016 server roles. I hope the material was useful to you; that is all for now!
