This issue occurs because RSoP Planning mode does not support cross-forest scenarios: domain controllers are not fully trusted outside their own forests. In many potential scenarios, RSoP cannot validate the information that is returned from a domain controller that is located in another forest. The Authenticated Users group must have Read permission on the relevant policies for a particular policy to be read successfully in a cross-forest environment. Microsoft does not recommend granting the Authenticated Users group Read permission on all policies. If both the user and the computer reside in the same forest, RSoP can generate a complete set of data.
In a cross-forest scenario, if the user wants to connect to a computer that is in the remote forest to generate the RSoP Planning data for that user, the domain controller of the forest where the user resides must first contact the domain controller of the remote forest. This is done to obtain the list of policies that apply to the relevant user or computer from the requested domain controller. The domain controller performs this action on behalf of the user who runs RSoP Planning. The results that are returned to the requesting domain controller therefore depend on the rights that the domain controller has in the remote forest, not on the rights of the user who runs RSoP Planning. For this reason, cross-forest support is blocked in RSoP Planning mode: the data that RSoP Planning provides may be incomplete or inaccurate. Cross-forest support for RSoP Planning may be enabled in a future version of Windows. Consider the following scenarios.
Scenario | User | Computer | Domain Controller |
---|---|---|---|
Scenario 1 | Forest 1 | Forest 1 | Forest 1 |
Scenario 2 | Forest 2 | Forest 1 | Forest 1 |
Scenario 3 | Forest 1 | Forest 2 | Forest 1 |
Scenario 4 | Forest 2 | Forest 2 | Forest 1 |
- Scenario 1 is fully supported. In this scenario, the user generates RSoP Planning policy data against a local domain controller. Therefore, if the administrator who uses RSoP Planning has the correct credentials, the generated RSoP Planning policy data will be complete and accurate.
- In Scenario 2, the RSoP policy data that is generated will contain correct data about the policies that are applied to the computer, including the site policies that apply in Forest 1. However, the user policies may be correct, partially correct, or incorrect.
- In Scenario 3, neither the user policy experience nor the computer policy experience can be verified. This is because the relevant site-based policies that are applied to the computer will differ from the policy that is applied in Forest 1. Also, if the user selects the loopback processing option for the computer, the RSoP Planning process cannot simulate this environment, because the computer will apply the Group Policy objects from the Forest 2 domain controller when the user logs on to the computer. This is not supported by RSoP Planning. Therefore, the user's actual experience may differ from what RSoP Planning reports.
- In Scenario 4, the RSoP Planning policy data will be complete because the success or failure of RSoP Planning is dependent on the credentials of the user, and not on those of the domain controller.
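The following PowerShell script is an added example, not part of the Microsoft article. It performs two pre-flight checks before an administrator runs RSoP Planning: it resolves the forest of the user's domain, the computer's domain, and the domain controller that will run the simulation, maps the combination onto the four scenarios in the table above, and it lists the GPOs in a domain where the Authenticated Users group lacks Read permission (the condition the article names for cross-forest reads). It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed, that the account running it can query each domain involved, and that every domain and host name used is a placeholder you replace with your own.

```powershell
# Added example (not from the Microsoft article). Requires the RSAT modules
# ActiveDirectory and GroupPolicy; the account running it must be able to
# query each domain named. All domain and host names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-ForestOfDomain {
    param([Parameter(Mandatory)][string]$DomainFqdn)
    # Get-ADDomain reports the forest root that a domain belongs to.
    (Get-ADDomain -Identity $DomainFqdn).Forest
}

function Get-RsopPlanningScenario {
    param(
        [Parameter(Mandatory)][string]$UserDomain,       # domain of the user account
        [Parameter(Mandatory)][string]$ComputerDomain,   # domain of the computer account
        [Parameter(Mandatory)][string]$DomainController  # DC that will run the simulation
    )
    # "Forest 1" in the article's table is the forest of the domain controller.
    $dcForest   = (Get-ADDomainController -Identity $DomainController).Forest
    $userForest = Get-ForestOfDomain -DomainFqdn $UserDomain
    $compForest = Get-ForestOfDomain -DomainFqdn $ComputerDomain

    $userLocal = ($userForest -eq $dcForest)
    $compLocal = ($compForest -eq $dcForest)

    # Map the forest placement onto the article's four scenarios.
    if     ($userLocal -and $compLocal)           { $n = 1; $msg = 'Fully supported: user and computer data will be complete and accurate.' }
    elseif (-not $userLocal -and $compLocal)      { $n = 2; $msg = 'Computer policy data is correct; user policy data may be correct, partially correct, or incorrect.' }
    elseif ($userLocal -and -not $compLocal)      { $n = 3; $msg = 'Neither user nor computer policy data can be verified; loopback processing cannot be simulated.' }
    else                                          { $n = 4; $msg = 'Article states the data will be complete because the outcome depends on the user credentials.' }

    [pscustomobject]@{
        Scenario       = $n
        UserForest     = $userForest
        ComputerForest = $compForest
        DcForest       = $dcForest
        CrossForest    = (-not ($userLocal -and $compLocal))
        Expectation    = $msg
    }
}

function Find-GpoWithoutAuthenticatedUsersRead {
    param([string]$Domain = $env:USERDNSDOMAIN)
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPPermission errors when the trustee has no entry at all, so treat
        # "no entry" and "None" the same way: Authenticated Users cannot read it.
        $perm = Get-GPPermission -Guid $gpo.Id -Domain $Domain `
                    -TargetName 'Authenticated Users' -TargetType Group `
                    -ErrorAction SilentlyContinue
        if (-not $perm -or $perm.Permission -eq 'None') {
            [pscustomobject]@{ DisplayName = $gpo.DisplayName; Id = $gpo.Id; Domain = $Domain }
        }
    }
}

# Usage (placeholder names):
# Get-RsopPlanningScenario -UserDomain 'corp.example.com' -ComputerDomain 'lab.example.net' -DomainController 'dc01.corp.example.com'
# Find-GpoWithoutAuthenticatedUsersRead -Domain 'corp.example.com'
```

The scenario function only reports the expectation the article gives for each case; it does not itself run the simulation, so it is safe to run before committing to a planning query that may return incomplete data. The permission audit is intentionally read-only: the article advises against granting Authenticated Users Read on every GPO, so the output is a list to review rather than something to fix in bulk.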