How to use RSOP to Inspect Applied GPO Settings

Chaitanya


When you apply an Active Directory (AD) Group Policy Object (GPO) across hundreds or even thousands of target computers, chances are it’s going to take a while for them all to receive it. How do you know when a computer receives a new policy or retrieves updated policy settings? Using the RSOP tool.

The RSOP tool or Resultant Set Of Policy, is a built-in Windows tool that allows you to discover what policy settings are applied to local and remote computers. If you’re wondering what configuration GPOs are setting on your PC, read on!

Let’s get started.

Prerequisites

This tutorial will run through a few different demos. If you’d like to follow along, be sure you have the following:

  • An Active Directory domain – Any version of AD will work. This tutorial will use a domain called HomeLab.Local.
  • A domain-joined Windows PC with at least one GPO applied to it to test local GPOs. This tutorial will use a PC called Win10VM1.
  • A second domain-joined Windows PC if you want to run RSOP remotely. This tutorial will use a PC called Win10VM3.
  • TCP ports 445, 135, RPC dynamic ports, and all ports for WMI open on the remote computer. You can create a starter GPO called Group Policy Reporting Firewall Ports to ensure all ports are open.
  • Local administrator rights on both the local PC and remote PC.
  • A GPO with an AD group configured with deny permissions. This tutorial uses an AD group called DeniedGPOUsers that has no members and is assigned deny permissions on the GPO.

What is the RSOP tool?

When you assign a GPO to a computer in Active Directory, that computer should reach out to the domain controller and, based on the defined GPO refresh interval, soon see that GPO and attempt to apply the settings the GPO defines.

When the computer applies the GPO settings, those policy settings are then stored on the computer in the Common Information Management Object Model (CIMOM) database using the Windows Management Instrumentation (WMI). To inspect those applied settings, run the RSOP tool. The RSOP tool generates a report on the policies that are applied (or planned) for users and computers on the PC.

RSOP is great for troubleshooting instances where you have multiple, conflicting policies. Using RSOP, you can inspect which GPOs took precedence and overrode another.

Modes

RSOP has two different modes to help you discover how GPOs affect target computers: logging mode and planning mode.

  • Logging mode – The most common mode. It generates a report on all policies that are actually applied to the computer itself and to all logged-on users.
  • Planning mode – A less common mode that lets you simulate what settings would apply to a computer or user if one or more GPOs were applied to them. Planning mode can determine, for example, what will happen when a user is moved to a different AD group.

Inspecting Locally-Applied GPOs with RSOP

Let’s now get started with some hands-on demonstrations of RSOP. First, let’s cover how to bring up the RSOP tool and what kind of information you can expect to see.

On your local, domain-joined Windows PC, open a command prompt or PowerShell window as an administrator.

If you don’t run a command prompt or PowerShell as administrator, RSOP will not have access to the computer settings (only logged-in user settings). When you run RSOP, you will receive an error indicating you have insufficient permissions.

Next, run the command rsop.msc. This action will bring up the RSOP MMC snap-in.

When you bring up RSOP, it will immediately begin reading all applied policies and generating a report. RSOP defaults to logging mode. Below you’ll see the results of running RSOP on a computer called WIN10VM1 logged in as a user called LabAdmin.

Expand each of the folders and you’ll see every setting across all GPOs that are applied to that particular user or computer.

If you do not see an expected GPO setting for a recently-created GPO, run the gpupdate /force command on the PC to manually refresh the policy settings.

Running the gpupdate /force command

For example, below you'll see a local policy that assigns a logon script to users of the PC. Inside the policy, a batch file called HostName.bat is configured under User Configuration > Windows Settings > Scripts > Logon.

Local Group Policy Editor

When you run RSOP on a computer that has this local policy configured, you'll see the logon script applied and the Policy Name of the policy that applied it.

Resultant Set of Policy console

Testing Policy Changes with RSOP’s Planning Mode

Perhaps you’re ready to roll out an important GPO to many computers. You could “test in production” by applying it immediately to all computers at once, or you could use RSOP’s planning mode.

Using planning mode, you can simulate how a GPO would apply to a computer under many different conditions, such as when:

  • The target PC has a slow network connection
  • You enable loopback processing
  • The target PC has many GPOs applied to it to test policy precedence
  • The user logging onto the target PC, or the computer account itself, is in different AD groups, and one of those groups is denied permission to the GPO.
  • A user or computer is moved between domains, OUs or even AD sites.
  • A WMI filter is applied to an OU

Planning mode will help you account for all of the conditional variables that GPOs can throw at you.

To run RSOP in planning mode:

1. Open a command prompt or elevated PowerShell console and type mmc. This opens an empty MMC console.

Note you cannot simply run rsop.msc in this instance. The only way to change the RSOP mode is when you add an MMC snap-in, as you’ll see.

2. In the MMC console, open the File menu and click Add/Remove Snap-in, as shown below.

MMC console Add/Remove option

3. In the Add or Remove Snap-ins dialog box, select Resultant Set of Policy and click Add to move the snap-in from the left window to the right window.

Displaying Resultant Set of Policy option

4. Next, right-click the Resultant Set of Policy MMC snap-in, as shown below, click Generate RSOP Data, and click Next to skip past the intro step.

Generate RSoP Data option

5. On the Mode Selection screen, select Planning mode and click Next to get to the Computer Selection screen.

Selecting Planning mode option

6. Next, click Browse under User Information to select the user that might be affected by an upcoming GPO. Also, click Container and Browse under Computer Information to select the OU that will contain a PC this user may be logging into.

In the following screenshot, the simulation will provide all of the settings that a user called HOMELAB\User01 would receive if they were to log into any computer in the Desktop VMs OU.

Select user OU and computer OU

7. Now, select any additional situations you'd like to simulate, such as a slow network connection or loopback processing mode, as shown below. Click Next when complete.

Slow network connection and loopback processing mode

8. If you don’t plan on directly applying the GPO to the OU that the user or computer will be in, click Browse to change the OU for either object. When complete, click Next.

In step six, you defined the OUs that the user and target computer would be located in. Here, you are defining the OU that you plan on applying the GPO to.

Changing the path for the simulated applied GPO

9. Now, enter the AD group you plan for the user to be in by clicking Add. For this tutorial, the user will be in the DeniedGPOUsers group.

Displaying User Security Groups

You’ll see below that the DeniedGPOUsers group is denied from applying this GPO.

Displaying custom permissions for DeniedGPOUsers AD group

10. Next, for this tutorial, step through the screens for defining WMI filters and computer groups without changing anything. If, however, you do plan on setting up a WMI filter on the GPO, or on denying or allowing GPO application based on the AD group the computer account is in, you can make those simulated changes here.

11. Finally, on the summary screen, review all the details. Leave the Gather extended error information option enabled and click Next. When you enable this option, the RSOP snap-in collects additional error information while it performs the query, including network or AD issues that would affect the policy when it is applied. Enabling this option may greatly increase the time needed to process the simulation, but it provides more verbose information should an error occur.

After the RSOP console is generated, right-click the Computer Configuration or User Configuration node and click Properties. Then click the Error Information tab to view any errors generated while simulating the policy.

Summary Screen

12. Once RSOP is complete, navigate through the folders under Computer configuration and User configuration to verify the policies that are applied.

You'll see two windows below: on the left, the GPOs actually applied (RSOP in logging mode), and on the right, what RSOP would show if the user were removed from the DeniedGPOUsers AD group.

GPO Applied

Inspecting Remotely-Applied GPOs with RSOP

To save you from having to go to each computer's local console, RSOP also lets you inspect settings remotely in both logging and planning mode. This demonstration uses logging mode.

1. Open RSOP by running through steps 1-4 in the Testing Policy Changes with RSOP’s Planning Mode section above.

2. On the Mode Selection screen, choose Logging mode and click Next to come to the Computer Selection screen.

Selecting Logging Mode

3. On the Computer Selection screen, choose Another computer, since you're going to query a remote computer, and click Browse.

Selecting remote PC

4. In the Select Computer box, enter the remote PC name and click Check Names. This action searches for the computer's AD computer account. If found, the PC name is underlined, as shown below.

Remote PC name

5. Click Next on the Computer Selection screen. Here, you could select Do not display policy settings for the selected computer in the results… but you’re going to inspect both computer and user settings.

Resultant Set of Policy wizard

6. Next, choose the user whose applied user policies you'd like to inspect. You will see the list of users who have logged on to the remote computer at least once.

Select a user from the list and click Next.

Notice that the Current user option is greyed out. RSOP can't determine which user is currently logged on to the remote computer, so you must explicitly pick one.

Selecting user on remote PC

7. Uncheck the Gather extended error information checkbox. Click Next to continue. RSOP will now connect to the remote computer and attempt to retrieve all RSOP settings for both the selected user and the computer.

Resultant Set of Policy Wizard gather extended error information option

8. Click Finish when done.

Resultant Set of Policy wizard complete

9. You will now see the exact same MMC snap-in you saw when inspecting local settings, but this time the settings came from the remote PC.

Verifying GPO on remote PC
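The same remote logging-mode query can be scripted, which is handy when you need to check many computers. The following is an added example and not code from the original post; it uses the GroupPolicy module's Get-GPResultantSetOfPolicy cmdlet (RSAT) and assumes the tutorial's Win10VM3 / HOMELAB\User01 names, and the element names it reads from the XML report are assumed from the RSoP report schema, so verify them on your own build.

```powershell
# Added example (not part of the original post): remote logging-mode RSoP from PowerShell.
# Assumes the RSAT GroupPolicy module is installed, the caller is a local admin on the
# target, and the tutorial's names Win10VM3 / HOMELAB\User01 (both assumptions).
param(
    [string]$Computer = 'Win10VM3',
    [string]$User     = 'HOMELAB\User01',
    [string]$Report   = "$env:TEMP\rsop-$Computer.xml"
)
Import-Module GroupPolicy -ErrorAction Stop

# The prerequisites list SMB (445) and the RPC endpoint mapper (135); confirm they are
# reachable first so a firewall problem is not mistaken for a policy problem.
foreach ($port in 445, 135) {
    if (-not (Test-NetConnection -ComputerName $Computer -Port $port -InformationLevel Quiet)) {
        throw "TCP $port to $Computer is blocked; RSoP cannot query the remote CIMOM database."
    }
}

# Logging mode only: the cmdlet reads the policies already applied on the target,
# the same data the Resultant Set of Policy snap-in shows for 'Another computer'.
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $Report | Out-Null
[xml]$rsop = Get-Content -Path $Report

# Element names below follow the RSoP XML report schema (assumed; check on your build).
# AccessDenied=true is how a deny permission (e.g. the DeniedGPOUsers group) shows up;
# FilterAllowed=false means a WMI filter excluded the GPO.
function Show-GpoStatus {
    param($Scope, $Results)
    foreach ($gpo in $Results.GPO) {
        [pscustomobject]@{
            Scope         = $Scope
            GPO           = $gpo.Name
            LinkedAt      = $gpo.Link.SOMPath
            Enabled       = $gpo.Enabled
            AccessDenied  = $gpo.AccessDenied
            WmiFilterPass = $gpo.FilterAllowed
        }
    }
}
$status = @(Show-GpoStatus 'Computer' $rsop.Rsop.ComputerResults) +
          @(Show-GpoStatus 'User'     $rsop.Rsop.UserResults)
$status | Sort-Object Scope, GPO | Format-Table -AutoSize

# Anything listed here was in scope but did not apply: the same information the snap-in
# shows as denied GPOs, which is where to look when a setting is still missing after gpupdate /force.
$status | Where-Object { $_.AccessDenied -eq 'true' -or $_.WmiFilterPass -eq 'false' }
```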

Conclusion

The RSOP tool is handy when you need to quickly find all the GPO settings actually applied to a computer or user. It shows you the settings that were applied, not just all the settings in the GPOs that target a specific computer or user.

Where do you see yourself using RSOP in the future?
