What is the rsop command? How do you determine what GPO policies are applied to a computer or user?
In this post, you will learn how to use the rsop command (resultant set of policy) to verify if your GPO policy settings are being applied to your users and computers.
This is a must-know command to quickly troubleshoot and verify GPO policy settings.
Let’s get started.
Bonus: I will also show you how to simulate group policy settings. It’s great for planning GPOs.
I also recommend you check out my list of Group Policy Best practices. It contains some great tips and recommendations for group policy design and implementation.
A quick overview of RSoP (Resultant Set of Policy)
RSoP (Resultant Set of Policy) is a Microsoft tool that is built into Windows 7 and later versions. It provides administrators with a report on what group policy settings are getting applied to users and computers. It can also be used to simulate settings for planning purposes.
RSoP is one of my favorite Windows commands for testing and troubleshooting group policy settings at the client level.
RSoP (Resultant Set of Policy) has two modes, logging mode and planning mode.
Logging Mode:
This mode is used to generate a report on policy settings for users and computers. It is best used to verify and troubleshoot group policy settings.
Planning Mode:
Administrators can use planning mode for “what if” scenarios. What if I move a user or computer to a different OU, what if I put a user in a different AD group, what if the user logs into a different computer? You can select various options with planning mode and it will simulate the policy settings.
This was just a quick overview of RSoP (Resultant Set of Policy). For more details, see Microsoft’s article What is Resultant Set of Policy.
Now to the good stuff.
RSoP vs GPResult
The rsop and gpresult commands are both used to troubleshoot group policy, but which one should you use and why?
- RSoP – Use this command to report on the current state of the group policy settings. In other words, this will generate a report of what GPO policy settings are applied to a user or computer.
- GPResult – Use this command to see which GPOs are being applied or filtered for a computer or user.
For example, say you create a new GPO that enables the lock screen after 15 minutes of inactivity. You would use the gpresult command to verify the PC has applied the new GPO. You would use the rsop command to verify the GPO policy settings have been applied.
How to run RSoP to determine computer and user policy settings
You must be a local administrator on the local computer for RSoP to return the computer configuration policy settings.
In this example, I want to verify that a computer is applying the GPO policy settings from the lockscreen GPO I applied to all computers.
Step 1: Run rsop.msc from a local computer
Open the command line, type rsop.msc, and hit enter.
RSoP will run and generate a report for the user and computer policy settings.
Step 2: Review Policies
Now that RSoP has run, it’s time to review the policy settings. Keep in mind, RSoP will only show the policy settings; it will not show the group policy objects.
When the report is completed, browse to the location of the policy setting you want to verify. This should be the same location that you configured from the GPO management console.
Below you can see from the RSoP report that the computer has applied the policy “Interactive Logon: Machine inactivity limit” and the value is set to 1800 seconds.
If I go back to the Group Policy Management console, I can compare the GPO settings against the results of the RSoP report.
It looks good.
The computer has the same policy setting that is configured from my lock screen GPO.
If you had multiple GPOs that have overlapping settings, you can look at the results and see which GPO is taking precedence.
Simple, right?
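A scripted version of the check above, as an added example that is not part of the original post: it generates a logging-mode RSoP report with Get-GPResultantSetOfPolicy and compares the machine inactivity limit with the 1800 seconds shown in the report above. The report path, the variable names and the XML element names queried are assumptions; confirm the element names against a report from your own environment.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined
# client with the GroupPolicy module (RSAT / GPMC) installed.
Import-Module GroupPolicy

$ExpectedSeconds = 1800                                # value shown in the post
$ReportPath = Join-Path $env:TEMP 'rsop-logging.xml'   # hypothetical output path

# Logging-mode RSoP for this computer and the current user, saved as XML.
Get-GPResultantSetOfPolicy -ReportType Xml -Path $ReportPath | Out-Null

# XmlDocument.Load honours the encoding declared in the file.
$report = New-Object System.Xml.XmlDocument
$report.Load($ReportPath)

# Assumed report layout: security options appear under ComputerResults as
# SecurityOptions elements with KeyName and SettingNumber children.
# local-name() keeps the query independent of namespace prefixes.
$options = $report.SelectNodes(
    "//*[local-name()='ComputerResults']//*[local-name()='SecurityOptions']")
$hit = $options | Where-Object {
    $key = $_.SelectSingleNode("*[local-name()='KeyName']")
    $key -and $key.InnerText -like '*\InactivityTimeoutSecs'
} | Select-Object -First 1

# Leave the value as $null when the setting is absent from the report.
$rsopValue = $null
if ($hit) {
    $num = $hit.SelectSingleNode("*[local-name()='SettingNumber']")
    if ($num) { $rsopValue = [int]$num.InnerText }
}

# Registry value that backs "Interactive logon: Machine inactivity limit".
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$regValue = (Get-ItemProperty -Path $regPath -Name InactivityTimeoutSecs `
    -ErrorAction SilentlyContinue).InactivityTimeoutSecs

# Compliant only when both the RSoP report and the registry match the baseline.
[pscustomobject]@{
    Setting       = 'Interactive logon: Machine inactivity limit'
    Expected      = $ExpectedSeconds
    RsopValue     = $rsopValue
    RegistryValue = $regValue
    Compliant     = ($rsopValue -eq $ExpectedSeconds) -and ($regValue -eq $ExpectedSeconds)
}
```

A null RsopValue means the setting was not found in the computer results, which is what a non-elevated run or a GPO that never applied looks like.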
By default, when you run rsop.msc on a client machine it will run in logging mode. If you want to run in planning mode, follow the steps below.
Simulate GPO policy settings with RSoP planning mode
I’m going to use planning mode to see what policies would get applied if I moved a user to the Sales OU. I have a GPO linked to this OU so I’m expecting those policies will get applied. But before I move a bunch of people to this OU I want to test and see what really would get set.
Step 1: Open MMC and add Resultant Set of Policy
MMC can be opened by typing MMC in the Windows run command or typing mmc.exe from the command line.
From the MMC console go to File and select Add/Remove Snap-in.
Select the Resultant Set of Policy from the available snap-ins.
Step 2: Run the RSoP wizard
Right-click Resultant Set of Policy and select Generate RSoP Data.
Click Next at the welcome screen.
Select Planning mode.
Select the User, Computer or OU that you want to simulate policy settings for.
I want to simulate policies for the Sales OU so I’m going to select Container for the user information and then PC1 for the computer.
Click Next.
Select any additional simulation options if desired.
Click Next.
Click Next.
On the user security group page, you can simulate changes to the security groups.
Click Next.
On the WMI Filters page, you can use all filters or only selected filters.
Click Next.
On the Summary page, click Next.
Finally, the wizard is complete.
So now I have the simulated results. I want to see what policies will get applied since I selected the Sales OU.
Let’s check it out.
The results are only going to show what settings are applied. It will not show the GPO itself, just the policy settings.
Looking through the simulated results I can see that the screen saver settings are getting applied under the User Configuration. So, this confirms the GPO I set at the Sales OU would get applied. I see no issues so I can move forward with moving users into this OU.
I hope you found this article helpful. If you have any questions, leave a comment below.
But it still gets weird when looking at the policy conflict with Windows updates.
thanks bro, very detailed with screen shots. I appreciate you <3
Why would this happen? The user is in the right group. But when the user logs in, the script for mapping the network drive challenges the user to enter credentials. Once the user enters the credentials, the network drives are mapped. But for every reboot or logoff the user is challenged for the credentials for network share drives. This only happens for 1 user in that group.
Thanks in advance for your reply
Is the user logging into a computer that is on the same domain as the network drive location? Can the user try it on another computer? You might also consider switching to group policy for mapping drives https://activedirectorypro.com/map-network-drives-with-group-policy/
This may have occurred due to Credential Manager not updating; it can be fixed by updating Credential Manager manually by adding the path details with username and password for that network location.