How to use RSoP to check and troubleshoot group policy settings

Want an insanely easy way to troubleshoot and report group policy settings for users and computers? Then you’ll love this guide.

Look:

Having multiple group policy objects can get out of control and difficult to troubleshoot.

When deploying GPOs, you need to consider:

Group policy settings can overlap
Moving a user or computer to another OU can affect what policies are getting applied
GPO ordering and precedence
User settings vs computer settings

So how exactly do you report what settings are getting applied?

It’s easy just follow the steps in this guide.

Bonus: I will also show you how to simulate group policy settings. It’s great for planning GPOs.

I also recommend you check out my list of Group Policy Best practices. It contains some great tips and recommendations for group policy design and implementation

A quick overview of RsoP (Resultant Set of Policy)

RsoP (Resultant Set of Policy) is a Microsoft tool that is built into Windows 7 and later versions. It provides administrators a report on what group policy settings are getting applied to users and computers. It can also be used to simulate settings for planning purposes.

RsoP is one of my favorite Active Directory Troubleshoot Tools for testing and troubleshooting group policy settings at the client level.

RsoP (Resultant Set of Policy) has two modes, Logging Mode and Planning mode.

Logging Mode:
This mode is used to generate a report on policy settings for users and computers. It is best used to verify and troubleshoot group policy settings.

Planning Mode:
Administrators can use planning mode for “what if” scenarios. What if I move a user or computer to a different OU, what if I put a user in a different AD group, what if the user logs into a different computer. You can select various options with planning mode and it will simulate the policy settings.

This was just a quick overview of RsoP (Resultant Set of Policy) for more details see Microsoft’s article What is Resultant Set of Policy.

Now to the good stuff:

How to run RSoP to determine computer and user policy settings

You must be a local administrator on the local computer for RsoP to return the computer configuration policy settings.

Step 1: Run rsop.msc from a local computer

Open the command line, type rsop.msc and hit enter.


Rsop will run and generate a report for the user and computer policy settings.

Step 2: Review Policies

Now that RSoP has run its time to review the policy settings. Keep in mind, RsoP will only show the policy settings, it will not show the group policy objects.

Browse through the policies to see what settings are applied.

Step 3: Compare the results to the group policy objects

Now it’s time to go back to the Group Policy Management console and verify that the policies that you have linked are getting applied.

I have a GPO called “Computer – Windows 10 Settings” that is applied to the Winadpro Computers OU. I’m logged into PC1 which is in the accounting folder. So, the policies in that GPO should get applied to PC1.

Let’s verify that with RsoP results.

After running RsoP I can see that the settings in the “Computer – Browser Settings” GPO are getting applied to PC1. In the results, you can also see what GPO the settings are coming from by looking under the GPO name. I can see the Prevent running First Run Wizard setting is coming from the Computer – Browser Settings GPO.

If you have multiple GPOs

If you had multiple GPOs that have overlapping settings, you can look at the results and see which GPO is taking precedence.

Simple, right?

By default, when you run rsop.msc on a client machine it will run in logging mode. If you want to run in planning mode, follow the steps below.

Simulate GPO policy settings with RsoP planning mode

I’m going to use planning mode to see what policies would get applied if I moved a user to the Sales OU. I have a GPO linked to this OU so I’m expecting those policies will get applied. But before I move a bunch of people to this OU I want to test and see what really would get set.

Step 1: Open MMC and add Resultant Set of Policy

MMC can be opened by typing MMC in the windows run command or typing mmc.exe from command line.

From the MMC console go to File and select Add/Remove Snap-in

Select Resultant Set of Policy from the available snap ins

Step 2: Run the RsoP wizard

Right click Resultant Set of Policy and select Generate Rsop Data

Click Next at the welcome screen

Select Planning mode

Select the User, Computer or OU that you want to simulate policy settings for.

I want to simulate policies for the Sales OU so I’m going to select Container for the user information and then PC1 for the computer.

Click Next

Select any additional simulation options if desired.

Click Next

Click Next

On the user security group page, you can simulate changes to the security groups.

Click Next

WMI Filters page, you can use all filters or only selected filters.

Click next

Summary page, click next

Finally, the wizard is complete.

So now I have the simulated results. I want to see what policies will get applied since I selected the sales OU.

Let’s check it out.

The results are only going to show what settings are applied. It will not show the GPO itself just the policy settings.

Looking through the simulated results I can see that the screen saver settings are getting applied under the User Configuration. So, this confirms the GPO I set at the sales OU would get applied. I see no issues so I can move forward with moving users into this OU.

I hope you found this article helpful. If you have any questions leave a comment below.

See also:
GPResult Tool: How to check what Group Policy objects are Applied
Group Policy Best Practices

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor. 

2 Comments

  1. Jaymit on August 11, 2018 at 12:28 am

    Why would this happen the user is in the right group.But when the user log in the script for mapping the network drive challenge to enter credentials.once the user enter the credentials the network drives are mapped.But for very reboot or logoff the user is challenged for the credential for network share drives.This only happens fo 1 user in that group.
    Thanks in advance for your reply

Leave a Comment