This article will explore how to use the RSoP feature to understand your current group policies and demonstrate how administrators can use this feature to plan and troubleshoot new policies across the network.
What is RSoP?
RSoP stands for Resultant Set of Policy. It is used to simulate and test the policy settings applied to users or computers that use Group policy. RSoP is considered an addition to Group Policy to assist in implementing and troubleshooting policy.
RSoP is usually in the form of a report which contains the Group Policy settings within Active Directory that demonstrate how those settings can affect a network or how existing Group Policy Objects (GPOs) can affect different combinations of users and computers in respect to the application of local security policy.
This data of the RSoP report can be viewed as an HTML report using the gpresult tool in Group Policy Management Console. In addition, the reports can be viewed easily using the Help and Support Center for Microsoft Management Console. RSoP is a handy tool that sysadmin can use for testing and troubleshooting group policy settings at the client level.
Below are some key terms you’ll want to familiarize yourself with to understand the working of RSoP fully and check Group Policy.
Group Policy is a specifically designed hierarchical framework that enables a network administrator to implement user-specific configurations for different computers. Here, the network administrator must be in charge of Microsoft’s Active directory.
Therefore, group policy can effectively be defined as a security policy to implement critical security configurations for users and computers. One of the best practical examples is the administrative templates for Microsoft office.
Active Directory, also abbreviated as AD, is Microsoft’s directory service that runs on Windows Server and allows the system admins to manage and control access to Network Resources. An Active Directory stores its data in the form of objects. An object can be defined as any single element, an application, or a user. Etc.
Group Policy Objects (GPOs)
Group Policy Object (GPO) is Microsoft’s collection of Group Policy Settings that determines and defines how a system will appear and how it will behave for a particular set of users. The GPO is correlated with selected Active Directory Containers such as domains or websites.
Generally, there are three types of GPOs: Local GPOs, Non-local GPOs, and Starter GPOs. The local and non-local GPOs refer to the local or non-local computer they can be applied to. The starter GPO represents a baseline policy that the admin can create using a pre-configured group of settings.
Group Policy Management Console (GPMC)
The Group Policy Management Console (GPMC) collectively resembles the usage and management of Group policy across an organizational unit. It is an interface that allows the Active Directory administrators to import, export, backup, and restore the GPOs from a single console application. Before the advent of GPMC, the system administrators had to use many other tools for managing Group Policy.
After having an overview of these terms, we better understand how these essential items relate to each other, so we come back to the discussion of RSoP.
RSoP can be a query engine that polls on existing and future planned policies based on the website, domain, and organizational unit.
RSoP provides detailed information about all the policy settings that a system administrator has configured. These settings usually include Group Policy Software installation, code scripts, security settings, administrative templates for different tasks, and Internet Explorer maintenance.
RSoP has two modes in general. The first one is the Planning mode, which can simulate how the desired policy settings can affect the computer when applied. It is more related to “What if” scenarios.
For instance, what if I put a user in a different AD group, a computer or a user gets moved to a separate Organizational Unit (OU), etc. An Organizational Unit (OU) is a container within a Microsoft Active Directory domain that can hold users, groups, and computers.
The second mode is the Logging mode which reports the existing policy settings for a computer and a user currently logged on the system. This mode is best used to verify and troubleshoot group policy settings.
Using RSoP to check and troubleshoot group policy settings
This article provides an easy-to-follow guideline for using RSoP to check and configure Group Policy settings. It will also help you troubleshoot any issues you can face relevant to Group Policy settings.
The first problem is that having multiple Group Policy Objects is not easy to control and troubleshoot. So, when GPOs are deployed, certain things need to be considered. These include:
- The difference between the user settings and computer settings.
- GPO’s order of precedence.
- Overlapping of Group Policy Settings.
- The applied policies can be affected when a user or a computer is moved to a different Organizational Unit (OU).
Before jumping into the guide itself, it will be fruitful to go through the best-used practices for Group Policy. These include:
- The default domain policy is set at the domain level, so it should not be modified. However, any other settings must be put into a separate Group Policy Object (GPO).
- A carefully designed OU structure will make the task easier. For instance, a sub-organizational unit needs to be created for each separate business function.
- Use small GPOs for simplifying administration.
- Change management should be implemented for group policy. It can get out of control if all administrators are given the right to make changes whenever they feel necessary.
- New computer and user configurations should be disabled to speed up GPO processing.
- Descriptive GPO names should be used for quick identification.
- GPOs need not be set at a domain level. Instead, they should only be applied at the OU level. This will allow sub-OUs to inherit the policy settings.
Using RSoP for determining Computer and User Policy Settings
Now, let’s go through the steps needed to run RSoP for determining computer and user policy settings.
- First, you must be a local administrator on the local computer so that RSoP can return the computer configuration policy settings.
- Run the “rsop.MSC” command line from a local. It will run and produce a user and computer policy settings report.
- With the RSoP report complete, it is time to review the policy settings generated. First, go through the policies and understand what settings have been applied. Remember that the RSoP report will only have the policy settings and not the Group Policy Objects (GPOs).
- Now, we have to go back to Group Policy Management Console (GPMC) and verify that the linked policies are getting applied.
Let us verify it on our end. But then, you can do the same on your end as well. So, for instance, we have a Group Policy Object (GPO) named “Computer – Win 10 settings”. And, we are logged in from computer PC1. So, administrators should apply the policies in that GPO to PC1.
Now, this needs to be verified with results from RSoP. This is quite simple to perform. After running the RSoP, you can see that the settings in the GPO named “Computer – Browser Settings” are getting applied to PC1. In the results, it can also be seen that from which GPO the settings are coming from.
If there are more than one overlapping GPOs that you acquire, then you have to observe which GPO is taking precedence in the results section.
An important point to note is that when rsop. msc is run on a client machine, and then, by default, it will run in logging mode. There are two modes in which RSoP can run, one is logging mode, and the other is planning mode. Below are the steps to run RSoP in planning mode.
How to Simulate GPO Policy Settings by running RSoP in Planning Mode
Now, we will use the planning mode of RSoP to observe what policies will be applied if a user is moved to a new OU, for instance, sales. Since we have a GPO linked to this OU, so it is expected that those policies will get applied. Therefore, we want to observe what would get set before moving anything to this OU.
- The first step is to open MMC. This can be done using either of the two ways. The first way is to open the windows run command by pressing win + R and then type MMC. The second way is to open the command prompt and type mmc.exe.
- The MMC console opens. You have to go to File and then click on Add / Remove snap-in.
- There is a list of available snap-ins in the Add or Remove Snap-ins dialog box. Choose Resultant Set of Policy (RSoP) from the list.
- For running the RSoP wizard, right-click on the Resultant Set of Policy and Select Generate RSoP Data.
- A welcome screen appears. Click next to continue.
- Then select the planning mode (Since we are trying to simulate GPO Policy Settings by running RSoP in Planning Mode).
- Select the User, Computer, or OU you want to simulate the policy settings for.
- As talked earlier, we‘ll simulate the policies for Sales OU, so I’m going to select Container for the user information and then PC1 for the computer system. Click Next to continue.
- You can choose from any additional simulation options if needed.
- Click Next to continue. Again, click Next.
- The next page appears in the User Security group page. Changes to the security groups can be simulated there.
- Click Next to go onto the next page.
- The next page to appear is the WMI Filters page. Again, you have the option to use all of the available ones or choose only selected filters from them. Then, click Next to continue.
- The next page is the final page, i.e., the summary page. You can skim through the chosen configurations there. Click Next to continue.
- The wizard is finally complete.
Now, we have the simulated results. We have to observe which policies will get applied when selecting the sales OU. On checking the results, we know that only those settings are shown which are used. The GPO itself will not be displayed. Only the policy settings can be seen.
We can see that the screen saver settings are applied under the user configuration by going through the simulated results. So, it is confirmed that the GPO set at the sales OU will get used. So, there are no issues with this. Now, administrators can move users into this OU.
RSoP can be a precious tool for system administrators if used correctly. The feature helps sysadmin avoid GPO conflicts and helps reduce potential downtime by acting as a planning tool before updates are applied in production.
Are you looking to use RSoP in your environment? Let us know in the comments below.