How to use RSOP to Inspect Applied GPO Settings

choubertsprojects

VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

The GPO tool in Windows is an invaluable resource for IT administrators. It allows you to manage the settings on your computer and enforce them across multiple PCs with just a few clicks, without having to write any code (although you can use VBS or PowerShell scripts if needed). This guide will teach you how RSOP stands for Remote Server Administration Tools, which are included in every version of Microsoft Windows operating system; how it works; and finally how it can be used to inspect applied GPO settings from another PC.,

The “rsop command line switches” is a command-line tool that can be used to inspect applied GPO settings. The RSOP tool can be used in conjunction with the GPMC.

How to use RSOP to Inspect Applied GPO Settings

When you deploy an Active Directory (AD) Group Policy Object (GPO) to hundreds or even thousands of target computers, it’s likely that it will take some time for them to all get it. When a computer gets a new policy or retrieves updated policy settings, how do you know? The RSOP tool is being used.

The Resultant Set Of Policy (RSOP) tool is a built-in Windows utility that lets you see what policy settings are implemented to local and distant machines. Read on if you’re curious in the configuration GPOs create on your PC.

How to Use the GPResult Tool to Verify Applied GPOs

Let’s get this party started.

Prerequisites

This course will walk you through a variety of examples. If you want to follow along, make sure you have the following items on hand:

  • Any version of Active Directory will function in an Active Directory domain. This lesson will make use of the domain HomeLab.Local.
  • To test local GPOs, you’ll need a domain-joined Windows PC with at least one GPO installed. This course will be performed on a computer known as Win10VM1.
  • If you wish to run RSOP remotely, you’ll need a second domain-joined Windows PC. This course will be performed on a computer known as Win10VM3.
  • On the remote machine, TCP ports 445, 135, RPC dynamic ports, and all WMI ports are open. To guarantee that all ports are open, establish a GPO named Group Policy Reporting Firewall Ports.
  • Both the local and distant computers have local administrator access.
  • A GPO with refuse permissions defined for an AD group. This tutorial will utilize the DeniedGPOUsers AD group with no users added to it and deny permissions.

When you assign a GPO to a computer in Active Directory, that machine should contact the domain controller and, depending on the GPO refresh interval, view the GPO and try to implement the settings indicated by the GPO as soon as possible.

What is a Group Policy, and How Does It Work? (In Detail)

When the computer uses the Windows Management Instrumentation to apply GPO settings, the settings are saved on the computer in the Common Information Management Object Model (CIMOM) database (WMI). Run the RSOP tool to check the settings that have been applied. The RSOP utility creates a report that details the rules that have been implemented (or are being implemented) for users and machines on the PC.

When you have several, contradictory rules, RSOP is a fantastic way to troubleshoot them. You may use RSOP to see which GPOs had priority and overrode each other.

Modes

To assist you figure out how GPOs influence target machines, RSOP offers two separate modes: logging and planning.

  • Logging mode — The most popular usage of RSOP, which generates a report on all rules that have been applied to all logged-on users and the machine.
  • Planning mode is a less-used feature of RSOP that enables you to simulate what settings will be applied to a machine if one or more GPOs are applied to it. Planning mode is used to predict what will happen if, for example, a user is relocated to a different AD group.

Using RSOP to inspect locally applied GPOs

Let’s get started with some practical RSOP demos. Let’s start with how to use the RSOP tool and what type of data you may anticipate to view.

Open a command prompt or PowerShell window as an administrator on your domain-joined Windows PC.

How to Run PowerShell as an Administrator is a related topic.

RSOP will not have access to the machine settings until you open a command prompt or PowerShell as administrator (only logged-in user settings). When you run RSOP, you’ll get an error message saying you don’t have enough rights.

Run the rsop.msc command next. The RSOP MMC snap-in will appear as a result of this activity.

When you start RSOP, it will instantly begin reading all of the policies that have been implemented and will provide a report. RSOP is set to log mode by default. The results of running RSOP on a machine named WIN10VM1 while signed in as a user named LabAdmin are shown below.

When you expand each of the folders, you’ll see all of the settings from all of the GPOs that apply to that specific user or machine.

Run the gpupdate /force command on the PC to manually refresh the policy settings if you don’t see an anticipated GPO setting for a recently-created GPO.

Using the force gupdate commandUsing the force gupdate command

For example, below you’ll see a local policy called HostName.bat assigned to the user logon on the PC. Inside the policy is a batch file called HostName.bat under User Configuration —> Windows Settings —> Scripts —> Logon.

Editor of Local Group PoliciesEditor of Local Group Policies

When you run RSOP on a machine with local policy defined, the Logon script will be applied, along with the Policy Name that applied it.

As a result, a set of policy consoles has been created.As a result, a set of policy consoles has been created.

Using RSOP’s Planning Mode to test policy changes

Perhaps you’re preparing to deploy a critical GPO to a large number of machines. You may either “test in production” by applying it to all machines at the same time, or you can utilize RSOP’s planning mode.

If you apply a GPO to a machine, you may simulate many different situations in planning mode, such as when:

  • The network connection on the target PC is sluggish.
  • Loopback processing is enabled.
  • Many GPOs have been applied to the target PC in order to evaluate policy priority.
  • A user signs in to the target PC, or the computer account belongs to several AD groups, and one of the AD groups is refused GPO authorization.
  • A person or machine may be relocated across domains, OUs, and even Active Directory sites.
  • An OU is given a WMI filter.

GPOs may throw a lot of conditional variables at you, thus planning mode will help you account for them all.

To use RSOP in planning mode, follow these steps:

1. Type mmc in a command prompt or elevated PowerShell terminal. This will bring up the MMC console.

It’s important to note that you can’t just execute rsop.msc in this case. As you’ll see, the only method to modify the RSOP mode is to use an MMC snap-in.

2. Open the File menu in the MMC console and choose Add/Remove Snap-in, as shown below.

Add/Remove option in MMC consoleAdd/Remove option in MMC console

3. Select Resultant Set of Policy in the Add or Remove Snap-ins dialog box and click Add to transfer the snap-in from the left window to the right window.

Option to Display the Resultant Set of PoliciesOption to Display the Resultant Set of Policies

4. To skip through the intro stage, right-click on the Resultant Set of Policy MMC snap-in, as shown below, and choose Generate RSOP Data and Next.

Option to Generate RSoP DataOption to Generate RSoP Data

5. Select Planning mode from the Mode Selection page and click Next to go to the Computer Selection screen.

Choosing the Planning mode optionChoosing the Planning mode option

6. Select the individual who could be impacted by a forthcoming GPO by clicking Browse under User Information. Also, under Computer Information, click Container and Browse to pick the OU that will hold the PC this user will be entering into.

The simulation will offer all of the settings that a user named HOMELABUser01 would get if they logged onto any machine in the Desktop VMs OU, as seen in the accompanying picture.

Choose a user OU and a computer OU from the drop-down menus.Choose a user OU and a computer OU from the drop-down menus.

7. If you’d like to simulate a few additional scenarios, pick the following options:

When you’re finished, click Next.

Loopback processing mode with a slow network connectionLoopback processing mode with a slow network connection

8. Click Browse to alter the OU for either item if you don’t intend on deploying the GPO to the OU where the user or machine will be. When you’re finished, click Next.

You established the OUs in which the user and target machine would be situated in step six. You’re specifying the OU to which the GPO will be applied here.

Changing the course of the simulated GPO that has been appliedChanging the course of the simulated GPO that has been applied

9. Click Add to add the user to the AD group you want them to be in. The user in this tutorial will be a member of the DeniedGPOUsers group.

User Security Groups are shown. User Security Groups are shown.

The DeniedGPOUsers group is barred from using this GPO, as seen below.

Custom permissions for the DeniedGPOUsers AD group are being shown.Custom permissions for the DeniedGPOUsers AD group are being shown.

10. After that, go through the screens for establishing WMI filters and computer groups for this lesson. You may make these simulated adjustments if you intend on putting up a WMI filter on the GPO or denying/allowing GPO application by the AD group the computer account is in.

11. Finally, examine all of the facts on the Screenshot Summary. Click Next with the Gather expanded error information option selected. When the enhanced error information option is enabled, the RSOP snap-in gathers extra error information when it runs the query. This error message may indicate network or AD difficulties that may impede the policy’s implementation. Enabling this option will likely lengthen the time it takes to run the simulation, but it will offer more detailed information if an issue occurs.

Right-click on the computer configuration or user configuration node and choose properties once the RSOP console has been produced. Then go to the Error Information page to see any errors that were created during the policy simulation.

Screenshot SummaryScreenshot Summary

12. After the RSOP is finished, go through the files under Computer configuration and User configuration to double-check the policies that have been implemented.

Below are two windows: the actual GPO implemented (RSOP in logging mode) on the left, and what RSOP would look like if the user were removed from the DeniedGPOUsers AD group on the right.

The GPO was used.The GPO was used.

Using RSOP to inspect GPOs that have been applied remotely

RSOP enables you to review settings for both logging and planning mode remotely, so you don’t have to walk to each computer’s local terminal. The lesson will utilize logging mode in this example.

1. Open RSOP by running through steps 1-4 in the Using RSOP’s Planning Mode to test policy changes section above.

2. Select Logging mode from the Mode Selection page and click Next to go to the Computer Selection screen.

Choosing the Logging ModeChoosing the Logging Mode

3. On the Machine Selection page, click Browse and choose Another computer since you’ll be querying a distant computer.

Choosing a remote PCChoosing a remote PC

4. In the Select computer box, type the name of the remote computer and then click Check Names. This procedure will look for the machine’s Active Directory (AD) computer account. It will highlight the PC name if it is discovered, as illustrated below.

Name of the remote computerName of the remote computer

5. On the Computer Selection screen, click Next. You might check the box that says Don’t show policy settings for the chosen machine in the results… However, you’ll examine both the machine and the user’s settings.

As a result, a set of policy wizards has been created.As a result, a set of policy wizards has been created.

6. Select the person for whom you’d want to see the policies that have been applied to them. You’ll see a list of users who have logged in at least once to the distant computer.

Click Next after selecting a user from the list.

The option for the current user is greyed out. The remote logged-in user cannot be found using RSOP. You must choose one specifically.

Choosing a user on a distant PCChoosing a user on a distant PC

7. Uncheck the option labeled “Collect extended error information.” To continue, click Next. RSOP will now try to connect to the distant computer and obtain all RSOP settings for the specified user as well as the machine.

As a result, a set of policy wizards has been created. gather extended error information optionAs a result, a set of policy wizards has been created. gather extended error information option

When you’re finished, click Finish.

As a result, a set of policy wizards has been created. completeAs a result, a set of policy wizards has been created. complete

9. You’ll see the identical MMC snap-in you saw while looking at local settings now. The settings, however, came from a distant PC this time.

GPO verification on a distant PCGPO verification on a distant PC

Conclusion

When you need to rapidly locate all of the GPO settings that have been applied to a machine or user, the RSOP tool comes in useful. This tool enables you to view the settings that have been applied, rather than simply the settings for GPOs that target a particular machine or user.

What applications do you envision RSOP being used for in the future?

The “gpresult vs rsop” is a question that has been asked before. The two tools are similar, but they serve different purposes.

Frequently Asked Questions

How do you verify a GPO is applied?

A: Windows Server 2008 R2 has a GPO called Windows6.1-KB860033-x64 that can be used to verify if any changes have been made.

How do I see what GPO is applied to all computers?

A: You can use Group Policy to see what GPO is applied to every computer in your enterprise.

How do I use Rsop?

A: You must first download the app on your device and then connect it to a Wi-Fi network. Once you have done that, launch the app and sign in with your credentials.

Related Tags

  • gpresult rsop command
  • rsop commands
  • how to run rsop command
  • how to open rsop
  • how to get rsop results in html