Troubleshooting Group Policy can be a daunting task. Changes that you make in the Group Policy Management Editor are not always reflected immediately on the client. You are now probably using GPResult to verify the policies. But an easier way is to use the RSoP management console.
The GPResult tool is great when you want to quickly check which policies are applied to the client, and when the last update was. But when you are changing settings inside a policy and want to verify if they are applied, then the RSoP tool is a much better option to use. Besides showing the existing setting, it can also be used to plan new policy changes.
In this article
In this article, we are going to take a look at the RSoP management console. How to use it for existing policies and planning changes.
Using the RSoP Utility
The RSoP (Resultant Set of Policies) utility gathers all user and computer policy information. What great is about the tool is that it displays the policy in the same format as the Group Policy Management Editor. This makes comparing policies a lot easier.
We can run the utility both in the user context or with elevated permissions. When you run it in the user context, only the user policies are gathered, not the computer policies. So let’s take a look at how to inspect all user policies:
- Press Windows key + R (or right-click start and select Run)
- Type rsop.msc <enter>
You will probably get an error, that the computer’s data can be generated due to insufficient permissions. Just click close to continue.
To console of RSoP looks similar to the Group Policy Management Console. But besides that you can’t change any setting in the RSoP utility, you will also notice that you only see the configured settings.
For the examples below I have configured a user policy (UPO_Win11_Settings) that sets the PowerShell Execution policy. Below you will see the policy in the Group Policy Management editor:
If we take a look at the RSoP utility we can verify the settings by navigating to the policy: User Configuration > Administrative Templates > Windows Components > Windows PowerShell:
We can see that the setting Turn on Script Execution is enabled and you can also open the setting and see how it’s configured.
Viewing Policy Precedence
When it comes to policies the precedence of a policy determines which policy is applied. If you open the policy in the RSoP tool you can click on the Precedence tab and see in which policy the setting is made, and in case of multiple policies which one is effective. (Policy on top is the one that’s effective)
In this example, the setting made in the user policy UPO_IT overrules the PowerShell Execution Policy setting in UPO_Win11_Settings. So when troubleshooting policies, make sure that you also check the precedence tab!
View Applied Polices in RSoP
Something a lot of people don’t know is that besides the effective policy settings, you can also view the applied policies, filtered ones, and policies with errors in RSoP. We are still running the RSoP tool in the user context mode, but this also works for the computer configuration. So let’s start by showing which policies are applied and filtered out.
- Right-Click on User Configuration (you can do the same with computer configuration)
- Select Properties
- Enable Display all GPOs and filtering status
By default, you will see only the Applied policies, but when you enable Display All… (3) then we can also see which policies are filtered out because they are disabled for example.
If you want to know where the policy is linked, then enable the option “Display scope of management”. This will show the OU where to policy is linked.
Show Policies with Errors
With the User Configuration properties open, you can also view the policies that contain an error. Open the tab Error Information to check for any errors in your policies. In this case, we have an incorrect parameter in the Internet Explorer Zonemapping.
Unfortunately, it won’t tell you in which policy the setting is made.
Viewing the Computer Configuration
To view the computer configuration policies you will need to have elevated (admin) permission on the local machine. One way to do this is to open the Windows PowerShell (admin) and run the RSoP utility from the elevated PowerShell console.
- Right-Click on Start or press Windows key + X
- Choose Windows PowerShell (Admin) or Windows Terminal (Admin)
- Type rsop.msc and press enter
You will now also see the Computer Configuration in the Resultant Set of Policy tool. The only problem is that the User Configuration shows the applied policies of the administrator account. We can also verify this by opening the properties of the RSoP:
Now if you only want to check the Computer Configuration, then this isn’t really an issue. But if you want to view the User Configuration as well, then we will have to run a new query from the management console.
- Right-Click on the top record in the navigation tree.
- Choose Change Query
- Click Next, we want to view the policy of this computer
- Choose Select a specific user and select the user in question
- Click Next twice and Finish to view the results.
We now have the computer configuration policies and user policies together in one overview:
Planning Policy Changes with RSoP
Another great feature of the RSoP Utility is that you see the effects of moving a computer or user to another OU (Organization Unit), before actually making the change. For this, we will need to add the RSoP Utility in a new management console.
Note
To use the planning mode you will need to have administrator permission. Either log in as administrator and follow steps 1 and 2 below or open the first PowerShell as Admin and type MMC to open a new management console (and continue with step 3).
- Press Windows key + R (or right-click start
- Choose Run and type MMC <enter>
This will open a new empty management console. - Click on File and select Add or Remove Snap-Ins
- Scroll down and select Resultant Set of Policy and click Add and Ok when done
- Right-Click on Resultant Set of Policy
- select Generate RSoP Data
- A new wizard opens, click Next to get Started
- Select Planning Mode
User and Computer Selection
We are now in the User and Computer Selection screen. Here we can determine which scenario we want to simulate. We have the option to select a specific user and computer, the container where the user is in (or is going to be moved to), and the container for the computer.
These options allow you to simulate what happens when a user logs onto a different computer or what happens when you move a computer or user to a different container (OU). For our example, we are going to simulate what happens when we move our user Zoe Tucker, from the IT container to the Marketing container. We leave the computer the same.
The last setting which we can also simulate what happens with the policy when using a Slow network connection, and what the result is of the different Loopback processing modes (Replace or Merge). In this case, leave everything unchecked.
In the next screens, we can verify the User and Computer location, change the user and computer security groups, and even remove WMI filters if they were set in a policy.
The last screen is the summary, where we can view the selections that we have made and select the domain controller that we want to use for the simulation. Click Next when everything looks correct to generate the resultant set of policies.
Viewing the Results
After the results are generated we can navigate through the policy the same way as in the Group Policy Management editor or when running RSoP in normal mode. If we check the applied User Configuration policies, then we can see that the IT-related policies are not applied anymore:
Wrapping Up
Personally, I prefer the RSoP utility over the GPResult command-line tool. The latter is great if you want to view the Applied policies or last applied time, but when you really need to troubleshoot group policy objects, then this tool is so much more useful.
The Planning mode of the RSoP utility can of course also be used to view the resultant set of policies of other users or computers from your own computer. So when troubleshooting issues, you don’t need to have access to the user’s computer. You can view all the results from your own workstation.
I hope you found this article useful, if you have any questions, just drop a comment below.
