If there are conflicts between local group policies and domain-level policies, the latter take precedence as they are executed after the local ones, potentially overwriting redundant settings.
However, if you, for example, disable a GPO in Active Directory, the expected effect may not occur as a local policy still might be active. Besides, it can be useful to get an overview of the configured local settings, especially on workgroup computers.
Finding local Group Policy settings in RSOP
To find local policies in RSOP, rsop.msc can be used as a graphical tool. On a workgroup computer with relatively few policies, it helps you quickly find the configured settings.
However, if the machine is a member of a domain, then you have to navigate through practically the entire tree to determine whether a setting is derived from the domain or from a local policy.
Evaluation of the text output from gpresult
The default tool for GPO reporting is gpresult.exe. When you execute "gpresult /r", it only shows you under Applied Group Policy Objects whether local Group Policy objects are present. The settings configured through these policies are not displayed.
To obtain more information, you need to use the /v switch. Instead of searching for the relevant entries yourself, you can filter them out with a regex:
gpresult /r /v > gpr.txt
Get-Content -Raw gpr.txt |
    Select-String '(?s)GPO: Local Group Policy.*?abled' -AllMatches |
    Foreach {$_.matches} |
    Format-List @{n="Setting";e={$_.value}}
However, the output is not very clear, and it lacks information such as the path within the GPO editor where the respective setting can be found.
Examine XML reports using PowerShell
As an alternative to plain text output, gpresult.exe can generate a structured report in XML format that can be analyzed easily with PowerShell.
gpresult /X gpr.xml
[XML]$XMLRep = Get-Content -Raw .\gpr.xml
$XMLRep.Rsop.ComputerResults.ExtensionData.Extension.Policy |
    where {$_.GPO.Identifier.'#text' -eq "LocalGPO"} |
    Format-List @{n="Name";e={$_.name}}, @{n="Path";e={"Computer - " + $_.Category}}
The above code example extracts locally set policies from the computer branch. If you also want to find the settings for the users branch, then run the following command too:
$XMLRep.Rsop.UserResults.ExtensionData.Extension.Policy |
    where {$_.GPO.Identifier.'#text' -eq "LocalGPO"} |
    Format-List @{n="Name";e={$_.name}}, @{n="Path";e={"User - " + $_.Category}}
The output of the two commands contains the names of the settings and their paths in the GPO editor. If necessary, you can add more elements, such as the entire help text for each setting which is contained in the XML report.
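The two pipelines above can be folded into one function that covers both branches and also returns each setting's state and help text, so local overrides can be reviewed as objects. This is an added example, not code from the original article: the function name Get-LocalGpoSetting and the sample XML are constructed, and it assumes the report's Policy elements carry State and Explain children next to Name and Category.

```powershell
# Added example (not from the original article). Get-LocalGpoSetting is a hypothetical name.
function Get-LocalGpoSetting {
    param([Parameter(Mandatory)][xml]$Report)

    # Text of a direct child element, matched by local name so that the
    # namespace prefixes used in real gpresult reports do not matter.
    $text = {
        param($node, $name)
        $n = $node.SelectSingleNode("*[local-name()='$name']")
        if ($null -ne $n) { $n.InnerText.Trim() }
    }

    foreach ($scope in 'Computer', 'User') {
        # Policy elements in this branch whose GPO identifier is LocalGPO.
        $xpath = "//*[local-name()='${scope}Results']//*[local-name()='Policy']" +
                 "[normalize-space(*[local-name()='GPO']/*[local-name()='Identifier'])='LocalGPO']"
        foreach ($policy in $Report.SelectNodes($xpath)) {
            [pscustomobject]@{
                Scope   = $scope
                Name    = & $text $policy 'Name'
                State   = & $text $policy 'State'    # assumed element name
                Path    = & $text $policy 'Category'
                Explain = & $text $policy 'Explain'  # assumed element name (help text)
            }
        }
    }
}

# Constructed sample shaped like a gpresult /X report (namespaces omitted, values invented).
# Settings A and C are attributed to the local GPO, setting B to a domain GPO.
[xml]$sample = @'
<Rsop>
 <ComputerResults><ExtensionData><Extension>
  <Policy><GPO><Identifier>LocalGPO</Identifier></GPO><Name>Sample setting A</Name>
   <State>Enabled</State><Category>Sample/Computer category</Category><Explain>Help A</Explain></Policy>
  <Policy><GPO><Identifier>{constructed-domain-gpo}</Identifier></GPO><Name>Sample setting B</Name>
   <State>Enabled</State><Category>Sample/Computer category</Category><Explain>Help B</Explain></Policy>
 </Extension></ExtensionData></ComputerResults>
 <UserResults><ExtensionData><Extension>
  <Policy><GPO><Identifier>LocalGPO</Identifier></GPO><Name>Sample setting C</Name>
   <State>Disabled</State><Category>Sample/User category</Category><Explain>Help C</Explain></Policy>
 </Extension></ExtensionData></UserResults>
</Rsop>
'@

Get-LocalGpoSetting -Report $sample | Format-List

# Against a real report: Get-LocalGpoSetting -Report (Get-Content -Raw .\gpr.xml)
```

Because the function emits objects, the result can be piped to Export-Csv and kept per machine to spot local settings that stay active after a domain GPO is disabled.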
Summary
When you want to determine which settings are configured by local group policies, you can use rsop.msc on workgroup PCs.
However, for computers that are members of a domain, the graphical tool can be cumbersome. In such cases, you can generate various reports with gpresult.exe and analyze them with PowerShell. The most effective approach is to use structured files in XML format for this purpose.
From Windows 2008 R2, rsop is not fully supported because of GPP, which is not shown in the MMC.
True. But since GPP are not available in local group policies, you can examine all settings with rsop.msc.
Is there a way to find out what RSOP is applied on a Service Account?