- Docker logs tail: Troubleshoot Docker containers with real-time logging - Wed, Sep 13 2023
- dsregcmd: Troubleshoot and manage Azure Active Directory (Microsoft Entra ID) joined devices - Thu, Aug 31 2023
- Ten sed command examples - Wed, Aug 23 2023
Resultant Set of Policy (RSoP) in the MCC
Resultant Set of Policy (RSoP) is a Windows MMC tool that enables network administrators to analyze and manage Group Policy settings, including user settings and computer policy settings. It provides a comprehensive view of all Group Policy settings applied to a user or computer within an Active Directory environment. RSOP compiles and displays these policies, allowing admins to see their results visually.
RSoP comes in two operational modes:
Logging mode—Logging mode in RSoP enables administrators to view Group Policy settings currently applied to a user or computer. It's often used for troubleshooting Group Policy settings, especially when inconsistencies or unexpected behaviors occur.
This data includes user policy settings, computer configuration policy settings, security settings, and much more. Logging mode also filters out unapplied settings, making it easier to pinpoint specific problems.
Planning mode—Planning mode, on the other hand, is a planning/simulation tool. It simulates GPO policy settings for users and computers. This allows testing of the effects of potential changes to Group Policy Objects (GPOs) without affecting the actual production environment.
RSoP's ability to generate detailed reports on Group Policy settings makes it an excellent tool for troubleshooting, planning, and auditing policy settings across the network for both users and computers.
Group Policy Results and Group Policy Modeling in the GPMC
Microsoft has also added this functionality for modeling and auditing Group Policy settings directly to the Group Policy Management Console (GPMC). The relevant tools include Group Policy Results and Group Policy Modeling.
Group Policy Results—Reports the actual effect of a policy on a computer or user
Group Policy Modeling—Simulates how Group Policy would be applied under different conditions
The Group Policy Results feature of the GPMC corresponds to RSoP’s Logging mode in the MMC, and Group Policy Modeling corresponds to RSoP’s Planning mode.
Generating RSoP with Logging mode in the MCC
RSoP can be accessed from the MMC, which is launched from the command line or a PowerShell prompt using "mmc.exe." The RSoP Wizard in the Group Policy Management Console (GPMC) guides administrators through generating RSoP data and viewing the resultant set of policy settings.
After launching mmc.exe, select the Resultant Set of Policy snap-in and click OK.
Adding the RSoP snap in to the MMC
Next, under the Action menu, select Generate RSoP Data.
Generate RSoP data
It will begin the Resultant Set of Policy Wizard. Click Next.
Beginning the Resultant Set of Policy Wizard
Next, choose the mode you want. As mentioned earlier, the options are Logging mode and Planning mode.
Choosing Logging or Planning mode
Here, we are proceeding with Logging mode. Select the computer for which you want to view policy settings. It can be the local computer or a remote computer.
Select the computer for which you want to display policy settings
Next, select the user for whom you want to view policy settings.
User selection with RSoP
The RSoP Wizard displays a summary of the configuration settings. By default, the Gather extended error information option is selected, which helps to gather more detailed information.
Summary of Selections screen
When you reach the Completing the Resultant Set of Policy Wizard screen, click Finish.
Completing the Resultant Set of Policy Wizard
You will see the results displayed in the MMC console. You can expand the nodes listed to see the applied policy settings for both the computer configuration and the user configuration.
Viewing RSoP settings in the MMC console
Note the following:
- RSoP displays each GPO to which the displayed setting corresponds and any lower-priority GPOs that may be attempting to configure settings. GPMC displays the results in a report-style view that doesn't show the detailed listing of settings. You only see this in the advanced view that launches RSoP.
- If an administrator uses the GPMC and chooses to view advanced information about the Group Policy Results or Group Policy Modeling report, it will open the RSoP snap-in.
Using Group Policy Modeling in the GPMC
As shown below, you can find the new Group Policy Results and Group Policy Modeling in the updated Group Policy Management Console. Because I demonstrated Logging mode or RSoP in the MMC above, I will show you how to use Modeling mode in the GPMC.
The Group Policy Management Console (GPMC) is a well-known tool most admins use to view and configure Group Policy settings in Active Directory. You can launch the Group Policy Management Console by executing the gpmc.msc command.
Group Policy Modeling found in the Group Policy Management Console
Group Policy Modeling and Results are found in the Group Policy Management Console
Both tools function similarly to the corresponding features of the RSoP snap-in in the MMC. When you right-click a node, you can launch the respective wizards.
Launching the Group Policy Modeling Wizard is similar to RSoP Planning mode; the modeling wizard helps simulate policies for planning and testing purposes. It allows you to specify:
- Domain controller
- Users
- Security group membership
- Location
- WMI filter status
Let's work through an example of the Group Policy Modeling Wizard. Below, we launch the Group Policy Modeling Wizard to model changes before the changes are made to a user or computer, such as moving the object to a different OU.
After beginning the wizard, select a domain controller for processing. By default, it will use any available domain controller.
Select the domain controller for processing the modeling request
Next, select the user or computer on which you want to perform the modeling operation.
Select the object you want to model
The next screen also allows you to simulate policy implementation for slow links or specific Active Directory sites.
Simulate slow network connections or different sites
On the next screen, we see the power of the modeling wizard. Here, you can simulate a change in location for the object to see if there are any policy changes.
Simulate changes to the network location of a user or computer
In addition, you can simulate security group changes. What happens if you place a user or computer in a different container? The modeling wizard can help you understand the Group Policy results before making these changes.
Simulate changes to user groups
You can also simulate WMI filters in your modeling simulation.
Include WMI filters in the simulation
The wizard will provide a summary of the chosen options. Click Next.
Summary of the Group Policy Modeling selections
Finally, you will arrive at the completing wizard screen.
Finishing the Group Policy Modeling Wizard
The modeling wizard will automatically open the report of the modeling run. Here, you can see that we have picked up an additional policy setting affecting passwords due to moving the user to the different OU specified in the modeling wizard.
Subscribe to 4sysops newsletter!
Viewing the results of the Group Policy Modeling wizard
Wrapping up
Simulating potential changes with the RSoP's planning mode (Group Policy Modeling) or troubleshooting actual Group Policy issues with the RSoP's logging mode (Group Policy Results) are skills every Active Directory administrator must have.
