NIST's guidance for a Zero Trust Architecture

Active Directory Policies

Group Policy Results

It is always a good practice to know what policy settings are being applied to a user or computer since GPO imposes a lot of restrictions and customizations on the user and computer. So, if something is amiss, a review of the policy settings will shed some light on the problem. To view the Resultant Set of Policy settings, you can use the following tools:

RSoP snap-in

The Resultant Set of Policy snap-in is a Microsoft Management Console (MMC) tool. It can be used to create detailed reports about applied policy settings. It has two modes: Logging mode – displays the policy settings currently applied to a user and computer. Planning mode – simulates policy settings that will be applied to a user or computer. To open the RSoP snap-in, follow these steps:

  • Go to Start Menu → Run. Type MMC and click OK
  • In the MMC console menu bar, File → Add/Remove Snap-in. Select RSoP from the list of available snap-in and click Add → OK
  • Right-click the Resultant Set of Policy and select Generate RSoP data
  • In the wizard that appears, choose the either Logging mode or Planning mode, the computer and the user to see the list of applied settings

Group Policy Results: Group Policy Results is a container available in GPMC. The following steps illustrate how to use Group Policy Results:

  • In the left pane of GPMC, right-click the Group Policy Results container and select Group Policy Results Wizard
  • In the Group Policy Results wizard, choose the target computer and users
  • Click Next to see a summary of the selections made and click next to generate a report. Click Finish

The following information will be available in the right pane: Summary Tab – Contains information on Applied and Denied GPOs, Security Group membership, WMI filters, and component status for both computer and user configuration. Settings Tab – shows all the Computer Configuration and User Configuration policy settings with the name of the winning GPO for each setting. Policy Events Tab – shows all the policy-related events.

gpresult command line tool

The gpresult command line tool when executed displays all the policy settings applied to a particular user or computer. For example, gpresult /user kevin /z will display all available information about the group policy applied to the user Kevin. For more information about using this tool, use the command gpresult /?.

People also read

Group Policy

Group Policy Objects (GPOs): Different Policy Settings

How to force Group Policy update?

Active Directory Group Policy in a Nutshell

Related posts
Active Directory Policies

Group Policy Management Console (GPMC) – Part II

Active Directory Policies

Fine-Grained Password Policy: A Step-by-Step Configuration Guide

Active Directory Policies

Active Directory Account Lockout Policy

Active Directory Policies

Active Directory Password Policy