Solving Group Policy Problems with the Group Policy Results Wizard

Sometimes referred to as Resultant Set of Policy (RSoP), in this Ask the Admin, I’ll show you how to determine which Group Policy settings are actually being applied to devices using the Group Policy Results Wizard.

Group Policy Results is a feature of the Group Policy Management Console (GPMC), and allows administrators to scan the local or remote machines, and users to determine which Group Policy objects (GPOs) and settings are being applied. This differs from Group Policy Modelling, which shows the result of applying a set of GPOs without making any changes to users or machines.

The Group Policy Results Wizard helps system administrators figure out what settings are really being applied to devices, which can be a difficult task when you consider that multiple GPOs might be linked at different levels of the AD hierarchy, then add different processing options and enforcement settings, along with WMI filters, and it may not be immediately clear what settings are being applied.

Group Policy Management Console

The Group Policy Management Console is installed by default on all Active Directory domain controllers (DCs). Alternatively, GPMC is installed as part of the Remote Server Administration Tools (RSAT) for Windows Server 2012 R2, which are supported on client and server versions of Windows. For details on RSAT, see Remote Server Administration Tools (RSAT) for Windows 8: Download and Install on the Petri IT Knowledgebase.

Setting Up Your Environment for RSoP

Before analyzing remote devices, you’ll need to make sure that the relevant inbound Windows Firewall rules are enabled for Group Policy Results. Windows Firewall includes a set of built-in rules for Group Policy Results that need to be enabled for GPMC to make connections to remote machines. The Windows Firewall rules are Remote Event Log Management (NP-in), Remote Event Log Management (RPC), Remote Event Log Management (RPC-EPMAP), and Windows Management Instrumentation (WMI-in).

But don’t worry, it’s easy to enable the Windows Firewalls rules on all devices in your domain using Group Policy, because there’s a starter GPO included in Windows Server 2012 (and later) that includes the necessary settings. For more information on using starter GPOs and linking GPOs, see How to Use Starter Group Policy Objects in Windows Server and How to Create and Link a Group Policy Object in Active Directory on Petri.

Alternatively, you can quickly create a GPO with the necessary settings, and link it your domain so that it applies to all devices, using the PowerShell cmdlet below. You’ll need to log in to a domain controller as a domain administrator, or a device that has the Active Directory module for PowerShell installed, to run the cmdlet. Don’t forget to replace dc=ad,dc=contoso,dc=com in the –target value with the CN of your domain name.

New-GPO –Name ‘Windows Firewall RSoP Ports’ –StarterGpoName ‘Group Policy Reporting Firewall Ports’ | New-GPLink –target ‘dc=ad,dc=contoso,dc=com’ –LinkEnabled yes

Group Policy Results Wizard

Now that the necessary Windows Firewall rules have been applied to devices in the domain, let’s open GPMC and check the Group Policy settings on a device.

Log on to a Windows Server 2012 R2 domain controller (DC) using a domain administrator account, or a device where RSAT is installed.

• Switch to the Start screen, type group policy management and select Group Policy Management from the search results.
• If you need to start GPMC with alternate user credentials, make sure Group Policy Management is selected in the search results, press CTRL+SHIFT+ENTER and then enter a username and password.
• In the left pane of GPMC, expand your AD forest, right click Group Policy Results in the left pane, and select Group Policy Results Wizard from the menu.
• Click Next in the Group Policy Results Wizard on the welcome screen.
• On the Computer Selection screen, check Another computer.
• In the box, type a computer name. Alternatively, click Browse and use the Select computer dialog to select a computer account.

• Click Next on the Computer Selection screen.
• On the User Selection screen, if you want to also collect user results, check Select a specific user and then select a user from the box. The box only displays users that have logged in previously to the remote device.
• If you’re not interested in collecting the results of user policy, check Do not display user policy settings in the results (display computer policy settings only). Click Next to continue.
• Check the configured settings on the Summary of Selections screen and click Next.
• Click Finish in the Group Policy Results Wizard window.

Note that at this point, you have the option to rename the results report in the left pane, or you can just press ENTER to accept the default name.

The Report from the Group Policy Results Wizard

On the Summary tab in the right pane of GPMC, you should see a message saying No Errors Detected for both computer and user policy. Now switch to the Details tab. Here you’ll find the nitty gritty of the report. In this example, I can see information about GPO processing at the top of the Details tab. The GPOs applied to the device, in this case CONTOSOSRV1, are listed along with any WMI filters that are applied. Under Computer Details and User Details respectively, you can expand the relevant sections to see the actual settings that are applied to the remote device.

FAQs

How does the Group Policy Results Wizard differ from other Group Policy management tools?

The Group Policy Results Wizard provides real-time analysis capabilities that other tools don’t offer, allowing administrators to troubleshoot policy conflicts and see the exact hierarchy of applied policies across multiple domains. This makes it particularly useful when managing complex Active Directory environments.

Can the Group Policy Results Wizard be used in offline environments?

While the Group Policy Results Wizard primarily functions in online environments, it can generate reports that can be exported and analyzed offline. However, real-time policy analysis requires network connectivity to the target machines.

What permissions are required to use the Group Policy Results Wizard effectively?

To utilize the Group Policy Results Wizard comprehensively, users need domain admin privileges or delegated permissions specifically for Group Policy management. The tool also requires specific firewall configurations and remote management permissions on target machines.

How often should administrators run the Group Policy Results Wizard for maintenance?

Best practices suggest running the Group Policy Results Wizard monthly for routine maintenance, after major policy changes, and when troubleshooting user reports of policy-related issues. This ensures optimal policy implementation and helps identify potential conflicts early.

What are the reporting capabilities of the Group Policy Results Wizard?

The Group Policy Results Wizard can generate detailed HTML reports showing applied policies, processing time, and policy conflicts. These reports can be customized to focus on specific users, computers, or policy areas, making it an invaluable tool for documentation and compliance purposes.