This guide gives an overview of Group Policy, RSoP (Resultant Set of Policy) and Group Policy Objects.
GP – Group Policy
RSoP – Resultant Set of Policy
GPOs or GP Objects – Group Policy Objects
GPMC – Group Policy Management Console
GP Settings – Group Policy Settings
What is Group Policy (GP)?
Group Policy is a Microsoft infrastructure tool that provides centralized management and configuration of user and computer settings. Group Policy does this through Group Policy settings and Group Policy Preferences.
The beauty of GP is that it provides administrators centralized management and control. For example, an administrator can enforce a password complexity policy or modify specific settings of domain-joined computers.
Group Policy Management Console (GPMC)
Group Policy Management Console (GPMC) is the tool used to create GPOs. GPOs are the actual objects where the administrator sets the policies that control users and computer settings.
Below are some of the things you can do with GPMC:
- Create new and edit existing GPOs
- Export and import GPOs
- Copy, paste, back up and restore GPOs
- Create GPO reports, including RSoP reports
RSoP (Resultant Set of Policy)
RSoP is a report of the Group Policy settings applied to users and computers. You can use RSoP.msc to get RSoP for a local computer. To get RSoP information for a remote computer, use the GPResult command-line tool.
GPResult displays the Resultant Set of Policy (RSoP) information for a local or remote user and/or computer. To learn how to use the GPResult command, see GPResult Command: Syntax, Parameters, Examples.
How to Use RSoP.msc to Get Applied GPOs
- Log on to the computer with an admin account.
- Next, hold the Windows logo key and press R to open Run. When Run opens, type RSoP.msc and click OK. RSoP will start gathering the information.
- When it finishes, it will display a report similar to the image below.
Generating the policies applied to a computer is useful for troubleshooting and resolving Group Policy issues. It will help determine what policies are applied or not applied to a user or a computer.
Understanding RSoP.msc Results
The result generated by RSoP.msc has two parts, Computer Configuration and User Configuration.
The results are similar to the settings in a typical GPO. But the result only shows settings applied to the computer or user.
As an example, when I click the Computer Configuration\Software Settings node, it is blank. This is because no policy setting was applied to the computer from the settings in this node.
As I said earlier, you can use RSoP results to troubleshoot GPOs. Say you created password policies and applied the GPO to an OU. You have confirmed that a particular computer is in the OU where the GPO is applied. But when you check the computer, the password policy does not apply.
To see the password policies applied to this computer, in the RSoP result, expand \Computer Configuration\Windows Settings\Security Settings\Account Policies. Then click Password Policy. On the right-hand side of the console, you can review the password policies applied to this computer.
There are other factors that may help you determine why a GPO is not applied to a user or a computer. See the next section for details.
Group Policy Objects (GPOs)
A GPO is a collection of user and computer settings that defines the permissions, behavior and configuration of the users or computers the GPO is applied to.
A GPO can be applied at the Domain, Organizational Unit or Site container level.
When you apply a GPO to a container, all objects in that container inherit the policies defined in the GPO settings.
Objects inheriting GPO policies may also be affected by other configurations like Block Inheritance or No override (more on this below).
To apply a GPO to a Domain, OU or Site, you can create a new GPO or link an existing one.
Enforced, Block Inheritance and GPO Priority
Earlier in this guide, I said that GPOs can be applied to Sites, Domains and Organizational Units (OUs). When you apply a GPO to a container, all objects within the container should apply the GPO settings. But there is a caveat.
There are two GPO settings that affect whether a GPO may be applied to an object or not – Enforced and Block Inheritance. If you do not want higher GPO links to apply to a child container, you can enable Block Inheritance. But if you want to force top level GPOs on child containers, enable Enforced on the higher level GPO.
When a GPO is set to Enforced, it overrides Block Inheritance. This means that Enforced policies take precedence over Block Inheritance.
Block Inheritance is set at a child container to stop all GPOs linked to higher-level containers from applying to the child container. But if you enable Enforced on the top-level GPO, it overrides Block Inheritance set at the child container.
To set Enforced, right-click the top level GPO. Then click Enforced.
To set Block Inheritance, right-click the lower level container. Then click Block Inheritance.
GPO (Group Policy Object) Processing Order
GPO processing is based on a last-writer-wins model. This means that a GPO applied later takes precedence over GPOs applied earlier.
GPOs are applied in this order:
- The local Group Policy object is applied first
- Then GPOs linked to sites are applied next
- Followed by GPOs linked to domains
- Finally, GPOs linked to organizational units (OUs) are applied last
Unless Enforced is enabled at the Site or Domain level, a GPO applied at the OU is applied to an object. This information is very useful for troubleshooting purposes.
To view the Group Policy precedence order of a container:
- Highlight the container (click on it). On the right hand side, click the Group Policy Inheritance tab.
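The precedence rules above (processing order, Block Inheritance and Enforced) worked through as an added PowerShell example that is not part of the original guide: it models a constructed container chain and computes the order in which the GPOs are applied. The container and GPO names, the values (standing in for a hypothetical ScreenLockSeconds setting) and the Get-EffectiveGpoOrder function are all hypothetical; the model goes slightly beyond the text by applying enforced links last with the highest container winning, and by keeping the local GPO outside the reach of Block Inheritance.

```powershell
# Constructed container chain, listed top-down in the order the guide gives.
# Every name and value here is hypothetical sample data.
$chain = @(
    @{ Name = 'Local';      Block = $false; Links = @(@{ Gpo = 'Local GPO';     Enforced = $false; Value = 0 }) }
    @{ Name = 'Site: HQ';   Block = $false; Links = @(@{ Gpo = 'Site Baseline'; Enforced = $false; Value = 900 }) }
    @{ Name = 'Domain';     Block = $false; Links = @(@{ Gpo = 'Domain Lock';   Enforced = $true;  Value = 300 }) }
    @{ Name = 'OU: Kiosks'; Block = $true;  Links = @(@{ Gpo = 'Kiosk Relaxed'; Enforced = $false; Value = 3600 }) }
)

function Get-EffectiveGpoOrder {
    # Returns the GPOs in application order; the last row is the last writer.
    param([Parameter(Mandatory)][object[]]$Chain)

    $normal   = [System.Collections.Generic.List[object]]::new()
    $enforced = [System.Collections.Generic.List[object]]::new()

    for ($i = 0; $i -lt $Chain.Count; $i++) {
        # Block Inheritance on any container below this one cuts off its
        # non-enforced links. The local GPO is not a linked GPO, so it stays.
        $blockedBelow = $false
        for ($j = $i + 1; $j -lt $Chain.Count; $j++) {
            if ($Chain[$j].Block) { $blockedBelow = $true }
        }
        foreach ($link in $Chain[$i].Links) {
            $row = [pscustomobject]@{
                Container = $Chain[$i].Name
                Gpo       = $link.Gpo
                Enforced  = $link.Enforced
                Value     = $link.Value
            }
            if ($link.Enforced) {
                $enforced.Add($row)
            } elseif (-not $blockedBelow -or $Chain[$i].Name -eq 'Local') {
                $normal.Add($row)
            }
        }
    }
    # Enforced links are applied after all others, lowest container first,
    # so the enforced link highest in the hierarchy is the last writer.
    $enforced.Reverse()
    return @($normal) + @($enforced)
}

$order = @(Get-EffectiveGpoOrder -Chain $chain)
$order | Format-Table Container, Gpo, Enforced, Value
"Effective ScreenLockSeconds comes from '$($order[-1].Gpo)': $($order[-1].Value)"
```

On a machine with the GroupPolicy module, `Get-GPInheritance -Target` with a container's distinguished name returns the real inherited link list, which can be compared against this model.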
In this guide I covered Group Policy, RSoP (Resultant Set of Policy) and Group Policy Objects. I hope this has improved your knowledge of Group Policy.