Recipe 9.20 Viewing the RSoP

9.20.1 Problem

You want to view the actual RSoP for a user and computer. This is a great tool for determining if policies are being applied correctly on a client.

9.20.2 Solution Using a graphical user interface

The RSoP snap-in is available only on Windows Server 2003 and Windows XP.

Open the RSoP snap-in by running rsop.msc from the command line. This will cause the RSoP snap-in to evaluate the group policies for the target computer and pop open a MMC console so that you can browse the applied settings.

You can target a different computer by right-clicking the top of the tree in the left pane and selecting Change Query. You will then be prompted for the name of the computer to query. Using a command-line interface
> gpresult

With the Windows Server 2003 version of gpresult, you can specify a /S option and the name of a computer to target, which allows you to run the command remotely. With Windows 2000, there is a /S option, but it enables super verbose mode. There is no way to target another computer with the Windows 2000 version. For a complete list of options with either version, run gpresult /? from a command line.

9.20.3 Discussion

If you implement more than a few GPOs, it can get confusing as to what settings will apply to users. To address this problem, you can query the resultant set of policy on a client to determine what settings have been applied.

The registry on the target computer is another source of information. You can view the list of policies that were applied to the computer by viewing the subkeys under this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History

The settings that were applied are not stored in the registry, but you can obtain the GPO name, distinguished name, SYSVOL location , version, and where the GPO is linked.

9.20.4 See Also

Recipe 9.19 for simulating the RSoP

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List