7.7 Viewing Planned User Policies (RSoP)

When many different GPOs are assigned to a user or a computer, you might have difficulty predicting what policy or preference settings ultimately apply.

To determine what settings apply, run an RSoP Analysis report. An RSoP Analysis report predicts the final result of all the settings that apply to a particular user logged on to a particular computer.

Active Directory assigns GPOs to users and computers. Some of the settings in each GPO may conflict with one another. For example, one setting may enable Remove Desktop icons while another setting may disable the same item. GPA uses a complex algorithm to arrive at the RSoP for a particular user on a particular computer. This algorithm uses the SDOU (Site, Domain, Organizational Unit) hierarchy to evaluate policy.

NOTE: Link order also affects an RSoP. If you configure GPA to retain the existing Active Directory link order, the RSoP Analysis report predicts the RSoP based on the link order in Active Directory, not in the GP Repository. You can change this option on the Customize Options window in the GP Repository database properties.

The following figure illustrates two sites that belong to one domain as well as a number of associated GPOs.

The policies or preferences are defined as follows:

  • A and G are site‑level.

  • B is domain‑level.

  • C, D, E, F, and L are OU‑level.

The following table shows the results of two different RSoP analyses using the SDOU hierarchy in the previous diagram.

| OU in which user resides | OU in which computer resides | RSoP: S + D + (OUs) |
|---|---|---|
| Marketing | Marketing | A + B + (C + D + L) |
| Finance | Finance | G + B + (E + F) |

The RSoP column of the table shows how the policies or preferences apply, in the order of the SDOU hierarchy. Each level of the hierarchy adds to the next, including GPOs from nested OUs. If any of the GPOs has either a Block Inheritance or Enforced setting, the algorithm processes additional rules to arrive at the RSoP. For more information, see the Microsoft documentation.
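
The ordering described above, worked through as an added Python example (it is not part of the product documentation and is not GPA's own algorithm). It goes beyond the table by modelling Block Inheritance and Enforced as Microsoft documents them; security filtering, WMI filters and loopback are left out, and the OU nesting and the settings are constructed assumptions because the figure is not reproduced here.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    """A site, domain or OU with its GPO links in processing order."""
    name: str
    links: list = field(default_factory=list)    # GPO names
    enforced: set = field(default_factory=set)   # links flagged Enforced
    block_inheritance: bool = False              # domains and OUs only

def rsop_order(site, domain, ous):
    """GPO names in application order; a later GPO overrides an earlier one.
    `ous` runs from the outermost OU down to the OU that holds the object."""
    normal, enforced = [], []
    for depth, c in enumerate([site, domain, *ous]):
        if c.block_inheritance:
            normal.clear()  # non-enforced links from above are dropped
        for gpo in c.links:
            (enforced if gpo in c.enforced else normal).append((depth, gpo))
    # Enforced links apply last; the one linked highest in the hierarchy wins.
    enforced.sort(key=lambda item: -item[0])
    return [gpo for _, gpo in normal + enforced]

def effective_settings(order, settings):
    """Merge per-GPO settings in application order (last writer wins)."""
    result = {}
    for gpo in order:
        for key, value in settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result

# Constructed hierarchy: the nesting of the OUs above Marketing is an
# assumption chosen to reproduce the Marketing row of the table.
site1 = Container("Site1", ["A"])
domain = Container("Domain", ["B"])
marketing_path = [Container("OU1", ["C"]), Container("OU2", ["D"]),
                  Container("Marketing", ["L"])]

# Constructed settings: B enables "Remove Desktop icons", L disables it.
settings = {"B": {"Remove Desktop icons": "Enabled"},
            "L": {"Remove Desktop icons": "Disabled"}}

if __name__ == "__main__":
    plain = rsop_order(site1, domain, marketing_path)
    print(" + ".join(plain), effective_settings(plain, settings))
    # Same path, but B is Enforced and the Marketing OU blocks inheritance.
    domain.enforced.add("B")
    marketing_path[2].block_inheritance = True
    forced = rsop_order(site1, domain, marketing_path)
    print(" + ".join(forced), effective_settings(forced, settings))
```

In the second run the Enforced domain link survives the block on Marketing and overrides L, which is the kind of outcome that is hard to predict by reading the links alone.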

7.7.1 What‑If Scenarios in RSoP Analysis Reports

You can run a simple RSoP Analysis report or use what-if criteria when running the report to simulate a certain scenario.

Simple RSoP Analysis Scenario

When you want to find the effective RSoP from domain and OU policy or preference settings, select a user and a computer from either the same or different domains.

RSoP with What‑if Criteria Example Scenario

What‑if criteria allow you to deploy a GPO hypothetically, rather than actually implementing a new or modified policy or preference without knowing what it might affect. For example, if you are planning to deploy a GPO that defines a new corporate email policy, the ability to run a what‑if scenario helps you ensure the deployment of one GPO concerning email does not have a detrimental impact on all your users.

To determine the result of deploying a GPO under different conditions, use what‑if criteria in the RSoP Analysis report. The what‑if criteria help you simulate what would actually occur in Active Directory. For example, you can simulate the following what‑if scenarios:

  • What if the user or computer is moved to a different OU?

  • What if the user or computer is removed from a security group?

  • What if the user or computer is added to a different security group?

  • What if the computer is moved to another site?

  • What if the GP Repository version of the GPO is exported to Active Directory?

  • What if the GP Repository version of the GPO is exported and its link order is modified?

  • What if you perform the analysis ignoring the existing loop back mode?

  • What if you perform loop back analysis in Replace mode?

  • What if you perform loop back analysis in Merge mode?

In each case, GPA calculates and reports the resultant effect of policies and preferences on the computer and user combination without actually making changes in Active Directory.

NOTE:

  • By default, the RSoP Analysis report does not analyze local and site‑level policies and preferences. You can analyze site‑level policies and preferences by including the "What if this computer is moved to another site?" scenario.

  • If you are creating an RSoP Analysis report based on the "What if the GP Repository version of the GPO is exported to Active Directory?" scenario, only those links that belong to the domain for the user and computer you select are analyzed for block inheritance and link order. The report does not analyze link order and block inheritance settings of other domains. Also, the user and computer you select should be in the same domain to yield accurate results.

7.7.2 Running an RSoP Analysis Report

When you run an RSoP Analysis report, you select the user and computer for which you want to perform the analysis. You have the option to select a user and a computer from different domains and also simulate WMI filter results. You also have the option to incorporate what‑if scenarios such as selecting or ignoring site‑level policies and preferences for a computer when processing the RSoP Analysis report.

NOTE: When you run an RSoP Analysis report using the "What if the GP Repository version of the GPO is exported to Active Directory?" scenario on a GPO in the GP Repository, GPA always simulates the WMI filter results as True for this GPO.

To run an RSoP Analysis report:

  1. Log on to a GPA Console computer with an account that is a member of the Domain Administrators or Enterprise Administrators group. The account also needs read access to all GPOs and SDOU hierarchies that are included in the RSoP analysis.

  2. Start the GPA Console in the Group Policy Administrator program group.

  3. In the left pane, expand GP Analysis, and then click RSoP Analysis.

  4. On the Action menu, select RSoP Wizard.

  5. Follow the instructions in the wizard until you have finished the RSoP analysis and created an RSoP analysis report.