
Troubleshooting applied Group Policies

GPO

Microsoft’s Group Policy Object (GPO) is a collection of Group Policy settings that can be applied to a group of devices or a group of users from a central place. GPOs are a great enabler for improving the security posture of the IT infrastructure. They can be used to apply changes to configuration settings and ensure that those changes persist. A GPO is basically a defined rule that gets applied to a device or a user of a device.

But GPOs can be tricky because they can overrule or supersede each other. When this happens, the expected result does not materialize. This is where Nanitor comes in: it reports on misconfigured devices based on the values returned from the Windows registry entries in question. You then need to tell whether Nanitor is reporting a false positive or whether the GPO didn't get applied for whatever reason. In that case, it is very useful to use the built-in Microsoft tool called Resultant Set of Policy (RSoP). RSoP is a tool for auditing Group Policy settings.

How to start RSoP

"RSoP is launched via a .msc file. This means you can open it through the start menu, run box, command prompt, or by navigating to the file within the Windows System Files or to just type it into the start menu."

There are many good articles on the internet that describe the use and functionality of RSoP, e.g., this article.

Check your GPOs

When Nanitor reports a misconfiguration that you thought had been fixed with an applied GPO, it is worth checking with a tool like RSoP whether that GPO was actually applied. It will also help you understand why the GPO wasn't applied, for example because it was dismissed or superseded.
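The same check can be scripted. The following is an added example, not part of the original article or of Nanitor: it reads the registry value a finding refers to, exports the computer-scope RSoP data with the built-in `gpresult` tool, and lists which GPOs were applied. The registry key and value name are assumed placeholders, and the element names read from the report are those of the `gpresult /x` XML output.

```powershell
# Added example: compare a policy-backed registry value with this computer's RSoP data.
# Run from an elevated prompt; computer-scope RSoP data requires administrator rights.
param(
    # Assumed example setting; replace with the key and value named in the finding.
    [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
    [string]$ValueName = 'NoAutoUpdate'
)

# 1. What is actually in the registry right now?
$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $item) {
    "Registry: $KeyPath\$ValueName = $($item.$ValueName)"
} else {
    "Registry: $KeyPath\$ValueName is not set"
}

# 2. Export the computer-scope RSoP data as XML (/f overwrites an existing report).
$report = Join-Path $env:TEMP 'rsop-computer.xml'
gpresult.exe /scope computer /x $report /f | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $report)) {
    throw "gpresult failed (exit code $LASTEXITCODE)"
}
[xml]$rsop = Get-Content -Path $report -Raw

# 3. List every GPO in scope and whether it was applied.
#    A link with AppliedOrder 0 means the GPO was evaluated but not applied.
$rsop.Rsop.ComputerResults.GPO | ForEach-Object {
    $appliedLinks = @($_.Link | Where-Object { $_ -and [int]$_.AppliedOrder -gt 0 })
    [pscustomobject]@{
        Name          = $_.Name
        Applied       = $appliedLinks.Count -gt 0
        Enabled       = $_.Enabled
        FilterAllowed = $_.FilterAllowed
        AccessDenied  = $_.AccessDenied
        IsValid       = $_.IsValid
    }
} | Sort-Object Applied, Name | Format-Table -AutoSize
```

If the registry value differs from what the GPO should set and that GPO shows `Applied` as `False`, the finding is not a false positive; the other columns are copied as-is from the report and indicate where to look next.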