Local Security Policies do not show up in RSOP

  • Question

  • We have an issue where items that are set with a machine's Local Group Policy Editor within the Security Settings area of Computer Configuration list as Not Defined when running a RSOP on the same machine.  We also noticed this problem continued to exist when joined to the domain environment.  Case in point, if there is a setting applied via the Local Group Policy, but not set via a domain GPO, when running a RSOP on that machine, instead of seeing the setting and the Winning GPO to be "Local Security Policy", the setting's value is listed as Not Defined.  We've verified that even though it says Not Defined, the settings still take effect.  In addition, for a non-domain joined machine, when we make any change to any setting that falls within the Local Policies-Security Options, even after a RSOP, the setting doesn't display, but only shows within the Local Group Policy Editor.

    We have reset the security database to the Vista default, but the issue still seems to persist.... We are building our image with numerous applications, so we are trying to avoid beginning from scratch.

    Suggestions to this frustrating problem are welcome.

    Tuesday, August 31, 2010 5:55 PM

Answers

  • Hi,

    As Florian explained, it’s by design behavior. RSOP gathers policy data from a Common Information Model Object Management (CIMOM) database on the local computer.

    Local Group Policy was not stored in this database and cannot be queried by RSOP. Gpedit.msc and secpol.msc just edit system settings directly.

    If there is any trouble caused by this behavior, please let us know and we will help to find a workaround.

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Mervyn Zhang Thursday, September 9, 2010 6:46 AM
    Wednesday, September 1, 2010 6:34 AM
  • Howdie!
     
    On 31.08.2010 19:55, Bigjon06 wrote:
    > We have an issue where items that are set with a machine's *Local Group
    > Policy Editor* within the *Security Settings* area of *Computer
    > Configuration* list as *Not Defined* when running a RSOP on the same
    > machine. We also noticed this problem continued to exist when joined to
    > the domain environment. Case in point, if there is a setting applied via
    > the Local Group Policy, but not set via a domain GPO, when running a
    > RSOP on that machine, instead of seeing the setting and the Winning GPO
    > to be "Local Security Policy", the setting's value is listed as *Not
    > Defined.* We've verified that even though it says *Not Defined*, the
    > settings still take effect. In addition, for a non-domain joined
    > machine, when we make any change to any setting that falls within the
    > *Local Policies-Security Options*, even after a RSOP, the setting
    > doesn't display, but only shows within the *Local Group Policy Editor.*
     
    Unfortunately, this is how the system behaves. If I remember correctly,
    changes to the security settings get incorporated directly into the
    system's security database whereas domain security settings are cached
    on the client so that they can be evaluated by RSOP.
     
    Cheers,
    Florian
     

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Tuesday, August 31, 2010 6:16 PM

All replies

  • Hi,

    Do you need any other assistance? If there is anything we can do for you, please let us know.

    Thanks.


    Monday, September 6, 2010 2:15 AM
  • I know this topic is kind of old, but are there any tools that will do a cumulative report of policies that get applied from the local policy AND then the domain policy?
    Friday, January 28, 2011 6:27 PM
  • Even older now, but I am very interested in such a toolset as well, and I'm sure many others are also stumbling on this and wishing silently for an answer.
    Thursday, September 8, 2011 4:50 PM
  • +1 on something that would show the currently cumulative policy that is applied. This hidden differentiation between what is saved where is not very apparent to most!
    Monday, March 11, 2013 3:48 PM
  • +2 It's unbelievable that Microsoft cannot provide a tool to show you the actual policy being applied to a machine.
    Saturday, August 23, 2014 12:55 AM
  • > +2 It's unbelievable that Microsoft cannot provide a tool to show you the
    > actual policy being applied to a machine.
     
    secpol.msc will show you the effective security policy settings.
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Saturday, August 23, 2014 12:33 PM
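
Added example, not part of the thread and not any poster's code: a PowerShell script for the cumulative report several replies ask for. It exports the merged effective policy with `secedit /export /mergedpolicy`, then labels each `[System Access]` setting with the winning GPO recorded in the `root\rsop\computer` namespace, or as absent from RSoP, which is how locally set values appear. It assumes an elevated PowerShell 3.0 or later session and that RSoP logging data is present; the function names are illustrative.

```powershell
# Added example (not from the thread). Run elevated on the machine being audited.
function Get-EffectiveSystemAccess {
    # Export the merged (local + domain) security policy to a temporary INF file.
    $cfg = Join-Path $env:TEMP 'effective-secpol.inf'
    secedit /export /mergedpolicy /areas SECURITYPOLICY /cfg $cfg /quiet | Out-Null
    $settings = @{}
    $section  = ''
    foreach ($line in Get-Content -Path $cfg) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        # Only the [System Access] section (account and password settings) is parsed here.
        if ($section -eq 'System Access' -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $settings[$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    return $settings
}

function Get-RsopSystemAccess {
    # RSoP logging data lives in the CIM namespace root\rsop\computer;
    # precedence 1 marks the winning GPO for each setting.
    $winners = @{}
    $classes = 'RSOP_SecuritySettingNumeric', 'RSOP_SecuritySettingBoolean', 'RSOP_SecuritySettingString'
    foreach ($class in $classes) {
        Get-CimInstance -Namespace 'root\rsop\computer' -ClassName $class -ErrorAction SilentlyContinue |
            Where-Object { $_.precedence -eq 1 } |
            ForEach-Object { $winners[$_.KeyName] = $_.GPOID }
    }
    return $winners
}

function Get-CumulativeSecurityReport {
    $effective = Get-EffectiveSystemAccess
    $rsop      = Get-RsopSystemAccess
    foreach ($key in ($effective.Keys | Sort-Object)) {
        [pscustomobject]@{
            Setting = $key
            Value   = $effective[$key]
            # A setting with no RSoP record was set locally or is a system default.
            Source  = if ($rsop.ContainsKey($key)) { "GPO $($rsop[$key])" }
                      else { 'Not in RSoP (local policy or default)' }
        }
    }
}

Get-CumulativeSecurityReport | Format-Table -AutoSize
```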