RSOP Result not showing Account Policies on one of my DCs

MS Lee 61 Reputation points
2020-11-24T05:37:03.583+00:00

Hi All,

I have recently setup two DCs on my test lab. I have configured settings on Account Policies (Password Policy/Account Lockout Policy/Kerberos Policy) on the Default Domain Policy (at the domain level).

I have done a RSOP on both of my DCs to ensure the settings are applied correctly. However, I noticed the RSOP on one of my DC shows 'Not Defined" for the settings that I have configured. Such as, 'Not Defined" for Enforce Password History. It is showing as "10 passwords remembered" on the RSOP result of another DC.

Can anyone advise me on what is going on? Thank you.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,808 questions
{count} votes

Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-11-24T06:50:33.193+00:00

    Hello,

    Thank you so much for posting here.

    RSOP.msc is graphical tool while gpresult is command line tool.

    Starting with Windows Vista SP1, the Resultant Set of Policies (RSoP) report does not show all Microsoft Group Policy settings (It is no longer updated and has no idea about a great number of policies).

    To see the full set of policy settings applied for a computer/user, it is suggested to use gpresult instead. To check the computer configuration, we could run
    gpresult /h C:\report.html.

    Besides, when checking with gpresult, some settings were only showing on the PDC emulator. The settings that are hid on non-PDC domain controllers are:

    Account Policies/Password Policy
    Account Policies/Account Lockout Policy

    In my environment, I could see the above settings on the gpresult report on PDC, while the settings are not showing on other DC. For example:

    42082-1.png

    42034-2.png

    Some discussions are here: https://social.technet.microsoft.com/Forums/en-US/460e746f-9058-4de6-9638-21bcc7d0ed7d/gpresults-and-rsop-do-not-show-applied-gpo-settings-on-one-of-my-dcs?forum=winserverGP

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. MS Lee 61 Reputation points
    2020-11-27T02:09:08.233+00:00

    Hi Hannah,

    Thanks. I have tried the same on my environment and the rsop result are showing up on the DC that is holding PDC Role.

    However, may I know whether this is being documented by Microsoft? I am trying to search for proper document to show that this is the correct behaviour but in vain.

    0 comments No comments

  2. Hannah Xiong 6,231 Reputation points
    2020-11-27T05:35:44.75+00:00

    Hi @MS Lee ,

    You are welcome. Thank you so much for your feedback.

    According to the below official document, "the RSoP Microsoft Management Console (MMC) provides an alternative way to display this information, although Group Policy Results is generally the preferred method."

    Reference: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789183(v=ws.11)

    Another reference about the discussion of this issue: https://social.technet.microsoft.com/Forums/ie/en-US/49ac4eea-45bc-4ca7-8a3d-897ce3c741e9/different-results-in-rsopmsc-and-gpresult?forum=winserverGP

    So in order to see the full set of policy settings applied for computer/user, it is suggested to use gpresult instead.

    Hope the information could be helpful. Thank you so much for your support.

    Best regards,
    Hannah Xiong

    0 comments No comments