Local users

In Windows, a local user is one whose username and encrypted password are stored on the computer itself. When you log in as a local user, the computer checks its own list of users and its own password file to see if you are allowed to log into the computer. The computer itself then applies all the permissions (for example, 'can use the CD-ROM', 'can install programs') and restrictions (for example, 'cannot install programs') that are assigned to you for that computer.

Note that the value in%USERDOMAIN% may not be the same as the one returned by systeminfo command.%USERDOMAIN% gives the domain name the user account belongs to, it could be different from the domain of the computer. Also, this may give you the NetBios name of the computer, not DNS/FQDN name. Alternatively, we can use WMIC to retrieve domain name.

• The User Does Not Have RSoP Data When the UAC is enabled and GPResult is used in non-elevated mode, only the user settings section of the group policies is shown. If you need both sections (USER SETTINGS and COMPUTER SETTINGS) to be displayed, the command must be running in the command prompt with the administrator privileges.
• INFO: The user 'DOMAINuser' does not have RSOP data When I run rsop.msc, I get the following error RSoP data is invalid. Likely causes are, data is corrupt, data has been deleted or data.

Save RSOP Information to an HTML File Saves resultant set of policy information to an HTML file. This script, contributed by Mike Stephens of Microsoft, requires the Group Policy Management Console. This command line tool displays the Resultant Set of Policy (RSoP) information for a target user and computer. Parameter List: /S system Specifies the remote system to connect to. /U domainuser Specifies the user context under which the command should execute. Can not be used with /X, /H.

Domain users

A domain user is one whose username and password are stored on a domain controller rather than the computer the user is logging into. When you log in as a domain user, the computer asks the domain controller what privileges are assigned to you. When the computer receives an appropriate response from the domain controller, it logs you in with the proper permissions and restrictions.

Domain users evolved in response to the challenges administrators face when managing large numbers of computers, peripherals (for example, printers, network storage), services, and users. When a network has a large population of users on various computers, it is difficult to maintain information for every user on each individual computer. The task of managing so many users is simplified by allowing each computer to validate access through a central source to see if each user can log in and use computing resources. With one centralized source of user info, network administrators have only a small set of computers on which to maintain user information.

Important considerations

When you log into your computer at Indiana University, if the 'Log on to:' field is ADS, then you are logging in as a domain user. It is important to remember that if you eventually remove your computer from the domain, you will be unable to log in because the computer will not be able to access the domain controller. If you plan to remove your computer from the domain (for example, moving your computer to an off-campus location), you must create a local user. For more, see Disable Windows ADS network settings after you leave the IU network.

RSoP, Resultant Set of Policy, and GPResult are two of those tools you absolutely have to know about if you’re using Group Policy in your environment or you’ll wish you had known about it sooner. Through the Group Policy Management Console you can see all the settings that a specific GPO will apply to machines and users in that OU but because the Active Directory is hierarchical you have to drill down into further Organizational Units in order to find if a more specific GPO might be affecting the target machines. If only we could see from the computer’s perspectives what group policies were being applied to it… We can! Using RSoP and GPResult, we can get exactly that kind of information.

RSoP

The Resultant Set of Policy MMC snap-in has a nice interface and is easily used. Just go to Start, Run and enter rsop.msc. This will flash up a quick screen with a summary of the environment it’s processing.

When the progress reaches 100%, it will pull up a report for the policies upon which the computer and the user are having applied. You can browse the list, which mirrors the Group Policy Management Console, and see which policies the machine is seeing, which might not quite match what you’ve set in the Active Directory server.

You can also use this to diagnose any errors. For example, if a software deployment isn’t coming through for some reason, you can verify that it has access to the policy and has received the command. You can also see any related errors to help your troubleshooting.

GPResult

Starting with Vista SP1, RSoP no longer shows all of the group policies that a computer might have being applied to it. Instead, Microsoft recommends that you use the command line tool GPResult.

Just open the Command Prompt and type:

Being a command line tool, it opens up the possibilities to include it in scripting. There are a large number of options you can use with GPResult to get exactly what you want. You can use it to create a nicely formatted HTML or XML report and you can also use it to run remotely on another system and as a different user (provided you know the password).

The report will look something like this:

Unable To Generate Rsop Data

From the command line help file, GPResult has these options:

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]
[/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

Description:
This command line tool displays the Resultant Set of Policy (RSoP)
information for a target user and computer.

Parameter List:
/S system Specifies the remote system to connect to.

/U [domain]user Specifies the user context under which the
command should execute.
Can not be used with /X, /H.

/P [password] Specifies the password for the given user
context. Prompts for input if omitted.
Can not be used with /X, /H.

Info The User Domain User Does Not Have Rsop Data Management System

/SCOPE scope Specifies whether the user or the
computer settings needs to be displayed.
Valid values: “USER”, “COMPUTER”.

/USER [domain]user Specifies the user name for which the
RSOP data is to be displayed.

/X <filename> Saves the report in XML format at the
location and with the file name specified
by the <filename> parameter. (valid in
Windows Vista SP1 and Windows Server 2008)

/H <filename> Saves the report in HTML format at the
location and with the file name specified by
the <filename> parameter. (valid in Windows
Vista SP1 and Windows Server 2008)

/F Forces gpresult to overwrite the file name
specified in the /X or /H command.

/R Displays RSoP summary data.

/V Specifies that verbose information should
be displayed. Verbose information provides
additional detailed settings that have
been applied with a precedence of 1.

/Z Specifies that the super-verbose
information should be displayed. Super-
verbose information provides additional
detailed settings that have been applied
with a precedence of 1 and higher. This
allows you to see if a setting was set in
multiple places. See the Group Policy
online help topic for more information.

/? Displays this help message.

Examples:
GPRESULT /R
GPRESULT /H GPReport.html
GPRESULT /USER targetusername /V
GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
GPRESULT /S system /U username /P password /SCOPE USER /V

Info The User Domain User Does Not Have Rsop Database

Are there any other tools out there that fall into that category ‘I wish I knew about that earlier‘ that you’d recommend? Let me hear them in the comments.