Enabled Options - RSoP (Windows only)

The Resultant Set of Policy (RSoP) feature identifies the Group Policy Objects (GPOs) in effect on Windows nodes. This feature can be enabled as a scan option for a selected node group. In Cloudhouse Guardian (Guardian), RSoP is treated as a scan item within the Enabled Options category that can generate policies, compare differences, identify governance inconsistencies, and integrate information with additional platforms. This topic describes how you can add RSoP to a node group's scan options. For more information on the other scan options available to configure, see Scan Options.

Warning: The Enabled Options category is only displayed for top-level Windows/Linux groups.

Add RSoP via Scan Options

On the Scan Options page in the Monitored tab (Inventory > Monitored), you can select different categories in order to customize the scans of your node groups. Each category specifies a particular area of interest that is always checked when a node group is scanned. Here, you can edit the Enabled Options category to configure which sections of your node group you want to be scanned, including RSoP.

Note: Alternatively, you can edit the Enabled Options category or add other scan options directly within the node group settings page. For more information, see Edit Node Group.

To add RSoP to a node group's scan options, complete the following steps:

  1. In the Guardian web application, navigate to the Monitored tab. By default, all currently monitored nodes are displayed within the 'All Nodes' node group.

    Note: If you want to display the list of monitored nodes contained within a different node group, select a node group from the Node Groups drop-down menu.

  2. Select the node you want to edit from the list of monitored nodes. The node scan results page is displayed.

  3. Click the Edit drop-down and select Scan Options. The Scan Options page is displayed.

  4. Select the node group you want to add RSoP to from the list of Node Groups.

    Warning: By default, the 'All Nodes' node group is displayed. However, scan options on the 'All Nodes' node group are not available to edit. Select a different node group to edit the corresponding scan options.

  5. Select Enabled Options from the list of Categories. The node sections to be scanned are displayed.

  6. Select 'Yes' from the RSoP drop-down list to add RSoP to your scan preferences.

    Note: Optionally, next to the RSoP drop-down list, you can set a priority number from 1 to 1000 in the field provided, '1' being the highest priority. If a scan option does not have a priority value set, it defaults to '1000'. For more information on how you can set a custom priority for a file scan option, see Custom Order of Precedence.

  7. Once complete, click the Save button to add the RSoP section to your node group's scan options.

Once you add or edit an item from the Categories section, the scan options are saved and applied to the selected node group the next time the nodes are scanned. RSoP results are then displayed in the scan results page where you can generate policies, compare differences, identify governance inconsistencies, and integrate information with additional platforms. For more information on how you can analyze results and configure the output to access the data you require, see Node Scan Results.

Troubleshooting

If you are experiencing issues with adding RSoP to your node group's scan options, try the following:

  • If you can’t see the RSoP section in the scan results page or if the section is empty, check the Connection Manager or agent logs at C:\Program Files\Guardian\logs.

    • If the warning 'The user [...] does not have RSoP data' is displayed, the user account that the Agent or service is running under doesn't have access to any valid RSoP data to generate valid results.

    • You can change the user the Guardian service runs under by right-clicking the Guardian service in the Services window, selecting Properties, and altering the user the service is run as.

  • If the warning message 'Cannot find path C:\Windows\Temp...\RSOPReport because it does not exist.' is displayed after a scan, the user that the Guardian service is being run under doesn't have access to enough RSoP data to generate a valid report.

    Note: Windows Agent version 4.21.0 onwards replaces this error message with an empty RSoP section in the resulting scan and a warning message indicating that the particular user doesn’t have access to RSoP data.
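
The troubleshooting checks above can be scripted. The following PowerShell is an added example, not part of the Cloudhouse documentation or product: it searches the log directory for the two warnings quoted above and reports, for each matching service, the account it runs as and whether Windows holds logged user RSoP data for that account. Assumptions: the service display name contains "Guardian", and the WMI namespace check is an independent indicator rather than the Agent's own test.

```powershell
# Added example, not Cloudhouse code. Run in an elevated PowerShell session on the node.
$LogDir        = 'C:\Program Files\Guardian\logs'  # log location given on this page
$ServiceFilter = '*Guardian*'                      # assumption: display name contains "Guardian"
$Patterns      = @(                                # the two warnings quoted above, as regexes
    'does not have RSoP data',
    'Cannot find path .*RSOPReport because it does not exist'
)

function Find-RsopWarning {
    param([string]$Path, [string[]]$Pattern)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Log directory not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -File -Recurse |
        Select-String -Pattern $Pattern |
        Select-Object Path, LineNumber, Line
}

function Test-RsopUserData {
    # Windows keeps logged user RSoP data in WMI under root\rsop\user\<SID with underscores>.
    param([string]$Account)
    $name = $Account -replace '^\.\\', "$env:COMPUTERNAME\"
    if ($name -eq 'LocalSystem') { $name = 'NT AUTHORITY\SYSTEM' }
    try {
        $sid = ([System.Security.Principal.NTAccount]$name).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        Write-Warning "Cannot resolve account '$Account' to a SID"
        return $false
    }
    $ns = Get-CimInstance -Namespace 'root\rsop\user' -ClassName __NAMESPACE -ErrorAction SilentlyContinue
    return (@($ns.Name) -contains ($sid -replace '-', '_'))
}

# 1. Log lines that contain either warning.
Find-RsopWarning -Path $LogDir -Pattern $Patterns | Format-List

# 2. Account each matching service runs as, and whether that account has RSoP data.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.DisplayName -like $ServiceFilter } |
    ForEach-Object {
        [pscustomobject]@{
            Service     = $_.Name
            RunsAs      = $_.StartName
            HasRsopData = Test-RsopUserData -Account $_.StartName
        }
    }
```

A service account that shows `HasRsopData = False` alongside a matching log line is consistent with the first warning above.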