Troubleshoot

Resultant Set of Policy

Privilege Management for Windows provides full support for Resultant Set of Policy (RSoP). RSoP is usually accessed through the Group Policy Management Console (GPMC).

The GPMC supports two modes of operation for RSoP:

  • Group Policy Modeling (RSoP planning mode)
  • Group Policy Results (RSoP logging mode)

RSoP can be used to establish which policy applies to a particular user or computer to aid troubleshooting. Detailed HTML reports are generated, which may also be exported to aid policy documentation.

Group Policy Modeling

To run a Group Policy Modeling query (RSoP planning), perform the following steps from the GPMC:

  1. Double-click the forest in which you want to create a Group Policy Modeling query.
  2. Right-click Group Policy Modeling and click Group Policy Modeling wizard.
  3. In the Group Policy Modeling wizard, click Next and enter the appropriate information.
  4. After completing the wizard, click Finish.
  5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the Resultant Set of Policy window.
  6. Select the Privilege Management Settings node under the Computer Configuration node or the User Configuration node to view the RSoP HTML report for Privilege Management for Windows.

Privilege Management also appears in the Summary tab of the Group Policy Modeling node. Expand the Component Status section of the HTML report to find out whether RSoP data has been collected for Privilege Management for Windows.

Privilege Management does not appear in the Settings tab of the Group Policy Modeling node, as third-party Group Policy extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view Privilege Management for Windows Workstyles for an RSoP query.

Group Policy Results

To run a Group Policy Results query (RSoP logging), perform the following steps from the GPMC:

  1. Double-click the forest in which you want to create a Group Policy Results query.
  2. Right-click Group Policy Results and click Group Policy Results wizard.
  3. In the Group Policy Results wizard, click Next and enter the appropriate information.
  4. After completing the wizard, click Finish.
  5. Right-click the node for the completed query in the console tree, and click Advanced View to launch the Resultant Set of Policy window.
  6. Select the Privilege Management Settings node under the Computer Configuration node or the User Configuration node to view the RSoP HTML report for Privilege Management for Windows.

Privilege Management also appears in the Summary tab of the Group Policy Results node. Expand the Component Status section of the HTML report to find out whether RSoP data has been collected for Privilege Management for Windows.

Privilege Management does not appear in the Settings tab of the Group Policy Results node, as third-party Group Policy extensions are not detailed in this HTML report. You must use the Advanced View, as outlined above, to view Privilege Management for Windows Workstyles for an RSoP query.

Check Privilege Management for Windows is Installed and Functioning

If you are having problems, the first step is to check that the client is installed and functioning.

  • Privilege Management: The UI of Privilege Management for Windows on the toolbar for messages and end user interaction
  • defendpointd: The Privilege Management for Windows daemon that manages interaction with Privilege Management for Windows
  • dppolicyserverd: Manages policy and communicates with defendpointd
  • Custodian: Manages authentication as required by Privilege Management for Windows

The easiest way to determine whether the client is installed and functioning is to check for the existence of the BeyondTrust Privilege Management Service in the Services Privilege Management Policy Editor. Ensure this service is both present and started. The service is installed by Privilege Management for Windows and should start automatically.

The Privilege Management for Windows service requires MSXML6 in order to load the Privilege Management for Windows settings, but the service still runs even if MSXML6 is not present.

Windows 7 and Windows Server 2008 R2 already include MSXML6.

Check Settings are Deployed

Assuming Privilege Management for Windows is installed and functioning, the next step is to check that you deployed settings to the computer or user.

You can use RSoP logging mode to determine whether the computer has received settings. Assuming the RSoP query shows that Privilege Management for Windows settings are applied, you should check the contents of the settings (including licensing and Workstyle precedence).
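The two checks above (service present and started, MSXML6 available) and the RSoP logging query can be run from one PowerShell session. This is an added helper, not BeyondTrust code; it assumes the service is found by the display name quoted above, that MSXML6 is detected by msxml6.dll in System32, and that the GroupPolicy RSAT module is available for Get-GPResultantSetOfPolicy (gpresult.exe is used otherwise):

```powershell
# Added troubleshooting helper; not part of the product or its documentation.
# Assumptions: service matched by display name; MSXML6 detected via msxml6.dll;
# RSoP report produced by the GroupPolicy module or, failing that, gpresult.exe.
# Run from an elevated, domain-joined session so RSoP logging data is available.
function Test-PMfWClient {
    [CmdletBinding()]
    param(
        [string]$ServiceDisplayName = 'BeyondTrust Privilege Management Service',  # assumed display name
        [string]$ReportPath = (Join-Path $env:TEMP 'pmfw-rsop.html')
    )

    $result = [ordered]@{}

    # 1. Is the service present, and has it started?
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction SilentlyContinue
    $result.ServicePresent = [bool]$svc
    $result.ServiceRunning = ($svc -and $svc.Status -eq 'Running')

    # 2. Is MSXML6 available? The service runs without it but cannot load settings.
    $msxml = Join-Path $env:SystemRoot 'System32\msxml6.dll'
    $result.Msxml6Present = Test-Path $msxml

    # 3. RSoP logging mode for the local computer and current user, as an HTML report.
    if (Get-Command Get-GPResultantSetOfPolicy -ErrorAction SilentlyContinue) {
        Get-GPResultantSetOfPolicy -ReportType Html -Path $ReportPath | Out-Null
    } else {
        & gpresult.exe /h $ReportPath /f | Out-Null
    }
    $report = Get-Content -Path $ReportPath -Raw

    # 4. Does the report (Component Status section) record the Privilege Management extension?
    $result.RsopMentionsPM = [bool]($report -match 'Privilege Management')
    $result.ReportPath     = $ReportPath

    [pscustomobject]$result
}

Test-PMfWClient | Format-List
```

If RsopMentionsPM is false while the service is running, the settings have not reached this computer or user and GPO scope or filtering should be checked before looking at licensing or Workstyle precedence.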

Check Privilege Management for Windows is Licensed

One of the most common reasons for Privilege Management for Windows not functioning is the omission of a valid license from the Privilege Management for Windows settings. If you are creating multiple GPOs, then you must ensure the computer or user receives at least one GPO that contains a valid license. To avoid problems, it is simpler to add a valid license to every set of Privilege Management for Windows settings that you create.

Check Workstyle Precedence

Assuming Privilege Management for Windows is functioning and licensed, most other problems are caused by configuration problems or Workstyle precedence problems.

Once an application matches an Application Group entry in the Application Rules or the On-Demand Application Rules, processing does not continue for that application. Therefore, it is vital you order your entries correctly:

  • If you create multiple Workstyles, Workstyles higher in the list have a higher precedence.
  • If you have multiple rules in the Application Rules and the On-Demand Application Rules sections of a Workstyle, entries higher in the list have a higher precedence.

Application Rules are applied to applications that are launched either directly by the user or by a running process. On-Demand Application Rules are only applied to applications that are launched from the Privilege Management for Windows shell menu (if enabled).

If you have multiple GPOs applying to a user and/or computer, you should ensure GPO precedence rules are not causing the problem. If multiple GPOs are applied to a computer or user, Privilege Management for Windows merges the computer GPOs and user GPOs by following Group Policy precedence rules. Once merged, the user Workstyles take precedence over the computer Workstyles. In other words, the computer Workstyles are only processed if an application does not match an entry in the user Workstyles.

For this reason, we strongly recommend that you do not create over-complex rules that rely on the merging of many GPOs, as this can become difficult to troubleshoot. If, however, it makes sense to split rules over multiple GPOs, you should make use of RSoP to ensure Workstyles are combined correctly. You must also remember that computer and user Workstyles are processed separately, with user Workstyles always processed ahead of computer Workstyles, if both exist.
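The precedence model described above (user Workstyles before computer Workstyles, top of each list first, first match ends processing) can be simulated to see why ordering mistakes are hard to spot. This is an added, deliberately simplified model and not BeyondTrust code; Resolve-PMfWRule, the sample Workstyles and the file-name matching are all constructed for the example:

```powershell
# Added illustration of the precedence model; not product code. Simplified:
# Workstyles are ordered lists, a rule matches on the executable's file name.
function Resolve-PMfWRule {
    param(
        [array]$UserWorkstyles,      # highest precedence first, as ordered in the policy
        [array]$ComputerWorkstyles,  # only consulted if no user Workstyle matched
        [string]$Executable
    )
    # Merged order: every user Workstyle ahead of every computer Workstyle.
    foreach ($ws in @($UserWorkstyles) + @($ComputerWorkstyles)) {
        foreach ($rule in $ws.ApplicationRules) {   # top of the list = higher precedence
            if ($Executable -like $rule.Match) {
                # First match ends processing for this application.
                return [pscustomobject]@{ Workstyle = $ws.Name; Rule = $rule.Match; Action = $rule.Action }
            }
        }
    }
    return $null   # no rule matched: default behaviour applies
}

# Constructed sample policy. The broad '*.exe' rule sits ABOVE the specific setup.exe
# rule, so the specific rule is unreachable: the ordering mistake the text warns about.
$userWs = @(
    [pscustomobject]@{ Name = 'Users - Standard'; ApplicationRules = @(
        [pscustomobject]@{ Match = '*.exe';     Action = 'Block' },
        [pscustomobject]@{ Match = 'setup.exe'; Action = 'Elevate' }
    )}
)
$computerWs = @(
    [pscustomobject]@{ Name = 'Computer - Admin tools'; ApplicationRules = @(
        [pscustomobject]@{ Match = 'setup.exe'; Action = 'Elevate' }
    )}
)

Resolve-PMfWRule -UserWorkstyles $userWs -ComputerWorkstyles $computerWs -Executable 'setup.exe'
```

For setup.exe the result is the user Workstyle's '*.exe' Block rule; the Elevate rule below it and the computer Workstyle's Elevate rule are never evaluated, which is exactly what an RSoP Advanced View of the merged Workstyles would let you confirm.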