Recently I had a couple of issues with Resultant Set of Policy (RSOP) and enabling it to work for IT teams who were not Administrators.
One issue I had was that every time Resultant Set of Policy was run for users with delegated permissions (and on further testing “Domain Admins” too) they all received an error message stating “provider not loaded“.
This transpired to be a relatively simple fix and was nothing to do with delegated permissions.
The Resultant Set of Policy service had been disabled on all domain controllers and to resolve this issue I enabled the Resultant Set of Policy service on all the domain controllers.
The other issue I had was “Access Denied” when selecting the Domain Controller to run the Resultant Set of Policy against, when in planning mode for users with delegated RSOP rights – Administrators functioned correctly.
After some research I discovered Resultant Set of Policy in Planning mode needs some additional DCOM permissions set in order for it to work remotely when not an Administrator.
To enable delegated groups to run Resultant Set of Policy in Planning mode remotely, DCOM permissions on all Domain Controllers need to be amended, this group policy setting needs to be configured and applied to all domain controllers.
DCOM: Machine launch restrictions in Security Descriptor Definition Language (SDDL) syntax
By default the Everyone group only had the permission to execute and activate DCOM locally, where as Domain Admins had local and remote execute and activate permissions.
By adding the group that had the delegation RSOP permissions set and adding to their default permissions the “Remote Activation” right resolved the issue and Resultant Set of Policy (Planning Mode) now functioned remotely for the teams that needed the functionality but are not administrators.