I was double-checking some security settings on one of our systems. I could trace back everything to group membership and Group Policy, except for one thing. There was a ‘SeImpersonatePrivilege’ in a user token (verified via Process Explorer) yet it was nowhere to be found.
Normally this is the sort of thing you’d find via GPRESULT except that, too, came up blank. Impersonation was not configured. I decided to manually check the Local Security Policy and there it was.
As it turns out, RSOP gathers policy data from a Common Information Model Object Management (CIMOM) database on the local computer. Local Group Policy is not stored in this database and cannot be queried by RSOP. Gpedit.msc and secpol.msc just edit system settings directly.
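One way to spot this kind of gap, as an added example that is not from the original post: compare what RSoP has recorded for a user right with what `secedit /export` reports from the system's current security settings. It assumes an elevated PowerShell session and that the RSoP data is exposed through the `RSOP_UserPrivilegeRight` class in `root\rsop\computer`; the helper `Resolve-ToSid` and the temp file name are made up for illustration.

```powershell
# Added example: which holders of a user right are unknown to RSoP/GPRESULT?
$right = 'SeImpersonatePrivilege'

# Normalise an entry ("*S-1-5-32-544" or "BUILTIN\Administrators") to a SID string.
function Resolve-ToSid([string]$entry) {
    $e = $entry.Trim()
    if ($e -match '^\*?S-1-') { return $e.TrimStart('*') }
    try {
        ([System.Security.Principal.NTAccount]$e).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $e }   # unresolvable name: keep as written
}

# 1. What RSoP recorded from applied GPOs (empty if no GPO sets the right).
$rsop = Get-CimInstance -Namespace 'root\rsop\computer' `
            -ClassName RSOP_UserPrivilegeRight `
            -Filter "UserRight='$right'" -ErrorAction SilentlyContinue
$gpoSids = @($rsop | Where-Object { $_.precedence -eq 1 } |
             ForEach-Object { $_.AccountList } |
             ForEach-Object { Resolve-ToSid $_ })

# 2. What the system is actually configured with, local policy included.
$inf = Join-Path $env:TEMP "user_rights_$PID.inf"
secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match "^$right\s*=" } |
        Select-Object -First 1
Remove-Item $inf -Force

$effective = @()
if ($line) {
    $effective = @(($line -split '=', 2)[1] -split ',' |
                   ForEach-Object { Resolve-ToSid $_ })
}

# 3. Report every holder and whether RSoP knows about it.
foreach ($sid in $effective) {
    $name = try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $sid }
    [pscustomobject]@{
        Right   = $right
        Account = $name
        Sid     = $sid
        InRsop  = $gpoSids -contains $sid   # False => not set by any GPO
    }
}
```

Rows with `InRsop` set to `False` are assignments that GPRESULT will not show, such as the one described above.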