GPResult is a command-line utility for determining the resultant set of policy for a given user and/or computer. In other words, it shows you what Group Policy Objects have been applied and their settings. This is typically one of the first tools I go to when troubleshooting Group Policy from a client once basic connectivity has been confirmed (e.g. Network/DNS). The tool itself is very simple to use and I will run through some common examples below.
List GPOs Applied with Summary Data
Gpresult /r
/r Displays RSOP summary data
This is pretty useful when you simply want to see what GPOs have applied and in what order. It will also display summary data, such as last time group policy was applied, which Domain Controller it was applied from, the site, security groups and if the slow link threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way of checking.
Here we see that 4 GPOs have applied to the Computer settings portion.
Image may be NSFW.
Clik here to view.
If you don’t want to view both Computer and Users settings in the output you can request one or the other with the /scope flag.
gpresult /r /scope:user
gpresult /r /scope:computer
The output reads fairly well from within the command prompt, but if you need to export the output you could use either of the following.
Gpresult /r > gpresult.txt Export output to a text file
Gpresult /r |clip Export output to Windows clipboard
I can’t see the Computer Settings?
If UAC is enabled, running GPResult without elevating the command prompt will only show you the user settings. If you want to see both user and computer settings, elevate the command prompt by either tapping the winkey+cmd then ctrl+shift+enter or right click on the command prompt and select run as administrator. If you elevate with an admin account different to the currently logged in user (common if the user does not have administrator rights), then you will receive an error message stating INFO: The user “domain\user” does not have RSOP data. This is because GPResult is using the elevated user’s context. To work around this, specify the standard user that you are troubleshooting.
gpresult /r /user:sa\edward.thomas
Image may be NSFW.
Clik here to view.
Generate HTML Report
Gpresult /h report.html /f
Gpresult /h report.html /user:sa\edward.thomas /f
/h Saves the report in HTML format
/f Forces GPresult to overwrite the file name specified with /h
/user Specifies the user name for which the RSOP data is to be displayed
To get a more graphical view of what’s going on, you can generate a HTML report. This gives a detailed break down of each setting and the GPO from which it came. This view is particularly nice as you can show all and use ctrl+f to find a particular policy or setting.
Image may be NSFW.
Clik here to view.
Run GPResult on Remote Computer
Gpresult /s server1 /r
/s Specifies the remote system to connect to
This allows you to run GPResult on a remote system, all of the above applies.
Image may be NSFW.
Clik here to view.
The following GPOs were not applied because they were filtered out
Image may be NSFW.
Clik here to view.
You may see this for a few reasons. The first that the policy is empty in which case you’ll see Filtering: Not Applied (Empty), this is fairly self explanatory. The second is Filtering: Denied (Security), which typically boils down to the “Apply Group Policy” permission on the GPO. You may also see Filtering: Denied (Unknown Reason) which is similar to (Security) in that the “Read” permissions has been denied.
To review the last two examples, launch the GPMC (Group Policy Management Console). Find the offending GPO, and select Delegation- from there you may see an additional group or a single user or machine that has been added.
Image may be NSFW.
Clik here to view.
Click on advanced and review the permissions against the object. In this case you can see that the Seven computer object has been denied Apply Group Policy resulting in the Filtering: Denied (Security) message.
Image may be NSFW.
Clik here to view.
If in doubt, select Advanced -> Effective Access and enter the required computer or user object. If you scroll down to around halfway you’ll see the Apply Group Policy permission with either a green tick of a red cross against it. If deny read has been granted every permission will have a red cross next to it.
Image may be NSFW.
Clik here to view.
I hope this gives you the basics behind GPResult and some good real world example to aid in your Group Policy troubleshooting.
The post Group Policy – GPResult Examples appeared first on The Sysadmins.