Using GPResult Command to Check Group Policy

If you’ve worked with Group Policy within Active Directory for more than a day, chances are you’ve needed to know what group policy objects were actually being applied to a machine.

I say “actually” because what is meant to be applied and what gets applied are sometimes two different things. When you throw in overlapping policies, nested OUs, permissions, group policy order, etc… you can often get unexpected results.

This is precisely why Microsoft created tools like GPResult and RSoP, so that you can take an accurate reading of what group policy objects (GPOs) and group policy settings are being applied.

Related: Using RSoP to Check & Troubleshoot Group Policy Settings

 

How to Use the GPResult Command

GPResult is a command line tool that has shipped with Windows since at least Windows Server 2008 and Windows 7. You can run it in either Command Prompt or PowerShell.

To see all the possible command line switches that you can use enter the command:

gpresult /?

Let’s step through a few gpresult examples from the most common use cases.

 

Show RSoP Summary to View Applied Group Policy Objects

To output the summary data about what Group Policy Objects have (and have not) been applied to your user or computer use the following commands:

gpresult /R

This command will give you a snapshot of the most important data when troubleshooting group policy such as applied group policy objects for both the computer and user accounts, OU info, security groups, domain controllers serving the policies, last time policy was applied, etc…

A typical output for the above command looks like this:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
© 2017 Microsoft Corporation. All rights reserved.

Created on ‎9/‎18/‎2018 at 9:45:56 AM

RSOP data for npgdom\rsanchez on COMPUTER1 : Logging Mode
----------------------------------------------------------
OS Configuration:            Member Workstation
OS Version:                  10.0.16299
Site Name:                   Lab
Roaming Profile:             N/A
Local Profile:               C:\Users\rsanchez
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=COMPUTER1,OU=Workstations,DC=ad,DC=npgdom,DC=com
    Last time Group Policy was applied: 9/18/2018 at 9:30:27 AM
    Group Policy was applied from:      DOMCON1.ad.npgdom.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        ad.npgdom.com
    Domain Type:                        Windows 2012 or later

    Applied Group Policy Objects
    -----------------------------
        Standard Workstation
        NPGDOM Domain Security

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Screen Saver Disabled
            Filtering:  Denied (WMI Filter)
            WMI Filter: Screen Saver Disable (Windows 7-10)

        Local Group Policy
            Filtering:  Not Applied (Unknown Reason)

        Delayed Timeout (10)
            Filtering:  Disabled (Link)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        COMPUTER1$
        Wireless LAN Computers
        Domain Computers
        System Mandatory Level

Like I mentioned earlier this command can be used to pull a command prompt or PowerShell group policy report.

 

View Group Policy Summary for only Computer or User

If you want to narrow down the down scope of the output from the first command I showed you all you need to do is append it with /scope:user or /scope:computer for whichever account type you’re after.

Example:

gpresult /R /scope:computer

or

gpresult /R /scope:user

 

Show Group Policy Summary for Specific User

If you want to see the group policy information for a specific user on a specific machine you can use the /user switch. Keep in mind, you must know the user’s credentials for this to work.

gpresult /USER rsanchez /P Us3rsP@ssword!

If you do not know the user’s password you’ll want to make use of the Group Policy Results Wizard within the Group Policy Management Console which will allow you to generate a summary report from any computer and user within your domain.

 

Show GPResult Remote Computer

Another useful trick is to use GPResult to pull the RSoP information from a remote computer. To do that we’ll use the /s switch.

gpresult /R /S remotecomputername

You can also use PSExec from Microsoft PSTools to open a remote command line and just use the regular gpresult command.

 

Export GPResult to HTML

If you want a more readable output of your GPO summary data then you can use the /H switch to export group policy results to HTML. When you view the HTML file it will be formatted similarly to the GPMC so it should be easy for you to navigate.

gpresult /R /H c:\temp\gpresultoutput.html

You can also swap out the /H for /X if you prefer an XML output. This could be handy if you have a remote monitoring tool that can watch an XML file for changes. You can set up a task to periodically dump gpresult on a high priority machine to XML and then monitor that file for any changes and alert you if it finds anything.

Export GPResult to Text File

Similar to above, you can also dump your GPResults to a text file using the following command:

gpresult /R >c:\temp\gpresultoutput.txt

Dumping the results to a text file can be particularly helpful when you’re using the /V command for verbose output and want to be able to search the output using something like CTRL+F within notepad or notepad++.

I cannot stress how useful GPResult and RSoP.msc are for troubleshooting group policy. Someday it will pay for you to be familiar with these commands. I highly recommend playing around with them and committing them to memory. Good luck!

Recommended for You: Solarwinds Server & Application Monitor (SAM)

Know which applications are having issues in your environment before users complain? Know which systems are causing those problems? How about which servers are about to have problems like running out of space or memory?

Automate collection of data and alerting on your applications and servers with Solarwinds Server & Application Monitor so you have these answers.

Get insight into Active Directory, DNS, DHCP, and your Virtual environment without needing to mess with complex templates or knowing a single line of code.

Leave a Reply

Your email address will not be published. Required fields are marked *