Group Policy Diagnostics with GPResult Command
GPResult.exe – is a console application designed to analyze settings and diagnose group policies that apply to a computer and/or user in an Active Directory domain. Specifically, GPResult provides the resulting set of policies (RSOP), a list of applied domain policies (GPOs), their settings, and detailed information about processing errors. The utility has been part of the Windows operating system since Windows XP. The GPResult utility let you know whether a particular policy applies to a computer, which GPO has changed a particular Windows setting, and why it takes so long for GPP/GPO to apply, even if you’ve run gpupdate /force.
In this article, we will look at how you can use the GPResult command to troubleshoot and debug the application of Group Policy in an Active Directory domain.
- Resultant Set of Policies (RSOP)
- How to Use GPResult Utility
- How to Get RSOP HTML Report via GPResult
- How to Get GPResult Data From a Remote Computer
- How to Get RSOP Data for a Certain User
- Possible Reasons for GPOs to not Apply
Resultant Set of Policies (RSOP)
Initially, the RSOP.msc graphical console was used to diagnose the application of group policies in Windows, which allowed the resulting policy settings (domain + local) to be applied to the computer and the user in a graphical interface similar to the GPO editor console.
However, the RSOP.msc console does not make sense in modern versions of Windows, as it does not reflect the settings applied by various client side extensions (CSEs), such as GPP (Group Policy Preferences). Also, it does not allow searching, and provides little diagnostic information. Therefore, the GPResult command that is the primary tool for troubleshooting GPOs in Windows. Moreover, in Windows 10, there is even a warning that RSOP does not provide a full report as opposed to GPResult.
How to Use GPResult Utility
In order to check for group policy enforcement the GPResult command have to be run on the computer where you want to check for it. The GPResult command has the following syntax:
GPRESULT [/S <system> [/U <user> [/P <password> ]]] [/SCOPE ] [/USER <enduser> ] [/R | /V | /Z] [(/X | /H) <filename> [/F]]
To learn more about Group Policies that apply to the following AD object (user and computer) and other settings related to the GPO infrastructure (i.e. the resulting GPO policy settings – RsoP), run the command:
The results of the command execution are divided into 2 sections:
- COMPUTER SETTINGS – this section contains information about GPO operating on the computer
- USER SETTINGS – user policies (policies that apply to the user account in AD)
Let’s briefly run through the main settings/partitions that may be useful in GPResult output:
- Site Name – the name of the AD site where the computer is located;
- CN – full canonical user/computer name for which RSoP data were generated;
- Last time Group Policy was applied – the time when Group Policy was last applied;
- Group Policy was applied from – the domain controller from which the latest version of the GPO was downloaded;
- Domain Name and Domain Type – the name and version of the Active Directory domain schema;
- Applied Group Policy Objects – lists of active Group Policy Objects;
- The following GPOs were not applied because they were filtered out – not applied, filtered GPOs;
- The user/computer is a part of the following security groups – domain groups that the user belongs to.
In our example, you can see that there are 3 Group Policies that apply to the user object.
- Default Domain Policy;
- Drive Mapping;
- Outlook Coding;
If you do not want the console to display both user and computer policies at the same time, you can use the /scope option to display only the needed section. For example here is the command for user settings:
gpresult /r /scope:user
And here is for the computer policies:
gpresult /r /scope:computer
Since the Gpresult utility outputs its data directly to the command line console, which is not always convenient for further analysis, its output can be redirected to the clipboard:
Gpresult /r |clip
or a text file:
Gpresult /r > c:\gpresult.txt
To output RSOP super detailed information, you need to add the /z key:
Gpresult /r /z
How to Get RSOP HTML Report via GPResult
In addition, the GPResult utility can generate an HTML report on the applied resulting policies (available in Windows 7 and above). This report will contain detailed information about all system settings that are set by Group Policies. The resulting report is structured like the Settings tab in the Domain Group Policy Management Console (GPMC). You can generate a GPResult HTML report using the following command:
GPResult /h c:\temp\GPreport.html /f
To generate a report and then automatically open it in your browser, follow the command:
GPResult /h GPReport.html & GPReport.html
The gpresult HTML report contains quite a lot of useful information:
- GPO’s application errors
- Processing time in ms
- Application of specific policies and CSE (that are located in Computer Details ⇒ Component Status)
As you can see, this HTML report is much more useful for analyzing the policies than the rsop.msc console.
How to Get GPResult Data from a Remote Computer
GPResult can also collect data from a remote computer, eliminating the need for the administrator to log on to the remote computer locally or via RDP. The syntax of the command to collect RSOP data from the remote computer is the following:
GPResult /s servername /r
Similarly, you can remotely collect data by both user and computer policies.
How to Get RSOP Data for a Certain User
When UAC is enabled, running GPResult without elevated privileges displays only the user’s group policy settings. If you want to display both settings at the same time (User and computer settings), you need to run the command with administrative privileges. If the cmd.exe with elevated privileges is run on an account that differs from the current system user, the utility will generate an INFO warning: The user “domain\user” does not have RSOP data. This happens because GPResult is trying to collect information for the user who started it, but because the user has not logged on, there is no RSOP information for him. To collect RSOP information for a user with an active session, you need to specify their account:
gpresult /r /user:domain\username
If you do not know the name of an account that is logged on to a remote computer, the account can be obtained this way:
Also check the time (and time zone) on the client. The time must correspond to the time on the PDC (Primary Domain Controller).
Possible Reasons for GPOs to not Apply
While troubleshooting group policies, you should also take a look at the section: “The following GPOs were not applied because they were filtered out“. This section displays a list of GPOs do not apply to this object. Policy may not apply due to following options:
- Filtering: Not Applied (Empty) – the policy is empty (there’s nothing to apply);
- Filtering: Denied (Unknown Reason) – It is likely that the user or computer does not have permission to read/apply this policy. Permissions can be configured in the Security tab in the Group Policy Management Console (GPMC);
- Filtering: Denied (Security) – the “Apply Group Policy” section has an explicit deny permission, or the AD object is not listed in the Security Filtering section of the GPO settings.
You can also understand whether the policy should apply or not to a specific AD object on the Advanced ⇒ Effective Access tab.
So, these are all options for the Group Policies diagnostic features using the GPResult utility.