Group Policy Diagnostics with GPResult Command

GPResult.exe is a console utility for analyzing and diagnosing the Group Policy settings that apply to a computer and/or user in an Active Directory domain. Specifically, GPResult reports the Resultant Set of Policy (RSoP): the list of applied domain Group Policy Objects (GPOs), their settings, and detailed information about processing errors. The utility has been part of Windows since Windows XP. GPResult lets you find out whether a particular policy applies to a computer, which GPO changed a particular Windows setting, and why a GPO/GPP takes so long to apply even after you have run gpupdate /force.

In this article, we will look at how you can use the GPResult command to troubleshoot and debug the application of Group Policy in an Active Directory domain.

Contents

  • Resultant Set of Policies (RSOP)
  • How to Use GPResult Utility
  • How to Get RSOP HTML Report via GPResult
  • How to Get GPResult Data From a Remote Computer
  • How to Get RSOP Data for a Certain User
  • Possible Reasons for GPOs to not Apply


Resultant Set of Policies (RSOP)

Initially, the RSOP.msc graphical console was used to diagnose Group Policy application in Windows; it shows the resulting policy settings (domain + local) applied to the computer and the user in a graphical interface similar to the GPO editor console.

Resultant Set of Policies (RSOP)

However, the RSOP.msc console is of little use in modern versions of Windows, as it does not reflect settings applied by various client-side extensions (CSEs), such as GPP (Group Policy Preferences). It also does not allow searching and provides little diagnostic information. Therefore, the GPResult command is the primary tool for troubleshooting GPOs in Windows. Moreover, Windows 10 even displays a warning that RSOP does not provide a full report, unlike GPResult.

How to Use GPResult Utility

To check Group Policy enforcement, the GPResult command has to be run on the computer you want to check. The GPResult command has the following syntax:

GPRESULT [/S <system> [/U <user> [/P [<password>]]]] [/SCOPE {USER | COMPUTER}] [/USER <targetuser>] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

To find out which Group Policies apply to a given AD object (user and computer), along with other settings related to the GPO infrastructure (i.e. the resulting GPO policy settings, RSoP), run the command:

Gpresult /r

The results of the command execution are divided into 2 sections:

  • COMPUTER SETTINGS – this section contains information about the GPOs applied to the computer
  • USER SETTINGS – user policies (policies that apply to the user account in AD)

Let’s briefly run through the main settings/partitions that may be useful in GPResult output:

  • Site Name – the name of the AD site where the computer is located;
  • CN – the full canonical name of the user/computer for which the RSoP data was generated;
  • Last time Group Policy was applied – the time when Group Policy was last applied;
  • Group Policy was applied from – the domain controller from which the latest version of the GPO was downloaded;
  • Domain Name and Domain Type – the name and schema version of the Active Directory domain;
  • Applied Group Policy Objects – the list of applied GPOs;
  • The following GPOs were not applied because they were filtered out – GPOs that were filtered out and not applied;
  • The user/computer is a part of the following security groups – the domain groups the user/computer belongs to.

gpresult /r output

In our example, you can see that 3 Group Policies apply to the user object:

  • Default Domain Policy;
  • Drive Mapping;
  • Outlook Coding;

If you do not want the console to display both user and computer policies at the same time, use the /scope option to display only the section you need. For example, here is the command for user settings:

gpresult /r /scope:user

And here is for the computer policies:

gpresult /r /scope:computer

Since the Gpresult utility writes its data directly to the command-line console, which is not always convenient for further analysis, its output can be redirected to the clipboard:

Gpresult /r |clip

or a text file:

Gpresult /r > c:\gpresult.txt

To output highly detailed RSOP information, add the /z switch:

Gpresult /r /z

How to Get RSOP HTML Report via GPResult

In addition, the GPResult utility can generate an HTML report on the applied resulting policies (available in Windows 7 and later). This report contains detailed information about all system settings that are set by Group Policies. The report is structured like the Settings tab in the Group Policy Management Console (GPMC). You can generate a GPResult HTML report with the following command:

GPResult /h c:\temp\GPreport.html /f

GPResult HTML Report

To generate a report and then automatically open it in your browser, run the command:

GPResult /h GPReport.html & GPReport.html

The gpresult HTML report contains quite a lot of useful information:

  • GPO application errors
  • Processing time in ms
  • Application of specific policies and CSE (that are located in Computer Details ⇒ Component Status)

As you can see, this HTML report is much more useful for analyzing the policies than the rsop.msc console.

How to Get GPResult Data from a Remote Computer

GPResult can also collect data from a remote computer, eliminating the need for the administrator to log on to the remote computer locally or via RDP. The syntax of the command to collect RSOP data from the remote computer is the following:

GPResult /s servername /r

Similarly, you can remotely collect both user and computer policy data.

How to Get RSOP Data for a Certain User

When UAC is enabled, running GPResult without elevated privileges displays only the user’s Group Policy settings. If you want to display both sections at the same time (User and Computer settings), run the command with administrative privileges. If the elevated cmd.exe is running under an account that differs from the currently logged-on user, the utility displays the warning INFO: The user “domain\user” does not have RSOP data. This happens because GPResult tries to collect information for the user who started it, and since that user has not logged on interactively, there is no RSOP data for them. To collect RSOP information for a user with an active session, specify their account:

gpresult /r /user:domain\username

If you do not know the name of an account that is logged on to a remote computer, the account can be obtained this way:

qwinsta /SERVER:remotePCname

Also check the time (and time zone) on the client. The time must correspond to the time on the PDC (Primary Domain Controller).

Possible Reasons for GPOs to not Apply

While troubleshooting Group Policies, you should also look at the section “The following GPOs were not applied because they were filtered out”. It lists the GPOs that do not apply to this object. A policy may be filtered out for one of the following reasons:

  • Filtering: Not Applied (Empty) – the policy is empty (there is nothing to apply);
  • Filtering: Denied (Unknown Reason) – the user or computer most likely does not have permission to read/apply this policy. Permissions can be configured on the Security tab of the GPO in the Group Policy Management Console (GPMC);
  • Filtering: Denied (Security) – the “Apply Group Policy” permission has an explicit Deny entry, or the AD object is not listed in the Security Filtering section of the GPO settings.

You can also check whether a policy should apply to a specific AD object on the Advanced ⇒ Effective Access tab.
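As an added example (not code from the original article), the PowerShell function below wraps the gpresult switches covered above (/s, /user, /x, /f) and turns the XML report into a per-GPO summary of what was applied and what was filtered out. The XML element names it reads (Rsop, ComputerResults, UserResults, GPO, Name, Enabled, FilteringStatus, AccessDenied, Link/SOMPath) are assumed from the gpresult /x report format.

```powershell
# Added example, not from the original article. Element names are assumed
# from the gpresult /x report format; the computer/user names are placeholders.
function Get-RsopGpoSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,            # remote target (/s)
        [string]$UserName,                                   # logged-on user (/user); needed for remote targets
        [string]$ReportPath = (Join-Path $env:TEMP 'rsop.xml')
    )
    $gpArgs = @('/s', $ComputerName, '/x', $ReportPath, '/f')
    if ($UserName) { $gpArgs += @('/user', $UserName) }

    # gpresult prints its own status text; the exit code tells us whether it failed
    & gpresult.exe @gpArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed on $ComputerName (exit code $LASTEXITCODE)" }

    [xml]$rsop = Get-Content -Path $ReportPath -Raw
    # Without elevation only the user section is present, so skip missing sections
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $section = $rsop.Rsop.$scope
        if (-not $section) { continue }
        foreach ($gpo in $section.GPO) {
            if ($gpo.AccessDenied -eq 'true') {
                $status = 'Denied (Security): check Security Filtering / Apply Group Policy permission'
            } elseif ($gpo.FilteringStatus -and $gpo.FilteringStatus -ne 'None') {
                $status = "Filtered ($($gpo.FilteringStatus))"   # e.g. empty GPO or unknown reason
            } elseif ($gpo.Enabled -ne 'true') {
                $status = 'Link disabled'
            } else {
                $status = 'Applied'
            }
            [pscustomobject]@{
                Scope    = $scope -replace 'Results$'
                Gpo      = $gpo.Name
                LinkedAt = @($gpo.Link.SOMPath) -join '; '     # OU/domain/site the GPO is linked to
                Status   = $status
            }
        }
    }
}

# Usage (placeholder names): list everything that did NOT apply to a remote user session
# Get-RsopGpoSummary -ComputerName 'PC-NAME' -UserName 'domain\username' |
#     Where-Object Status -ne 'Applied' | Format-Table -AutoSize
```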

These are the main options for diagnosing Group Policy with the GPResult utility.



How to Update Windows Group Policy on Domain Computers

In this article, we will take a look at the features of updating Group Policy settings on Active Directory domain computers:

  • Automatic Group Policy update interval
  • The GPUpdate command
  • Remote update via the Group Policy Management Console (GPMC.msc)
  • PowerShell Invoke-GPUpdate command

Group Policy Update Interval

In order for the new settings that you have defined in a Local or Domain Group Policy (GPO) to apply to clients, the Group Policy Client service must reload the policies and make the changes to the client settings. This process is called updating Group Policy. Group Policy settings are updated when the computer boots and the user logs on, or automatically in the background every 90 minutes plus a random offset between 0 and 30 minutes (i.e., the policies are guaranteed to apply to clients between 90 and 120 minutes after the GPO files are updated on the domain controller).

Domain controllers by default update the GPO settings much more frequently – once every 5 minutes.

You can change the refresh interval for GPO settings using the Set Group Policy refresh interval for computers option, which is located in the GPO Computer Configuration ⇒ Administrative Templates ⇒ System ⇒ Group Policy section. Enable the policy and set the time (in minutes) in the following settings:

  • This setting allows you to customize how often Group Policy is applied to computers (0 to 44640 minutes) – if you set 0 here, the policies will be refreshed every 7 seconds, which you should not do
  • This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time (0 to 1440 minutes) – the maximum random interval that is added as an offset to the previous setting.

Set Group Policy Refresh Interval for Computers

Keep in mind that frequent GPO updates result in increased traffic to domain controllers and increased network load.

GPUpdate.exe – Group Policy Settings Update Command

All administrators are familiar with the gpupdate.exe command, which allows you to update group policy settings on your computer. Many of them do not hesitate to use the gpupdate /force command to update the GPO. This command forces the computer to reread all the policies from the domain controller and reapply all settings. The client accesses the domain controller, and receives ALL policies that are targeting it. This puts an increased load on the network and the domain controller.

A simple gpupdate command without the /force switch applies only new or changed GPO settings.

If all is OK when we update the GPO, the following lines should appear:

Updating policy…
Computer Policy Update has completed successfully.
User Policy Updating has completed successfully.

If any policies or settings have not applied, use the gpresult command to troubleshoot.
You can separately update GPO user settings by running the following command:

gpupdate /target:user

or just computer policies:

gpupdate /target:computer /force

If some policies cannot be updated in the background, gpupdate can force the current user to log off:

gpupdate /target:user /logoff

Or reboot the computer (if the GPO changes can only be applied when Windows boots):

gpupdate /Boot

Force Update of Group Policy from the Group Policy Management Console

GPMC.msc (Group Policy Management Console), starting with Windows Server 2012, provides the ability to remotely update Group Policy settings on domain computers.

In Windows 10, you need to install the RSAT component to use this console. To install it, run the following command with administrator privileges:

Add-WindowsCapability -Online -Name Rsat.GroupPolicy.Management.Tools~~~~0.0.1.0

Now, after changing settings or creating and linking a new GPO, all you have to do is right-click the desired Organizational Unit (OU) in the GPMC and select Group Policy Update from the context menu. In the new window, you will see the number of computers on which the GPO will be updated. Confirm the forced policy update by clicking Yes.

Group Policy Update via GPMC

Then the GPOs begin to update on each computer in the OU, and you get a result showing the status of the policy update on each computer (Succeeded/Failed).

This command remotely creates a scheduled task on the computers that runs GPUpdate.exe /force for each logged-on user. The task starts after a random delay (up to 10 minutes) to reduce the network load.

The following conditions must be met for this GPMC functionality to work on the client:

  • TCP port 135 needs to be opened in Windows Firewall
  • Windows Management Instrumentation and Task Scheduler services must be enabled

If the computer is shut down or access to it is blocked by the firewall, the message “The remote procedure call was cancelled” will appear next to the computer name.

In a nutshell, this functionality has the same effect as manually running GPUpdate /force on each computer.

Group Policy Update with the Invoke-GPUpdate PowerShell Command

You can also trigger remote Group Policy updates on computers using the Invoke-GPUpdate PowerShell cmdlet (included in the RSAT). For example, you can use the command to remotely update user policies on a specific computer:

Invoke-GPUpdate -Computer "domain\computer035" -Target "User"

When run without parameters, the Invoke-GPUpdate command updates the GPO settings on the current computer (the equivalent of gpupdate.exe).

When combined with the Get-ADComputer cmdlet, you can update Group Policies on all computers in a specific OU:

Get-ADComputer -filter * -Searchbase "ou=Computers,dc=domain,dc=com" | foreach{ Invoke-GPUpdate -computer $_.name -force}

Or all computers that fall under certain criteria (for example, all Windows Server in the domain):

Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' }| foreach{ Invoke-GPUpdate -computer $_.name -RandomDelayInMinutes 10 -force}

You can add a random delay to the GPO update using the RandomDelayInMinutes parameter. This reduces the load on the network when you update policies on many computers at the same time. RandomDelayInMinutes 0 applies the policies immediately.

For inaccessible computers, the command will return the error:

Invoke-GPUpdate: Computer "spb-srv01" is not responding. The target computer is either turned off or Remote Scheduled Tasks Management Firewall rules are disabled.
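As an added example (not part of the original article), the function below refreshes Group Policy on every enabled computer in an OU with Invoke-GPUpdate, first checking that TCP port 135 (which the article notes must be open) is reachable, and returns one status object per computer so that the "not responding" cases are easy to review. The OU path is a placeholder and the Test-NetConnection pre-check is my addition.

```powershell
# Added example, not from the original article. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules are installed; the OU path below is a placeholder.
function Invoke-OuGroupPolicyRefresh {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Workstations,DC=domain,DC=com'
        [int]$RandomDelayInMinutes = 10,              # spread the load, as in the article
        [switch]$Force                                # equivalent of gpupdate /force
    )
    $computers = Get-ADComputer -Filter 'Enabled -eq "True"' -SearchBase $SearchBase
    foreach ($c in $computers) {
        $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
        $result = [pscustomobject]@{ Computer = $name; Status = ''; Detail = '' }

        # Pre-check: without the RPC endpoint mapper (TCP 135) the remote scheduled
        # task cannot be created, so report the cause instead of a generic failure
        $open = Test-NetConnection -ComputerName $name -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) {
            $result.Status = 'Skipped'
            $result.Detail = 'TCP 135 unreachable (computer off or firewalled)'
            $result
            continue
        }

        try {
            $params = @{ Computer = $name; RandomDelayInMinutes = $RandomDelayInMinutes; ErrorAction = 'Stop' }
            if ($Force) { $params.Force = $true }
            Invoke-GPUpdate @params            # schedules gpupdate on the client
            $result.Status = 'Scheduled'
            $result.Detail = "gpupdate task queued, delay up to $RandomDelayInMinutes min"
        } catch {
            $result.Status = 'Failed'          # e.g. the "is not responding" error shown above
            $result.Detail = $_.Exception.Message
        }
        $result
    }
}

# Usage: show only the computers that did not get a scheduled refresh
# Invoke-OuGroupPolicyRefresh -SearchBase 'OU=Workstations,DC=domain,DC=com' -Force |
#     Where-Object Status -ne 'Scheduled' | Format-Table -AutoSize
```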

When running the Invoke-GPUpdate command remotely or updating a GPO through the GPMC, a cmd window may briefly appear on the user’s monitor with the gpupdate command running.