The Sysadmins

Tips and tricks from the Sysadmins

Group Policy – GPResult Examples

GPResult is a command-line utility for determining the resultant set of policy for a given user and/or computer. In other words, it shows you what Group Policy Objects have been applied and their settings. This is typically one of the first tools I go to when troubleshooting Group Policy from a client once basic connectivity has been confirmed (e.g. Network/DNS). The tool itself is very simple to use and I will run through some common examples below.

List GPOs Applied with Summary Data

Gpresult /r

/r Displays RSOP summary data

This is pretty useful when you simply want to see what GPOs have applied and in what order. It will also display summary data, such as last time group policy was applied, which Domain Controller it was applied from, the site, security groups and if the slow link threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way of checking.

Here we see that 4 GPOs have applied to the Computer settings portion.

GPresult /r

If you don’t want to view both Computer and Users settings in the output you can request one or the other with the /scope flag.

gpresult /r /scope:user
gpresult /r /scope:computer

The output reads fairly well from within the command prompt, but if you need to export the output you could use either of the following.

Gpresult /r > gpresult.txt Export output to a text file
Gpresult /r |clip Export output to Windows clipboard

I can’t see the Computer Settings?

If UAC is enabled, running GPResult without elevating the command prompt will only show you the user settings. If you want to see both user and computer settings, elevate the command prompt by either tapping the winkey+cmd then ctrl+shift+enter or right click on the command prompt and select run as administrator. If you elevate with an admin account different to the currently logged in user (common if the user does not have administrator rights), then you will receive an error message stating INFO: The user “domain\user” does not have RSOP data. This is because GPResult is using the elevated user’s context. To work around this, specify the standard user that you are troubleshooting.

gpresult /r /user:sa\edward.thomas

GPResult-5

Generate HTML Report

Gpresult /h report.html /f
Gpresult /h report.html /user:sa\edward.thomas /f

/h Saves the report in HTML format
/f Forces GPresult to overwrite the file name specified with /h
/user Specifies the user name for which the RSOP data is to be displayed

To get a more graphical view of what’s going on, you can generate a HTML report. This gives a detailed break down of each setting and the GPO from which it came. This view is particularly nice as you can show all and use ctrl+f to find a particular policy or setting.

GPResult /h html report

Run GPResult on Remote Computer

Gpresult /s server1 /r

/s Specifies the remote system to connect to

This allows you to run GPResult on a remote system, all of the above applies.

GPresult Remote Computer

The following GPOs were not applied because they were filtered out

Filtering Denied Security or Not Applied Empty

You may see this for a few reasons. The first that the policy is empty in which case you’ll see Filtering: Not Applied (Empty), this is fairly self explanatory. The second is Filtering: Denied (Security), which typically boils down to the “Apply Group Policy” permission on the GPO. You may also see Filtering: Denied (Unknown Reason) which is similar to (Security) in that the “Read” permissions has been denied.

To review the last two examples, launch the GPMC (Group Policy Management Console). Find the offending GPO, and select Delegation- from there you may see an additional group or a single user or machine that has been added.

GPO Delegation Permissions

Click on advanced and review the permissions against the object. In this case you can see that the Seven computer object has been denied Apply Group Policy resulting in the Filtering: Denied (Security) message.

Deny Apply Group Policy

If in doubt, select Advanced -> Effective Access and enter the required computer or user object. If you scroll down to around halfway you’ll see the Apply Group Policy permission with either a green tick of a red cross against it. If deny read has been granted every permission will have a red cross next to it.

Effective Access for GPO Permissions

I hope this gives you the basics behind GPResult and some good real world example to aid in your Group Policy troubleshooting.

11 Comments

  1. Thank you so much! This is very beneficial for diagnosing policies applied to a machine and I learned something new about the security context they run in!

  2. Very useful, Thank you very much

  3. Thank you so much for this material 🙂

  4. Brilliant mate, well done

  5. Very informative, thank you.

  6. Good steps. Also, I never knew that you could pipe to the clipboard. Thank you.

  7. If a user is part of Group 1 and Group 1 is part of Group 2, gpresult will list the user to be part of both groups 1 and 2. Am I right?

  8. Excellent. Very helpful.

  9. Thank you… very helpful…!!!

Leave a Reply

Your email address will not be published.

*