When you are managing a Window network you are probably using group policies to preset Windows settings, and determine what user can and can’t do. To verify if the settings are applied to the clients we can use the GPResult tool, but how does it exactly work?
Testing new policies is always a bit challenging, you try to pull the new policies to the client with GPUpdate, maybe even a reboot, but how do you know if the policies are applied? And which policies are even applied to the user or computer?
In this article, we are going to take a look at the GPResult command and how we can use it to verify policy settings.
Using GPResult Command
The gpresult command displays the Resultant Set of Policies (RSoP) for a user and/or computer. Policies can overrule each other, a setting applied to all users can be canceled out by a specific policy that is assigned to a small group of users. So the RSoP will show you the actual assigned policies settings.
Note
Good to know is that when you run the command in a user context, it will show only the policies of the logged-on user. To view the computer policies you will need to use an elevated terminal or log in as an Administrator, but later more about that.
So we are going to start with the basics, reviewing the applied user policies. When you are logged in as the user you can run the following command in PowerShell or Windows Terminal to view applied GPOs:
GPResult /r
The result will be outputted in the console, and there are a few things important to note here:
- The distinguished name of the user, tells also the OU the user is in.
- Last time the policies are updated and from which domain controller
- Applied group policies object, these policies are effective
- Filtered out policies
Policies are automatically renewed every 90 mins, but you can force an update with the GPUpdate command. When you want to check if a policy is applied, make sure that you check the last time the policies are applied, and from which server they are pulled. When you have multiple domain controllers it’s possible that your recent group policy changes have not been synced yet to the other server.
Tip
Make sure that you also checkout the built-in RSoP Utility in Windows 10 and 11. This tool makes troubleshooting policies even easier!
Empty and disabled policies are filtered out. You can recognize disabled policies in the Group Policy Managed by the lighter grey icon.
GPResult Computer
When you run the gpresult command as a domain user, you may have noticed that the computer policies are not displayed. This is because the user doesn’t have permission to access the computer policies. So to view the computer scope we will need to use an elevated prompt.
- Right-click on Start or press Windows key + X
- Choose Windows Terminal (admin) or PowerShell (Admin)
If you now run the command gpresult /r
you will get first the Computer setting (you might need to scroll up a bit) followed by the user settings. Note that the user settings are from the administrator account, not the logged-on user!
RSOP data for LAZYADMIN\Administrator on LA-WIN11-LAB03 : Logging Mode ----------------------------------------------------------------------- OS Configuration: Member Workstation OS Version: 10.0.22000 Site Name: Default-First-Site-Name Roaming Profile: N/A Local Profile: C:\Users\administrator Connected over a slow link?: No COMPUTER SETTINGS ------------------ CN=LA-WIN11-LAB03,OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl Last time Group Policy was applied: 9/15/2022 at 12:47:29 PM Group Policy was applied from: LazySrvLab02.lazyadmin.nl Group Policy slow link threshold: 500 kbps Domain Name: LAZYADMIN Domain Type: Windows 2008 or later Applied Group Policy Objects ----------------------------- CPO_Win11_Settings CPO_Bitlocker_Settings Default Domain Policy The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The computer is a part of the following security groups ------------------------------------------------------- BUILTIN\Administrators Everyone BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users This Organization LA-WIN11-LAB03$ Domain Computers Authentication authority asserted identity System Mandatory Level USER SETTINGS -------------- CN=Administrator,CN=Users,DC=lazyadmin,DC=nl ### USER IS ADMINISTRATOR! Last time Group Policy was applied: 9/15/2022 at 9:53:05 AM Group Policy was applied from: LazySrvLab02.lazyadmin.nl Group Policy slow link threshold: 500 kbps Domain Name: LAZYADMIN Domain Type: Windows 2008 or later Applied Group Policy Objects ----------------------------- N/A The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- Local Group Policy Filtering: Not Applied (Empty) The user is a part of the following security groups
For the computer setting, we see the same structure as with the user settings. When the policy is last applied, which policies are effective and which ones are filtered out.
Now, to be honest, this is not the most ideal combination. You are running two queries and need to combine the result yourself. What you want is the computer settings together with the user settings in one overview.
Specify the User for GPResult
The GPResult command allows us to specify the user that we want to query the policy. This option, in combination with an elevated prompt, allows us to get both the user and computer settings in one overview.
To specify the user we are going to use the /USER
parameter. The specified user must have logged on at least once the computer before you can gather the RSoP data.
# Gather the RSoP data for the user Zoe Tucker gpresult /USER ztucker /R
As you can see in the screenshot above we have the computer settings first, and the user setting below.
If you only want to view the computer settings of the user you can also specify the scope. The scope can either be USER
or COMPUTER
:
gpresult /USER ztucker /SCOPE Computer /R # Or limit to user scope: gpresult /USER ztucker /SCOPE USER /R
Get GPResult of Remote Computer
To get the policy result of a user you don’t need access to the computer. Because we can also get the applied policies from a remote computer with the /S
parameter. For example, to get the applied policies from the computer LA-WIN11-LAB03 for the user Zoe Tucker we can use the following command:
Note
We are using the parameter /user and not /u. The latter is used when you want to run the command in another users context, for example as admin. With /user we can specify the user from which we want to retrieve the RSoP data.
gpresult /S LA-WIN11-LAB03 /user ztucker /R
View More Information
Until now we have only viewed when the last group policy was applied, and which group policy objects were applied. But sometimes you need more information, for example, which actual settings are made in the policies. For this, we can use the /V
or /Z
parameter.
With the /V
parameter we get the verbose information which provides additional details about the policy. /Z
is the super-verbose parameter, which will also show settings there are made in multiple places.
gpresult /v
The results of the verbose parameters are not always as readable as you want. For example, the default domain policy contains the password age settings. With the verbose option, we can clearly see how it’s configured.
But if we take a look at the UPO_IT policy, we can see which settings are configured, but not the actual settings. So the verbose parameters do give us more information, but I recommend using them in combination with the export to HTML option.
Export GPResult to HTML
So to make the gpresult data more readable we can export the result to an HTML file. The HTML file is formatted the same as the Settings tab in the Group Policy Management Console. When you export to HTML you don’t need to specify /R
or one of the verbose parameters /Z
or /V
. It will generate a detailed HTML for you with all the verbose information you need. You do need to specify the path and file name:
gpresult /USER ztucker /H c:\temp\gpresult-ztucker.html
If the filename already exists you might get an error. To overwrite the file you can use the /f
parameter to force overwriting of the existing file.
Wrapping Up
The gpresult tool is a great way to verify which group policy objects are applied to the computer and user. Use the export HTML option to easily compare the applied policies with the assigned policies in the group policy management console.
Another great tool to check policies is the RSoP Utility. This allows you to view all the applied policy settings just like the Group Policy Management tool. You can also generate the group policy results in the group policy management console on the server, make sure you check that option out as well.
If you have any questions, just drop a comment below!