How to use GPResult to verify Group Policies

When you are managing a Window network you are probably using group policies to preset Windows settings, and determine what user can and can’t do. To verify if the settings are applied to the clients we can use the GPResult tool, but how does it exactly work?

Testing new policies is always a bit challenging, you try to pull the new policies to the client with GPUpdate, maybe even a reboot, but how do you know if the policies are applied? And which policies are even applied to the user or computer?

In this article, we are going to take a look at the GPResult command and how we can use it to verify policy settings.

Using GPResult Command

The gpresult command displays the Resultant Set of Policies (RSoP) for a user and/or computer. Policies can overrule each other, a setting applied to all users can be canceled out by a specific policy that is assigned to a small group of users. So the RSoP will show you the actual assigned policies settings.

Note

Good to know is that when you run the command in a user context, it will show only the policies of the logged-on user. To view the computer policies you will need to use an elevated terminal or log in as an Administrator, but later more about that.

So we are going to start with the basics, reviewing the applied user policies. When you are logged in as the user you can run the following command in PowerShell or Windows Terminal to view applied GPOs:

GPResult /r

The result will be outputted in the console, and there are a few things important to note here:

gpresult
gpresult
  1. The distinguished name of the user, tells also the OU the user is in.
  2. Last time the policies are updated and from which domain controller
  3. Applied group policies object, these policies are effective
  4. Filtered out policies

Policies are automatically renewed every 90 mins, but you can force an update with the GPUpdate command. When you want to check if a policy is applied, make sure that you check the last time the policies are applied, and from which server they are pulled. When you have multiple domain controllers it’s possible that your recent group policy changes have not been synced yet to the other server.

Tip

Make sure that you also checkout the built-in RSoP Utility in Windows 10 and 11. This tool makes troubleshooting policies even easier!

Empty and disabled policies are filtered out. You can recognize disabled policies in the Group Policy Managed by the lighter grey icon.

GPResult Computer

When you run the gpresult command as a domain user, you may have noticed that the computer policies are not displayed. This is because the user doesn’t have permission to access the computer policies. So to view the computer scope we will need to use an elevated prompt.

  • Right-click on Start or press Windows key + X
  • Choose Windows Terminal (admin) or PowerShell (Admin)

If you now run the command gpresult /r you will get first the Computer setting (you might need to scroll up a bit) followed by the user settings. Note that the user settings are from the administrator account, not the logged-on user!

RSOP data for LAZYADMIN\Administrator on LA-WIN11-LAB03 : Logging Mode
-----------------------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.22000
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\administrator
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=LA-WIN11-LAB03,OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl
    Last time Group Policy was applied: 9/15/2022 at 12:47:29 PM
    Group Policy was applied from:      LazySrvLab02.lazyadmin.nl
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        LAZYADMIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        CPO_Win11_Settings
        CPO_Bitlocker_Settings
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        LA-WIN11-LAB03$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level


USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=lazyadmin,DC=nl   ### USER IS ADMINISTRATOR!
    Last time Group Policy was applied: 9/15/2022 at 9:53:05 AM
    Group Policy was applied from:      LazySrvLab02.lazyadmin.nl
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        LAZYADMIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups

For the computer setting, we see the same structure as with the user settings. When the policy is last applied, which policies are effective and which ones are filtered out.

Now, to be honest, this is not the most ideal combination. You are running two queries and need to combine the result yourself. What you want is the computer settings together with the user settings in one overview.

Specify the User for GPResult

The GPResult command allows us to specify the user that we want to query the policy. This option, in combination with an elevated prompt, allows us to get both the user and computer settings in one overview.

To specify the user we are going to use the /USER parameter. The specified user must have logged on at least once the computer before you can gather the RSoP data.

# Gather the RSoP data for the user Zoe Tucker
gpresult /USER ztucker /R
gpresult computer
gpresult computer and user

As you can see in the screenshot above we have the computer settings first, and the user setting below.

If you only want to view the computer settings of the user you can also specify the scope. The scope can either be USER or COMPUTER:

gpresult /USER ztucker /SCOPE Computer /R

# Or limit to user scope:
gpresult /USER ztucker /SCOPE USER /R

Get GPResult of Remote Computer

To get the policy result of a user you don’t need access to the computer. Because we can also get the applied policies from a remote computer with the /S parameter. For example, to get the applied policies from the computer LA-WIN11-LAB03 for the user Zoe Tucker we can use the following command:

Note

We are using the parameter /user and not /u. The latter is used when you want to run the command in another users context, for example as admin. With /user we can specify the user from which we want to retrieve the RSoP data.
gpresult /S LA-WIN11-LAB03 /user ztucker /R

View More Information

Until now we have only viewed when the last group policy was applied, and which group policy objects were applied. But sometimes you need more information, for example, which actual settings are made in the policies. For this, we can use the /V or /Z parameter.

With the /V parameter we get the verbose information which provides additional details about the policy. /Z is the super-verbose parameter, which will also show settings there are made in multiple places.

gpresult /v

The results of the verbose parameters are not always as readable as you want. For example, the default domain policy contains the password age settings. With the verbose option, we can clearly see how it’s configured.

password policy results
password policy settings

But if we take a look at the UPO_IT policy, we can see which settings are configured, but not the actual settings. So the verbose parameters do give us more information, but I recommend using them in combination with the export to HTML option.

group policy results
verbose information

Export GPResult to HTML

So to make the gpresult data more readable we can export the result to an HTML file. The HTML file is formatted the same as the Settings tab in the Group Policy Management Console. When you export to HTML you don’t need to specify /R or one of the verbose parameters /Z or /V. It will generate a detailed HTML for you with all the verbose information you need. You do need to specify the path and file name:

gpresult /USER ztucker /H c:\temp\gpresult-ztucker.html
gpresult HTML export
gpresult HTML export

If the filename already exists you might get an error. To overwrite the file you can use the /f parameter to force overwriting of the existing file.

Wrapping Up

The gpresult tool is a great way to verify which group policy objects are applied to the computer and user. Use the export HTML option to easily compare the applied policies with the assigned policies in the group policy management console.

Another great tool to check policies is the RSoP Utility. This allows you to view all the applied policy settings just like the Group Policy Management tool. You can also generate the group policy results in the group policy management console on the server, make sure you check that option out as well.

If you have any questions, just drop a comment below!

Leave a Comment

0 Shares
Tweet
Pin
Share
Share