Posted on November 6, 2014 · Posted in Active Directory

Using GPResult to Diagnose Group Policies Issues

GPResult.exe is a console utility that allows to analyze settings and diagnose group policies that applied to a computer and/or user. In particular, GPResult helps to obtain the Resultant Set of Policy (RSOP), the list of the applied domain policies (GPO), their settings and the detailed information on the errors during processing them. This tool is a part of Windows OS since Windows XP.

In this article we look at the GPResult features that can be used to diagnose and debug Group Policies that apply on domain computers.

So, to get a detailed information about the group policies, applied to a user or a computer, as well as other settings that belong to the GPO infrastructure, run this command:

Gpresult /r

The results of this command are subdivided into two sections:

  • COMPUTER SETTINGS – the section contains the information on the GPO applied to the computer (as an Active Directory object)
  • USER SETTINGS – this is a user section of policies (the policies applied to the account of the user in AD)

Let’s briefly cover the basic settings/sections of GPResult that can be of interest for us:

  • Site Name is the name of the AD site where the computer is located
  • CN is the full canonical name of the user/computer the RsoP data have been generated
  • Last time Group Policy was applied is the time when the group policies were last applied
  • Group Policy was applied from is the domain controller the last GPO version has been downloaded from
  • Domain Name и Domain Type is the name and the version of the Active Directory domain schema
  • Applied Group Policy Objects are the lists of applied Group Policy objects
  • The following GPOs were not applied because they were filtered out are GPOs that have  not been applied or have been filtered out
  • The user is a part of the following security groups are the domain groups the user is a member of

gpresult /r

In this example, you can see that 4 group policies are applied to the user object.

If you don’t want the information both on the user policies and the computer policies to be displayed simultaneously, you can use the  /scope option to display only the section you need:

gpresult /r /scope:user


gpresult /r /scope:computer

Since Gpresult displays its data directly to the command line, and it is sometimes not too convenient for further analysis, the output can be redirected to the clipboard:

Gpresult /r |clip

or a text file:

Gpresult /r > c:\temp\gpresult.txt

When the UAC is enabled and GPResult is used as non-elevated, only the user settings section of the group policies are shown. If you need both sections (USER SETTINGS and COMPUTER SETTINGS) to be displayed, the command must be running  in the command line with the administrator privileges.

If the command line with the elevated privileges is run on behalf of the account that is different from the current user, the tool will show the warning:

INFO: The user “domain\user” does not have RSOP data.

It happens since GPResult tries to collect the data of the user that has started it, but as he  hasn’t logged on to the system, the RSOP information on him is absent. To collect the data on the system user, his account should be specified:

gpresult /r /user:sa\edward

gpresult user scope

GPResult can also generate an HTML report on the applied policies. This report contains the detailed information on all system parameters that are set by the Group Policies and the names of the certain GPOs that have set them (in its structure, this report resembles the Settings tab in the Group Policy Management Console – GPMC). The HTML report can be generated using the command:

GPResult /h c:\temp\gpo-report.html /f

Genereate GPResult html report

To generate the report and automatically open it in a browser, run the following command:

GPResult /h GPResult.html & GPResult.html

GPResult can collect data from a remote computer as well with no need to log on to the remote system. The command looks like this:

Gpresult /s remote-pc-name1 /r

When troubleshooting the group policies, it’s worth to pay attention to the section: The following GPOs were not applied because they were filtered out. It contains the list of the GPOs that are not applied to this object by any reason. Here are some reasons why the policies are not applied:

  • Filtering: Not Applied (Empty) – the policy is empty (there is nothing to apply)
  • Filtering: Denied (Unknown Reason) – a user/computer is likely to have no permission to read/apply this policy (the permissions can be configured in the Security tab of GPMC (Group Policy Management Console)
  • Filtering: Denied (Security) — an explicit denial is specified in the section Apply Group Policy, or an AD object is not in the list of groups in the Security Filtering section of the GPO  GPO Security Settings in AD

So, in this article we have considered the peculiarities of the diagnostics of the group policy application using GPResult and covered basic scenarios of using it. GPResult is often used together with the RsoP.msc console that allows to present the resultant set of policies graphically.

Related Articles