GPResult.exe is a console administrative tool designed to analyze and diagnose the Group Policy settings that are applied to a computer and/or user in an Active Directory domain. In particular, GPResult allows you to get the RSOP (Resultant Set of Policy) data, the list of applied domain policies (GPOs), their settings, and detailed information about errors during GPO processing. The tool has been part of Windows since Windows XP. GPResult helps you answer questions such as: does a particular policy apply to a computer, which GPO changed a particular Windows setting, and how can slow GPO/GPP processing be troubleshot?
In this article we’ll take a look at the nuances of using the GPResult command to diagnose performance and debug Group Policies in the Active Directory domain.
In earlier Windows versions, the RSOP.msc graphical console was used to diagnose the application of group policies on the client side. It showed the resulting policy settings (domain + local) applied to the computer and user in a graphical form similar to the GPO editor console. The RSOP.msc console in the screenshot below shows that the Windows update settings are set by the WSUS_SERVERS policy.
However, the RSOP.msc console is impractical in modern Windows versions: it doesn’t show the settings applied by various Group Policy extensions (client-side extensions – CSE), such as GPP (Group Policy Preferences), doesn’t let you search among the settings, and provides little diagnostic information (in Windows 10 a warning even appears that RSOP does not give a full report, unlike GPResult). Therefore, the GPResult command is today the primary tool for GPO diagnostics in Windows.
How to Use the Group Policy Results (GPResult.exe) Tool?
The GPResult command must be run on the computer on which you want to check the application of group policies. The GPResult command has the following syntax:
GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope] [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]
To get detailed information about the group policies applied to a user or a computer, as well as other parameters related to the GPO infrastructure (the resulting GPO policy settings – RSoP), run this command:
The results of this command are subdivided into two sections:
- COMPUTER SETTINGS – the section contains the information on the GP objects applied to the computer (as an Active Directory object);
- USER SETTINGS – this is a user policy section (the policies applied to the account of the AD user).
Let’s briefly cover the basic settings/sections in the GPResult output that may be of interest:
- Site Name – is the name of the AD site where the computer is located;
- CN – full canonical user / computer name for which RSoP data was generated;
- Last time Group Policy was applied – is the time when the group policies were last applied;
- Group Policy was applied from – is the name of the domain controller from which the last GPO version has been downloaded;
- Domain Name and Domain Type – is the name and the version number of the Active Directory domain schema;
- Applied Group Policy Objects – are the lists of applied Group Policy objects;
- The following GPOs were not applied because they were filtered out – are GPOs that have not been applied or have been filtered out;
- The user is a part of the following security groups – are the domain groups of which the user is a member.
In this example, you can see that 4 group policies are applied to the user object:
- Disable Cached Credentials;
- DNS Suffix Search List;
- Enable Windows Firewall;
- Default Domain Policy.
If you don’t want to display information about user and computer policies at the same time, you can use the /scope option to display only the section you need. To show only the resulting user policy:
gpresult /r /scope:user
or only applied computer policies:
gpresult /r /scope:computer
Since the GPResult tool writes its data directly to the command line, which is not always convenient for further analysis, the output can be redirected to the clipboard:
Gpresult /r |clip
or a text file:
Gpresult /r > c:\ps\gpresult.txt
To display super detailed RSOP information, you need to add the /z key:
Gpresult /r /z
RSoP HTML Report Using GPResult
GPResult can also generate an HTML report on the applied resultant policies (available in Windows 7 and higher). This report contains the detailed information on all system settings that are set by the Group Policies and the names of the certain GPOs that have set them (in its structure, this report resembles the Settings tab in the Group Policy Management Console – gpmc.msc). You can generate the GPResult HTML report using the command:
GPResult /h c:\PS\gpo-report.html /f
To generate the report and automatically open it in a browser, run the following command:
GPResult /h GPResult.html & GPResult.html
The gpresult HTML report contains quite a lot of useful information: you can see GPO processing errors and the processing time (in ms) for specific policies and CSEs (in the Computer Details -> Component Status section). For example, in the screenshot above you can see that the Enforce password history policy with the setting “24 passwords remembered” is applied by the Default Domain Policy (Winning GPO column). As you can see, this gpresult HTML report is much more convenient for analyzing the applied policies than rsop.msc.
How to Run GPResult on a Remote Computer?
GPResult can also collect data from a remote computer, with no need to log on to the remote system locally or via RDP. The command to collect RSOP from a remote computer looks like this:
GPResult /s remote-pc-name1 /r
Similarly, you can remotely collect data on both user and computer policies.
The User Does Not Have RSoP Data
When UAC is enabled and GPResult is run in non-elevated mode, only the user settings section of the group policies is shown. If you need both sections (USER SETTINGS and COMPUTER SETTINGS) to be displayed, the command must be run in a command prompt with administrator privileges. If the elevated command prompt is run on behalf of an account that is different from the current user, the tool will show the warning: INFO: The user “domain\user” does not have RSOP data. This happens because GPResult tries to collect the data of the user that started it, but since this user has not logged on, there is no RSOP information for that account. To collect RSOP information for a user with an active session, you need to specify that account:
gpresult /r /user:sa\edward
If you don’t know the name of an account that is logged on to a remote computer, you can get a username like this:
Also check the time (and time zone) on the client. The time must match the time on the PDC (Primary Domain Controller).
The following GPOs were not applied because they were filtered out
When troubleshooting group policies, it’s worth paying attention to the section: The following GPOs were not applied because they were filtered out. It contains the list of the GPOs that are not applied to this object for some reason. Here are some reasons why the policies are not applied:
- Filtering: Not Applied (Empty) – the policy is empty (there is nothing to apply);
- Filtering: Denied (Unknown Reason) – a user/computer is likely to have no permission to read/apply this policy (the permissions can be configured in the Security tab of the Group Policy Management Console). You can also check whether the policy should be applied to a specific AD object using the effective permissions tab (Advanced -> Effective Access) in the GPMC;
- Filtering: Denied (Security) — an explicit denial is specified in the section Apply Group Policy, or an AD object is not in the list of groups in the Security Filtering section of the GPO.
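The "Applied Group Policy Objects" and "filtered out" sections described above can be checked automatically against a list of GPOs a host is expected to receive. The following PowerShell is an added example, not part of the original article: the function name Get-GpResultSummary, the baseline list and the sample text are assumptions made for illustration, and the parser assumes the English-language layout of gpresult /r.

```powershell
# Constructed sample in the layout of "gpresult /r /scope:user" (English OS), not real output.
$sample = @'
USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Disable Cached Credentials
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Enable Windows Firewall
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
'@

# Hypothetical helper: splits gpresult /r text into applied GPOs and filtered GPOs with their reason.
function Get-GpResultSummary {
    param([string[]]$Lines)
    $section = ''; $lastGpo = $null
    $applied  = [System.Collections.Generic.List[string]]::new()
    $filtered = [ordered]@{}                      # GPO name -> filtering reason
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -eq 'N/A' -or $line -match '^-+$') { continue }
        if     ($line -eq 'Applied Group Policy Objects')           { $section = 'applied' }
        elseif ($line -like 'The following GPOs were not applied*') { $section = 'filtered' }
        elseif ($line -match '^(The (user|computer) is a part of|(USER|COMPUTER) SETTINGS$)') { $section = '' }
        elseif ($section -eq 'applied') { $applied.Add($line) }
        elseif ($section -eq 'filtered') {
            if ($line -match '^Filtering:\s*(.+)$') { if ($lastGpo) { $filtered[$lastGpo] = $Matches[1] } }
            else { $lastGpo = $line; $filtered[$line] = 'Unknown' }
        }
    }
    [pscustomobject]@{ Applied = $applied; Filtered = $filtered }
}

# Hypothetical baseline: GPOs this user is required to receive.
$required = 'Disable Cached Credentials', 'Enable Windows Firewall', 'DNS Suffix Search List'
$r = Get-GpResultSummary -Lines ($sample -split "`r?`n")   # live: -Lines (gpresult /r /scope:user)
foreach ($gpo in $required) {
    if     ($r.Applied -contains $gpo)  { "OK       $gpo" }
    elseif ($r.Filtered.Contains($gpo)) { "FILTERED $gpo : $($r.Filtered[$gpo])" }
    else                                { "MISSING  $gpo : not listed in either section" }
}
```

A FILTERED result for a security GPO is the case to investigate first, using the filtering reasons listed above.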
So, in this article we have looked at how to diagnose the application of group policies using the GPResult tool and covered the basic scenarios for using it.