In this guide, you will learn how to use the GPResult command line tool to verify what group policy objects are applied to a user or computer.
GPResult is a command line tool that shows the resultant set of policy for group policy objects. In other words, it creates a report that displays what group policy objects are applied to a user and computer.
If you are using group policy in your environment then you definitely should know how to use this tool.
Topics in this guide:
GPResult Video Tutorial
If you don’t like video tutorials or want more details, then continue reading the instructions below.
Group Policy is an effective way for administrators to control policy settings, deploy software, apply permissions, and so on across the entire domain.
When you have multiple Group Policy Objects you need a way to verify those objects are getting applied to a user or computer.
This is exactly what GPresult was built to do.
Let’s look at the example below, I have 4 group policy objects applied at different levels of the domain. One at the root, two at ADPro Computers, and one at the ADPRo users OU.
How do I know if they are working?
How can I check if these GPOs are getting applied correctly?
In the next section, I’ll show you exactly how I can use gpresult to verify these GPOs are getting applied.
The GPResult command is included with Windows Server versions 2008 and higher. It is also included in client version Windows 7 and higher.
GPResult Examples
Tip: Run the command prompt as administrator or you may run into issues with the command returning computer settings.
Display All Applied GPOs applied to (User and Computer)
gpresult /r
This is the most common usage of the gpresult command, it is a quick way to display all group policy objects to a user and computer.
It will display the GPO order, displays details such as last time group policy was applied, which domain controller it run from, and which security groups the user and computer is a member of.
From the screenshot of my group policy management console, there should be 3 GPOs that get applied to the computer and one to the user. Let’s look at the results of the command to verify that is happening.
I can see under applied group policy objects that all three GPOs are getting applied.
Now let’s check the user GPOs. Yes, I can see the Users – Browser Settings GPO is getting applied.
Display GPOs applied to a specific user
If you don’t want to see both User and Computer GPOs then you can use the scope option to specify user or computer
gpresult /r /scope:user
Display GPOs applied to a specific computer
gpresult /r /scope:computer
Display GPOs applied on a remote computer
gpresult /s pc2 /r
Generate HTML Report
This generates an html report of the applied group policy objects. If you don’t specify a path it will save it to the system32 folder.
gpresult /h c:\reports.html
Export to a text file
You can redirect the output to a text file with the command below. This is helpful if the results are producing lots of information.
gpresult /r >c:\results.txt
Group Policy Reports
If you want to create a report on GPO objects in your network I recommend the AD Pro Toolkit. It includes over 200 built-in reports on users, groups, group policy, and security.
This easy to use tool will quickly generate a report on all GPOs, disabled GPOs, recently modified, and created, GPOs that are not linked, and much more. Below is a complete list of GPO reports.
General Group Policy Reports
- All GPOs
- All settings disabled
- All settings enabled
- Computer configuration disabled
- User configuration disabled
- Deleted GPOs
- GPOs created in last 7 days
- GPOs created in last 30 days
- GPOs created in last 60 days
- GPOs modified in last 1 days
- GPOs modified in last 7 days
- GPOs modified in last 30 days
- Link not enabled
- Block inheritance enabled
- OU linked GPOs
- Site linked GPOs
- Domain linked GPOs
You can download a free trial and test the reports on your own network.
Group policy can be a pain, even when best practices are followed group policy can still be challenging. Knowing how to use these built in tools will help you to verify and troubleshoot group policy’s in your environment. Go give it a try and let me know if you have any questions.
Related: GPUpdate command: How to force a group policy update
Thank you! Will be usefull
Hello… Thank you for the presentation/info…
(I’m new to GPO stuff..)
Is this tool can be used to show “Computer Config > Windows Settings > Security Setting >User Rights Assignment > “Log on as a service” is applied?
How can I check if a account has this right assigned? (I know how to add in the GPEdit….
Thank you very much!!
Check where the GPO is applied. Go to Group Policy Objects, select the GPO that has the settings and under scope you can see where the GPO is applied.
For example, I have a GPO called “users- lock screen” and this GPO is applied to the Accounting OU under my Users OU. This means everyone in the Accounting OU will get this GPO applied.
You can verify it is being applied by using the GPResult command as demonstrated in this guide.
Hope that helps.
i am having this issue on my domain joined computer can anyone look and help me with that
while
i have checked everything on domain controller by running dcdiag /c /v and every test goes smooth no error occurred. but on user end i am facing this issue i use all methods like (GPUPDATE, Restart system etc)
Applied Group Policy Objects
—————————–
Local Group Policy
The user is a part of the following security groups
—————————————————
ERROR: An unexpected error occurred.
Make sure to run the command prompt in administrator mode. If it just says command prompt in upper left then you are not in administrator mode.
Great Post! When running “gpresult /scope:computer /r” is there a way to only display the GPO’s that are listed in the Applied Group Policy Objects section for the output?
Good post, thanks! There is also great post about gpresult here – https://sysadminpoint.com/2020/08/18/group-policy-diagnostics-with-gpresult-command/
Metalline, good article. Thanks for sharing.
dead link
Please help running “gpupdate /force” runs without an error but when I run “gpresult /r”, Applied group Policy Objects shows N/A. What could be the problem here?
im probably too late, run your command line in administrator mode, if not you will see only the “users” part of the GPO
Martin, great tip. A very common mistake when running gpresult /r
Great Demo
Thanks Charley
great
bro
Thanks salman
yes thanks
There is also a professional tool called gytpol Validator which will validate all endpoint configurations against the GPO and Active Directory
Thanks Matthew. I have not used that tool, I’ll check it out.
Good Post.. thanks alot
Good post.