In this guide, you will learn how to use the GPResult command line tool to verify what group policy objects are applied to a user or computer.
GPResult is a command line tool that shows the Resultant Set of Policy (RsoP) information for a user and computer. In other words, it creates a report that displays what group policies objects are applied to a user and computer.
If your using group policy in your environment then you definitely should know how to use this tool.
GPResult Video Tutorial
If you don’t like video tutorials or want more details, then continue reading the instructions below.
Group Policy is an effective way for administrators to control policy settings, deploy software, apply permissions and so on across the entire domain.
When you have multiple Group Policy Objects you need a way to verify those objects are getting applied to a user or computer.
This is exactly what GPresult was built to do.
Let’s look at the example below, I have 4 group policy objects applied at different levels of the domain. One at the root, two at ADPro Computers and one at the ADPRo users OU.
How do I know if they are working?
How can I check if these GPOs are getting applied correctly?
In the next section I’ll show you exactly how I can use gpresult to verify these GPOs are getting applied.
The GPResult command is included with Windows Server versions 2008 and higher. It is also included in client version Windows 7 and higher.
Tip: Run the command prompt as administrator or you may run into issues with the command returning computer settings.
Display All Applied GPOs applied to (User and Computer)
This is the most common usage of the gpresult command, it a quick way to display all group policy objects to a user and computer.
It will display the GPO order, displays details such as last time group policy was applied, which domain controller it run from, which security groups the user and computer is a member of.
From the screenshot of my group policy management console there should be 3 GPOs that get applied to the computer and one to the user. Let’s look at the results of the command to verify that is happening.
I can see under applied group policy objects that all three GPOs are getting applied.
Now let’s check the user GPOs. Yes, I can see the Users – Browser Settings GPO is getting applied.
Display GPOs applied to a specific user
If you don’t want to see both User and Computer GPOs then you can use the scope option to specify user or computer
gpresult /r /scope:user
Display GPOs applied to a specific computer
gpresult /r /scope:computer
Display GPOs applied on a remote computer
gpresult /s pc2 /r
Generate HTML Report
This generates an html report of the applied group policy objects. If you don’t specify a path it will save it to the system32 folder.
gpresult /h c:\reports.html
Export to a text file
You can redirect the output to a text file with the command below. This is helpful if the results are producing lots of information.
gpresult /r >c:\results.txt
Group policy can be a pain, even when best practices are followed group policy can still be challenging. Knowing how to use these built in tools will help you to verify and troubleshoot group policy’s in your environment. Go give it a try and let me know if you have questions.
Recommended Tool: SolarWinds Server & Application Monitor (SAM)
This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.
What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.