Have you ever deployed a Group Policy Object (GPO) to an Active Directory organizational unit (OU) and then wanted to be sure it was applied correctly? If so, you need to be familiar with the gpresult command.
In this tutorial, you’ll learn how to check Group Policy settings on local and remote Windows devices using the gpresult command.
Let’s get going!
Prerequisites
Make sure you have the following items if you want to follow along with the examples in this tutorial:
- A domain in Active Directory. Any version will work. The domain HomeLab.Local will be used in this lesson.
- At least one GPO deployed to a domain-joined Windows PC. You’ll need a second domain-joined PC if you want to learn how to use gpresult remotely. The Win10VM1 and Win10VM2 computers will be used in this tutorial.
- Local administrator privileges on both your local and remote computers.
The GPResult Command: An Overview
GPResult is a Windows command-line utility that creates reports on both user-based and machine-based policies applied to a domain-joined computer.
When an Active Directory administrator assigns a GPO to an OU, the machines or users in that OU must check in to apply the settings. gpresult comes into play once the target PCs have received the GPO.
The Group Policy refresh interval determines how quickly each machine gets and applies those settings.
You can run gpresult on these target machines to verify that the GPOs you expect to be applied are indeed being applied.
Related: Understanding the GPUpdate Command
Getting Assistance with GPResult
Gpresult, like many other command-line programs, includes a built-in help system. This approach makes it simple to locate all of those difficult-to-remember switches.
Simply run gpresult without any switches to see all of the switches available, as shown below. Instead of returning to this article when you’re unsure what a parameter does, remember that the built-in help is available!
Data from the Resultant Set of Policies (RSOP)
With no arguments, gpresult will just provide help information. You must pass it switches in order to retrieve data! To begin, let’s look at the /r switch, which returns the Resultant Set of Policy.
The Resultant Set of Policy (RSOP) add-on for Group Policy enables you to query different parts of the policy. RSOP is an excellent tool for determining the outcome of a computer’s policy.
In logging mode, GPResult provides RSOP data for both users and machines, including details such as user and computer OU paths, domain names, AD group memberships, security settings, and applied GPOs.
Open cmd.exe or PowerShell as administrator to use gpresult to query RSOP data. Use the /r switch to run gpresult, as illustrated below.
gpresult retrieves all of the GPOs applied to the specific computer (COMPUTER SETTINGS), as well as GPOs that target users who log into the computer (USER SETTINGS).
On a non-admin command prompt, gpresult /R will only provide policies that apply to the user who is running the command.
Getting Granular: Finding Detailed Applied Group Policy Information
The RSOP data you obtain through the /r switch will be enough if you just need to know which GPOs are applied to a specific machine or the user(s) on that computer. However, that RSOP data is limited. The last execution time of a logon script, the registry key behind a GPO setting, and other details are not included.
Use the /v or verbose option to get as much information as gpresult can supply, as seen below.
Take a look at all that /v has to offer. That’s a lot of details!
- The GPOs applied to the computer
- Password policies in place on the computer
- Services that have been disabled on the computer
- Logon scripts configured for the user
- The wallpaper set by a GPO user policy
- The full registry key path of the policies
- The GPOs applied to each user
The difference between /r and /v shows up in the detail: /r simply gives you the GPO name, while /v also gives you the logon script file name and the last time the script was run on the PC.
Limiting GPResult to User or Computer-Based Settings
As previously stated, gpresult returns both user and computer-based settings by default. The volume of output might be daunting at times, particularly when handling GPOs with hundreds of settings.
The /scope argument in gpresult enables you to restrict the query to just the settings applied to the machine or to users. When the /scope argument is computer, gpresult returns only the settings that apply to the machine; when it is user, only the settings that apply to users.
Run the command below to view RSOP data for all policies in the computer scope.
gpresult /r /scope computer
How about discovering all policies for all users in verbose mode?
To restrict the scope of either command, use the /scope argument in conjunction with additional switches like /r and /v.
If you use GPResult while running cmd.exe or PowerShell as administrator, it will return Group Policy settings for all users. When you use the /scope user switch, it removes computer-based settings but keeps all other user settings.
Use the /user option followed by the desired username as an argument to restrict settings to a single user who is logged in.
If you attempt to query RSOP data for a user that doesn’t exist, GPResult will return the message The user “<user>” does not have RSOP data.
Exporting GPResult Output
It’s not always enough to just print data to the command-line prompt. You may need to create a report or discuss the findings with others. In that situation, you’ll need to convert the results to a different format.
There are many methods to export GPResult output.
Creating a Text File from the Results
One of the easiest ways to export results to a file is using the command prompt or PowerShell’s output redirection feature. By “piping” the command-line results to a file with the redirection operator > followed by a text file name, the text will contain exactly what you’d see in the console.
The command below will return all RSOP data and produce a file named C:\Temp\RsopReport.txt that contains the whole GPResult command results.
gpresult /R > C:\Temp\RsopReport.txt
Related: Using the PowerShell Out-File Cmdlet to Redirect Output to a File
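Once the report is in a text file, it can be checked against the GPOs you expect. The following is an added example, not part of the original tutorial: it assumes the English-locale layout of gpresult /R (section headings indented 4 spaces, entries 8 or more), and the sample report, its GPO names, and the parse_gpresult and audit functions are constructed for illustration.

```python
# Constructed, abridged English-locale `gpresult /R` output; GPO names are illustrative.
SAMPLE_REPORT = """\
COMPUTER SETTINGS
------------------
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Password Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Disable Services
            Filtering:  Denied (Security)

USER SETTINGS
--------------
    Applied Group Policy Objects
    -----------------------------
        Set Wallpaper
"""

def parse_gpresult(text):
    """Return {scope: {"applied": [names], "filtered": {name: reason}}}."""
    report, scope, section, last = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank lines and dashed underlines carry no data
        indent = len(raw) - len(raw.lstrip())
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            scope, section = line.split()[0].lower(), None
            report[scope] = {"applied": [], "filtered": {}}
        elif scope is None or indent < 8:  # assumed: headings sit at 4 spaces
            section = ("applied" if line == "Applied Group Policy Objects" else
                       "filtered" if line.startswith("The following GPOs were not applied") else None)
        elif section == "applied" and line != "N/A":
            report[scope]["applied"].append(line)
        elif section == "filtered" and line.startswith("Filtering:"):
            report[scope]["filtered"][last] = line.split(":", 1)[1].strip()
        elif section == "filtered" and line != "N/A":
            last = line  # GPO name; its "Filtering:" reason follows on the next line
            report[scope]["filtered"][last] = "unknown"
    return report

def audit(text, scope, expected):
    """Map each expected GPO that is not applied to the reason gpresult gives."""
    found = parse_gpresult(text).get(scope, {"applied": [], "filtered": {}})
    return {gpo: found["filtered"].get(gpo, "not listed in report")
            for gpo in expected if gpo not in found["applied"]}
```

Pass it the contents of the file created by the redirection above; a file written by > in Windows PowerShell is UTF-16, so open it with encoding="utf-16".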
Creating an HTML or XML File from the Results
Beyond the native redirection from a command prompt to a text file, GPResult can write the applied policy information to an HTML or XML file itself. Use the /H switch (for HTML) or the /X switch (for XML) followed by the path to the output file, and GPResult will generate a neatly formatted report.
gpresult /H C:\Temp\RsopData.html
gpresult /X C:\Temp\RsopXMLRreport.xml
GPResult will return an error if the file already exists. The /F option tells GPResult to replace the existing file.
Remotely running GPResult
You’ve been running GPResult locally throughout this tutorial. GPResult may also obtain all of the same Group Policy settings remotely using the /s argument.
For example, you might use the following command to obtain RSOP data for the user user01 who has logged into the remote win10vm1 machine at least once:
gpresult /R /S win10vm1 /user user01
Perhaps you’re working from a PC where you don’t have permission to query Group Policy information on a remote computer. If you don’t supply other credentials, GPResult will fail.
Use the /U (username) and /P (password) arguments to provide alternate credentials, as demonstrated below. If you omit /P, gpresult prompts for the password instead, which keeps it out of the command line.
gpresult /R /S win10vm1 /scope user /U homelab\MyLabAdmin /P password
Conclusion
You should now be able to query applied Group Policy settings on both local and remote systems using the GPResult command. Any Active Directory administrator’s toolkit should have this useful command for discovery and troubleshooting.
What tool will you use the next time you ask, “How do I validate a domain-joined machine has applied the GPO I expect?”