How to Verify Applied GPOs with the GPResult Tool

choubertsprojects

VPN offers!

1. NordVPN

2. Surfshark

3. ExpressVPN

The GPResult tool is a Microsoft Exchange Server Management Pack that allows users to verify GPOs are applied across the organization. It works in conjunction with other management packs such as AD, SharePoint, and more. The guide will walk you through how to configure GPResult and show examples of what it can do in action

The “how to check group policy applied command line” is a tool that allows you to verify the applied GPOs with the GPResult Tool.

How to Verify Applied GPOs with the GPResult Tool

Have you ever deployed a Group Policy Object (GPO) to an Active Directory organizational unit (OU) and then wanted to be sure it was implemented correctly? If this is the case, you must be familiar with the gpresult command.

Do you have any passwords in your Active Directory that have been compromised? Use Specops Password Auditor Free to find out.

In this video, you’ll learn how to check Group Policy settings on local and remote Windows devices using the gpresult command.

Let’s get going!

Prerequisites

Make sure you have the following items if you want to follow along with the examples in this tutorial:

  • A domain in Active Directory. Any version will work. The domain HomeLab.Local will be used in this lesson.
  • At least one GPO has been deployed to a domain-joined Windows PC. You’ll need a second domain-joined PC if you want to learn how to use gpresult remotely. The Win10VM1 and Win10VM2 computers will be used in this tutorial.
  • Local administrator privileges on both your local and distant computers.

The GPResult Command: An Overview

GPResult is a Windows command-line utility that creates reports on both user-based and machine-based policies implemented to a domain-joined computer.

When a GPO is assigned to an OU by an Active Directory administrator, the machines or users in that OU must check in to apply the settings. gpresult is used when the GPO is received by the target PCs.

The Group Policy refresh interval determines how quickly each machine gets and implements those settings.

You may use the gpresult program to execute a command on these target machines to verify that the GPOs you assume should be implemented are indeed being applied.

Understanding the GPUpdate Command is related.

Getting Assistance with GPResult

Gpresult, like many other command-line programs, includes a built-in help system. This approach makes it simple to locate all of those difficult-to-remember switches.

Simply run gpresult without any switches to see all of the switches available, as shown below. Instead of returning to this article when you’re unsure what a parameter does, remember that the built-in help is available!

gpresult command help informationgpresult command help information

Data from the Resultant Set of Policies (RSOP)

With no arguments, gpresult will just provide help information. You must it in order to retrieve data! To begin, let’s look at how the /r switch, or the ensuing collection of policies, works.

The Resultant Set of Policy (RSOP) add-on for Group Policy enables you to query different parts of the policy. RSOP is an excellent tool for determining the outcome of a computer’s policy.

In logging mode, GPResult provides RSOP data for both users and machines, including policy settings like as user and computer OU paths, domain names, AD group memberships, security settings, and applied GPOs.

Open cmd.exe or PowerShell as administrator to use gpresult to query RSOP data. Use the /r switch to run gpresult, as illustrated below.

You can see below that gpresult retrieves all of the GPOs that the specific computer (Machine SETTINGS) has, as well as GPOs that target all users that will log into the computer (USER SETTINGS).

On a non-admin command prompt, gpresult /R will only provide policies that apply to the user who is doing the command.

The output of the Gpresult /R command is shown.The output of the Gpresult /R command is shown.

Finding Detailed Applied Group Policy Information Getting Granular

The RSOP data you obtain through the /r switch will enough if you just need to know what GPOs are applied to a specific machine or user(s) on that computer. However, RSOP data is limited. The last execution time of a logon script, the registry key in which the GPO is formed, and other details are not available in RSOP data.

Use the /v or verbose option to get as much information as gpresult can supply, as seen below.

Take a look at all that /v has to offer. That’s a lot of details!

Checking the GPOs on the PCChecking the GPOs on the PC

On the computer, there are password regulations in place.On the computer, there are password regulations in place.

On the computer, services have been deactivated.On the computer, services have been deactivated.

Configuring Logon Scripts for the UserConfiguring Logon Scripts for the User

GPO user policy sets the wallpaper.GPO user policy sets the wallpaper.

The policies' whole registry key pathThe policies’ whole registry key path

Verifying GPOs for each userVerifying GPOs for each user

Below are the distinctions between /r and /v. You’ll see that /r simply gives you the GPO name, while /v gives you the logon script file name and the last time the script was run on the PC.

/r and /v differences/r and /v differences

GPresult is limited to user or computed-based settings.

As previously stated, gpresult returns both user and computer-based settings by default. The volume of output might be daunting at times, particularly when handling GPOs with hundreds of settings.

The /scope argument in gpresult enables you to restrict the scope of the query to just check for settings applied to the machine or user. gpresult will only provide settings that apply to all users or the machine if the /scope parameter argument is either computer or user.

Run the command below to view RSOP data for all policies in the computer scope.

Gpresult /R /Computer Scope

How about discovering all policies for all users in verbose mode?

To restrict the scope of either command, use the /scope argument in conjunction with additional switches like /r and /v.

If you use GPResult while running cmd.exe or PowerShell as administrator, it will return Group Policy settings for all users. When you use the /scope user switch, it removes computer-based settings but keeps all other user settings.

Use the /user option followed by the desired username as an argument to restrict settings to a single user logged in at the same time.

If you attempt to query RSOP data for a user that doesn’t exist, GPResult will return the message The user “<user>” does not have RSOP data.

GPresult Output Export

It’s not always enough to just deliver data to the command-line prompt. You may need to create a report or discuss the findings with others. In such situation, you’ll need to convert the results to a different format.

There are many methods to export GPResult output.

Creating a Text File from the Results

One of the easiest ways to export results to a file is using the command prompt or PowerShell’s output redirection feature. By “piping” the command-line results to a file with the redirection operator > followed by a text file name, the text will contain exactly what you’d see in the console.

The command below will return all RSOP data and produce a file named C:TempRsopReport.txt that contains the whole GPResult command results.

Gpresult /R > c:TempRsopReport.txt

Related:Using the PowerShell Out-File Cmdlet to Redirect Output to a File

Creating an HTML or XML File from the Results

You can produce and store the applicable policy information to an HTML or XML file, unlike the native redirection from a command prompt to a text file. GPResult will generate a neatly formatted HTML file with output using the /H switch (for HTML) or the /X switch (for XML) followed by the path to the required HTML file.

/H c:TempRsopData.html Gpresult /X c:TempRsopXMLRreport.xml Gpresult

GPResult will return an error if the file already exists. The /F option tells GPResult to replace the existing file.

Remotely running GPResult

You’ve been running GPResult locally throughout this tutorial. GPResult may also obtain all of the same Group Policy settings remotely using the /s argument.

For example, you might use the following command to obtain RSOP data for the user user01 who has logged into the delete win10vm1 machine at least once:

user01 /user gpresult /R /S win10vm1

Finding RSOP informationFinding RSOP information

Perhaps you’re using a PC that doesn’t have the permissions to query Group Policy information on a distant computer. If you don’t supply other credentials, GPResult will fail.

Use the /U (username) and /P (password) arguments to provide substitute credentials, as demonstrated below.

gpresult /R /S win10vm1 /scope user /U homelabMyLabAdmin /P password gpresult /R /S win10vm1 /scope

Alternate credentials are specified.Alternate credentials are specified.

Do you have any passwords in your Active Directory that have been compromised? Use Specops Password Auditor Free to find out.

Conclusion

You should now be able to query implemented Group Policy settings on both local and distant systems using the GPResult command. Any Active Directory administrator’s toolkit should have this useful command for discovery and troubleshooting.

What tool will you use the next time you question, “How do I validate a domain-joined machine has implemented the GPO I expect?”

The “how to check the group policy applied on a remote computer powershell” is a question that has been asked before. The GPResult tool can be used to verify whether or not the GPO was applied successfully.

Related Tags

  • gpresult scope user
  • gpresult /user example
  • gpresult command
  • gpresult command examples
  • gpresult scope:computer