From Windows 2000 through Vista, the go to tool for troubleshooting Group Policy on the client was RSOP.msc. The GPResult command was always, at least for me, a second choice in troubleshooting. Yes, GPResult had unique features and was certainly useful at times. But the similar interfaces between RSOP.MSC and the Group Policy Management Editor made troubleshooting so much easier.
The times had to change. With the complete rebuild of the GPResult command, administrators need to learn a whole new set of commands and actions.
A Little History of GPResult
Beginning with Windows Vista SP1, Microsoft made the GPResult command the primary tool for troubleshooting Group Policy on a client.
This was done for a few reasons, including:
- The ability to log a greater number of client side extensions (CSEs) such as Group Policy Preferences. As you will notice, the two pictures above only show Administrative templates and Security settings.
- The ability to use a graphical view or a command line view with a single tool.
- To provide a standard open format for searching, scripting, etc.
- Easier remote usage
Clarifying Some Terms
Before we dive further down the GPResult rabbit hole, we need to clear up the usage of RSOP. Technically, RSOP stands for Resultant Set Of Policy. So when asked, “what’s the RSOP of that machine?” – you are being asked for the final application of Group Policy. You are not being asked to run the RSOP.MSC tool.
To keep things simple, I prefer to ask my co-workers, “what’s the GPResult?” This eliminates confusion between the two tools. If interested, grab these free Group Policy notes and check out the GPResult section. There is a good bit of explanation on why Microsoft changed this tool.
Using the GPResult Command
With GPResult, you have two main ways of operating – Command Line or Graphical. Most of the time, I stick with the Graphical view because 99% of the time the Graphical view has everything I need.
To get the graphical view of GPResult, run this command: GPResult /h Report.htm /f . The /h generates a file name in a HTML format. The /f overwrites an existing file (Report.htm) if it exists. To run GPResult in the command line, I normally run GPResult /r /z. This generates a super-verbose report that contains the RSOP summary data.
Most of the time, I will run a GPResult with the /h switch. The picture below shows why (and how much easier it makes troubleshooting common issues):
Running Remotely
While you can use the /S parameter in GPResult to specify a remote machine, I prefer using the Group Policy Results Wizard in the Group Policy Management Console (GPMC). This can be found at the very bottom of GPMC.
By proceeding through the wizard, you can select remote computers and remote users. When finished, you will see the entire Group Policy Result for both the computer and the user. You will also be able to see:
- OU location for both Computer and User
- Group Memberships
- Length and status of processing time for each CSE (ex: Folder Redirection – Success- 1.2 seconds)
- Links to the Group Policy event log
- Detailed information for all policies and preferences.
One Last (maybe) Better Way
I spend a lot of my day inside of Active Directory Users and Computers (ADUC). I also hate switching windows just to grab a tool. Because of this, I add most scripts/tools that I use into a custom ADUC MMC. One script that I’ve added is a GPResult script.
set-location "PATH TO SCRIPT" $computer= Read-Host "What is the computer name?" $User= Get-WmiObject Win32_Computersystem -ComputerName $computer | Select-Object Username $Username=$User.Username if ($Username -eq $null) { Get-WmiObject Win32_NetworkLoginProfile -ComputerName $computer | Select-Object Caption $InputUser=Read-Host "What user would you like to use?" } if ($Username -eq $null) { gpresult.exe /s $Computer /user $InputUser /h Report.htm /f } else { gpresult.exe /s "$Computer" /user "$Username" /h Report.htm /f } start report.htm
This script prompts you for a computer name and then looks up the current logged in user on the remote machine. If no logged in user is found, it looks up previous logged in users and prompts you for a user to use. It will then generate a GPResult and launch the report automatically! This script saves me a ton of time.
All cleared up on GPResult vs RSOP? If not (or if you have any questions at all), let me know in the comments! If you haven’t, check out this guide to understanding GPUpdate and GPUpdate /force.
Not sure the problem here.. I’m running powershell as administrator but get Access Denied.. Guessing when it tries to write the file to the C:\Scripts directory (which I can create files in manually).. Any ideas?
PS C:\Scripts> .\GPRESULT.ps1
What is the computer name?: PC1
ERROR: Access Denied.
start : This command cannot be run due to the error: The system cannot find the file specified.
At C:\Scripts\GPRESULT.ps1:21 char:1
+ start report.htm
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
The Group Policy Results Wizard brings a great deal of much-appreciated transparency to the inner workings of group policy in an enterprise environment.
Great article!
I’m receiving access denied when running remotely. The server is 2012 R2, no firewalls are on, the account is local admin, and I also receive access denied when using RSOP via MMC and even when I try to run get-gpresultantsetofpolicy. The WMI service is also running. What are the requirements to be able to run any of the commands?
Thanks
GPResult works out of box without any configuration…
When I try and run your script against a Windows 7 machine it spits out this:
gpresult.exe : ERROR: Invalid pointer
At C:\scripts\GPOreport2.ps1:17 char:1
+ gpresult.exe /s “$Computer” /user “$Username” /h Report.htm /f
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: Invalid pointer:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
ERROR:
Invalid pointer
Can you run the gpresult command manually? Remove $computer and $user and specify the actual values as a test.
I get the same result.
If I run gpresult /h report.htm
I still get the same error.
I think it might have something to do with the Windows 7 OS, but I’m not 100% sure.
It works on Windows 8 & 10 though.
Also, when I try to perform the GPO result in the GPMC in Active Directory I get an error too.
That error says that the object is not set to an instance of an object.
So, they might be related errors.
You are probably right that it is a Windows 7 issue. Time to update. 🙂
Hi Im new to scripting but the script above looks like just what I need. I do not have a clue how to get this to run properly on my machine. Im sure this is a complete pain for you but if you could walk me through this I would be extremely grateful.
Hey Paul – go through this guide: https://www.simple-talk.com/sysadmin/powershell/getting-better-mileage-by-extending-active-directory-users-and-computers/
Here is some additional information that might be helpful: http://blog.thesysadmins.co.uk/group-policy-gpresult-examples.html
Good site tom! Let me know if you ever want to write a guest post!
Thanks Joseph, right back at you!
Would you know how to use gpresult to get the changes made to the local non-administrators policy? I can’t seem to get gpresult to give me anything other than what’s being applied at the domain level. I’m creating a Windows 7 kiosk and I’d like what changes I’ve made documented for future reference.
I don’t offhand and searched a bit. If you find out how, let me know. I am interested!
Hi,
I am trying to find a coomand to get RSoP only for a part of GPO for example “User Rights Assignment”. Have you got an idea?
Are you needing to see the user rights assignment for a particular GPO that is applied to a computer or for all GPOs in your domain?
…for all GPOs in domain.
This script here (http://activedirectory.ncsu.edu/advanced-topics/scripting-center/gpo-setting-search-powershell-example/) will let you search all GPOs in your domain for specific settings.