When you are managing a Windows network you are probably using group policies to preset Windows settings and determine what users can and can't do. To verify whether the settings are applied to the clients we can use the GPResult tool, but how exactly does it work?
Testing new policies is always a bit challenging: you try to pull the new policies to the client with GPUpdate, maybe even a reboot, but how do you know if the policies are applied? And which policies are even applied to the user or computer?
In this article, we are going to take a look at the GPResult command and how we can use it to verify policy settings.
Using GPResult Command
The gpresult command displays the Resultant Set of Policies (RSoP) for a user and/or computer. Policies can overrule each other: a setting applied to all users can be canceled out by a specific policy that is assigned to a small group of users. So the RSoP will show you the actual assigned policy settings.
Note
Good to know is that when you run the command in a user context, it will show only the policies of the logged-on user. To view the computer policies you will need to use an elevated terminal or log in as an Administrator, but more about that later.
So we are going to start with the basics, reviewing the applied user policies. When you are logged in as the user you can run the following command in PowerShell or Windows Terminal to view applied GPOs:
GPResult /r
The result will be output in the console, and there are a few things important to note here:
- The distinguished name of the user, which also tells you the OU the user is in
- The last time the policies were updated and from which domain controller
- Applied group policy objects; these policies are effective
- Filtered out policies
Policies are automatically renewed every 90 minutes, but you can force an update with the GPUpdate command. When you want to check if a policy is applied, make sure that you check the last time the policies were applied, and from which server they were pulled. When you have multiple domain controllers it's possible that your latest group policy changes haven't been synced yet to the other server.
Empty and disabled policies are filtered out. You can recognize disabled policies in the Group Policy Management by the lighter gray icon.
GPResult Computer
When you run the gpresult command as a domain user, you may have noticed that the computer policies are not displayed. This is because the user doesn't have permission to access the computer policies. So to view the computer scope we will need to use an elevated prompt.
- Right-click on Start or press Windows key + X
- Choose Windows Terminal (Admin) or PowerShell (Admin)
If you now run the command gpresult /r you will first get the computer settings (you might need to scroll up a bit) followed by the user settings. Note that the user settings are from the administrator account, not the logged-on user!
RSOP data for LAZYADMIN\Administrator on LA-WIN11-LAB03 : Logging Mode
-----------------------------------------------------------------------
OS Configuration:            Member Workstation
OS Version:                  10.0.22000
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\administrator
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=LA-WIN11-LAB03,OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl
    Last time Group Policy was applied: 9/15/2022 at 12:47:29 PM
    Group Policy was applied from:      LazySrvLab02.lazyadmin.nl
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        LAZYADMIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        CPO_Win11_Settings
        CPO_Bitlocker_Settings
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        LA-WIN11-LAB03$
        Domain Computers
        Authentication authority asserted identity
        System Mandatory Level

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=lazyadmin,DC=nl  ### USER IS ADMINISTRATOR!
    Last time Group Policy was applied: 9/15/2022 at 9:53:05 AM
    Group Policy was applied from:      LazySrvLab02.lazyadmin.nl
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        LAZYADMIN
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
For the computer settings, we see the same structure as with the user settings: when the policy was last applied, which policies are effective and which ones are filtered out.
Now, to be honest, this isn't the most ideal combination. You are running two queries and need to combine the results yourself. What you want is the computer settings together with the user settings in one overview.
Specify the User for GPResult
The GPResult command allows us to specify the user that we want to query the policy for. This option, in combination with an elevated prompt, allows us to get both the user and computer settings in one overview.
To specify the user we are going to use the /USER parameter. The specified user must have logged on at least once to the computer before you can gather the RSoP data.
# Gather the RSoP data for the user Zoe Tucker
gpresult /USER ztucker /R
As you can see in the screenshot above we have the computer settings first, and the user settings below.
If you only want to view the computer settings of the user you can also specify the scope. The scope can either be USER or COMPUTER:
gpresult /USER ztucker /SCOPE COMPUTER /R
# Or limit to user scope:
gpresult /USER ztucker /SCOPE USER /R
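The checks described so far (which GPOs are applied, when, and from which domain controller) can be scripted. This is an added example, not part of the original article: it parses English-language gpresult /R text and reports required GPOs that are missing. The function name Get-AppliedGpo and the $required list are hypothetical, and $sample is constructed from the output shown earlier on this page.

```powershell
# Added example: parse English `gpresult /R` text and check required GPOs.
# $sample is constructed from this page's output; on a real host (elevated) use:
#   $lines = gpresult /SCOPE COMPUTER /R
$sample = @'
COMPUTER SETTINGS
------------------
    CN=LA-WIN11-LAB03,OU=Computers,OU=Amsterdam,OU=Sites,DC=lazyadmin,DC=nl
    Last time Group Policy was applied: 9/15/2022 at 12:47:29 PM
    Group Policy was applied from:      LazySrvLab02.lazyadmin.nl

    Applied Group Policy Objects
    -----------------------------
        CPO_Win11_Settings
        CPO_Bitlocker_Settings
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
'@

function Get-AppliedGpo {
    param([string[]]$Lines)
    $result = [ordered]@{ LastApplied = $null; Source = $null; Applied = @() }
    $inApplied = $false
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^Last time Group Policy was applied:\s*(.+)$') { $result.LastApplied = $Matches[1] }
        elseif ($text -match '^Group Policy was applied from:\s*(.+)$') { $result.Source = $Matches[1] }
        elseif ($text -eq 'Applied Group Policy Objects') { $inApplied = $true }
        elseif ($inApplied -and $text -match '^-+$') { continue }        # underline below the heading
        elseif ($inApplied -and $text -eq '') { $inApplied = $false }    # blank line ends the list
        elseif ($inApplied) { $result.Applied += $text }                 # one GPO name per line
    }
    [pscustomobject]$result
}

$required = 'CPO_Bitlocker_Settings', 'CPO_Win11_Settings'   # hypothetical baseline list
$rsop     = Get-AppliedGpo -Lines ($sample -split '\r?\n')
$missing  = $required | Where-Object { $_ -notin $rsop.Applied }

"Applied from $($rsop.Source) at $($rsop.LastApplied)"
if ($missing) { "MISSING: $($missing -join ', ')" } else { 'All required GPOs are applied' }
```

Limit the input to one scope with /SCOPE, otherwise the computer and user lists are merged into one result and the later section overwrites the timestamp and source server.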
Get GPResult of Remote Computer
To get the policy result of a user you don't need access to the computer, because we can also get the applied policies from a remote computer with the /S parameter. For example, to get the applied policies from the computer LA-WIN11-LAB03 for the user Zoe Tucker we can use the following command:
Note
We are using the parameter /user and not /u. The latter is used when you want to run the command in another user's context, for example as admin. With /user we can specify the user from which we want to retrieve the RSoP data.
gpresult /S LA-WIN11-LAB03 /user ztucker /R
View More Information
Until now we have only seen when the last group policy was applied, and which group policy objects were applied. But sometimes you need more information, for example, which exact settings are made in the policies. For this, we can use the /V or /Z parameter.
With the /V parameter we get the verbose information, which provides additional details about the policy. /Z is the super-verbose parameter, which will also show settings that are made in multiple places.
gpresult /v
The results of the verbose parameters are not always as readable as you want. For example, the default domain policy contains the password age settings. With the verbose option, we can clearly see how it's configured.
But if we take a look at the UPO_IT policy, we can see which settings are configured, but not the actual settings. So the verbose parameters do give us more information, but I recommend using them in combination with the export to HTML option.
Export GPResult to HTML
So to make the gpresult data more readable we can export the result to an HTML file. The HTML file is formatted the same as the Settings tab in the Group Policy Management Console. When you export to HTML you don't need to specify /R or one of the verbose parameters /Z or /V. It will generate a detailed HTML for you with all the verbose information you need. You do need to specify the path and file name:
gpresult /USER ztucker /H c:\temp\gpresult-ztucker.html
If the filename already exists you might get an error. To overwrite the file you can use the /f parameter to force overwriting of the existing file.
Wrapping Up
The gpresult tool is a great way to verify which group policy objects are applied to the computer and user. Use the export HTML option to easily compare the applied policies with the assigned policies in the Group Policy Management Console.
You can also generate the group policy results in the Group Policy Management Console on the server; make sure you check that option out as well.
If you have any questions, just drop a comment below!