Group Policy GPResult Examples

JUNE 4, 2014 / TOM@THESYSADMINS.CO.UK / 9 COMMENTS

GPResult is a command-line utility for determining the resultant set of policy for a given
user and/or computer. In other words, it shows you what Group Policy Objects have been
applied and their settings. This is typically one of the rst tools I go to when troubleshooting
Group Policy from a client once basic connectivity has been con rmed (e.g. Network/DNS).
The tool itself is very simple to use and I will run through some common examples below.

List GPOs Applied with Summary Data

1 Gpresult/r

/r Displays RSOP summary data

This is pretty useful when you simply want to see what GPOs have applied and in what
order. It will also display summary data, such as last time group policy was applied, which
Domain Controller it was applied from, the site, security groups and if the slow link
threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way
of checking.

Here we see that 4 GPOs have applied to the Computer settings portion.
If you dont want to view both Computer and Users settings in the output you can request
one or the other with the /scope ag.

1 gpresult/r/scope:user

1 gpresult/r/scope:computer

The output reads fairly well from within the command prompt, but if you need to export the
output you could use either of the following.

Gpresult/r>gpresult.txt Export output to a text le

Gpresult/r|clip Export output to Windows clipboard

I cant see the Computer Settings?

If UAC is enabled, running GPResult without elevating the command prompt will only show
you the user settings. If you want to see both user and computer settings, elevate the
command prompt by either tapping the winkey+cmd then ctrl+shift+enter or right click on
the command prompt and select run as administrator. If you elevate with an admin account
different to the currently logged in user (common if the user does not have administrator
rights), then you will receive an error message stating INFO: The user domain\user does
not have RSOP data. This is because GPResult is using the elevated users context. To work
around this, specify the standard user that you are troubleshooting.

1 gpresult/r/user:sa\edward.thomas
Generate HTML Report

1 Gpresult/hreport.html/f

1 Gpresult/hreport.html/user:sa\edward.thomas/f

/h Saves the report in HTML format

/f Forces GPresult to overwrite the le name speci ed with /h
/user Speci es the user name for which the RSOP data is to be displayed

To get a more graphical view of whats going on, you can generate a HTML report. This gives
a detailed break down of each setting and the GPO from which it came. This view is
particularly nice as you can show all and use ctrl+f to nd a particular policy or setting.

Run GPResult on Remote Computer

1 Gpresult/sserver1/r

/s Speci es the remote system to connect to

This allows you to run GPResult on a remote system, all of the above applies.
The following GPOs were not applied because they were ltered out

You may see this for a few reasons. The rst that the policy is empty in which case youll see
Filtering: Not Applied (Empty), this is fairly self explanatory. The second is Filtering: Denied
(Security), which typically boils down to the Apply Group Policy permission on the GPO.
You may also see Filtering: Denied (Unknown Reason) which is similar to (Security) in that
the Read permissions has been denied.

To review the last two examples, launch the GPMC (Group Policy Management Console).
Find the offending GPO, and select Delegation- from there you may see an additional group
or a single user or machine that has been added.
Click on advanced and review the permissions against the object. In this case you can see
that the Seven computer object has been denied Apply Group Policy resulting in the
Filtering: Denied (Security) message.

If in doubt, select Advanced -> Effective Access and enter the required computer or user
object. If you scroll down to around halfway youll see the Apply Group Policy permission
with either a green tick of a red cross against it. If deny read has been granted every
permission will have a red cross next to it.
I hope this gives you the basics behind GPResult and some good real world example to aid in
your Group Policy troubleshooting.

Group Policy

GROUP POLICY

PREVIOUS POST NEXT POST

Get Default Gateway from List of Remote Remote Desktop iOS 8.1.0 Error
Servers 0x03000008

9 Comments

Andy K
JANUARY 8, 2016 AT 4:32 PM

Thank you so much! This is very bene cial for diagnosing policies applied to a machine
and I learned something new about the security context they run in!

REPLY

Stephen
MARCH 31, 2016 AT 4:44 PM

Very useful, Thank you very much

REPLY

AAW
MAY 5, 2016 AT 1:25 PM