GPResult

If gpupdate is used to update Group Policy settings, then gpresult must be used to show us some kind of results from Group Policy updates, right? Absolutely. GPResult is another client-side command-line tool that can be used to show you some details about which GPOs have been applied or not applied to a particular workstation.

When I talk about workstations, what I really mean here is any device within your domain that can receive Group Policy settings. This includes both Windows 7/8/10/and so on workstations, as well as Windows Server operating systems. gpupdate and gpresult are just as useful on both client and server operating systems.

Switches also exist for GPResult, which are quite common to use because oftentimes when you are reviewing GPResult data, you are trying to home in on some particular GPO or piece of information, and the switches can be most helpful for narrowing down the scope of displayed info:

  • gpresult /R: The R is short for Resultant Set of Policy (RSoP). This switch will show you the results of the policy settings that have applied to this machine. Without using the /R switch, the gpresult command doesn't tell you much of anything other than how to learn how to run the gpresult command. You almost always use /R when working with gpresult.
  • gpresult /Scope <User or Computer>: This helps to narrow down the results to display for you either information from the User side of Group Policy, or results only from the Computer settings. When trying to narrow down a search to ensure a particular GPO is being successfully applied to a workstation, it is quite common to use this switch so that you have less data to sift through.
  • gpresult /X or /H: Both of these switches perform similar tasks, but with different results. Using /X will save your gpresult report to an XML file, whereas /H will save as an HTML document.
  • gpresult /S: Use /S to specify a remote computer name. This allows you to check Group Policy results remotely, without having to log in to that computer.
  • gpresult /U: Specifies a user context for running the gpresult command. If you are logged in as a standard user and have a non-privileged Command Prompt open, you will probably have to specify an administrative user account with your command in order to get any useful data.
  • gpresult /P: Use this switch to specify the password that goes along with the user account that you specified in /U.

There are other switches that can be used with gpresult but are less common. For a full report, type in gpresult /? to review the whole set. Also keep in mind that many of these switches can be used in combination to further modify your results. We will see an example of this below. I am going to use gpresult /R /Scope:Computer in order to show the RSoP (the list of policies that have been applied) for only the computer-based policy settings. This report does not, therefore, list any policies that apply at the user level:

One of the particularly cool things about this result is that it shows you not only the GPOs that have been applied successfully to your machine, but also points out the GPOs that have been specifically filtered out, and are therefore not applying. This will become very helpful in later, advanced troubleshooting scenarios where you are tracking down whether or not a GPO is working.