How to Verify Applied GPOs with the GPResult Tool

Published:27 May 2021 - 5 min. read

Azure Cloud Labs: these FREE, on‑demand Azure Cloud Labs will get you into a real‑world environment and account, walking you through step‑by‑step how to best protect, secure, and recover Azure data.

Have you ever applied a Group Policy Object (GPO) to an Active Directory organizational unit (OU) and wanted to verify whether or not they are applied? If so, you need to understand the gpresult command.

Scan Your AD for 930+ Million Compromised Passwords. Download Specops Password Auditor, a FREE read only tool that identifies password-related vulnerabilities.

In this tutorial, you will learn how to use the gpresult command to verify Group Policy settings on local and remote Windows machines.

Let’s get started!

Prerequisites

If you’d like to follow along with the examples in this tutorial, be sure you have the following:

  • An Active Directory domain. Any version will work. This tutorial will be using a domain called HomeLab.Local.
  • A domain-joined Windows PC with at least one GPO applied to it. If you’d like to learn how to invoke gpresult remotely, you’ll need a second domain-joined PC. This tutorial will use two Windows 10 computers called Win10VM1 and Win10VM2.
  • Local administrator rights on your local PC and remote PC.

Understanding the GPResult Command

GPResult is a command-line tool built into Windows that generates reports on policies applied to a domain-joined computer for both user-based and computer-based policies.

When an Active Directory admin assigns a GPO to an OU, the computers or users in that OU then check in to apply those settings. When the target computers receive the GPO is where gpresult comes in.

The time that each computer actually receives and applies those settings depends on the Group Policy refresh interval.

The gpresult utility allows you to run a command on these target computers to confirm the GPOs you think should be applied actually are.

Getting Help with GPResult

Like many other command-line utilities, gpresult has a simple built-in help system. This help system lets you easily find all of those hard-to-remember switches.

You can find all of the switches gpresult provides by simply running gpresult with no switches as shown below. Rather than coming back to this post when you’re wondering what a parameter does, remember the built-in help exists!

Help information for gpresult command
Help information for gpresult command

Retrieving Resultant Set of Policy (RSOP) Data

Running gpresult with no parameters will only show help information. You need it to retrieve some information! To start out, let’s first cover how the /r switch or resultant set of policy works.

Resultant Set of Policy (RSOP) is a Group Policy add-on that allows you to query various aspects of Group Policy. RSOP is a great way to discover the result of the policy assigned to a computer.

GPResult displays RSOP data in logging mode which includes policy settings like user and computer OU path, domain name, AD group memberships, security settings, and applied GPOs for both users and computers.

To use gpresult to query RSOP data, open cmd.exe or PowerShell as administrator. invoke gpresult with the /r switch as shown below.

Gpresult /R

You can see below that, among other things, gpresult returns all of the GPOs that the particular computer (COMPUTER SETTINGS) and GPOs targeting all users that will log onto the computer (USER SETTINGS).

You can run gpresult /R on a non-admin command prompt but it will only show policies applied to the user who is running the command.

Displaying output for Gpresult /R command
Displaying output for Gpresult /R command

Getting Granular: Finding Detailed Applied Group Policy Info

If you simply need to discover what GPOs are applied to a particular computer or user(s) on that computer, the RSOP data you get from the /r switch will work. But RSOP data only goes so far. RSOP data does not provide information such as the last execution time of a logon script, the registry key the GPO is created in, and more.

To discover as much information as gpresult can provide, use the /v or verbose switch as shown below.

Gpresult /V

Check out just all of the information that /v provides. That’s a lot of information!

Verifying GPOs applied on the computer
Verifying GPOs applied on the computer
Password policies applied on the computer
Password policies applied on the computer
Services disabled on the computer
Services disabled on the computer
Verifying Logon Scripts configured for user
Verifying Logon Scripts configured for user
Wallpaper set via user policy in GPO
Wallpaper set via user policy in GPO
Full registry key path for the policies
Full registry key path for the policies
Verifying GPOs applied for user
Verifying GPOs applied for user

Check out the differences in /r and /v below. You’ll see that /r only provides the GPO name while /v provides the logon script file name and last time the script executed on the computer.

Differences in /r and /v
Differences in /r and /v

Limiting GPresult to User or Computed-Based Settings

As mentioned, gpresult, by default, returns both user and computer-based settings. Sometimes, especially when managing GPOs with hundreds of settings, the amount of output may get overwhelming.

If you need to only look for settings applied to the computer or user, gpresult allows you to limit the scope of the query using the /scope parameter. By specifying either computer or user as the /scope parameter argument, gpresult will only return settings applied to all users or the computer.

To see RSOP data for all policies in the computer scope, run the below command.

Gpresult /R /Scope computer

How about finding all policies in verbose mode for all users only?

Gpresult /V /Scope user

The /scope parameter can be used in addition to other switches like /r and /v to limit the scope of either command.

If you’re running cmd.exe or PowerShell as administrator and invoke GPResult, it will return Group Policy settings for all users. If you use the /scope user switch, it will remove computer-based settings but will still return settings for all users.

If you need to limit settings to a single user logged on at the same time, use the /user parameter followed by the desired username as an argument.

Gpresult /R /user user01

If you attempt to query RSOP data for a user that doesn’t exist, GPResult will return the message The user "<user>" does not have RSOP data.

Exporting GPresult Output

Sometimes just returning information to the command-line console isn’t enough. Perhaps you need to build a report or share the results with someone else. In that case, you need to export results to some other format.

You can export GPResult output in a few different ways.

Exporting Results to a Text File

One of the easiest ways to export results to a file is using the command prompt or PowerShell’s output redirection feature. By “piping” the command-line results to a file with the redirection operator > followed by a text file name, the text will contain exactly what you’d see in the console.

The below command would return all RSOP data and create a file called C:\Temp\RsopReport.txt containing the entire results of the GPResult command.

Gpresult /R > c:\Temp\RsopReport.txt

Exporting Results to an HTML or XML File

Unlike the native redirection from a command prompt to a text file, you can also generate and save the applied policy information to an HTML or XML file. Using the /H switch (for HTML) or the /X switch (for XML) followed by the path to the requested HTML file, GPResult will create a nicely-formatted HTML file with output.

Gpresult /H c:\Temp\RsopData.html
Gpresult /X c:\Temp\RsopXMLRreport.xml

If the file already exists, GPResult will return an error. Force GPResult to overwrite the existing file by using the /F switch.

Running GPResult Remotely

Throughout this tutorial, you’ve been running GPResult locally. Using the /s parameter, GPResult can also run retrieve all of the same Group Policy settings remotely too.

For example, to find RSOP data for the user user01 that has logged onto the remove win10vm1 computer at least once, you’d run the following:

gpresult /R /S win10vm1 /user user01
Finding RSOP data
Finding RSOP data

Maybe you’re logged into a computer that doesn’t have rights to query Group Policy information on a remote computer. In that case, GPResult will fail unless you specify alternate credentials.

Specify alternate credentials by using the /U (username) and /P (password) parameters as shown below.

gpresult /R /S win10vm1 /scope user /U homelab\MyLabAdmin /P password
Specify alternate credentials
Specify alternate credentials

Are compromised passwords lurking in your Active Directory? Download Specops Password Auditor and scan for password vulnerabilities for FREE!

Conclusion

You should now know how to use the GPResult command to query applied Group Policy settings on both local and remote computers. This handy command is a great discovery and troubleshooting tool in any Active Directory admin’s arsenal.

The next time you find yourself wondering, “How do I confirm a domain-joined computer has applied the GPO I expect?”, what tool will you use?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!