Have you ever applied a Group Policy Object (GPO) to an Active Directory organizational unit (OU) and wanted to verify whether or not they are applied? If so, you need to understand the gpresult
command.
Scan Your AD for 930+ Million Compromised Passwords. Download Specops Password Auditor, a FREE read only tool that identifies password-related vulnerabilities.
In this tutorial, you will learn how to use the gpresult
command to verify Group Policy settings on local and remote Windows machines.
Let’s get started!
Prerequisites
If you’d like to follow along with the examples in this tutorial, be sure you have the following:
- An Active Directory domain. Any version will work. This tutorial will be using a domain called HomeLab.Local.
- A domain-joined Windows PC with at least one GPO applied to it. If you’d like to learn how to invoke
gpresult
remotely, you’ll need a second domain-joined PC. This tutorial will use two Windows 10 computers called Win10VM1 and Win10VM2. - Local administrator rights on your local PC and remote PC.
Understanding the GPResult Command
GPResult is a command-line tool built into Windows that generates reports on policies applied to a domain-joined computer for both user-based and computer-based policies.
When an Active Directory admin assigns a GPO to an OU, the computers or users in that OU then check in to apply those settings. When the target computers receive the GPO is where gpresult
comes in.
The time that each computer actually receives and applies those settings depends on the Group Policy refresh interval.
The gpresult
utility allows you to run a command on these target computers to confirm the GPOs you think should be applied actually are.
Getting Help with GPResult
Like many other command-line utilities, gpresult
has a simple built-in help system. This help system lets you easily find all of those hard-to-remember switches.
You can find all of the switches gpresult
provides by simply running gpresult
with no switches as shown below. Rather than coming back to this post when you’re wondering what a parameter does, remember the built-in help exists!
Retrieving Resultant Set of Policy (RSOP) Data
Running gpresult
with no parameters will only show help information. You need it to retrieve some information! To start out, let’s first cover how the /r
switch or resultant set of policy works.
Resultant Set of Policy (RSOP) is a Group Policy add-on that allows you to query various aspects of Group Policy. RSOP is a great way to discover the result of the policy assigned to a computer.
GPResult
displays RSOP data in logging mode which includes policy settings like user and computer OU path, domain name, AD group memberships, security settings, and applied GPOs for both users and computers.
To use gpresult
to query RSOP data, open cmd.exe or PowerShell as administrator. invoke gpresult
with the /r
switch as shown below.
Gpresult /R
You can see below that, among other things, gpresult
returns all of the GPOs that the particular computer (COMPUTER SETTINGS) and GPOs targeting all users that will log onto the computer (USER SETTINGS).
You can run
gpresult /R
on a non-admin command prompt but it will only show policies applied to the user who is running the command.
Getting Granular: Finding Detailed Applied Group Policy Info
If you simply need to discover what GPOs are applied to a particular computer or user(s) on that computer, the RSOP data you get from the /r
switch will work. But RSOP data only goes so far. RSOP data does not provide information such as the last execution time of a logon script, the registry key the GPO is created in, and more.
To discover as much information as gpresult
can provide, use the /v
or verbose switch as shown below.
Gpresult /V
Check out just all of the information that /v
provides. That’s a lot of information!
Check out the differences in /r
and /v
below. You’ll see that /r
only provides the GPO name while /v
provides the logon script file name and last time the script executed on the computer.
Limiting GPresult to User or Computed-Based Settings
As mentioned, gpresult
, by default, returns both user and computer-based settings. Sometimes, especially when managing GPOs with hundreds of settings, the amount of output may get overwhelming.
If you need to only look for settings applied to the computer or user, gpresult
allows you to limit the scope of the query using the /scope
parameter. By specifying either computer
or user
as the /scope
parameter argument, gpresult
will only return settings applied to all users or the computer.
To see RSOP data for all policies in the computer
scope, run the below command.
Gpresult /R /Scope computer
How about finding all policies in verbose mode for all users only?
Gpresult /V /Scope user
The
/scope
parameter can be used in addition to other switches like/r
and/v
to limit the scope of either command.
If you’re running cmd.exe or PowerShell as administrator and invoke GPResult, it will return Group Policy settings for all users. If you use the /scope user
switch, it will remove computer-based settings but will still return settings for all users.
If you need to limit settings to a single user logged on at the same time, use the /user
parameter followed by the desired username as an argument.
Gpresult /R /user user01
If you attempt to query RSOP data for a user that doesn’t exist, GPResult will return the message
The user "<user>" does not have RSOP data
.
Exporting GPresult Output
Sometimes just returning information to the command-line console isn’t enough. Perhaps you need to build a report or share the results with someone else. In that case, you need to export results to some other format.
You can export GPResult output in a few different ways.
Exporting Results to a Text File
One of the easiest ways to export results to a file is using the command prompt or PowerShell’s output redirection feature. By “piping” the command-line results to a file with the redirection operator >
followed by a text file name, the text will contain exactly what you’d see in the console.
The below command would return all RSOP data and create a file called C:\Temp\RsopReport.txt containing the entire results of the GPResult command.
Gpresult /R > c:\Temp\RsopReport.txt
Exporting Results to an HTML or XML File
Unlike the native redirection from a command prompt to a text file, you can also generate and save the applied policy information to an HTML or XML file. Using the /H
switch (for HTML) or the /X
switch (for XML) followed by the path to the requested HTML file, GPResult will create a nicely-formatted HTML file with output.
Gpresult /H c:\Temp\RsopData.html
Gpresult /X c:\Temp\RsopXMLRreport.xml
If the file already exists, GPResult will return an error. Force GPResult to overwrite the existing file by using the
/F
switch.
Running GPResult Remotely
Throughout this tutorial, you’ve been running GPResult locally. Using the /s
parameter, GPResult can also run retrieve all of the same Group Policy settings remotely too.
For example, to find RSOP data for the user user01 that has logged onto the remove win10vm1 computer at least once, you’d run the following:
gpresult /R /S win10vm1 /user user01
Maybe you’re logged into a computer that doesn’t have rights to query Group Policy information on a remote computer. In that case, GPResult will fail unless you specify alternate credentials.
Specify alternate credentials by using the /U
(username) and /P
(password) parameters as shown below.
gpresult /R /S win10vm1 /scope user /U homelab\MyLabAdmin /P password
Are compromised passwords lurking in your Active Directory? Download Specops Password Auditor and scan for password vulnerabilities for FREE!
Conclusion
You should now know how to use the GPResult command to query applied Group Policy settings on both local and remote computers. This handy command is a great discovery and troubleshooting tool in any Active Directory admin’s arsenal.
The next time you find yourself wondering, “How do I confirm a domain-joined computer has applied the GPO I expect?”, what tool will you use?