This article is also available as a TechRepublic download.

Anyone who’s ever had to work with group policies knows they
can be complicated to manage. Part of the complexity is the fact that group
policies are applied hierarchically. Policies can be applied at the local
computer, site, domain, and organizational unit levels of the Active Directory.
Policies at these various levels are combined to form the effective
policy. Because multiple policies can be used, there is a good chance that at
least some of the various group policy settings will be contradictory. Windows
contains algorithms for dealing with contradictory group policy settings. Although
Windows deals with these contradictions effortlessly, it can be quite tedious
for an administrator to manually determine the effective policy for a user or
computer.

Fortunately, Microsoft realizes that determining policy
effectiveness can be tough to do manually. As such, they have created a couple
of tools that are intended to make the job easier. Probably the most well-known
of these tools is the Resultant Set of Policy Snap-in for Microsoft Management
Console. There is also a lesser-known command line tool called GPRESULT. Both
of these tools accomplish the same basic task, but do so in different ways.

The Resultant Set of Policy Snap-in

I don’t want to spend too much time talking about the
Resultant Set of Policy Snap-in, because I want to focus most of this article
on the GPRESULT tool. However, I do want to give you a brief overview of what
the Resultant Set of Policy Snap-in is and how it is used.

The Resultant Set of Policy tool is designed to help you
determine the effective policy for a particular user and/or computer. You can
access this tool by entering the MMC command at the Run prompt. When you do,
the server will load an empty Microsoft Management Console. Select the
Add/Remove Snap-in command from the console’s File menu. When you do, you’ll
see the Add/Remove Snap-in properties sheet. Click the Add button found on the
properties sheet’s Standalone tab to reveal a list of available snap-ins.
Select the Resultant Set of Policy Snap-in from the list, and click the Add
button followed by the Close and OK buttons.

Once the Resultant Set of Policy Snap-in is loaded into the
console, right-click on the Resultant Set of Policy container and select the
Generate RSOP Data command from the resulting shortcut menu. Doing so will
launch the Resultant Set of Policy Wizard. Click Next to bypass the wizard’s welcome
screen. The next screen that you’ll see asks you if you want to use logging
mode or planning mode. Select the logging mode option and click Next to
continue.

At this point, the wizard will ask you which computer you
want to see the resultant set of policy for. You have the option of choosing
the current computer, choosing another computer, or ignoring computer-based
policies altogether. Click Next to continue.

The next screen that you’ll encounter asks you which user
account you’d like the resultant set of policy to be based on. Again, you
have the option of choosing the user that is currently logged in, choosing
another user account, or ignoring user account related policies altogether. Click
Next to continue.

The wizard will now display a brief summary of the options
that you’ve chosen. Click Next and the wizard will begin compiling the
resultant set of policy for the user and/or computer that you’ve specified. This
process can take a few minutes to complete. When the wizard finishes compiling
the policy information, click the Finish button and you’ll be taken to a
console similar to the one shown in Figure A. As you can see in the figure, the
resultant set of policy is displayed in a format similar to that of the
Group Policy Editor. You can navigate through the console and see what the
resultant set of policy is for each policy setting.

Figure A

The resultant set of policy is displayed in graphical format within this
console.

GPRESULT

As you saw in the section above, the Resultant Set of Policy
Snap-in is very easy to use and it gives you all of the information that you
need. What if you needed to determine the effective policy for a large number
of users or computers though? This is where the GPRESULT tool comes into play.

GPRESULT gives you the same basic type of information as the
Resultant Set of Policy Snap-in does. The primary difference is that GPRESULT is
a command line tool. This means that you can easily use GPRESULT to script and
log the resultant set of policy for large numbers of users and/or computers. Another
difference between GPRESULT and the Resultant Set of Policy Snap-in is that
GPRESULT provides you with configuration information in addition to information
derived from the various group policies. I will talk more about this
configuration information later.

The GPRESULT tool is installed automatically along with the
Resultant Set of Policy Snap-in. To run this tool, all you have to do is
open a Command Prompt window and enter the GPRESULT command. Upon doing so, you’ll
see a screen similar to the one shown in Figure B.

Figure B

This is what the GPRESULT tool looks like when it is run with no
parameters.

As you can see in the figure, GPRESULT provides you with a
wealth of information even when you run it with no parameters. In fact, the
information provided by GPRESULT is so lengthy that it cannot fit within a
single screen capture. That being the case, I want to talk about the various
types of information that GPRESULT provides you with before I begin discussing
the parameters that can be used with the tool.

If you look at the figure, you can see that the first
section just contains some basic information about the currently logged in user
on the current computer. For example, GPRESULT lists the computer’s operating
system, its Terminal Server mode, the site that the computer belongs to,
whether or not the computer is a domain controller, and the location of the
user’s profile.

The next thing that GPRESULT displays is information
regarding computer level group policy settings. This section begins by
displaying some more basic, but helpful, information. For example, you can see
the last time that the policy was applied, and which server the policy was read
from. This section also shows the current domain name and the domain type,
which is actually a reflection of the domain’s functional level.

Next, GPRESULT shows you which group policy objects were
applied. For example, if you look at Figure B, you can see that the default
domain controllers policy and the default domain policy were both applied.

Just below the list of group policy objects that have been
applied is a list of group policy objects that have not been applied because
they’ve been filtered out. If you look at Figure B, you’ll see that in this
particular case no group policy objects have actually been filtered out.

The last section shown in Figure B displays the security
groups that the computer is a member of. Although security group information is
not directly related to group policies, it can be very helpful to know which
security groups the computer belongs to if you are trying to troubleshoot a
security problem.

Just as the GPRESULT tool displays configuration and group
policy related information for the computer it is running on, it also displays
similar information regarding the user account that you are currently logged in
with. If you look at Figure C, you’ll see the user information that GPRESULT
displays.

Figure C

The information that GPRESULT displays regarding the currently logged on
user is similar to the information that it displays regarding the computer that
it is currently running on.

Like the Computer Settings section, the User Settings
section begins by providing you with some basic information about the user
account. For example, you can see the last time that the policy was applied to
the user account, and which domain controller the policy was read from.

Just below this basic information you can see which group
policy objects have been applied to the user account, and which group policy
objects were not applied because they were filtered out. Finally, GPRESULT
displays which security groups the user account belongs to.

Verbose Logging

You might have noticed in the previous two screenshots that
the GPRESULT tool showed you which group policy objects have been applied, but
did not actually give you a true resultant set of policy. That doesn’t mean
that the GPRESULT tool can’t give you a resultant set of policy though.

To get the GPRESULT tool to give you resultant set of policy
information, you must use the /V switch to indicate that the GPRESULT tool
should run in verbose mode. If you look at Figure D, you can see a small sample
of the type of information that the GPRESULT tool gives you when running in
verbose mode.

Figure D

If you want the GPRESULT tool to give you resultant set of policy
information, you must run it with the /V switch.

Believe it or not, the GPRESULT tool can actually provide
you with more verbose information than what you have already seen. To get super
verbose resultant set of policy information, just use the /Z switch instead of
the /V switch.

The difference between these two switches is that
the /V switch displays the same type of resultant set of policy information
that you would see if you were using the Resultant Set of Policy Snap-in. In
contrast, running the GPRESULT tool with the /Z switch produces the same
information, but also lists each group policy object that a particular setting
was defined in. This allows you to view all occurrences of the group policy
setting, even if those occurrences are not present in the resultant set of
policy.

Choosing the User and Computer

When I walked you through the Resultant Set of Policy
Snap-in earlier, you saw that the wizard prompted you for the user account
and the computer you wanted to compile policy information for. The GPRESULT
tool can do the exact same thing. You must simply take advantage of some
command line switches.

Let’s start out by looking at how to specify a particular
computer. To specify the computer name, you would simply use the /S switch in
conjunction with the computer’s name. For example, if you wanted the GPRESULT
tool to compile policy information related to a computer named COMPUTER1, you
could do so by entering the following command:

GPRESULT /S COMPUTER1

Upon running this command, you will see policy information
related to how group policy objects would be applied to the user who’s
currently logged in, if that user were working from COMPUTER1.

The GPRESULT tool also allows you to specify which user
account you would like to see policy information related to. To specify a user
account, just use the /USER switch and then specify the domain and username of
the user that you would like to see policy information for. For example, if you
wanted to see policy information related to a user account named USER1, and
that user existed in the CONTOSO domain, the command would look like this:

GPRESULT /USER CONTOSO\USER1

As you can see, specifying a user account name or a
computer name is fairly straightforward. One issue that you may sometimes run
into though is that you may lack sufficient permissions to view resultant set
of policy information for a particular user or computer. When this happens, you
have the option of specifying a set of user credentials for the GPRESULT tool
to run under. To do so, you would use the /U and the /P switches.

The /U switch is used to specify a username and domain, and
the /P switch is used to specify a password for the account. GPRESULT accepts
these two switches only together with the /S switch, so the command also has
to name the computer to query. For example, suppose that you wanted to run the
GPRESULT tool against COMPUTER1 as the administrator from the CONTOSO domain.
To do so, you would use the following command:

GPRESULT /S COMPUTER1 /U CONTOSO\Administrator /P P@ssw0rd

The GPRESULT Scope

The last thing that I want to show you is how to set a
scope for the GPRESULT tool. As you may recall, when I walked you through the
Resultant Set of Policy wizard earlier, the wizard contained an option that you
could use to view either only computer related policy information or only user
related policy information. The GPRESULT tool can do the exact same thing. Using
a simple switch, you can force the GPRESULT tool to ignore either the user or
the computer portion of the policy.

To do so, you would use the /SCOPE switch. You would follow
the /SCOPE switch with either the word USER or COMPUTER, depending on the type
of information that you want displayed. For example, if you only wanted to
display computer related policy settings, you would use this command:

GPRESULT /SCOPE COMPUTER
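
The GPRESULT section says the tool can be scripted to log policy for many computers; the PowerShell sketch below is an added example, not part of the original article, that combines the /S, /SCOPE and /V switches to do that and pulls the applied and filtered-out GPO lists from each report. The computer names, the log folder and the Get-GpoSection helper are assumptions, the parser expects English section headings, and the script runs under the caller's own logon, so no password appears on the command line.

```powershell
# Added example (not the article's own script). COMPUTER1/COMPUTER2 and the
# log folder are placeholders; section headings assume English GPRESULT output.
function Get-GpoSection {
    # Returns the entries indented beneath one GPRESULT section heading.
    param([string[]]$Lines, [string]$Heading)
    $indent = -1; $names = @()
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -eq '') { continue }
        $depth = $line.Length - $line.TrimStart().Length
        if ($indent -lt 0) {
            if ($text -like "$Heading*") { $indent = $depth }
            continue
        }
        if ($text -match '^-+$') { continue }        # underline below the heading
        if ($depth -le $indent) { break }            # next heading: section is over
        if ($text -notlike 'Filtering:*') { $names += $text }
    }
    $names
}

# Constructed sample in the layout GPRESULT prints; it parses without a network.
$sample = @'
    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
'@ -split "`r?`n"
Get-GpoSection $sample 'Applied Group Policy Objects'

$logDir = Join-Path $env:TEMP 'gpresult-logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$summary = foreach ($computer in 'COMPUTER1', 'COMPUTER2') {
    # /S selects the machine, /SCOPE COMPUTER skips user policy, /V adds settings.
    $report = & gpresult.exe /S $computer /SCOPE COMPUTER /V 2>&1 | ForEach-Object { "$_" }
    $report | Set-Content -Path (Join-Path $logDir "$computer.txt")
    [pscustomobject]@{
        Computer = $computer
        ExitCode = $LASTEXITCODE
        Applied  = (Get-GpoSection $report 'Applied Group Policy Objects') -join '; '
        Filtered = (Get-GpoSection $report 'The following GPOs were not applied') -join '; '
    }
}
$summary | Export-Csv -Path (Join-Path $logDir 'summary.csv') -NoTypeInformation
```

Each computer's full verbose report is kept as a text file, and summary.csv gives one row per computer that can be compared to spot a machine where an expected GPO is missing or filtered out.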