Properly implementing group policy in a Windows 2003-based network can be confusing and irritating. In this article, Brien Posey shows how you can use the GPRESULT tool to check group policies to make sure they're executing properly.
Anyone who's ever had to work with group policies knows they can be complicated to manage. Part of the complexity is the fact that group policies are applied hierarchically. Policies can be applied at the local computer, site, domain, and organizational unit levels of the Active Directory, in that order. Policies at these various levels are combined to form the effective policy. The fact that multiple policies can apply means there is a good chance that at least some of the group policy settings will contradict each other. Windows contains rules for resolving contradictory group policy settings (later, more specific policies win unless a policy is enforced). Although Windows resolves these contradictions effortlessly, it can be quite tedious for an administrator to manually determine the effective policy for a user or computer.
Fortunately, Microsoft realizes that determining policy effectiveness can be tough to do manually. As such, they have created a couple of tools that are intended to make the job easier. Probably the most well-known of these tools is the Resultant Set of Policy Snap-in for Microsoft Management Console. There is also a lesser known command line tool called GPRESULT. Both of these tools accomplish the same basic task, but do so in a different way.
The Resultant Set of Policy Snap-in
I don't want to spend too much time talking about the Resultant Set of Policy Snap-in, because I want to focus most of this article on the GPRESULT tool. However, I do want to give you a brief overview of what the Resultant Set of Policy Snap-in is and how it is used.
The Resultant Set of Policy tool is designed to help you determine the effective policy for a particular user and/or computer. You can access this tool by entering the MMC command at the Run prompt. When you do, the server will load an empty Microsoft Management Console. Select the Add/Remove Snap-in command from the console's File menu. When you do, you'll see the Add/Remove Snap-in properties sheet. Click the Add button found on the properties sheet's Standalone tab to reveal a list of available snap-ins. Select the Resultant Set of Policy Snap-in from the list, and click the Add button followed by the Close and OK buttons.
Once the Resultant Set of Policy Snap-in is loaded into the console, right-click on the Resultant Set of Policy container and select the Generate RSOP Data command from the resulting shortcut menu. Doing so will launch the Resultant Set of Policy Wizard. Click Next to bypass the wizard's welcome screen. The next screen that you'll see asks you whether you want to use logging mode or planning mode. Logging mode reports the policy that was actually applied to an existing computer and user; planning mode simulates what would apply. Select the logging mode option and click Next to continue.
At this point, the wizard will ask you which computer you want to see the resultant set of policy for. You have the option of choosing either the current computer, another computer, or of ignoring computer based policies altogether. Click Next to continue.
The next screen that you'll encounter asks you which user account you'd like the resultant set of policy to be based on. Again, you have the option of choosing either the user that is currently logged in, another user account, or of ignoring user account related policies altogether. Click Next to continue.
The wizard will now display a brief summary of the options that you've chosen. Click Next and the wizard will begin compiling the resultant set of policy for the user and/or computer that you've specified. This process can take a few minutes to complete. When the wizard finishes compiling the policy information, click the Finish button and you'll be taken to a console similar to the one shown in Figure A. As you can see in the figure, the resultant set of policy is displayed in a format similar to that of the Group Policy Editor. You can navigate through the console and see what the resultant set of policy is for each policy setting.
|The resultant set of policy is displayed in graphical format within this console.|
As you saw in the section above, the Resultant Set of Policy Snap-in is very easy to use and it gives you all of the information that you need. What if you needed to determine the effective policy for a large number of users or computers though? This is where the GPRESULT tool comes into play.
GPRESULT gives you the same basic type of information as the Resultant Set of Policy Snap-in does. The primary difference is that GPRESULT is a command line tool. This means that you can easily use GPRESULT to script and log the resultant set of policy for large numbers of users and/or computers. Another difference between GPRESULT and the Resultant Set of Policy Snap-in is that GPRESULT provides you with configuration information in addition to the information derived from the various group policies. I will talk more about this configuration information later.
The GPRESULT tool is installed automatically along with the Resultant Set of Policy Snap-in. To run this tool, all you have to do is open a Command Prompt window and enter the GPRESULT command. Upon doing so, you'll see a screen similar to the one shown in Figure B.
|This is what the GPRESULT tool looks like when it is run with no parameters.|
As you can see in the figure, GPRESULT provides you with a wealth of information even when you run it with no parameters. In fact, the information provided by GPRESULT is so lengthy that it cannot fit within a single screen capture. That being the case, I want to talk about the various types of information that GPRESULT provides before I begin discussing the parameters that can be used with the tool.
If you look at the figure, you can see that the first section just contains some basic information about the currently logged in user on the current computer. For example, GPRESULT lists the computer's operating system, its Terminal Server mode, the site that the computer belongs to, whether or not the computer is a domain controller, and the location of the user's profile.
The next thing that GPRESULT displays is information regarding computer level group policy settings. This section begins by displaying some more basic, but helpful, information. For example, you can see the last time that the policy was applied, and which domain controller the policy was read from. This section also shows the current domain name and the domain type, which is actually a reflection of the domain's functional level.
Next, GPRESULT shows you which group policy objects were applied. For example, if you look at Figure B, you can see that the default domain controllers policy and the default domain policy were both applied.
Just below the list of group policy objects that have been applied is a list of group policy objects that have not been applied because they've been filtered out. If you look at Figure B, you'll see that in this particular case no group policy objects have actually been filtered out.
The last section shown in Figure B displays the security groups that the computer is a member of. Although security group information is not directly related to group policies, it can be very helpful to know which security groups the computer belongs to if you are trying to troubleshoot a security problem.
Just as the GPRESULT tool displays configuration and group policy related information for the computer it is running on, it also displays similar information regarding the user account that you are currently logged in with. If you look at Figure C, you'll see the user information that GPRESULT displays.
|The information that GPRESULT displays regarding the currently logged on user is similar to the information that it displays regarding the computer that it is currently running on.|
Like the Computer Settings section, the User Settings section begins by providing you with some basic information about the user account. For example, you can see the last time that the policy was applied to the user account, and which domain controller the policy was read from.
Just below this basic information you can see which group policy objects have been applied to the user account, and which group policy objects were not applied because they were filtered out. Finally, GPRESULT displays which security groups the user account belongs to.
You might have noticed in the previous two screenshots, that the GPRESULT tool showed you which group policy objects have been applied, but did not actually give you a true resultant set of policy. That doesn't mean that the GPRESULT tool can't give you a resultant set of policy though.
To get the GPRESULT tool to give you resultant set of policy information, you must use the /V switch to indicate that GPRESULT should run in verbose mode. If you look at Figure D, you can see a small sample of the type of information that the GPRESULT tool gives you when running in verbose mode.
|If you want the GPRESULT tool to give you resultant set of policy information, you must run it with the /V switch.|
Believe it or not, the GPRESULT tool can actually provide you with more verbose information than what you have already seen. To get super verbose resultant set of policy information, just use the /Z switch instead of the /V switch.
The difference between these two switches is that the /V switch displays the same type of resultant set of policy information that you would see if you were using the Resultant Set of Policy Snap-in. In contrast, running the GPRESULT tool with the /Z switch produces the same information, but also lists each group policy object in which a particular setting was defined. This allows you to view all occurrences of a group policy setting, even those that lost out during conflict resolution and are therefore not present in the resultant set of policy, which is exactly what you need when you are trying to work out why a setting has an unexpected value.
Choosing the User and Computer
When I walked you through the Resultant Set of Policy Snap-in earlier, you saw that the wizard prompted you as to which user account and which computer you wanted to compile policy information for. The GPRESULT tool can do the exact same thing. You must simply take advantage of some command line switches.
Let's start out by looking at how to specify a specific computer. To specify the computer name, you would simply use the /S switch in conjunction with the computer's name. For example, if you wanted the GPRESULT tool to compile policy information related to a computer named COMPUTER1, you can do so by entering the following command:
GPRESULT /S COMPUTER1
Upon running this command, you see policy information describing how group policy objects are applied to the currently logged in user if that user were working on COMPUTER1. Note that GPRESULT reads the RSoP logging data that was recorded on COMPUTER1 the last time policy was applied there, so the user you ask about must have logged on to that computer at some point.
The GPRESULT tool also allows you to specify which user account you would like to see policy information for. To specify a user account, just use the /USER switch and then specify the domain and username of the user that you would like to see policy information for. For example, if you wanted to see policy information for a user account named USER1 that exists in the CONTOSO domain, the command would look like this:
GPRESULT /USER CONTOSO\USER1
As you can see, specifying a user account name or a computer name is fairly straightforward. One issue that you may sometimes run into, though, is that you may lack sufficient permissions to view resultant set of policy information for a particular user or computer. When this happens, you have the option of specifying a set of user credentials for the GPRESULT tool to run under. To do so, you would use the /U and the /P switches.
The /U switch is used to specify a username and domain, and the /P switch is used to specify the password for that account. GPRESULT uses these credentials to connect to the remote computer named with the /S switch, so /U and /P are only meaningful in combination with /S. For example, suppose that you wanted to query COMPUTER1 as the Administrator account from the CONTOSO domain. To do so, you would use the following command:
GPRESULT /S COMPUTER1 /U CONTOSO\Administrator /P P@ssw0rd
Keep in mind that a password typed on the command line is visible in the console's command history and to anyone who can list the command lines of running processes. If you supply /U but leave the password off the /P switch, GPRESULT prompts you for it instead, which is the safer choice whenever you are running the tool interactively.
The GPRESULT Scope
The last thing that I want to show you, is how to set a scope for the GPRESULT tool. As you may recall, when I walked you through the Resultant Set of Policy wizard earlier, the wizard contained an option that you could use to view either only computer related policy information or only user related policy information. The GPRESULT tool can do the exact same thing. Using a simple switch, you can force the GPRESULT tool to ignore either the user or the computer portion of the policy.
To do so, you would use the /SCOPE switch. You would follow the /SCOPE switch with either the word USER or COMPUTER, depending on the type of information that you want displayed. For example, if you only wanted to display computer related policy settings, you would use this switch:
GPRESULT /SCOPE COMPUTER
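Putting the /S and /SCOPE switches together with the scripting and logging use mentioned earlier, here is an added PowerShell example that is not part of the original article. It runs GPRESULT against a list of computers, saves the raw output per machine, parses the "Applied Group Policy Objects" and "were not applied because they were filtered out" sections, and flags any computer on which an expected GPO did not apply. The computer names, the expected GPO names and the log folder are hypothetical placeholders; the parser assumes the section headings that GPRESULT prints on Windows XP and Windows Server 2003, and PowerShell 2.0 or later is assumed.

```powershell
# Added example; not code from the original article. Collects GPRESULT output from a list of
# computers, logs the raw text per machine, and flags any computer on which an expected GPO
# was not applied (or was filtered out). The computer names, the expected GPO names and the
# log folder are hypothetical placeholders. Requires PowerShell 2.0 or later and an account
# allowed to read RSoP data on the targets.

$Computers   = @('COMPUTER1', 'COMPUTER2')                           # hypothetical
$ExpectedGpo = @('Default Domain Policy', 'Server Hardening Policy') # hypothetical
$LogDir      = 'C:\GPOAudit'                                         # hypothetical

function Get-GpoSections {
    # Parses the text that GPRESULT prints on Windows XP / Windows Server 2003 and returns
    # the names listed under "Applied Group Policy Objects" and under "The following GPOs
    # were not applied because they were filtered out". Only the section headings are
    # relied on; the indentation of the lines beneath them is ignored.
    param([string[]] $Lines)

    $applied  = @()
    $filtered = @()
    $section  = $null

    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line -match '^-+$') { continue }   # blank line or underline row
        if ($line -like 'Applied Group Policy Objects*')        { $section = 'applied';  continue }
        if ($line -like 'The following GPOs were not applied*') { $section = 'filtered'; continue }
        # Any other section heading (security groups, the verbose settings dump) ends the list.
        if ($line -match '^(The computer|The user|COMPUTER SETTINGS|USER SETTINGS|Resultant Set)') {
            $section = $null
            continue
        }
        if ($line -like 'Filtering:*') { continue }   # reason line printed under a filtered GPO
        switch ($section) {
            'applied'  { $applied  += $line }
            'filtered' { $filtered += $line }
        }
    }
    New-Object PSObject -Property @{ Applied = $applied; Filtered = $filtered }
}

function Test-GpoCompliance {
    param([string[]] $ComputerName, [string[]] $Expected, [string] $OutDir)

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'

    foreach ($computer in $ComputerName) {
        # /SCOPE COMPUTER asks only for the computer half of the policy, so the result does
        # not depend on who happens to be logged on to the target. Drop /V for shorter logs.
        $output  = & gpresult /S $computer /SCOPE COMPUTER /V 2>&1 | ForEach-Object { "$_" }
        $logFile = Join-Path $OutDir "$computer-$stamp.txt"
        $output | Out-File -FilePath $logFile -Encoding ASCII

        if ($LASTEXITCODE -ne 0) {
            # RPC failures, access denied and unknown hosts all surface here; keep the log.
            Write-Warning "$computer : GPRESULT returned exit code $LASTEXITCODE; see $logFile"
            continue
        }

        $gpo     = Get-GpoSections -Lines $output
        $missing = @($Expected | Where-Object { $gpo.Applied -notcontains $_ })

        New-Object PSObject -Property @{
            ComputerName = $computer
            Applied      = ($gpo.Applied  -join '; ')
            FilteredOut  = ($gpo.Filtered -join '; ')
            MissingGpo   = ($missing      -join '; ')
            Compliant    = ($missing.Count -eq 0)
            Log          = $logFile
        }
    }
}

Test-GpoCompliance -ComputerName $Computers -Expected $ExpectedGpo -OutDir $LogDir |
    Format-Table ComputerName, Compliant, MissingGpo, FilteredOut -AutoSize
```

The script runs under the credentials of whoever launches it, which is the right choice for a scheduled job because it keeps passwords off the command line. If that account lacks rights on some targets, the alternative is to add /U DOMAIN\user /P to the GPRESULT call; leaving the password off /P makes GPRESULT prompt for it, which only works when someone is at the console, so a scripted run would have to supply it and accept that it is then visible in the process command line.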