Performing Resultant Set of Policy Queries with the GPRESULT Tool

by [Published on 10 March 2005 / Last Updated on 10 March 2005]

The hierarchical nature of group policies can make troubleshooting group policy related issues very cumbersome, especially on unfamiliar networks. One way to greatly simplify the troubleshooting process is to use Windows XP’s GPRESULT tool. In this article, I will introduce you to this tool and show you how to use it.

One of the things that I have always liked about the Active Directory environment is that you can gain such granular control over the behavior of your network through the use of group policies. Group policies can become a double edged sword though. When group policies are applied incorrectly, all sorts of unexpected side effects can occur.

Normally, the side effects of an inappropriate group policy setting aren’t that big of a problem if you are working with servers on your own network. After all, you are familiar with the way that your network normally behaves. If you change a group policy setting and Windows starts behaving strangely then it is a pretty good indication that you defined the new setting incorrectly or at an inappropriate location, and probably need to go back and see what went wrong.

If you are a consultant who works on other people’s networks though, you don’t usually have the luxury of being intimately familiar with the network’s configuration. If you get called in to diagnose a problem on a client’s network, you may be able to determine that the problem is group policy related in a matter of minutes. However, it can take days to figure out exactly which group policy element is causing the problem because the group policy can be so complex.

The good news is that there is a troubleshooting tool called GPRESULT that you can use to diagnose complex group policy problems much more quickly. This tool was originally a part of the Windows 2000 Server Resource Kit. However, when Microsoft created Windows XP, they extended the tool’s capabilities and included it with the operating system.

Why Use GPRESULT?

The only way that you can really appreciate the GPRESULT tool is if you understand how much work it saves you. I want to save plenty of space for discussing the GPRESULT tool, so I don’t want to get into a full blown discussion of the Active Directory and all its intricacies. However, I do want to take just a second and explain what makes group policies so complex, for the benefit of anyone who is new to Windows networking.

The thing that you have to understand about the Active Directory is that although the various Active Directory elements are stored primarily on domain controllers, the Active Directory is not a flat structure, but rather a hierarchical structure. In order to help the Active Directory scale well to larger networks, Microsoft designed the Active Directory so that group policies can be applied at multiple levels of the Active Directory hierarchy.

The first level that group policies are applied to is the local computer. Machines running Windows 2000, XP, and 2003 have a built in local security policy. The local security policy is a type of group policy that allows machines to remain secure even if they aren’t logged into a domain. Group policies can also be applied within the Active Directory at the site, domain, and Organizational Unit levels. A group policy doesn’t necessarily have to exist in all four locations, but it can.

When multiple group policies exist, Windows combines the group policies into what’s known as an effective policy. Windows does this by starting at the lowest level (the local computer) and working to the highest level (the organizational unit). As the various group policies are processed, they are combined to form the effective policy. If any settings within two or more policies contradict each other, then the higher level policy takes precedence over the lower level policy for the contradictory setting.

At first, the way that group policies are processed might not sound that complex. Where the complexity really comes into play though is that multiple policies can apply at each level. Furthermore, there are group policy settings that apply to the currently logged on user, while other group policy settings apply to the workstation. Therefore, it is possible that the user’s policy allows some sort of action, but the computer’s policy prohibits it, or visa versa.

My point is that the group policy contains hundreds, if not thousands of options that can be set (If someone has bothered to count them all, you will have to E-mail me and let me know how many there are). However, just because you set a group policy option, it doesn’t mean that the policy element that you have set will ever take effect. It could be filtered out by a higher level policy. If you are trying to troubleshoot an unfamiliar network, you could spend a really long time trying to track down some obscure group policy setting that is causing problems unless you use GPRESULT or a similar tool.

Using GPRESULT

GPRESULT is a command line tool. You can access it directly from the Windows command prompt by typing GPRESULT. When you enter the GPRESULT command, you will be presented with group policy information for the current user on the current computer. You don’t have to specify any switches to get this information. However, switches do exist that will provide you with group policy information for a different user or computer. You can also request more verbose information through the use of switches. The syntax for the GPRESULT command is as follows:

gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]

Parameters

/s Computer : Specifies the name or IP address of a remote computer. (Do not use backslashes.) The default is the local computer.

/u Domain\User : Runs the command with the account permissions of the user that is specified by User or Domain\User. The default is the permissions of the current logged-on user on the computer that issues the command.

/p Password : Specifies the password of the user account that is specified in the /u parameter.

/user TargetUserName : Specifies the user name of the user whose RSOP data is to be displayed.

/scope {user|computer} : Displays either user or computer results. Valid values for the /scope parameter are user or computer. If you omit the /scope parameter, gpresult displays both user and computer settings.

/v : Specifies that the output display verbose policy information.

/z : Specifies that the output display all available information about Group Policy. Because this parameter produces more information than the /v parameter, redirect output to a text file when you use this parameter (for example, gpresult /z >policy.txt).

/?: Displays help at the command prompt.

 Viewing The Output

When you enter the GPRESULT command, Windows displays three different categories of information; operating system information, computer settings, and user settings. Before I show you what the output looks like, keep in mind that I am basing the information that I am showing you on a network with a very simple configuration (local and default domain policies only). If you are troubleshooting a network with more advanced security information, you can expect to receive more detailed information.

Operating System Settings

The operating system settings portion of the GPRESULT output is basically designed to give you a little information about the machine that you are analyzing. And the network that it is connected to. One thing that you need to be aware of about this section though is that it can be a bit misleading. In the sample output below, you will notice that GPRESULT tells me that my test machine is connected to a Windows 2000 domain. In actuality though, I am connected to a Windows Server 2003 domain. There isn’t a single Windows 2000 Server on my network. It’s just that the tool was developed prior to the release of Windows 2003. Here is what this section of the output looks like:

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 3/2/2005 at 9:04:59 PM

RSOP results for PRODUCTION\Administrator on STEWIE : Logging Mode
-------------------------------------------------------------------
OS Type:                     Microsoft Windows XP Professional
OS Configuration:            Member Workstation
OS Version:                  5.1.2600
Domain Name:                 PRODUCTION
Domain Type:                 Windows 2000
Site Name:                   Default-First-Site-Name
Roaming Profile:
Local Profile:               C:\Documents and Settings\Administrator.PRODUCTION.
000
Connected over a slow link?: No

Computer Settings

If you look at the sample output below, you can see that the computer settings section tells you which group policy objects have been applied to the computer. It also gives you information about which group policy objects were filtered out and which security groups the computer belongs to. The output looks something like this:

COMPUTER SETTINGS
------------------
    CN=STEWIE,CN=Computers,DC=production,DC=com
    Last time Group Policy was applied: 3/2/2005 at 9:01:36 PM
    Group Policy was applied from:      tazmania.production.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        STEWIE$
        Domain Computers

User Settings

The user settings section gives you basically the same type of information as the computer settings section did. The only difference is that the information applies to the user rather than to the computer. Remember, there are completely different group policy settings for users and computers. The sample output looks like this:

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=production,DC=com
    Last time Group Policy was applied: 3/2/2005 at 7:39:37 PM
    Group Policy was applied from:      tazmania.production.com
    Group Policy slow link threshold:   500 kbps

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups:
    ----------------------------------------------------
        Domain Users
        Everyone
        Debugger Users
        BUILTIN\Users
        BUILTIN\Administrators
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        LOCAL
        Domain Admins
        Enterprise Admins
        Group Policy Creator Owners
        Schema Admins

Conclusion

In this article, I have explained that troubleshooting group policy related problems can be extremely tedious because of the number of potential group policy objects and they way that some objects can override other objects. I then went on to explain how the GPRESULT tool, included with Windows XP, can make the cumbersome troubleshooting process easier.

Featured Links