Friday, July 9, 2010

Use the Command Line with GPRESULT to troubleshoot Group Policy

If your policy is not being applied as expected, the main thing you’ve to do about this is examining the Resultant Set of Policy (RSoP) for the User and the Computer experiencing problems with policy settings. Okay, if you want to view the RSoP, you can use the Gpresult command-line utility.

With the Gpresult utility, you can get the following:
•    Special settings applied for folder redirection, software installation, disk quota, IPSec, and scripts
•    The last time Group Policy was applied
•    The domain controller from which policy was applied and the security group memberships for the computer and user
•    The complete list of GPOs that were applied as well as the complete list of GPOs that were not applied because of filters

The following is the basic syntax of the Gpresults:
gpresult /s ComputerName /user Domain\UserName
From the above syntax, ComputerName is the name of the Computer that you want to log policy results and the Domain\UserName indicates the user that you want to log policy results. Consider that you want to view the RSoP for CorpPC85 and the user Tedg in the Cpandl domain, you can get the following command.
gpresult /s corppc85 /user cpandl\tedg

Moreover, you can get output that is more detailed by using any of the following verbose options. The /v parameter turns on Verbose output and brings the result that are displayed only for the policy settings in effect. At the same time, the /z parameter is able turn the Verbose output with settings for policy settings ON. As the Gpresult output can be fairly long, it is required to create an HTML report by using the /h parameter or an XML report by using the /x parameter.

gpresult /s corppc85 /user cpandl\tedg /h gpreport.html
gpresult /s corppc85 /user cpandl\tedg /x gpreport.xml

You can get an idea if you read the above provided parameters.