Reporting Application of GPOs on Remote Computers and Generating A Report (Part 2)

If you would like to be notified when Nirmal Sharma releases the next part of this article series please sign up to the WindowsNetworking.com Real time article update newsletter.

If you would like to read the first part in this article series please go to Reporting Application of GPOs on Remote Computers and Generating A Report (Part 1).

Introduction

In Part I of this article series I explained some useful GPResult commands that you can use to get the GPOs applied to user and computer objects on remote computers. GPResult.exe does not provide a parameter for checking whether a particular GPO has been applied on remote computers, and it does not generate a report. If you need a report, you will have to write a script.

Overview of the Script

The script is written in the CMD (batch) language. If you need to modify the script to suit your requirements, you are welcome to do so. The script uses a FOR loop to process all computers listed in the Computers.TXT file. Inside the FOR loop, the script uses the GPResult command-line tool to get the GPOs applied to each remote computer. The current script version is 1.0, as indicated in the screenshot below.

Figure 1

Three files are supplied with the script: Computers.TXT, Config.CFG, and the script itself, named CheckGPOStatus.CMD. Here is an explanation of each file:

  • Computers.TXT: The Computers.TXT file contains the list of computers that are processed by the CheckGPOStatus.CMD script. Add one computer name (either the FQDN or the IP address of the computer) per line.
  • Config.CFG: The Config.CFG file holds the configuration for the script. It specifies the name of the GPO that the CheckGPOStatus.CMD script will check on the remote computers. The Config.CFG file also includes the SCOPE option. For example, if it is a user GPO that you need to check on the remote computers, change the scope from COMPUTER to USER, and if it is a computer GPO, change the scope value from USER to COMPUTER. Using the Config.CFG file, you can also enable or disable the connectivity test, enable or disable logging, etc.
    Note:
    Currently, Config.CFG supports only the COMPUTER value for the Scope option. In Part III of this article series, I will modify the script to include statements for the USER scope.
  • CheckGPOStatus.CMD: This is the main script that you will need to run after preparing Computers.TXT and modifying the settings in the Config.CFG file.

The above files are required for the script to run normally. If any of them is missing, the script will not run. Apart from the above files, the script also creates the following files:

  • GPResult_<ComputerName>.TXT: This file holds the output of the GPResult.exe command for each computer. The GPResult_ComputerName.TXT file is stored in the C:\CheckGPO\GPResult folder. If you need to check the GPResult output for a specific computer, go to the C:\CheckGPO\GPResult folder and look for its GPResult_ComputerName.TXT file. Please note that the script deletes the computer-specific GPResult files the next time you run it. If you don’t want the script to create GPResult files for each computer, you can disable this by editing the Config.CFG file.
  • ScriptProcessing.LOG: The script also creates a log file named ScriptProcessing.log under the C:\CheckGPO\LOG folder. If the report does not show any GPO data for a particular remote computer, check the ScriptProcessing.log file to identify the cause of the failure. If you need to disable logging, you can do so by editing the Config.CFG file.
  • GPOReport.CSV: This is the report file that contains the reporting data from all computers. It is located under the C:\CheckGPO\Report folder.

Requirements

Before you can run the script, please make sure to meet the following requirements:

  • A central computer is required to run the script against the computers specified in the Computers.TXT file.
  • The script checks that a remote computer is reachable by pinging it before it runs the GPResult.exe command. If you have enabled the connectivity test in the Config.CFG file, make sure the remote computers are reachable from the central computer.
  • You must be logged on to the central computer using a user account that has administrative access to the remote computers. It is recommended to log on using a user account that is part of the Domain Admins security group.
  • Create a folder named C:\CheckGPO on the central computer.
  • Create three sub-folders under the C:\CheckGPO folder: C:\CheckGPO\Log, C:\CheckGPO\Report, and C:\CheckGPO\GPResult.
  • Download GetGPOReport.ZIP and unzip all the files into the C:\CheckGPO folder. You can download the script from here. After unzipping the files to the C:\CheckGPO folder, rename CheckGPOStatus.CMC to CheckGPOStatus.CMD.

Preparing Files

Before you execute the script, modify the Computers.TXT file located in the C:\CheckGPO folder. All you need to do is specify the computer names in the text file, one computer name per line. The Computers.TXT file should look like the one below:

Figure 2

Next, modify the Config.CFG file located under the C:\CheckGPO folder, as shown in the screenshot below:

Figure 3

  • GPOToCheck: Specify the name of the GPO that you want the script to check on the remote computers. As shown in the above screenshot, Config.CFG is currently configured to check “Screen Saver GPO” on the remote computers.
  • Scope: Scope can be USER or COMPUTER. Please make sure to specify the scope in capital letters. Note that the current version of the script works only if the Scope is set to COMPUTER. If you set the Scope to USER, the script will exit.
  • PING: By default, the script checks connectivity to each remote computer before processing the next statements. Some environments might not have ping enabled. If that is the case, modify the Config.CFG file and set the value of Ping to NO.
  • Logging: By default, the script creates a log file named ScriptProcessing.log. It is recommended to keep logging enabled for troubleshooting purposes.
  • GPResultFiles: By default, the script creates a text file for each computer that contains the GPResult data collected from that computer. To disable creation of the GPResult_ComputerName.TXT files, set the value of GPResultFiles to NO in the Config.CFG file.
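The loop described under "Overview of the Script", driven by the Config.CFG options above, sketched as an added example; this is not the author's CheckGPOStatus.CMD, which is not reproduced on this page. It assumes Config.CFG holds KEY=VALUE lines, uses CSV columns made up for the example, and relies on the English section headers printed by gpresult. It also goes one step beyond what the article states about the script: the GPO name is matched only inside the applied list, because gpresult names filtered-out GPOs in the same output.

```batch
@echo off
setlocal EnableExtensions
rem Added illustration; NOT the CheckGPOStatus.CMD distributed with the article.
rem Assumptions: Config.CFG holds KEY=VALUE lines (no spaces around "="), the
rem CSV columns are invented here, and gpresult prints English section headers.
set "ROOT=C:\CheckGPO"
for /f "usebackq tokens=1,* delims==" %%K in ("%ROOT%\Config.CFG") do set "CFG_%%K=%%L"
if /i not "%CFG_Scope%"=="COMPUTER" (
  echo Only Scope=COMPUTER is handled.
  exit /b 1
)
set "REPORT=%ROOT%\Report\GPOReport.CSV"
set "LOG=%ROOT%\Log\ScriptProcessing.log"
> "%REPORT%" echo Computer,GPO,Status
for /f "usebackq delims=" %%C in ("%ROOT%\Computers.TXT") do call :check "%%C"
echo Report written to %REPORT%
exit /b 0

:check
set "PC=%~1"
set "OUT=%ROOT%\GPResult\GPResult_%PC%.TXT"
set "STATUS=Not Applied"
set "INLIST="
rem -4 forces IPv4 so a successful reply always carries "TTL=".
if /i not "%CFG_PING%"=="NO" (
  ping -4 -n 1 -w 2000 "%PC%" | find "TTL=" >nul || (
    set "STATUS=Computer is NOT Reachable"
    goto :record
  )
)
gpresult /S "%PC%" /SCOPE COMPUTER /R > "%OUT%" 2>&1
if errorlevel 1 (
  set "STATUS=GPResult failed"
  goto :record
)
rem Match the name only inside the applied list: gpresult also names GPOs
rem that were filtered out, so a plain findstr over the file can misreport.
for /f "usebackq tokens=*" %%L in ("%OUT%") do (
  if defined INLIST if /i "%%L"=="%CFG_GPOToCheck%" set "STATUS=Applied"
  if "%%L"=="Applied Group Policy Objects" set "INLIST=1"
  if "%%L"=="The following GPOs were not applied because they were filtered out" set "INLIST="
  if "%%L"=="The computer is a part of the following security groups" set "INLIST="
)
:record
>> "%REPORT%" echo "%PC%","%CFG_GPOToCheck%","%STATUS%"
if /i not "%CFG_Logging%"=="NO" >> "%LOG%" echo %DATE% %TIME% %PC%: %STATUS%
if /i "%CFG_GPResultFiles%"=="NO" if exist "%OUT%" del "%OUT%"
exit /b 0
```

On a non-English Windows installation the two section headers must be replaced with the localized strings, otherwise every computer is reported as Not Applied.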

Running Script

Follow the steps outlined below to run the script:

  1. On the central computer, open a Command Prompt and switch to the C:\CheckGPO folder.
  2. Verify that the C:\CheckGPO\Report, C:\CheckGPO\GPResult and C:\CheckGPO\LOG sub-folders exist.
  3. From the command prompt, execute the CheckGPOStatus.CMD script. Once executed, CheckGPOStatus.CMD will process all the computers from Computers.TXT one by one, as shown in the screenshot below:

Figure 4

  4. Once the script has finished running for all the computers listed in the Computers.TXT file, a message will let you know that the report is ready, as shown in the screenshot below:

Figure 5

Note:
At any time during the script processing, you can press CTRL+C to terminate the script.

Opening Report File

The script generates a report as a CSV file, which is located under the C:\CheckGPO\Report folder. The GPOReport.CSV report file can be opened in Microsoft Excel. The report file shows the status of GPO application for each computer on one line. As you can see in the screenshot below, the script processed a total of five computers from Computers.TXT, and one computer reports that the GPO “Screen Saver GPO” has not been applied yet. Another computer (Computer4) reports that there were some issues when running the GPResult.exe command.

Figure 6

Troubleshooting

The script might fail to run for a computer, in which case you might not see the GPO application status for that computer in the report file. If that happens, open the C:\CheckGPO\LOG\ScriptProcessing.LOG file to find the cause of the failure. As you can see in the screenshot below, a “Computer is NOT Reachable” error is reported for Computer3. Similarly, if the GPResult command does not execute successfully for a computer, this will be highlighted in the ScriptProcessing.log file.

Figure 7

Conclusion

You saw how easy it is to check the application of a computer GPO using the script provided with this article. Currently, the script can check the application of a GPO only for the computer object. In Part III of this article series, I will upgrade the script to check user GPOs on remote computers. If you run into any issues while running the script or you don’t see the desired results, please drop me an email at nirmal_sharma @ mvps.org or nirmal_ks @ outlook.com.
