Using PowerShell to evaluate group policy issues

The basic idea behind group policy is really simple — assemble a collection of security and configuration settings that can be applied to a user or to a computer. Although this is a simple concept, the actual implementation can be anything but. Group policy is hierarchical and can be assigned at various levels including the local computer, and the domain, site, and organization levels of the Active Directory. Furthermore, there can be separate policy settings for the user and for the computer. As if all of that were not enough, it is possible for group policy objects to contradict one another.

Of course, Microsoft has long had rules in place that establish an order of precedence for group policy objects, and deal with any contradictions that might occur. Even so, it can be a tedious process to determine which group policy objects are in use at a given time, and where a particular group policy setting was assigned. However, PowerShell can make light work of evaluating group policy issues.

Before you begin

Before you get started, you will need to do a bit of configuration work. PowerShell’s group policy-related cmdlets are a part of the Group Policy module, and this module is not installed in Windows by default. To install this module, simply install the Group Policy Management feature, as shown below. If you don’t want to use the Windows GUI, you can install the feature through PowerShell by using the Install-WindowsFeature cmdlet.

Once the required feature has been installed, you will need to import the Group Policy module into PowerShell. The command used for doing so is:

Import-Module GroupPolicy

You can see all of the group policy-related cmdlets that are available to you within the module, by using this command:

Get-Command -Module GroupPolicy

Here is what the output looks like.

The Resultant Set of Policy

The primary command that is used to evaluate the manner in which group policy objects are being applied is the Get-GPResultantSetofPolicy cmdlet. It is important to note the spelling of this cmdlet, as some websites incorrectly report the cmdlet’s spelling as Get-ResultantSetofPolicy rather than Get-GPResultantSetofPolicy.

The Get-GPResultantSetofPolicy cmdlet can help you evaluate the group policy settings that are in effect for a particular user and/or computer. Here is the cmdlet’s full syntax, as listed by Microsoft:

Get-GPResultantSetofPolicy -Path <String> -ReportType {Xml | Html} [-Computer <String>] [-User <String>] [<CommonParameters>]

As PowerShell cmdlets go, this cmdlet really isn’t all that complicated. Some PowerShell cmdlets support an absolutely ridiculous number of parameters, but this cmdlet only has a few. That being the case, I want to take a moment and talk about some of the more important parameters.

Path – When you run the Get-GPResultantSetofPolicy cmdlet, the cmdlet’s output is written to a report file rather than being displayed on the screen. The Path parameter is a required parameter that is used to determine where the report file will be placed.

ReportType – PowerShell gives you a choice as to the format of the report file that is created. A report can be created either as an XML file or as an HTML file. You can make this determination by using the ReportType parameter. Incidentally, the ReportType parameter is a required parameter.

Computer – As previously discussed, the Resultant Set of Policy can be made up of multiple group policy objects. These objects can be applied either to user accounts or to computer accounts. The Computer parameter allows you to specify the name of a computer that you want to evaluate. The Computer parameter is optional, and it can be used by itself or combined with the User parameter.

PowerShell is very flexible with regard to the Computer parameter’s usage. The computer name can be entered in a wide variety of formats. The most commonly used formats are the Fully Qualified Domain Name (FQDN) and the NetBIOS name, but other naming conventions are also supported, as outlined in Microsoft’s documentation.

User – The User parameter is an optional parameter you can use to specify the name of the user whose group policy settings you want to evaluate. The User parameter can be used by itself or combined with a computer name. Like the Computer parameter, the user parameter is very flexible with regard to the input that is accepted. You can enter the username by itself, or you can combine the username with the domain name in various formats as outlined in the documentation.

As you would expect of a PowerShell cmdlet that has such a simple syntax, using Get-GPResultantSetOfPolicy is easy. In fact, if you want to evaluate the group policy settings for the account that you are using, on the computer that you are logged into right now, then you don’t even have to specify the User or Computer parameter. All you have to do is specify the report type and path. Such a command might look like this:

Get-GPResultantSetOfPolicy -ReportType HTML -Path C:\Reports\RSOP.HTM

Here is what the report looks like.

If you wanted to specify a username and a computer name, then the command really isn’t much different. Such a command would look something like this:

Get-GPResultantSetOfPolicy -ReportType HTML -Path C:\Reports\RSOP.HTM -User Poseylab\User1 -Computer WKS1

Of course, I inserted a username and a computer name from my own lab. You would obviously need to substitute values from your own environment.

As you can see, Microsoft makes it easy to get Resultant Set of Policy data using PowerShell. Even if you are not experiencing group policy issues, the Get-GPResultantSetOfPolicy cmdlet is worth taking a look at because the report also shows you things like group policy performance data and group policy errors.
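The HTML report is meant for reading; the XML report type can be processed in a script. The following is an added example, not code from the original article: it writes an XML report for the current user and computer, then lists each GPO with the container it is linked to. The function name Get-RsopGpoSummary, the path C:\Reports\RSOP.xml, and the XML element names it reads are assumptions that should be checked against a report generated in your own environment.

```powershell
# Added example, not from the original article.
# Assumptions: C:\Reports\RSOP.xml as the report path, and the report's element
# names (Rsop, ComputerResults, UserResults, GPO, Name, Enabled, AccessDenied,
# Link, SOMPath, AppliedOrder); confirm them against a report you generate.
Import-Module GroupPolicy

function Get-RsopGpoSummary {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$report = Get-Content -LiteralPath $Path -Raw
    foreach ($scope in 'ComputerResults', 'UserResults') {
        $results = $report.Rsop.$scope
        if ($null -eq $results) { continue }      # section missing from the report
        foreach ($gpo in @($results.GPO)) {
            if ($null -eq $gpo) { continue }      # section present but lists no GPOs
            foreach ($link in @($gpo.Link)) {     # one row per link of the GPO
                [pscustomobject]@{
                    Scope        = $scope -replace 'Results$', ''
                    Name         = $gpo.Name
                    LinkedTo     = $link.SOMPath
                    AppliedOrder = [int]$link.AppliedOrder
                    Enabled      = $gpo.Enabled -eq 'true'
                    AccessDenied = $gpo.AccessDenied -eq 'true'
                }
            }
        }
    }
}

# Create the report folder if needed, then write the XML report.
$reportDir = 'C:\Reports'
$xmlPath   = Join-Path $reportDir 'RSOP.xml'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
Get-GPResultantSetOfPolicy -ReportType Xml -Path $xmlPath | Out-Null

# Full list, grouped by computer/user scope.
$summary = Get-RsopGpoSummary -Path $xmlPath
$summary | Sort-Object Scope, AppliedOrder | Format-Table -AutoSize

# GPOs that are in scope but disabled or unreadable deserve a closer look.
$summary | Where-Object { -not $_.Enabled -or $_.AccessDenied } |
    Format-Table Scope, Name, LinkedTo -AutoSize
```

To evaluate a different account or machine, add the -User and -Computer parameters to the Get-GPResultantSetOfPolicy call exactly as in the command shown earlier.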
