Reporting Application of GPOs on Remote Computers and Generating A Report (Part 1)

If you would like to read the next part of this article series please go to Reporting Application of GPOs on Remote Computers and Generating A Report (Part 2).

There are two types of GPO settings: those that apply to computer objects and those that apply to user objects. GPO settings that are defined in the User Configuration node apply to user objects, while GPO settings that are defined in the Computer Configuration node apply to computer objects. Since GPO settings are processed by the client-side extensions installed on the Windows client computers, it is not necessarily true that all GPO settings of a GPO will apply. However, before you start to investigate why GPO settings are not applied at a local or remote computer, you need to know whether the GPO in which these settings are configured has actually reached the target computers.

There are several ways to report the application of Group Policy Objects on Windows computers that are joined to an Active Directory domain. You can use GPResult.exe, Resultant Set of Policies (RSOP.msc), and the GPResultantSetOfPolicy PowerShell cmdlet to get GPO settings from a local or remote computer. The GPResult.exe command line tool allows you to collect GPO settings and a list of GPOs from a remote computer by specifying the remote computer name with the “/S” parameter. When running GPResult.exe for a local or remote computer, you can use various parameters as explained below:

  • GPResult /R parameter reports only GPO names. In case you need to see only GPO names that have been applied to both user and computer objects on a local or remote computer, this is the parameter you are going to use.
  • GPResult /V parameter collects GPO names and GPO settings that have been applied to both computer and user objects on a local or remote computer.

As stated earlier, before troubleshooting the application of GPO settings, it is important to know whether the GPO was applied on a computer. In case you need to get only GPO names from local or remote computers, you are going to use the “/R” parameter with the GPResult.exe command. Since the primary focus of this article is getting a list of GPOs applied to the user and computer objects, we are going to use the “/R” parameter in the GPResult commands explained throughout this article. Let’s take a look at some useful GPResult commands that you can use to get GPO names from remote computers.

To report GPO names from a remote computer, you can use the below GPResult command:

  • GPResult.exe /S PC1 /R

The above command retrieves a list of Group Policy Objects from the remote computer (PC1) that have been applied to both user and computer objects. In case you need to see GPO names that are applied only to the computer object, you can use the /SCOPE parameter as shown in the below command:

  • GPResult.exe /S PC1 /SCOPE Computer /R

The above command executes on PC1, gets the GPO names that are applied to the computer object and then displays the results on the screen. Note that the above commands run only on one computer, PC1. This is because the GPResult /S parameter does not support specifying multiple computer names. In case you need to execute the GPResult command on multiple computers, you can create a TEXT file, add all computer names to the TEXT file and then have the TEXT file processed through the FOR loop function as shown in the below command:

  • FOR /F "Tokens=*" %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R

Note that you can run the above command to get the GPO names from all computers specified in a TEXT file, but results are shown on the screen for all computers. If you want to capture the output to a TEXT file, you can use the append redirector (>>) after the FOR loop command as shown in the below command:

  • FOR /F "Tokens=*" %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R >> Results.TXT

The above command captures GPResult.exe output from all computers in one file named Results.TXT. In case you want to store GPResult output in a separate TEXT file for each computer, you can use the below command:

  • FOR /F "Tokens=*" %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R > %L_GPResult.TXT

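Note the use of “%L_GPResult.TXT” in the above command. It directs the FOR loop command to store the GPResult output for each remote computer in a separate TEXT file (i.e. %L_GPResult.TXT). %L is the variable that holds the current computer name being processed. If you place these commands in a batch file instead of typing them at the command prompt, write the variable as %%L.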

So far the above commands help you retrieve GPO names for a computer object. In case you need to get GPO names for a user object, all you need to do is to replace the “/SCOPE Computer” with “/SCOPE User” value in the above commands. Please note when running GPResult.exe with “/SCOPE User” parameter, GPResult.exe requires that the user is logged on to the target computer. In other words, GPResult.exe can fetch GPO names for a user object only if a user is logged on to the target computer. In case a user is not logged on to the target computer, you must specify the target username using /USER parameter as shown in the command below:

  • FOR /F "Tokens=*" %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE User /USER <UserName> /R >> %L_Results.TXT

So as long as you are looking for a report on GPOs that are applicable to a computer object, you can use the above commands with the “/SCOPE Computer” parameter, but the challenge is to get the GPOs applied to a user object. Since GPResult.exe requires that a user is logged on to the target machine, GPResult might not return any data for computers where no users are logged on. This is the issue IT admins have been facing when they need to retrieve GPO names and GPO settings for a user object from remote computers. As long as you know the names of the users corresponding to each system, you can use the “/USER” parameter and then get the user GPO data. The problem I see here is that not all organizations maintain a list of computers with their associated usernames. Anyway, this is the issue that I will be addressing in Part III of this article series. Let’s keep our focus on reporting the application of a GPO that is applicable to computer objects.

Although the results for all computers are captured in a separate TEXT file for each computer, there are still a few problems as listed below:

  • In case you need to see the GPO name for a specific computer, you would need to scroll through each file to check if a GPO was applied for a computer successfully. This might take a considerable amount of time if you need to check GPO names for thousands of computers.
  • Secondly, any errors returned by GPResult.exe are not captured by the above commands. For example, if a computer is not reachable, or GPResult.exe returns any other error, that error will not be captured in the TEXT file.
  • Finally, the above commands will report all Group Policy Objects for a remote computer. In other words, GPResult.exe does not provide a parameter that can be used to check a particular GPO.

Overall, you can run GPResult.exe for multiple remote computers by using the FOR loop function and store the output in a separate text file, but you will still need to write a couple of statements in a script to collect the data returned by GPResult.exe and prepare a nice report. I have designed a script, which you can use to check the application of a particular GPO on multiple remote computers from a central location. The script not only helps you generate a report in CSV format, but also provides logging capability to check for any errors that might occur when processing the GPResult command on remote computers. I will explain the use of the script in the second part of this article series.
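
One way to address the three problems listed above, as an added PowerShell example (not the author's script, which is covered in Part 2): it keeps GPResult.exe error text, extracts the "Applied Group Policy Objects" list and writes one CSV row per computer for a single GPO. The GPO name 'Workstation Baseline', the function names and GpoReport.csv are hypothetical, and the parser assumes English-language "GPResult /R" output and a non-zero exit code on failure.

```powershell
# Added example: not the article author's script. Assumes English "gpresult /R" output,
# where applied GPO names are listed under "Applied Group Policy Objects" until a blank line.
function Get-AppliedGpoName {
    param([string[]]$Lines)
    $inSection = $false; $seen = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*Applied Group Policy Objects\s*$') { $inSection = $true; continue }
        if (-not $inSection -or $line -match '^\s*-+\s*$') { continue }   # before heading, or dashed underline
        if ($line -match '^\s*$') { if ($seen) { break } else { continue } }   # blank line ends the list
        $seen = $true
        $line.Trim()
    }
}

function Test-GpoApplied {
    param([string]$ComputerName, [string]$GpoName)
    # 2>&1 keeps error text (e.g. unreachable host) that ">" alone would drop
    $out = & gpresult.exe /S $ComputerName /SCOPE Computer /R 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) {            # assumption: gpresult exits non-zero on failure
        $status = 'Error'; $detail = ($out -join ' ').Trim()
    } else {
        $applied = @(Get-AppliedGpoName -Lines $out)
        $status = if ($applied -contains $GpoName) { 'Applied' } else { 'NotApplied' }
        $detail = $applied -join '; '
    }
    [pscustomobject]@{ Computer = $ComputerName; Gpo = $GpoName; Status = $status; Detail = $detail }
}

# Constructed sample of the relevant part of "gpresult /R" output (not from a real host)
$sample = @'
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
'@ -split "`r?`n"
Get-AppliedGpoName -Lines $sample       # offline check of the parser on the sample

# Fleet run: one CSV row per computer listed in Computers.TXT (file name from the article)
if (Test-Path .\Computers.TXT) {
    Get-Content .\Computers.TXT | Where-Object { $_.Trim() } |
        ForEach-Object { Test-GpoApplied -ComputerName $_.Trim() -GpoName 'Workstation Baseline' } |
        Export-Csv .\GpoReport.csv -NoTypeInformation
}
```

Rows with Status 'Error' carry the GPResult.exe message in the Detail column, so unreachable computers appear in the report instead of silently missing from it.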

Conclusion

The first part of this article series explained the use of GPResult.exe command line tool to get the GPO names from remote computers. In the second part of this article series, I am going to provide you a script that you can use to get a report on the GPO names that have been applied to a computer object on remote machines.
