Why You Should Use GPResult and Abandon RSOP.MSC
Published:
Browse All Articles > Why You Should Use GPResult and Abandon RSOP.MSC
From Windows 2000 through Vista, the go to tool for troubleshooting Group Policy on the client was RSOP.msc. GPResult was always, at least for me, a second choice in troubleshooting. Yes, GPResult had unique features and was certainly useful at times. The similar interfaces between RSOP.MSC and the Group Policy Management Editor made troubleshooting so much easier.
![RSOP.MSC]()
Beginning with Windows Vista SP1, Microsoft made GPResult the primary tool for troubleshooting Group Policy on a client and started pushing organizations to do the same.
![Warning when Running RSOP]()
This was done for a few reasons, including:
•The ability to log a greater number of client side extensions (CSEs) such as Group Policy Preferences. As you will notice, the two pictures above only show Administrative templates and Security settings.
•The ability to use a graphical view or a command line view with a single tool.
•To provide a standard open format for searching, scripting, etc.
•Easier remote usage
Clarifying Some Terms
Before we dive further down the GPResult rabbit hole, we need to clear up the usage of RSOP. Technically, RSOP stands for Resultant Set Of Policy. So when asked, "what's the RSOP of that machine?" - you are being asked for the final application of Group Policy. You are not being asked to run the RSOP.MSC tool.
To keep things simple, I prefer to ask my co-workers, "what's the GPResult?" This eliminates confusion between the two tools.
Using GPResult
With GPResult, you have two main ways of operating - Command Line or Graphical. Most of the time, I stick with the Graphical view because 99% of the time the Graphical view has everything I need.
![Help with GPResult]()
To get the graphical view of GPResult, run this command: GPResult /h Report.htm /f . The /h generates a file name in a HTML format. The /f overwrites an existing file (Report.htm) if it exists. To run GPResult in the command line, I normally run GPResult /r /z. This generates a super-verbose report that contains the RSOP summary data.
Running Remotely
While you can use the /S parameter in GPResult to specify a remote machine, I prefer using the Group Policy Results Wizard in the Group Policy Management Console (GPMC). This can be found at the very bottom of GPMC.
![GPResult Wizard]()
By proceeding through the wizard, you can select remote computers and remote users. When finished, you will see the entire Group Policy Result for both the computer and the user. You will also be able to see:
•OU location for both Computer and User
•Group Memberships
•Length and status of processing time for each CSE (ex: Folder Redirection - Success- 1.2 seconds)
•Links to the Group Policy event log
•Detailed information for all policies and preferences.
One Last (maybe) Better Way
I spend a lot of my day inside of Active Directory Users and Computers (ADUC). I also hate switching windows just to grab a tool. Because of this, I add most scripts/tools that I use into a custom ADUC MMC. One script that I've added is a GPResult script.
This script prompts you for a computer name and then looks up the current logged in user on the remote machine. If no logged in user is found, it looks up previous logged in users and prompts you for a user to use. It will then generate a GPResult and launch the report automatically! While probably not perfect, this script saves me a ton of time.
This article first appeared on my blog, DeployHappiness
Beginning with Windows Vista SP1, Microsoft made GPResult the primary tool for troubleshooting Group Policy on a client and started pushing organizations to do the same.
This was done for a few reasons, including:
•The ability to log a greater number of client side extensions (CSEs) such as Group Policy Preferences. As you will notice, the two pictures above only show Administrative templates and Security settings.
•The ability to use a graphical view or a command line view with a single tool.
•To provide a standard open format for searching, scripting, etc.
•Easier remote usage
Clarifying Some Terms
Before we dive further down the GPResult rabbit hole, we need to clear up the usage of RSOP. Technically, RSOP stands for Resultant Set Of Policy. So when asked, "what's the RSOP of that machine?" - you are being asked for the final application of Group Policy. You are not being asked to run the RSOP.MSC tool.
To keep things simple, I prefer to ask my co-workers, "what's the GPResult?" This eliminates confusion between the two tools.
Using GPResult
With GPResult, you have two main ways of operating - Command Line or Graphical. Most of the time, I stick with the Graphical view because 99% of the time the Graphical view has everything I need.
To get the graphical view of GPResult, run this command: GPResult /h Report.htm /f . The /h generates a file name in a HTML format. The /f overwrites an existing file (Report.htm) if it exists. To run GPResult in the command line, I normally run GPResult /r /z. This generates a super-verbose report that contains the RSOP summary data.
Running Remotely
While you can use the /S parameter in GPResult to specify a remote machine, I prefer using the Group Policy Results Wizard in the Group Policy Management Console (GPMC). This can be found at the very bottom of GPMC.
By proceeding through the wizard, you can select remote computers and remote users. When finished, you will see the entire Group Policy Result for both the computer and the user. You will also be able to see:
•OU location for both Computer and User
•Group Memberships
•Length and status of processing time for each CSE (ex: Folder Redirection - Success- 1.2 seconds)
•Links to the Group Policy event log
•Detailed information for all policies and preferences.
One Last (maybe) Better Way
I spend a lot of my day inside of Active Directory Users and Computers (ADUC). I also hate switching windows just to grab a tool. Because of this, I add most scripts/tools that I use into a custom ADUC MMC. One script that I've added is a GPResult script.
$computer= Read-Host "What is the computer name?"
$User= Get-WmiObject Win32_Computersystem -ComputerName $computer | Select-Object Username
$Username=$User.Username
if ($Username -eq $null) {
Get-WmiObject Win32_NetworkLoginProfile -ComputerName $computer | Select-Object Caption
$InputUser=Read-Host "What user would you like to use?"
}
if ($Username -eq $null) {
gpresult.exe /s $Computer /user $InputUser /h Report.htm /f
}
else {
gpresult.exe /s "$Computer" /user "$Username" /h Report.htm /f
}
start report.htm
This script prompts you for a computer name and then looks up the current logged in user on the remote machine. If no logged in user is found, it looks up previous logged in users and prompts you for a user to use. It will then generate a GPResult and launch the report automatically! While probably not perfect, this script saves me a ton of time.
This article first appeared on my blog, DeployHappiness
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Comments (0)