Why You Should Use GPResult and Abandon RSOP.MSC

From Windows 2000 through Vista, the go-to tool for troubleshooting Group Policy on the client was RSOP.msc. GPResult was always, at least for me, a second choice in troubleshooting. Yes, GPResult had unique features and was certainly useful at times, but the similar interfaces of RSOP.MSC and the Group Policy Management Editor made troubleshooting so much easier.

RSOP.MSC
Beginning with Windows Vista SP1, Microsoft made GPResult the primary tool for troubleshooting Group Policy on a client and started pushing organizations to do the same.

Warning when Running RSOP

This was done for a few reasons, including:
• The ability to log a greater number of client-side extensions (CSEs) such as Group Policy Preferences. As you will notice, the two pictures above only show Administrative templates and Security settings.
• The ability to use a graphical view or a command line view with a single tool.
• To provide a standard open format for searching, scripting, etc.
• Easier remote usage

 

Clarifying Some Terms

Before we dive further down the GPResult rabbit hole, we need to clear up the usage of RSOP. Technically, RSOP stands for Resultant Set Of Policy. So when asked, "what's the RSOP of that machine?" - you are being asked for the final application of Group Policy. You are not being asked to run the RSOP.MSC tool.

To keep things simple, I prefer to ask my co-workers, "what's the GPResult?" This eliminates confusion between the two tools.

 

Using GPResult

With GPResult, you have two main ways of operating - Command Line or Graphical. Most of the time, I stick with the Graphical view because 99% of the time the Graphical view has everything I need.

Help with GPResult
To get the graphical view of GPResult, run this command: GPResult /h Report.htm /f. The /h switch saves the report in HTML format under the file name that follows it. The /f switch overwrites the existing file (Report.htm) if there is one. To run GPResult at the command line, I normally run GPResult /r /z. This generates a super-verbose report that contains the RSOP summary data.
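The "standard open format for searching, scripting" point from the list above, in practice: besides /h, gpresult can save the same report as XML with /x, and a script can then check whether the policies you depend on really applied. The PowerShell below is an added example, not part of the original article; the sample report is constructed and trimmed, the element names are assumed from the usual report layout (verify them against your own Report.xml), and $required is a hypothetical baseline list.

```powershell
# Constructed sample, trimmed to the elements read below. For a real machine:
#   gpresult /x Report.xml /f ; [xml]$report = Get-Content .\Report.xml
[xml]$report = @'
<Rsop>
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name><Enabled>true</Enabled>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>corp.example</SOMPath></Link></GPO>
    <GPO><Name>Workstation Baseline</Name><Enabled>true</Enabled>
      <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied>
      <Link><SOMPath>corp.example/Workstations</SOMPath></Link></GPO>
  </ComputerResults>
  <UserResults>
    <GPO><Name>Laptop Settings</Name><Enabled>true</Enabled>
      <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>corp.example/Staff</SOMPath></Link></GPO>
  </UserResults>
</Rsop>
'@

function Get-GpoStatus {
    param([Parameter(Mandatory)][xml]$Report)
    foreach ($scope in 'ComputerResults', 'UserResults') {
        foreach ($gpo in $Report.Rsop.$scope.GPO) {
            # Element text is a string, so compare against 'true'/'false'.
            # Later checks take precedence over earlier ones.
            $status = 'Applied'
            if ($gpo.Enabled -eq 'false')       { $status = 'Disabled' }
            if ($gpo.FilterAllowed -eq 'false') { $status = 'Denied (WMI filter)' }
            if ($gpo.AccessDenied -eq 'true')   { $status = 'Denied (security filtering)' }
            [pscustomobject]@{
                Scope    = $scope -replace 'Results$'
                Name     = $gpo.Name
                LinkedAt = $gpo.Link.SOMPath -join ', '
                Status   = $status
            }
        }
    }
}

# Hypothetical list of GPOs that must be in effect on every workstation.
$required = 'Default Domain Policy', 'Workstation Baseline'

$all = Get-GpoStatus -Report $report
$all | Format-Table -AutoSize
# Warn about any required GPO that is in scope but did not apply.
$all | Where-Object { $_.Name -in $required -and $_.Status -ne 'Applied' } |
    ForEach-Object { Write-Warning "$($_.Name): $($_.Status)" }
```

With the constructed sample, the warning names Workstation Baseline as denied by security filtering, the kind of silent gap that is easy to miss when skimming the HTML report.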

 

Running Remotely

While you can use the /S parameter in GPResult to specify a remote machine, I prefer using the Group Policy Results Wizard in the Group Policy Management Console (GPMC). This can be found at the very bottom of GPMC.

GPResult Wizard
By proceeding through the wizard, you can select remote computers and remote users. When finished, you will see the entire Group Policy Result for both the computer and the user. You will also be able to see:

• OU location for both Computer and User
• Group Memberships
• Length and status of processing time for each CSE (ex: Folder Redirection - Success - 1.2 seconds)
• Links to the Group Policy event log
• Detailed information for all policies and preferences.

 

One Last (maybe) Better Way

I spend a lot of my day inside of Active Directory Users and Computers (ADUC). I also hate switching windows just to grab a tool. Because of this, I add most scripts/tools that I use into a custom ADUC MMC. One script that I've added is a GPResult script.


# Ask for the target computer.
$Computer = Read-Host "What is the computer name?"

# Look up the user currently logged on to the remote machine.
$Username = (Get-WmiObject Win32_ComputerSystem -ComputerName $Computer).UserName

# Nobody is logged on: list users who logged on previously and ask which one to use.
# Out-Host makes sure the list is shown before the prompt appears.
if (-not $Username) {
    Get-WmiObject Win32_NetworkLoginProfile -ComputerName $Computer | Select-Object Caption | Out-Host
    $Username = Read-Host "What user would you like to use?"
}

# Generate the HTML report (overwriting any existing Report.htm) and open it.
gpresult.exe /s "$Computer" /user "$Username" /h Report.htm /f
Start-Process .\Report.htm




This script prompts you for a computer name and then looks up the currently logged-in user on the remote machine. If no logged-in user is found, it looks up previously logged-in users and prompts you for a user to use. It will then generate a GPResult and launch the report automatically! While probably not perfect, this script saves me a ton of time.

This article first appeared on my blog, DeployHappiness