Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Why You Should Use GPResult and Abandon RSOP.MSC

Joseph MoodyBlogger and wearer of all hats.
From Windows 2000 through Vista, the go to tool for troubleshooting Group Policy on the client was RSOP.msc. GPResult was always, at least for me, a second choice in troubleshooting. Yes, GPResult had unique features and was certainly useful at times. The similar interfaces between RSOP.MSC and the Group Policy Management Editor made troubleshooting so much easier.

Beginning with Windows Vista SP1, Microsoft made GPResult the primary tool for troubleshooting Group Policy on a client and started pushing organizations to do the same.

Warning when Running RSOP

This was done for a few reasons, including:
•The ability to log a greater number of client side extensions (CSEs) such as Group Policy Preferences. As you will notice, the two pictures above only show Administrative templates and Security settings.
•The ability to use a graphical view or a command line view with a single tool.
•To provide a standard open format for searching, scripting, etc.
•Easier remote usage


Clarifying Some Terms

Before we dive further down the GPResult rabbit hole, we need to clear up the usage of RSOP. Technically, RSOP stands for Resultant Set Of Policy. So when asked, "what's the RSOP of that machine?" - you are being asked for the final application of Group Policy. You are not being asked to run the RSOP.MSC tool.

To keep things simple, I prefer to ask my co-workers, "what's the GPResult?" This eliminates confusion between the two tools.


Using GPResult

With GPResult, you have two main ways of operating - Command Line or Graphical. Most of the time, I stick with the Graphical view because 99% of the time the Graphical view has everything I need.

Help with GPResult
To get the graphical view of GPResult, run this command: GPResult /h Report.htm /f . The /h generates a file name in a HTML format. The /f overwrites an existing file (Report.htm) if it exists. To run GPResult in the command line, I normally run GPResult /r /z. This generates a super-verbose report that contains the RSOP summary data.


Running Remotely

While you can use the /S parameter in GPResult to specify a remote machine, I prefer using the Group Policy Results Wizard in the Group Policy Management Console (GPMC). This can be found at the very bottom of GPMC.

GPResult Wizard
By proceeding through the wizard, you can select remote computers and remote users. When finished, you will see the entire Group Policy Result for both the computer and the user. You will also be able to see:

•OU location for both Computer and User
•Group Memberships
•Length and status of processing time for each CSE (ex: Folder Redirection - Success- 1.2 seconds)
•Links to the Group Policy event log
•Detailed information for all policies and preferences.


One Last (maybe) Better Way

I spend a lot of my day inside of Active Directory Users and Computers (ADUC). I also hate switching windows just to grab a tool. Because of this, I add most scripts/tools that I use into a custom ADUC MMC. One script that I've added is a GPResult script.

$computer= Read-Host "What is the computer name?"
                      $User= Get-WmiObject Win32_Computersystem -ComputerName $computer | Select-Object Username
                      if ($Username -eq $null) {
                      Get-WmiObject Win32_NetworkLoginProfile -ComputerName $computer | Select-Object Caption
                      $InputUser=Read-Host "What user would you like to use?"
                      if ($Username -eq $null) {
                      gpresult.exe /s $Computer /user $InputUser /h Report.htm /f
                      else {
                      gpresult.exe /s "$Computer" /user "$Username" /h Report.htm /f
                      start report.htm

Open in new window

This script prompts you for a computer name and then looks up the current logged in user on the remote machine. If no logged in user is found, it looks up previous logged in users and prompts you for a user to use. It will then generate a GPResult and launch the report automatically! While probably not perfect, this script saves me a ton of time.

This article first appeared on my blog, DeployHappiness
Joseph MoodyBlogger and wearer of all hats.

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.