
Why You Should Use GPResult and Abandon RSOP.MSC

From Windows 2000 through Vista, the go-to tool for troubleshooting Group Policy on the client was RSOP.msc. GPResult was always, at least for me, a second choice in troubleshooting. Yes, GPResult had unique features and was certainly useful at times, but the similar interfaces of RSOP.MSC and the Group Policy Management Editor made troubleshooting with RSOP.MSC so much easier.

RSOP.MSC
Beginning with Windows Vista SP1, Microsoft made GPResult the primary tool for troubleshooting Group Policy on a client and started pushing organizations to do the same.

Warning when Running RSOP

This was done for a few reasons, including:
• The ability to log a greater number of client-side extensions (CSEs), such as Group Policy Preferences. As you will notice, the two pictures above only show Administrative Templates and Security Settings.
• The ability to use a graphical view or a command line view with a single tool.
• To provide a standard open format for searching, scripting, etc.
• Easier remote usage.

 

Clarifying Some Terms

Before we dive further down the GPResult rabbit hole, we need to clear up the usage of RSOP. Technically, RSOP stands for Resultant Set Of Policy. So when asked, "what's the RSOP of that machine?" - you are being asked for the final application of Group Policy. You are not being asked to run the RSOP.MSC tool.

To keep things simple, I prefer to ask my co-workers, "what's the GPResult?" This eliminates confusion between the two tools.

 

Using GPResult

With GPResult, you have two main ways of operating - Command Line or Graphical. Most of the time, I stick with the Graphical view because 99% of the time the Graphical view has everything I need.

Help with GPResult
To get the graphical view of GPResult, run this command: GPResult /h Report.htm /f. The /h switch saves the report in HTML format under the file name you give it. The /f switch overwrites the existing file (Report.htm) if there is one. To run GPResult in the command line, I normally run GPResult /r /z. This generates a super-verbose report that contains the RSOP summary data.
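GPResult can also write the report as XML with /x in place of /h, which is the format to use for searching and scripting. The PowerShell below is an added example, not code from the original article: the function name Get-GPResultGpoStatus is hypothetical, the sample XML is constructed, and the element names it reads are assumptions to check against a report from your own environment. It lists every GPO in a report and flags the ones that did not apply, such as a security baseline blocked by filtering.

```powershell
# Constructed sample, shaped like the XML that "gpresult /x Report.xml /f" writes.
# Element names (GPO, Name, Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath) are assumptions.
$sample = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <GPO><Name>Default Domain Policy</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.test</SOMPath></Link></GPO>
    <GPO><Name>Workstation Security Baseline</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>true</FilterAllowed><AccessDenied>true</AccessDenied>
      <Link><SOMPath>example.test/Workstations</SOMPath></Link></GPO>
  </ComputerResults>
  <UserResults>
    <GPO><Name>Folder Redirection</Name>
      <Enabled>true</Enabled><IsValid>true</IsValid>
      <FilterAllowed>false</FilterAllowed><AccessDenied>false</AccessDenied>
      <Link><SOMPath>example.test/Staff</SOMPath></Link></GPO>
  </UserResults>
</Rsop>
'@

function Get-GPResultGpoStatus {
    param([Parameter(Mandatory)][xml]$Report)
    # local-name() keeps the XPath independent of the report's XML namespace
    foreach ($gpo in $Report.SelectNodes("//*[local-name()='GPO']")) {
        $field = @{}
        foreach ($child in $gpo.ChildNodes) { $field[$child.LocalName] = $child.InnerText }
        $link = $gpo.SelectSingleNode("*[local-name()='Link']/*[local-name()='SOMPath']")
        # Report the first flag that explains why a GPO was skipped
        $status = if     ($field.AccessDenied  -eq 'true')  { 'Not applied: AccessDenied' }
                  elseif ($field.FilterAllowed -eq 'false') { 'Not applied: FilterAllowed=false' }
                  elseif ($field.Enabled       -eq 'false') { 'Not applied: Enabled=false' }
                  elseif ($field.IsValid       -eq 'false') { 'Not applied: IsValid=false' }
                  else                                      { 'Applied' }
        [pscustomobject]@{
            Scope    = $gpo.ParentNode.LocalName -replace 'Results$'   # Computer or User
            GPO      = $field.Name
            LinkedAt = if ($link) { $link.InnerText } else { '' }
            Status   = $status
        }
    }
}

# For a real report: $results = Get-GPResultGpoStatus -Report (Get-Content Report.xml -Raw)
$results = Get-GPResultGpoStatus -Report $sample
$results | Where-Object Status -ne 'Applied' | Format-Table -AutoSize
```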

 

Running Remotely

While you can use the /S parameter in GPResult to specify a remote machine, I prefer using the Group Policy Results Wizard in the Group Policy Management Console (GPMC). This can be found at the very bottom of GPMC.

GPResult Wizard
By proceeding through the wizard, you can select remote computers and remote users. When finished, you will see the entire Group Policy Result for both the computer and the user. You will also be able to see:

• OU location for both Computer and User
• Group Memberships
• Length and status of processing time for each CSE (ex: Folder Redirection - Success - 1.2 seconds)
• Links to the Group Policy event log
• Detailed information for all policies and preferences

 

One Last (maybe) Better Way

I spend a lot of my day inside of Active Directory Users and Computers (ADUC). I also hate switching windows just to grab a tool. Because of this, I add most scripts/tools that I use into a custom ADUC MMC. One script that I've added is a GPResult script.


# Prompt for the target computer and look up the interactively logged-on user
$Computer = Read-Host "What is the computer name?"
$Username = (Get-WmiObject Win32_ComputerSystem -ComputerName $Computer).UserName

# Nobody is logged on: list previous logon profiles and ask which user to report on
if ([string]::IsNullOrEmpty($Username)) {
    # Out-Host makes the list appear before the prompt instead of after it
    Get-WmiObject Win32_NetworkLoginProfile -ComputerName $Computer |
        Select-Object Caption | Out-Host
    $Username = Read-Host "What user would you like to use?"
}

# Generate the HTML report (overwriting any existing Report.htm) and open it
gpresult.exe /s $Computer /user $Username /h Report.htm /f
Invoke-Item Report.htm




This script prompts you for a computer name and then looks up the currently logged-in user on the remote machine. If no logged-in user is found, it looks up previously logged-in users and prompts you for a user to use. It will then generate a GPResult and launch the report automatically! While probably not perfect, this script saves me a ton of time.

This article first appeared on my blog, DeployHappiness