?
Solved

Check applied GPO's on all domain computers

Posted on 2016-08-08
6
Medium Priority
?
443 Views
Last Modified: 2016-08-15
I know I can view applied group policy objects by going to the workstation, opening command prompt and running gpresult /h but I would like to generate reports from all workstations in the domain.

Is was thinking of creating a script "gpresult /h \\server-share\%username%.html" to run on all workstations.

Is there perhaps an easier way to do this?
0
Comment
Question by:Gary Cook
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 42

Expert Comment

by:Adam Brown
ID: 41748209
You can run the Group Policy Modeling wizard in GPMC to examine what settings will apply to a computer or user (Or OU) based on how the GPOs are linked. https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx has instructions on using the wizard.

That said, though, Policies are generally applied at the OU level, and unless you are setting granular GPO permissions to block application by specific users or groups (This is not recommended), running the Modeling wizard for a specific OU of objects will allow you to see how everything in that OU will apply the policy.

So you could do as you suggest, which would give you the Group Policy modeling data directly from the computers, or you could run the Modeling wizard on each OU that holds computers or users in the environment and get the same results, but with fewer files and less data to shuffle through.

The only thing you would need to pay special attention to with the modeling method is which GPOs are set to enable Loopback Policy processing, and where those GPOs are linked. OUs that have that policy enabled in any GPO will cause User policies to apply to users that log in to computers in that OU.
0
 

Author Comment

by:Gary Cook
ID: 41749955
Thanks Adam for your input but unfortunately not what I was looking for. The modeling wizards helps to check that the correct security groups are assigned to the policies but I have come across some workstations that were unable to apply policies as they could not find the correct location of the policy store. What I need is to collect GPResults from each workstation on the network remotely instead of going each workstation manually to check that they are able to apply GPO. The flaw that I have found with GPRESULT.exe is that even if I specify /SCOPE COMPUTER it still fails to collect the information because the domain administrator account has not physically logged on to each workstation.
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 41750290
What have you tried? Psexec should let you push the gpresult command out to all computers, and includes a switch to run in system context. That should make things easier. There's also remote powershell.
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:Gary Cook
ID: 41750306
I have tried a script written by Nirmal Sharma over at WindowsNetworking.com
http://www.windowsnetworking.com/articles-tutorials/netgeneral/reporting-application-gpos-remote-computers-and-generating-report-part2.html

This script references a txt file with computer names to run the following command per workstation.
FOR /F “Tokens=*” %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R > %L_GPResult.TXT

But for every computer I get the following error message
INFO: The user "DOMAIN\Administrator" does not have RSOP data.

A quick Google search led me to some articles explaining that GPRESULT.exe retrieves settings from the registry and because the domain administrator account hasn't physically logged on to each workstation it can't retrieve the COMPUTER applied group policies.

Even if I try GPResult.exe /S %L /USER %USERNAME% /SCOPE Computer /R > %L_GPResult.TXT
I get this error message:
INFO: The user "%USERNAME%" does not have RSOP data.
0
 

Accepted Solution

by:
Gary Cook earned 0 total points
ID: 41750513
After a whole day of searching and trying different scripts I found an application from Microsoft.
Group Policy Inventory (GPInventory.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=14126&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel.
0
 

Author Closing Comment

by:Gary Cook
ID: 41756113
Found a solution on my own
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are IT support and need to work after hours to resolve customer issues then here are a few tips on how to handle after hours support
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question