Solved

Check applied GPOs on all domain computers

Posted on 2016-08-08
Last Modified: 2016-08-15
I know I can view applied group policy objects by going to the workstation, opening command prompt and running gpresult /h but I would like to generate reports from all workstations in the domain.

I was thinking of creating a script "gpresult /h \\server-share\%username%.html" to run on all workstations.

Is there perhaps an easier way to do this?
Question by:Gary Cook
LVL 41

Expert Comment

by:Adam Brown
ID: 41748209
You can run the Group Policy Modeling wizard in GPMC to examine what settings will apply to a computer or user (Or OU) based on how the GPOs are linked. https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx has instructions on using the wizard.

That said, though, Policies are generally applied at the OU level, and unless you are setting granular GPO permissions to block application by specific users or groups (This is not recommended), running the Modeling wizard for a specific OU of objects will allow you to see how everything in that OU will apply the policy.

So you could do as you suggest, which would give you the Group Policy modeling data directly from the computers, or you could run the Modeling wizard on each OU that holds computers or users in the environment and get the same results, but with fewer files and less data to shuffle through.

The only thing you would need to pay special attention to with the modeling method is which GPOs are set to enable Loopback Policy processing, and where those GPOs are linked. OUs that have that policy enabled in any GPO will cause User policies to apply to users that log in to computers in that OU.
0
 

Author Comment

by:Gary Cook
ID: 41749955
Thanks Adam for your input, but unfortunately it is not what I was looking for. The modeling wizard helps to check that the correct security groups are assigned to the policies, but I have come across some workstations that were unable to apply policies as they could not find the correct location of the policy store. What I need is to collect GPResults from each workstation on the network remotely instead of going to each workstation manually to check that they are able to apply GPO. The flaw that I have found with GPRESULT.exe is that even if I specify /SCOPE COMPUTER it still fails to collect the information because the domain administrator account has not physically logged on to each workstation.
0
 
LVL 41

Expert Comment

by:Adam Brown
ID: 41750290
What have you tried? PsExec should let you push the gpresult command out to all computers, and includes a switch to run in system context. That should make things easier. There's also remote PowerShell.
0

Author Comment

by:Gary Cook
ID: 41750306
I have tried a script written by Nirmal Sharma over at WindowsNetworking.com
http://www.windowsnetworking.com/articles-tutorials/netgeneral/reporting-application-gpos-remote-computers-and-generating-report-part2.html

This script references a txt file with computer names to run the following command per workstation.
FOR /F "Tokens=*" %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R > %L_GPResult.TXT

But for every computer I get the following error message
INFO: The user "DOMAIN\Administrator" does not have RSOP data.

A quick Google search led me to some articles explaining that GPRESULT.exe retrieves settings from the registry and because the domain administrator account hasn't physically logged on to each workstation it can't retrieve the COMPUTER applied group policies.

Even if I try GPResult.exe /S %L /USER %USERNAME% /SCOPE Computer /R > %L_GPResult.TXT
I get this error message:
INFO: The user "%USERNAME%" does not have RSOP data.
0
 

Accepted Solution

by:
Gary Cook earned 0 total points
ID: 41750513
After a whole day of searching and trying different scripts I found an application from Microsoft.
Group Policy Inventory (GPInventory.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=14126&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel.
0
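An added example (not part of the original thread, and not GPInventory's own code) of the kind of remote WMI query against RSoP data that the accepted answer describes: it reads the `RSOP_GPO` class from each workstation's `root\rsop\computer` namespace, so no user logon on the target is involved, and it records workstations that are unreachable or hold no RSoP data. It assumes the `Computers.TXT` list from the earlier comment, WinRM enabled on the targets, and RSoP logging left on; the function name and output file name are hypothetical.

```powershell
# Added example, not from the thread. Assumptions: Computers.TXT holds one
# computer name per line, WinRM is enabled on the targets, and RSoP logging
# has not been turned off by policy. Get-ComputerRsopGpo is a hypothetical name.
function Get-ComputerRsopGpo {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        # Same columns for every outcome so Export-Csv keeps a stable header.
        $row = [ordered]@{
            Computer = $computer; Status = 'OK'; GpoName = $null; GpoGuid = $null
            Enabled = $null; AccessDenied = $null; FilterAllowed = $null
            SysvolPath = $null
        }
        try {
            # Computer-scope RSoP logging data is stored in root\rsop\computer.
            $gpos = @(Get-CimInstance -ComputerName $computer `
                        -Namespace 'root\rsop\computer' -ClassName RSOP_GPO `
                        -ErrorAction Stop)
            if ($gpos.Count -eq 0) {
                # Reachable, but policy processing left no GPO records.
                $row.Status = 'NoRsopData'
                [pscustomobject]$row
                continue
            }
            foreach ($gpo in $gpos) {
                $row.GpoName       = $gpo.name
                $row.GpoGuid       = $gpo.guidName
                $row.Enabled       = $gpo.enabled
                $row.AccessDenied  = $gpo.accessDenied   # excluded by security filtering
                $row.FilterAllowed = $gpo.filterAllowed  # passed the WMI filter
                $row.SysvolPath    = $gpo.fileSystemPath # policy store location used
                [pscustomobject]$row
            }
        }
        catch {
            # Unreachable host, WinRM refused, or the RSoP namespace is missing.
            $row.Status = "Failed: $($_.Exception.Message)"
            [pscustomobject]$row
        }
    }
}

$computers = Get-Content -Path .\Computers.TXT | Where-Object { $_.Trim() }
Get-ComputerRsopGpo -ComputerName $computers |
    Export-Csv -Path .\ComputerRsopGpos.csv -NoTypeInformation
```

Rows whose `Status` is not `OK` are the workstations to investigate first; for the rest, `SysvolPath` shows where each GPO was read from.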
 

Author Closing Comment

by:Gary Cook
ID: 41756113
Found a solution on my own
0
