Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Check applied GPO's on all domain computers

Posted on 2016-08-08
6
Medium Priority
?
665 Views
Last Modified: 2016-08-15
I know I can view applied group policy objects by going to the workstation, opening command prompt and running gpresult /h but I would like to generate reports from all workstations in the domain.

Is was thinking of creating a script "gpresult /h \\server-share\%username%.html" to run on all workstations.

Is there perhaps an easier way to do this?
0
Comment
Question by:Gary Cook
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 43

Expert Comment

by:Adam Brown
ID: 41748209
You can run the Group Policy Modeling wizard in GPMC to examine what settings will apply to a computer or user (Or OU) based on how the GPOs are linked. https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx has instructions on using the wizard.

That said, though, Policies are generally applied at the OU level, and unless you are setting granular GPO permissions to block application by specific users or groups (This is not recommended), running the Modeling wizard for a specific OU of objects will allow you to see how everything in that OU will apply the policy.

So you could do as you suggest, which would give you the Group Policy modeling data directly from the computers, or you could run the Modeling wizard on each OU that holds computers or users in the environment and get the same results, but with fewer files and less data to shuffle through.

The only thing you would need to pay special attention to with the modeling method is which GPOs are set to enable Loopback Policy processing, and where those GPOs are linked. OUs that have that policy enabled in any GPO will cause User policies to apply to users that log in to computers in that OU.
0
 

Author Comment

by:Gary Cook
ID: 41749955
Thanks Adam for your input but unfortunately not what I was looking for. The modeling wizards helps to check that the correct security groups are assigned to the policies but I have come across some workstations that were unable to apply policies as they could not find the correct location of the policy store. What I need is to collect GPResults from each workstation on the network remotely instead of going each workstation manually to check that they are able to apply GPO. The flaw that I have found with GPRESULT.exe is that even if I specify /SCOPE COMPUTER it still fails to collect the information because the domain administrator account has not physically logged on to each workstation.
0
 
LVL 43

Expert Comment

by:Adam Brown
ID: 41750290
What have you tried? Psexec should let you push the gpresult command out to all computers, and includes a switch to run in system context. That should make things easier. There's also remote powershell.
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 

Author Comment

by:Gary Cook
ID: 41750306
I have tried a script written by Nirmal Sharma over at WindowsNetworking.com
http://www.windowsnetworking.com/articles-tutorials/netgeneral/reporting-application-gpos-remote-computers-and-generating-report-part2.html

This script references a txt file with computer names to run the following command per workstation.
FOR /F “Tokens=*” %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R > %L_GPResult.TXT

But for every computer I get the following error message
INFO: The user "DOMAIN\Administrator" does not have RSOP data.

A quick Google search led me to some articles explaining that GPRESULT.exe retrieves settings from the registry and because the domain administrator account hasn't physically logged on to each workstation it can't retrieve the COMPUTER applied group policies.

Even if I try GPResult.exe /S %L /USER %USERNAME% /SCOPE Computer /R > %L_GPResult.TXT
I get this error message:
INFO: The user "%USERNAME%" does not have RSOP data.
0
 

Accepted Solution

by:
Gary Cook earned 0 total points
ID: 41750513
After a whole day of searching and trying different scripts I found an application from Microsoft.
Group Policy Inventory (GPInventory.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=14126&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel.
0
 

Author Closing Comment

by:Gary Cook
ID: 41756113
Found a solution on my own
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introducing Priority Question, our latest feature.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question