Solved

Check applied GPOs on all domain computers

Posted on 2016-08-08
Last Modified: 2016-08-15
I know I can view applied group policy objects by going to the workstation, opening command prompt and running gpresult /h but I would like to generate reports from all workstations in the domain.

I was thinking of creating a script "gpresult /h \\server-share\%username%.html" to run on all workstations.

Is there perhaps an easier way to do this?
Question by:Gary Cook
 
LVL 40

Expert Comment

by:Adam Brown
ID: 41748209
You can run the Group Policy Modeling wizard in GPMC to examine what settings will apply to a computer or user (or OU) based on how the GPOs are linked. https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx has instructions on using the wizard.

That said, though, Policies are generally applied at the OU level, and unless you are setting granular GPO permissions to block application by specific users or groups (This is not recommended), running the Modeling wizard for a specific OU of objects will allow you to see how everything in that OU will apply the policy.

So you could do as you suggest, which would give you the Group Policy modeling data directly from the computers, or you could run the Modeling wizard on each OU that holds computers or users in the environment and get the same results, but with fewer files and less data to shuffle through.

The only thing you would need to pay special attention to with the modeling method is which GPOs are set to enable Loopback Policy processing, and where those GPOs are linked. OUs that have that policy enabled in any GPO will cause User policies to apply to users that log in to computers in that OU.

Author Comment

by:Gary Cook
ID: 41749955
Thanks Adam for your input, but unfortunately it is not what I was looking for. The modeling wizard helps to check that the correct security groups are assigned to the policies, but I have come across some workstations that were unable to apply policies as they could not find the correct location of the policy store. What I need is to collect GPResults from each workstation on the network remotely instead of going to each workstation manually to check that they are able to apply GPOs. The flaw that I have found with GPRESULT.exe is that even if I specify /SCOPE COMPUTER it still fails to collect the information because the domain administrator account has not physically logged on to each workstation.
LVL 40

Expert Comment

by:Adam Brown
ID: 41750290
What have you tried? PsExec should let you push the gpresult command out to all computers, and includes a switch to run in system context. That should make things easier. There's also remote PowerShell.
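
One way to do the remote PowerShell collection mentioned above, as an added example that is not part of the original thread. It assumes WinRM is enabled on the targets, the account running it is a local administrator on them, and Computers.TXT lists one computer name per line; the GPResults output folder and summary.csv are hypothetical names.

```powershell
# Added example: collect computer-scope gpresult output over PowerShell remoting.
# Assumptions: WinRM is enabled on the targets and the account running this
# is a local administrator on them. Computers.TXT holds one name per line.
$computers = Get-Content -Path .\Computers.TXT | Where-Object { $_.Trim() }
$outDir    = Join-Path $PWD 'GPResults'          # hypothetical output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$summary = foreach ($name in $computers) {
    $status = 'OK'
    try {
        # gpresult runs locally on the target; its text comes back over the
        # session, so the remote side never has to write to a file share
        # (which would need a second authentication hop).
        $text = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            gpresult.exe /SCOPE COMPUTER /R 2>&1 | Out-String
        }
        Set-Content -Path (Join-Path $outDir "${name}_GPResult.TXT") -Value $text
        # Flag the message quoted in this thread so those machines stand out.
        if ($text -match 'does not have RSOP data') { $status = 'NoRsopData' }
    }
    catch {
        # Offline host, WinRM disabled, access denied, and so on.
        $status = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $name; Status = $status }
}

# One row per computer; anything other than OK needs a manual look.
$summary | Export-Csv -Path (Join-Path $outDir 'summary.csv') -NoTypeInformation
$summary | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

The summary separates machines that could not be reached from machines that answered but returned no RSoP data, which are different problems to chase.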

Author Comment

by:Gary Cook
ID: 41750306
I have tried a script written by Nirmal Sharma over at WindowsNetworking.com
http://www.windowsnetworking.com/articles-tutorials/netgeneral/reporting-application-gpos-remote-computers-and-generating-report-part2.html

This script references a txt file with computer names to run the following command per workstation.
FOR /F "Tokens=*" %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R > %L_GPResult.TXT

But for every computer I get the following error message
INFO: The user "DOMAIN\Administrator" does not have RSOP data.

A quick Google search led me to some articles explaining that GPRESULT.exe retrieves settings from the registry and because the domain administrator account hasn't physically logged on to each workstation it can't retrieve the COMPUTER applied group policies.

Even if I try GPResult.exe /S %L /USER %USERNAME% /SCOPE Computer /R > %L_GPResult.TXT
I get this error message:
INFO: The user "%USERNAME%" does not have RSOP data.

Accepted Solution

by:Gary Cook
ID: 41750513
After a whole day of searching and trying different scripts I found an application from Microsoft.
Group Policy Inventory (GPInventory.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=14126&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel.

Author Closing Comment

by:Gary Cook
ID: 41756113
Found a solution on my own