Check applied GPO's on all domain computers

I know I can view applied group policy objects by going to the workstation, opening command prompt and running gpresult /h but I would like to generate reports from all workstations in the domain.

Is was thinking of creating a script "gpresult /h \\server-share\%username%.html" to run on all workstations.

Is there perhaps an easier way to do this?
Gary CookSupport EngineerAsked:
Who is Participating?
 
Gary CookConnect With a Mentor Support EngineerAuthor Commented:
After a whole day of searching and trying different scripts I found an application from Microsoft.
Group Policy Inventory (GPInventory.exe)
https://www.microsoft.com/en-us/download/details.aspx?id=14126&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

Group Policy Inventory (GPInventory.exe) allows administrators to collect Group Policy and other information from any number of computers in their network by running multiple Resultant Set of User Policy (RSOP) or Windows Management Instrumentation (WMI) queries. The query results can be exported to either an XML or a text file, and can be analyzed in Excel.
1
 
Adam BrownSr Solutions ArchitectCommented:
You can run the Group Policy Modeling wizard in GPMC to examine what settings will apply to a computer or user (Or OU) based on how the GPOs are linked. https://technet.microsoft.com/en-us/library/cc771389(v=ws.11).aspx has instructions on using the wizard.

That said, though, Policies are generally applied at the OU level, and unless you are setting granular GPO permissions to block application by specific users or groups (This is not recommended), running the Modeling wizard for a specific OU of objects will allow you to see how everything in that OU will apply the policy.

So you could do as you suggest, which would give you the Group Policy modeling data directly from the computers, or you could run the Modeling wizard on each OU that holds computers or users in the environment and get the same results, but with fewer files and less data to shuffle through.

The only thing you would need to pay special attention to with the modeling method is which GPOs are set to enable Loopback Policy processing, and where those GPOs are linked. OUs that have that policy enabled in any GPO will cause User policies to apply to users that log in to computers in that OU.
0
 
Gary CookSupport EngineerAuthor Commented:
Thanks Adam for your input but unfortunately not what I was looking for. The modeling wizards helps to check that the correct security groups are assigned to the policies but I have come across some workstations that were unable to apply policies as they could not find the correct location of the policy store. What I need is to collect GPResults from each workstation on the network remotely instead of going each workstation manually to check that they are able to apply GPO. The flaw that I have found with GPRESULT.exe is that even if I specify /SCOPE COMPUTER it still fails to collect the information because the domain administrator account has not physically logged on to each workstation.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Adam BrownSr Solutions ArchitectCommented:
What have you tried? Psexec should let you push the gpresult command out to all computers, and includes a switch to run in system context. That should make things easier. There's also remote powershell.
0
 
Gary CookSupport EngineerAuthor Commented:
I have tried a script written by Nirmal Sharma over at WindowsNetworking.com
http://www.windowsnetworking.com/articles-tutorials/netgeneral/reporting-application-gpos-remote-computers-and-generating-report-part2.html

This script references a txt file with computer names to run the following command per workstation.
FOR /F “Tokens=*” %L IN (Computers.TXT) DO GPResult.exe /S %L /SCOPE Computer /R > %L_GPResult.TXT

But for every computer I get the following error message
INFO: The user "DOMAIN\Administrator" does not have RSOP data.

A quick Google search led me to some articles explaining that GPRESULT.exe retrieves settings from the registry and because the domain administrator account hasn't physically logged on to each workstation it can't retrieve the COMPUTER applied group policies.

Even if I try GPResult.exe /S %L /USER %USERNAME% /SCOPE Computer /R > %L_GPResult.TXT
I get this error message:
INFO: The user "%USERNAME%" does not have RSOP data.
1
 
Gary CookSupport EngineerAuthor Commented:
Found a solution on my own
1
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.