This tool reports the final settings applied from the GPOs on the
local computer and from Active Directory. The tool works in conjunction
with the RSoP tool. If you are troubleshooting the actual settings,
attempting to determine which GPOs applied, or seeking other details of
GPO application on a computer, this is an essential tool.
GPResult is a built-in tool for Windows XP, Windows Vista, Windows
Server 2003, and Windows Server 2008. If you are running Windows 2000,
you must obtain the tool from the Microsoft Windows 2000 Resource Kit.
The two versions are not compatible.
GPResult is a pure command-line tool, but it can provide invaluable
information regarding the GPOs for a target system. The tool reports on
both user and computer policies. If you run the GPResult tool with just
the /R switch, it reports the important information regarding the GPOs
in the command prompt window. If you want to save the report in HTML
format, use the /H switch in combination with the path and file name,
such as gpresult /h c:\gpresult.html. The resulting .html file is shown
in Figure 2.
If this is not enough information to help you identify your GPO
problem, you can expand the output by using the /V switch, which is the
verbose option. This will include more detailed information about the
GPOs that were applied, including setting information.
If the verbose information is not enough, you can use the “super
verbose” switch, /Z. This will give you all that the verbose option
does, as well as binary information on some of the GPO settings, if you
need to troubleshoot down to this level.
Note
As with any other command-line tool, typing gpresult /? will provide information on all switches and examples.
GPUpdate
will automatically cause a refresh of the GPOs from the local computer
and all of the GPOs at the Active Directory level. If you do not want
to log off and log back on, restart the computer, or wait for the
periodic refresh interval, this is an ideal option for applying GPOs.
Use of this tool is very common for testing or initially implementing
GPO settings.
The tool allows you to update just the user GPO, just the computer
GPO, or both user and computer GPOs. If you run the tool with no
switches, it will refresh both user and computer GPO settings.
A valuable feature of this tool is the option to “force” the
application of the GPOs from Active Directory, even if the GPO version
number has not changed. This is ideal for ensuring that any local
settings that have been altered manually are changed back to what the
GPO indicates they should be.
Warning
Using the /force switch with GPUpdate will not force a foreground
refresh of Group Policy. The only way to force a foreground refresh of
Group Policy is to restart the computer for computer settings and log
off and log back on for user settings.
A drawback of the tool is that you cannot use it remotely; it works only for the computer where it is being run.
GPOTool helps locate inconsistencies with the GPO versions stored in
Active Directory and in SYSVOL. Of course, we now know that an
inconsistent GPO for these two storage locations can break them.
GPOTool is available in the resource kits for both Windows 2000 and
Windows Server 2003. If you do not have one of these resource kits, you
can download GPOTool from Microsoft at http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96eeb18c4790cffd&displaylang=en.
GPOTool checks for inconsistency between Active Directory and SYSVOL
versions of the same GPO across peer domain controllers. This
information can help you determine whether replication latency is
causing failure of computers or users to receive updates to new GPO
settings that have not yet converged between domain controllers.
Some of the more interesting and useful switches included
with GPOTool include /checkacl and /verbose. The /checkacl switch
verifies the SYSVOL ACL, which is often changed by administrators
trying to lock down and target GPOs.
