Windows Server 2008 and Windows Vista : Common GPO Troubleshooting Tools (part 3) - GPResult, GPOTool

6/27/2014 9:52:14 PM


This tool reports the final settings applied from the GPOs on the local computer and from Active Directory. The tool works in conjunction with the RSoP tool. If you are troubleshooting the actual settings, attempting to determine which GPOs applied, or seeking other details of GPO application on a computer, this is an essential tool.

GPResult is a built-in tool for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. If you are running Windows 2000, you must obtain the tool from the Microsoft Windows 2000 Resource Kit. The two versions are not compatible.

GPResult is a pure command-line tool, but it can provide invaluable information regarding the GPOs for a target system. The tool reports on both user and computer policies. If you run the GPResult tool with just the /R switch, it reports the important information regarding the GPOs in the command prompt window. If you want to save the report in HTML format, use the /H switch in combination with the path and file name, such as gpresult /h c:\gpresult.html. The resulting .html file is shown in Figure 2.

The GPResult command-line tool provides a report on the current Group Policy settings in HTML format.
Figure 2. The GPResult command-line tool provides a report on the current Group Policy settings in HTML format.

If this is not enough information to help you identify your GPO problem, you can expand the output by using the /V switch, which is the verbose option. This will include more detailed information about the GPOs that were applied, including setting information.

If the verbose information is not enough, you can use the “super verbose” switch, /Z. This will give you all that the verbose option does, as well as binary information on some of the GPO settings, if you need to troubleshoot down to this level.


As with any other command-line tool, typing gpresult /? will provide information on all switches and examples.


GPUpdate will automatically cause a refresh of the GPOs from the local computer and all of the GPOs at the Active Directory level. If you do not want to log off and log back on, restart the computer, or wait for the periodic refresh interval, this is an ideal option for applying GPOs. Use of this tool is very common for testing or initially implementing GPO settings.

The tool allows you to update just the user GPO, just the computer GPO, or both user and computer GPOs. If you run the tool with no switches, it will refresh both user and computer GPO settings.

A valuable feature of this tool is the option to “force” the application of the GPOs from Active Directory, even if the GPO version number has not changed. This is ideal for ensuring that any local settings that have been altered manually are changed back to what the GPO indicates they should be.


Using the /force switch with GPUpdate will not force a foreground refresh of Group Policy. The only way to force a foreground refresh of Group Policy is to restart the computer for computer settings and log off and log back on for user settings.

A drawback of the tool is that you cannot use it remotely; it works only for the computer where it is being run.


GPOTool helps locate inconsistencies with the GPO versions stored in Active Directory and in SYSVOL. Of course, we now know that an inconsistent GPO for these two storage locations can break them.

GPOTool is available in the resource kits for both Windows 2000 and Windows Server 2003. If you do not have one of these resource kits, you can download GPOTool from Microsoft at

GPOTool checks for inconsistency between Active Directory and SYSVOL versions of the same GPO across peer domain controllers. This information can help you determine whether replication latency is causing failure of computers or users to receive updates to new GPO settings that have not yet converged between domain controllers.

Some of the more interesting and useful switches included with GPOTool include /checkacl and /verbose. The /checkacl switch verifies the SYSVOL ACL, which is often changed by administrators trying to lock down and target GPOs.

  •  Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 4) - Summary of Group Policy Event IDs
  •  Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 3) - Divide the Custom View of the Log into Three Phases
  •  Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 2)
  •  Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 1) - Group Policy Operational Log
  •  Windows 8 : Managing Windows Update (part 4) - Viewing update history, Rolling back updates
  •  Windows 8 : Managing Windows Update (part 3) - Managing Windows Update in Windows 8 native interface
  •  Windows 8 : Managing Windows Update (part 2) - Configuring update settings
  •  Windows 8 : Managing Windows Update (part 1) - Accessing Windows Update settings by using Control Panel
  •  Windows 8 : Working with location-based settings and connection methods
  •  Windows Server 2008 R2 : Active Directory lightweight directory services
    GTS - youtube channel
    Video tutorials
    - How To Install Windows 8

    - How To Install Windows Server 2012

    - How To Install Windows Server 2012 On VirtualBox

    - How To Disable Windows 8 Metro UI

    - How To Install Windows Store Apps From Windows 8 Classic Desktop

    - How To Disable Windows Update in Windows 8

    - How To Disable Windows 8 Metro UI

    - How To Add Widgets To Windows 8 Lock Screen

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
    programming4us programming4us