Group Policy (GP) is a Windows management feature that allows you to control multiple users’ and computers’ configurations within an Active Directory environment. In this article, we shall discuss how to analyze group policies applied to a user and computer account. With GP, all Organizational Units, sites, or domains can be configured from a single and central place. Please see Remote Server Administration Tools: To install RSAT on Windows Server, and what is Group Policy Object and how can it be launched in Windows.
Since group policies are used to preset Windows settings, and determine what user can and can’t do, and if you ever wanted to know what group policies are enabled on your computer, here are a few ways of finding them out.
You may want to see the following articles as well. Why use RSAT? How to Install RSAT on Windows 10, how to resolve this “Thunderbolt” application is not in use anymore and can be safely uninstalled.
Via the Resultant Set of Policy Management Console
This is the easiest way to determine the group policies applied to you. There it is a very powerful built-in command prompt used for auditing group policy settings.
Alternatively, search for “run” and type rsop.msc into the run box and then hit enter or – Win + R keyboard combination to bring up a run box, type rsop.msc into the run box and then hit enter. View Post
When this is run, this will analyze and process the policies applied to you.
After its analysis, it will display the resultant set of Policies applied to you.
Now click on each folder. Moreover, Empty folders imply no policies are applied to you. These are currently the only policies applied to my device via the computer configuration.
Please see How to determine GPO from GUID or Name, Handy Shutdown commands available in Windows, and how to Install HTML Web Client for Microsoft RDS.
Via the Command line
Furthermore, It should be noted that you have to specify the scope of the results. However, To find all the policies that are applied to your user account, you would use the following command:
gpresult /Scope User /v
This will process and display the results as shown below.
Then if you scroll down, you will see the the Resultant Set Of Policies for User section.
If you are looking for all policies applied to your Computer, all you need to do is change the scope:
gpresult /Scope Computer /v
More output
More output – Administrative template
Alternatively, there is a shortcut command that can be applied to get the desired result.
Please see how to Create a web page to visualize the output of BitLocker Script, and How to work with Windows Performance Toolkit.
User Side Policies
To apply all the policies to your user account, simply run the command below from the command prompt.
gpresult /r
Additionally, This will give only the user-side of group policies applied.
Computer Side Policies
Therefore, To get this policy, simply run the command prompt with administrative privilege, this will output policies relating to the computer.
gpresult /r
Note: The command prompt has to be run with administrators rights
GPRrport Command (Output HTML)
Similarly, reading the group policies objects summary data from the command prompt is usually not feasible every time in detail. Nevertheless, Thus, to get it in an easily readable form, we can export the data into the HTML format. Open a Command Prompt and type the following:
cd Desktop
GPRESULT /H GPReport.htmlSpecify the GPresult Path
The /H command with the location and filename specifies where the file will be saved. To do this, please run the command below.
gpresult /H <path>
gpresult /H c:\gpresults.htmlGroup Policy For Specific User
Moreover, This command is used to display the group policies for the specific user or system that lies in the network domain. Nonetheless, To display the specific user policy summary you must be aware of the user’s credentials. The command is as follows:
gpresult /R /USER targetusername /P passwordNote: The specified user must have logged on at least once the computer before you can gather the RSoP data.
Get GPResult of Remote Computer
To get the policy result of a user you don’t need access to the computer. Because we can also get the applied policies from a remote computer with the /S parameter. For example, to get the applied policies from the computer TDA01 for user Christian, we can employ the command below.
gpresult /S TDA01 /user christian /RTo run this command in another user context, you will need to specify the /u switch.
gpresult /S TDA01 /u christian /RTo view the computer settings of the user you can also specify the scope. The scope can either be USER or COMPUTER:
gpresult /USER christian /SCOPE Computer /Rgpresult /USER christian /SCOPE USER /RYou can also generate a Group Policy Object (GPO) report for a remote PC, you can use the Get-GPOReport PowerShell cmdlet.
Get-GPOReport -Name "Default Domain Policy" -Server "TDA02" -ReportType Html -Path "C:\GPOReport.html"All you have to do is replace the "Default Domain Policy" with the name of the GPO you want to report on, and the "RemotePCName "TDA02" with the name of the remote PC, and the -Path with the desired location and name for your report file.
You could also use the comand below. The file that this command produces (gpresult-<computer name>.html) uses the same information format as the local computer version (gpresult.html) uses.
gpresult /S <computer name> /H c:\gpresult-<computer name>.htmlPlease see “how to Disable Developer Tools in Microsoft Edge using Registry or Group Policy in Windows“, and how to Restrict the number of tabs a user can open in Chrome and Edge.
Export GPResult to HTML
So to make the gpresult data more readable we can export the result to an HTML file. The HTML file is formatted the same as the Settings tab in the Group Policy Management Console.
When you export to HTML you don’t need to specify /R or one of the verbose parameters /Z or /V. It will generate a detailed HTML for you with all the verbose information you need. You do need to specify the path and file name:
gpresult /USER christian /H c:\gpresult.htmlNote: If the filename already exists you might get an error. To overwrite the file you can use the /f parameter to force overwriting of the existing file.
Furthermore, I hope you found this blog post on how to analyze group policies applied to a user and computer account helpful. However, If you have any questions, please let me know in the comment session.
Great info. One thing I don’t understand that the new server GPO has been applied to the local PC and can be seen from running “rsop.msc” but not from local GOP “gpedit”? just wonder why? Thanks
Thank you for the comment! Is your device domain joined?