Client-side extensions could cause a Group Policy object to fail. Fortunately, there are a few different ways to track down Windows GPO settings.

GPO settings are processed by the Winlogon process with the help of client-side extensions. If a client-side extension fails, the related GPO settings will not apply. Built-in Windows tools enable desktop administrators to see whether a particular GPO and its settings are applied. Some of these tools can also be executed for remote computers.

GPResult

 

GPResult is a powerful command-line tool that can report GP settings applied on a windows device.

• GPResult /R — This reports only the GPOs that have been applied to user and computer accounts. This is useful if you need to check only if a particular GPO was applied. The output is shown on the screen.
• GPResult /Z — The /Z parameter can be used if you need to see both GPOs and policy settings applied to the computer.
• GPResult /H <ReportFileName.html> — The /H parameter instructs the command to report GPOs and settings from each Group Policy that has been applied and saves the output to the ReportFileName.HTML file. The /H parameter is useful if you need to see both GPOs and policy settings applied to the local computer.
• GPResult /S <Computer Name> — This instructs the command to get the GPResult from a remote computer.

Although the GPResult tool provides /S parameter to check the application of GPOs and its settings on a remote computer, the best option would be to use remote command execution tools such as PSExec.exe or Windows Management Instrumentation Command line (WMIC). PSExec.exe and WMIC tools run interactively on remote computers.

RSOP.MSC

RSOP.MSC, which is a graphical user interface (GUI) tool, is the preferred utility for checking the GPOs and settings applied to a local or remote computer. With RSOP.MSC, you can quickly determine if there were any problems while applying GPOs from an Active Directory domain controller. You can also find it in the Group Policy Management GUI by following steps: Group  Policy Management > Forest: xxxx.xxx > Group Policy Results, right click the Group Policy Results, Choose Group Policy Results Wizard…

 If you need to see the reason for the failures, you can always go to the property page for the Computer/User Configuration and then click on the “Error Information” tab. To connect and collect the GPO RSOP data from a remote computer, in the RSOP.MSC snap-in, go to Action Menu, and then click on “Change Query.”

The use of GPResult.exe is preferred over RSOP.MSC if you want to perform scripted tasks against several Windows computers.

 

Registry Editor

To check whether or not a Group Policy was applied a local or remote computer, you can just use the Registry Editor. Note that it will show only which GPOs were applied. In other words, since the policy settings applied from a GPO are stored at a number of places in the registry, it would be difficult to know which settings were applied unless you know how and where GPO policy settings are stored in the registry.

A computer keeps its information about applied GPOs at the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History registry location. That key contains subkeys, which contain the names of GPOs that have been applied to the computer.

Registry Editor also allows admins to connect to the registry of a remote computer, provided the “Remote Registry” service is running on the remote device. In order to check the application of a GPO on a remote computer, connect to the remote registry and then navigate to the above registry location.

 

Powershell

There are many PowerShell cmdlets available to perform GPO related tasks, one of which can help you generate GPO settings from a local or remote computer — the Get-GPResultantSetOfPolicy PowerShell cmdlet.

This cmdlet is the quickest and easiest way to get the GPO RSOP data for a user, computer or both from a local or remote computer. The Get-GPResultantSetOfPolicy cmdlet is very similar to the RSOP.MSC, except it supports reporting GPO RSOP to XML format and allows commands to run against a remote computer from the command line. To check GPOs and policy settings applied to the local computer, execute the following command:

• Get-GPResultantSetOfPolicy -ReportType XML -path C:\MyReports\GPOReport.XML

In case you need to run the command against a remote computer and store the output to a local computer, execute this command:

• Get-GPResultantSetOfPolicy -ReportType HTML -Computer PC1.TechTarget.com -Path C:\MyReports\GPOReport_PC1.html

Similarly, the command below generates a report for the computer PC1 and user James in the TechTarget.com domain.

• Get-GPResultantSetOfPolicy -User James -Computer TechTarget.com\PC1 -ReportType html –Patch C:\MyReports\PC1_GPOReport.html.

Although Get-GPResultantSetOfPolicy supports the –Computer parameter, you can specify only one computer name to collect the GPO RSOP data. To run the command for multiple computers, you can use the “ForEach” PowerShell cmdlet to read the computer names from a text file and then process the Get-GPResultantSetOfPolicy command.

 

Event Viewer

To check the result of the group policy operational log:

1. Start the Event Viewer.

2. Click the arrow next to Applications and Services Logs.

3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.

4. Click Operational.

You can also check from Windows logs > System.

GPlogView

This is not a buit-in tools in Windows system, but we can download from Microsoft Download Center.

Example 1: Export all Group Policy events

Example 2: Export Group Policy events with a specific Activity ID

Example 3: Monitor Mode

Example 4: Using an external event log for input

 

References

 

https://technet.microsoft.com/en-us/library/cc749336(v=ws.10).aspx