Client-side extensions could cause a Group Policy object to fail. Fortunately, there are a few different ways to track down Windows GPO settings.
GPO settings are processed by the Winlogon process with the help of client-side extensions. If a client-side extension fails, the related GPO settings will not apply. Built-in Windows tools enable desktop administrators to see whether a particular GPO and its settings are applied. Some of these tools can also be executed for remote computers.
GPResult is a powerful command-line tool that can report the Group Policy settings applied on a Windows device.
- GPResult /R — This reports only the GPOs that have been applied to user and computer accounts. This is useful if you need to check only if a particular GPO was applied. The output is shown on the screen.
- GPResult /Z — The /Z parameter can be used if you need to see both GPOs and policy settings applied to the computer.
- GPResult /H <ReportFileName.html> — The /H parameter instructs the command to report GPOs and settings from each Group Policy that has been applied and saves the output to the ReportFileName.HTML file. The /H parameter is useful if you need to see both GPOs and policy settings applied to the local computer.
- GPResult /S <Computer Name> — This instructs the command to get the GPResult from a remote computer.
Although the GPResult tool provides the /S parameter to check the application of GPOs and their settings on a remote computer, the best option would be to use remote command execution tools such as PSExec.exe or Windows Management Instrumentation Command-line (WMIC). PSExec.exe and WMIC tools run interactively on remote computers.
RSOP.MSC, which is a graphical user interface (GUI) tool, is the preferred utility for checking the GPOs and settings applied to a local or remote computer. With RSOP.MSC, you can quickly determine if there were any problems while applying GPOs from an Active Directory domain controller. You can also find it in the Group Policy Management GUI by following these steps: Group Policy Management > Forest: xxxx.xxx > Group Policy Results, right-click Group Policy Results, and choose Group Policy Results Wizard…
If you need to see the reason for the failures, you can always go to the property page for the Computer/User Configuration and then click on the “Error Information” tab. To connect and collect the GPO RSOP data from a remote computer, in the RSOP.MSC snap-in, go to Action Menu, and then click on “Change Query.”
The use of GPResult.exe is preferred over RSOP.MSC if you want to perform scripted tasks against several Windows computers.
To check whether or not a Group Policy was applied to a local or remote computer, you can just use the Registry Editor. Note that it will show only which GPOs were applied. In other words, since the policy settings applied from a GPO are stored at a number of places in the registry, it would be difficult to know which settings were applied unless you know how and where GPO policy settings are stored in the registry.
A computer keeps its information about applied GPOs at the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History registry location. That key contains subkeys, which contain the names of GPOs that have been applied to the computer.
Registry Editor also allows admins to connect to the registry of a remote computer, provided the “Remote Registry” service is running on the remote device. In order to check the application of a GPO on a remote computer, connect to the remote registry and then navigate to the above registry location.
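The same History key can be read from a script instead of Registry Editor. The following is an added example, not part of the original article; the function name is hypothetical, and it assumes the usual layout of one subkey per client-side extension GUID, each holding numbered entries with DisplayName and GPOName values. Remote reads go through the Remote Registry service mentioned above.

```powershell
# Added example: list the GPOs recorded under the Group Policy History key.
function Get-GpoHistory {
    param([string]$ComputerName)   # leave empty to read the local registry

    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $hive   = [Microsoft.Win32.RegistryHive]::LocalMachine
    $view   = [Microsoft.Win32.RegistryView]::Registry64

    # The remote open fails if the Remote Registry service is stopped on the target.
    $base = if ($ComputerName) {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName, $view)
    } else {
        [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $view)
    }
    try {
        $history = $base.OpenSubKey($subKey)
        if ($null -eq $history) {
            Write-Warning "No Group Policy history key found on '$ComputerName'."
            return
        }
        # Assumed layout: History\<extension GUID>\<index> with per-GPO values.
        foreach ($cseGuid in $history.GetSubKeyNames()) {
            $cse = $history.OpenSubKey($cseGuid)
            foreach ($index in $cse.GetSubKeyNames()) {
                $entry = $cse.OpenSubKey($index)
                [pscustomobject]@{
                    Computer      = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
                    ExtensionGuid = $cseGuid
                    Order         = $index
                    GpoName       = $entry.GetValue('DisplayName')
                    GpoGuid       = $entry.GetValue('GPOName')
                }
                $entry.Close()
            }
            $cse.Close()
        }
        $history.Close()
    }
    finally { $base.Close() }
}

# One row per GPO and extension; group by GpoName to get the distinct list of applied GPOs.
Get-GpoHistory | Sort-Object GpoName, ExtensionGuid | Format-Table -AutoSize
```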
There are many PowerShell cmdlets available to perform GPO related tasks, one of which can help you generate GPO settings from a local or remote computer — the Get-GPResultantSetOfPolicy PowerShell cmdlet.
This cmdlet is the quickest and easiest way to get the GPO RSOP data for a user, computer or both from a local or remote computer. The Get-GPResultantSetOfPolicy cmdlet is very similar to the RSOP.MSC, except it supports reporting GPO RSOP to XML format and allows commands to run against a remote computer from the command line. To check GPOs and policy settings applied to the local computer, execute the following command:
- Get-GPResultantSetOfPolicy -ReportType XML -path C:\MyReports\GPOReport.XML
In case you need to run the command against a remote computer and store the output to a local computer, execute this command:
- Get-GPResultantSetOfPolicy -ReportType HTML -Computer PC1.TechTarget.com -Path C:\MyReports\GPOReport_PC1.html
Similarly, the command below generates a report for the computer PC1 and user James in the TechTarget.com domain.
- Get-GPResultantSetOfPolicy -User James -Computer TechTarget.com\PC1 -ReportType html -Path C:\MyReports\PC1_GPOReport.html
Although Get-GPResultantSetOfPolicy supports the -Computer parameter, you can specify only one computer name to collect the GPO RSOP data. To run the command for multiple computers, you can use the “ForEach” PowerShell cmdlet to read the computer names from a text file and then process the Get-GPResultantSetOfPolicy command.
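One way to script the multi-computer case described above, as an added example that is not from the original article. The computer list path and output file names are hypothetical, and the ExtensionStatus, Name and Error element names used to flag failed client-side extensions are assumptions about the XML report schema that should be checked against a report from your environment.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC/RSAT).
Import-Module GroupPolicy

$computerList = 'C:\MyReports\computers.txt'   # hypothetical file, one name per line
$reportDir    = 'C:\MyReports'

function Get-FailedExtension {
    param([string]$ReportPath)
    # Assumption: each client-side extension appears as an <ExtensionStatus>
    # element with <Name> and <Error> children; local-name() ignores namespaces.
    Select-Xml -Path $ReportPath -XPath "//*[local-name()='ExtensionStatus']" |
        ForEach-Object {
            $nameNode = $_.Node.SelectSingleNode("*[local-name()='Name']")
            $errNode  = $_.Node.SelectSingleNode("*[local-name()='Error']")
            if ($errNode -and $errNode.InnerText.Trim() -ne '0') {
                '{0} (error {1})' -f $nameNode.InnerText, $errNode.InnerText.Trim()
            }
        }
}

$names = Get-Content -Path $computerList | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$summary = foreach ($computer in $names) {
    $report = Join-Path $reportDir "GPOReport_$computer.xml"
    try {
        Get-GPResultantSetOfPolicy -Computer $computer -ReportType Xml `
            -Path $report -ErrorAction Stop | Out-Null
        $failed = @(Get-FailedExtension -ReportPath $report)
        [pscustomobject]@{
            Computer = $computer
            Status   = if ($failed.Count) { 'ExtensionErrors' } else { 'OK' }
            Detail   = $failed -join '; '
            Report   = $report
        }
    }
    catch {
        # Unreachable host, access denied or no RSOP data: record it and continue.
        [pscustomobject]@{
            Computer = $computer
            Status   = 'QueryFailed'
            Detail   = $_.Exception.Message
            Report   = $null
        }
    }
}

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $reportDir 'GPO_Summary.csv') -NoTypeInformation
```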
To check the result of the Group Policy operational log:
- Start the Event Viewer.
- Click the arrow next to Applications and Services Logs.
- Click the arrow next to Microsoft, and then Windows, and then Group Policy.
You can also check from Windows logs > System.
GPLogView is not a built-in tool in Windows, but it can be downloaded from the Microsoft Download Center.
Example 1: Export all Group Policy events
You can use GPLogView to export all Group Policy–related events from the system log and the operational log.
gplogview -o gpevents.txt
Example 2: Export Group Policy events with a specific Activity ID
GPLogView filters Group Policy–related events by Activity ID, which is useful when troubleshooting a specific instance of Group Policy processing.
gplogview -a 8A7C7CE5-F7D0-4d32-8700-57C650A53839 -o gpevents.txt
Example 3: Monitor Mode
You can use GPLogView to capture Group Policy events in real time. GPLogView writes all Group Policy related events to the command window, as they occur. Press CTRL+C to exit monitor mode, or press Q and ENTER.
Example 4: Using an external event log for input
By default, GPLogView reads the event logs on the current Windows Vista computer. However, you can change the GPLogView input source to an exported event log from another Windows Vista computer. This change gives you the ability to export multiple views of Group Policy processing that happened on another computer.
Note: The saved event log must come from a computer running Windows Vista. GPLogView does not work with saved event logs from earlier releases of Microsoft Windows.
gplogview -i savedevents.evtx -o gpevents.txt
You can view these and other commands supported by GPLogView by invoking command line Help.