System administrators have a tough time determining what settings are actually being applied to users and computers because there may be several GPOs linked at different levels of the AD hierarchy. Group Policy Results is a Group Policy Management Console feature that allows administrators to scan local or remote computers and users in order to discover which group policy objects (GPOs) are being applied.
Ensure that the required inbound Windows Firewall rules for Group Policy Results are enabled. To connect to distant computers, Windows Firewall built-in rules such as Remote Event Log Log Management (RPC-EPMAP), Remote Event Log Management (NP-in), Remote Event Log Management (RPC), and Windows Management Instrumentation (WMI-in) must be enabled. You can use Group Policy to enable the Windows Firewalls rules on all devices in your domain by utilizing a starter GPO available in Windows Server 2012 (and later) that includes the required settings. You may also use PowerShell to create a GPO with the appropriate settings and attach it to your domain so that it applies to all devices. Log in as an administrator to a domain controller or a computer with the Active Directory module for PowerShell installed, and then run the following cmdlet:
New-GPO –Name ‘Windows Firewall RSoP Ports’ –StarterGpoName ‘Group Policy Reporting Firewall Ports’ | New-GPLink –target ‘dc=ad,dc=contoso,dc=com’ –LinkEnabled yes
Note: Replace dc=ad,dc=contoso,dc=com in the target value with the Common Name (CN) of your domain.
It is always good practice to know what policy settings are being applied to a user or computer since GPO imposes a lot of restrictions and customizations on the user and computer. So, if something is amiss, a review of the policy settings will shed some light on the problem. To view the Group Policy Results, you can use the following tools:
The Resultant Set of Policy snap-in is a Microsoft Management Console (MMC) tool. It can be used to create detailed reports about applied policy settings. It has two modes:
To open the RSoP snap-in, follow these steps:
Group Policy Results: Group Policy Results is a container available in GPMC. The following steps illustrate how to use Group Policy Results:
The following information will be available in the right pane:
The gpresult command line tool, when executed, displays all the policy settings applied to a particular user or computer. The GPResult command can be executed using the Windows command prompt or PowerShell.
Let’s look at a few gpresult commands for checking group policy results:
gpresult /r /scope:user
gpresult /r /scope:computer
Note: If you do not specify a path, the file will be saved to the system32 folder.
gpresult /r >c:\report.txt
gpresult /h > C:\report.html
gpresult /x > C:\report.xml
gpresult /f /x targetlocation\report.xml
gpresult /f /h targetlocation\report.html
gpresult /R /S vm1 /user John
Note: For more information about using this tool, use the command gpresult /?Administrators use group policies to regulate how users and computers access network resources. However, when your network grows, it might become complex and counterintuitive. As a result, you must keep track of which policies apply to which computers and users in order to determine their impact. Using group policy results is the most convenient technique to evaluate group policies and their impact on multiple computers and users. To gather group policy results and evaluate whether a certain policy should be retained or deleted, you can use RSoP and the reports it generates, as well as gpresult and third-party applications.
People also read