However, the user portion of GPO is not applied. If you type 'gpresult /v' the result is: INFO: The User does not have RSoP data. If I log into the same RDS session server with a user that is in the FSLogix exclude list, no profile disk is mounted, and the user portion of the GPO is processed correctly as expected. The User Does Not Have Rsop Data; Rsop Data Not Available; Rsop Command Line; This is because the user specified has never logged onto the PC before. If you need to gather RSOP data without logging onto a PC, try using the GPMC management console and running the Group Policy Modelling Wizard instead. Group Policy – GPResult Examples. The user “domain user” does not have RSOP data.
RSoP, Resultant Set of Policy, and GPResult are two of those tools you absolutely have to know about if you’re using Group Policy in your environment or you’ll wish you had known about it sooner. Through the Group Policy Management Console you can see all the settings that a specific GPO will apply to machines and users in that OU but because the Active Directory is hierarchical you have to drill down into further Organizational Units in order to find if a more specific GPO might be affecting the target machines. If only we could see from the computer’s perspectives what group policies were being applied to it… We can! Using RSoP and GPResult, we can get exactly that kind of information.
RSoP
The Resultant Set of Policy MMC snap-in has a nice interface and is easily used. Just go to Start, Run and enter rsop.msc. This will flash up a quick screen with a summary of the environment it’s processing.
When the progress reaches 100%, it will pull up a report for the policies upon which the computer and the user are having applied. You can browse the list, which mirrors the Group Policy Management Console, and see which policies the machine is seeing, which might not quite match what you’ve set in the Active Directory server.
You can also use this to diagnose any errors. For example, if a software deployment isn’t coming through for some reason, you can verify that it has access to the policy and has received the command. You can also see any related errors to help your troubleshooting.
GPResult
Starting with Vista SP1, RSoP no longer shows all of the group policies that a computer might have being applied to it. Instead, Microsoft recommends that you use the command line tool GPResult.
Just open the Command Prompt and type:
Being a command line tool, it opens up the possibilities to include it in scripting. There are a large number of options you can use with GPResult to get exactly what you want. You can use it to create a nicely formatted HTML or XML report and you can also use it to run remotely on another system and as a different user (provided you know the password).
The report will look something like this:
From the command line help file, GPResult has these options:
GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]
[/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]
Description:
This command line tool displays the Resultant Set of Policy (RSoP)
information for a target user and computer.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain]user Specifies the user context under which the
command should execute.
Can not be used with /X, /H.
/P [password] Specifies the password for the given user
context. Prompts for input if omitted.
Can not be used with /X, /H.
/SCOPE scope Specifies whether the user or the
computer settings needs to be displayed.
Valid values: “USER”, “COMPUTER”.
/USER [domain]user Specifies the user name for which the
RSOP data is to be displayed.
/X <filename> Saves the report in XML format at the
location and with the file name specified
by the <filename> parameter. (valid in
Windows Vista SP1 and Windows Server 2008)
/H <filename> Saves the report in HTML format at the
location and with the file name specified by
the <filename> parameter. (valid in Windows
Vista SP1 and Windows Server 2008)
/F Forces gpresult to overwrite the file name
specified in the /X or /H command.
The User Does Not Have Rsop Data
/R Displays RSoP summary data.
/V Specifies that verbose information should
be displayed. Verbose information provides
additional detailed settings that have
been applied with a precedence of 1.
/Z Specifies that the super-verbose
information should be displayed. Super-
verbose information provides additional
detailed settings that have been applied
with a precedence of 1 and higher. This
allows you to see if a setting was set in
multiple places. See the Group Policy
online help topic for more information.
/? Displays this help message.
Examples:
GPRESULT /R
GPRESULT /H GPReport.html
GPRESULT /USER targetusername /V
GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
GPRESULT /S system /U username /P password /SCOPE USER /V
Are there any other tools out there that fall into that category ‘I wish I knew about that earlier‘ that you’d recommend? Let me hear them in the comments.
GPResult is a command-line utility for determining the resultant set of policy for a given user and/or computer. In other words, it shows you what Group Policy Objects have been applied and their settings. This is typically one of the first tools I go to when troubleshooting Group Policy from a client once basic connectivity has been confirmed (e.g. Network/DNS). The tool itself is very simple to use and I will run through some common examples below.
List GPOs Applied with Summary Data
/r Displays RSOP summary data
This is pretty useful when you simply want to see what GPOs have applied and in what order. It will also display summary data, such as last time group policy was applied, which Domain Controller it was applied from, the site, security groups and if the slow link threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way of checking.
Here we see that 4 GPOs have applied to the Computer settings portion.
If you don’t want to view both Computer and Users settings in the output you can request one or the other with the /scope flag.
The output reads fairly well from within the command prompt, but if you need to export the output you could use either of the following.
Gpresult /r > gpresult.txt Export output to a text fileGpresult /r |clip Export output to Windows clipboard
I can’t see the Computer Settings?
If UAC is enabled, running GPResult without elevating the command prompt will only show you the user settings. If you want to see both user and computer settings, elevate the command prompt by either tapping the winkey+cmd then ctrl+shift+enter or right click on the command prompt and select run as administrator. If you elevate with an admin account different to the currently logged in user (common if the user does not have administrator rights), then you will receive an error message stating INFO: The user “domainuser” does not have RSOP data. This is because GPResult is using the elevated user’s context. To work around this, specify the standard user that you are troubleshooting.
Generate HTML Report
/h Saves the report in HTML format/f Forces GPresult to overwrite the file name specified with /h/user Specifies the user name for which the RSOP data is to be displayed
To get a more graphical view of what’s going on, you can generate a HTML report. This gives a detailed break down of each setting and the GPO from which it came. This view is particularly nice as you can show all and use ctrl+f to find a particular policy or setting.
Run GPResult on Remote Computer
/s Specifies the remote system to connect to
This allows you to run GPResult on a remote system, all of the above applies.
The following GPOs were not applied because they were filtered out
You may see this for a few reasons. The first that the policy is empty in which case you’ll see Filtering: Not Applied (Empty), this is fairly self explanatory. The second is Filtering: Denied (Security), which typically boils down to the “Apply Group Policy” permission on the GPO. You may also see Filtering: Denied (Unknown Reason) which is similar to (Security) in that the “Read” permissions has been denied.
The User Does Not Have Rsop Data Gpresult Windows 10
To review the last two examples, launch the GPMC (Group Policy Management Console). Find the offending GPO, and select Delegation- from there you may see an additional group or a single user or machine that has been added.
Click on advanced and review the permissions against the object. In this case you can see that the Seven computer object has been denied Apply Group Policy resulting in the Filtering: Denied (Security) message.
If in doubt, select Advanced -> Effective Access and enter the required computer or user object. If you scroll down to around halfway you’ll see the Apply Group Policy permission with either a green tick of a red cross against it. If deny read has been granted every permission will have a red cross next to it.
The User Does Not Have Rsop Data Server 2012
I hope this gives you the basics behind GPResult and some good real world example to aid in your Group Policy troubleshooting.