Before we close up the chapter, I wanted to talk about the two most popular command-line management tools for GP. Although I've mentioned both of these utilities earlier in this chapter, I wanted to give each of them a thorough treatment in this section for easier reference and use.
GPUPDATE will refresh Group Policy settings that are stored either on individual machines or through Active Directory. It's fairly straightforward to use.
To refresh the GP settings on the current workstation, just issue the GPUPDATE command itself:
gpupdate
You can target either computer or user settings using the /target switch. If the switch is omitted, both computer and user settings are refreshed. To refresh computer settings on the current machine:
gpupdate /target:computer
You can force the refresh of GP settings with the /force switch:
gpupdate /target:computer /force
Finally, you can force a logoff and/or a reboot with the /logoff and /boot switches, respectively:
gpupdate /logoff gpupdate /boot
GPRESULT will return a listing of all policies applied to a user and computer, the OUs in which the computer and user are located, the site they are in, and a lot more information. The remote computers need to run at least Windows XP or Server 2003 for GPRESULT to return accurate information.
You can return a simple report using the currently logged on user at your workstation by simply issuing the command itself without any switches:
gpresult
The following is a sample of the report you'll receive:
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
Created On 5/9/2005 at 12:15:16 PM
RSOP data for R2TEST\Administrator on R2B2SRV1 : Logging Mode
--------------------------------------------------------------
OS Type: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Configuration: Primary Domain Controller
OS Version: 5.2.3790
Terminal Server Mode: Remote Administration
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\Administrator
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=R2B2SRV1,OU=Domain Controllers,DC=r2test,DC=corp,DC=hasselltech,DC=local
Last time Group Policy was applied: 5/9/2005 at 12:12:31 PM
Group Policy was applied from: r2b2srv1.r2test.corp.hasselltech.local
Group Policy slow link threshold: 500 kbps
Domain Name: R2TEST
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
Turn off System Restore
Filtering: Denied (Security)
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
R2B2SRV1$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
USER SETTINGS
--------------
CN=Administrator,CN=Users,DC=r2test,DC=corp,DC=hasselltech,DC=local
Last time Group Policy was applied: 5/9/2005 at 12:02:32 PM
Group Policy was applied from: r2b2srv1.r2test.corp.hasselltech.local
Group Policy slow link threshold: 500 kbps
Domain Name: R2TEST
Domain Type: Windows 2000
Applied Group Policy Objects
-----------------------------
Default Domain Policy
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
Turn off System Restore
Filtering: Disabled (GPO)
The user is a part of the following security groups
---------------------------------------------------
Domain Users
Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Pre-Windows 2000 Compatible Access
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
This Organization
LOCAL
Domain Admins
Group Policy Creator OwnersTo get information for the user jhassell on the remote workstation JH-WNXP-LTP using GPRESULT, run:
gpresult /s JH-WNXP-LTP /USER jhassell
Likewise, to get information for the user ljohnson in the domain R2TEST on the remote workstation 192.168.1.120, run:
gpresult /s 192.168.1.120 /USER R2TEST\ljohnson
You also can add the /V option to enable verbose logging, which will display detailed information and not just a summary view, or /Z, to enable extended verbose logging (even more details). Use the /SCOPE MACHINE option with /Z to look at only computer configuration policies; similarly, use /SCOPE USER to look at user configuration policies. You can redirect the output of GPRESULT to a text file using the standard > DOS redirect operator.