Format: Brief Scope
When you are trying to determine why policy is not being applied as expected, one of first things you should do is examine the Resultant Set of Policy (RSoP) for the user and computer experiencing problems with policy settings. Using the Gpresult command-line utility, you can view RSoP.
This will give you the various GPOs that are applied and denied to the computer and user. It will show what area each is located in, the last process time, what security group the object is in, and more.
The most general usage:
gpresult /h result.html
This will make an html page in whatever directory you are currently in. I suggest switching to the c:\ first.
This is directly from the CLI:
GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope] [/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]] Description: This command line tool displays the Resultant Set of Policy (RSoP) information for a target user and computer. Parameter List: /S system Specifies the remote system to connect to. /U [domain\]user Specifies the user context under which the command should execute. Can not be used with /X, /H. /P [password] Specifies the password for the given user context. Prompts for input if omitted. Can not be used with /X, /H. /SCOPE scope Specifies whether the user or the computer settings needs to be displayed. Valid values: "USER", "COMPUTER". /USER [domain\]user Specifies the user name for which the RSOP data is to be displayed. /X <filename> Saves the report in XML format at the location and with the file name specified by the <filename> parameter. (valid in Windows Vista SP1 and above and Windows Server 2008 and above) /H <filename> Saves the report in HTML format at the location and with the file name specified by the <filename> parameter. (valid in Windows Vista SP1 and above and Windows Server 2008 and above) /F Forces gpresult to overwrite the file name specified in the /X or /H command. /R Displays RSoP summary data. /V Specifies that verbose information should be displayed. Verbose information provides additional detailed settings that have been applied with a precedence of 1. /Z Specifies that the super-verbose information should be displayed. Super- verbose information provides additional detailed settings that have been applied with a precedence of 1 and higher. This allows you to see if a setting was set in multiple places. See the Group Policy online help topic for more information. /? Displays this help message. Examples: GPRESULT /R GPRESULT /H GPReport.html GPRESULT /USER targetusername /V GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z GPRESULT /S system /U username /P password /SCOPE USER /V
- Troubleshooting Group Policy
- Resultant Set of Policy
- How to See Which Group Policies are Applied to Your PC and User Account
- Determine Resultant Set of Policy
- Simulate Resultant Set of Policy Using Group Policy Modeling
- Dcgpofix: Recreates the default Group Policy Objects (GPOs) for a domain
To force a "pull" replication, ie when logged into a secondary DC FROM the primary DC: repadmin /syncall /AeD
You will see several "Syncing Partition:" messages, hopefully each ending with:
CALLBACK MESSAGE: SyncAll Finished. SyncAll terminated with no errors.
To force a "push" replication (push out from the main DC): repadmin /syncall /APeD
- How To Use Repadmin for Active Directory Troubleshooting
- Troubleshooting AD Replication error 8453: "Replication access was denied."