Skip to main content
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

Group Policy Troubleshooting Tools

Summary: This article provides information about tools for troubleshooting Group Policy issues in Windows operating systems.

This article may have been automatically translated. If you have any feedback regarding its quality, please let us know using the form at the bottom of this page.

Article Content


Symptoms

SLN155604_en_US__1icon Note: There are several tools available to assist with troubleshooting Group Policy issues. This article is limited to tools built into Windows. For additional information on GPO troubleshooting, go to the QUEST website.

 


Table of Contents:

  1. Use GPRESULT to List Applied Policies

  2. Troubleshoot with Resultant Set of Policy (RSoP)

  3. Reset the Default Domain Policy and the Local Security Policy

 

1. Use GPRESULT to List Applied Policies

Before beginning to test for policy issues, make sure you don’t have unapplied policies that will skew the results. Start by running Gpupdate /force to ensure that the latest policies are applied. The gpresult command can then be used to list the GPOs that are currently applied to the user and/or computer in question. The following list shows some examples of the switches available with gpresult:

  • gpresult /s ComputerName /user Domain\UserName /r
    Lists summary of applied GPOs when the specified user is logged onto the specified computer.

  • gpresult /s ComputerName /user Domain\UserName /r /scope user
    Lists only user policies from the above report. Omits computer policies.

  • gpresult /s ComputerName /user Domain\UserName /h gpreport.html
    Generates the same report as the first example but saves it in an HTML file.

  • gpresult /s ComputerName /u domain\UserCred /p p@ssW23 /user Domain\UserName /r
    Generates the same report as the first example but uses the specified credentials to run the command.

  • gpresult /s ComputerName /user Domain\UserName /z > policy.txt
    Generates a very verbose report of user and computer policy settings and saves it in a text file.

Note the difference between the /u and /user switches: the /u switch is used to specify user credentials for running the gpresult command, while the /user switch specifies the user account whose policy data will be included in the report.

The /? switch gives the complete list of options available with gpresult.

For more information on the gpresult syntax, please refer to the Microsoft Gpresult TechNet article.
 

Back to Top

 

Cause

2. Troubleshoot with Resultant Set of Policy (RSoP)

The Group Policy Management Console contains the Group Policy Results Wizard, also known as Resultant Set of Policy (RSoP). Access the Group Policy Results Wizard by clicking Start, then Run, then typing gpmc.msc. When you open up the console, you will see the Group Policy Results tab at the bottom. Additional RSoP documentation is available on the Microsoft TechNet website.

To complete the wizard, perform the following steps:

  1. Right-click and choose Run Group Policy Results Wizard.

  2. Choose this computer or another computer.

  3. Select a specific user.

  4. Click Finish to complete the wizard.

The result is a file directly under the results folder that you can use to determine which policy settings are being applied and the GPOs that are responsible for those settings.

In contrast to the Group Policy Results Wizard, which can only report the settings currently being applied, the Group Policy Modeling Wizard is useful for generating hypothetical scenarios, such as moving a user or computer account to a different OU, without actually making changes to the environment.

For additional information on Group Policy Modeling, refer to the Microsoft TechNet website.
 


Back to Top

 

Resolution

3. Reset the Default Domain Policy and/or Default Domain Controllers Policy

The Default Domain Policy GPO and Default Domain Controllers Policy GPO apply to the entire domain and all domain controllers in the domain, respectively. Problems or improperly configured settings in either of these GPOs can have widespread effects. In the event that you encounter problems with either of these GPOs that are unable to be resolved by normal means, the dcgpofix command can reset either or both of these GPOs to their default settings.
 

SLN155604_en_US__1icon Note: The dcgpofix command should be considered a last resort. Any changes that have been made to the GPO(s) being reset will be lost. This could impact the entire domain.
 

To reset your Default Domain Policy and/or Default Domain Controllers Policy GPO to their default settings, perform the following steps:

  1. Log on as a Domain Administrator to a Domain Controller.

  2. Open an elevated command prompt.

  3. Enter the parameter to reset:

    • dcgpofix /target:Domain to reset the Domain GPO.

    • dcgpofix /target:DC to reset the Default DC GPO.

    • dcgpofix /target:both to reset both the Domain and Default DC GPOs.

  4. After you enter the appropriate command in Step 3, enter Y to both prompts.

  5. Close the command window.

For additional information on the dcgpofix command, refer to the Microsoft Technet website.
 

Though not as widespread, problems can occur if you have edited a machine's Local Security Policy. This policy can also be reset to its default settings with the following steps:

 

  1. Log into an account with local administrative rights on the machine in question.

  2. Click Start, Run, then enter "cmd" in the prompt, then <Enter> to start a command session.

  3. Enter secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose to reset Local Security Policy.

    Source: Microsoft Technet discussion thread.



Back to Top

 

Article Properties


Affected Product

Servers

Last Published Date

28 Sep 2023

Version

4

Article Type

Solution