This example analyzes the output of Group Policy Results when run in verbose mode using the following command line:
gpresult /v
When GPResult is run with any mode, the following operating system information is always displayed at the top of the output:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Wednesday, September 29, 1999 at 2:47:26 PM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2128
Terminal Server Mode: Not supported
This output provides you with:
Following the operating system output comes general information for the current user.
The output begins by detailing the user's configuration. This includes domain membership, domain type, and the current site as indicated below:
User Group Policy results for:
CN=Alan Steiner,OU=Users,OU=Test,DC=ntdev,DC=microsoft,DC=com
Domain Name: NTDEV
Domain Type: Windows 2000
Site Name: Red-Bldg99
Following this the output details profile information about the user. The output details the roaming profile (if applicable) and location of the current profile that is in use.
Roaming profile: \\ntprofiles\roamprof\AlanS
Local profile: C:\Documents and Settings\AlanS
Next the output details all the security groups that the user belongs to:
The user is a member of the following security groups:
GROUP1\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
BUILTIN\Power Users
GROUP1\RedirectedDesktop
GROUP1\Department 15333
GROUP1\mydocs1
\LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
Following the details of security group membership, the output continues by detailing all of the user's security privilege information:
The user has the following security privileges:
Bypass traverse checking
Manage auditing and security log
Back up files and directories
Restore files and directories
Change the system time
Shut down the system
Force shutdown from a remote system
Take ownership of files or other objects
For the complete list of security privileges that may be displayed by GPResult, please refer to Security Privileges below.
After detailing security privileges, a time stamp of when the last time Group Policy was applied to current user and the domain controller from which the policy was applied to the current user are listed.
###############################################################
Last time Group Policy was applied: Monday, September 06, 1999 at 9:25:40 AM
Group Policy was applied from: NTDS.ntdev.microsoft.com
===============================================================
Next, if any registry-based policies have been applied to the user, the following is displayed:
The user received "Registry" settings from these Group Policy objects (GPOs):
Local Group Policy
Revision Number: 40
Unique Name: Local Group Policy
Domain Name:
EU-DesktopLockDown-Admin
Revision Number: 12 (Active Directory) 12 (Sysvol)
Unique Name: {EF06ECF2-A8C9-11D2-B575-0008C7457B4E}
Domain Name: group.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
EU-DesktopSetup-Admin
Revision Number: 7 (Active Directory) 7 (Sysvol)
Unique Name: {29021088-BF90-11D2-8614-00C04FF621C4}
Domain Name: group.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
Output details:
Next the details of the actual registry-based settings that were applied are displayed:
The following settings were applied from: Local Group Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System
ValueName: VerboseStatus
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ValueName: NoSMHelp
ValueType: REG_DWORD
Value: 0x00000001
The following settings were applied from: Default Domain Policy
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
ValueName: NoManageMyComputerVerb
ValueType: REG_DWORD
Value: 0x00000001
KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\System
ValueName: VerboseStatus
ValueType: REG_DWORD
Value: 0x00000001
Output details:
Note
If any of the registry settings is written to a location outside the locations the Group Policy handles, this registry setting is not a true policy setting. Group Policy uses only the following locations:
If any registry settings outside of these locations are applied, the following warning is also displayed.
+++++++ Warning! The next registry setting is not a true policy setting
+++++++ and will be left in the registry when the GPO
+++++++ that created it is no longer applied.
If any Folder Redirection policy settings have been applied to the user, output similar to the following is displayed:
===============================================================
The user received "Folder Redirection" settings from these GPOs:
EU-RedirectedDesktop-User1
Revision Number: 14 (Active Directory) 14 (Sysvol)
Unique Name: {C19B776C-A8E8-11D2-9BEB-00A024070A22}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
EU-FolderRedirection-User1
Revision Number: 12 (Active Directory) 12 (Sysvol)
Unique Name: {FBEE2508-BCAA-11D2-B3EE-00C04FA3787A}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
Desktop is redirected to \\ntpolicy1\desktop\%username%
My Pictures is redirected to \\ntpolicy1\mydocs1\%username%\My Pictures
My Documents is redirected to \\ntpolicy1\mydocs1\%username%
Output details:
If any Scripts policy settings have been applied to the user, output similar to the following is displayed:
===============================================================
The user received "Scripts" settings from these GPOs:
EU-Marketing
Revision Number: 12 (Active Directory) 12 (Sysvol)
Unique Name: {EF068882-A229-11D2-B575-0008C7457B4E}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
EU-Canada
Revision Number: 44 (Active Directory) 44 (Sysvol)
Unique Name: {HJ924782-A444-11D2-B444-00039573954F}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
Logon scripts specified in: EU-Marketing
\\marketing1\logon$\adlogon.bat
Logoff scripts specified in: EU-Marketing
\\marketing1\logon$\adlogoff.bat
Logon scripts specified in: EU-Canada
\\toronto3\logon$\pplogon.bat
Logoff scripts specified in: EU-Canada
\\toronto3\logon$\adlogoff.bat
Output details:
If any Application Management policy settings have been applied to the user, output similar to the following is displayed:
===============================================================
The user received "Application Management" settings from these GPOs:
EU-CorpStandard
Revision Number: 156 (Active Directory) 156 (Sysvol)
Unique Name: {9B4293472AC06-44D2-B22A-0008C7457E8J}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
EU-RedmondSite
Revision Number: 1536 (Active Directory) 1536 (Sysvol)
Unique Name: {9B4999999AC06-12O2-B66A-0008C7457B4E}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
The user has been assigned the following applications:
Microsoft Office 2000 Premium (RTM)
GPO Name: EU-CorpStandard
Removal Option: Application is uninstalled when policy is removed
Microsoft FrontPage 20000
GPO Name: EU-RedmondSite
Removal Option: Application is uninstalled when policy is removed
The user has installed the following published applications:
WinZip 7.0
GPO Name: EU-CorpStandard
Removal Option: Application is uninstalled when policy is removed
Output details:
If GPResult had instead been run in Super verbose mode (/s), it would also have provided information on which applications would be available in Add/Remove Programs. The output would look similar to the following:
The user has the following applications available in Add/Remove Programs:
Microsoft Money 99
GPO Name: EU-RedmondSite
Installed: No
Connection Manager Self Host -- Smart Card Corpnet Access
GPO Name: EU-RedmondSite
Installed: No
Microsoft Excel 97 SR2 (Legacy Deployment)
GPO Name: EU-RedmondSite
Installed: No
Output details:
For other Group Policy extensions that ship with Windows 2000 that have been applied to the user, the following is displayed for each of these extensions:
===============================================================
The user received "Name of the Extension" settings from these GPOs:
EU-SecurityB31
Revision Number: 14 (Active Directory) 14 (Sysvol)
Unique Name: {C19ASDAS-ADD8-11D2-9BEB-002342342342}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
EU-SecurityHR
Revision Number: 12 (Active Directory) 12 (Sysvol)
Unique Name: {FBEASDAS-BDDA-11D2-B3EE-002342342342}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
This section repeats the same processes as above for User Output, but this time displays information for the computer that the user has logged on to.
The output begins with general information for the computer, including the computer name and location, domain name, domain type and site name as indicated below.
###############################################################
Computer Group Policy results for:
CN=DEVPC01,CN=Computers,DC=ntdev,DC=microsoft,DC=com
Domain Name: NTDEV
Domain Type: Windows 2000
Site Name: Red-Bldg99
After detailing the general information, the output shows a time stamp of when the last time Group Policy was applied to this computer and the domain controller from which Computer Group Policy was applied.
###############################################################
Last time Group Policy was applied: Monday, September 07, 1999 at 7:51:59 AM
Group Policy was applied from: NTDS.ntdev.microsoft.com
===============================================================
The Registry Based Policy, Folder Re-direction, and other Group Policy extensions that have been applied to this computer are detailed at this point. This information is output in the same format as detailed earlier in this document for the User Output.
In addition, the Computer section displays the following when applicable:
If any IP Security policy settings have been applied to the computer, output similar to the following is displayed:
===============================================================
The computer received "IP Security" settings from these GPOs:
EU-IPSecDefaultClientPol-RandyRam
Revision Number: 5 (Active Directory) 5 (Sysvol)
Unique Name: {6EB61A60-A991-11D2-9BEB-00A024070A22}
Domain Name: ntdev.microsoft.com
Linked to: Domain (DC=ntdev,DC=microsoft,DC=com)
Policy Name: NTDEV Default Client Policy
Description: All NTDEV machines get this
Policy Path: LDAP://CN=ipsecPolicy{163E9FDB-A9AE-11D2-AFD6-006097936A9F},
CN=IP Security,CN=System,DC=ntdev,DC=microsoft,DC=com
Output details:
If any Microsoft Disk Quota policy settings have been applied to the computer, output similar to the following is displayed:
===============================================================
The computer received "Microsoft Disk Quota" settings from these GPOs:
Local Group Policy
Revision Number: 25
Unique Name: Local Group Policy
Domain Name:
Source: Local computer
Disk Quotas enabled: Yes
Disk Quotas enforced: Yes
Quota limit: 80 MB
Warning level: 120 MB
Log event when quota limit exceeded: No
Log event when quota warning level exceeded: No
Apply policy to removable media: No
Output details:
Complete list of security privileges that can be tracked by GPResult in verbose mode:
"Create a token object"
"Replace a process level token"
"Lock pages in memory"
"Increase quotas"
"Add workstations to domain"
"Act as part of the operating system"
"Manage auditing and security log"
"Take ownership of files or other objects"
"Load and unload device drivers"
"Profile system performance"
"Change the system time"
"Profile single process"
"Increase scheduling priority"
"Create a pagefile"
"Create permanent shared objects"
"Back up files and directories"
"Restore files and directories"
"Shut down the system"
"Debug programs"
"Generate security audits"
"Modify firmware environment values"
"Bypass traverse checking"
"Force shutdown from a remote system"
"Remove computer from docking station"
"Synchronize directory service data"
"Enable computer and user accounts to be trusted for delegation"