Before beginning to test for policy issues, make sure you don’t have unapplied policies that will skew the results. Start by running Gpupdate /force to ensure that the latest policies are applied. The gpresult command can then be used to list the GPOs that are currently applied to the user and/or computer in question. The following list shows some examples of the switches available with gpresult:
gpresult /s ComputerName /user Domain\UserName /r
Lists summary of applied GPOs when the specified user is logged onto the specified computer.
gpresult /s ComputerName /user Domain\UserName /r /scope user
Lists only user policies from the above report. Omits computer policies.
gpresult /s ComputerName /user Domain\UserName /h gpreport.html
Generates the same report as the first example but saves it in an HTML file.
gpresult /s ComputerName /u domain\UserCred /p p@ssW23 /user Domain\UserName /r
Generates the same report as the first example but uses the specified credentials to run the command.
gpresult /s ComputerName /user Domain\UserName /z > policy.txt
Generates a very verbose report of user and computer policy settings and saves it in a text file.
The Group Policy Management Console contains the Group Policy Results Wizard, also known as Resultant Set of Policy (RSoP). Access the Group Policy Results Wizard by clicking Start, then Run, then typing gpmc.msc
. When you open up the console, you will see the Group Policy Results tab at the bottom. Additional RSoP documentation is available on the Microsoft TechNet website.
To complete the wizard, perform the following steps:
Right-click and choose Run Group Policy Results Wizard.
Choose this computer or another computer.
Select a specific user.
Click Finish to complete the wizard.
The Default Domain Policy GPO and Default Domain Controllers Policy GPO apply to the entire domain and all domain controllers in the domain, respectively. Problems or improperly configured settings in either of these GPOs can have widespread effects. In the event that you encounter problems with either of these GPOs that are unable to be resolved by normal means, the dcgpofix command can reset either or both of these GPOs to their default settings.
To reset your Default Domain Policy and/or Default Domain Controllers Policy GPO to their default settings, perform the following steps:
Log on as a Domain Administrator to a Domain Controller.
Open an elevated command prompt.
Enter the parameter to reset:
dcgpofix /target:Domain
to reset the Domain GPO.
dcgpofix /target:DC
to reset the Default DC GPO.
dcgpofix /target:both
to reset both the Domain and Default DC GPOs.
After you enter the appropriate command in Step 3, enter Y to both prompts.
Close the command window.
For additional information on the dcgpofix command, refer to the Microsoft Technet website.
Though not as widespread, problems can occur if you have edited a machine's Local Security Policy. This policy can also be reset to its default settings with the following steps:
Log into an account with local administrative rights on the machine in question.
Click Start, Run, then enter "cmd
" in the prompt, then <Enter> to start a command session.
Enter secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
to reset Local Security Policy.
Source: Microsoft Technet discussion thread.