Solution: The user “DOMAINuser” does not have RSOP data. Troubleshooting RSoP: link. May not be that helpful though. It sounds like that the workstations are not picking up the replaced policies – the issue is that they seem to have corrupted policies as well. You could try resetting the accounts in AD – but this has never really worked for me. Gpresult /user myAccount /v C: dev me.txt -Ensure C: Dev me.txt exists. Another option is to display summary information only which may be entirely visible in the command window: gpresult /user myAccount /r. The accounts are listed under the heading: The user is a part of the following security groups -.
GPResult is a command-line utility for determining the resultant set of policy for a given user and/or computer. In other words, it shows you what Group Policy Objects have been applied and their settings. This is typically one of the first tools I go to when troubleshooting Group Policy from a client once basic connectivity has been confirmed (e.g. Network/DNS). The tool itself is very simple to use and I will run through some common examples below.
List GPOs Applied with Summary Data
/r
Displays RSOP summary data
This is pretty useful when you simply want to see what GPOs have applied and in what order. It will also display summary data, such as last time group policy was applied, which Domain Controller it was applied from, the site, security groups and if the slow link threshold has been activated. If you are unsure if a GPO has been applied, this is a quick way of checking.
Here we see that 4 GPOs have applied to the Computer settings portion.
If you don’t want to view both Computer and Users settings in the output you can request one or the other with the /scope
flag.
The output reads fairly well from within the command prompt, but if you need to export the output you could use either of the following.
Gpresult /r > gpresult.txt
Export output to a text fileGpresult /r |clip
Export output to Windows clipboard
I can’t see the Computer Settings?
If UAC is enabled, running GPResult without elevating the command prompt will only show you the user settings. If you want to see both user and computer settings, elevate the command prompt by either tapping the winkey+cmd then ctrl+shift+enter or right click on the command prompt and select run as administrator. If you elevate with an admin account different to the currently logged in user (common if the user does not have administrator rights), then you will receive an error message stating INFO: The user “domainuser” does not have RSOP data. This is because GPResult is using the elevated user’s context. To work around this, specify the standard user that you are troubleshooting.
Generate HTML Report
/h
Saves the report in HTML format/f
Forces GPresult to overwrite the file name specified with /h/user
Specifies the user name for which the RSOP data is to be displayed
To get a more graphical view of what’s going on, you can generate a HTML report. This gives a detailed break down of each setting and the GPO from which it came. This view is particularly nice as you can show all and use ctrl+f to find a particular policy or setting.
Run GPResult on Remote Computer
/s
Specifies the remote system to connect to
Powershell Error Rsop Data
This allows you to run GPResult on a remote system, all of the above applies.
Info The User Does Not Have Rsop Data
The following GPOs were not applied because they were filtered out
You may see this for a few reasons. The first that the policy is empty in which case you’ll see Filtering: Not Applied (Empty), this is fairly self explanatory. The second is Filtering: Denied (Security), which typically boils down to the “Apply Group Policy” permission on the GPO. You may also see Filtering: Denied (Unknown Reason) which is similar to (Security) in that the “Read” permissions has been denied.
To review the last two examples, launch the GPMC (Group Policy Management Console). Find the offending GPO, and select Delegation- from there you may see an additional group or a single user or machine that has been added.
Click on advanced and review the permissions against the object. In this case you can see that the Seven computer object has been denied Apply Group Policy resulting in the Filtering: Denied (Security) message.
If in doubt, select Advanced -> Effective Access and enter the required computer or user object. If you scroll down to around halfway you’ll see the Apply Group Policy permission with either a green tick of a red cross against it. If deny read has been granted every permission will have a red cross next to it.
The User Does Not Have Rsop Data
I hope this gives you the basics behind GPResult and some good real world example to aid in your Group Policy troubleshooting.