Issue: return a complete Resultant Set of Policy, RSoP, for a standard user logged in without full local admin rights.
Why is this an issue? User Context. To return full results for both Computer and User policies you have to run the command prompt with elevated Admin rights. And… because you’ve executed the command in the Admin user context you will return User policies for the Admin and not the currently logged in user.
User Context example – While logged in as a user without local admin rights, open Regedit via Run As Administrator. Now export a Reg Key to the Desktop and check your logged in users Desktop. Yep no file there! Because the file saved to the Desktop of the Admin user that ran the command: c:\users\*admin-username*\Desktop.
Solution: Fire up the command prompt and slap the username in there! Oh and CD to a folder in your profile or in root for easier non UAC protected access. I always make a temp folder in the root of C, old man over here. Next up use /h for saving output to HTML and make up a filename ending in .html for viewing in a browser. More commands here – gpresult commands. Launch your newly created file in Internet Explorer and click Allow Blocked Content when prompted. There you have it, full computer and user policies for the current active non administrator user!
gpresult syntax examples
- GPRESULT /R
- GPRESULT /H GPReport.html
- GPRESULT /USER targetusername /V
- GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
- GPRESULT /S system /U username /P password /SCOPE USER /V
- More about gpresult from Microsoft
gpresult example for outputting RSoP of your target user to an HTML file
- C:\temp> gpresult /user *targetusername* /h filename.html
- Utilize “targetusername” for your user and /h to output to a file
Create an HTML report for your Target User
- Search for CMD in the start menu
- Right click and choose Run As Administrator (if you don’t you will not get the full set of policies, even if the logged in user is a local administrator!)
- cd \temp (change to a folder you can easily find and have full rights to)
- gpresult is the command – all the Group Policies being applied to user and computer
- targetusername is the account you’re trying to capture RSoP for (g.local is the user in this example)
- /h generates HTML formatted results
- gpr-local.html is the file name (any name .htm or .html)
YES! I’ve been trying to crack this issue for a while. Thanks for the tip!