Issue: return a Resultant Set of Policy, RSOP, as a user without full local admin rights.
Why is this an issue? User Context. To return full results for both Computer and User policies you have to run the command prompt with elevated Admin rights. And because you’ve executed the command in the Admin user context you will return User policies for the Admin and not the currently logged in user.
User Context example – While logged in as a non administrative user, open Regedit via Run As Administrator. Now export a Reg Key to the Desktop and check your Desktop. Yep no file there! Because the file saved to the Desktop of the user that ran the command:
Solution: Fire up the command prompt and slap the username in there! Oh and CD to a folder in your profile or in root for easier non UAC protected access. I always make a temp folder in the root of C, old man over here. Next up use /h for saving output to HTML and make up a filename ending in .html for viewing in a browser. More commands here – gpresult commands. Launch your newly created file in Internet Explorer and click Allow Blocked Content when prompted. There you have it, full computer and user policies for the current active non administrator user!
Sample command for outputting RSOP to an HTML file for a non admin user
C:\temp>gpresult /user *username* /h gpr-glocal.html
- Search for CMD
- Right click and choose Run As Administrator (if you don’t you will not get the full set of policies, even if the logged in user is a local administrator)
- cd \temp (change to a folder you can easily find and have full rights to)
- gpresult is the command
- username is the account you’re trying to capture RSOP for (g.local in example below)
- /h generates HTML formatted results
- gpr-local.html is the file name (any name .htm or .html)