Issue: return a Resultant Set of Policy, RSOP, as a user without administrative rights.
Why? Because to get a full set of policies you have to launch the Command Prompt as Administrator, an account for which there is no Group Policy applied!
User Context – You want to see the computer policies and the currently active user's policies. But if your end user doesn't have local administrative rights, you have to run the gpresult commands below with elevated Administrator-level credentials – and you're now checking policies for the Administrator running the command, not the end user. Running with elevated privileges takes you out of the current user's context and runs as the. This is why the command prompt launches out of c:\windows\system32 and not the user's profile directory, or why a reg file export from Regedit isn't on the active Desktop; it's in the Desktop folder of the account you just ran as! Blah blah blah… on to the solution!!
Solution: Fire up the command prompt and slap the user name in there! Oh, and CD to a folder in your profile or in root for easier, non-UAC-protected access. I always make a temp folder in the root of C, old man over here. Next up, use /h to save the output as HTML and make up a filename ending in .html for viewing in a browser. More commands here – gpresult commands. Launch your newly created file in Internet Explorer and click Allow Blocked Content when prompted. There you have it: full computer and user policies for the current active non-administrator user!
Sample command for outputting RSOP to an HTML file for a non-admin user:
C:\temp>gpresult /user g.local /h gpr-glocal.html
- cd \temp (switch to a folder you can easily find and have full rights to)
- Gpresult is the command
- g.local would be whatever user you’re trying to capture RSOP for
- /h generates HTML formatted results
- gpr-glocal.html is the file name (can be anything you want, ending in .htm or .html)
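
The same steps as a PowerShell script, for running from an elevated session on the end user's machine. This is an added example, not part of the original post; it assumes the end user is logged on at the console (so `Win32_ComputerSystem.UserName` is populated) and adds gpresult's `/f` switch to overwrite an earlier report.

```powershell
# Added example: run from an elevated PowerShell session on the end user's machine.
# Assumption: the end user is logged on at the console (not only over RDP).
$ErrorActionPreference = 'Stop'

# Interactive console user, returned as DOMAIN\user; empty when nobody is at the console.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrWhiteSpace($consoleUser)) {
    throw 'No console user found; pass the account name to gpresult /user by hand.'
}

# Write to a folder outside any profile, as the post suggests (C:\temp).
$outDir = 'C:\temp'
if (-not (Test-Path -LiteralPath $outDir)) {
    New-Item -ItemType Directory -Path $outDir | Out-Null
}

# Build a report name from the user part of DOMAIN\user, e.g. gpr-g.local.html.
$leaf   = ($consoleUser -split '\\')[-1]
$report = Join-Path $outDir "gpr-$leaf.html"

# /user targets the end user's RSoP instead of the elevated account's,
# /h writes HTML, /f overwrites a report left over from an earlier run.
& gpresult.exe /user $consoleUser /h $report /f
if ($LASTEXITCODE -ne 0) {
    throw "gpresult failed with exit code $LASTEXITCODE"
}

Write-Output "RSoP for $consoleUser written to $report"
```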