How to Configure Windows Server 2016 Group Policy Results
Group Policy Results provides a real-world report of the policies that were actually processed during the last Group Policy refresh cycle on a live client machine. Unlike Group Policy Modelling, which simulates a hypothetical scenario on a domain controller, Group Policy Results queries the RSoP (Resultant Set of Policy) data stored on the client itself. This makes it the primary tool for diagnosing why a user or computer is or is not receiving a specific policy setting in production.
Running Group Policy Results from GPMC
In the Group Policy Management Console, expand the domain tree and right-click Group Policy Results. Select Group Policy Results Wizard. The wizard prompts you for:
Computer Selection: Choose This computer for the local machine, or Another computer and enter the target hostname. You need remote registry access (WMI) and Administrator rights on the target.
User Selection: Choose the user whose policy data to retrieve. Only users who have logged on to that machine are available. Optionally choose Do not display user policy settings to report only computer policy.
The wizard connects to the remote machine via WMI and retrieves the stored RSoP data, then renders it as an HTML report in the GPMC right pane.
Generating a Results Report from the Command Line
For remote machines or scripted workflows, gpresult is the most efficient approach. Generate an HTML report for a specific user on a remote computer:
gpresult /s RemotePC01 /user CONTOSO\jsmith /h C:\Reports\GPResult_jsmith.html /f
Generate a report for the current user and machine in text format:
gpresult /r
Include verbose output with all applied settings:
gpresult /v > C:\Reports\GPResult_verbose.txt
Super-verbose mode, which includes all possible settings and their sources:
gpresult /z > C:\Reports\GPResult_superverbose.txt
Reading the Results Report
The HTML report is divided into two sections: Computer Configuration and User Configuration. Each section shows:
Summary: The domain name, site, OU of the object, last refresh time, and whether slow link processing was detected. The refresh timestamp is critical—if it is many hours old, the client may not be communicating with a domain controller.
Applied GPOs: GPOs are listed in application order; the GPO applied last has the highest precedence and wins any conflict. Each entry shows the GPO name, link location, and whether it was enforced.
Denied GPOs: GPOs that were linked to a parent OU but not applied. Common reasons include Empty (no settings), WMI Filter (filter evaluated false), Disabled, and Inaccessible (Access Denied)—the last indicating a missing Read permission.
Settings: Each applied setting is shown with the GPO that provided the winning value, enabling conflict analysis.
Comparing Expected vs Actual Policy
If a setting is not applied as expected, use both Group Policy Modelling and Group Policy Results reports side by side. Run Modelling for the same user and computer combination, then compare the Applied GPOs lists. Any GPO that appears in Modelling but not Results (or vice versa) points to the cause of the discrepancy.
Check the last refresh time in the Results report:
gpresult /r | Select-String "Last time Group Policy was applied"
If the timestamp is stale, force a refresh:
Invoke-Command -ComputerName RemotePC01 -ScriptBlock { gpupdate /force }
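The refresh-time check above and the Denied GPOs reasons from the report can be pulled out of the gpresult /r text in one pass. The following is an added example, not code from the original article: the function name Get-GpResultSummary, the 8-hour staleness threshold and the sample output are assumptions made for illustration, and the parser assumes en-US gpresult output.

```powershell
# Added example, not the article's code. Assumes en-US `gpresult /r` text output.
function Get-GpResultSummary {
    param([string[]]$Lines, [datetime]$Now = (Get-Date), [int]$StaleHours = 8)  # 8 h: assumed
    $cur = $null; $mode = $null; $gpo = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t -match '^-+$') { continue }      # blank lines and underlines
        if ($t -match '^(COMPUTER|USER) SETTINGS$') {          # a new scope starts
            if ($cur) { $cur }                                 # emit the finished scope
            $cur = [pscustomobject]@{ Scope = $Matches[1]; LastApplied = $null; Stale = $null; Applied = @(); Filtered = @() }
            $mode = $null
        }
        elseif (-not $cur) { continue }                        # banner before first scope
        elseif ($t -match '^Last time Group Policy was applied:\s*(.+)$') {
            $when = $Matches[1] -replace ' at ', ' '           # "3/1/2024 at 9:12:05 AM"
            $cur.LastApplied = [datetime]::Parse($when, [cultureinfo]'en-US')
            $cur.Stale = ($Now - $cur.LastApplied).TotalHours -gt $StaleHours
        }
        elseif ($t -eq 'Applied Group Policy Objects') { $mode = 'applied' }
        elseif ($t -like 'The following GPOs were not applied*') { $mode = 'filtered' }
        elseif ($t -like 'The * is a part of the following security groups') { $mode = $null }
        elseif ($mode -eq 'applied' -and $t -ne 'N/A') { $cur.Applied += $t }
        elseif ($mode -eq 'filtered') {
            if ($t -match '^Filtering:\s*(.+)$') {             # reason follows the GPO name
                $cur.Filtered += [pscustomobject]@{ Gpo = $gpo; Reason = $Matches[1] }
            } elseif ($t -notmatch '^WMI Filter:') { $gpo = $t }
        }
    }
    if ($cur) { $cur }                                         # emit the last scope
}
# Constructed sample of `gpresult /r` output (not captured from a real host)
$sample = @'
COMPUTER SETTINGS
------------------
    Last time Group Policy was applied: 3/1/2024 at 9:12:05 AM
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Kiosk Lockdown
            Filtering:  Denied (WMI Filter)
            WMI Filter: Is Kiosk
        Local Group Policy
            Filtering:  Not Applied (Empty)
'@ -split "`r?`n"
Get-GpResultSummary -Lines $sample -Now ([datetime]'2024-03-02T10:00:00') | Format-List
```

On a live machine, pass the real output instead of the sample: Get-GpResultSummary -Lines (gpresult /r).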
Bulk Results Collection Across Multiple Machines
For auditing or change validation across a group of machines, collect results in bulk:
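# Requires the ActiveDirectory module (RSAT) and an existing C:\Reports folder
$computers = Get-ADComputer -Filter {OperatingSystem -like "*Windows 10*"} |
    Select-Object -ExpandProperty Name
foreach ($pc in $computers) {
    # gpresult is a native executable: it does not throw a PowerShell exception,
    # so success is judged by its exit code rather than try/catch
    gpresult /s $pc /h "C:\Reports\$pc.html" /f 2>$null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Collected: $pc"
    } else {
        Write-Warning "Failed: $pc - gpresult exit code $LASTEXITCODE"
    }
}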
Automating Results Collection with Invoke-Command
For environments with WinRM enabled, use PowerShell remoting to gather RSoP data more efficiently:
Invoke-Command -ComputerName RemotePC01 -ScriptBlock {
    # Computer-scope RSoP data lives in the root\rsop\computer WMI namespace
    $rsop = Get-WmiObject -Namespace "root\rsop\computer" -Class "RSOP_Session"
    $rsop | Select-Object CreationTime, UserSID, Flags
}
Group Policy Results is the definitive record of what happened, not what should have happened. Making it part of your incident response and change validation workflows ensures that Group Policy troubleshooting is data-driven rather than guesswork.