none
Running gpresult remotely only for computer policies

    Question

  • Hi guys,

    I have always had problems running gpresult remotely when going only for computer policies.  If I run the command "gpresult /r /s computername /SCOPE COMPUTER" why does it come back and tell me that my account has no RSOP data?  Is there a better way to do this?  I do not care about the USER GPOs(hence the /SCOPE COMPUTER), but it tries to make me look up accounts that have logged onto the computer before and then will ask for their passwd if I specifiy their account using the /u options.  I know I must be missing something simple, but just cannot figure out what it is.  My account is an admin on the remote computers, but I have never logged on to those computers before.  My guess is the /R is trying to gather user info, but I have tried other options as it seems to require either /R, /X, /H, /V but all those options have same issue.  I know it must be a simple syntax issue, but can anyone help me with a simple method to gather a list of computer GPOs that have been applied to a computer remotely?  If anyone knows of anything easier way through psexec or something like that, let me know.  I know I can run rsop against remote computer, but that is not what I am looking for. 

    Thanks,

    Dan


    Dan Heim
    • Edited by dheim Tuesday, January 17, 2012 5:37 PM
    Tuesday, January 17, 2012 5:36 PM

Answers

  • Hi Dan,

    See here - at the bottom of the page there is a script by Darren Mar-Elia which might work for your situation.

    Best regards,

    Vlad


    " Never panic before reboot ! "
    • Marked as answer by dheim Wednesday, January 25, 2012 3:27 PM
    Wednesday, January 25, 2012 2:11 AM

All replies

  • Hi,

    Based on my test, gpresult /r /s computername /SCOPE COMPUTER can get the correct gpresult.log.

    I'd like to confirm you run the command with a local administrator.

    If the OS version is vista or later, please also try to disable the UAC or run the command with elevated permission.


    Best Regards
    Elytis Cheng


    Please remember to click “Mark as Answer” on the post that

    Elytis Cheng

    TechNet Community Support

    Wednesday, January 18, 2012 1:52 AM
    Moderator
  • Hi Elytis,

    I think you are incorrect on this one.  My account is a local admin and I do run the command with eleveted permissions with the same result.  The reason it might have worked for you is if you run the command against a computer that you have personally connected to before, contains your profile, then it will complete successfully.  Since we have thousands of computers that I have not logged into, it is very tough for me to remotely get the gpresults for their computer account.  I think it is a bug with the Microsoft software. Anytime you use the /s switch along with /SCOPE COMPUTER, it forces you to use a switch that wants to pull user information.  If you have never logged onto those computers before, it just will not work, even though you are just trying to gather the gpresults for the computer GPOs.


    Dan Heim
    Monday, January 23, 2012 6:47 PM
  • Have you tried the use of psexec tool ?
    " Never panic before reboot ! "
    Tuesday, January 24, 2012 12:32 AM
  • Yes - I tried psexec and have failed with that as well.  If it works for you on a computer, without your profile already on it, please let me know the command you ran.

    Thanks


    Dan Heim
    Tuesday, January 24, 2012 4:16 AM
  • Yes - I tried psexec and have failed with that as well.  If it works for you on a computer, without your profile already on it, please let me know the command you ran.

    Thanks


    Dan Heim


    I used the command like : psexec \\computername -u domain\username gpresult

    You can also use psexec \\computername -u .\username gpresult (local user = local admin account on the distant computer, not yours)

    This command will ask you for the password and then will proceed with the execution of the gpresult command.

    The gpresult in fact is starting a rsop querry (if I am not mistaken). So, if you want to get the rsop for a User account, you should use this user account in the querry. When using a local user account, you should get only the GPO at Computer level and not User level. But again, it depends on what you are looking for.


    " Never panic before reboot ! "
    • Edited by Voldar Tuesday, January 24, 2012 4:08 PM
    Tuesday, January 24, 2012 4:01 PM
  • P.S. You can always use the gpmc console and get rsop of whatever computer you want (if in your AD, of course).
    " Never panic before reboot ! "
    • Edited by Voldar Tuesday, January 24, 2012 4:21 PM
    Tuesday, January 24, 2012 4:10 PM
  • This is not working.  I ran that exact command under my username with elevated permissions and it asked for my passwd and then gave me the error "DOMAIN\username" does not have rsop data.  I am just trying to retrieve computer policy results remotely
    Dan Heim
    • Edited by dheim Tuesday, January 24, 2012 4:18 PM
    Tuesday, January 24, 2012 4:18 PM
  • Hi Dan,

    Ok, I see your problem. In my domain, I have the same local admin account with the same password (changed every 90 days) on each workstation. And at least one time this local account was connected on the computer. So, I used the second command to retrieve the information about the computer GPO, but not using my personal domain account but the local admin account.


    " Never panic before reboot ! "
    • Edited by Voldar Tuesday, January 24, 2012 4:28 PM
    Tuesday, January 24, 2012 4:27 PM
  • I am having problems running rsop remotely as well.  Maybe I am missing something that I should put in a policy for all the workstations?  If I run either dsa.msc, as admin, or mmc, as admin, and use the tool to only gather RSOP data from a remote computer I am getting "Access is Denied" and I tried mutiple computers, which I double-checked and I am an administrator on.
    Dan Heim
    Tuesday, January 24, 2012 4:27 PM
  • I figured it is something like that.  I work for a large company and my account has never logged onto most of the workstations, laptops, kiosks, etc.  This looks like a Microsoft bug as I just want to gather group policy results remotely, and could care less about any user policies
    Dan Heim
    • Edited by dheim Tuesday, January 24, 2012 4:30 PM
    Tuesday, January 24, 2012 4:29 PM
  • Hi Dan,

    Is it possible your firewall on the workstations is the one that is messing with you ? Because as far as I know, rsop is WMI based... so the problem might be here.


    " Never panic before reboot ! "
    Tuesday, January 24, 2012 4:34 PM
  • I will check that because that makes more sense
    Dan Heim
    Tuesday, January 24, 2012 4:37 PM
  • I second Voldar. GPRESULT and RSOP both need WMI connectivity. UAC and Firewall policies may be a reason. Try connecting to the remote computer via WMI.

    Connecting to WMI on a Remote Computer
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa389290%28v=vs.85%29.aspx

    Regards,
    Amit Saxena (Microsoft).
    Please remember to use “Mark as Answer” or "vote as helpful" on the posts that help you.

    Keep Walking!
    Tuesday, January 24, 2012 4:45 PM
  • I am checking and do not think it is a firewall problem.  So you guys are telling me that you have no problems gathering gpresult info from remote computers that you do not have a profile on?
    Dan Heim
    • Edited by dheim Tuesday, January 24, 2012 5:01 PM
    Tuesday, January 24, 2012 5:01 PM
  • Hi Dan,

    I can confirm that psexec \\computername gpresult does not work IF there is no user profile on the machine with the name of the user that starts the command. The message will be (and this even using the /scope computer option) :

    INFO: The user "domain\username" does not have RSOP data.
    gpresult exited on computername with error code 0.

    I can also confirm that using the GPMC console I CAN retrieve the RSOP of any computer on my domain, whether I have been or not logged on it before.

    Hope it helps you in the resolution of your problem.


    " Never panic before reboot ! "
    • Edited by Voldar Tuesday, January 24, 2012 6:46 PM
    Tuesday, January 24, 2012 6:28 PM
  • Hey Voldar,

    I do think WMI/RPC might be getting blocked coming back.  That explains the issue with RSOP no longer working properly, but not an answer for the original thread with being able to run gpresult remotely against any computer, that you have never logged on before.  If anyone does get that to work, please let me know.  Thanks for your help and for stating what does work and what does not work.  I basically get the same results with psexec and gpresult, even though I only want to view what computer GPOs were applied to a remote machine.  There might be some 3rd party admin utilities to help with this, but I do not know of any.

    Thanks,

    Dan


    Dan Heim
    Tuesday, January 24, 2012 10:12 PM
  • Hi Dan,

    See here - at the bottom of the page there is a script by Darren Mar-Elia which might work for your situation.

    Best regards,

    Vlad


    " Never panic before reboot ! "
    • Marked as answer by dheim Wednesday, January 25, 2012 3:27 PM
    Wednesday, January 25, 2012 2:11 AM
  • > computer policies. If I run the command "gpresult /r /s /computername/
    > /SCOPE COMPUTER" why does it come back and tell me that my account has
    > no RSOP data?
     
    gpresult has many bugs in it and it is quite outdated. Drop it in favor
    of using gpmc.msc (interactively) or the GPMC COM interface (fully
    scriptable).
     
    sincerely, Martin
     

    A bissle "Experience", a bissle GMV... Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, January 25, 2012 10:20 AM
  • Thanks Voldar.  I guess it is good to know that gpresult does not work very well, but that script looks like a decent work-around
    Dan Heim
    Wednesday, January 25, 2012 3:27 PM