A group was created in the Active Directory Users and Computers to give local admin rights to certain users on our domain. After taking over management of this system from a previous employee I am unable to find what group policy objects are applied to this specific group in Group Policy Management.
Is there a way I can search for or view GPOs applied to this group?
You would likely want to use the Resultant Set of Policy (RSOP) tool, which is outlined at the bottom of this Technet article.
1. From your client machine, go to Start/Run and open a blank MMC by typing mmc.exe.
2. Within the blank MMC console go to File and choose Add/Remove Snap-in....
3. From the Add or Remove Snap-ins window, scroll down until you see the Resultant Set of Policy snap-in. Highlight it and select the Add button.
From here, the are two modes. "Planning" and "Logging." You are likely looking for planning, which would allow you to view what policies would apply if an object were located within a certain group or OU.
I wrote a script that I think will do this:
$groupname = "domain.com\group.name"
$AllGPOs = Get-GPO -all | sort DisplayName #| Where-Object {$_.Displayname -like "whatever.*"}
Write-Host "Found $($AllGPOs.Count) GPOs in the domain!"
Foreach($gpo in $AllGPOs) {
Write-Host "Checking $($gpo.DisplayName)..."
get-gppermission -Guid $gpo.Id -TargetName $groupname -targettype Group -ErrorAction SilentlyContinue
}
gpresult /z > results.txt on a given computer that is having the issue if #1 above doesn't get you where you want. This might help determine that even though the modeling wizard says it should be getting a certain GPO what is actually transpiring on the client itself along with error codes, etc.