7

Is there a way to get gpresult to work without never logging in to computer as an actual user?

Lets say UserA is logging in to computer XYZ. You login via TeamViewer to it or are there locally as AdminA, you right click Run As Administrator, type in your administative credentials you type in the famous gpresult /R command to get computer GPO's and it's simply not there. 

gpresult /R
INFO: The user adm.test does not have RSoP data.

You try to do it remotely and it fails as well... 

gpresult /S DDD9D5 /SCOPE COMPUTER /R
INFO: The user does not have RSoP data.

How to force it so you can actually get that data as Domain Admin or Administrator on that computer (but not a user) and a user that has never actually logged in to that computer?

For years I thought this was just "working" but it seems I've always been logged in to the computer via RDP or other means and it always worked. Now it doesn't... and I need a way to debug this properly.

Is my only option actually to login as standard user and then do the commands?

MadBoy
  • 3,725
  • 15
  • 63
  • 94
  • Looks like the correct way to do this is to not even use `gpresult` at all, but to use powershell, including `Get-GPResultantSetOfPolicy`. See: https://social.technet.microsoft.com/Forums/ie/en-US/fcee40ef-85e9-4abe-b0a5-d9a0555c5a23/running-gpresult-remotely-only-for-computer-policies?forum=winserverGP – Todd Wilcox Nov 13 '17 at 19:14

1 Answers1

8

Yes, it can be done without doing a interactive login, although you need to know a user that has actually done an interactive login on that computer. In your case, UserA would do it. Then, from an elevated prompt:

gpresult /user UserA /scope computer /r

Also, from a remote computer:

gpresult /s RemoteComputer /user UserA /scope computer /r

I really don't get why you need to specify a user when using /scope computer, but this is how it works...

curropar
  • 631
  • 3
  • 18
  • I always thought if you write /user UserA it would ask for user credentials. That's nice to know. Thanks – MadBoy Nov 15 '17 at 19:27
  • Me too; but you know, I was in the same position as you and trial error lead me to this ;-) Glad to help! – curropar Nov 16 '17 at 08:18
  • @curropar I think the piece you're probably missing -- and I'm going on experience here -- is loopback policies. thus the reason for the need to specify a user. Sometimes the user policies are superseding the computer settings because of such a configuration of your group policy object(s). Remember the purpose of RSoP is to generate the resulting set of policy as it would be evaluated, rather than simply a list and show you the "winners". – Kyp Nov 18 '17 at 06:03
  • It's the other way around: user policies override computer policies, except when there's a loopback policy. So RSoP of the computer makes sense in terms of getting the base configuration. Then of course, user policies will apply, and those policies will depend on the OU of the user, but that's a step further. – curropar Nov 19 '17 at 16:29