Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules which control the working environment of user accounts and computer accounts.
Group Policy in part controls what users can and can't do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.
Command-line tools for Group Policy
- Gpresult: You can use this tool to see what policy is in effect. Gpresult is useful for troubleshooting.
- Gpupdate: This tool causes policy to be refreshed immediately, and it permits certain options to be specified on the command line. Gpupdate replaces and improves the Windows 2000 command secedit /refreshpolicy.
Intended for administrators, the Group Policy Results (GPResult.exe) command line tool verifies all policy settings in effect for a specific user or computer. Administrators can run GPResult on any remote computer within their scope of management. By default, GPResult returns settings in effect on the computer on which GPResult is run.
To run GPResult on your own computer:
- 1. Click Start, Run, and enter cmd to open a command window.
- 2. Type gpresult and redirect the output to a text file as shown in screen-shot below.
Figure: Directing GPResult data to a text file
- 3.Enter notepad gp.txt to open the file. Results appear as shown in the screen-shot below.
Figure: Verifying policies with GPResult
GPResult Syntax
gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user|computer}] [/v] [/z]]
Parameters
- /s Computer : Specifies the name or IP address of a remote computer. (Do not use backslashes.) The default is the local computer.
- /u Domain\User : Runs the command with the account permissions of the user that is specified by User or Domain\User. The default is the permissions of the current logged-on user on the computer that issues the command.
- /p Password : Specifies the password of the user account that is specified in the /u parameter.
- /user TargetUserName : Specifies the user name of the user whose RSOP data is to be displayed.
- /scope {user|computer} : Displays either user or computer results. Valid values for the /scope parameter are user or computer. If you omit the /scope parameter, gpresult displays both user and computer settings.
- /v : Specifies that the output display verbose policy information.
- /z : Specifies that the output display all available information about Group Policy. Because this parameter produces more information than the /v parameter, redirect output to a text file when you use this parameter.
- /?: Displays help at the command prompt.
Gpupdate
Refreshes local and Active Directory-based Group Policy settings, including security settings. This command supersedes the now obsolete /refreshpolicy option for the secedit command.
Syntax
gpupdate [/target:{computer|user}] [/force] [/wait:value] [/logoff] [/boot]
Parameters
- /target:{computer|user} : Processes only the Computer settings or the current User settings. By default, both the computer settings and the user settings are processed.
- /force : Ignores all processing optimizations and reapplies all settings.
- /wait:value : Number of seconds that policy processing waits to finish. The default is 600 seconds. 0 means "no wait"; -1 means "wait indefinitely."
- /logoff : Logs off after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the user logs on, such as user Software Installation and Folder Redirection. This option has no effect if there are no extensions called that require the user to log off.
- /boot : Restarts the computer after the refresh has completed. This is required for those Group Policy client-side extensions that do not process on a background refresh cycle but that do process when the computer starts up, such as computer Software Installation. This option has no effect if there are no extensions called that require the computer to be restarted.
- /?: Displays help at the command prompt.
