Group Policy tools


GPOTool is an older command-line tool that seems to still work fine on Windows 2008.  It’s purpose is to verify whether the GPT and GPC are synchronized throughout your Active Directory environment.  You can run the tool without any switches and it will check every GPO on every DC, which can quickly become a very cumbersome and lengthy process in a large enterprise environment.  Or, if you are only interested in a specific GPO, you can list it by name or GUID and GPOTool will return only the results you care about.  Also, if you are only interested in testing the policies as they appear on a particular Domain Controller, you can do that as well.

Here is an example of how you would use GPOTool in each case:

In this first screenshot, you can see that we’ve run GPOTool without any switches and it has returned a list of the policies it found, given us their name and GUID, and told us whether the policy was okay or not (if you ever get any other result than Policy OK, this points to GPT and GPC being out of sync).  If you use the /verbose switch, you will get a great deal more information about each policy, as I’ve shown below:

As you can see, if you really want to understand what’s happening under the hood, you’ll probably want to use the /verbose switch.  You can see quite a bit of additional information for each GPO, including:

  • GPO Name
  • Version of the GPO in Active Directory (GPC version)
  • Version of the GPO in SYSVOL (GPT version)
  • Whether user and/or machine side policies are configured

Of course, if you only care about a single GPO, you can run GPOTool with the /gpo switch and this will be your result:

As usual, you can set the /verbose switch and get additional information about this single GPO if you so desire.

Finally, if you only want to target a specific DC, just add the /dc switch and specify the fully-qualified name of the Domain Controller you want.  Below, I’ve combined all of the switches to get verbose details of a single GPO as it looks on one DC:

GPOTool is helpful to you in your troubleshooting, but don’t immediately jump to conclusions if it reports as inconsistent.  Because of the differences between FRS and AD replication, there may be some lag before you will see both the GPT and GPC replicated to each of your DCs.  If you test this and the inconsistency persists, however, you likely have an issue with either AD or FRS replication that needs to be investigated.


As I mentioned above, there will almost certainly be times when you need to make a change to a GPO and have it update immediately.  With GPUpdate, you can force the background refresh on a client to kick in immediately (note: you cannot force the foreground process through GPUpdate).  GPUpdate runs only on the local client since it’s telling the client to pull updates immediately and to do this, we need to be on the client that initiates the request.

GPUpdate is a command-line tool and it has a number of parameters that are of interest to us:

  • /Target: {Computer|User} – this switch allows your client to request only the machine or user-side settings from its GPOs.  If this switch is not used, both user and computer settings are updated
  • /Force – this switch causes your client to re-apply all of the policies assigned to it, though it only assigns policies that have been changed (it won’t cause the client to re-apply every setting if some of them have not been changed since the last update)
  • /Logoff – using this switch, you can force a logoff which will allow policies that process in the foreground to be processed
  • /Boot – this switch causes your client to reboot after the policies are applied (again, to allow for processing of policies that only apply after a reboot)

Here is an example of what this might look like in your environment:

As you can see, the interface doesn’t tell you much.  In this screenshot, I have asked my client to pull the computer-side settings for its GPOs and I’ve selected /force to ensure that the policies are refreshed.  This caused background processing to start immediately and we can see that it finished successfully.  If I had configured a particular setting on a GPO, I could run a tool like the Resultant Set of Policies (RSOP) to find out if that setting had taken effect.  If you’re doing troubleshooting and need to know whether policies are applying, this is probably the easiest way to verify policy updates are working.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: