GPO Viewer is a tool I wrote back in 2002 to display which GPOs have been applied to a workstation by reading the results from the GPO engine that are stored in the registry of the machine. It can be used to read the GPO status of both local and remote workstations, the details of each workstation are displayed in a separate window to allow results from different machines to be compared.
I’ve dusted it off, updated the graphics, added some additional error checking, and updated some of the terminology to reflect the changes since I wrote it. GPO Viewer provides a graphical user interface to display the policies that have been applied to both the machine and users that have logged onto the workstation. It provides the ability to drill down on each policy and show the details of the GPO engine and in the case where a policy wasn't applied, the reasons why. It also has the ability to save the GPO status details to a file so the details can be reviewed later.
To retrieve the GPO details from a remote machine, the user context running the program must have administrator rights on the remote workstation and the remote registry service must be running.
The screenshoot below shows the results of the a scan against a domin controller.
The Open option on File menu is used to select the workstation that use which to scan. In the Select Computer dialog enter the name of the workstation you wish the scan or leave the field blank to scan the local machine.
The workstation result window is split into to two sections, the left handside for the machine based policies and right handside for the user policies. Both section provide similar details on the policies that have been applied, while the left handside only display one set of policies that have been applied to the machine, the User section displays all the users that have logged onto the machines and the policies that were applied to that user the last time the policy engine ran.
We will now breakdown each section and provides a little more information of the details that are displayed in each section, the details are the same for the computer and user policies, where there are differences these are called out below.
GPO Processing Status
The first three entries provide the details on the status of the policy engine, Operation Completed Normally is displayed if the engine completed without any errors, however, if an error occurred the error details will be displayed. Next is the start and finish times for the last time the Policy Engine ran. The Link Speed option is only displayed in the machine section, and will display a warning if the link speed test has been identified that the machine is connected to the domain controller over a slow link as defined by the policy configuration settings.
The policies that are applied are displayed next, they are listed in the order in which they are applied. For policies that have been applied a green icon is shown next to the name of the policy, if a policy is not applied a red icon is displayed. You can expand the item to display the details of the policy and the reasons why the policy was not applied.
When a policy is expanded it shows the details from the GPO engine. By default the icon colour for these items is blue, however, if an entry indicates that something failed, the icon will be red. The Policy Assigned or Policy Not Assigned shows if the computer or user has been assigned the Appy Policy right. GPO Section shows if the GPO section has been enabled, this is controlled by the GPO Status, i.e. User configuration settings disabled or Computer configuration settings disabled option in GPMC. If a section is enabled but the section doesn't contain any settings then a GPO Section is Empty entry will also be displayed. GPO GUID is the name of the group policy object in AD. Options displays if the policy has enforce option enabled or not, if the policy is set to enforce a padlock is shown next to the status icon. The SOM displays the OU to which the policy is linked in AD. The Version and Section Revision entries display the version details for the policy, which is either the computer or user section version number. WMI Filter Passed show the results of the WMI filter test, if there is no WMI filter applied to the policy the result will be true. The WMI Filter entry display the GUID of the WMI filter that is assigned to the policy.
This is the list of groups that the machines, or the user is a member of. This information is based on the machine's or user's access token and not the group membership in AD, as they can be different depending on when the machine was last rebooted, this can effect which policies are applied.
In this example the section is enabled, however the section is empty, so the GPO is reported as not being applied This common for the local policy.
In the next example the machine or user have not been assigned the Apply Policy permission and is reported as Policy Not Assigned, as a side effect the WMI filter is also marked as failed.
In this last example the WMI filter test has failed so the policy failed to be applied. The SOM reference for the WMI filter is displayed, you will need to use NetTools, GPO Explorer, WMI Filters, to determine the name and details of the filter.
The File menu has options to export and load the GPO engine results for both the computer and user details to a file, these files have a GVX file extension, these can then be reviewed later or when the machines is not available. As this uses registry fragments to save the details, you still need administrator or SE_RESTORE_NAME and SE_BACKUP_NAME user rights to load and view these files.