gpresult & gpupdate — Group Policy Diagnostics and Refresh

What it is

gpresult and gpupdate are the two CLI tools that every Windows admin uses to answer the question "why isn't this Group Policy applying the way I expect?". gpresult is the diagnostic — it prints (or saves as an HTML report) the Resultant Set of Policy (RSoP) for a given user and computer, showing exactly which Group Policy Objects applied, which were filtered out, and which settings won. gpupdate is the verb — it forces an immediate background refresh of policy from the domain controller (or local policy on a workgroup machine) without waiting for the default 90-minute interval. Both ship in C:\Windows\System32\ on every Windows version since Vista and require a console run as the user whose policy you care about (the local machine context is always available; querying another user usually needs admin).

When to use which

These two tools are typically run back-to-back during GPO troubleshooting: change a GPO on the DC, run gpupdate /force on the client, then run gpresult to confirm it actually applied.

Group Policy refresh cadence is important context: domain members refresh every 90 minutes + 0–30 minutes random offset by default; domain controllers refresh every 5 minutes. Computer policy applies at boot, user policy at logon; both refresh in the background after that. Some categories (folder redirection, software install) only apply at logon/boot — /force alone won't trigger them without /logoff or /boot.

gpresult — Resultant Set of Policy

gpresult.exe reads the policy results that the Group Policy engine cached the last time it applied (%WINDIR%\System32\GroupPolicy\ plus a WMI namespace). It does not re-query the DC — it shows what is currently in effect on this box.

Syntax

gpresult has three primary output modes: /r (short text), /v (verbose text), and /h <file> (HTML report). /x produces XML. Scope and user filters narrow what's reported.

gpresult [/S host [/U user [/P pwd]]] [/SCOPE {USER|COMPUTER}] [/USER targetuser] {/R | /V | /Z | /X file.xml | /H file.html [/F]}

Output: (varies — text or written file)

Essential options

The quick summary — /r

/r is the everyday invocation. It prints the user/computer name, domain, security groups, applied GPOs, and any denied GPOs.

gpresult /r

Output:

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
(C) 2018 Microsoft Corporation. All rights reserved.

Created on 5/24/2026 at 10:14:22 AM

RSOP data for CONTOSO\Alice on MYHOST : Logging Mode
---------------------------------------------------------

OS Configuration:            Member Workstation
OS Version:                  10.0.26100
Site Name:                   Default-First-Site-Name
Roaming Profile:             N/A
Local Profile:               C:\Users\Alice
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
    CN=MYHOST,OU=Workstations,DC=contoso,DC=local
    Last time Group Policy was applied: 5/24/2026 at 9:43:11 AM
    Group Policy was applied from:      dc01.contoso.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Security Baseline
        Disable LLMNR
        BitLocker Required

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Server Hardening
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Authenticated Users
        Domain Computers
        Workstations

USER SETTINGS
--------------
    CN=Alice,OU=Users,OU=NewYork,DC=contoso,DC=local
    Last time Group Policy was applied: 5/24/2026 at 9:43:14 AM
    Group Policy was applied from:      dc01.contoso.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CONTOSO
    Domain Type:                        Windows 2008 or later

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Map Network Drives
        Restrict Control Panel

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Helpdesk Tools
            Filtering:  Denied (Security)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        NewYork Users
        Authenticated Users

Filtering by scope

When you only care about one side, /scope skips the other half and runs faster. Common during user-policy troubleshooting where the computer-side is enormous.

gpresult /r /scope:user

Output:

USER SETTINGS
--------------
    CN=Alice,OU=Users,OU=NewYork,DC=contoso,DC=local
    Last time Group Policy was applied: 5/24/2026 at 9:43:14 AM
    ...
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Map Network Drives
        Restrict Control Panel

gpresult /r /scope:computer

Output:

COMPUTER SETTINGS
------------------
    CN=MYHOST,OU=Workstations,DC=contoso,DC=local
    Last time Group Policy was applied: 5/24/2026 at 9:43:11 AM
    ...
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Security Baseline
        Disable LLMNR
        BitLocker Required

Verbose — /v

/v extends /r with every setting that was applied: registry settings, scripts, software installations, folder redirections. Output runs to hundreds of lines — pipe to a file or more.

gpresult /v > gp.txt
notepad gp.txt

Output: (writes file, no console output)

rem Just the registry settings under user-scope
gpresult /v /scope:user | findstr /C:"Registry Setting"

Output:

        Registry Setting (Enabled): NoControlPanel
        Registry Setting (Enabled): DisableLockWorkstation
        Registry Setting (Enabled): RestrictRun

The HTML report — /h

This is the deliverable for any non-trivial policy debugging or audit. The HTML report is color-coded (applied = green, denied = red, error = yellow), includes every setting with its winning GPO, and is what Microsoft Premier Support will ask for first. Use /f to overwrite an existing file.

gpresult /h C:\Audit\rsop.html /f

Output:

INFO: Creating report in C:\Audit\rsop.html ...

rem Open it in the default browser
start C:\Audit\rsop.html

Output: (browser opens)

The report has three main sections:

• Summary — user, computer, last refresh time, slow link, errors.
• Computer Details / User Details — each applied GPO + every setting with its winning GPO and value.
• Component Status — per-extension success/failure (Registry, Scripts, Folder Redirection, Software Installation, etc.).

XML report — /x

For automation, /x produces a machine-readable XML dump that can be parsed with PowerShell or xmlstarlet.

gpresult /x C:\Audit\rsop.xml /f

Output:

INFO: Creating report in C:\Audit\rsop.xml ...

# Parse applied GPO names from the XML
[xml]$r = Get-Content C:\Audit\rsop.xml
$r.Rsop.ComputerResults.GPO | Select-Object Name, Enabled, AccessDenied

Output:

Name                              Enabled AccessDenied
----                              ------- ------------
Default Domain Policy             true    false
Workstation Security Baseline     true    false
Server Hardening                  false   true

Querying a remote machine

/s <host> runs gpresult against another computer. The querying user must be admin on the target; Remote Procedure Call (RPC) endpoints must be reachable.

gpresult /s srv01 /r

Output:

RSOP data for CONTOSO\Alice on SRV01 : Logging Mode
---------------------------------------------------------
...

rem Alternate credentials
gpresult /s srv01 /u CONTOSO\Alice /p P@ssw0rd /r

Output:

RSOP data for CONTOSO\Alice on SRV01 : Logging Mode
...

Querying a different user on this machine

The signed-in user is queried by default. Pass /user <name> (admin required) to inspect another currently-signed-in user.

rem List who has cached policy data on this box
gpresult /h "%TEMP%\me.html" /f

Output:

INFO: Creating report in C:\Users\Alice\AppData\Local\Temp\me.html ...

rem Report as another logged-on user (admin only)
gpresult /user CONTOSO\Bob /r

Output:

RSOP data for CONTOSO\Bob on MYHOST : Logging Mode
...

Quick error reasons

The /r output's "GPOs were not applied because they were filtered out" section gives a one-word reason per denied GPO. Decode it before diving deeper.

gpupdate — refresh policy

gpupdate.exe signals the Group Policy engine to evaluate policy immediately. It does not change any GPOs — it just downloads, evaluates, and applies the current set.

Syntax

gpupdate is simple: a verb-less command with switches. With no arguments, it triggers a background refresh of any changed settings on both user and computer sides.

gpupdate [/target:{computer|user}] [/force] [/wait:N] [/logoff] [/boot] [/sync]

Output: (status lines on success, errors on failure)

Essential options

The default invocation

gpupdate alone refreshes both user and computer policy in the background. It returns immediately while the engine continues working — use /wait to block.

gpupdate

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Force — reapply everything

/force tells the engine to apply every setting regardless of whether the GPO version number has changed. Use it after you suspect a setting reverted or a GPO change isn't being noticed.

gpupdate /force

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Refreshing one side only

If you know only the user-side or only the computer-side changed, halve the work with /target.

gpupdate /force /target:user

Output:

Updating policy...

User Policy update has completed successfully.

gpupdate /force /target:computer

Output:

Updating policy...

Computer Policy update has completed successfully.

Handling extensions that need logoff or reboot

Some policy categories can't be applied while the user is logged on or while computer-side extensions are running. /logoff and /boot schedule the appropriate action automatically.

rem Folder Redirection only applies at logon — schedule a forced logoff
gpupdate /force /logoff

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

A logoff is required for the following settings to take effect:

    Folder Redirection
    Drive Maps

The system is going to log off now. Continue with logoff? (Y/N)

rem Software install policy applies only at boot
gpupdate /force /boot

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

A reboot is required for the following settings to take effect:

    Software Installations

The system will reboot now to apply the policy changes.

Waiting for completion

By default gpupdate returns immediately and the actual refresh continues in the background. /wait:N blocks for up to N seconds; /wait:-1 waits forever.

gpupdate /force /wait:120

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Synchronous next refresh

/sync tells the engine that its next background refresh should be foreground (synchronous). Useful for ensuring a script step waits for full extension processing before continuing.

gpupdate /target:computer /sync

Output:

Updating policy...
The system will be rebooted so that the changes can be applied.

(The system will reboot at the next scheduled refresh — usually within seconds.)

Common pitfalls

1. gpresult shows cached data — it does NOT re-query the DC. Run gpupdate /force first if you've just made a change on the DC.
2. /r on a new user shows "no data available" — RSoP isn't recorded until the user has logged on at least once. The fresh-OOBE user must sign in to populate WMI.
3. gpresult /h denies output if file exists — must use /f to overwrite, otherwise the command fails with "the report cannot be created".
4. /user <name> only works for currently-loaded users — you cannot query a user who has never logged on; the engine has no RSoP for them.
5. gpupdate /force doesn't update everything — Folder Redirection, Drive Mapping, Logon Scripts, and Software Installation only run at user logon or computer boot, not on background refresh. Use /logoff or /boot for those.
6. Slow link detection skips some extensions — over a < 500 kbps link, certain heavy extensions (Software Install, Folder Redirection) are skipped. gpresult reports Connected over a slow link? Yes.
7. Block inheritance + enforced GPOs interact — a GPO marked Enforced on a parent OU overrides Block Inheritance on the child. The /r output won't always explain this clearly — read the HTML report's Applied GPOs order.
8. Loopback processing changes user-scope semantics — when a GPO sets User Group Policy loopback processing mode to Replace or Merge, the user-side GPOs that apply are those linked to the computer's OU, not the user's. Confusing during troubleshooting.
9. Anti-virus on \\sysvol\<domain>\Policies — third-party AV scanning SYSVOL can make policy fetch slow enough to time out (/wait:600 boundary). Exclude the path on file servers.
10. gpupdate exits 0 even when extensions failed — the Updating policy messages report success per side, but individual extensions can have failed. Check Event Viewer → Applications and Services Logs → Microsoft → Windows → GroupPolicy/Operational for per-extension errors.
11. Local GPO is rarely the culprit on domain-joined boxes — domain policy overwrites it. gpresult /r shows Local Group Policy: Not Applied (Empty) on most domain members, which is normal.
12. gpresult /s over RPC needs WMI on remote — the WMI service must be running on the target machine; firewalls must allow DCOM (TCP 135 + dynamic ports). PSRemoting (Invoke-Command) is a more modern alternative.
13. /p cannot be combined with /x or /h — Microsoft Learn explicitly notes that the password parameter is incompatible with XML or HTML output modes; supplying both returns "Invalid syntax". Drop /u and /p when generating reports, or run the report locally.
14. ARM64 /h quirk — on ARM64 versions of Windows, only the gpresult.exe shipped in C:\Windows\SysWow64\ honours /h; the native ARM64 binary in System32 returns an error. Invoke the SysWow64 copy explicitly when scripting HTML reports on ARM hardware.
15. One output flag is required — except for /?, every gpresult invocation must include exactly one of /r, /v, /z, /x, or /h. Omitting them prints the usage banner without an error code, which scripts often miss.

Real-world recipes

Diagnose "my new GPO didn't take effect"

The canonical workflow. Make a change in GPMC, then run this on the client.

rem 1. Force a refresh on the client
gpupdate /force

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

rem 2. Quick check: is the GPO listed in 'Applied' or 'Filtered'?
gpresult /r | findstr /C:"My New GPO"

Output:

        My New GPO

If it appears under Filtered with Denied (Security), fix security filtering. If it doesn't appear at all, check the GPO link and the OU the computer/user lives in:

rem 3. Confirm the user's OU (where user-side GPOs are linked)
gpresult /r | findstr /B /C:"    CN="

Output:

    CN=MYHOST,OU=Workstations,DC=contoso,DC=local
    CN=Alice,OU=Users,OU=NewYork,DC=contoso,DC=local

rem 4. Full HTML report for the ticket
gpresult /h "%USERPROFILE%\Desktop\gpresult_%COMPUTERNAME%.html" /f

Output:

INFO: Creating report in C:\Users\Alice\Desktop\gpresult_MYHOST.html ...

Inventory: which GPOs apply to a fleet of computers?

For each host, dump XML and aggregate applied GPO names into a CSV.

# Run from an admin workstation
$hosts = Get-Content C:\Audit\hostlist.txt
$out = foreach ($h in $hosts) {
    try {
        $xml = gpresult /s $h /x /f /target:computer 2>$null
        $r = [xml](Get-Content "C:\Audit\rsop_$h.xml" -ErrorAction Stop)
        foreach ($g in $r.Rsop.ComputerResults.GPO | Where-Object Enabled -eq 'true') {
            [pscustomobject]@{ Host = $h; GPO = $g.Name; Denied = $g.AccessDenied }
        }
    } catch {
        [pscustomobject]@{ Host = $h; GPO = "ERROR: $_"; Denied = "" }
    }
}
$out | Export-Csv C:\Audit\applied_gpos.csv -NoTypeInformation

Output:

(creates C:\Audit\applied_gpos.csv with one row per host/GPO pair)

Force a logoff after refresh for Folder Redirection changes

Folder Redirection only applies at user logon. After updating the GPO, this one-liner schedules the forced logoff with a 30-second grace.

gpupdate /force /target:user /logoff

Output:

Updating policy...

User Policy update has completed successfully.

A logoff is required for the following settings to take effect:

    Folder Redirection

The system is going to log off now. Continue with logoff? (Y/N)

Show the security groups whose membership controls GPO application

Security filtering is the most common reason a GPO doesn't apply. The /r output already lists every group the computer/user is a member of — pipe it through findstr.

gpresult /r /scope:computer | findstr /R /B "        [A-Z]"

Output:

        BUILTIN\Administrators
        Everyone
        Authenticated Users
        Domain Computers
        Workstations

If the GPO is filtered to "Workstations" the computer is in the group, so denial means a WMI filter or block-inheritance is the cause, not security filtering.

Audit: how stale is policy on every machine?

Last refresh time is in gpresult /r's output. Pipe it through findstr for a one-liner.

@echo off
echo "Host","LastApplied" > stale.csv
for /f "delims=" %%h in (hostlist.txt) do (
    for /f "tokens=2 delims=:" %%t in (
        'gpresult /s %%h /r /scope:computer 2^>NUL ^| findstr /C:"Last time Group Policy was applied"'
    ) do echo "%%h","%%t" >> stale.csv
)
type stale.csv

Output:

"Host","LastApplied"
"MYHOST"," 5/24/2026 at 9:43:11 AM"
"SRV01"," 5/24/2026 at 8:12:50 AM"
"SRV02"," 5/20/2026 at 11:30:00 AM"

Anything older than 4 hours indicates a refresh problem (slow link, DC unreachable, GPSVC stopped).

Verify a specific setting won the conflict

When two GPOs touch the same setting, the one applied last (lowest in the link order) wins. The HTML report shows the winning GPO per setting.

gpresult /h C:\Audit\rsop.html /f
start C:\Audit\rsop.html

Output:

INFO: Creating report in C:\Audit\rsop.html ...

In the report, search for the setting name (Ctrl+F in the browser). The "Winning GPO" column names the GPO that supplied the effective value.

One-liner: refresh, then immediately summarize

A convenience wrapper for the diagnostic loop.

gpupdate /force && gpresult /r

Output:

Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
...
RSOP data for CONTOSO\Alice on MYHOST : Logging Mode
---------------------------------------------------------
...

Generate per-user HTML reports for an OU

PowerShell pairs Get-ADUser with gpresult to produce one report per user (each must run on a box where the user is signed in or has signed in).

# From an admin desktop where Alice and Bob both have profiles
foreach ($u in 'Alice','Bob') {
    & gpresult /user "CONTOSO\$u" /h "C:\Audit\rsop_$u.html" /f
}

Output:

INFO: Creating report in C:\Audit\rsop_Alice.html ...
INFO: Creating report in C:\Audit\rsop_Bob.html ...

Sources

• gpresult — Microsoft Learn
• gpupdate — Microsoft Learn