Auditing and Managing Group Policy

Once you design and deploy GPOs to support your security policy, it is important to validate your Group Policy to ensure that you have defined the right GPOs. Auditing Group Policy ensures that the GPOs you have in place satisfy your security policy. As users, computers, and OUs change in your organization, you may find that your GPOs no longer satisfy your security policy: a GPO may be unlinked, disabled, blocked by inheritance settings, or filtered out of scope without anyone noticing. It is important to audit Group Policy periodically to ensure that changes in your organization have not reduced your GPOs' effectiveness.

Microsoft provides two main tools you will use to audit Group Policy: Group Policy Inventory and the Resultant Set of Policy tool. The first tool, Group Policy Inventory, provides an inventory list of GPOs and many other computer and user settings. It is a Windows Server 2003 Resource Kit tool that you must download from Microsoft's website and install on your computer; it isn't included when you install Windows. The second tool is included with Windows. The Resultant Set of Policy tool shows what settings Windows actually applies to a specific user on a specific computer.

Group Policy Inventory

The first step in using the Group Policy Inventory tool (gpinventory.exe) is to download and install it on your computer. You can get the tool from Microsoft’s website. Gpinventory queries the computers you select for system and GPO information and then displays the results in a single window. This tool makes it easy to collect information from many computers across a domain to ensure that your Group Policy is deploying the way that you expect. Follow these steps to run Gpinventory:

  1. Open a PowerShell window—Choose the Windows Start button > type powershell.exe.

  2. Change directories to the install directory for the Gpinventory tool—Enter: cd "C:\Program Files (x86)\Windows Resource Kits\Tools" (the quotation marks are required because the path contains spaces).

  3. Run Gpinventory—The command is gpinventory.exe.

  4. Choose the computers to query—Query > Select Computers to Target using Active Directory.

  5. Choose the information you want to gather—Query > Select Information to Gather.

  6. Execute the query—Query > Run Query.

After Group Policy Inventory gathers the information you requested, it displays the results in the main window. You can view the details and save the information to analyze later. The Group Policy Inventory tool saves the results as either an XML file or a text file; use the Results menu item to save the results in either format. Group Policy Inventory is an important tool for validating Group Policy in your domain. Use it after any GPO change and periodically to ensure computers and users are operating with the settings you defined to comply with your security policy.
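Group Policy Inventory is a legacy tool, and on current systems the same kind of domain-wide inventory is usually scripted with the GroupPolicy and ActiveDirectory PowerShell modules. The following script is an added example and is not part of the original text or Microsoft's tool. It assumes the RSAT modules are installed on a domain-joined administrative workstation, and the $RequiredGpos list is a constructed baseline standing in for whatever your security policy says must be linked and enabled. It enumerates every GPO in the domain, maps each one to the containers it is linked to, and flags GPOs that cannot be enforcing anything (all settings disabled, no links, or only disabled links) as well as required GPOs that are missing from that healthy set.

```powershell
# Added example (not from the original text): domain-side GPO inventory.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules and a domain account
# with read access to GPOs and OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Constructed baseline: names of GPOs the security policy requires to be live.
$RequiredGpos = @('Default Domain Policy', 'Workstation Hardening', 'Audit Policy')

# Every container that can carry a GPO link: the domain root plus all OUs.
$domainDn = (Get-ADDomain).DistinguishedName
$targets  = @($domainDn) +
            (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

# Map GPO display name -> list of links, recording whether each link is enabled.
$links = @{}
foreach ($t in $targets) {
    foreach ($l in (Get-GPInheritance -Target $t).GpoLinks) {
        if (-not $links.ContainsKey($l.DisplayName)) { $links[$l.DisplayName] = @() }
        $links[$l.DisplayName] += [pscustomobject]@{
            Target   = $t
            Enabled  = $l.Enabled
            Enforced = $l.Enforced
        }
    }
}

# One row per GPO with a finding when it cannot be applying its settings.
$report = foreach ($gpo in Get-GPO -All) {
    $gpoLinks     = @($links[$gpo.DisplayName])
    $enabledLinks = @($gpoLinks | Where-Object { $_.Enabled })
    $finding = if ($gpo.GpoStatus -eq 'AllSettingsDisabled') { 'all settings disabled' }
               elseif ($gpoLinks.Count -eq 0)                 { 'not linked anywhere' }
               elseif ($enabledLinks.Count -eq 0)             { 'no enabled links' }
               else                                            { '' }
    [pscustomobject]@{
        Name      = $gpo.DisplayName
        Id        = $gpo.Id
        Status    = $gpo.GpoStatus
        Modified  = $gpo.ModificationTime
        WmiFilter = $gpo.WmiFilter.Name
        LinkedTo  = ($gpoLinks | ForEach-Object { "$($_.Target) [Enabled=$($_.Enabled) Enforced=$($_.Enforced)]" }) -join '; '
        Finding   = $finding
    }
}

# Required GPOs that are either absent or present but not live.
$healthy = $report | Where-Object { $_.Finding -eq '' } | Select-Object -ExpandProperty Name
$missing = $RequiredGpos | Where-Object { $healthy -notcontains $_ }

$report | Sort-Object Finding -Descending | Format-Table Name, Status, Finding, LinkedTo -AutoSize
if ($missing) {
    Write-Warning ("Required GPOs not linked and enabled: " + ($missing -join ', '))
}

# Keep an XML snapshot, as Group Policy Inventory does, so runs can be diffed over time.
$report | Export-Clixml -Path (Join-Path $env:TEMP ("gpo-inventory-{0:yyyyMMdd}.xml" -f (Get-Date)))
```

Run it after every GPO change and on a schedule, and diff the saved snapshots: a GPO that silently moved from an enabled link to no enabled links is exactly the kind of drift that leaves a host out of compliance with no visible error on the host itself. Note that this script reads the configuration side only; whether a given computer or user actually received a GPO depends on security filtering, WMI filters, and inheritance blocking, which is what RSOP reports.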

Analyzing the Effect of GPOs

The other common tool you will use to audit GPOs is the Resultant Set of Policy (RSOP) tool. The RSOP tool is included in Windows and shows the specific settings that result from applying GPOs to a specific user logged on to a specific computer, after security filtering, WMI filters, inheritance blocking, and enforcement have been taken into account. The Group Policy Inventory tool can include some RSOP results, but the stand-alone RSOP tool provides access to more details. RSOP is a great way to analyze the effect of any GPO change. RSOP provides two modes of operation: logging mode, which shows the GPOs and settings that were actually applied, and planning mode, which shows the effect of planned GPO changes.

You can run RSOP using two methods. The first method runs RSOP in logging mode that defaults to the currently logged-on user on the current computer. After the initial information displays, you can easily change the user or computer and generate updated GPO information. Follow these steps to run RSOP in logging mode:

  1. Choose the Windows Start button.

  2. Type rsop.msc in the search box (or in the Run dialog), and then press Enter.

  3. The Resultant Set of Policy window displays the current settings for the user who is currently logged on. The display looks like the Group Policy Management Editor, but it is read-only; you can't change any settings here.

  4. If you want to run RSOP for another user or computer, open the context menu (by right-clicking) on the top item in the left panel. This item is labeled with your username and computer name.

  5. On the context menu, select Change Query.

  6. Select the desired computer and user on the next two dialog boxes.

  7. RSOP will calculate the effective settings using the new user and computer you provided. Querying a remote computer requires administrative rights on it and WMI access to it, and user results are only available for users who have actually logged on to that computer, because logging mode reads what the last policy refresh recorded rather than simulating anything.
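The same logging-mode query can be scripted, which is how you audit many user/computer pairs instead of clicking through the console one at a time. The script below is an added example, not part of the original text. It assumes the RSAT GroupPolicy module on the auditing workstation, administrative and WMI access to the target computer, and that the named user has logged on there at least once. The XML element names it reads (Rsop, ComputerResults, UserResults, GPO, Name, Link/SOMPath, Enabled, FilterAllowed, AccessDenied) are those of the gpresult /x report schema; treat them as an assumption to verify against a report from your own environment.

```powershell
# Added example (not from the original text): RSOP logging mode from PowerShell.
# Generates the XML RSoP report for one user on one computer and lists which GPOs
# were applied and which were kept out of scope, and why.
param(
    [string]$Computer = $env:COMPUTERNAME,
    [string]$User     = "$env:USERDOMAIN\$env:USERNAME"   # DOMAIN\user form
)
Import-Module GroupPolicy

$xmlPath = Join-Path $env:TEMP ("rsop-{0}-{1}.xml" -f $Computer, ($User -replace '[\\/]', '_'))

# Same data rsop.msc shows, written as XML instead of drawn in the console.
Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $xmlPath | Out-Null
[xml]$rsop = Get-Content -Path $xmlPath -Raw

function Get-RsopGpoState {
    param([string]$Scope, $Results)   # $Results is the ComputerResults or UserResults node
    foreach ($g in @($Results.GPO)) {
        # Element values are the strings "true"/"false" in the gpresult XML schema (assumption).
        $state = if     ($g.AccessDenied  -eq 'true')  { 'not applied: security filtering' }
                 elseif ($g.FilterAllowed -eq 'false') { 'not applied: WMI filter' }
                 elseif ($g.Enabled       -eq 'false') { 'not applied: link disabled' }
                 else                                   { 'applied' }
        [pscustomobject]@{
            Scope = $Scope
            GPO   = $g.Name
            Link  = $g.Link.SOMPath
            State = $state
        }
    }
}

$rows = @(Get-RsopGpoState -Scope 'Computer' -Results $rsop.Rsop.ComputerResults) +
        @(Get-RsopGpoState -Scope 'User'     -Results $rsop.Rsop.UserResults)

if (-not $rsop.Rsop.UserResults) {
    Write-Warning "No user results for $User on $Computer; the user may never have logged on there."
}

$rows | Format-Table -AutoSize

# Audit check: every GPO you expect on this host should show as applied in the computer scope.
$expected   = @('Default Domain Policy', 'Workstation Hardening')   # constructed baseline
$notApplied = $expected | Where-Object { $n = $_; -not ($rows | Where-Object { $_.Scope -eq 'Computer' -and $_.GPO -eq $n -and $_.State -eq 'applied' }) }
if ($notApplied) { Write-Warning ("Expected GPOs not applied to {0}: {1}" -f $Computer, ($notApplied -join ', ')) }
```

Loop this over a list of computers and the accounts that use them to get the per-host view that Group Policy Inventory provided. The "not applied" reasons are the ones worth reviewing in a security audit: a hardening GPO that is linked correctly but kept out by a security filter or a WMI filter is a common way for a host to drift out of policy.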

RSOP also runs in a powerful planning mode. Planning mode simulates policy processing for a user and computer you describe, so it is useful when you want to analyze the effects of a GPO change, a group membership change, or a move to another OU before deploying the change. Follow these steps to run RSOP in planning mode:

  1. Choose the Windows Start button > Windows Administrative Tools > Active Directory Users and Computers.

  2. Open the context menu of the desired object by right-clicking the desired computer, user, domain, or OU.

  3. Select All Tasks > Resultant Set of Policy (Planning).

  4. The next several screens ask you to provide information that describes the planned target environment. RSOP will evaluate the GPOs based on the information you provide here. You can provide the following information:

    1. User and Computer—Run RSOP for a specific user and computer, or for any user and computer in the containers (OUs) you choose.

    2. Advanced options—Set advanced simulation conditions, such as a slow network link, loopback processing, or a particular site.

    3. Groups—Analyze the effects of adding or removing security group memberships, which is how security filtering is evaluated.

    4. WMI Filters—See what effects different WMI filters produce when you assume they evaluate to true or false.

Group Policy Inventory and RSOP help you validate the Group Policy you have in place and evaluate how changes will affect your environment. Both tools are important components of a complete administrator’s toolbox.
