Gpresult Does Not Enumerate the Resultant Computer Security Policy (258595)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q258595

SUMMARY

Although the Gpresult.exe command-line tool displays information about the result that Group Policy has on the current computer and logged-on user, it does not reveal details of the security policy.

This article describes how to determine the resultant Windows 2000 computer security policy.

MORE INFORMATION

To determine the current security policy on a Windows 2000-based computer, use the Security Configuration and Analysis snap-in in Microsoft Management Console (MMC):
  1. Start MMC and add the Security Configuration and Analysis snap-in.
  2. Right-click Security Configuration and Analysis under Console Root in the left pane, and then click Open Database.
  3. Type any database name (for example, Testdb).
  4. When you are prompted to select an import template, choose the appropriate .inf template. For a domain controller, choose Basicdc.inf; for a server, choose Basicsv.inf; for a workstation, choose Basicwk.inf. When you choose the Basicdc.inf template (for a domain controller), you may receive an error message. Ignore the error message and continue. For additional information about this error message, click the article number below to view the article in the Microsoft Knowledge Base:

    250454 Error Returned Importing the BASICDC Security Template

  5. Right-click Security Configuration and Analysis under Console Root in the left pane, and then click Analyze Computer Now.
  6. The Perform Analysis dialog box prompts you for path for the Error log. Accept the default or choose the appropriate path.
  7. The analyzer checks these items: User Rights Assignment, Restricted Groups, Registry, File System, System Services, and Security Policy. This process may take several minutes.
The following items are enumerated in the left pane in MMC under Security Configuration and Analysis: Account Policies, Local Policies, Event Log, Restricted Groups, System Services, Registry, and File System.

Expanding these items displays the underlying system settings. When you are viewing a branch or subbranch, the right pane (the Details pane) displays several columns. The first column indicates the name of the individual policy in the analysis results. For Account Policies, Local Policies, and Event Log, the second column indicates the security value in your template. The third column indicates the current security level in the system analyzed. For the remaining types of policies, the second and third columns represent comparison results specific to the type of policy.

In any type of policy, a red X indicates a difference from the base configuration. A green check mark indicates consistency with the base configuration. No icon indicates that the security attribute was not included in your template, and is therefore not analyzed.

Note that this analysis is static and only accurately reflects the settings that exist at the time of the analysis. Changes in the security settings are not displayed in the analysis until you perform a new analysis.

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

250842 Troubleshooting Group Policy Application Problems

250454 Error Returned Importing the BASICDC Security Template

230263 How to Create Custom MMC Snap-in Tools


Modification Type:MajorLast Reviewed:11/20/2003
Keywords:kbenv kbinfo KB258595