PowerShell – Get-GPResultantSetOfPolicy throws “…the report can't be generated for user…”

group-policy powershell

I am trying to generate the RSOP from several of our servers. All I need are the Computer results, not the User results.

This is the PowerShell code I am using:

$computers = (Get-ADComputer -Filter ... -SearchBase ...).Name 

foreach  ($computer in $computers)
{
    Get-GPResultantSetOfPolicy -Computer $computer -ReportType xml -Path ...
}

This is going to throw an exception on some of the servers, which is basically saying I have never logged in and therefore no profile exists.

Get-GPResultantSetOfPolicy : The Resultant Set of Policy (RSoP) report
cannot be generated for user MyUser on the MyComputer computer because
there is no RSoP logging data for that user on that computer. This
could be because the user has never logged onto that computer.
Parameter name: User At line:1 char:1
+ Get-GPResultantSetOfPolicy -computer MyComputer -ReportType xml -path d:\ …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (Microsoft.Group…OfPolicyCommand:GetGPResultantSetOfPolicyCommand)
[Get-GPResultantSetOfPolicy], ArgumentException
+ FullyQualifiedErrorId : NoLoggingData,Microsoft.GroupPolicy.Commands.GetGPResultantSetOfPolicyCommand

The default behaviour of this cmdlet is to use the default user, meaning the user executing the cmdlet.

Of course there is the -User parameter, which lets me choose a user for whom I know a login has happened on the target server (and therefore a Windows profile exists). But this gets cumbersome, as I would have to use e.g. Get-WmiObject Win32_UserProfile -ComputerName MyComputer first to retrieve a list of available user profiles and then choose one of them to execute Get-GPResultantSetOfPolicy later on…

The plain old gpresult.exe behaves in exactly the same odd way… I don't want to/can't RDP into each server to generate a Windows profile beforehand.

In my opinion there are two possibilities:

  1. Use scripting to generate a Windows profile on each server and then get back to Get-GPResultantSetOfPolicy
  2. RDP into each machine… (not feasible)

Questions:

  • Any other possibility I am missing?
  • How have others solved/worked around this issue?
  • How can I generate/create a Windows profile using PowerShell without RDP'ing?

Best Answer

I have the same situation and found a solution using gpresult. Here are my additions to your code fragment:

$computers = (Get-ADComputer -Filter ... -SearchBase ...).Name 

foreach  ($computer in $computers)
{
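    # One HTML report per computer, named after the computer and the run time.
    # HH (24-hour clock) keeps morning and afternoon runs from producing the same file name.
    $LogPath = "\\Fileserver\share\RSOP_" + $computer + "_" + (Get-Date).ToString('yyyy-MM-dd_HHmmss') + ".html"

    gpresult /S:"$computer" /H:"$LogPath"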
}

This takes each computer in your search and creates an RSOP log using the computer name and date run.

Hope this helps those looking for bulk RSOP reports.
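
The -User workaround the question calls cumbersome can be scripted: try the default user first and, only on the NoLoggingData error shown above, retry with accounts that already have a profile on the target. This is an added example, not code from either poster; the function names, the sample computer names and the output folder are hypothetical, and it assumes Get-CimInstance (the CIM equivalent of the Get-WmiObject call in the question) can reach the servers over WinRM.

```powershell
Import-Module GroupPolicy

function Get-ProfileAccount {
    # DOMAIN\user names with a non-system profile on $Computer, most recently used first.
    param([Parameter(Mandatory)][string]$Computer)
    Get-CimInstance -ClassName Win32_UserProfile -ComputerName $Computer -Filter 'Special = False' |
        Sort-Object -Property LastUseTime -Descending |
        ForEach-Object {
            try {
                $sid = [System.Security.Principal.SecurityIdentifier]$_.SID
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # SID does not resolve from this machine (deleted account or an
                # account local to the target): skip it.
            }
        }
}

function Export-ComputerRsop {
    # Hypothetical helper: writes one XML RSoP report for $Computer into $OutDir.
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][string]$OutDir
    )
    $path = Join-Path $OutDir ("RSOP_{0}_{1:yyyy-MM-dd_HHmmss}.xml" -f $Computer, (Get-Date))
    try {
        # First attempt: default user, i.e. the account running this script.
        Get-GPResultantSetOfPolicy -Computer $Computer -ReportType Xml -Path $path -ErrorAction Stop
        return
    } catch {
        # Only the "no RSoP logging data" case is handled; anything else is re-thrown.
        if ($_.FullyQualifiedErrorId -notlike 'NoLoggingData*') { throw }
    }
    foreach ($account in (Get-ProfileAccount -Computer $Computer)) {
        try {
            Get-GPResultantSetOfPolicy -Computer $Computer -User $account -ReportType Xml -Path $path -ErrorAction Stop
            return
        } catch {
            if ($_.FullyQualifiedErrorId -notlike 'NoLoggingData*') { throw }
        }
    }
    Write-Warning "No account with RSoP logging data found on $Computer"
}

foreach ($computer in 'SRV01', 'SRV02') {    # constructed sample names
    Export-ComputerRsop -Computer $computer -OutDir 'C:\Temp\RSOP'
}
```

Servers on which no account has ever logged on still end in the warning, since there is no user RSoP data to attach the report to.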