Good evening again!
This time I am back with quite an easy one.
The scenario: users are logged in on their workstation or server and you need to know which group policies are actually being applied to them (computer policies, user policies or both), because there is reason to doubt whether they are getting the correct ones from the domain.
You can log in to an administrator account on the workstation/server and run a normal gpresult, but that only shows the policies applied to the administrator account you logged in with; it tells you nothing about the user-specific policies of the person who normally uses the machine. Not to mention that workstation editions only allow one interactive user session at a time.
You can use remote tools to try to retrieve it, but more often than not those run as SYSTEM. SYSTEM has no user policy, so the user section comes back empty.
You can call all the customer's users and check it on their account one by one. This actually is a working option... it will also take two or more days, and if the users lack the rights to read their own RSoP data, it will still not work.
Gpresult accepts a /user parameter, so it can report the policies applied to a specific user instead of the account the command happens to run under.
So, considering the above, all I need is the username of the active user to make the gpresult command work. However, with a large number of workstations/servers, and users who sometimes change devices, manually filling in each username is mostly not an option.
Then I wondered: what is something that is mostly only active when a user is logged in and runs under that user itself? And it hit me: Windows Explorer.
Normal Windows users of course always have Windows Explorer running, as it is basically the part that provides their GUI (the desktop and taskbar), and explorer.exe runs in the interactive session under the logged-on user's own account. Meanwhile, SYSTEM and most other service or system-related processes do not use it in any way.
So, what I made is a very simple PowerShell addition that looks for running processes called explorer.exe.
It then checks which username each instance is running under and deduplicates the names. This is needed because explorer.exe can be running multiple times under one user, and we do not want the gpresult of the same user to be retrieved ten times.
After that it puts the name in a variable and passes that name to gpresult via /user.
It does this for every active/logged-in user it finds.
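The steps above, written out as an added PowerShell example. This is not the script from the original post; it is my own reconstruction of the procedure described. It assumes it runs with local administrator rights on the target (so the explorer.exe owners and the other users' RSoP data are readable), and the optional -ComputerName parameter assumes WinRM is reachable for the CIM query and RPC is reachable for gpresult /s. The -Scope and -LogPath parameters are my additions for the /scope option and the log file mentioned further down the post.

```powershell
<#
  Added example: find logged-on users via the owner of explorer.exe, then run
  gpresult /user for each unique owner. Not the original post's code.
  Assumptions: run as local admin; remote use needs WinRM (CIM) and RPC (gpresult).
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME,          # target machine, local by default
    [ValidateSet('user', 'computer')][string]$Scope,     # optional: limit gpresult to one scope
    [string]$LogPath                                     # optional: append output to a log file
)

# Every running explorer.exe; Win32_Process.GetOwner() returns the Domain and User it runs as.
$explorers = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" `
                             -ComputerName $ComputerName -ErrorAction Stop

# DOMAIN\user for each instance, deduplicated so a user with ten explorer windows is queried once.
$users = foreach ($proc in $explorers) {
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    if ($owner.ReturnValue -eq 0 -and $owner.User) {
        '{0}\{1}' -f $owner.Domain, $owner.User
    }
}
$users = $users | Sort-Object -Unique

# The failure mode from the post: no explorer.exe means nobody is logged on interactively,
# and gpresult would otherwise be called with an empty /user value.
if (-not $users) {
    Write-Warning "No explorer.exe running on $ComputerName: no interactive user is logged on, nothing to pass to /user."
    return
}

foreach ($user in $users) {
    # Build the argument list; do not reuse the automatic variable $args here.
    $gpArgs = @('/user', $user, '/r')
    if ($Scope) { $gpArgs += @('/scope', $Scope) }
    if ($ComputerName -ne $env:COMPUTERNAME) { $gpArgs = @('/s', $ComputerName) + $gpArgs }

    $header = "===== gpresult for $user on $ComputerName ($(Get-Date -Format s)) ====="
    $report = & gpresult.exe @gpArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        $report = @("gpresult failed with exit code $LASTEXITCODE for $user") + $report
    }

    $block = @($header) + $report
    $block                                              # show on screen
    if ($LogPath) { $block | Add-Content -Path $LogPath } # and/or append to the log file
}
```

When the script is dropped onto a client via GPO or a remote management tool, pass -LogPath with a UNC path on a share the client's computer account can write to, and the RSoP of every interactive user ends up in one place without anyone typing a username. Get-Process -IncludeUserName would also give the owners, but only locally and only on PowerShell 4 and later, which is why the CIM query is used here.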
This way you can run it from a different device against the target, deploy it through a GPO (add a few lines to the code to write a log file and place it somewhere on the device or on the network), or have your remote management software run it and bring back the information for you.
While it can be executed on both workstations and servers, I feel like most use can be gained from using it with workstations.
Workstation-wise, this simple script has already worked some wonders in a few scenarios: devices that had not connected to the domain in a long while and needed to be checked for specific policies that might or might not still be wanted or might need adjusting, or domain-connected devices where it was unclear whether their group policies were actually being applied correctly.
You can add /scope computer or /scope user alongside the /user parameter to limit the gpresult output to either computer policies or user policies.
Also, a warning: if no user is logged in there is no explorer.exe, so the username variable stays empty and gpresult will return an error saying the /user option was not recognized.
Hoping that either this solution or the way of thinking around the issue will help someone advance their scripts!
Categories: Powershell, Group Policy, User, Windows, Script
Patrick Berger AKA Powershellder.