Ok, in the interest of full disclosure, I despise the network admin at work, and today I think the final straw got loaded onto the proverbial camel's back.
I have been working in the IT field for nearly 15 years and have always used gpresult to identify and diagnose Active Directory policy issues. I have been engaged in a week-long argument with our Windows admin, claiming that the GPOs are not applying to more than 400 machines we have. My claim is based on the fact that when I run a gpresult on any machine, every policy returns "not applied (reason unknown)".
His response is "gpresult is not accurate, you have a corrupt profile."
Personally, I think I have a corrupt admin.
I open the floor for discussion.
The comments above say it all. I've not once heard about anyone complaining about the reliability/credibility of gpresult. Your admin should get a new ego.
Having spent entirely too much of my life for the past three weeks banging my head on GPO/profile issues (only on the admin side), I felt some fear reading this question. Happily, we have no ERP deployment going, so I feel safe. Whew.
Yes. About that. In my particular case, gpresult is returning the correct list of policies but they're not actually doing what they're supposed to. Evidence in the event-logs suggests they're attempting to apply but failing. This is what suggests a bad profile (specifically a badly created Default User profile, as these are computer-lab stations for students).
When a station can't even figure out what GPOs it needs to apply, it's usually pretty noisy about it in the event-logs. I had that happen a month ago, and it turned out that the workstation in question had the NetBIOS TCP/IP Helper service disabled. Another one managed to pick the one Domain Controller it couldn't get to. Both were diagnosed through event-log reading and some network diagnostics on the machine in question.
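The answer above diagnoses the failure from the workstation side: the Group Policy operational event log, the TCP/IP NetBIOS Helper service, and reachability of the domain controller the station picked. The following PowerShell script is an added example written for this page, not code from the thread; it assumes it is run elevated on the affected, domain-joined workstation, and the `lmhosts` service name is the real name of the TCP/IP NetBIOS Helper service.

```powershell
# Added example (not from the thread): first-pass triage of a workstation that
# reports "not applied" for its GPOs, following the checks in the answer above.
# Assumes: run as administrator on the affected, domain-joined workstation.
param(
    [int]$Hours = 24   # how far back to read the Group Policy operational log
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Group Policy operational log: a station that cannot work out its GPO list
#    is noisy here. Level 2 = Error, Level 3 = Warning.
$gpEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Level     = 2, 3
    StartTime = $since
} -ErrorAction SilentlyContinue

if ($gpEvents) {
    "Group Policy errors/warnings in the last $Hours hours:"
    $gpEvents |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    "No Group Policy errors or warnings logged in the last $Hours hours."
}

# 2. The service the answer mentions: TCP/IP NetBIOS Helper (service name lmhosts).
$svc = Get-Service -Name lmhosts -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    "TCP/IP NetBIOS Helper service not found on this machine."
} elseif ($svc.Status -ne 'Running') {
    "WARNING: TCP/IP NetBIOS Helper (lmhosts) is $($svc.Status); GPO processing needs it."
} else {
    "TCP/IP NetBIOS Helper (lmhosts) is running."
}

# 3. Which DC authenticated this logon, and is its SYSVOL share reachable?
#    LOGONSERVER is of the form \\DCNAME; policies are read from SYSVOL over SMB (445).
$dc = $env:LOGONSERVER.TrimStart('\')
"Logon DC: $dc"
$smb = Test-NetConnection -ComputerName $dc -Port 445 -WarningAction SilentlyContinue
if (-not $smb.TcpTestSucceeded) {
    "WARNING: cannot reach $dc on TCP 445; the station may have picked a DC it cannot get to."
} else {
    $policies = "\\$dc\SYSVOL\$env:USERDNSDOMAIN\Policies"
    if (Test-Path $policies) {
        "SYSVOL policies folder reachable: $policies"
    } else {
        "WARNING: TCP 445 is open on $dc but $policies is not readable."
    }
}

# 4. Capture the RSoP report the question relies on, for comparison with the log output.
$report = Join-Path $env:TEMP 'gpresult-computer.html'
gpresult /h $report /f | Out-Null
"gpresult HTML report written to $report"
```

The event log output is the part to read first: the event IDs and first line of each message usually state outright whether the failure is name resolution, a DC that could not be contacted, or SYSVOL access, which the bare "reason unknown" in gpresult does not.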
Well, your admin sounds like he is deflecting. I agree with everyone here. To answer your specific question, gpresult does not include local security policy. The RSOP MMC snap-in (rsop.msc) does include it since it is a nice fancy GUI, but I was disappointed when the HTML report did not include them. That stuff can be kind of important, and it was to me at the time. Made me look foolish when I was with a bunch of people and used it to "get the answer" when the employee in the know was out. I was convinced he had not applied any secpol customizations. FAIL!
To answer your GPO problem: are these GPOs linked from one OU to another? Our SOP is for our "domain admins," since we are a very large IT department, to link them from the OU where they create different GPOs based on their target audience and with the appropriately locked-down permissions for the admin group (staff, students, special projects, etc.). If you do not enable the linked GPO at the target OU level, it will obviously not apply. If this guy does not know his stuff, this sounds like an obvious way to make the policy not apply. Just right-click the linked OU at the target OU with gpmc.msc and click Enable (in case you are not familiar). Hope that helps.
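The answer above points at a link that was never enabled at the target OU. The script below is an added example, not code from the thread, that audits the same thing without the GPMC GUI: it lists every GPO linked to an OU with its link state, checks whether the GPO itself has been disabled, and can re-enable a disabled link. It assumes the GroupPolicy PowerShell module (RSAT or a domain controller) and takes the OU distinguished name as a placeholder parameter.

```powershell
# Added example (not from the thread): audit GPO links on one OU and, optionally,
# re-enable links that were left disabled. Requires the GroupPolicy module.
param(
    # Distinguished name of the target OU; placeholder, replace with your own.
    [Parameter(Mandatory)][string]$TargetOU,
    # Re-enable disabled links instead of only reporting them.
    [switch]$Fix
)

Import-Module GroupPolicy -ErrorAction Stop

$inh = Get-GPInheritance -Target $TargetOU
"OU: $($inh.Path)"
"Inheritance blocked on this OU: $($inh.GpoInheritanceBlocked)"
""

# Links set directly on this OU, in processing order.
"Direct links:"
foreach ($link in $inh.GpoLinks) {
    # A link can be enabled while the GPO itself has all settings disabled,
    # so check both the link and the GPO status.
    $gpo = Get-GPO -Guid $link.GpoId -ErrorAction SilentlyContinue
    $gpoStatus = if ($gpo) { $gpo.GpoStatus } else { 'GPO NOT FOUND' }
    $linkState = if ($link.Enabled) { 'enabled' } else { 'DISABLED' }

    "  {0,2}. {1,-40} link={2,-8} enforced={3,-5} gpo={4}" -f `
        $link.Order, $link.DisplayName, $linkState, $link.Enforced, $gpoStatus

    if (-not $link.Enabled -and $Fix) {
        Set-GPLink -Name $link.DisplayName -Target $TargetOU -LinkEnabled Yes | Out-Null
        "      -> link re-enabled"
    }
}

# What a client in this OU will actually process: inherited links included.
""
"Effective order (inherited links included):"
foreach ($link in $inh.InheritedGpoLinks) {
    "  {0,2}. {1,-40} from {2}" -f $link.Order, $link.DisplayName, $link.Target
}
```

Run it read-only first; a link reported as `DISABLED`, or a GPO whose status is `AllSettingsDisabled`, explains "not applied" without any profile being involved. Only add `-Fix` once it is clear the link was meant to be active, since enabling a link changes what every machine in that OU applies at the next refresh.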