This utility scans all GPOs in your domain and looks for Deny ACEs . If it finds them, it reports out the GPO, the Trustee (i.e. user,group, computer) that is assigned to the ACE and the permission that is set to denied (usually permGPOApply for Read and Apply Group Policy permissions). You can also export the list of returned GPOs to CSV from the Tools menu.
Requires .Net Framework 4.5.2+ and Windows 8, 10, Server 2012-R2, 2016 or 2019