This utility scans all GPOs in your domain and looks for Deny ACEs. If it finds any, it reports the GPO, the trustee (i.e. user, group, or computer) assigned to the ACE, and the permission that is denied (usually permGPOApply, for the Read and Apply Group Policy permissions).
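
A comparable check in PowerShell, as an added example that is not the utility's own code: it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and reads the directory ACL of each GPO in the current domain. The function name `Get-GpoDenyAce` and the output column names are hypothetical.

```powershell
# Added example, not the utility's code. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules (the latter provides the AD: drive used by Get-Acl).
Import-Module GroupPolicy, ActiveDirectory

# Rights GUID of the "Apply Group Policy" extended right.
$ApplyGpoRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-GpoDenyAce {
    # Hypothetical helper: lists every Deny ACE on every GPO in the current domain.
    foreach ($gpo in Get-GPO -All) {
        # $gpo.Path is the distinguished name of the groupPolicyContainer object.
        $acl = Get-Acl -Path "AD:\$($gpo.Path)"

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Deny') { continue }

            # Work out whether the denied right covers Apply Group Policy.
            $denied = $ace.ActiveDirectoryRights.ToString()
            if ($ace.ActiveDirectoryRights -band $ExtendedRight) {
                if ($ace.ObjectType -eq $ApplyGpoRight) {
                    $denied = 'Apply Group Policy'
                }
                elseif ($ace.ObjectType -eq [guid]::Empty) {
                    # No object type means the ACE denies all extended rights.
                    $denied = 'All extended rights (includes Apply Group Policy)'
                }
            }

            [pscustomobject]@{
                GPO       = $gpo.DisplayName
                GpoId     = $gpo.Id
                Trustee   = $ace.IdentityReference.Value
                Denied    = $denied
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-GpoDenyAce | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Run it with an account that can read GPO security descriptors; an empty result means no Deny ACEs were found on the GPO objects it could read.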