Troubleshooting Group Policy in Microsoft Windows Server

Microsoft Corporation
Published: July 2003
Updated: November 2004

Abstract

This white paper helps you troubleshoot the most common problems affecting the deployment of Group Policy in a Windows Server 2003 or Windows Server 2000 environment. To troubleshoot Group Policy, you need to understand the interactions between Group Policy and its supporting technologies (such as Microsoft Active Directory directory service and the File Replication Service), and the ways that the Group Policy objects themselves are managed, deployed, and applied. With that understanding, you can use specific tools to find answers to specific questions to identify and resolve problems.

This white paper discusses the likely sources for problems with Group Policy application and administration, and suggests ways to identify the source of problems you might encounter. It also summarizes many of the tools (such as Group Policy Management Console and GPupdate.exe), log files, and other resources that you can use to troubleshoot problems with Group Policy. This white paper does not provide detailed information about Group Policy or its supporting technologies, but does refer you to sources for that information.
© 2003 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Windows 2000 Server, Windows Server 2003, and Windows XP Professional

Group Policy Overview
Feedback on this Paper
Infrastructure Requirements
Windows 2000 or Windows Server Domain with Active Directory
Organizational Unit Membership and GPO Links
Network Connectivity and Configuration
Domain Name System
SYSVOL Share
Active Directory and File System Replication
Default Domain Policy GPO and Default Domain Controllers Policy GPO
Client Operating System
Understanding Group Policy Processing
Troubleshooting Group Policy Core Functionality
Flowchart for Troubleshooting Group Policy Core Functionality
Navigating the Troubleshooting Flowchart
GPO Applied, Policy Setting Listed
GPO Inheritance (Setting Listed)
Replication (Setting Listed)
Group Policy Refresh (Setting Listed)
Asynchronous Application of Group Policy (Setting Listed)
Client-Side Extension Issue (Setting Listed)
Loopback Processing (Setting Listed)
GPO Applied, Policy Setting Not Listed
Replication (Setting Not Listed)
Group Policy Refresh (Setting Not Listed)
Lack of Operating System Support (Setting Not Listed)
GPO Not Applied, Listed as Denied
Security Filtering (GPO Denied)
Disabled Link (GPO Denied)
Inaccessible GPO (GPO Denied)
Empty GPO (GPO Denied)
WMI Filter (GPO Denied)
GPO Neither Applied nor Denied
Scope of Management (GPO Not at Client)
Replication (GPO Not at Client)
Group Policy Refresh (GPO Not at Client)
Network Connectivity (GPO Not at Client)
Details for Troubleshooting Core Group Policy Application Functionality
Network Connectivity
Troubleshooting
Slow links
Troubleshooting
DNS
Troubleshooting
Multi-homed computers
Missing or Corrupted Files
Troubleshooting
Replication Convergence
Troubleshooting
Group Policy Refresh
Troubleshooting
Trust Relationships
Troubleshooting
OU Memberships and GPO Linking
Troubleshooting
Adding a User or Computer to an OU
User Settings vs. Computer Settings
Troubleshooting
Security Filtering
Troubleshooting
Cached credentials
Troubleshooting
WMI Filtering
Group Policy Inheritance Rules
Troubleshooting
Migrating GPOs Between Forests
Troubleshooting
Loopback Processing
Troubleshooting
Details for Troubleshooting Client-Side Extensions
Operating System Support
Troubleshooting
Asynchronous Processing and Logon Optimization in Windows XP
Registry CSE
Scripts CSE
Software Installation CSE
Troubleshooting
Folder Redirection CSE
Troubleshooting
NTFS Permissions for Folder Redirection Root Folder
Share-Level (SMB) Permissions for Folder Redirection Share
NTFS Permissions for Each User's Redirected Folder
Troubleshooting Group Policy Administration
Domain Controller Selection in the Group Policy Object Editor and GPMC
Troubleshooting
Security
Troubleshooting
Exposing Preferences in Administrative Templates
Troubleshooting Tools
GPMC as a Troubleshooting Tool
Group Policy Results
To generate a Group Policy Results report:
Summary Tab
Table 2 Summary Tab of Group Policy Results Reports
Settings Tab
Policy Events Tab
Table 3 Policy Events Tab of Group Policy Results Reports
Group Policy Modeling
To generate a Group Policy Modeling report:
Viewing Active Directory Objects and GPOs
Scripting Built into GPMC
Other Group Policy Tools
GPResult.exe
GPMonitor.exe
GPOTool.exe
Software Installation Diagnostics Tool (addiag.exe)
Tools for Troubleshooting External Issues
Sonar.exe
Active Directory Support Tools
Other Windows Server 2003 Command-Line Tools
Appendix: Group Policy Log Files
Client Log Files
Table 4 Client Log Files for Troubleshooting Group Policy
Server Log Files
Table 5 Server Log Files for Troubleshooting Group Policy
Appendix: Migrating from Windows NT 4.0
Table 6 Migrating from Windows NT 4.0: Group Policy Application
Appendix: Group Policy and Roaming User Profiles
Troubleshooting
Appendix: Resources
Feedback on this Paper
Newsgroups About Group Policy

Group Policy Overview

You can use Group Policy to manage the configurations on computers throughout networks with domains based on Microsoft Windows Server 2003 or Microsoft Windows 2000.
You can also use Group Policy to meet service-level agreements. For example, you can make software available to users based on their security group memberships and other criteria, and enforce the organization's policies regarding computer usage.

Group Policy depends on several technologies in Windows Server 2003 and Windows 2000. These include Active Directory, Domain Name System (DNS), and File Replication Service (FRS). Group Policy is delivered to clients based on the placement of both the computer and the user account in the Active Directory hierarchy. In addition, Group Policy uses the security groups defined through Active Directory to determine whether policies are applied, as well as to control who can manage Group Policy in the organization.

The interactions between Group Policy and its supporting technologies make Group Policy flexible. It is important to understand these interactions when troubleshooting Group Policy. Before you work with Group Policy, you need a firm understanding of the interactions between Group Policy and its supporting technologies and the ways Group Policy objects themselves are managed, deployed, and applied. This white paper highlights some key points to keep in mind as you troubleshoot Group Policy problems. For detailed information about Group Policy and the various supporting technologies, see Designing a Managed Environment (http://go.microsoft.com/fwlink/LinkId=4755) in the Microsoft Windows Server 2003 Deployment Kit.

The Group Policy Management Console (GPMC) is the recommended tool for managing Group Policy. GPMC is also an excellent troubleshooting tool. If you have a licensed copy of Windows Server 2003, GPMC is available to you as a free download from the Microsoft.com Group Policy Home Page. It can be installed on any computer running either Microsoft Windows Server 2003 or Windows XP Professional. The computer that runs Windows XP Professional must have Service Pack 1 or later and .NET Framework installed. You can use GPMC to manage Group Policy in domains based on Windows Server 2003 or Windows 2000. For more information, see Introduction to Group Policy for Windows Server 2003 (http://go.microsoft.com/fwlink/LinkId=14958).

Feedback on this Paper

If you have any comments about this paper, contact gpdocs@microsoft.com.
Infrastructure Requirements

Problems with the application of Group Policy often involve the technologies on which Group Policy depends, or easy-to-correct oversights in the implementation of Group Policy itself. This section provides a quick review of these dependencies and summarizes how they relate to troubleshooting Group Policy.

Windows 2000 or Windows Server Domain with Active Directory

Group Policy is not supported in earlier operating systems such as Microsoft Windows NT 4.0. Windows NT 4.0 policies cannot be applied using Group Policy. If you are migrating from Windows NT 4.0 to Windows 2000 or Windows Server 2003, see Migrating from Windows NT 4.0.

Your Active Directory structure should be designed with an understanding of Group Policy inheritance rules so that it can support your objectives for using Group Policy. For more information about how your Active Directory structure affects your Group Policy implementation, see Designing a Managed Environment (http://go.microsoft.com/fwlink/LinkId=4755) in the Windows Server 2003 Deployment Kit and the white paper, "Windows Server 2003 Group Policy Infrastructure" (http://go.microsoft.com/fwlink/LinkId=14950).

To use the loopback features of Group Policy, the computer must be in a Windows 2000 or Windows Server 2003 domain, as must the user. You cannot deploy Group Policy to users in a Windows NT 4.0 domain by applying loopback to a computer in a Windows 2000 or Windows Server 2003 domain.

Organizational Unit Membership and GPO Links

To receive the Group Policy objects that are created and stored at the domain level, the user or computer must be a member of a site, domain, or organizational unit (OU) that links to a GPO. Group membership is not the basis for Group Policy application, but is used to further restrict the application of the GPO; this is called security filtering. For more information about how your Active Directory structure supports your Group Policy implementation, see Designing a Managed Environment (http://go.microsoft.com/fwlink/LinkId=4755) in the Windows Server 2003 Deployment Kit.
Network Connectivity and Configuration

For Group Policy to be received at the client, there must be network connectivity between the client and the domain controller. Several issues can affect network connectivity:

TCP/IP is used as the transport for Group Policy, so TCP/IP must be implemented in your network. For more information about TCP/IP, see Designing a TCP/IP Network (http://go.microsoft.com/fwlink/LinkId=4707) in the Windows Server 2003 Deployment Kit.

If you use a firewall, be sure that Internet Control Message Protocol (ICMP) is enabled on the network. For more information, see "Internet Control Message Protocol (ICMP)" in Help and Support Center for Microsoft Windows Server 2003.

A user who can log on with cached credentials might not be aware of a connectivity issue. For more information, see Cached credentials later in this paper.

If a computer's clock is not synchronized with other clocks on the network, that computer can encounter a variety of problems, including authentication problems. Authentication problems can be masked if a user is able to log on to the computer with cached credentials. In this case, the user appears to have logged on to the network successfully but is unable to access system resources, including Group Policy. To check for time synchronization issues, compare the time and date on the client with the time and date on other system resources. To avoid the problem, use the Windows Server 2003 Time Service to keep the computers on your network synchronized. For more information about clock synchronization and the Time Service, see "Windows Time Service" in Help and Support Center for Windows Server 2003.

Domain Name System

The client uses the fully qualified domain name to access the domain controller (including the SYSVOL share) when reading the GPO. In order for the client to obtain the fully qualified domain name, the Domain Name System (DNS) must be functioning. If Group Policy settings that apply to that client require access to other network resources, the client-side extensions (CSE) to Group Policy might use DNS to locate those resources.

For best results, do not use host files with DNS. It is more efficient, more scalable, and less error-prone to configure DNS to work dynamically. For more information on DNS, see Deploying DNS (http://go.microsoft.com/fwlink/LinkId=4709) in the Microsoft Windows Server 2003 Deployment Kit.
SYSVOL Share

GPO information is stored in two locations. The Group Policy container (GPC) portion of the GPO is stored in Active Directory. The Group Policy template portion is stored in a file-based location under the SYSVOL folder on domain controllers. Clients must be able to access the SYSVOL folder and retrieve information from the Group Policy template in order to apply Group Policy settings. For this reason, the SYSVOL share must be accessible to the client. If you suspect SYSVOL problems, first check replication issues, as described in "Replication Convergence" later in this paper.

Active Directory and File System Replication

Two types of replication are required: Active Directory replication and file system replication. Both must be functioning before you can deploy Group Policy. If Active Directory replication is working properly, but file system replication is not, you might have success when editing or managing Group Policy with Active Directory Sites and Services and with Active Directory Users and Computers, but the application of Group Policy to clients will fail. For more information, see "Replication Convergence" later in this paper.

Default Domain Policy GPO and Default Domain Controllers Policy GPO

Two default GPOs are installed when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy. In general, editing the default GPOs is neither necessary nor recommended, with the exception of some security settings that must be edited. If the settings in these default GPOs are incorrectly configured, you might have problems with client authentication, directory replication, FRS, and other components. For example, if the default policies are damaged by deleting the Group Policy template files or by modifying the settings in them so that they no longer function as designed, you need to restore them.

In Windows Server 2003 domains, you can do this by using Dcgpofix.exe, which is included with Windows Server 2003 operating systems. This tool restores these GPOs to their original settings. Any settings that have been added, including those added by applications such as Systems Management Server or Exchange that have been installed on the domain controller, will be lost. For more information, see "Dcgpofix" in Help and Support Center for Windows Server 2003.

There is no tool for repairing the default policies in Windows 2000 domains, but you can repair them manually. For information on how to do so, contact Microsoft Product Support Services.

Client Operating System

Group Policy relies on client functionality that is built into Windows 2000, Microsoft Windows XP Professional, and Windows Server 2003. If the client is running an earlier operating system, it cannot process GPOs and apply Group Policy settings. In addition, some settings are supported only on certain operating systems. Windows XP and Windows Server 2003 provide Supported On information for each administrative template policy setting. This information is exposed when you use GPMC to view a report of GPO settings.
Understanding Group Policy Processing

Before discussing Group Policy troubleshooting, you need a general understanding of how Group Policy is processed at the client. Group Policy processing has two distinct phases: core Group Policy processing and CSE processing. When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any GPOs have changed, and what policy settings (based on client-side extension) must be processed. The core Group Policy engine performs the processing in this initial phase.

Policy settings are grouped into different categories, such as administrative templates, security, folder redirection, wireless, IPsec, EFS, and Software Installation. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs that are required to process the settings that apply to the client.

This document focuses first on troubleshooting core Group Policy processing, and then on troubleshooting CSE processing.

Troubleshooting Group Policy Core Functionality

This section provides a structured approach to troubleshooting Group Policy core functionality. In Windows XP and Windows Server 2003, a mechanism called Resultant Set of Policy (RSoP) allows you to track the final set of processed policy settings. RSoP can also be used to track problems with the core Group Policy processing. GPMC provides an easy view into the RSoP data through its Group Policy Results tool. This section is based on the use of Group Policy Results reports to view and analyze RSoP data.

There are three main parts of this section:

Flowchart for Troubleshooting Group Policy Core Functionality helps you quickly eliminate many of the possible causes of the problem, based on three questions that are easily answered from the Group Policy Results report.

Navigating the Group Policy Troubleshooting Flowchart tells you where to look in the Group Policy Results report for the information referred to in the flowchart, and ties observed results to possible root causes.

Details for Troubleshooting Group Policy Core Functionality gives more detailed information, including troubleshooting tips, for the root causes you have identified as most likely in the previous step.

The following information is not covered in this section, but is provided later in this paper:

Details for Troubleshooting Client-Side Extensions addresses problems with the CSEs that process specific types of settings, such as security settings or Software Installation settings.

Troubleshooting Group Policy Administration is devoted to problems with Group Policy administration.
Flowchart for Troubleshooting Group Policy Core Functionality

Use the flowchart (see Figure 1) in this section to quickly identify the likely root causes for unexpected Group Policy behavior, based on three questions that are easily answered from the Group Policy Results report.

Here is an example of how you can use the flowchart:

You have created a new setting in a GPO, but the setting is not being applied to a specific computer/user combination where you expect it to be applied. You generate a Group Policy Results report for that computer and user. The report shows that the GPO has been applied, but the setting is not listed in the report.

Following the decision points in the flowchart, you find replication, Group Policy refresh, operating system support, and slow link processing as potential causes. You determine that replication and Group Policy refresh seem the most likely reasons for the problem.

For a brief explanation of how each of these two factors might apply in this case, you look in the "Navigating the Group Policy Troubleshooting Flowchart" section. Based on the information presented there, you decide that for the case you are investigating, Group Policy refresh seems the more likely cause, with replication as a possible but less likely culprit.

For a more detailed explanation and specific troubleshooting tips on these two issues, you look in "Details for Troubleshooting Group Policy Core Functionality." Looking at the troubleshooting tips for Group Policy refresh, you conclude that this is the probable cause and one that you can easily test by running GPupdate.

After you run GPupdate, you see the desired behavior on the client. When you refresh the Group Policy Results report for that computer with that user logged on, you see that the setting has been applied and that the GPO you modified was the winning GPO.
Figure 1 Group Policy Troubleshooting Flowchart

Navigating the Troubleshooting Flowchart

The troubleshooting flowchart focuses on core Group Policy processing. Its primary purpose is to help you validate that the underlying infrastructure is in place to support delivery of GPOs to the client, that the user and computer are appropriately targeted to receive the intended GPOs, and that Group Policy processing puts the correct GPOs into effect.

A Group Policy Results report is the primary resource for troubleshooting Group Policy using this flowchart. Specifically, when investigating a problem, the administrator should, where possible, generate a Group Policy Results report for the user and computer combination encountering the problem. The sections of the report contain the information you use to navigate through the flowchart. For instructions on generating a Group Policy Results report, see "Determine Resultant Set of Policy with Group Policy Results" in GPMC Help. An example of a Group Policy Results report is shown in Figure 2.

Figure 2 Example of a Group Policy Results Report

This example shows the Summary tab of the report with the Group Policy Objects sections under Computer Configuration Summary and User Configuration Summary expanded.

By examining the GPMC Results report, you can find answers to the following three basic questions associated with the flowchart:

Was the GPO applied to the client? The Summary tab shows this information.

Is the policy setting listed in GPMC Results? The Settings tab shows this information.

Is the GPO listed as Denied in GPO Results? The Summary tab shows this information.

Each question is answered under the following headings that correspond to the flowchart in Figure 3.
GPO Applied, Policy Setting Listed

In this scenario the client has successfully received the GPO and the specific policy setting is in effect at the client. This means that the only problem is that the actual value of the policy setting is incorrect. See the Settings tab of the Group Policy Results report for information about the individual settings that have been applied.

Figure 3 GPO Applied, Policy Setting Listed

The following factors can contribute to this scenario:

GPO Inheritance (Setting Listed)

Although GPOs have been applied, and the correct policy setting is listed, Group Policy inheritance might result in an unexpected GPO "winning" and providing a different value from the one expected. The settings are nested by source and type; click Show on the nested rows to expose the settings. Then look at the Winning GPO column to discover which GPO defines the value for the policy setting. For more information, see Group Policy Inheritance Rules in the section Details for Troubleshooting Core Group Policy Application Functionality.

Replication (Setting Listed)

After a change is made to either the GPO or the user or computer, that change must be replicated throughout the network. If you expected the winning GPO to supply a value for the setting other than the value that was actually applied, it might be that the GPO was changed recently, but the change has not yet been replicated to the domain controller that supplied the GPO to the client. For more information, see "Replication Convergence" later in this paper.

Group Policy Refresh (Setting Listed)

If Group Policy Refresh has not occurred since the winning GPO was modified and replicated, the old value for the setting is applied. After the changes to a GPO have been replicated to the client's domain controller, they need to be transmitted to the client. This occurs when the client refreshes Group Policy. Until this has occurred, the change will not be reflected at the client. You can either wait for a background refresh or force the refresh. For more information, see Group Policy Refresh.

Asynchronous Application of Group Policy (Setting Listed)

Group Policy can be applied after the computer has started and the user has logged on. This is called asynchronous application of Group Policy, in contrast to synchronous processing that occurs as part of startup or logon. If the problem is with a setting that can only be applied during startup or logon, it might have been detected during asynchronous Group Policy processing, for example as part of a Group Policy refresh or during the asynchronous processing used for logon optimization in Windows XP. For more information, see Asynchronous Processing and Logon Optimization in Windows XP.

Client-Side Extension Issue (Setting Listed)

After the core Group Policy engine has completed initial processing of the GPOs, it passes specific settings to CSEs to process. If the setting is listed but the value is wrong or the behavior on the client does not reflect the setting value, the failure might have occurred after this setting was passed to a CSE to process. For example, even if a Folder Redirection setting has been successfully passed to the Folder Redirection CSE, the CSE might not be able to complete processing for the setting. For more information, see Details for Troubleshooting Client-Side Extensions.
Loopback Processing (Setting Listed)

Loopback processing is a way to enforce a set of user settings at a computer regardless of who logs on at that computer. Typically, user settings are applied based on the site and OU membership of the user. If loopback processing is set for a computer, the user settings for anyone logged on to that computer are dependent (partially or fully) on the site and OU membership of the computer.

The behavior depends on the mode of loopback processing. In Replace mode, only the user settings defined in GPOs applied to the computer are used. In Merge mode, user settings from GPOs that would normally apply to the user are used provided they do not conflict with user settings in GPOs that apply to the computer.

Loopback processing only works if the computer and user are both in Windows 2000 or Windows Server 2003 domains. They can be in different domains, and one can be in a Windows 2000 domain while the other is in a Windows Server 2003 domain. You cannot deploy Group Policy to users in a Windows NT 4.0 domain by applying loopback to a computer in a Windows 2000 or Windows Server 2003 domain.

Security filters can affect the way loopback processing is applied. Even when the GPOs associated with the computer are used to define user settings, the user's credentials, not the computer's credentials, are validated against the GPO's security filter. Therefore the user's credentials determine whether the GPO should be applied. For example, you could create a GPO with a security filter that restricts the GPO to system administrators, and then associate that GPO with a computer that is configured for loopback processing. The settings in that GPO would only be applied when a system administrator is logged on.

To determine whether loopback processing is in effect, look for the User Group Policy loopback processing mode setting on the Settings tab of the report, under Computer Configuration\Administrative Templates\System\Group Policy. For more information, see Loopback Processing.
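
The Replace and Merge behavior described above, together with the rule that the security filter is checked against the user's credentials, can be modeled in a few lines. This is an added example, not code from the white paper or from Windows; the GPO names, setting names, and group names are constructed, and the model assumes each GPO list is already ordered from lowest to highest precedence (it does not model link order, enforcement, or blocked inheritance).

```python
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    user_settings: dict    # User Configuration settings: setting name -> value
    security_filter: set   # groups granted Read and Apply Group Policy


def resolve_user_settings(user_gpos, computer_gpos, user_groups, loopback=None):
    """Return {setting: (value, winning GPO name)} for the logged-on user.

    user_gpos / computer_gpos: GPOs in scope for the user's and the computer's
    site, domain, and OU, ordered lowest precedence first (model assumption).
    loopback: None (normal processing), "replace", or "merge".
    """
    if loopback is None:
        candidates = list(user_gpos)
    elif loopback == "replace":
        # Only user settings from GPOs that apply to the computer are used.
        candidates = list(computer_gpos)
    elif loopback == "merge":
        # The user's GPOs are processed first, then the computer's GPOs,
        # so the computer's GPOs win any conflict.
        candidates = list(user_gpos) + list(computer_gpos)
    else:
        raise ValueError(f"unknown loopback mode: {loopback!r}")

    applied = {}
    for gpo in candidates:
        # The filter is always evaluated against the *user's* groups, even for
        # GPOs that are in scope only because of the computer's location.
        if not (gpo.security_filter & set(user_groups)):
            continue
        for setting, value in gpo.user_settings.items():
            applied[setting] = (value, gpo.name)   # later GPO overwrites earlier
    return applied


# Constructed sample data (hypothetical names).
SALES_USERS = GPO("Sales Users",
                  {"Wallpaper": "sales.bmp", "HideControlPanel": False},
                  {"Authenticated Users"})
KIOSK_LOCKDOWN = GPO("Kiosk Lockdown",
                     {"HideControlPanel": True},
                     {"Authenticated Users"})
KIOSK_ADMIN = GPO("Kiosk Admin Tools",
                  {"HideControlPanel": False},
                  {"Kiosk Admins"})       # filtered to administrators only

USER_SCOPE = [SALES_USERS]                      # linked to the user's OU
COMPUTER_SCOPE = [KIOSK_LOCKDOWN, KIOSK_ADMIN]  # linked to the computer's OU

ALICE = {"Authenticated Users", "Sales"}
ADMIN = {"Authenticated Users", "Kiosk Admins"}

if __name__ == "__main__":
    for who, groups in (("alice", ALICE), ("admin", ADMIN)):
        for mode in (None, "replace", "merge"):
            result = resolve_user_settings(USER_SCOPE, COMPUTER_SCOPE, groups, mode)
            print(f"{who:5} loopback={mode!s:8} -> {result}")
```

The second element of each result corresponds to the Winning GPO column of the Settings tab, which is the first thing to compare against when a listed setting has an unexpected value on a loopback-enabled computer.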
GPO Applied, Policy Setting Not Listed

In the Group Policy Results report, the structure of the Settings tab is similar to the structure used in the Group Policy Object Editor. Expand the sections on the Settings tab by clicking Show. If the expected policy setting does not appear at all, either no updated GPO containing the expected setting reached the client, or the setting might not be processed at the client.

Figure 4 GPO Applied, Policy Setting Not Listed

Replication (Setting Not Listed)

After a setting is added to a GPO, that change must be replicated throughout the network. If the setting is specified in the GPO but is not listed in the Group Policy Results report on the client, it might be that the setting was recently added to the GPO, but the change has not yet been replicated to the domain controller that supplied the GPO to the client. For more information, see "Replication Convergence" later in this paper.

Group Policy Refresh (Setting Not Listed)

If Group Policy Refresh has not occurred since the winning GPO was modified and replicated, a newly added setting will not be applied. After the changes to the GPO have been replicated to the client's domain controller, they need to be transmitted to the client. This occurs during Group Policy refresh. You can either wait for a background refresh or force the refresh by running gpupdate, by logging off and on (for user configuration), or by restarting the computer (for computer configuration). For more information, see Group Policy Refresh.

Lack of Operating System Support (Setting Not Listed)

Some policy settings are supported on only certain operating systems or require a minimum service pack to be applied. When a GPO delivers a policy setting to a client computer that does not support that setting, the operating system ignores the setting. For more information, see Operating System Support.
GPO Not Applied, Listed as Denied

If the GPO successfully reaches the client, it appears either in the list of Denied GPOs or in the list of Applied GPOs. A GPO can be explicitly denied for any of a number of reasons.

Figure 5 GPO Not Applied, Listed as Denied

To determine whether a GPO is denied, look on the Summary tab of the Group Policy Results report. Under Computer Configuration Summary and again under User Configuration Summary, click Show to expand Group Policy Objects, and then show Denied GPOs. The reason for the denial is given for each denied GPO.

Security Filtering (GPO Denied)

The user or computer does not have the user rights assigned for the GPO. The required privileges are Read and Apply Group Policy. Alternatively, a GPO might be associated with a Deny ACE, which overrides any other privileges granted to the user or computer. For more information, see Access Control and Security Filtering.

Disabled Link (GPO Denied)

There is a link to the GPO from a site, domain, or OU in the hierarchy of the user or computer, but that link has been explicitly disabled. You can quickly scan the navigation pane of GPMC for disabled links, as described in Viewing Active Directory objects and GPOs in the "Troubleshooting Tools" section of this paper.

Inaccessible GPO (GPO Denied)

There is a link to the GPO, but the GPO cannot be accessed. There are several possible reasons for this:

The permissions on the GPO or on folders in the path to the Group Policy template are insufficient for it to be accessed and read. If this situation occurs, the Component Status section of the Group Policy Results report will indicate Failure for the component Group Policy Infrastructure.

The GPO might have been deleted, but the link to it remains for some reason (such as replication lag).

Network connectivity problems might prevent access to the GPO.

The client is unable to contact any domain controller.

For more information, see the sections Missing or Corrupted Files, Replication, and Access Control and Security Filtering.

Empty GPO (GPO Denied)

A GPO will be denied if it has no settings. This occurs when an administrator has configured a GPO and linked to it, but has not set any policy settings within the GPO. Either remove the link to the GPO or add policy settings to the GPO. If there are no remaining links to the GPO, you might want to delete it.

WMI Filter (GPO Denied)

A WMI filter applied to a GPO is essentially a Boolean (true/false) decision as to whether the entire GPO should be applied to the client computer. The filter is evaluated at the client when the GPO is applied. Based on the embedded WQL query, the GPO will either be enabled or disabled. See WMI Filtering for further details.
GPO Neither Applied nor Denied

All the GPOs that reach the client appear on the Summary tab in either the Group Policy Objects Applied section or the Group Policy Objects Denied section. There are four lists altogether: two lists (Applied GPOs and Denied GPOs) under Computer Configuration Summary for settings that are delivered from the computer's Active Directory hierarchy, and another two under User Configuration Summary for settings that are delivered from the user's Active Directory hierarchy. If the GPO is not listed as either Applied or Denied under either Configuration Summary, it did not reach the client.

Also note whether the GPO is listed in the expected Configuration Summary (Computers or Users). That can affect which settings are actually applied, particularly if loopback processing is in effect.

Figure 6 GPO Neither Applied Nor Denied

Scope of Management (GPO Not at Client)

One of the most common causes of a GPO not being applied to a user or computer is that the GPO is not linked to a site, domain, or OU of which the computer or user is a member. GPOs are delivered to clients based on the site and OU memberships of the computer and the logged-on user; group memberships are only used to further restrict application of the GPO. See Organizational Unit (OU) Membership and GPO Links for further details.

Replication (GPO Not at Client)

After an administrator has linked a GPO to a site, domain, or OU in the hierarchy of the user or computer, the change must be replicated to the domain controller from which the client retrieved its GPOs. Also, if the user or computer has recently been added to an OU, the GPOs that apply to that OU might not be applied to the client until the change in OU membership has been replicated to the domain controller from which the client retrieves GPOs. For more information, see "Replication Convergence" later in this paper.

Group Policy Refresh (GPO Not at Client)

After an administrator has linked a GPO to a site, domain, or OU in the hierarchy of the user or computer, and the change has been replicated to the client's domain controller, the GPO still needs to reach the client. This occurs during Group Policy refresh. You can either wait for a background refresh or force the refresh. For more information, see Group Policy Refresh.

Network Connectivity (GPO Not at Client)

Group Policy requires a reliable networking infrastructure to ensure appropriate communication between the client computer and a domain controller. This includes TCP/IP, DNS, and other dependent technologies. See Network Connectivity for further details.
Details for Troubleshooting Core Group Policy Application Functionality

You can get a wealth of information about Group Policy application on a client by going to the Group Policy Results node in GPMC and generating a report for that client. The Group Policy Troubleshooting Flowchart and the text that accompanies it tell you what to look for in that report and which factors might be responsible for the results you see.

This section discusses the factors that affect core Group Policy functionality: the delivery of GPOs to the clients by way of the domain controllers and the evaluation of the ordered set of GPOs to be applied to the client. Each time Group Policy is applied, the full set of GPOs is reevaluated and reapplied if there is a change.

In addition to this core functionality, there are special cases for software distribution, Folder Redirection, scripts processing, administrative templates, security, etc. These functions are handled by Group Policy CSEs and are discussed under Factors Affecting Group Policy Client-Side Extensions.

Network Connectivity

Obviously, Group Policy cannot be delivered to clients who are not connected to the network. In this case the user can log on with cached credentials, and the last set of policies that the computer received will be applied.

This is relevant to a user who logs on to a corporate network through a VPN connection. In this scenario, the usual application of Group Policy does not occur because the user is already logged on to the computer before the VPN connection is established. One way to ensure that the normal Group Policy processing occurs at logon is by using the option to connect to a remote network through the initial logon prompt (Ctrl-Alt-Del).

Other issues that are related to network connectivity with regard to Group Policy application include slow links, DNS problems, and multi-homed clients. These are discussed in this section. A client might also be unable to access network resources due to time sync problems, as discussed in the Infrastructure Requirements at the beginning of this document under Networking. Network connectivity can also be the root cause of replication problems.

Troubleshooting

To test for network connectivity problems, check system event logs on the client computer (look for failed access attempts). You can also use the ping or netdiag commands to test network connectivity. For more information, see "Using Network Diagnostics" and "Active Directory support tools" in Help and Support Center for Windows Server 2003.

TCP/IP must be enabled on the network and on the client. ICMP is used to detect a slow link when the client initially connects to a domain controller, and therefore is required for Group Policy. ICMP must also be enabled if a firewall is in use. By default, the packet size used for slow link detection is 2048 bytes. Routers and firewalls must also support this packet size to ensure that slow link detection can succeed. For more information, see TCP/IP and ICMP under Infrastructure Requirements earlier in this document.
Slow Links
By default, Group Policy defines a slow link as 500 kilobits per second or less.
You can change this setting in the computer configuration, the user configuration, or both.
The setting is in the Administrative Templates; look under System and then under Group Policy.
Troubleshooting
When the computer is connected to the network over a slow link, Security settings and Administrative Template settings are always applied.
By default, Software Installation, scripts, and Folder Redirection settings are not applied over a slow link.
Group Policy is not processed if the user connects to the network over a slow link with cached credentials.
To ensure that Group Policy is applied over a slow link, the user must select the Log on using dial-up connection check box while using the Logon dialog box.
Even if Group Policy settings are configured to run scripts over slow links, the scripts might be executed so slowly that they exceed the configured time-out period.
In this case the script will fail to complete and a UserInit event will be posted.
DNS
Group Policy application requires clients to access specified servers, including domain controllers and other servers such as share points and install points.
Group Policy management also requires access to domain controllers.
DNS is used to locate and identify these servers.
In Windows Server 2003, Active Directory requires DNS support.
If the network is functioning, but clients or GPMC consoles are unable to locate the servers, there might be a problem with your network's DNS system.
Troubleshooting
First, ping the computer using the NetBIOS name.
Then ping the computer again using the fully qualified domain name of the target computer.
If the first ping works but the second does not, then there is probably a DNS problem.
Use Netdiag.exe to research the problem further.
Use Dcdiag.exe to troubleshoot domain controllers, and use Netdiag.exe to troubleshoot client computers.
These tools can help determine both server and client DNS misconfigurations.
For more information, see article Q265706, "DCDiag/NetDiag Facilitate Join and DC Creation" in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/LinkId=4441).
Multi-Homed Computers
If a client has multiple network adapters connected to multiple networks, assign the highest priority to the network adapter that connects to the network that is providing Group Policy to that client.
For more information, see Microsoft Knowledge Base Article 258296 (http://go.microsoft.com/fwlink/LinkId=17909).
Missing or Corrupted Files
Group Policy information is contained in files on both the domain controllers and the clients.
If any of these files are missing or corrupted, only some or none of the policies can be applied.
For a brief discussion of this issue, see "SYSVOL Share" earlier in this document.
Troubleshooting
Use GPOtool.exe to check for the presence and integrity of the following files in the SYSVOL share and its subfolders on the domain controller.
Files in the Group Policy template.
Registry.pol (Search %windir%\debug\usermode\UserEnv.log for references to this file). This file is used for processing administrative templates through the registry CSE.
When a process is unable to access a file, it generates an event.
Whether this event is recorded depends on the event severity and whether verbose logging is enabled for that process.
Check the Policy Events tab in the Group Policy Results report for events that point to problems accessing files.
You can also use Event Viewer on the client to view the Application logs, and you can enable and view verbose logging for UserEnv and for specific CSEs to Group Policy.
For more information, see "Appendix: Group Policy Log Files."
On the client, check for the presence and integrity of the following files in the %windir%\system32 folder.
Replace suspect or missing files from the CD for the client's operating system.
The System File Checker (Sfc.exe) can be used to scan all protected files to verify their versions.
UserEnv.dll
Dskquota.dll
Fdeploy.dll
Gptext.dll
Appmgmts.dll
Gptext.dll
Scecli.dll
Replication Convergence
Most networks use more than one domain controller for fault tolerance and performance reasons.
Any of these domain controllers can respond to system requests from computers in the domain (authentication requests or Group Policy refresh requests, for example).
For consistent behavior throughout the network, all the domain controllers need to be providing the same information to clients.
This is accomplished by replicating the data among the domain controllers in a single domain.
Two forms of replication are employed:
Active Directory replication copies the changes to directory information to the data stores on other domain controllers. The replicated information includes the Group Policy container for each GPO, as well as information about the relationships between Active Directory containers that Group Policy client-side extensions use to determine what Group Policy settings apply to them. Active Directory replication occurs at a set interval and can be forced.
File Replication service (FRS) copies changes to files to other domain controllers, so that the files are mirrored from one domain controller to another. This includes the SYSVOL share, which contains the Group Policy template for each GPO. FRS replication occurs at set intervals according to its replication schedule and cannot be forced.
There can be a lag time after a change has been made on one domain controller before the change is replicated to all other domain controllers.
The propagation and resolution of these changes throughout the network is an ongoing process called replication convergence.
Troubleshooting
Until changes to a GPO have been replicated to the domain controller a client is accessing, that client will receive the earlier version of the GPO during Group Policy refresh.
If you suspect both replication and Group Policy refresh issues, address the replication issue first.
Then refresh Group Policy at the client.
Changes to the OU memberships of computers and users also need to be replicated before they can be reflected in Group Policy application at the client.
For more information see "Organizational Unit Membership and GPO Links."
In general, it is best to use the same domain controller for all GPO editing or to agree on a process, such as delegated administration of GPOs, to minimize the likelihood of the same GPO being edited on different domain controllers.
If changes are made to the same GPO at two different domain controllers, the last change wins.
Also, if you delegate control of a specific GPO to a user group, members of that group might be unable to perform the delegated tasks until the permissions have been replicated to their domain controller.
For more information see "Domain Controller Selection in the Group Policy Object Editor and GPMC" later in this paper.
There are several options for troubleshooting replication issues:
The Group Policy container and Group Policy template are each assigned version numbers, which are incremented when the GPO is modified. Use GPOTool to verify that the versions are synchronized.
Use Event Viewer to examine the directory service event log on the domain controller. Active Directory replication errors will appear with source=KCC.
Use Event Viewer to examine the File Replication service event log on the domain controller. FRS errors will appear with source=NTFRS.
Verify that the SYSVOL share exists on the domain controller. You should be able to find \\domain_controller_name\SYSVOL, where domain_controller_name is the fully qualified domain name (not the NetBIOS name) of the domain controller.
To troubleshoot Active Directory replication issues, use replmon.exe and the other Active Directory support tools that ship with Windows Server 2003. These are listed in "Active Directory support tools" in Help and Support Center for Windows Server 2003.
You can use GPOtool.exe to identify problems related to domain controller health, including Active Directory replication and FRS issues.
To troubleshoot file replication issues, check the status of the Directory File Service links and targets as described in "To check status of a DFS root, DFS link, or target" in Help and Support Center for Windows Server 2003. Group Policy requires Directory File Service.
You can use the Sonar.exe tool to check the health of the SYSVOL share.
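The version check described above can be reasoned about as a comparison across domain controllers. The following is an added example, not code from the whitepaper or from GPOTool: it takes a constructed table of container and template version numbers per domain controller (the GPO names, DC names, and numbers are assumptions) and reports which replication channel is lagging.

```python
"""Classify GPO version skew across domain controllers (added example)."""

# Constructed snapshot: for each GPO, the version numbers read on each DC as
# (gpc, gpt). gpc = Group Policy container version (carried by Active
# Directory replication); gpt = Group Policy template version in SYSVOL
# (carried by FRS).
SNAPSHOT = {
    "GPO-A": {"dc1": (7, 7), "dc2": (7, 7), "dc3": (7, 7)},
    "GPO-B": {"dc1": (12, 12), "dc2": (12, 11), "dc3": (11, 11)},
    "GPO-C": {"dc1": (4, 4), "dc2": (4, 4)},  # not yet present on dc3
}
DCS = ["dc1", "dc2", "dc3"]

# Where the troubleshooting list above says to look for each finding.
NEXT_STEP = {
    "gpc_behind": "directory service event log, source=KCC",
    "gpt_behind": "File Replication service event log, source=NTFRS",
    "gpc_gpt_mismatch": "container and template disagree on this DC",
    "missing": "GPO not found on this DC; check both replication channels",
}


def check_convergence(snapshot, dcs):
    """Return sorted (gpo, dc, finding) tuples; an empty list means converged."""
    findings = []
    for gpo, per_dc in snapshot.items():
        newest_gpc = max(gpc for gpc, _ in per_dc.values())
        newest_gpt = max(gpt for _, gpt in per_dc.values())
        for dc in dcs:
            if dc not in per_dc:
                findings.append((gpo, dc, "missing"))
                continue
            gpc, gpt = per_dc[dc]
            if gpc < newest_gpc:          # Active Directory replication lag
                findings.append((gpo, dc, "gpc_behind"))
            if gpt < newest_gpt:          # FRS (SYSVOL) replication lag
                findings.append((gpo, dc, "gpt_behind"))
            if gpc != gpt:                # the two halves disagree locally
                findings.append((gpo, dc, "gpc_gpt_mismatch"))
    return sorted(findings)


def stale_dcs(findings):
    """DCs from which a client would receive an earlier (or no) copy of a GPO."""
    return sorted({dc for _, dc, _ in findings})


if __name__ == "__main__":
    for gpo, dc, kind in check_convergence(SNAPSHOT, DCS):
        print(f"{gpo} on {dc}: {kind} -> {NEXT_STEP[kind]}")
```

In the sample, dc3 holds matching container and template versions for GPO-B and would pass a check made on that DC alone, yet it is still serving the earlier version; only the cross-DC comparison shows it.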
Group Policy Refresh
Group Policy refresh refers to the retrieval of GPOs by a client.
During Group Policy refresh, the client contacts an available domain controller.
If any GPOs have changed, the domain controller provides a list of all the appropriate GPOs, regardless of whether their version numbers have actually changed.
Replication and Group Policy refresh are both instances of lag-time issues: the system is working properly, but changes have not yet appeared at the client.
Troubleshooting
By default, GPOs are processed by CSEs at the computer only if the version number of at least one GPO has changed on the domain controller that the computer is accessing.
You can use policy settings to change this behavior.
Some CSEs process unchanged GPOs if the user's group membership has changed.
At startup, Group Policy is refreshed, and computer settings are applied.
Group Policy is refreshed and computer and user settings are applied in the following instances:
When a user logs on.
When gpupdate is run at the client computer.
At the refresh interval, if one is configured at that computer.
By default, domain controllers are refreshed every five minutes, and all other computers are refreshed every 90 minutes, with a random factor of up to plus or minus 30 minutes.
To see the last time the GPOs from the computer's OU were processed, look on the Summary tab of the Group Policy Results report under Computer Configuration Summary, and then under General.
To see the last time the GPOs from the user's OU were processed, look on the Summary tab of the Group Policy Results report under User Configuration Summary, and then under General.
To collect Group Policy refresh information from clients and store it at a central location, use gpmonitor.exe.
This tool is included in the Windows Server 2003 Deployment Kit.
Note: Some types of settings can only be applied during logon.
These include Folder Redirection, Roaming Profiles, and Software Installation settings.
If these settings are received when Group Policy is refreshed, the settings are evaluated, but they are not applied until the next time the user logs on.
If the computer is running Windows XP and these settings first reach the computer during logon, they might not be applied until the next time the user logs on.
For some extensions, it might take two or three logons for the settings to be applied.
For more information see "Asynchronous Processing and Logon Optimization in Windows XP" later in this paper.
A simple way to troubleshoot a suspected Group Policy refresh issue is to force the refresh by running gpupdate and then either restarting the computer or logging off and logging on again.
If Folder Redirection, roaming profiles, or Software Installation is involved and the computer is running Windows XP, run gpupdate and then log off and log back on.
You might need to log off and log back on more than once.
For more information, see "Asynchronous Processing and Logon Optimization in Windows XP" later in this paper.
Trust Relationships
You can link GPOs across domains, provided there is a trust relationship between them.
If the trust relationship is broken, clients will be unable to access the GPO and related files.
You might also encounter performance issues with links across domains.
GPMC supports management of other forests from within the console when there is a trust relationship between those forests and the forest in which your user account resides.
However, you cannot link a GPO in one forest to a site, domain, or OU in a different forest.
Troubleshooting
If the GPO cannot be applied due to lack of trust, it will appear in the list of Denied GPOs and the reason given will be Inaccessible.
Use Active Directory Domains and Trusts or nltest.exe to verify the trust relationship, and to repair it if necessary.
If you are not concerned about the identical GPO being applied in both domains, copy the GPO to the domain with the Active Directory containers you want to link to it.
For more information see "Forests in Group Policy Management Console" in GPMC Help and "Forest trusts" in Help and Support Center for Windows Server 2003.
OU Memberships and GPO Linking
GPOs are applied to a client only if they are linked to a site, domain, or OU to which the computer or the user at that computer belongs.
For troubleshooting purposes, you need a solid understanding of your organization's Active Directory structure and the Group Policy inheritance and filtering rules.
With this information and the Resultant Set of Policy (RSoP) functionality in Windows Server 2003 and Windows XP, you can manipulate your Active Directory structure and your Group Policy links and filters to deliver targeted settings to the users and computers in your organization.
The same information is needed to troubleshoot situations where these manipulations produce an unexpected result.
Troubleshooting
Check Active Directory Users and Computers to see what site, domain, and OU the user and the computer are in.
In GPMC, expand the Active Directory containers that contain the affected client.
In the navigation pane, scan the list of GPOs for each container for disabled links.
GPOs are filtered according to the Active Directory groups that the users and computers belong to.
The Active Directory objects in which you place your Active Directory groups and the ways you group users or computers affect how GPOs can be distributed and applied.
Active Directory and FRS replication lag can affect either part of the GPO.
If you have an OU that contains other OUs and you remove Read permissions to the parent OU, then no policy will be processed by computers or users in that OU hierarchy.
If there are conflicting settings in the GPOs that apply to the client, they are resolved according to the Group Policy inheritance rules, which are discussed elsewhere in this section.
Adding a User or Computer to an OU
When a user or computer is added to an OU, two things need to happen before the GPOs that the new OU links to are applied to the client:
The new OU assignment must be replicated to the client's domain controller. For more information, see "Replication Convergence" earlier in this paper.
After the replication is complete, you must either log off and log back on again if the user account moved to the new OU, or restart the computer if the computer moved to the new OU. Some settings can only be applied at system startup or logon. For more information see "Asynchronous Processing and Logon Optimization in Windows XP" later in this paper.
User Settings vs. Computer Settings
In most cases, the computer settings are taken from GPOs that are linked to nodes in the hierarchy that the computer belongs to, and user settings are taken from GPOs that are linked to nodes in the hierarchy that the user belongs to.
The exceptions are loopback processing, which is discussed in General Issues for CSE Processing, and explicit denials, which are discussed in the white paper, Windows Server 2003 Group Policy Infrastructure (http://go.microsoft.com/fwlink/LinkId=14950).
There are two main issues involving user settings and computer settings.
The first is when settings are applied: at system startup, at logon, or through background refresh while the computer is in use.
The second is how conflicts are resolved after inheritance rules have been applied to determine the GPOs that apply to the client.
Troubleshooting
Loopback processing can determine which GPOs provide user settings.
For more information, see Loopback Processing.
If a setting is not supported by the operating system running on the computer where the user logs on, the setting is ignored.
For more information, see Operating System.
Computer settings are not applied until Group Policy is refreshed on that computer, or the computer is restarted.
User settings are not applied until Group Policy is refreshed on that computer, or the user logs on.
Some user settings, notably those involving Software Installation or Folder Redirection, cannot be applied until the user logs on.
If the computer is running Windows XP and logon optimization is in effect, the user might need to log on more than once.
For more information see "Asynchronous Processing and Logon Optimization in Windows XP" later in this paper.
The computer configuration settings and user configuration settings for a client are listed in the Group Policy Results or Group Policy Modeling report for that client, on the Settings tab.
The computer configuration settings and user configuration settings for a GPO are listed in the GPO, on the Settings tab.
Security Filtering
Group Policy can be used to provide or deny access to programs and data in your network, and to enforce policies regarding computer configuration based on assigned privileges and security group memberships.
This is accomplished by using the access control functionality built into Windows 2000 Server and Windows Server 2003 domains and is known as security filtering.
You can restrict application of all the settings in a GPO on the basis of security group memberships by setting a security filter on that GPO.
If the computer account or user account does not meet the security filtering criteria, the entire GPO will be denied at that client.
For example, you can assign special settings to all the administrators in a portion of the hierarchy by setting the security filter to apply the GPO to all administrators, and then linking the GPO to the highest node in the portion of the hierarchy where you want the settings to apply.
All users in that portion of the hierarchy will receive the GPO, but only members of the administrators group will be affected by it.
Troubleshooting
To see the security groups that were in effect when Group Policy was applied to a specific computer, look in the Group Policy Results report for that computer.
Under both Computer Configuration Summary and User Configuration Summary, expand Security Group Membership when Group Policy was applied.
To see the access control lists that affect where a GPO can be applied, open the GPO in GPMC and look at Security Filtering on the Scope tab.
This is also where you would change those settings.
If a GPO is incorrectly denied or applied due to security filtering because the user or computer had different security group memberships than expected, use Active Directory Users and Computers to check and if necessary change the security group memberships.
When restricting the application of a GPO, be sure to remove Authenticated Users.
Otherwise all users will always be affected by the GPO.
Computers are members of the Authenticated Users group.
If you remove Authenticated Users from the list on the Scope tab and you want the GPO to apply to a computer, you must specifically ensure that the computer belongs to a group that is included in the Security Filtering section on the Scope tab.
Cached Credentials
When a user successfully logs on to the network, the credentials for that user can be cached on the local computer.
If network connectivity problems prevent the user from being authenticated the next time the user logs on to the same computer, these cached credentials can be used to give the user access to resources on that computer.
If the computer successfully connects to the network later, the cached credentials can be used to provide access to network resources, including GPOs that are received at the next Group Policy refresh.
Troubleshooting
If a domain controller is not available when the user logs on, Group Policy cannot be refreshed at logon.
In this case, new Group Policy settings will not be applied until a Group Policy refresh occurs while a domain controller is available.
Some user settings can only be applied during logon.
These include roaming user profile path, Folder Redirection path, and Software Installation settings.
If the user is already logged on when these settings are detected, they will not be applied until the next time the user is logged on.
For more information, see "Asynchronous Processing and Logon Optimization in Windows XP" in this paper.
When a user logs on to a computer locally and then accesses the network by using a dial-up or VPN connection, cached credentials are always used.
WMI Filtering
If the GPO is linked to a WMI filter, the queries in the WMI filter are evaluated against the data provided by WMI on the client.
Such data can include hardware and software inventory, settings, and configuration information.
If all of the criteria are true, the GPO is applied.
If any of the criteria is false, the GPO is denied.
If a WMI filter is deleted, the links to the WMI filter are not automatically deleted.
If there is a link to a non-existent WMI filter, the GPO with that link will not be processed until the link is removed or the filter is restored.
Note: Only Windows XP, Windows Server 2003, and later operating systems support WMI filtering.
If the computer is running an earlier operating system (such as Windows 2000), the WMI filter is ignored and the GPO is applied.
Troubleshooting
If the filter is not producing the expected results, troubleshoot and edit the filter.
WMI filters are stored on a per-domain basis separately from the GPOs that link to them.
They can be accessed in GPMC on the WMI Filters node under the domain.
For more information see GPMC online Help.
You can also use the WBEMtest and WMIC utilities to troubleshoot WMI issues.
For more information, see "Windows Management Instrumentation Command-line" and "Windows Management Instrumentation Tester" in Help and Support Center for Windows Server 2003.
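The Security Filtering and WMI Filtering rules above combine into one applied-or-denied decision per GPO. The following is an added example, not code from the whitepaper: the GPO names, group names, filter names, and reason strings are constructed, and plain Python predicates stand in for real WMI queries.

```python
"""Decide whether a GPO is applied or denied by security and WMI filtering."""

# Operating systems the page names as evaluating WMI filters.
WMI_CAPABLE = {"Windows XP", "Windows Server 2003"}

# Constructed WMI filters: name -> predicates over a dict of client facts.
WMI_FILTERS = {
    "Laptops": [lambda f: f.get("chassis") == "laptop"],
    "XP-512MB": [lambda f: f.get("os") == "Windows XP",
                 lambda f: f.get("ram_mb", 0) >= 512],
}

# Constructed GPOs: security filter (groups allowed to apply the GPO) and the
# name of the linked WMI filter, if any.
GPOS = {
    "Admin-Tools":   {"groups": {"Domain Admins"}, "wmi": None},
    "Laptop-Crypto": {"groups": {"Authenticated Users"}, "wmi": "Laptops"},
    "Finance-Lock":  {"groups": {"Finance", "Authenticated Users"}, "wmi": None},
    "Old-Inventory": {"groups": {"Authenticated Users"}, "wmi": "Retired-Filter"},
}


def evaluate(gpo_name, member_of, facts, gpos=GPOS, filters=WMI_FILTERS):
    """Return (applied, reason) for one user or computer account.

    member_of: security groups of the account. Every account, computers
    included, is treated as a member of Authenticated Users.
    facts: client data the predicates read, including "os".
    """
    gpo = gpos[gpo_name]
    groups = set(member_of) | {"Authenticated Users"}
    if not gpo["groups"] & groups:
        return (False, "denied: security filtering")
    if gpo["wmi"] is None:
        return (True, "applied")
    # Assumption: a client that cannot evaluate WMI filters never looks at
    # the link, so this check comes before the missing-filter check.
    if facts.get("os") not in WMI_CAPABLE:
        return (True, "applied: WMI filter ignored by this operating system")
    if gpo["wmi"] not in filters:
        return (False, "denied: linked WMI filter no longer exists")
    if all(query(facts) for query in filters[gpo["wmi"]]):
        return (True, "applied")
    return (False, "denied: WMI filter evaluated to false")


def audit(gpos=GPOS, filters=WMI_FILTERS):
    """Flag filter configurations that do not do what the administrator expects."""
    issues = []
    for name, gpo in sorted(gpos.items()):
        if "Authenticated Users" in gpo["groups"] and len(gpo["groups"]) > 1:
            issues.append((name, "restriction has no effect: Authenticated Users still listed"))
        if gpo["wmi"] is not None and gpo["wmi"] not in filters:
            issues.append((name, "link to deleted WMI filter: GPO will not be processed"))
    return issues


if __name__ == "__main__":
    desktop_2000 = {"os": "Windows 2000", "chassis": "desktop"}
    print(evaluate("Laptop-Crypto", set(), desktop_2000))
    for issue in audit():
        print(issue)
```

The Windows 2000 desktop in the sample receives the laptop-only GPO because it never evaluates the filter, so a WMI filter narrows where settings land but is not an access control.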
Group Policy Inheritance Rules
Before you apply or troubleshoot Group Policy, you should be familiar with Group Policy inheritance rules.
These are described in GPMC Help and in "Designing a Group Policy Infrastructure" (http://go.microsoft.com/fwlink/LinkId=4757) in the Windows Server 2003 Deployment Guide.
GPOs can be linked to sites, domains, and OUs.
The following inheritance rules apply to GPOs:
Certain settings can only be set at the domain level. One example is domain password policies. If an OU lower in the hierarchy links to a GPO with password policy settings, those settings only apply to the local accounts.
OUs inherit the GPOs linked to their parents. Exceptions are due to the use of Block Inheritance and Enforce settings. (Enforce was previously called No Override.)
In contrast to OUs, domains do not inherit Group Policy from parent domains.
The order in which GPOs are applied is critical because where there are conflicts in settings between these GPOs, the last GPO applied wins. Exceptions are due to Enforce and Loopback Processing settings.
GPOs from the most distant container are applied first, and GPOs from the nearest container are applied last.
GPOs from any one Active Directory container are applied according to their precedence, as defined by the link order.
When you view a site, domain, or OU in GPMC, you can view the GPOs linked directly to that container and its parents, including the link order.
You can also see where inherited GPOs are linked and whether they are enforced.
Troubleshooting
Conflict resolution applies to individual settings, not to entire GPOs.
It could easily happen that one setting in a GPO encounters a conflict but all other settings in that GPO are applied.
The GPO with the lowest link number prevails over other GPOs that the same site, domain, or OU is linked to.
You can use GPMC to change the order of links for a specific site, domain, or OU.
(The links are a property of the site, domain, or OU; they are not a property of the GPO.)
Enforce and Block Inheritance settings can complicate troubleshooting because they counteract the usual inheritance rules.
The Enforce setting is a property of the link between an Active Directory container and a GPO.
It is used to force that GPO to all Active Directory objects within a container, no matter how deeply they are nested.
The settings within a GPO that is enforced override other settings that would prevail because they are applied later.
If there are conflicting settings in GPOs that are enforced at two levels of the hierarchy, the setting enforced furthest from the client prevails.
This is a reversal of the usual rule, in which the setting from the nearest-linked GPO would prevail.
The actual effect of Enforce is to change the order of processing.
The settings in an Enforced GPO are processed after all other GPOs' settings are processed.
The Block Inheritance setting applies to an entire Active Directory container.
It blocks the inheritance of all GPOs except for those for which the link from the parent Active Directory object to the GPO has the Enforce setting enabled.
Administrators who have set Block Inheritance on their domain or OU can still make explicit links to GPOs elsewhere in the domain, including GPOs that might otherwise be inherited.
(Domains do not inherit GPOs from parent domains.)
Note that when Block Inheritance is applied at a domain level it blocks GPOs linked to sites.
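The link order, Enforce, and Block Inheritance rules above can be worked through as a small model. The following is an added example, not code from the whitepaper or from GPMC: the container names, GPO names, and settings are constructed, and domain-only settings such as password policy and loopback processing are left out of the model.

```python
"""Compute GPO processing order and per-setting winners (added example)."""
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str
    order: int               # link order in its container; 1 = highest precedence
    enforced: bool = False
    enabled: bool = True


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(chain):
    """chain lists containers from most distant (site) to nearest (client's OU).

    Returns GPO names in processing order; a later GPO wins a conflict.
    """
    # Block Inheritance drops non-enforced links from every container above
    # the blocking one, so only the nearest blocking container matters.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)

    def pick(container, enforced):
        links = [l for l in container.links if l.enabled and l.enforced == enforced]
        # Highest link number first, so link order 1 is processed last and wins.
        return [l.gpo for l in sorted(links, key=lambda l: l.order, reverse=True)]

    order = []
    for i, container in enumerate(chain):        # distant -> nearest
        if i >= cutoff:
            order += pick(container, enforced=False)
    for container in reversed(chain):            # enforced: nearest -> distant,
        order += pick(container, enforced=True)  # so the furthest one wins
    return order


def resolve(chain, settings):
    """Return {setting: (value, winning GPO)}; conflicts resolve per setting."""
    result = {}
    for gpo in processing_order(chain):
        for key, value in settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result


# Constructed hierarchy: site -> domain -> Workstations OU -> Kiosks OU.
SITE = Container("HQ", [Link("Site-Proxy", 1)])
DOMAIN = Container("corp.example", [Link("Domain-Baseline", 1, enforced=True),
                                    Link("Domain-Desktop", 2)])
WORKSTATIONS = Container("Workstations", [Link("WS-Lockdown", 1),
                                          Link("WS-Legacy", 2, enabled=False)])
KIOSKS = Container("Kiosks", [Link("Kiosk-Shell", 1)], block_inheritance=True)

SETTINGS = {
    "Site-Proxy": {"ProxyServer": "proxy-hq"},
    "Domain-Baseline": {"ScreenSaverTimeout": 600, "AuditLogon": "on"},
    "Domain-Desktop": {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 900},
    "WS-Lockdown": {"Wallpaper": "plain.bmp", "ControlPanel": "hidden"},
    "WS-Legacy": {"ControlPanel": "visible"},
    "Kiosk-Shell": {"ScreenSaverTimeout": 60, "Wallpaper": "kiosk.bmp"},
}

WORKSTATION_CHAIN = [SITE, DOMAIN, WORKSTATIONS]
KIOSK_CHAIN = WORKSTATION_CHAIN + [KIOSKS]

if __name__ == "__main__":
    for name, chain in (("workstation", WORKSTATION_CHAIN), ("kiosk", KIOSK_CHAIN)):
        print(name, processing_order(chain))
        for key, (value, gpo) in sorted(resolve(chain, SETTINGS).items()):
            print(f"  {key} = {value!r} (from {gpo})")
```

For the kiosk, Block Inheritance removes the site and non-enforced domain GPOs, but the enforced domain baseline still overrides the kiosk's own screen saver time-out.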
Migrating GPOs Between Forests
Migration in this context refers to transferring a GPO from one forest to another (from a test environment to a production environment, for example).
Migrating from a Windows NT 4.0 domain to a Windows 2000 or Windows Server 2003 domain is a different issue and is covered in Migrating from Windows NT 4.0.
Simply backing up and importing the GPO often does not produce the results you want because GPOs include domain-specific information such as security principals and UNC paths.
GPMC includes migration support, including a migration table editor, to address these issues.
If a GPO that worked in one forest is not working as expected in the new forest, you might need a migration table.
You also might need to back up and import the GPO instead of copying it.
Troubleshooting
Check for a trust relationship between the source domain and the target domain.
If there is trust, copy the GPO; if not, import it.
If the GPO has references to security principals or UNC paths, use a migration table.
The migration table editor that is included with GPMC provides error checking.
However, there is still a possibility of mistyped UNC paths.
For more information see Migrating GPOs Across Domains with GPMC (http://go.microsoft.com/fwlink/LinkId=14321).
Loopback Processing
Some GPOs are delivered to the client through the Active Directory hierarchy the computers belong to, and other GPOs are delivered through the user's Active Directory hierarchy.
GPOs from either source can have both computer settings and user settings.
Typically, the user settings in GPOs linked to a site, domain, or OU in the user's hierarchy prevail over user settings in GPOs directed to the computer.
User settings in GPOs applied to the computer are ignored.
If the computer is configured for loopback processing, the user settings from GPOs directed to the computer will affect the processing of the user's Group Policy settings.
The exact effect depends on which mode of loopback processing is configured.
Note: The user's account is used to check against security filtering for user settings, even if loopback processing is implemented.
There are two modes for loopback processing.
In Loopback with Replace, the GPO list for the user is replaced in its entirety by the GPO list assigned based on the computer's inheritance hierarchy.
This is evaluated each time Group Policy is applied.
In Loopback with Merge, the user-assigned settings are applied after the computer-assigned user settings; in effect the two sets of user policy settings are merged.
Loopback processing can only be applied to computers in Windows 2000 or Windows Server 2003 domains.
To find out whether loopback processing was applied when Group Policy was evaluated on the client, look in the Group Policy Results report on the Settings tab in the following location:
Computer Configuration
Administrative templates
System/Group Policy
Troubleshooting
If the loopback processing is appropriate for this client, you might need to educate the users so they know what to expect.
If loopback is desired and it appears that it is not being applied, first verify the loopback policy setting (which is a computer configuration policy) has been applied to the computer through an appropriate GPO.
Details for Troubleshooting Client-Side Extensions
After the core Group Policy processing is completed at the client, the GPOs are handed to the appropriate CSEs.
The CSEs are DLLs that process the GPOs.
A CSE might process only certain types of settings.
For example, the Scripts CSE deals only with settings involving startup, shutdown, logon, and logoff scripts, while the Folder Redirection CSE deals only with settings involving Folder Redirection.
Several CSEs ship with Windows 2000, Windows XP Professional, and Windows Server 2003.
Other software manufacturers might create additional CSEs to leverage Group Policy functionality and make their products more manageable.
Because CSEs cannot begin to work until core Group Policy processing is completed, the issues described in the previous sections apply regardless of which CSE processes the setting.
For example, they can all be affected by network connectivity problems that prevent the GPO from reaching the client, or by inheritance rules.
Operating System Support
Many Group Policy settings were introduced for Windows XP and Windows Server 2003 that are not supported by earlier operating systems.
If a setting is not supported, Group Policy will set the registry key to the specified value, but it is effectively ignored because no application or component will read that registry key.
Computers earlier than Windows 2000 do not support Group Policy at all.
WMI Filtering is only supported by Windows XP, Windows Server 2003, and later operating systems.
Other operating systems ignore the WMI filter and apply the GPO.
Troubleshooting
Verify that the setting is supported by the client's operating system.
The Group Policy Object Editor displays the operating systems where each policy setting is supported.
Asynchronous Processing and Logon Optimization in Windows XP
Group Policy can be applied during startup and logon (synchronous processing) or as a background task after startup or logon has completed (asynchronous processing).
Changes received during periodic Group Policy refresh or in response to the gpupdate command are processed asynchronously.
On computers running Windows XP, Group policies received during logon are also processed asynchronously by default, so that the logon is completed more quickly.
Software Installation and scripts processing must be applied during startup or logon.
Folder Redirection assigned to the user must be applied during logon.
By default, Windows XP logs a user on in asynchronous mode.
Group Policy is then applied in the background after the user is logged on.
This results in faster logons.
However, when a new GPO setting for Software Installation, Scripts, or Folder Redirection arrives at a computer running Windows XP, the user has already logged on by the time Group Policy has been evaluated.
It is too late to apply the Software Installation setting.
In this case a flag is set so that the next time the computer is rebooted or the user logs on, Group Policy will be evaluated and applied before the startup or logon is completed.
In situations where you need users to receive software, implement folder redirection, or run new scripts in a single logon, apply a GPO with the setting Always wait for the network at computer startup and logon to the computer.
This setting is located under Computer Configuration\Administrative Templates\System\Logon in the Group Policy Object Editor.
For this setting to take effect, Group Policy must be refreshed or the computer restarted.
Table 1 Timing of Synchronous and Asynchronous Processing
By default, how is policy processed on the client | @Startup | @Logon | @Policy Refresh
Windows 2000 | Synchronously | Synchronously | Asynchronously
Windows XP Pro | Asynchronously | Asynchronously | Asynchronously
Windows Server 2003 | Synchronously | Synchronously | Asynchronously
Note: Servers do not perform asynchronous processing.
Registry CSE
Administrative Template settings take the form of true policies or preferences.
Preferences can be deployed using Group Policy, but they cannot be enforced to the same degree as true policies.
For this reason they are hidden by default in the Group Policy Object Editor.
Users can change preferences, but they cannot change true policies.
True policies are more secure because they are stored in secured registry hives.
Changes to true policies override but do not overwrite user preferences.
If the policy is later removed, the user setting will again prevail.
If the GPO ceases to apply to the user or computer, policies no longer apply but preferences remain.
This occurs if the user or computer moves out of the site, domain, or OU that the GPO is linked to, or if the GPO is deleted.
If the setting you are using is a preference rather than a true policy, be aware that because preferences can be overwritten but are not removed, the end user might see their behavior as unpredictable.
As a result, there might be perceived problems even when preferences are behaving as intended.
Troubleshooting preferences requires knowledge about changes to both the GPO and the preferences set by the user.
The registry CSE writes the value for the setting to the registry.
Some settings take effect as soon as they are written to the registry, but others take effect only at startup or logon.
If you are not seeing the expected results and the Group Policy Results report shows that the policy has been applied, restart the computer or log off and log back on.
Scripts CSE
Startup, logon, logoff, and shutdown scripts can be applied using Group Policy settings.
The Scripts CSE processes these script settings.
The Scripts CSE updates the registry with the location of one or more script files so that the UserInit process can find those values in the course of its normal processing.
When a CSE reports success, it might only mean that the value has been placed in the registry.
Even though the setting is in the registry, there could be problems preventing the setting from being applied to the client.
For example, if a script specified in a Script setting has an error that prevents it from completing, the Scripts CSE does not detect the error.
Scripts processing contains two steps:
Group Policy processes a GPO and stores the script information in the registry:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\Scripts (User Scripts)
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\Scripts (Machine Scripts)
Note: Script is run by means of a UserInit process.
(By default, scripts that cannot be completed time out after 10 minutes.)
Only Windows XP, Windows Server 2003, and later operating systems support WMI filtering.
If the computer is running an earlier operating system, the WMI filter is ignored and the GPO is applied.
Note: The time-out is the time allotment for all scripts to run.
This can be modified using the Computer policy setting: "Maximum wait time for Group Policy Scripts."
Common script errors include:
Bad script path.
Script time-out.
Access to script is restricted by means of ACLs (typically for startup/shutdown scripts that run as computer, not user).
If a logon script fails, it typically does not affect the other scripts.
However, startup scripts are often run synchronously, and a failure of one of these scripts can affect scripts intended to run later.
To investigate, check the Application Event Log for entries with UserInit as the source.

Software Installation CSE

A number of special issues affect Group Policy software installation. For example, network connectivity issues can disrupt access to the software installation packages. Software installation processing is never performed while the user is logged on because doing so could disrupt work and result in data loss. This has implications when Group Policy is configured to run asynchronously. These and other issues are addressed in the troubleshooting issues list in this section.

Software Installation is managed by the Software Installation CSE, which appears as the source Application Manager on the Policy Events tab in Group Policy Results reports. If you need additional logging information, enable verbose logging for the Software Installation CSE and Microsoft Windows Installer, as described under Appendix: Group Policy Log Files.

The Software Installation Diagnostics tool (addiag.exe) provides detailed information about the applications visible in Active Directory and installed for the current user, as well as general diagnostic information and related Event Log entries. It is available in the Windows 2000 Server Resource Kit.

Troubleshooting

Startup and logon requirements

Software Installation processing occurs only during computer startup or when the user logs on. This is because processing periodically could cause undesirable results. For example, if an application is no longer assigned, it is removed. If a user were using the application while Group Policy tries to uninstall it or if an assigned application upgrade takes place while someone is using the application, errors would occur.

If the software installation settings are applied through computer configuration, they are applied at startup. If software installation settings are applied through user configuration, they are applied at logon.

If the computer is running Windows XP with logon optimization enabled, the user will need to log on after Group Policy refresh. This can entail logging on two or three times. For more information see "Asynchronous Processing and Logon Optimization in Windows XP" earlier in this paper.

Access to share points

Test for mistyped elements in the path specification by manually following the path. Verify that the user account or system account has the necessary privileges to traverse the path and access those resources. The account whose OU supplied the GPO is the one that needs to traverse the path.

Computer versus User settings, and OU memberships

If the user has a roaming user profile and the user uninstalled the application on another computer using Add or Remove Programs, the application will be unavailable to that user on every computer (with the possible exception of computers where loopback processing rules apply). For more information about roaming user profiles, see "Using roaming user profiles" in Help and Support Center for Windows Server 2003.

If the application was deployed with the Uninstall this application when it falls out of the scope of management option, verify that the computer and user are still in the necessary security groups and that the GPO is still linked to a site, domain, or OU that the user or computer is in.

Installation package

Windows Installer packages are the preferred packaging for software installation using Group Policy. ZAP files can be used but they do not support elevated installation privileges (the user must be an administrator or power user in order to install the software). Software installed with ZAP files cannot be repaired or removed by Group Policy after it is installed.

If problems occur when a Windows Installer package is used, the problem could be with the package itself. For example, the package might be corrupted. For more information, see "Windows Installer" in Help and Support Center for Windows Server 2003. See also the Windows Installer topic "Managing options for computers through Group Policy" in Help and Support Center for Windows Server 2003.

Add or Remove Programs

For the software to appear in the Add New Programs section of Add or Remove Programs, it must be Published (not Assigned) in Group Policy. The Windows Installer package must be written such that the software can appear in Add or Remove Programs.

Install on demand

Check the order of file name extensions specified for the GPO and ensure that the file name extension is associated with the application, as follows:

Edit the GPO.
Find the Software Settings node; there is one under Computer Configuration and another under User Configuration.
Right-click Software Settings and select Properties. Then click the File Extensions tab.

Check the client computer for applications that have been installed locally. If there is a conflict, the locally installed application is used instead of the deployed application.

Terminal Services

User configuration settings for Software Installation cannot be applied to a terminal server. Use Terminal Services Manager to determine whether the computer is a terminal server. If the application should be available on the terminal server, you must install it as an administrator at that computer. The administrator can install the application from Add or Remove Programs if it has been Published using a Computer Configuration setting.

Folder Redirection CSE

Folder Redirection is used to maintain user data in a centralized location. This permits regular backups of the information, and also provides the user with access to the data from any computer in the network. The following folders can be redirected:

My Documents
Application Data
Desktop
Start Menu

The Folder Redirection CSE manages Folder Redirection. When events from this CSE are listed on the Policy Events tab in Group Policy Results reports, the source is listed as Folder Redirection.

Troubleshooting

In order to use the folder, the file system and share permissions must be set such that the user can navigate the path to the folder, and if the folder exists the user must have ownership privileges on it. (The user is given ownership of the folder by default if you allow the folder to be created automatically.) This is a common cause of confusion with folder redirection.

When using Folder Redirection Policies, it is best to allow the system to create and set permissions on the folder. This reduces the likelihood of error due to incorrect security settings. For more information, see User Data and Settings Management (http://go.microsoft.com/fwlink/?LinkId=15288).

If you need to set permissions manually, ensure that the user has the appropriate minimum file system and share permissions. The permissions needed are shown in the tables below:

NTFS Permissions for Folder Redirection Root Folder

User Account | Minimum permissions required
Creator/Owner | Full Control, Subfolders And Files Only
Administrator | None
Security group of users needing to put data on share. | List Folder/Read Data, Create Folders/Append Data - This Folder Only
Everyone | No Permissions
Local System | Full Control, This Folder, Subfolders And Files

Share-Level (SMB) Permissions for Folder Redirection Share

User Account | Default Permissions | Minimum permissions required
Everyone | Full Control | No Permissions
Security group of users needing to put data on share. | N/A | Full Control

NTFS Permissions for Each User's Redirected Folder

User Account | Default Permissions | Minimum permissions required
%Username% | Full Control, Owner Of Folder | Full Control, Owner Of Folder
Local System | Full Control | Full Control
Administrators | No Permissions | No Permissions
Everyone | No Permissions | No Permissions

Folder Redirection, like Software Installation settings, can only be applied during computer startup or user logon. On computers running Windows XP with logon optimization enabled, this can mean that the user needs to log on more than once before the setting takes effect. For more information see "Asynchronous Processing and Logon Optimization in Windows XP" in this paper.

If the path to the folder does not exist (for example if the path specification is mistyped in the policy setting, if folders in the path have been renamed or removed, or if the server is unavailable), Folder Redirection will fail.

Ensure that the correct Fdeploy.ini file is available on the domain controller that the client is accessing.
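The root-folder NTFS table above, applied and then audited, as an added example that is not part of the white paper. The function names, the path and the group name are placeholders; well-known SIDs are used so the check does not depend on localized account names.

```powershell
# Added example (not from the white paper). Path and group below are placeholders.
$SidEveryone     = 'S-1-1-0'
$SidCreatorOwner = 'S-1-3-0'
$SidLocalSystem  = 'S-1-5-18'

function Set-RedirectionRootAcl {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$UserGroup)

    # Grant first, strip inheritance last, so the caller keeps access while editing.
    icacls $Path /grant "*${SidCreatorOwner}:(OI)(CI)(IO)F" | Out-Null  # subfolders and files only
    icacls $Path /grant "*${SidLocalSystem}:(OI)(CI)F"      | Out-Null  # this folder, subfolders, files
    icacls $Path /grant "${UserGroup}:(RD,AD)"              | Out-Null  # this folder only
    icacls $Path /remove:g "*${SidEveryone}"                | Out-Null  # Everyone: No Permissions
    icacls $Path /inheritance:r                             | Out-Null  # drop inherited entries
}

function Test-RedirectionRootAcl {
    # Returns a list of findings; an empty result means the root matches the table.
    # Run it as an account that can still read the ACL (the owner or Local System).
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$UserGroup)

    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $groupSid = ([System.Security.Principal.NTAccount]$UserGroup).Translate($sidType).Value
    # Most the table allows the user group on the root (icacls also adds Synchronize).
    $groupMax = [int][System.Security.AccessControl.FileSystemRights]'ReadData, AppendData, Synchronize'
    $seen     = @{}
    $findings = @()

    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Value
        $seen[$sid] = $true

        if ($sid -eq $SidEveryone) {
            $findings += 'Everyone has an Allow entry; the table requires No Permissions.'
        }
        if ($sid -eq $groupSid) {
            if (([int]$ace.FileSystemRights -band (-bnot $groupMax)) -ne 0) {
                $findings += "User group exceeds Read Data + Append Data: $($ace.FileSystemRights)"
            }
            if ($ace.InheritanceFlags -ne 'None') {
                $findings += 'User group entry flows to children; it should apply to this folder only.'
            }
        }
    }
    foreach ($required in $SidCreatorOwner, $SidLocalSystem, $groupSid) {
        if (-not $seen.ContainsKey($required)) { $findings += "Missing Allow entry for $required" }
    }
    $findings
}

# Placeholder values; replace with the real share root and security group.
# Set-RedirectionRootAcl  -Path 'D:\Redirected' -UserGroup 'EXAMPLE\Redirected Users'
# Test-RedirectionRootAcl -Path 'D:\Redirected' -UserGroup 'EXAMPLE\Redirected Users'
```

An Everyone entry or an inheritable group entry on the root is the finding to act on first, because either one lets users reach folders that belong to other users.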

Troubleshooting Group Policy Administration

The primary focus of this white paper is on problems with the application of Group Policy at the client. However there are a few issues of which you should be aware when performing or delegating Group Policy administration.

Domain Controller Selection in the Group Policy Object Editor and GPMC

Each domain controller has a copy of every GPO in the domain. The default and best practice is to edit GPOs on the primary domain controller (the PDC Emulator), and allow the changes to replicate to other domain controllers. If that is not practical due to bandwidth or other issues, administrators can change the domain controller focus for the instances of GPMC that they are using.

Troubleshooting

If administrators in your organization edit GPOs on different domain controllers, set up processes to avoid this sort of conflict. For example, you might delegate editing permissions on individual GPOs to specific users, or to a group that focuses on the same domain controller.

Security

In order to administer Group Policy, you must have the necessary privileges to use GPMC and the Group Policy Object Editor. You also need privileges to create GPOs or to manage links from a specific site, domain, or OU to GPOs. Control of existing GPOs can be delegated to specific users or groups, so it is possible for an administrator to be able to use GPMC to view GPOs, but not be able to modify, delete, or link them.

Troubleshooting

Use Active Directory Users and Computers to verify that the account you are using is a member of a group that has these privileges. (Check the group memberships for the user account, and also verify that the privileges for the group have not been changed.) Avoid adding the privileges to an individual user account. If necessary create a new group with a name that clearly indicates its purpose.

Changes to security groups' memberships or privileges, or to the permissions on Group Policy objects or actions, need to be replicated to domain controllers throughout the system. Until this replication is completed the changes might be applied unevenly. In rare cases you might want to force replication.

To see or change the access control lists that affect management of a GPO, open the GPO in GPMC and look at the Delegation tab. The GPO can only be applied by members of groups that have Read permissions. To change the security filters, click Advanced.

Exposing Preferences in Administrative Templates

Administrative Templates can contain both true policies and preferences, but by default the Group Policy Object Editor exposes only true policies. To expose preferences, highlight the Administrative Templates node for which you want to see preferences. On the View menu, click Filtering, and then clear the Only show policy settings that can be fully managed check box.

Troubleshooting Tools

GPMC is the preferred tool for administering Group Policy and is also an excellent tool for troubleshooting Group Policy. Several other tools are available from the Windows Server 2003 CD, from the Windows 2000 Server Resource Kit, or as free downloads from www.microsoft.com.

GPMC as a Troubleshooting Tool

You can get a lot of well-organized information about how Group Policy has been applied on a specific client by generating a Group Policy Results report for the client, as discussed in the following section. You can also test proposed changes to Group Policy by generating a Group Policy Modeling report.

GPMC includes several other features that will help you troubleshoot Group Policy:

The GPMC user interface clarifies the relationship between GPOs, the Active Directory objects that link to them, and the sites and domains where they reside. You can easily see which links are enabled.
You can automate many tasks using scripting, including tasks such as reporting that support troubleshooting.
You can view GPO properties by clicking on the GPO or on any link to the GPO and looking at the information on the various tabs.

In addition, two types of reports can be generated for clients running Windows XP or Windows Server 2003:

Group Policy Modeling reports are used to predict the policies that will be applied at a specific client. A Windows Server 2003 domain controller is required to generate Group Policy Modeling reports.
Group Policy Results reports gather information directly from the client to show the policies in effect, and include key policy events that have been logged at that client.

Both of these reports include valuable troubleshooting information. For example, you can see a list of the GPOs applied, and also the denied GPOs with the reason for denial. You can see which settings are or would be applied, and the winning GPO that supplied the value for the setting.

Group Policy Results

GPMC leverages the RSoP functionality in Windows Server 2003 and Windows XP to provide reports on the way Group Policy is applied at individual clients. Because these reports rely on functionality that is new with Windows XP and Windows Server 2003, the clients for which you generate the reports must be running one of these operating systems.

To generate a Group Policy Results report:

Right-click Group Policy Results, at the bottom of the navigation pane, and select Group Policy Results Wizard.
In the wizard, specify the computer or computer/user combination you want to investigate.

The report that appears in the details pane provides information about Group Policy application on the client.

Summary Tab

On the Summary tab, the following sections appear under both Computer Configuration and User Configuration headings as shown in Table 2.

Table 2 Summary Tab of Group Policy Results Reports

Section on the Tab | Information
General | Computer name; the domain and site of which the computer is a member; the last time Group Policy from the computer's Active Directory hierarchy was applied; user name (if any); the domain and site of which the user is a member; the last time Group Policy from the user's Active Directory hierarchy was applied
Group Policy Objects Applied | List of GPOs that were applied.
Group Policy Objects Denied | List of GPOs that were denied, with the reason for the failure.
Security Group Membership when Group Policy was applied | Security group memberships in effect when group policies were evaluated.
WMI Filters | WMI filters that were applied, whether they evaluated as True or False, and what GPO called them.
Component Status | Success or failure, including errors, of core client Group Policy functionality and CSEs.

Settings Tab

On the Settings tab you will find a list of the actual settings applied. These are sorted by the source of the setting, for example Computer Configuration/Windows Settings or User Configuration/Administrative Templates. The report includes the winning GPO for each setting. With this information you can easily locate the GPO in the navigation pane.

The information exposed when you click the GPO depends on the privileges granted to your user account. If you have sufficient privileges, you can review or edit the settings and also get a list of the sites, domains, and OUs that link to that GPO.

Policy Events Tab

When you use GPMC to generate a report of the resulting set of policy on a client, events that were logged at that client and pertain to Group Policy are listed on the Policy Events tab. Sources for these events include the core Group Policy engine on the client (the UserEnv process) and the CSEs for Group Policy.

The display on the Policy Events tab is similar to the Event Viewer display. In fact, the events are what you would see if you looked at Event Viewer on the client and filtered for the sources that influence Group Policy. The sources are defined in Table 3.

Note To view the Group Policy events on computers running Windows XP SP1 or Windows Server 2003 you must be a local administrator on that computer. If you have the necessary privileges to generate a Group Policy Results report but you do not have the privileges to view Group Policy events on the client, the Policy tab will display the message "Unable to open event log: Access is Denied" instead of the list of events.

Table 3 Policy Events Tab of Group Policy Results Reports

Source Name in Policy Events Log | Full name of source | Functionality
UserEnv | User Environment (Group Policy core engine) | Locates and applies GPOs at startup, logon, or the configured Policy Refresh Interval.
SceCli | Security CSE | Reads all GPOs that reach the client and determines which policy settings are applied.
Application Management | Software Installation CSE | Processes Software Installation settings, including installation, upgrades, and removal.
Folder Redirection | Folder Redirection CSE | Processes Folder Redirection.
UserInit | Scripts CSE | Implements logon, logoff, startup, and shutdown scripts

To avoid flooding the client log file, some logging is blocked in certain situations. For example, if a computer is not connected to the network and a user logs on with cached credentials, the Component Status entries on the Summary tab of the Group Policy Results report show the failure to access and apply Group Policies. However, the list of associated failure events does not appear in the Application event log on the client or on the Policy Events tab.

Note By default, UserEnv logging is not verbose: only errors and warnings are reported, and these are all that appear on the Policy Events tab. For more information, see Appendix: Group Policy Log Files.

Group Policy Modeling

Before you implement a GPO, use Group Policy Modeling to validate the effect it will have. The Group Policy Modeling report has the information on the Summary and Settings tabs similar to what you would see for a Group Policy Results report. Group Policy Modeling reports do not collect policy events from the client. Instead of the Policy Events tab, there is a Query tab that lists the conditions that were applied when creating the model.

To generate a Group Policy Modeling report:

Right-click Group Policy Modeling, near the bottom of the navigation pane, and select Group Policy Modeling Wizard.
In the wizard, specify the computer or computer/user combination you want to investigate.

The report that appears in the details pane provides information about the anticipated Group Policy application on that client.

Viewing Active Directory Objects and GPOs

There are a few quick checks you can make in GPMC. For example, by looking at the icons in the navigation pane you can quickly see which links are disabled, which GPOs have some settings disabled, which GPOs have all settings disabled, and where in the hierarchy inheritance is blocked. For more information, see the guide to icons in GPMC Help.

Scripting Built-in to GPMC

You can use GPMC sample scripts to quickly perform a number of different troubleshooting tasks. If you can't find a sample script that fits your needs, you can easily modify a sample script, or create your own script. The following sample scripts will help you troubleshoot various issues:

List All GPOs in a Domain: ListAllGPOs.wsf
List Disabled GPOs: FindDisabledGPOs.wsf
List GPO Information: DumpGPOInfo.wsf
List GPOs at a Backup Location: QueryBackupLocation.wsf
List GPOs by Policy Extension: FindGPOsByPolicyExtension.wsf
List GPOs by Security Group: FindGPOsBySecurityGroup.wsf
List GPOs Orphaned in SYSVOL: FindOrphanGPOsInSYSVOL.wsf
List GPOs With Duplicate Names: FindDuplicateNamedGPOs.wsf
List GPOs Without Security Filtering: FindGPOsWithNoSecurityFiltering.wsf
List SOM Information: DumpSOMInfo.wsf
List SOMs With Links to GPOs in External Domains: FindSOMsWithExternalGPOLinks.wsf
List Unlinked GPOs in a Domain: FindUnlinkedGPOs.wsf
Print the SOM Policy Tree: ListSOMPolicyTree.wsf

For a complete list of available sample scripts, script documentation and a list of scripting interfaces exposed by GPMC, please see the Group Policy Management Console SDK located at %programfiles%\gpmc\scripts\gpmc.chm on any computer where GPMC has been installed. (The Group Policy Management Console SDK is only available in English.)

Other Group Policy Tools

In addition to the Group Policy-specific command-line tools listed here, a number of Active Directory support tools are listed in "Active Directory support tools" in Help and Support Center for Windows Server 2003.

GPResult.exe

There are two versions of GPresult.exe.

The Windows 2000 version shipped in the Windows 2000 Resource Kit, and is also available as a free download on the Windows 2000 downloads site (http://go.microsoft.com/fwlink/?LinkId=12920). It estimates the Group Policy settings that would be applied at a specific computer. For more information, see the readme file included with the download.

The Windows Server 2003 version is included with Windows Server 2003 operating systems. It gathers and reports the RSoP data available from computers running Windows XP or Windows Server 2003. The report is similar to what you would get by generating a Group Policy Results report in GPMC. For more information, see "Gpresult" in Help and Support Center for Windows Server 2003.

GPMonitor.exe

The Group Policy Monitor tool, gpmonitor.exe, collects information at every Group Policy refresh and sends that information to a centralized location that you specify. There are two parts to this tool: the gpmonitor service, which collects the data at the client and sends it to the central location, and a viewer that you can use to examine the data. Both portions are wrapped in a Windows Installer package. Gpmonitor is included in the Windows Server 2003 Deployment Kit. For more information, see the Gpmonitor Help.

GPOTool.exe

GPOTool.exe is a command-line tool to be used in replicated domains (domains that contain more than one domain controller). It traverses all of your domain controllers and checks each for consistency between the Group Policy container (information contained in the directory service) and the Group Policy template (information contained in the SYSVOL share on the domain controller). The tool also determines whether the policies are valid and consistent between all of your domain controllers and displays detailed information about the Group Policy objects (GPOs) that have been replicated between your domain controllers.

If you suspect you are having problems with replication of Group Policy information, this tool will help you diagnose and isolate where Group Policy is not being replicated properly. Additional features let you do the following:

Search for specific GPO information, based on the name or the globally unique identifiers (GUIDs) of that GPO.
Limit your checking to specific or preferred domain controllers.
Go to other domains, other than the domain you are currently working in, and verify that policies are replicating across these domains.

GPOTool can do any of the following:

Check Group Policy object consistency. The tool reads mandatory and optional directory services properties, version, friendly name, extension, GUIDs and SYSVOL data, compares directory services and SYSVOL version numbers, and performs other consistency checks. Functionality version must be 2 and user/computer version must be greater than 0 if the extensions property contains any GUID. The tool also checks the time stamps of GPOs in the SYSVOL folder.
Check Group Policy object replication. It reads the Group Policy object instances from each domain controller and compares them (selected Group Policy container properties and full recursive compare for the Group Policy template).
Display information about a particular Group Policy object. This includes properties that can't be accessed through the Group Policy snap-in such as functionality version and extension GUIDs.
Browse Group Policy objects. A command-line option can search policies based on friendly name or GUID. A partial match is also supported for both name and GUID.
Use preferred domain controllers. By default, all available domain controllers in the domain will be used; this can be overwritten with the supplied list of domain controllers from the command line.
Provide cross-domain support. A command-line option is available for checking policies in different domains.
Run in verbose mode. If all policies are fine, the tool displays a validation message; in case of errors, information about corrupted policies is printed. A command-line option can turn on verbose information about each policy being processed.

GPOTool.exe ships with the Microsoft Windows 2000 Server Resource Kit and is also available as a free download at Gpotool.exe: Group Policy Verification Tool (http://go.microsoft.com/fwlink/?LinkId=17911). For more information see the Windows 2000 Server Resource Kit.

Software Installation Diagnostics Tool (addiag.exe)

The Windows 2000 Server Resource Kit includes an advanced troubleshooting tool, Software Installation Diagnostics (addiag.exe), that you can use to gather additional diagnostic information when troubleshooting Software Installation policy issues. The binary executable for this tool is Addiag.exe. Running addiag.exe /? from a command prompt provides the usage syntax.

This tool displays detailed information about the applications visible in Active Directory and installed for the current user, as well as general diagnostic information and related Event Log entries.

Tools for Troubleshooting External Issues

Sonar.exe

Sonar is a command-line tool that allows administrators to monitor key statistics and status about members of a file replication service (FRS) replica set. Use Sonar to watch key statistics on a replica set in order to monitor traffic levels, backlogs, and free space. Sonar is available as a free download from Sonar.exe: FRS Status Viewer (http://go.microsoft.com/fwlink/?LinkId=16719).

Active Directory Support Tools

Help and Support Center in Windows Server 2003 provides a list of Active Directory support tools in the topic "Active Directory support tools". Use these tools to troubleshoot Active Directory issues.

Other Windows Server 2003 Command-Line Tools

Windows Server 2003 includes a number of command line tools including ping.exe, netdiag.exe, and dcdiag.exe. For a complete reference of the tools included with Windows Server 2003, see "Command-line Reference A-Z" in Help and Support Center for Windows Server 2003.

Appendix: Group Policy Log Files

If other tools do not provide the information you need to identify the problems affecting Group Policy application, you can enable verbose logging and examine the resulting log files. Verbose logging can reduce performance and consume significant disk space, so as a best practice enable verbose logging only when necessary.

Client Log Files

Log files can be generated by the core client engine (UserEnv) and by every CSE except the Scripts CSE. Scripts processing is logged in the Application log on the client with source = UserInit. Use Event Viewer to view the Application log on the client, or look for these entries on the Policy Events tab of the Group Policy Results report.

The Policy Events tab in Group Policy Results reports generated in GPMC displays the Group Policy-related events that you would see if you used Event Viewer to view these events in the Application log on the client for which you generated the report.

Table 4 lists several log files you can generate at the client that relate to Group Policy troubleshooting.

Table 4 Client Log Files for Troubleshooting Group Policy

Output from: | Is located in this file: | Enable verbose logging by adding this key or value… | …to this registry key
Group Policy core (UserEnv) and registry CSE | %windir%\debug\usermode\UserEnv.log | UserEnvDebugLevel = REG_DWORD 0x10002 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Security CSE | %windir%\security\logs\winlogon.log | ExtensionDebugLevel = REG_DWORD 0x2 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}\
Folder Redirection CSE | %windir%\debug\usermode\fdeploy.log | FdeployDebugLevel = Reg_DWORD 0x0f | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Software Installation CSE | %windir%\debug\usermode\appmgmt.log | Appmgmtdebuglevel=dword:0000009b | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Windows Installer (deployment-related actions) | %windir%\temp\MSI*.log | Logging=voicewarmup Debug=DWORD:00000003 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
Windows Installer (user-initiated actions) | %temp%\MSI*.log | Logging=voicewarmup Debug=DWORD:00000003 | HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Notes

The UserEnv logs entries pertaining to profiles as well as Group Policy core processing and registry (.adm) processing on the client. The entries pertaining to profiles are intermingled with the Group Policy entries and not easily distinguished from them.

Use Wilogutl.exe to analyze the Windows Installer log files. For more information see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/wilogutl_exe.asp (http://go.microsoft.com/fwlink/?LinkID=16156).
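Because verbose logging should be enabled only when necessary, the following added example (not part of the white paper) writes the Table 4 values, records what was there before, and puts it back afterwards. The component labels and function names are assumptions; the keys, value names and data come from Table 4.

```powershell
# Added example (not from the white paper); run from an elevated prompt.
# Component labels are this example's own; keys, names and data are from Table 4.
$diag = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$wl   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$msi  = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'

$GpVerboseLogSettings = @(
    [pscustomobject]@{ Component = 'UserEnv'; Key = $wl; Name = 'UserEnvDebugLevel'; Type = 'DWord'; Data = 0x10002 }
    [pscustomobject]@{ Component = 'Security'
                       Key  = "$wl\GpExtensions\{827d319e-6eac-11d2-a4ea-00c04f79f83a}"
                       Name = 'ExtensionDebugLevel'; Type = 'DWord'; Data = 0x2 }
    [pscustomobject]@{ Component = 'FolderRedirection';    Key = $diag; Name = 'FdeployDebugLevel'; Type = 'DWord'; Data = 0x0f }
    [pscustomobject]@{ Component = 'SoftwareInstallation'; Key = $diag; Name = 'Appmgmtdebuglevel'; Type = 'DWord'; Data = 0x9b }
    [pscustomobject]@{ Component = 'WindowsInstaller';     Key = $msi;  Name = 'Logging'; Type = 'String'; Data = 'voicewarmup' }
    [pscustomobject]@{ Component = 'WindowsInstaller';     Key = $msi;  Name = 'Debug';   Type = 'DWord';  Data = 3 }
)

function Enable-GpVerboseLog {
    # Writes the values for the chosen components and returns a snapshot of the
    # previous state, one object per value, for Restore-GpVerboseLog.
    param([Parameter(Mandatory)][string[]]$Component)

    foreach ($s in $GpVerboseLogSettings | Where-Object { $Component -contains $_.Component }) {
        # Create the key only when missing: New-Item -Force on an existing key would empty it.
        if (-not (Test-Path -LiteralPath $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        $previous = (Get-Item -LiteralPath $s.Key).GetValue($s.Name)   # $null when absent
        New-ItemProperty -LiteralPath $s.Key -Name $s.Name -PropertyType $s.Type -Value $s.Data -Force | Out-Null
        [pscustomobject]@{ Key = $s.Key; Name = $s.Name; Previous = $previous }
    }
}

function Restore-GpVerboseLog {
    # Removes values that did not exist before and restores values that did.
    param([Parameter(Mandatory, ValueFromPipeline)]$Snapshot)
    process {
        if ($null -eq $Snapshot.Previous) {
            Remove-ItemProperty -LiteralPath $Snapshot.Key -Name $Snapshot.Name -ErrorAction SilentlyContinue
        }
        else {
            Set-ItemProperty -LiteralPath $Snapshot.Key -Name $Snapshot.Name -Value $Snapshot.Previous
        }
    }
}

# Typical session:
#   $snapshot = Enable-GpVerboseLog -Component UserEnv, FolderRedirection
#   ... reproduce the problem, then collect the log files listed in Table 4 ...
#   $snapshot | Restore-GpVerboseLog
```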

Server Log Files

You can enable logging of events generated by the Group Policy Object Editor on the Server. There are two different log files, one for events relating to core Group Policy processing and the registry CSE, and another for events relating to all other CSEs.

Table 5 lists several log files you can generate at the server that relate to Group Policy troubleshooting.

Table 5 Server Log Files for Troubleshooting Group Policy

Output from: | Is located in this file: | Enable verbose logging by adding this keyword… | …to this registry key
GPMC: error logging only | %temp%\gpmgmt.log | gpmgmttracelevel=1 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
GPMC: error and verbose logging | %temp%\gpmgmt.log | gpmgmttracelevel=2 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
GPMC: Output only to log file (not to debugger) | %temp%\gpmgmt.log | gpmgmtlogfileonly=1 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
Group Policy Object Editor: Core-specific entries | %windir%\debug\usermode\gpedit.log | GPEditDebugLevel = REG_DWORD 0x10002 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Group Policy Object Editor: CSE-specific entries | %windir%\debug\usermode\gptext.log | GPTextDebugLevel = REG_DWORD 0x10002 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Appendix: Migrating from Windows NT 4.0

If the client computer is running Windows 2000 Professional, Windows XP Professional, or Windows Server 2003, and if the computer and user accounts both belong to Windows NT 4.0-based domains, that client will continue to receive system policy. If the domain is running Windows 2000 or Windows Server 2003, the client will only receive Group Policy. If the user account is in Active Directory and the system account is in Windows NT 4.0, then the computer gets system policy and the user gets Group Policy, and vice-versa.

If you are planning on using sites, keep in mind that if a site is determined by the IP subnet a computer is in, Group Policy will only be applied if the computer is running Windows 2000 or later and the computer is in a Windows 2000 or Windows Server 2003 domain that is using Active Directory.

Note The local GPO is processed regardless of the configuration.

For details about how Group Policy is applied with various configurations, see Table 6.

Table 6 Migrating from Windows NT 4.0: Group Policy Application

Backend | Account Object Location | What Affects the Client
Windows NT 4.0 | Computer: Windows NT 4.0 | At computer startup: Computer local Group Policy (only if changed). Every time the user logs on: Computer System Policy.
" | Computer refresh | Before Control-Alt-Delete: Computer local Group Policy only. After the user logs on: Computer local Group Policy and computer System Policy.
" | User: Windows NT 4.0 | When the user logs on: User System Policy. If local Group Policy changes: User local Group Policy and user System Policy.
" | User refresh | User local Group Policy and user System Policy.
Mixed (migration) | Computer: Windows NT 4.0 | At computer startup: Computer local Group Policy (only if changed). Every time the user logs on: Computer System Policy.
" | Computer refresh | Before Control-Alt-Delete: Computer local Group Policy only. After the user logs on: Computer local Group Policy and computer System Policy.
" | User: Windows 2000 or later | When the user logs on: Group Policy is processed after computer System Policy.
" | User refresh | User Group Policy.
Mixed (migration) | Computer: Windows 2000 or later | During system startup: Group Policy.
" | Computer refresh | Computer Group Policy
" | User: Windows NT 4.0 | When the user logs on: User System Policy. If local Group Policy changes: User local Group Policy and user System Policy.
" | User refresh | User local Group Policy and user System Policy.
Windows 2000 or later | Computer: Windows 2000 or later; User: Windows 2000 or later | During computer startup and when the user logs on: Group Policy.
Windows 2000 or later in a workgroup (without Active Directory) | Local | Local Group Policy only.

If your computer/user account is in a Windows 2000 domain that cannot be reached (for example, you are logging on with cached credentials), then no Group Policy, including the local GPO, will be processed.

Appendix: Group Policy and Roaming User Profiles

Roaming User Profiles (RUP) provide users the same desktop experience regardless of which computer in the domain they log on to. This is done by storing the profile information on a server and copying it to the local computer when the user is authenticated, unless the local copy of the profile for that user is more recent. The RUP includes Group Policy settings for user configuration in addition to any modifications the user makes to the user's own profile.

Troubleshooting

Roaming user profiles, like Software Installation settings, can only be applied during logon. On computers running Windows XP with logon optimization enabled, this can mean that the user needs to log on more than once before the setting takes effect. For more information see "Asynchronous Processing and Logon Optimization in Windows XP" earlier in this paper.

If the server is not available when the user logs on, both of the following occur:

The local cached copy of the user's profile is used. Or, if there is no local profile for this user, a new local user profile is created.
The profile on the server is not updated when the user logs on.

A new setting in Windows Server 2003, the Only allow local user profiles setting, can be used to prevent roaming user profiles from being applied at specific computers. You can check for this setting on the Settings tab of the Group Policy Results or Group Policy Modeling report.

Appendix: Resources

This section contains links to more information about Group Policy and related technologies.

Microsoft.com Group Policy Home Page (http://go.microsoft.com/fwlink/?LinkId=17530). Provides an entry point for Group Policy documentation on the Web. Includes links to documentation, knowledge base articles, support information, and newsgroups.

Windows Server 2003 Deployment Kit, Designing a Managed Environment Book (http://go.microsoft.com/fwlink/?linkid=15311). Describes the technologies in Windows 2003 associated with deployment of a managed environment. Has significant coverage of Group Policy and related IntelliMirror technologies. Includes planning, designing and implementation guidance.

Help and Support Center for Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=4299). Point-of-use information for administrators of networks based on Windows Server 2003.

"Group Policy Administration using the Group Policy Management Console" white paper (http://go.microsoft.com/fwlink/?LinkId=14320). Provides technical details of functionality in GPMC.

"Migrating GPOs Across Domains Using the Group Policy Management Console" white paper (http://go.microsoft.com/fwlink/?LinkID=14321). Explains how to move GPOs from one domain to another using GPMC.

"Windows Server 2003 Group Policy Infrastructure" white paper (http://go.microsoft.com/fwlink/?LinkID=14950). Describes a range of topics related to Group Policy at both the server and the client level. Includes detailed Group Policy processing as well as many best practices useful to the Group Policy administrator.

Group Policy Management Console Software Development Kit (SDK) (http://go.microsoft.com/fwlink/?LinkId=17912). Provides information about how to use the COM interfaces of Group Policy Management, which support scripting many of the operations supported by Group Policy Management Console.

"User Data and Settings Management" (http://go.microsoft.com/fwlink/?LinkId=15288) white paper

Windows 2000 Server Resource Kit (http://go.microsoft.com/fwlink/?LinkId=458). Delivers reference and tools for Windows Server 2003.

Feedback on this Paper

If you have any comments about this paper, contact mailto:gpdocs@microsoft.com.

Newsgroups About Group Policy

If you have a question about Group Policy, you can post to the newsgroup "microsoft.public.windows.group_policy."