Troubleshooting Group Policy
Through Group Policy, you can apply a wide variety and number of user configuration settings and computer configuration settings to users and computers in Active Directory. If your Active Directory environment includes a hierarchy with many different organizational unit (OU) levels, with group policies applied at these different levels within the hierarchy, you can expect to spend time troubleshooting Group Policy behavior and Group Policy settings. There will be situations in which Group Policy settings produce an unexpected result.

Group Policy settings are contained in Group Policy Objects (GPOs), which are in turn linked to sites, domains, or OUs in Active Directory. The GPOs linked to sites, domains, and OUs are then applied to the user objects and computer objects located within these containers. GPOs are processed synchronously: the processing of one GPO must complete before the next GPO is processed. Depending on how the GPOs are configured and linked, the GPO processing time at computer startup or user logon can become quite substantial. This typically occurs in large environments where Group Policy settings have to be conveyed across the network and over slow WAN links. Group Policy also stops processing certain policies when it detects a slow link.

While you need to be familiar with troubleshooting issues specific to Group Policy settings, you will at times also need to troubleshoot network connectivity issues and examine the underlying operating system on which Group Policy depends. These elements can also affect the behavior of a GPO. Remember that Group Policy interrelates with other system components as well.
The common Group Policy issues that need to be resolved are listed below:
- GPOs are not being processed at the site level, domain level, or OU level.
- GPOs are not being applied to users and computers because they cannot be accessed by the appropriate user objects or computer objects.
- GPOs are being applied to the incorrect users and computers.
- When Group Policy settings are being applied, computer startup and user logon times are unacceptably long due to the GPO processing time.
- There may be occurrences when GPO inheritance produces the incorrect results. The Block Policy Inheritance option and No Override option could be configured incorrectly.
- Folder redirection is not occurring as it should be.
- System folders are being redirected to the incorrect locations.
- The incorrect configuration of the Offline Files feature could result in files and folders not being available when the network connection is lost, and files not being synchronized.
- When Group Policy is used to deploy software, users may have the incorrect NTFS and share permissions to access the network share where the installation packages are being stored. This results in the user not being able to install any published or assigned applications.
- Applications that were published in Active Directory do not appear in Add/Remove Programs in Control Panel.
- Applications which were assigned to a computer are not being installed.
Just by looking at the common Group Policy issues which could occur, you can see that Administrators have to be familiar with Group Policy troubleshooting techniques. Windows Server 2003 includes a number of tools and utilities which you can use to troubleshoot GPO behavior, software deployment, and security policies.
The tools and utilities which you can use to assist in troubleshooting Group Policy are listed below:
- Resultant Set Of Policy (RSOP) Wizard
- Gpresult.exe
- Gpupdate.exe
- WinPolicies
- GPOTool
- Event Viewer
- Log Files
Troubleshooting Group Policy Infrastructure
As mentioned previously, the underlying operating system and network connectivity can influence whether Group Policy settings are applied to users and computers. The system components within the underlying operating system that you should examine when Group Policy fails are listed below:
- The DNS service should be running, and configured correctly on the domain controller(s) within your Active Directory environment. If DNS is not running and configured correctly, your Active Directory clients would be unable to find domain controllers, and ultimately access any GPOs.
- DNS also plays a role in the folder redirection feature of Group Policy. A client needs DNS to locate the network location of redirected system folders.
- For a user or computer to fall within the scope of a GPO, the user has to be a member of the site, domain, or OU that the particular GPO is linked to.
- To access Group Policy templates, clients require access to the SYSVOL share located on the domain controllers. Ensure that clients have the correct permission to access the SYSVOL share. Problems with replication could also result in clients experiencing problems in accessing Group Policy templates.
- Ensure that Active Directory replication and file system replication are occurring as they should.
The tools that you can use to assist in troubleshooting the underlying operating system components which Group Policy depends on are:
- Replmon can be used to verify Active Directory and file system replication.
- Group Policy Management Console (GPMC) can assist in troubleshooting the GPO behaviour. You can use the GPMC to determine which GPOs are enabled and being processed, and the manner in which GPOs are linked to sites, domains, and OUs.
Because the processing of GPOs relies on network connectivity between the client workstation and the domain controller(s) that are members of the sites or domains within Active Directory, a loss of network connectivity can result in no Group Policy settings being processed. A few issues that should be addressed when you are experiencing network connectivity problems are listed below:
- Verify that the TCP/IP protocol is installed and running within your environment. For GPOs to be processed, the TCP/IP protocol must be running.
- GPOs are also dependent on the Internet Control Message Protocol (ICMP) for the detection of slow network links. The firewall configuration within your environment would determine whether ICMP packets should be enabled between the domain controllers and network clients.
- Verify that the time and date on the network client is in sync with the time and date of the domain controllers and the remainder of the network clients. The Windows Time Service is normally used to ensure that the time and date of clients and domain controllers are synchronized. If a client's clock is not synchronized, authentication problems would occur; and the client may not be able to access any GPOs.
You can use the tools listed below to verify network connectivity between network clients and Active Directory domain controllers:
- Netstat utility
- Ping utility
Using Resultant Set of Policy (RSOP) to Troubleshoot Group Policy
The Resultant Set Of Policy Wizard and the Gpresult command-line utility can be used to create RSoP queries that determine the RSoP for any users and computers defined in the RSoP query. The Resultant Set Of Policy feature is new in Windows Server 2003, and can greatly reduce the amount of time spent on troubleshooting GPOs. Through RSoP, you can query the existing policies which you have linked to a site, domain, or OU, and which are applied to users and computers.
RSoP can generate information on the following Group Policy settings:
- Administrative Templates
- Folder Redirection
- Security Settings
- Software Installation
- Scripts
- Internet Explorer Maintenance
Because numerous GPOs are typically applied in Active Directory, you can use the RSoP feature to determine which policies are applied to the user or computer which you are troubleshooting. RSoP also indicates which Group Policy settings have precedence. RSoP can assist in determining whether security templates have been applied correctly. It also points out instances when any settings are overwritten because of conflicting policy settings.
The four types of information which you can view in the RSoP console are:
- Individual Group Policy settings
- The list of GPOs associated with the RSoP query
- The scope of management associated with the RSoP query
- GPO revision information
RSoP has two modes:
- Logging mode: You would use RSoP logging mode to determine which existing policy settings have been applied to a user or computer. Logging mode generates information on your existing Group Policy settings. Logging mode should be used for the purposes listed below:
  - Determine how policy settings are being affected by security groups and local policy.
  - Discover failed Group Policy settings and overwritten Group Policy settings.
- Planning mode: You would use RSoP planning mode to simulate the effects of new Group Policy settings before implementing the GPOs in your production environment. Planning mode should be used for the purposes listed below:
  - To test policy precedence.
  - To simulate GPO processing over a slow network link.
  - To simulate loopback processing.
How to create and run an RSoP query to troubleshoot existing policy settings for a specified user and computer:
- Click Start, Run, and enter mmc in the Run dialog box. Click OK.
- Click Add/Remove Snap-in on the File menu.
- Click the Standalone tab, and then click Add.
- Select Resultant Set of Policy, and click Add. Click Close.
- Click OK.
- In the MMC, right-click Resultant Set of Policy and select Generate RSoP Data on the shortcut menu.
- Click Next on the initial page of the Resultant Set Of Policy Wizard.
- Select Logging mode on the Mode Selection page. Click Next.
- When the Computer Selection page opens, select to either run the RSoP query on This Computer, or Another Computer.
- You can also select the Do not display policy settings for the selected computer in the results (display user policy settings only) checkbox. Click Next.
- When the User Selection page opens, you can select that the query use the Current User, or you can choose the Select A Specific User option.
- You can also select the Do not display policy settings for the selected user in the results (display computer policy settings only) checkbox. Click Next.
- Verify the parameters that you set for the RSoP query on the Summary Of Selections page. Click Next.
- Click Finish on the Completing The Resultant Set Of Policy Data Wizard page.
- The RSoP console would display the data which resulted from running the RSoP query.
Using Gpresult.exe to Troubleshoot Group Policy
You can use the Gpresult.exe command-line utility available in Windows Server 2003 to create RSoP queries which can collect and report RSoP data or information on users and computers. Gpresult.exe can be used to gather the information listed below which could be useful when you have to troubleshoot Group Policy.
- Information on the OS, computer and user.
- Group Policy information, including:
  - When Group Policy was last applied
  - The domain controller which applied Group Policy
  - Information on all GPOs that are applied, and details for these
  - Information on the Registry settings that are applied, and details for these
  - Scripts
  - Software management information and details on published and assigned applications
  - Disk quota information
  - Internet Protocol (IP) security settings
  - Redirected folder information, and details on these
The syntax of the Gpresult command and its parameters are listed below:
gpresult [/s computer [/u domain\user /p password]] [/user username] [/scope {user|computer}] [/v] [/z]
- /s computer: specifies the name or IP address of a remote computer. The local computer is used by default.
- /u domain\user: specifies the user account under which the command runs. The permissions of the currently logged-on user are used by default.
- /p password: the password of the user account specified with /u.
- /user username: the user name for which RSoP information should be displayed.
- /scope {user|computer}: specifies whether user settings or computer settings are displayed. Both are displayed by default.
- /v: displays verbose policy information.
- /z: displays all available policy information.
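When Gpresult is run for a user or computer that is not receiving a GPO, the summary it prints separates the GPOs that were applied from those that were filtered out, and gives a reason for each filtered GPO. The following Python script is an added example, not code from the original article: it parses that summary and pulls out the applied GPOs, the filtered GPOs with their reasons, and the domain controller that applied policy, so that the security-filtered ones can be checked for the Read and Apply Group Policy permissions first. The embedded sample output is constructed to follow the layout Gpresult prints (the section headings "Applied Group Policy Objects", "The following GPOs were not applied because they were filtered out" and the "Filtering:" lines are Gpresult's); the GPO names, host names and helper functions are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of a Gpresult summary (not captured from a real host).
SAMPLE_GPRESULT = """\
COMPUTER SETTINGS
------------------
    CN=WS01,OU=Workstations,DC=example,DC=com
    Last time Group Policy was applied: 1/2/2023 at 10:00:00 AM
    Group Policy was applied from:      DC01.example.com

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Security

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Legacy Lockdown
            Filtering:  Not Applied (Empty)

        Finance Apps
            Filtering:  Denied (Security)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Domain Computers
"""


def parse_gpresult(text: str) -> Dict[str, object]:
    """Extract the applied GPOs, the filtered-out GPOs with their reason, and the
    domain controller / time stamp lines from a Gpresult summary."""
    result = {"applied": [], "filtered": {}, "applied_from": None, "last_applied": None}
    section = None   # which list we are currently inside
    pending = None   # GPO name waiting for its "Filtering:" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:   # skip blank lines and underline rules
            continue
        if line.startswith("Last time Group Policy was applied:"):
            result["last_applied"] = line.split(":", 1)[1].strip()
        elif line.startswith("Group Policy was applied from:"):
            result["applied_from"] = line.split(":", 1)[1].strip()
        elif line == "Applied Group Policy Objects":
            section = "applied"
        elif line.startswith("The following GPOs were not applied"):
            section = "filtered"
        elif line.startswith(("The computer is a part of", "The user is a part of")):
            section = None
        elif section == "applied":
            result["applied"].append(line)
        elif section == "filtered":
            m = re.match(r"Filtering:\s*(.+)", line)
            if m and pending:
                result["filtered"][pending] = m.group(1).strip()
                pending = None
            else:
                pending = line
    return result


def security_denied(parsed: Dict[str, object]) -> List[str]:
    """GPOs filtered out because the computer or user lacks Read or Apply Group
    Policy permission on the GPO: the first thing to check when a GPO is missing."""
    return [name for name, why in parsed["filtered"].items() if why.startswith("Denied")]


if __name__ == "__main__":
    parsed = parse_gpresult(SAMPLE_GPRESULT)
    print("applied from:", parsed["applied_from"], "at", parsed["last_applied"])
    print("applied:     ", parsed["applied"])
    for name, why in parsed["filtered"].items():
        print(f"not applied:  {name} ({why})")
    print("check GPO permissions on:", security_denied(parsed))
```

Run against real output, the script distinguishes a GPO that is simply empty from one the client was denied access to, which points the troubleshooting at the GPO's security filtering rather than at its link or its settings.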
Using Gpupdate.exe to Troubleshoot Group Policy
You can use the Gpupdate.exe command-line utility to perform the following tasks:
- To refresh GPOs immediately if they are not being processed correctly.
- To refresh a GPO immediately after you have made a change to its Group Policy settings.
The Gpupdate.exe command-line utility is new in Windows Server 2003. It replaces the secedit /refreshpolicy command which was used in Windows 2000.
The syntax of the Gpupdate command and its parameters are listed below:
Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]
- /Target:{Computer | User}: specifies that only the computer policy settings or only the user policy settings are refreshed. Both types of policy settings are refreshed by default.
- /Force: reapplies all policy settings. By default, only the policy settings that have changed since the last Group Policy refresh are reapplied.
- /Wait:<value>: specifies the number of seconds to wait for policy processing to finish. The default value is 600 seconds. A value of 0 tells Gpupdate not to wait, while a value of 1 tells Gpupdate to wait indefinitely.
- /Logoff: logs the user off after the Group Policy settings are refreshed.
- /Boot: restarts the computer after the Group Policy settings are refreshed.
- /Sync: causes the next policy application to occur synchronously at computer startup or user logon.
Using the Group Policy Management Console (GPMC) to Troubleshoot Group Policy
The Group Policy Management Console (GPMC) incorporates numerous Group Policy operations into one management console, and therefore enables you to manage Group Policy settings within your environment from one location. The GPMC can be used to examine all sites, domains, OUs and GPOs within your enterprise. The GPMC consists of an MMC, a set of automated scripts which can be run from the command line, and a set of batch files. The scripts included in the Group Policy Management Console (GPMC) can be used to list and view the following GPO information:
- Information on a specific GPO
- All the GPOs in a domain
- All disabled GPOs
- Unlinked GPOs in a domain
- GPOs by policy extension
- GPOs by security group
- GPOs with duplicate names
- GPOs with no security filtering
- Scope of management information
Because of the information which you can view using the GPMC, it can be of assistance when you need to troubleshoot GPO behaviour. It allows you to examine the settings of a specific GPO, and can also be used to determine how your GPOs are linked to sites, domains, and OUs. To access the GPMC, click Start, Administrative Tasks, and then click Group Policy Management. The Group Policy Results report collects information on a computer and user to list the policy settings which are in effect. To create a Group Policy Results report, right-click Group Policy Results, and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides you through various pages to set parameters for the information that should be displayed in the Group Policy Results report.
Troubleshooting Policy Inheritance
To successfully troubleshoot policy inheritance issues, you need to thoroughly understand how policy inheritance affects the application of Group Policy settings within GPOs. You also need to understand how enabling the Block Policy Inheritance option and the No Override option affects policy inheritance. Inheritance means that the Group Policy settings which affect user configuration and computer configuration are the resultant set of policies inherited from parent containers. Policies are passed down from a parent container to its child containers. When a policy setting for a parent OU is set to Enabled or Disabled, and the child OU does not have the same policy setting configured, the child OU inherits the policy setting of its parent OU. The exception is that a Group Policy setting defined for a child OU overrides the same setting inherited from its parent OU.
Group policy settings are processed in the order specified below:
- Local GPO: Because the local GPO is applied first, it means that policies defined at the local computer have the least priority.
- Site GPO: Site GPOs are GPOs which are linked to sites. The order in which the different site GPOs are applied is determined by the Administrator.
- Domain GPOs: Domain GPOs are applied next. GPOs linked to a domain have precedence over site GPOs and local GPOs.
- OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are applied before those of any other OU. GPOs linked to OUs closer to the user or computer are then applied. When the OU that contains the user or computer has a GPO linked to it, that GPO is applied last.
Block Policy Inheritance can be explicitly specified for a site, domain or OU; it is a property of the container and is not applied to any GPOs or GPO links. When enabled for a site, domain or OU, it prevents Group Policy settings from passing down from higher up in the tree to the particular site, domain or OU for which it is enabled. The only exception is that GPO links which have the No Override setting enabled are not blocked, but are applied. When the No Override setting is enabled for a GPO linked to a site, domain or OU, none of the Group Policy settings contained in that GPO are overridden by other GPOs. Because of the hierarchical manner in which GPOs are applied, when more than one GPO has the No Override setting enabled, the GPO highest in the tree has precedence.
A few techniques for troubleshooting Group Policy inheritance are listed below:
- GPOs can only be linked to sites, domains and OUs, and are then applied to users and computers.
- Remember that while child OUs by default inherit the Group Policy settings of their parent OUs, child domains do not inherit Group Policy settings from parent domains.
- A factor to consider when troubleshooting policy inheritance is that when both the Block Inheritance option and the No Override option are enabled, the No Override option has precedence.
- Remember that the Block Inheritance applies to the entire site, domain, or OU; and therefore can prevent Group Policy settings from being applied. If you have a situation where a particular GPO is not being applied, verify that the GPO is not being blocked.
- Verify that the user or computer belongs to a security group that has the Allow – Apply Group Policy permission on the GPO. Check whether the user or computer belongs to a security group that has the Allow – Read permission.
- The Enforce option results in a GPO being applied to each user or computer object in a site, domain, or OU. Bear in mind that when multiple GPOs are applied with the Enforce option enabled, the Group Policy setting which is enforced first has precedence.
- Because of the nature of certain Group Policy settings, they cannot be inherited at the OU level. A few examples of these Group Policy settings are password policies and account lockout policies. Password policies and account lockout policies are applied at the domain level in Active Directory.
- When resolving conflicting GPO issues, remember that a GPO contains multiple Group Policy settings. It is possible to have a situation when only one of the Group Policy settings within the GPO results in a conflict. In this case, the remainder of the Group Policy settings would be applied.
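To make the inheritance rules above concrete, the following Python model is an added example, not code from the original article. It walks the Local, Site, Domain, OU processing order, drops GPO links that are blocked by Block Policy Inheritance on a container below them, always applies links with No Override enabled, and when several links are enforced applies the one highest in the tree last so that it wins. It returns which GPO supplied each resultant setting and a log of why each GPO was applied or blocked, which is the question a troubleshooter usually has to answer. The scenario in demo() (container names, GPO names and setting names) is constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Settings = Dict[str, object]


@dataclass
class GpoLink:
    name: str
    settings: Settings          # only the settings the GPO configures; anything else is Not Configured
    enforced: bool = False      # No Override (Enforced in the GPMC) set on this link


@dataclass
class Container:
    """A site, domain or OU. links is in link-order precedence: the first link wins within the container."""
    name: str
    links: List[GpoLink] = field(default_factory=list)
    block_inheritance: bool = False


def resolve(local_gpo: Settings, chain: List[Container]):
    """chain runs from the site down to the OU holding the user or computer (Local, Site, Domain, OU).
    Returns (resultant settings, winning GPO per setting, per-GPO application log)."""
    normal: List[GpoLink] = []
    enforced: List[GpoLink] = []
    log: List[Tuple[str, str]] = []
    for level, container in enumerate(chain):
        # A link is blocked when any container *below* it in the chain (the target's own included)
        # has Block Policy Inheritance; links on the blocking container itself still apply.
        blocked_by = next((c.name for c in chain[level + 1:] if c.block_inheritance), None)
        for link in reversed(container.links):   # lowest link precedence applied first, highest last
            if link.enforced:
                enforced.append(link)
                log.append((link.name, f"applied (No Override at {container.name}, cannot be blocked)"))
            elif blocked_by:
                log.append((link.name, f"blocked by Block Policy Inheritance on {blocked_by}"))
            else:
                normal.append(link)
                log.append((link.name, f"applied from {container.name}"))
    # Later GPOs overwrite earlier ones: local GPO first, then site/domain/OU links in order, then
    # the enforced links with the one highest in the tree applied last so that it wins.
    order = [GpoLink("Local GPO", local_gpo)] + normal + list(reversed(enforced))
    resultant: Settings = {}
    winner: Dict[str, str] = {}
    for link in order:
        for key, value in link.settings.items():
            resultant[key] = value
            winner[key] = link.name
    return resultant, winner, log


def demo():
    """Constructed scenario: a computer in OU Finance under OU Workstations, which blocks inheritance."""
    local = {"wallpaper": "default.bmp"}
    chain = [
        Container("Site HQ", [GpoLink("Site Proxy", {"proxy_server": "proxy.hq.example"})]),
        Container("Domain example.com", [
            GpoLink("Security Baseline", {"screensaver_timeout": 300, "disable_cmd": True}, enforced=True),
            GpoLink("Default Domain Policy", {"screensaver_timeout": 600}),
        ]),
        Container("OU Workstations",
                  [GpoLink("Workstation Config", {"screensaver_timeout": 1200, "wallpaper": "corp.bmp"})],
                  block_inheritance=True),
        Container("OU Finance", [GpoLink("Finance Lockdown", {"disable_cmd": False}, enforced=True)]),
    ]
    return resolve(local, chain)


if __name__ == "__main__":
    resultant, winner, log = demo()
    for name, outcome in log:
        print(f"{name:22} {outcome}")
    for key in sorted(resultant):
        print(f"{key:20} = {resultant[key]!s:12} (from {winner[key]})")
```

In the scenario, the site and domain links without No Override are blocked by the OU, the domain's enforced Security Baseline still reaches the Finance computer and overrides both the Workstation Config screensaver value and the enforced Finance Lockdown setting for disable_cmd, because the enforced GPO highest in the tree has precedence.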
Techniques for Troubleshooting Software Deployed through Group Policy
A few common software deployment issues and the strategies that can be used to resolve these issues are discussed below:
- When published applications are not being displayed in Add/Remove Programs in Control Panel:
  - Verify that the user can access Active Directory.
  - Verify that the user can access the software distribution point (SDP) on the network share. You can use the Ping utility to test network connectivity.
  - Check that the user has the necessary permissions on the SDP.
  - Verify whether an option to not display the particular application in Add/Remove Programs in Control Panel is enabled.
  - Verify that all the configured application categories are being displayed in Add/Remove Programs.
  - Verify that the user is authenticated by the domain controller.
  - Verify that Active Directory replication has synchronized all domain controllers. Replication that has not completed can cause applications to not show up in Add/Remove Programs.
  - Configured filters or a modification in permissions could result in the application not being displayed in Add/Remove Programs in Control Panel.
  - Check whether Terminal Services is running on the user’s desktop. Deploying software through Group Policy is not supported for Terminal Services clients.
  - Run Gpresult for the user experiencing the problem to determine whether the GPO is being applied to the user.
- When software which has been assigned does not install:
  - If the software has been assigned to a computer, restart the computer. It is possible that the GPO was not applied because the computer was not restarted.
  - Use the Ping utility to verify that the computer can access Active Directory and the software distribution point.
  - Verify that you have copied the software to the SDP.
  - Verify that the user has the Read permission and the Execute permission on the SDP.
  - Verify that the users and computers have the Allow – Read permission and the Allow – Apply Group Policy permission on the GPO.
  - Examine the Group Policy Object link to determine whether any conflicting Group Policy settings are preventing the particular GPO from being applied.
- When software which has been assigned is removed:
  - Because software is managed by the GPO linked to the site, domain, or OU, check whether the computer has been moved to a different location.
  - Verify that the GPO which contains the application still applies to the user or computer.
  - If the Uninstall Applications When They Fall Out Of The Scope Of Management checkbox is enabled, the application is automatically uninstalled when the scope of management is modified. You can check whether this setting is enabled on the Advanced tab of the Software Installation Properties dialog box.
- When software has been removed and its shortcuts are still displayed on users' desktops:
  - The Windows Installer service does not remove any shortcuts which were created by users. These shortcuts have to be removed manually.
  - Verify that a new version of the application has not created these shortcuts, and then delete them.
Techniques for Troubleshooting Folder Redirection and Offline Files
A few folder redirection and Offline Files specific issues, and the strategies that can be used to resolve these issues are discussed below:
- When the system folders for which you enabled and configured folder redirection are not being redirected:
  - Verify that the client computer which you are troubleshooting is running Windows 2000 Professional or Windows XP Professional. The folder redirection feature is not supported for client computers running Windows NT 4, Windows 98 and Windows 95.
  - Check whether the user has the Full Control permission for the redirected folder. This permission is needed for the user to access the folder that contains the redirected data.
  - Check whether the server which contains the redirected folders can be accessed. If the server is offline and the Offline Files feature is not enabled, folders are not going to be redirected.
  - Use the Gpresult.exe command-line utility to determine whether the folder redirection Group Policy settings have been applied.
- When files which are available online are not available offline:
  - Check whether Offline Files is enabled on the client computer. If it is not enabled, enable it.
  - Check whether the Offline Files setting for the network share is set to Automatic. If not, configure this setting.
- When the redirected folders and their content are unavailable after folder redirection has occurred:
  - Check whether a network connectivity issue is the reason why the redirected folders and their content cannot be accessed. Use the Ping utility to test network connectivity to the server containing the redirected folders.
  - Verify that the application which the user is attempting to access supports folder redirection.
  - Verify that the user has the Full Control permission.
- When files are not being synchronized:
  - Verify that the client computer has sufficient disk space to synchronize files.
  - Check whether the files have extensions which can be synchronized. By default, files that have the .mdb, .ldb, .mdw, .mde and .db file extensions are not synchronized.
  - Verify that the user has sufficient rights (Read, Write) to the file(s) that should be synchronized.
  - Check whether network connectivity issues are preventing the user from connecting to the network share storing the files that should be synchronized.
- When a user is unable to specify files and folders to be available offline:
  - Verify that the Offline Files feature is enabled.
  - Verify that the files and folders exist on the network share.
  - Check whether an existing Group Policy setting which disables Offline Files is applied.