View
221
Download
0
Category
Preview:
Citation preview
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 1/21
Module 11:
TroubleshootingGroup Policy Issues
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 2/21
Module Overview
• Introduction to Group Policy Troubleshooting
• Troubleshooting Group Policy Application
• Troubleshooting Group Policy Settings
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 3/21
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 4/21
Scenarios for Group Policy Troubleshooting
Common scenarios that require troubleshooting:
Policies are applied but settings are inconsistent
Polices not applied
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 5/21
Preparing to Troubleshoot Group Policy
Basic troubleshooting steps:
Perform basic checks to test network connectivity: usediagnostic tools such as netdiag or ping
Check Event Viewer entries
Ensure that DNS is functioning by using NSlookup
Check that the domain controller is functioning and reachable:use diagnostic tools such as dcdiag, the set command,or Kerbtray
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 6/21
Tools for Troubleshooting Group Policy
Group Policy troubleshooting tools:
• Group Policy reporting – RSOP
• GPResult
• Gpotool
• Gpupdate
• Dcgpofix
• GPOLogView
• Group Policy log files
• Group Policy Management Scripts
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 7/21
Demonstration: Using Group PolicyDiagnostic Tools
In this demonstration, the instructor will demonstrate theuse of:
•GPResult in regular and verbose mode
•GPOTool
•Gpupdate
•GPLogView
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 8/21
Lesson 2: Troubleshooting GroupPolicy Application
• Troubleshooting Group Policy Inheritance: Block, enforce,Disable, Security, WMI filter(allow/deny)
• Troubleshooting Group Policy Filtering
• Troubleshooting Group Policy Replication: FRS(sysvol), Repadmin
• Troubleshooting Group Policy Refresh
• Discussion: Troubleshooting Group Policy Configuration
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 9/21
Troubleshooting Group Policy Inheritance
Sales
Production
Domain
No GPOsettings apply
No GPOsettings apply
GPOs
Blocked inheritance preventshigh-level policies from applyingto entire OU subtrees
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 10/21
Troubleshooting Group Policy Filtering
Sales
Production
Domain
Mengph
Kimyo
GroupApplyGroupPolicy
ApplyGroupPolicyDeny
Read andApplyGroupPolicy
Read andApplyGroupPolicyAllow
GPO
WMI
filter
Group Policy filteringmay affect only
certain users orcomputers in OUs
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 11/21
GPTGPT
GPCGPC
Troubleshooting Group Policy Replication
• Group Policy objects consist of Group Policy templates
and Group Policy containers
• GUID Partition Table (GPT) and GPOs replicate usingdifferent mechanisms
• Replication issues can cause domain controllers tohave inconsistent versions of Group Policy
• The GPOTool can check for policy consistencyacross all domain controllers
DC1 DC2GPO1
Version 3
GPO1
Version 2
AD DS Replication
File Replication ServiceGPTGPT
GPCGPC
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 12/21
Troubleshooting Group Policy Refresh
If the Group Policy is not refreshing as expected:
Check refresh intervals for users and computers
Verify that the user has logged off and on, or that thecomputer has been restarted
Check if there are cached credentials, because they maydelay the effect of Group Policy: logon/off twice to refresh
Check to see if the Loopback policy is enabled: computer setting predominate
Use gpupdate to:
• Manually refresh updated Group Policy settings• Force refresh of all Group Policy settings
• Force a reboot or logoff, if required, to refreshthe settings
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 13/21
Discussion: Troubleshooting GroupPolicy Configuration
In this discussion, you will create a flow chart fortroubleshooting Group Policy
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 14/21
Lesson 3: Troubleshooting Group Policy Settings
• How Client Side Extension Processing Works
• Troubleshooting Administrative Template Policy Settings
• Troubleshooting Security Policy Settings
• Troubleshooting Script Policy Settings
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 15/21
How Client Side Extension(CSE) Processing Works
• Client side extensions are DLLs that process group
policy settings (not blocked by software restrictions)
• Some CSEs do not process if a slow link is detected
• Some CSEs are always applied and cannot be turned off
List of client side extensions:
• Security settings
• Administrative Templates
• Software installation• Scripts
• Folder redirection
• Internet Explorer maintenance
T bl h ti Ad i i t ti T l t
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 16/21
Troubleshooting Administrative TemplatePolicy Settings
When troubleshooting Administrative Templates,
consider that: Administrative Templates are either true polices(user cannot edit)
or preferences(user can edit)
Settings that are preferences will tattoo the registryand remain in effect until they are specifically reversed
Settings that are true policies are reversed when thepolicy no longer applies
The operating system and service pack level determineif the computer can accept a policy setting
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 17/21
Troubleshooting Security Policy Settings
When troubleshooting security policy settings,consider that:
Account policies are passed to clients from the domain controller
Security settings come from the GPO that have the highest priority
The domain controller receives account policies from a domainlevel policy
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 18/21
Troubleshooting Script Policy Settings: .vvs insidesysvol : replicate by FRS
consider the following: start-up>logon>logoff>shut down
Validate the script
Ensure that Group Policy is configured correctly
Ensure that users and computer have access to the script
Ensure that the script is replicating properly
Use the Group Policy tools to ensure that Group Policyis applied correctly
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 19/21
Lab: Troubleshooting Group Policy Issues
• Exercise 1: Troubleshooting Group Policy Scripts
• Exercise 2: Troubleshooting GPO Lab-11B
• Exercise 3: Troubleshooting GPO Lab-11C
• Exercise 4: Troubleshooting GPO Lab-11D
Logon information
Virtual machine NYC-DC1, NYC-CL1
User name Administrator
Password Pa$$w0rd
Estimated time: 60 minutes
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 20/21
Lab Review
• If a policy at the domain level is set for enforcement whileanother policy at the OU level with a conflicting setting
also is set to be enforced, which policy setting will the OUclients receive?
• If you use group policy to configure the slow-link detectionthreshold to be zero, what does that indicate?
8/14/2019 6425A_11 Trouble Shooting GPO
http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 21/21
Module Review and Takeaways
• Considerations
• Tools
• Review questions
Recommended