5 Troubleshooting and Backing Up GPOs

8/10/2019 5 Troubleshooting and Backing Up GPOs

1/51


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 1/51

5 Troubleshooting and Backing Up GPOs

Section Topics

Using Group Policy Troubleshooting Tools

Integration of RSoP Functionality

Using Logging Options

Backing Up, Restoring, Importing, and Copying GPOs

Building Migration Tables

Section Objectives

After completing this section, you will be able to:

Describe the Group Policy troubleshooting tools

Describe the GPMC tools that have RSoP functionality

Describe the GPO logging tools used to obtain more detail about the GPO processing issues

Explain how to back up, restore, import, and copy GPOs using the GPMC

Explain how to build migration tables

Section Overview

This section explains how to use the RSoP tools to determine whether policies are being

rocessed in the correct manner. It also explains how to use the available tools to troubleshoot


2/51



olicy issues; back up, restore, import, copy, and search for GPOs; and migrate GPOs from

one domain to another.

Using Group Policy Troubleshooting Tools

igure 104: Using Group Policy Troubleshooting Tools

inding out where an unwelcome Group Policy setting came from can be hard if you are not

aware of the tools that are available for the various versions of Windows. In Windows Server

2003, you will find some of the Group Policy troubleshooting tools on the Windows operating

system CD in the Support\Toolsfolder. The Windows 2003 Resource Kit has additional

ools for Group Policy troubleshooting. Many of the Group Policy troubleshooting tools are

ow built into the Windows Server 2008 and later operating systems.

Note: The gpotool.exe and replmon.exe tools are considered deprecated and are no

longer supported or enhanced by Microsoft. They are now replaced by other tools and

functionality in newer versions of Windows.

This topic describes some of the more common tools that you can use with Group Policy,

hich are listed in Figure 104. This topic also explains how you can use these tools toroubleshoot Group Policy.


3/51



Group Policy Results

igure 105: Group Policy Results

icrosoft supplies several command-line tools that you can use to troubleshoot Group Policy

deployment and the health of the existing GPOs. One of these tools is Gpresult (Group Policy

esults). The Gpresult tool is useful for analyzing many facets of Group Policy. It provides

SoP details as shown in Figure 105.

Gpresult Tool Options

igure 106: Gpresult Tool Options

igure 106 shows some of the Gpresult tool options. The complete list is shown in Figure 107.

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]


4/51



[/USER targetusername] [/R | /V | /Z] [(/X | /H) [/F]]

Description:

This command line tool displays the Resultant Set of Policy

(RSoP)

information for a target user and computer.

Parameter List:

/S system Specifies the remote system to connect

to.

/U [domain\]user Specifies the user context under which

the command

should execute.

Can not be used with /X, /H.

/P [password] Specifies the password for the

given user

context. Prompts for input if omitted.

Can not be used with /X, /H.

/SCOPE scope Specifies whether the user or the

computer

settings needs to be displayed.

Valid values: "USER","COMPUTER".

/USER [domain\]user Specifies the user name for which

the RSOP data

is to be displayed.

/X Saves the report in XML format at

the location

and with the file name specified


5/51


6/51



Examples:

GPRESULT /R

GPRESULT /H GPReport.html

GPRESULT /USER targetusername /V

GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z

GPRESULT /S system /U username /P password /SCOPE USER /V

igure 107: Gpresult Options: Complete List

Note

When you use the super-verbose option (/Z) in the Gpresults tool, the output will

overload the command prompt window. Use the redirect (>) option and direct the output to a

ile: C:\gpresult /Z > gpsettings.txt

Group Policy Update

igure 108: Group Policy Update


7/51



indows 2000 computer systems used the Secedit command-line tool to refresh Group Policy

settings without rebooting. For Windows XP and later versions, the command-line tool,

Gpupdate is used.

unning gpupdate without any switches will ask for a gpupdate of any policies whose

ersion numbers are not up to date. It will, therefore, only download the policies that have

changed.

Some policy changes do not update with this normal refresh. On other occasions, the version

umbering on the policies may become out of sync. In these situations, it may be necessary to

force a download of all the policies from scratch using the gpupdate /force command.

nfortunately, in a large environment where many policies are available, the gpupdate /force

command will download all of the policies that could apply to the user or computer.

Therefore, use the /force switch only when it is necessary.

sing the Gpupdate Tool

To use the Gpupdate tool, open a command prompt and type gpupdate.exe. You can use

arious switches to control the output of the Gpupdate tool.

The syntax for the Gpupdate.exe command is:

pupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot]

ollowing are the details for each of the switches:

By default, both user and computer policy settings are updated. Use the following switch to

specify that only the user or computer policy settings are immediately updated.

/target: Computer | User

By default, only the policy settings that have been changed are applied. Use the followingswitch to reapply all the policy settings:

/force


8/51



Use the following switch to set the number of seconds you have to wait for the processing

of the policy to finish:

/wait:value

Use the following switch to log off from the selected computer after the policy settings have

been updated:

/logoff

Some policy settings can be processed only at startup; for example, computer-based policy

settings usually require a reboot. Use the following switch to restart your computer after the

policy settings have been updated:

/boot

ote

The default update cycle for refreshing Group Policy is 90 minutes (with a

andom 30-minute offset) on domain members and 5 minutes on domain controllers.

GPMC Remote Update


9/51



igure 109: GPMC Remote Update

n Windows Server 2012 and Windows 8 Client, the GPMC now has a GPUpdate option

uilt-in to the console. Using this option will perform a remote GPUpdate against any

computers in the selected OU.

The remote update is sent out as a scheduled request with a random time interval so that all

systems to not attempt to perform the update simultaneously.

Group Policy Verification Tool

igure 110: Group Policy Verification Tool


10/51


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 10/51

very domain in Active Directory should have more than one domain controller. When you

ave multiple domain controllers, you can use the Gpotool command-line tool to ensure that

he contents of all the linked Sysvolfolders in the domain contain valid and up-to-date GPOs.

ote

The Gpotool is considered a deprecated tool as of Windows Server 2012 and has

een replaced by greater functionality within the GPMC via the Infrastructure Status tab.

The Gpotool tool can also check for version mismatches between the GPT stored in the

Sysvolfolder and the GPC in Active Directory.

f errors occur, check the System and Directory Services event logs on the listed domain

controller showing the problem. For instance, if you want to verify if a GPO called Corporate

esktop Settingson a certain domain called MyDomainis in sync, type the following in a

command prompt window:

Gpotool/gpo:Corporate Desktop Settings/dc:MyDomain

hen you use the Gpotool tool, you can also check the following Group Policy components:

Group Policy object consistency: You can check the GUID of each GPO and all Sysvol

data.

Group Policy object replication: You can check the times and instances of when

replication has occurred.

Friendly-name searching: You can search your GPOs by the given name of each GPO.

Selective search: You can specify which domain controllers the Gpotool tool will query.

Multiple domains: You can check policies in different domains.

Verbose mode: You can display a validation list of each working GPO and a detailed error


11/51



report of each damaged GPO policy.

ote

You can download the Gpotool tool from www.microsoft.com.

GPMC Infrastructure Status

igure 111: GPMC Infrastructure Status

The GPMC Infrastructure Status tab allows you to check the replication status of the domain

o make sure Group Policy files and settings are being replicated successfully to other domain

controllers.

This tool is informational only and does not provide an option to perform replication. You can

se the Repadmin command-line tool if you need to manually force replication to occur..

Replication Monitor
http://www.microsoft.com/


12/51



igure 112: Replication Monitor

You can use the Active Directory Replication Monitor (Replmon) tool to gather a wide variety

of replication details. You can also use it to monitor the replication status of current GPOs per

domain.

ote

The Replmon tool is considered a deprecated tool as of Windows Server 2008

and has been replaced by the more functional command-line Repadmin.exe tool.

The following topics explain how to use the Replmon tool to check the current GPO

eplication status and to check the GPO version numbers.

sing the Replmon Tool to Check Replication Status

To check the current GPO replication status, follow these steps:

1. Open the Replmontool from the Support Toolsmenu.

2. Right-click Add Monitored Serverand enter the FQDN of the server.


13/51


14/51



igure 113: Using the Replmon Tool to Check GPO Version Numbers

To find additional details on the replication status, right-click the server icon and, from the

context menu, select Show Group Policy Replication.

Any differences between the GPC and the GPT will result in different version numbers: the

ersioncolumn corresponds to the GPC status, and the Sysvol version represents the GPT.

You can add additional domain controllers to the view of the Replmon tool for comparison

urposes.

Repadmin


15/51



igure 114: Repadmin

The Repadmin.exe command-line tool can be used to perform all of the functions that are

ound within the graphical Replmon tool and more.

Some operations are certainly more visual in the Replmon tool, but the Repadmin.exe tool hashe advantage of being scriptable and less cumbersome when performing multiple operations.

Since Replmon is deprecated, Repadmin should be used in most situations today.

The syntax for Repadmin is as follows:

C:\>repadmin

Usage: repadmin [/u:{domain\user}] [/pw:

{password|*}]

[/retry[:][:]]

[/csv]

Use these commands to see the help:

/? Displays a list of commands available for use

in repadmin and

their

description.

/help Same as /?

/?: Displays the list of possible arguments ,

appropriate

syntaxes and examples for the specified command

.

/help: Same as /?:

/experthelp Displays a list of commands for use by advanced

users only./listhelp Displays the variations of syntax available for

the DSA_NAME,


16/51



DSA_LIST, NCNAME and OBJ_LIST strings.

/oldhelp Displays a list of deprecated commands that

still work but

are no longer supported by Microsoft.

Supported commands (use /? for detailed help):

/kcc Forces the KCC on targeted domain controller(s) to

immediately

recalculate its inbound replication topology.

/prp This command allows an admin to view or modify the

password replication policy for RODCs.

/queue Displays inbound replication requests that the DC

needs to issue

to become consistent with its source

replication partners.

/replicate Triggers the immediate replication of the

specified directory

partition to the destination domain controller

from the

source DC.

/replsingleobj Replicates a single object between any two

domain

controllers that have common directory

partitions.

/replsummary The replsummary operation quickly and

concisely summarizes

the replication state and relative health of a

forest.


17/51



/rodcpwdrepl Triggers replication of passwords for the

specified user(s)

from the source (Hub DC) to one or more Read

Only DC's.

/showattr Displays the attributes of an object.

/showobjmeta Displays the replication metadata for a

specified object

stored in Active Directory, such as attribute

ID, version

number, originating and local Update Sequence

Number (USN),

and

originating server's GUID and Date and Time

stamp.

/showrepl Displays the replication status when specified

domain

controller

last attempted to inbound replicate Active

Directory

partitions.

/showutdvec displays the highest committed Update Sequence

Number (USN)

that the targeted DC's copy of Active

Directory shows as

committed for itself and its transitive

partners.

/syncall Synchronizes a specified domain controller with

all replication


18/51



partners.

Supported additional parameters:

/u: Specifies the domain and user name separated by a

backslash

{domain\user} that has permissions to perform

operations in

Active Directory. UPN logons not supported.

/pw: Specifies the password for the user name entered

with the /u

parameter.

/retry This parameter will cause repadmin to repeat its

attempt to bind

to the target dc should the first attempt fail

with one of

the

following error status:

1722 / 0x6ba : "The RPC Server is unavailable"

1753 / 0x6d9 : "There are no more endpoints

available from

the

endpoint mapper"

/csv Used with /showrepl to output results in comma

separated

value format. See /csvhelp

Note: Most commands take their parameters in the order of

"Destination or

Target DSA_LIST", then a "Source DSA_NAME" if


19/51



required, and finally

the

NC or Object DN if required.

(or ) is a Directory Service

Agent binding

string. For Active Directory Domain Services, this

is simply a

network

label (such as a DNS, NetBios, or IP address) of a

Domain

Controller.

For Active Directory Lightweight Directory

Services, this must be

a

network label of the AD LDS server followed by a

colon and the

LDAP

port of the AD LDS instance

Examples (AD DS): dc-01

dc-01.microsoft.com

Examples (AD LDS): ad-am-01:2000

ad-am-01.microsoft.com:2000

is the Distinguished Name of the

root of the NCExample: DC=My-Domain,DC=Microsoft,DC=Com

Note: Text (Naming Context names, server names, etc) with

International

or

Unicode characters will only display correctly if

appropriate fonts

and

language support are loaded.


20/51



Get-GPResultantSetOfPolicy

igure 115: Get-GPResultantSetOfPolicy

Get-GPResultantSetOfPolicy is a PowerShell cmdlet that can perform the same type of

operations as the Gpresult.exe comand. However, this tool is more powerful since it is able to

ully utilize the PowerShell pipeline and object structure.

The Get-GPResultantSetOfPolicy cmdlet can output the RSOP data in either an HTML or

ML format. The HTML output will be identical to that produced by GPresult or the Policyesults output in the GPMC.

Get-GPResultantSetOfPolicy syntax:

PS C:\test> help Get-GPResultantSetOfPolicy -full

NAME

Get-GPResultantSetOfPolicy

SYNOPSIS

Outputs the Resultant Set of Policy (RSoP) information

for a user, a

computer, or both to a file.

SYNTAX


21/51



Get-GPResultantSetOfPolicy [-Computer ] [-User

] -Path

-ReportType []

DESCRIPTION

The Get-GPResultantSetofPolicy cmdlet outputs the

Resultant Set of Policy

(RSoP) information for a user, a computer, or both to a

file.

-Computer Specifies the name of the computer for

which to generate

the report.

-Path Specifies the path to the report file.

-ReportType Specifies the report type in either HTML

or XML.

-User The name of the use for which to

generate the report.

-------------------------- EXAMPLE 1 ----------------------

----

C:\PS>get-gpresultantsetofpolicy -reporttype xml

-path c:\reports\LocalUserAndComputerReport.xml

-------------------------- EXAMPLE 2 ----------------------

----

C:\PS>Get-GPResultantSetOfPolicy -reporttype xml -computer

computer-

08.contso.com


22/51



-path c:\reports\computer-08.xml

Invoke-GPUpdate

igure 116: Invoke-GPUpdate

nvoke-GPUpdate is a new PowerShell cmdlet that can perform more powerful GPUpdate

operations. It can be used to update the local or a remote machine or users settings. It can

also be used to schedule a GPUpdate in the future, up to 31 days later. The refresh isautomatically offset by a random delay.

nvoke-GPUpdate syntax:

NAME

Invoke-GPUpdate

SYNOPSIS

Schedule a remote Group Policy refresh (gpupdate) on the

specified

computer.

SYNTAX

Invoke-GPUpdate [[-Computer] ] [[-


23/51



RandomDelayInMinutes] ]

[-AsJob []] [-Boot []] [-

Force

[]] [-LogOff []] [-Target

]

[]

Invoke-GPUpdate [[-Computer] ] [[-

RandomDelayInMinutes] ]

[-AsJob []] [-Boot []] [-

LogOff

[]] [-Sync []] [-Target

]

[]

-AsJob Runs the cmdlet as a background job.

-Boot Causes a computer restart after

policies are applied

for CSEs that require a restart.

-Computer The name of the remote computer to

schedule a refreshfor.

-Force Reapplies all policy settings instead

of only

updating changes.

-Logoff Causes a logoff after policies are

applied for CSEs

that require a logoff / logon to be applied.


24/51



-ReandomDelayInMinutes The amount of time that the Task

Scheduler will wait

before running the refresh.

-Sync Causes user policies applied at logon

to be performed

Synchronously instead of the default Asynchronous processing.

-Target Refresh only the User or Computer

policy settings.

-------------------------- EXAMPLE 1 --------------------------

PS C:\> Invoke-GPUpdate

This command schedules a Group Policy refresh on the computer on

which you are

running theInvoke-GPUpdate cmdlet.

-------------------------- EXAMPLE 2 --------------------------

PS C:\> Invoke-GPUpdate -computer COMPUTER-02 -Target user -Sync

This command schedules a Group Policy refresh on a remotecomputer

(CONTOSO\COMPUTER-02) which will only schedule to update the user

policy

settings in synchronous mode.

Integration of RSoP Functionality


25/51



igure 117: Integration of RSoP Functionality

You can troubleshoot Group Policy via the RSoP (Resultant Set of Policy) snap-in to the

MC (Rsop tool [rsop.msc]). When you are planning and testing or troubleshooting Group

olicy, RSoP helps to trace how the policy links are applied for a specified user and a

specified computer. It also identifies effective settings and winning policy objects.

n the spirit of making the GPMC the primary tool for Group Policy management, Microsoft

as integrated RSoP functionality into the GPMC (with a slight change to the names of the

ools).

This integration means that:

RSoP logging mode in the RSoP console becomes Group Policy Results in the GPMC.

RSoP planning mode in the RSoP console becomes Group Policy Modeling in the

GPMC.

hen you consider the HTML reporting capabilities of the GPMC, it is hard to see why

anybody would continue to use the RSoP tool if they have access to GPMC. In fact,

icrosoft recommends that you abandon the older tool.



26/51



igure 118: Group Policy Results

The Group Policy Results tool in the GPMC corresponds to the RSoP logging mode and

resents real information that reflects how the policy is applied. To start a modeling run, in

he console pane of the GPMC window, right-click the Group Policy Resultsnode, and

select Group Policy

Results Wizard.

The wizard prompts you to make the following choices:

Specify which computer you want to process: the local computer or a different computer

that you specify.

Select how you want to display policy settings: the user object only, not the computer

object. (This is a check box.)

Specify which user account you want to process: the current logged-on user or a

different user that you specify. (You are limited to users who have logged on to your

computer and for whose accounts you have read access.)

hen the run is complete, the details pane of the GPMC shows three tabs:


27/51



Summary: An HTML report of the warnings, errors and alerts that may have occurred

during polciy processing.

Settings: An HTML report of the policy settings, the GPO list, security group

memberships, and WMI filters that would be applied in the scenario

Events: A list of policy-related events from the event log of the target computer and a

useful troubleshooting resource

These three tabs correlate with a new sub-node in the console pane under the Group Policy

esults node. These sub-nodes will continue to accumulate with every new run of the wizard.

y right-clicking the sub-node corresponding to a specific modeling session, you can:

Save the results to disk.

Run the query again.

Run a new query with this one as a template.

Choose Advanced View to invoke the RSoP console and view the precedence information

that does not appear in the HTML Settings report. (The HTML Setting report only lists thewinning GPO.)

Group Policy Modeling

igure 119: Group Policy Modeling

Group Policy Modeling in the GPMC corresponds to the RSoP planning mode, meaning that it

ermits you to perform a simulation before actually applying the policy. It requires that at least

one domain controller in the Active Directory forest is running Windows Server 2003 or later;


28/51


29/51



Save the results to disk.

Run the query again.

Run a new query with this one as a template.

Choose Advanced View to invoke the RSoP console and view the precedence informationthat does not appear in the HTML Settings report.

Creating an HTML File for Reporting

igure 120: Creating an HTML File for Reporting

The GPMC, and the Gpresult and Get-GPResultantSetOfPolicy command-line tools have the

ability to produce reports in the form of HTML file output. These reports can be invaluable

hen it comes to viewing and analyzing the policies that are configured and determine where

he policies came from.

Any user with read access to a given GPO can open the GPMC and view or report on its

settings, which helps IT support the users and OU administrators.

You even have some control over what appears on the report, via the Showand Hidelinks at

each section header. At the top of the report, you can also click Show Allto expand all

sections. The GPMC also allows you to:

Report on the settings contained in any particular GPO.


30/51



Under Group Policy Objects, right-click an entry and select Save Reportto create an

HTML file with the settings (see Figure 120). The report contains the full contents of the

Settingstab, plus information from the Scope, Details, and Delegationtabs.

Right-click anywhere on the Settingstab and select Printto print the report as it appears

on the window.

Report on the results of an RSoP session (that is, Group Policy Results or Group Policy

Modeling).

Under Group Policy Resultsor Group Policy Modeling,right-click a saved session

and select Save Reportto create an HTML file with the settings.

Right-click anywhere on the Settingstab and select Printto print the report as it appearson the window.

A couple of GMC reporting tips are:

To view the HTML reports that the GPMC saves, you must use at least Windows Internet

Explorer 6 or Netscape 7.

To use the show/hide capability, you must use at least Windows Internet Explorer 6.

A few problems with GPMC reporting are:

The reported data for IPSecand Wirelesssettings is incomplete.

The reported data for Windows Internet Explorer Security Zones and Privacysettings is

incomplete (customized Java settings do not appear).

The reported data for Windows Internet Explorer Content Ratings is incomplete (settings

details do not appear).

New Error Reporting Details


31/51



igure 121: New Error Reporting Details

The HTML reports that are generated by the GPMC, Gpupdate.exe and Get-

GPResultantSetOfPolicy now contain additional error reporting information. These additional

details are very useful in troubleshooting group policy issues.

After running Group Policy Results or Group Policy Modeling, the Summary tab may contain

a red X with a link listing the number of errors detected. Click on the link to display the

specific errors that occurred.

The Policy Events tab displays all Group Policy related events from the Event Log.

Using Logging Options

igure 122: Using Logging Options

You can obtain basic troubleshooting information related to Group Policy through the

indows Event Viewer. For additional troubleshooting, more detail can be enabled and sent to

he Windows Event Log and a separate Userenv.logfile.


32/51


33/51



LOGFILE 0x00010000

EBUGGER 0x00020000

You can combine the previous values. For example, you can combine VERBOSE

0x00000002 and LOGFILE 0x00010000 to get 0x00010002. This turns on both LOGFILE

and VERBOSE.

ote

The default value is NORMAL|LOGFILE (0x00010001). To disable logging,

select NONE(where the value is 0X00000000).

On the next reboot and logon, the Userenv.logfile is written to:

%SystemRoot%\Debug\UserMode.

ake sure you check these two essential components in the Userenv.logfile:

Verify that the distinguished name of the computer or user is being recognized. If Windows

cannot determine the distinguished name, it will not be able to properly parse Active

Directory to determine which GPOs to apply to the user or computer.

Determine if any GPOs are being skipped because the user does not have the proper

permissions on the GPO. (The user should have read and applied Group Policy

permissions.)

vent Logs


34/51



igure 124: Event Logs

The Application Event Log records all GPO events with a minimum amount of detail. To get

erbose results for troubleshooting, you must edit the registry. After you edit it, the

Application Event Log will provide you with additional details about which GPO is being

applied.

le verbose logging of GPOs, you must add a registry key to the following location:

KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\

CurrentVersion\Diagnostics

nder the Diagnosticssub-key, add a REG_DWORD value named

unDiagnosticsLoggingGlobaland assign it a value of 1.

After a reboot, the diagnostic logging will be enabled. Every major step in processing GPOs

riggers an event log entry.

elpful Hint

Many Group Policy error codes have not been well documented. However, you

can find a reference list on microsoft.com. Search for Troubleshooting Group Policy Using


35/51



vent Logs.

Backing Up, Restoring, Importing, and Copying GPOs

igure 125: Backing Up, Restoring, Importing, and Copying GPOs

n a large, complex environment, it is important to provide the ability to restore GPOs

independent of the full backups of the Active Directory environment. The Group Policy

anagement Console includes the ability to perform backups and restores of individual

olicies, or all policies in the domain.

This topic explains how to back up, restore, import, and copy GPOs.

Backing Up GPOs

igure 126: Backing Up GPOs

Considering the importance of GPOs, having backups is highly desirable. The GPOs do exist

in Active Directory and the Sysvolshares, so if you have multiple domain controllers, you


36/51



already have redundancy. However, without the GPMC, you do not have a convenient way

of restoring individual GPOs and importing GPO settings into other GPOs. Both of these

capabilities are enabled by the GPMC backup facility. When you are backing up GPOs,

emember the following: Backing up refers to the process of copying the contents of a live

GPO into any specified folder location on the computer or network where you have write

ermissions (see Figure 126).

You can back up multiple policy objects to the same folder.

You can back up multiple versions of the same policy object to the same folder.

You can restore or import backed-up GPOs.

The GPMC includes a user interface for managing backed-up policy objects (right-click the

Group Policy Objectsnode and select Manage Backups).

The following topic describes how to back up GPOs.

rocedure for Backing Up GPOs (1)

igure 127: Procedure for Backing Up GPOs

The procedure for backing up a GPO in the console is straightforward:


37/51



1. Navigate to the domain of interest in the console pane.

2. Expand the Group Policy Objectsnode.

3. Right-click the policy object that you want to back up, and select Back Up.

Procedure for Backing Up GPOs (2)

Figure 128: Procedure for Backing Up GPOs (cont.)

. Select a target folder to which you have write access. You can browse to this location,

and you can also create a new folder, if necessary.

5. Create a description for the backup. This description will appear later when you are

managing your backups from within the GPMC.

6. Click the Back Upbutton.

7. Click OKwhen the backup is complete.

An alternative method is available if you wish to back up all the GPOs in a given domain. You

can use this approach to re-create the entire Group Policy structure on another domain.

To back up all the GPOs, navigate to the domain of interest, right-click the Group Policy

Objectsnode, and then select Back Up All. Follow steps 4 through 7 to finish backing up all

he GPOs.


38/51



anaging the Backups

You can manage the backups that you have created from the Manage Backups dialog box.

ight-click the Group Policy Objectsnode and select Manage Backups. In the Manage

ackups dialog box, you will see the following information:

Backup location

List of backed up GPOs, including domain, name, timestamp, description, and GPO ID

A check box to show only the latest version of each GPO

A Restorebutton, which restores the selected GPO to its original domain

A Deletebutton

A View Settingsbutton, which generates an HTML report listing the settings in the selected

GPO (a convenient feature)

A Closebutton

Restoring GPOs

igure 129: Restoring GPOs

You would generally restore a GPO when you have deleted it and want it back, or when you

ave modified it (either its contents or its ACL) and want to return it to some prior condition.


39/51



n these situations, restoring a GPO is much the same as restoring a file or folder.

hen you are restoring backed up files, remember the following:

Restoring refers to the process of putting a backed-up GPO back into its original location

(that is, domain) with all its original settings intact (including security settings).

Even if you are restoring a deleted GPO, it will have the same GUID that it had originally.

You cannot restore a GPO to a domain other than the one from which it was backed up.

The following topics describe how to restore GPOs and some of the caveats of restoring them.

rocedure for Restoring GPOs

The procedure for restoring a GPO varies depending on whether the GPO exists or has been

deleted.

If the GPO still exists, and you just want to return it to some prior state, right-click the

GPOin the Group Policy Objectscontainer and select Restore from Backup.

Follow the wizard.

To restore a GPO with this procedure, you must have the following permissions on it:

edit settings, delete, and modify security.

If the GPO has been deleted, right-click the Group Policy Objectscontainer, select

Manage Backups, find the backed-up GPO, select it, and click the Restorebutton.

To restore a GPO with this procedure, you must have the right to create GPOs.

Caveats of Restoring GPOs

estoring GPOs has some drawbacks:


40/51



If you restore a deleted GPO, the links it had are not automatically restored. You have to

restore them manually.

If you restore a deleted GPO that includes software deployment settings, and those settings

included the option to uninstall when the application falls outside the scope of

management, users might see those assigned or published applications uninstall and then

reinstall, after the restoration of the GPO. The reason for this is that Windows thinks the

applications are new because they get a new deployment object GUID after the restore

(even though the GUID of the actual GPO remains the same as it was).

If you rename a domain, you cannot restore a GPO that was backed up before the rename

operation.

Importing GPOs

igure 130: Importing GPOs

mporting a GPO transfers the settings in a backed-up GPO to an existing and active GPO.

mporting never creates a new GPO.

An export command for GPOs does not exist. Backing up a GPO is the functional

equivalent of exporting it.

The following topics explain why you might want to import GPOs and how to import them.


41/51



easons for Importing GPOs

n certain situations, you might want to import a GPO rather than simply restore it. For

instance:

You do not want to create a new GPO, but instead, you want to augment the settings

contained in an existing GPO without changing any of the security settings (ACEs) of that

existing GPO.

You want to migrate a GPO from one domain to another, but you do not have connectivity

and trust relationships between the domains. To elaborate:

If you did have connectivity with trusts, you would simply perform a copy operation

(drag-and-drop) instead of a back-up-and-restore cycle.

The restore operation always restores a GPO to the domain from which it was backed

up, so you cannot use it to migrate a GPO from one domain to another.

rocedure for Importing GPOs

To import a backed-up GPO:

1. In the Group Policy Objectsnode of the console, right-click an existing GPO, and

select Import.

2. Specify the backed-up GPO whose settings you would like to import. You can also

specify a migration table.

Copying GPOs


42/51



igure 131: Copying GPOs

You can use the GPMC to copy and paste GPOs, either via the context menu of the GPO or

y dragging and dropping. How is this different from importing GPOs?

A copy operation always creates a new GPO at the destination location; an import operation

never does.

A copy operation always starts with an active GPO; an import operation starts with a

backed-up GPO.

The following topic describes the requirements for copying GPOs.

equirements for Copying GPOs

n order to copy a GPO from one location to another, the source and target locations must

ave physical connectivity and a trust relationship. If you are copying a GPO from one

domain to another within the same forest, these requirements are usually not a problem.

owever, if you are copying a GPO from one domain to another in a different forest, then

ou must either have a forest trust in place (Windows Server 2003 and later only), or you

ust perform a backup-and-import operation rather than a copy operation.

Building Migration Tables


43/51



igure 132: Building Migration Tables

Active Directory was not created to enable administrators to copy a large number of objects

etween domains. Therefore, the process for copying a GPO from one domain to another is a

little complex. If all you have in a particular GPO are Administrative Templatessettings, that

is, registry-based policies, then you can use a simple drag-and-drop method to copy GPOs.

owever, if your GPO contains more settings, then you should expect some migration

conflicts.

This topic explains how to use migration tables to resolve SID and UNC path conflicts and

ow to build a migration table.

Using Migration Tables to Resolve SID and UNC Path

Conflicts

igration tables can help resolve the SID and UNC path conflicts that can arise from moving

GPOs from one domain to another.

SID Conflicts

GPOs tend to contain domain-specific SIDs. For example, user rights (part of the Security

Settings node of a Group Policy Object) typically include references to domain groups, such

as Backup Operators.

The SID for the Backup Operators group in Domain A is not the same as the SID for the

ackup Operators group in Domain B. This mismatch is a problem, so you would need, inhis case, the ability to map the migration of SIDs. In addition, explicit, user-specific access

controls might have been set forth in the origin domain; these, too, would need to map over to


44/51



different SIDs in the destination domain.

The types of policies that could include SID information and, therefore, possibly need

emapping, include the following:

File system permissions (NTFS)

Folder redirection

Software settings (specifically, ACLs on software deployment objects)

User rights assignments

UNC Path Conflicts

Another potential migration problem arises from the fact that some GPOs contain settings

that use UNC notation to reference specific network paths. For example, an assigned

software package might specify a distribution point within the domain; in fact, it is likely to

do so. When that policy moves to a new domain, the distribution point might no longer be

available due to permissions issues. Even if it is available, there might be performance (and

administrative) problems associated with the cross-domain traffic.

The types of policies that could include UNC information, and therefore possibly need

emapping, include the following:

Folder redirection

Software settings

Logon, logoff, startup, and shutdown scripts

Building a Migration Table


45/51



igure 133: Building a Migration Table

The solution to the problem of moving GPOs from one domain to another is to build a

igration table for security principals and UNC paths that require translation. Put the old

setting on the left and the new setting on the right.

After you create the migration table, you can specify the migration table during the GPO copy

operation, and it will act much like a global search-and-replace facility for all occurrences ofhe specified SIDs and paths.

You can build migration tables with the Mtedit tool. You can either run the tool or invoke it

rom within the GPMC by right-clicking the Domainsnode and selecting Open Migration

Table Editor. (You can also right-click the Group Policy Objectsnode to get to this menu

choice.) The XML data files associated with the Mtedit tool have the extension .migtable.

The sample migration table included by Microsoft with the GPMC appears in Figure 133 and

illustrates many of the possible combinations of format for each of the three columns.

ote the entry in the Destination Namecolumn. This is

shorthand for Replace the original domain name with the destination domain name, but keep

everything else the same. That is, testdomain1\Group02would become

estdomain2\Group02.

ote also the entry in the Destination Namecolumn. This is shorthand


46/51



or Dont change a thing; in fact, this entry doesnt even need to be here except perhaps to

clarify that we know this entry doesnt need to change.

elpful Hint

You can use migration tables both for copying and for importing GPOs.

cronyms

The following acronyms are used in this section:

ACE access control entry

ACL access control list

CD compact disc

RS File Replication Service

GPC Group Policy container

GPMC Group Policy Management Console

GPO Group Policy object

GPT Group Policy template

GUID globally unique identifier

TML Hypertext Markup Language

D identification or identifier PSec IP Security

T Information Technology

MC Microsoft Management Console

TFS New Technology File System

OU organizational unit

DC Primary domain controller

SoP Resultant Set of Policy

SID security identifier

SP1 Service Pack 1


47/51



NC Universal Naming Convention

AN wide area network

MI Windows Management

Instrumentation

ML Extensible Markup Language

Section Review

Summary

A few of the command-line tools that you can use to troubleshoot Group Policy

deployment and the health of the existing GPOs are:

Group Policy Results: This tool provides RSoP details.

Group Policy Update: This tool refreshes Group Policy settings without rebooting.

GPO Verification tool: This tool ensures that the contents of all the linked Sysvol

folders in the domain contain valid and up-to-date GPOs. It also checks for version

mismatches between the GPT stored in the Sysvolfolder and the GPC in Active

Directory.

Replication Monitor: This tool gathers a wide variety of replication details. It also

monitors the replication status of current GPOs per domain.

The RSoP helps to trace how the policy links are applied for a specified user and a

specified computer. It also identifies effective settings and winning policy objects.

Some of the RSoP tools that you can use to troubleshoot GPO processing are:

Group Policy Results: This tool presents real information that reflects how the policy

is applied.

Group Policy Modeling: This tool permits you to perform a simulation before actuallyapplying the policy.

HTML file for reporting: Both the GPMC and the Gpresult command-line tools can


48/51



produce reports in the form of HTML file output. Using these reports, you can view and

analyze the policies that are configured and determine where the policies came from.

The GPO logging tools that you can use to obtain more detail about the GPO processing

issues are:

The Userenv.log: This log contains a detailed verbose log of the logon process.

Event logs: These logs record all GPO events with a minimum amount of detail.

You can back up, restore, import, and copy GPOs. The purpose of these functions are:

Back Up: This function copies the contents of a live GPO into any specified folder

location on the computer or network where you have write permissions.

Restore: This function restores a GPO when you have deleted it and want it back, or

when you have modified it (either its contents or its ACL) and want to return it to some

prior condition.

Import: This function transfers the settings in a backed-up GPO to an existing and active

GPO. (The import process does not create a new GPO.)

Copy: This function creates a new GPO at the destination location. It starts with anactive GPO.

Use the Mtedit tool to build migration tables. You can either run the tool or invoke it from

within the GPMC (right-click the Domainsnode and select Open Migration Table

Editor).

nowledge Check

1. Name and describe the two GPO logging tools.

2. Describe the following tools:


Replication Monitor

3. Which tool is used to build migration tables?


49/51



a. Userenv

b. GPO Migration

c. Mtedit

d. Event log

. Match each GPO process with its correct description. Write the letter of the description

in the Answer column.

Answer GPO

Process

Description

1.________

Restore A.Creates a new GPO at the destination location. It starts with an active

GPO.

2.________

Back up B.Restores a GPO when you have deleted it and want it back, or when

you have modified it (either its contents or its ACL) and want to return it

to some prior condition.

3.________ Copy C.Transfers the settings in a backed-up GPO to an existing and ac tive

GPO.

4.________

Import D.Copies the contents of a live GPO into any specified folder location on

the computer or network where you have write permissions.

5. Which RSoP tool does the following text describe?

This tool presents real information that reflects how the policy is applied.

a. Group Policy Results

b. HTLM file for reporting

c. Group Policy Modeling

d. Group Policy Verification

Knowledge Check Answer Key


50/51



The correct answers to the Knowledge Check questions are bolded.

1. Name and describe the two GPO logging tools.

The Userenv.log: Contains a detailed verbose log of the logon process.

Event logs: Record all GPO events with a minimum amount of detail.

2. Describe the following tools:

Group Policy Results: This tool provides RSoP details.

Replication Monitor: This toolgathers a wide variety of replication details. It also

monitors the replication status of current GPOs per domain.

3. Which tool is used to build migration tables?

a. Userenv

b. GPO Migration

c. Mtedit

d. Event log

. Match each GPO process with its correct description.

Answer Group

Policy

Feature

Description

1. BRestore A.Creates a new GPO at the destination location. It starts with an active GPO.

2. DBack up B.Restores a GPO when you have deleted it and want it back, or when you

have modified it (either its contents or its ACL) and want to return it to some

prior condition.

3. ACopy C.Transfers the settings in a backed-up GPO to an existing and active GPO.

4. CImport D.Copies the contents of a live GPO into any specified folder location on the

computer or network where you have write permissions.


51/51


5. Which RSoP tool does the following text describe?

This tool presents real information that reflects how the policy is applied.

a. Group Policy Results

b. HTLM file for reporting

c. Group Policy Modeling

d. Group Policy Verification

Documents

5 Troubleshooting and Backing Up GPOs