7/28/2019 6425A_11
Module 11: Troubleshooting Group Policy Issues
Course 6425A
Explain that there are two main problem areas that can occur with Group Policy processing: either policies are not applied to the client, or policies are applied, but the results are inconsistent or incorrect.
Discuss that troubleshooting Group Policy issues requires a good understanding of the underlying process that delivers Group Policy to clients.
Explain that Group Policy has two distinct phases:
Core Group Policy processing. When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any Group Policy objects (GPOs) have changed, and what policy settings (based on client-side extension) must be processed. The core Group Policy engine performs this processing in the initial phase.
Client-side extension (CSE) processing. Policy settings are grouped into different categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs that are required to process the settings that apply to the client. The exception is security policies, which are refreshed every 16 hours regardless of whether they have changed.
It is important to understand that Group Policy is mainly a client-side event. The client pulls the policies; the server does not push them.
References
Group Policy Troubleshooting: http://go.microsoft.com/fwlink/?LinkId=101100
Explain how to use basic diagnostic tools to check for problem causes other than Group Policy errors:
Netdiag
Ping
NSlookup
DCdiag
Set
Kerbtray
Demonstrate the basic function of these diagnostic tools.
Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address that has been issued to a client computer?
Answer: IPConfig /all will provide DHCP lease information.
References
Troubleshooting Your Systems with Network Diagnostics: http://go.microsoft.com/fwlink/?LinkId=101101
Using NSlookup.exe: http://go.microsoft.com/fwlink/?LinkId=101102
Unable to access domain controller: http://go.microsoft.com/fwlink/?LinkId=101103
Kerbtray.exe: Kerberos Tray: http://go.microsoft.com/fwlink/?LinkId=101104
Explain that after checking network connectivity, you should verify whether a problem can be traced to core Group Policy. Describe the range of troubleshooting tools that are available to assist in resolving policy issues.
Basic troubleshooting steps include:
Use Group Policy reporting to check Group Policy results on the client computer. Explain that this is one of the main troubleshooting tools, and often reveals the problem without having to use any other tools.
Check Group Policy exceptions. Verify that exceptions (scope of management), such as security filtering, WMI filters, block inheritance, enforcement, loopback processing, and slow link settings, are not affecting normal GPO processing.
Use tools such as GPResult.exe, GPOTool.exe, and the Group Policy Management Console (GPMC) to ensure that Group Policy settings that are expected to be delivered actually are delivered, and that Group Policy objects on domain controllers are consistent and available. (Note: GPResult.exe and GPOTool.exe must be downloaded separately.)
Use Dcgpofix to repair the default domain policy.
Use event, userenv, and CSE logs to analyze the problem and find a solution.
In Windows Vista and later versions, you can use GPOLogView to aggregate events from the Group Policy operational logs into a single view.
Installing the GPMC also installs a number of scripts to perform basic Group Policy management and maintenance.
References
Group Policy Modeling and Results: http://go.microsoft.com/fwlink/?LinkId=101105
How to manually create Default Domain GPO: http://go.microsoft.com/fwlink/?LinkId=101106
GPOTool (from Win2K Server Resource Kit): http://go.microsoft.com/fwlink/?LinkId=101107
Refresh Group Policy settings with GPUpdate.exe: http://go.microsoft.com/fwlink/?LinkId=101108
Fixing Group Policy problems by using log files: http://go.microsoft.com/fwlink/?LinkId=101109
To complete this demonstration, you will need to have the 6425A-NYC-DC1 virtual machine running.
1. On NYC-DC1, open a command prompt, run Gpresult, and then discuss some of the switches available.
2. Run Gpresult /R, and then discuss the results.
3. Run Gpresult /R /V, and then show the results of verbose mode.
4. From the C:\Program files\Windows Resource Kits\Tools directory, run GPOTool.exe, and then discuss the results.
5. Show the switches available for the GPupdate command, and then run the GPupdate /force command.
6. From the C:\Program files\GroupPolicy Logview directory, run gplogview.exe, and then discuss the switches available.
7. Output the events to a text file by running gplogview -o gpevents.txt, and then examine the output file.
8. Run gplogview in monitor mode by typing gplogview -m -n.
9. Launch a second command prompt, run gpupdate /force, and then examine the results in the monitor window.
Demonstration question:
Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer?
Answer: You must ensure that the remote procedure call (RPC) service is available on the remote client. You can do this by modifying the Windows Firewall manually, or through a Group Policy setting that allows remote administration.
Review the role of inheritance and the effects of blocking inheritance. Explain that the Group Policy results report will list the GPOs that are applied, and those that are blocked. If entire sections of OUs are not receiving policies, it may be due to inheritance blocking.
Question: Are there scenarios in your organization that would benefit from blocking inheritance?
Answer: Answers will vary.
Reference
Fixing Core Group Policy problems: http://go.microsoft.com/fwlink/?LinkId=101110
Explain that Group Policy filtering may appear to look like inconsistent policy application in an OU. If some users or groups have filtering applied, then they will not receive policies that other users in the same OU are receiving. Again, the Group Policy results report will provide information about which policies are being applied.
Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions:
Authenticated Users are denied the Apply Group Policy permission.
The Managers group has been granted Read and Apply Group Policy permission.
None of the Managers are receiving the GPO settings. What is the problem?
Answer: Because deny permission overrides any allow permissions, the denial of Authenticated Users is preventing anyone from getting the GPO settings.
Reference
Group Policy Troubleshooting: http://go.microsoft.com/fwlink/?LinkId=101100
Replication issues can prevent clients from obtaining new GPO settings. Domain controllers that have replication problems will be unaware that a GPO's version number has increased. Therefore, when a client queries and compares the last GPO version number it received to the current version number, the client will believe that there have not been any GPO changes.
Explain that if you suspect replication issues are causing Group Policy issues, the GPOTool can check for consistency of policies across all domain controllers.
Mention the Replication Monitor in the server support tools. Point out that you can use this tool to force replication.
Question: What tool can you use to force replication across all domain controllers in the domain?
Answer: Replication Monitor can force all domain controllers to replicate.
Reference
GPOTool (from Win2K Server Resource Kit): http://go.microsoft.com/fwlink/?LinkId=101107
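The version comparison behind this kind of consistency check, as an added PowerShell example (not code from the course or from GPOTool). It assumes the two version values for one GPO have already been collected from each domain controller; the records, the NYC-DC2 and NYC-DC3 names, and the function names are constructed for illustration.

```powershell
# Added example. Sample records are constructed; in practice AdVersion comes from the
# versionNumber attribute of the GPO's object in Active Directory and SysvolVersion
# from the Version= line of the GPO's GPT.INI in SYSVOL, each read from the named DC.
$samples = @(
    [pscustomobject]@{ DC = 'NYC-DC1'; AdVersion = 196613; SysvolVersion = 196613 }
    [pscustomobject]@{ DC = 'NYC-DC2'; AdVersion = 196613; SysvolVersion = 196612 }
    [pscustomobject]@{ DC = 'NYC-DC3'; AdVersion = 131076; SysvolVersion = 131076 }
)

function Format-GpoVersion {
    param([Parameter(Mandatory)][long]$Version)
    # Upper 16 bits count user-setting changes, lower 16 bits computer-setting changes.
    $user     = ($Version -shr 16) -band 0xFFFF
    $computer = $Version -band 0xFFFF
    "user $user / computer $computer"
}

function Test-GpoVersionConsistency {
    param([Parameter(Mandatory)][object[]]$Record)
    # Treat the highest AD version seen on any DC as the one all DCs should converge to.
    $latest = ($Record | Measure-Object -Property AdVersion -Maximum).Maximum
    foreach ($r in $Record) {
        $problems = @()
        if ($r.AdVersion -ne $r.SysvolVersion) {
            $problems += 'AD and SYSVOL copies differ on this DC'
        }
        if ($r.AdVersion -lt $latest) {
            $problems += 'AD copy is behind the newest version in the domain'
        }
        [pscustomobject]@{
            DC     = $r.DC
            AD     = Format-GpoVersion $r.AdVersion
            SYSVOL = Format-GpoVersion $r.SysvolVersion
            Status = if ($problems.Count -gt 0) { $problems -join '; ' } else { 'consistent' }
        }
    }
}

Test-GpoVersionConsistency $samples | Format-Table -AutoSize
```

A client that last processed the GPO against a lagging domain controller sees an unchanged version number there and skips the new settings, which is the symptom described above.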
Explain that if Group Policy is not refreshing on a client as expected, you should check the refresh interval for each Group Policy. Explain that most settings require a logoff or a restart of the machine to take effect.
Remind students that Windows XP and Windows Vista clients log on with cached credentials by default. Therefore, many Group Policy settings will take two logons before being applied. Mention that the Always wait for network at computer startup and logon setting will change that behavior.
Explain that you can use GPUpdate.exe to force the refresh of Group Policy. Describe the general use and the switches available for GPUpdate.
Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?
Answer: Folder redirection is applied only at logon, so ensure that users have logged off and logged on twice, to determine that cached credentials are not the issue.
Reference
Refresh Group Policy settings with GPUpdate.exe: http://go.microsoft.com/fwlink/?LinkId=101108
Work with the students to create a flow chart for troubleshooting Group Policy application, using the one on the slide as an example.
Provide two or three scenario questions. For example: GPO is not being applied to a user in a specific site. Why?
Work through the scenario and create the flowchart with the students. At each step, refer to specific tools that you can use to identify issues and what tools you can use to verify the configuration.
Use the flowchart as a reference.
Suggested scenarios:
Some users in an OU receive the policy while others do not.
Solution: Security or WMI filtering may be in place. RSoP can provide details.
Users in a remote site receive some policies, but not all of them.
Solution: Slow link detection may be responsible. Check that it truly is a slow link and not an Internet Control Message Protocol (ICMP) blocking issue. If you need the policy to apply, you may need to configure the CSE to apply across a slow link.
An entire subtree of OUs is not receiving any domain-level policies.
Solution: Inheritance is most likely responsible when entire OUs do not receive any high-level policies. RSoP or the GPMC console can provide information.
One user is getting policy settings that no one else is getting.
Solution: Check that loopback or local policy is not in effect. RSoP will provide information.
Question: One user is having settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?
Answer: The problem might be a result of a local Group Policy setting on the computer. Local policies are applied if there are no domain policies that change them. Group Policy reporting (RSoP) reveals these issues.
Explain that client-side extensions (CSEs) are dynamic-link libraries (DLLs) that process Group Policy settings. The core Group Policy process calls the appropriate CSEs to process those settings. Some CSEs behave differently under different circumstances. For example, a number of CSEs do not process if a slow link is detected.
Point out that security settings and Administrative Templates are always applied and cannot be turned off. Other CSEs can have their behavior controlled across slow links.
Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?
Answer: You would configure the folder redirection CSE to be enabled across slow links.
References
Identifying Group Policy Client-Side Extensions: http://go.microsoft.com/fwlink/?LinkId=101115
Computer Policy for Client-side Extensions: http://go.microsoft.com/fwlink/?LinkId=101116
Group Policy and Network Bandwidth: http://go.microsoft.com/fwlink/?LinkId=101117
Explain the difference between a true policy and a preference. A true policy is a registry setting that lives either under \Software\Policies, or \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies, in the registry (in HKLM for machine policy settings, and HKCU for user policy settings). All other registry values are called preferences. Ordinary users do not have the right to modify these registry areas. True policies apply values to these areas and remove those values when the policy is removed.
In contrast, settings that users can configure or that reflect the default state of the operating system at installation time, are known as preferences.
Mention that both true policies and preferences contain information that modifies the registry on users' computers. True policy settings take precedence over preference settings. Preferences are set by the user or by the operating system at installation time.
Explain that the registry values that store preferences are located outside the approved Group Policy keys. Users typically can change their preferences at any time. For example, users can decide to set their wallpaper to a different bitmap. It is possible for an administrator to write an ADM or ADMX file that sets registry values outside of the approved Group Policy registry trees. When the GPO goes out of scope (meaning it is unlinked, disabled, or deleted), these values are not removed from the registry. For this reason, true policies are considered to be policy settings that you can manage fully. By default, the Group Policy Object Editor only shows policy settings that you can manage fully.
To view preferences in the Group Policy Object Editor, click the Administrative Templates node, click View, click Filtering, and then clear the Only show policy settings that can be fully managed checkbox.
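One way to audit a custom template for settings that fall outside the approved registry trees, as an added PowerShell example (not course code). The ADMX fragment is a trimmed, constructed sample with hypothetical Contoso policy names, and the function names are illustrative.

```powershell
# Constructed, trimmed ADMX fragment (hypothetical template, not a shipped file).
$admx = [xml]@'
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="LockSettings" class="Machine" key="Software\Policies\Contoso\App" valueName="Lock" />
    <policy name="HideDrives" class="User" key="Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" valueName="NoDrives" />
    <policy name="Wallpaper" class="User" key="Control Panel\Desktop" valueName="Wallpaper" />
    <policy name="LegacyMode" class="Machine" key="Software\PoliciesOld\Contoso" valueName="Mode" />
  </policies>
</policyDefinitions>
'@

function Test-ApprovedPolicyKey {
    param([Parameter(Mandatory)][string]$Key)
    # The two approved trees, relative to HKLM (machine) or HKCU (user).
    $approved = 'Software\Policies', 'Software\Microsoft\Windows\CurrentVersion\Policies'
    $k = $Key.Trim('\')
    foreach ($root in $approved) {
        # Accept the tree itself or a subkey. Requiring the trailing backslash keeps
        # 'Software\PoliciesOld' from passing as 'Software\Policies'.
        if ($k -ieq $root -or
            $k.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-AdmxKeyReport {
    param([Parameter(Mandatory)][xml]$Admx)
    # local-name() sidesteps the ADMX default namespace.
    foreach ($p in $Admx.SelectNodes("//*[local-name()='policy']")) {
        $hive = switch ($p.GetAttribute('class')) {
            'Machine' { 'HKLM' }
            'User'    { 'HKCU' }
            default   { 'HKLM and HKCU' }
        }
        $key = $p.GetAttribute('key')
        [pscustomobject]@{
            Policy = $p.GetAttribute('name')
            Hive   = $hive
            Key    = $key
            Type   = if (Test-ApprovedPolicyKey $key) { 'true policy' }
                     else { 'preference (value stays when GPO goes out of scope)' }
        }
    }
}

Get-AdmxKeyReport $admx | Format-Table -AutoSize
```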
Explain how the GPMC lists the operating systems that are supported for each administrative setting.
Point out that only Windows Vista clients support many of the new settings.
Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem?
Answer: This setting applies only to Windows Vista and later operating systems.
Reference
Fixing Administrative Template policy setting problems: http://go.microsoft.com/fwlink/?LinkId=101118
Describe how account policies are actually received from the domain controller even though they are set at the domain level. The domain controller receives the policy from the winning domain-level Group Policy, and then passes it to clients.
Other security settings come from the winning GPO in the normal precedence. Remember that for most security settings, the highest priority settings reign and are not cumulative.
The Group Policy results reporting tool can solve many of these problems.
Question: You have configured a password policy in a GPO, and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?
Answer: You can configure password policies for domain users only at the domain level.
Reference
Troubleshooting Group Policy application problems: http://go.microsoft.com/fwlink/?LinkId=101119
Explain that by default, logon scripts run asynchronously, and startup scripts run synchronously, but that you can change that behavior. Mention that if scripts are set to run synchronously, then a failed script can cause a computer to hang.
Check that the script is valid. Can it be run successfully outside of Group Policy?
Check share-level and NTFS permissions on the script locations. Read access is required.
Is Group Policy configured correctly? Is the script path entered correctly?
Check that the script is replicating to all the required locations. Point out that placing the script in Sysvol helps ensure that permissions will be correct, and that the script will be replicated properly.
Use Group Policy results to ensure that Group Policy is being applied correctly.
Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?
Answer: The permissions set on the network share to which the users map are the most likely problem. The drive mapping itself succeeds, even if the user does not have permission to the location.
References
Troubleshooting Group Policy application problems: http://go.microsoft.com/fwlink/?LinkId=101119
Lab objectives:
Troubleshoot Group Policy scripts.
Troubleshoot GPO Lab-11B.
Troubleshoot GPO Lab-11C.
Troubleshoot GPO Lab-11D.
Scenario:
Woodgrove Bank has completed its deployment of Windows Server 2008. As the AD DS administrator, one of your primary tasks is troubleshooting AD DS issues that have been escalated to you from the company's help desk. You are responsible for resolving issues related to Group Policy application and configuration.
This lab consists of four exercises.
Exercise 1: Troubleshooting Group Policy Scripts
The student will troubleshoot the application of GPOs for client computers and user accounts. Specific issues could include troubleshooting GPO links, security group or WMI filtering, or inheritance settings. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.
Exercise 2: Troubleshooting GPO Lab-11B
The student will troubleshoot Group Policy settings for client computers and user accounts. Specific issues could include missing settings, conflicting settings, or settings related to any of the GPO categories. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.
Exercise 3: Troubleshooting GPO Lab-11C
The student will troubleshoot Group Policy settings for client computers and user accounts. Specific issues could include missing settings, conflicting settings, or settings related to any of the GPO categories. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.
Exercise 4: Troubleshooting GPO Lab-11D
The student will troubleshoot Group Policy settings for client computers and user accounts. Specific issues could include missing settings, conflicting settings, or settings related to any of the GPO categories. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.
Inputs:
Troubleshooting tickets that have been escalated to the server team from the help desk.
Outputs:
All errors have been resolved.
Question: If a policy at the domain level is set for enforcement while another policy at the OU level with a conflicting setting also is set to be enforced, which policy setting will the OU clients receive?
Answer: Clients in the OU will receive the first enforced policy settings at the domain level. The conflicting policy setting at the lower level will be ignored, even though the policy is set to be enforced. Any other settings in the OU policy will be applied and enforced, as long as those settings do not conflict with the domain-enforced policy.
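The precedence rule in this answer, together with block inheritance from earlier in the module, modeled as an added PowerShell example (not course code). It assumes one GPO link per level, with level 0 as the domain and higher numbers as OUs closer to the client, and relies on the rule that an enforced link is not removed by Block Inheritance; the GPO names and values are constructed.

```powershell
# Added example: which GPO link wins a conflicting setting for a client in an OU.
function Resolve-GpoSetting {
    param(
        [Parameter(Mandatory)][object[]]$Link,
        [int[]]$BlockInheritanceAt = @()   # levels of OUs that have Block Inheritance set
    )
    # Block Inheritance on an OU discards non-enforced links from every level above it.
    $blockLevel = -1
    if ($BlockInheritanceAt.Count -gt 0) {
        $blockLevel = ($BlockInheritanceAt | Measure-Object -Maximum).Maximum
    }
    $effective = @($Link | Where-Object { $_.Enforced -or $_.Level -ge $blockLevel })
    $enforced  = @($effective | Where-Object { $_.Enforced })
    if ($enforced.Count -gt 0) {
        # Among enforced links, the one highest in the hierarchy (lowest level) wins.
        return $enforced | Sort-Object Level | Select-Object -First 1
    }
    # With nothing enforced, the link closest to the client is processed last and wins.
    return $effective | Sort-Object Level -Descending | Select-Object -First 1
}

function New-Link($Level, $Gpo, $Value, [bool]$Enforced) {
    [pscustomobject]@{ Level = $Level; Gpo = $Gpo; Value = $Value; Enforced = $Enforced }
}

# Constructed scenario: a domain GPO and a GPO linked to the Research OU
# configure the same setting with different values.
$d = 'Domain Baseline'
$o = 'Research OU Policy'
$cases = [ordered]@{
    'both enforced'            = @{ Link = @((New-Link 0 $d 600 $true),  (New-Link 1 $o 900 $true)) }
    'neither enforced'         = @{ Link = @((New-Link 0 $d 600 $false), (New-Link 1 $o 900 $false)) }
    'OU blocks inheritance'    = @{ Link = @((New-Link 0 $d 600 $false)); BlockInheritanceAt = 1 }
    'blocked, domain enforced' = @{ Link = @((New-Link 0 $d 600 $true),  (New-Link 1 $o 900 $false))
                                    BlockInheritanceAt = 1 }
}

foreach ($name in $cases.Keys) {
    $caseArgs = $cases[$name]
    $winner   = Resolve-GpoSetting @caseArgs
    $result   = if ($winner) { "$($winner.Gpo) (value $($winner.Value))" } else { 'no GPO applies' }
    '{0,-26} -> {1}' -f $name, $result
}
```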
Question: If you use group policy to configure the slow-link detection threshold to be zero, what does that indicate?
Answer: A slow-link threshold of zero indicates that all connections are considered fast.
Review Questions and Answers:
What tool can test DNS name resolution?
A. NSlookup
B. DCdiag
C. GPResult
D. Ping
Answer: A: NSlookup will test DNS name resolution.
What log will give folder redirection details?
Answer: You can enable the FDdeploy.log to provide information about folder redirection.
What visual indicator in the GPMC designates that inheritance has been blocked?
Answer: The visual indicator is a blue exclamation mark on the OU where inheritance is being blocked.
What GPO settings are applied across slow links by default? Choose all that apply:
A. Scripts policies
B. Security settings
C. Administrative settings
D. Internet Explorer Maintenance
E. EFS Recovery Policy
F. IPSec Policy
Answer: B, C, and E -- security settings, administrative settings, and recovery policy.