6425A_11


    Module 11: Troubleshooting Group Policy Issues

    Course 6425A


    Explain that there are two main problem areas that can occur with Group Policy processing: either policies are not applied to the client, or policies are applied, but the results are inconsistent or incorrect.

    Discuss that troubleshooting Group Policy issues requires a good understanding of the underlying process that delivers Group Policy to clients.

    Explain that Group Policy has two distinct phases:

    Core Group Policy processing. When a client begins to process Group Policy, it must determine whether it can reach a domain controller, whether any Group Policy objects (GPOs) have changed, and what policy settings (based on client-side extension) must be processed. The core Group Policy engine performs this processing in the initial phase.

    Client-side extension (CSE) processing. Policy settings are grouped into different categories, such as Administrative Templates, Security Settings, Folder Redirection, Disk Quota, and Software Installation. The settings in each category require a specific CSE to process them, and each CSE has its own rules for processing settings. The core Group Policy engine calls the CSEs that are required to process the settings that apply to the client. The exception is security policies, which are refreshed every 16 hours regardless of whether they have changed.

    It is important to understand that Group Policy is mainly a client-side event. The client pulls the policies; the server does not push them.

    References

    Group Policy Troubleshooting: http://go.microsoft.com/fwlink/?LinkId=101100


    Explain how to use basic diagnostic tools to check for problem causes other than Group Policy errors:

    Netdiag

    Ping

    NSlookup

    DCdiag

    Set

    Kerbtray

    Demonstrate the basic function of these diagnostic tools.

    Question: What diagnostic tool could you use to determine lease expiration of a Dynamic Host Configuration Protocol (DHCP) address that has been issued to a client computer?

    Answer: IPConfig /all will provide DHCP lease information.

    References

    Troubleshooting Your Systems with Network Diagnostics: http://go.microsoft.com/fwlink/?LinkId=101101

    Using NSlookup.exe: http://go.microsoft.com/fwlink/?LinkId=101102

    Unable to access domain controller: http://go.microsoft.com/fwlink/?LinkId=101103

    Kerbtray.exe: Kerberos Tray: http://go.microsoft.com/fwlink/?LinkId=101104


    Explain that after checking network connectivity, you should verify whether a problem can be traced to core Group Policy. Describe the range of troubleshooting tools that are available to assist in resolving policy issues.

    Basic troubleshooting steps include:

    Use Group Policy reporting to check Group Policy results on the client computer. Explain that this is one of the main troubleshooting tools, and often reveals the problem without having to use any other tools.

    Check Group Policy exceptions. Verify that exceptions (scope of management), such as security filtering, WMI filters, block inheritance, enforcement, loopback processing, and slow link settings, are not affecting normal GPO processing.

    Use tools such as GPResult.exe, GPOTool.exe, and the Group Policy Management Console (GPMC) to ensure that Group Policy settings that are expected to be delivered actually are delivered, and that Group Policy objects on domain controllers are consistent and available. (Note: GPResult.exe and GPOTool.exe must be downloaded separately.)

    Use Dcgpofix to repair the default domain policy.

    Use event, userenv, and CSE logs to analyze the problem and find a solution.

    In Windows Vista and later versions, you can use GPOLogView to aggregate events from the Group Policy operational logs into a single view.

    Installing the GPMC also installs a number of scripts to perform basic Group Policy management and maintenance.

    References

    Group Policy Modeling and Results: http://go.microsoft.com/fwlink/?LinkId=101105

    How to manually create Default Domain GPO: http://go.microsoft.com/fwlink/?LinkId=101106

    GPOTool (from Win2K Server Resource Kit): http://go.microsoft.com/fwlink/?LinkId=101107

    Refresh Group Policy settings with GPUpdate.exe: http://go.microsoft.com/fwlink/?LinkId=101108

    Fixing Group Policy problems by using log files: http://go.microsoft.com/fwlink/?LinkId=101109


    To complete this demonstration, you will need to have the 6425A-NYC-DC1 virtual machine running.

    1. On NYC-DC1, open a command prompt, run Gpresult, and then discuss some of the switches available.

    2. Run Gpresult /R, and then discuss the results.

    3. Run Gpresult /R /V, and then show the results of verbose mode.

    4. From the C:\Program files\Windows Resource Kits\Tools directory, run GPOTool.exe, and then discuss the results.

    5. Show the switches available for the GPupdate command, and then run the GPupdate /force command.

    6. From the C:\Program files\GroupPolicy Logview directory, run gplogview.exe, and then discuss the switches available.

    7. Output the events to a text file by typing gplogview -o gpevents.txt, and then examine the output file.

    8. Run gplogview in monitor mode by typing gplogview -m -n.

    9. Launch a second command prompt, run gpupdate /force, and then examine the results in the monitor window.

    Demonstration question:

    Question: What steps must you take prior to running Group Policy reporting RSoP on a remote computer?

    You must ensure that the remote procedure call (RPC) service is available on the remote client. You can do this by modifying the Windows Firewall manually, or through a Group Policy setting that allows remote administration.


    Review the role of inheritance and the effects of blocking inheritance. Explain that the Group Policy results report will list the GPOs that are applied, and those that are blocked. If entire sections of OUs are not receiving policies, it may be due to inheritance blocking.

    Question: Are there scenarios in your organization that would benefit from blocking inheritance?

    Answers will vary.

    Reference

    Fixing Core Group Policy problems: http://go.microsoft.com/fwlink/?LinkId=101110


    Explain that Group Policy filtering may appear to look like inconsistent policy application in an OU. If some users or groups have filtering applied, then they will not receive policies that other users in the same OU are receiving. Again, the Group Policy results report will provide information about which policies are being applied.

    Question: You have applied security filtering to limit the GPO to apply only to the Managers group. You did this by setting the following GPO permissions:

    Authenticated Users are denied the Apply Group Policy permission.

    The Managers group has been granted Read and Apply Group Policy permission.

    None of the Managers are receiving the GPO settings. What is the problem?

    Answer: Because deny permission overrides any allow permissions, the denial of Authenticated Users is preventing anyone from getting the GPO settings.

    Reference

    Group Policy Troubleshooting

    http://go.microsoft.com/fwlink/?LinkId=101100
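
    The security-filtering question above, worked through as an added example that is not part of the course material. It models only the Read and Apply Group Policy permissions; the function names, user tokens and the corrected ACL are assumptions made for illustration.

```powershell
# Added example, not course material. It models only the two GPO permissions
# the question discusses; tokens and the corrected ACL are constructed.

function New-Ace ($Trustee, $Right, $Type) {
    [pscustomobject]@{ Trustee = $Trustee; Right = $Right; Type = $Type }
}

function Test-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][object[]]$Ace,       # Trustee, Right, Type (Allow/Deny)
        [Parameter(Mandatory)][string[]]$MemberOf   # every group in the user's token
    )
    # A GPO applies only if the user ends up with both Read and Apply Group Policy.
    foreach ($right in 'Read', 'Apply Group Policy') {
        $hits = @($Ace | Where-Object { $_.Right -eq $right -and $MemberOf -contains $_.Trustee })
        $deny = @($hits | Where-Object { $_.Type -eq 'Deny' })
        if ($deny.Count -gt 0) {
            # Deny is checked first: one matching deny beats any number of allows.
            return [pscustomobject]@{
                Applies = $false
                Reason  = "'$right' denied through $($deny[0].Trustee)"
            }
        }
        if (@($hits | Where-Object { $_.Type -eq 'Allow' }).Count -eq 0) {
            return [pscustomobject]@{ Applies = $false; Reason = "no allow for '$right'" }
        }
    }
    [pscustomobject]@{ Applies = $true; Reason = 'Read and Apply Group Policy allowed' }
}

# ACL exactly as described in the question.
$asConfigured = @(
    New-Ace 'Authenticated Users' 'Apply Group Policy' 'Deny'
    New-Ace 'Managers'            'Read'               'Allow'
    New-Ace 'Managers'            'Apply Group Policy' 'Allow'
)
# Assumed correction: take Apply away from Authenticated Users instead of denying it.
$corrected = @(
    New-Ace 'Authenticated Users' 'Read'               'Allow'
    New-Ace 'Managers'            'Read'               'Allow'
    New-Ace 'Managers'            'Apply Group Policy' 'Allow'
)

# Every domain user, managers included, is a member of Authenticated Users.
$manager = 'Managers', 'Authenticated Users', 'Domain Users'
$staff   = 'Authenticated Users', 'Domain Users'

$cases = @(
    @{ Label = 'as configured / manager'; Ace = $asConfigured; Token = $manager }
    @{ Label = 'corrected / manager';     Ace = $corrected;    Token = $manager }
    @{ Label = 'corrected / other staff'; Ace = $corrected;    Token = $staff }
)
foreach ($c in $cases) {
    $r = Test-GpoSecurityFilter -Ace $c.Ace -MemberOf $c.Token
    '{0,-26} Applies={1,-5} ({2})' -f $c.Label, $r.Applies, $r.Reason
}
```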


    Replication issues can prevent clients from obtaining new GPO settings. Domain controllers that have replication problems will be unaware that a GPO's version number has increased. Therefore, when a client queries and compares the last GPO's version number it received to the current version number, the client will believe that there have not been any GPO changes.

    Explain that if you suspect replication issues are causing Group Policy issues, the GPOTool can check for consistency of policies across all domain controllers.

    Mention the replication monitor in the server support tools. Point out that you can use this tool to force replication.

    Question: What tool can you use to force replication across all domain controllers in the domain?

    Answer: Replication Monitor can force all domain controllers to replicate.

    Reference

    GPOTool (from Win2K Server Resource Kit): http://go.microsoft.com/fwlink/?LinkId=101107
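
    The version comparison described above, sketched as an added example that is not part of the course material and is not GPOTool's own code. It assumes each domain controller's copy of one GPO has already been collected into a record; DC2-EXAMPLE, DC3-EXAMPLE, the function names and all version values are constructed.

```powershell
# Added example, not course material. DC2-EXAMPLE, DC3-EXAMPLE and all version
# values are constructed. On a real DC, DsVersion is the versionNumber attribute
# of the GPO's groupPolicyContainer object and GptIni is the GPO's gpt.ini in SYSVOL.

function ConvertFrom-GpoVersion {
    # One 32-bit number: user version in the high 16 bits, computer in the low 16.
    param([Parameter(Mandatory)][long]$Version)
    '{0} user / {1} computer' -f ($Version -shr 16), ($Version -band 0xFFFF)
}

function Get-GptIniVersion {
    param([Parameter(Mandatory)][string]$GptIniText)
    if ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') { return [long]$Matches[1] }
    throw 'gpt.ini has no Version= line'
}

function Test-GpoVersionConsistency {
    param([Parameter(Mandatory)][object[]]$DcRecord)

    $rows = foreach ($dc in $DcRecord) {
        [pscustomobject]@{
            DC     = $dc.Name
            Ds     = [long]$dc.DsVersion
            Sysvol = Get-GptIniVersion -GptIniText $dc.GptIni
        }
    }
    # Versions only increase, so the highest directory value seen is the newest edit.
    $newest = [long]($rows | Measure-Object -Property Ds -Maximum).Maximum

    foreach ($r in $rows) {
        $status = if ($r.Ds -ne $r.Sysvol) {
            'AD and SYSVOL copies differ on this DC'
        } elseif ($r.Ds -lt $newest) {
            'Stale: a client asking this DC sees no change'
        } else {
            'Current'
        }
        [pscustomobject]@{
            DC     = $r.DC
            AD     = ConvertFrom-GpoVersion $r.Ds
            SYSVOL = ConvertFrom-GpoVersion $r.Sysvol
            Status = $status
        }
    }
}

# Constructed snapshot of one GPO as three domain controllers hold it.
$sample = @(
    [pscustomobject]@{ Name = 'NYC-DC1';     DsVersion = 196613; GptIni = "[General]`r`nVersion=196613" }
    [pscustomobject]@{ Name = 'DC2-EXAMPLE'; DsVersion = 196612; GptIni = "[General]`r`nVersion=196612" }
    [pscustomobject]@{ Name = 'DC3-EXAMPLE'; DsVersion = 196613; GptIni = "[General]`r`nVersion=196612" }
)
Test-GpoVersionConsistency -DcRecord $sample | Format-Table -AutoSize
```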


    Explain that if Group Policy is not refreshing on a client as expected, you should check the refresh interval for each Group Policy. Explain that most settings require a logoff or a restart of the machine to take effect.

    Remind students that Windows XP and Windows Vista clients log on with cached credentials by default. Therefore, many Group Policy settings will take two logons before being applied. Mention that the Always wait for network at computer startup and logon setting will change that behavior.

    Explain that you can use GPUpdate.exe to force the refresh of Group Policy. Describe the general use and the switches available for GPUpdate.

    Question: You have implemented folder redirection for a particular OU. Some users report that their folders are not redirecting to the network share. What is the first step you should take to resolve the problem?

    Answer: Folder redirection is applied only at logon, so ensure that users have logged off and logged on twice, to determine that cached credentials are not the issue.

    Reference

    Refresh Group Policy settings with GPUpdate.exe: http://go.microsoft.com/fwlink/?LinkId=101108


    Work with the students to create a flowchart for troubleshooting Group Policy application, using the one on the slide as an example.

    Provide two or three scenario questions. For example: GPO is not being applied to a user in a specific site. Why?

    Work through the scenario and create the flowchart with the students. At each step, refer to specific tools that you can use to identify issues and what tools you can use to verify the configuration.

    Use the flowchart as a reference.

    Suggested scenarios:

    Some users in an OU receive the policy while others do not.
    Solution: Security or WMI filtering may be in place. RSoP can provide details.

    Users in a remote site receive some policies, but not all of them.
    Solution: Slow link detection may be responsible. Check that it truly is a slow link and not an Internet Control Message Protocol (ICMP) blocking issue. If you need the policy to apply, you may need to configure the CSE to apply across a slow link.

    An entire subtree of OUs is not receiving any domain-level policies.
    Solution: Inheritance is most likely responsible when entire OUs do not receive any high-level policies. RSoP or the GPMC console can provide information.

    One user is getting policy settings that no one else is getting.
    Solution: Check that loopback or local policy are not in effect. RSoP will provide information.

    One user is having settings applied that no one else is receiving. What might be the issue and how would you start troubleshooting?

    Answer: The problem might be a result of a local Group Policy setting on the computer. Local policies are applied if there are no domain policies that change them. Group Policy reporting (RSoP) reveals these issues.


    Explain that client-side extensions (CSEs) are dynamic-link libraries (DLLs) that process Group Policy settings. The core Group Policy process calls the appropriate CSEs to process those settings. Some CSEs behave differently under different circumstances. For example, a number of CSEs do not process if a slow link is detected.

    Point out that security settings and Administrative Templates are always applied and cannot be turned off. Other CSEs can have their behavior controlled across slow links.

    Question: Users in a branch office log on across a slow modem connection. You want folder redirection to be applied to them even across the slow link. How would you accomplish this?

    Answer: You would configure the folder redirection CSE to be enabled across slow links.

    References

    Identifying Group Policy Client-Side Extensions: http://go.microsoft.com/fwlink/?LinkId=101115

    Computer Policy for Client-side Extensions: http://go.microsoft.com/fwlink/?LinkId=101116

    Group Policy and Network Bandwidth: http://go.microsoft.com/fwlink/?LinkId=101117


    Explain the difference between a true policy and a preference. A true policy is a registry setting that lives either under \Software\Policies or \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies in the registry (in HKLM for machine policy settings, and HKCU for user policy settings). All other registry values are called preferences. Ordinary users do not have the right to modify these registry areas. True policies apply values to these areas and remove those values when the policy is removed.

    In contrast, settings that users can configure, or that reflect the default state of the operating system at installation time, are known as preferences.

    Mention that both true policies and preferences contain information that modifies the registry on users' computers. True policy settings take precedence over preference settings. Preferences are set by the user or by the operating system at installation time.

    Explain that the registry values that store preferences are located outside the approved Group Policy keys. Users typically can change their preferences at any time. For example, users can decide to set their wallpaper to a different bitmap. It is possible for an administrator to write an ADM or ADMX file that sets registry values outside of the approved Group Policy registry trees. When the GPO goes out of scope (meaning it is unlinked, disabled, or deleted), these values are not removed from the registry. For this reason, true policies are considered to be policy settings that you can manage fully. By default, the Group Policy Object Editor only shows policy settings that you can manage fully.

    To view preferences in the Group Policy Object Editor, click the Administrative Templates node, click View, click Filtering, and then clear the Only show policy settings that can be fully managed check box.

    Explain how the GPMC lists the operating systems that are supported for each administrative setting.

    Point out that only Windows Vista clients support many of the new settings.

    Question: Your network has a mixture of Windows XP and Windows Vista computers. You have configured the Administrative Template to remove the games link from the Start Menu, but only the Windows Vista computers are enforcing the setting. What is the problem?

    Answer: This setting applies only to Windows Vista and later operating systems.

    Reference

    Fixing Administrative Template policy setting problems: http://go.microsoft.com/fwlink/?LinkId=101118
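
    The true policy versus preference rule above, as an added example that is not part of the course material: it sorts the registry keys a custom ADM or ADMX template writes to by whether they fall under the two approved policy trees. The function name and the sample paths are constructed for illustration.

```powershell
# Added example, not course material. Sample paths are constructed; the
# PoliciesBackup key is a deliberate near-miss and does not exist by default.

# The two approved policy trees named in the text, relative to HKLM or HKCU.
$PolicyRoots = 'Software\Policies', 'Software\Microsoft\Windows\CurrentVersion\Policies'

function Get-RegistrySettingKind {
    param([Parameter(Mandatory)][string]$Path)

    $pattern = '^(?<hive>HKLM|HKCU|HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER):?\\+(?<sub>.+)$'
    if (-not ($Path -match $pattern)) { throw "Unsupported registry path: $Path" }
    $hive = $Matches['hive']
    $sub  = $Matches['sub'].Trim('\')

    $scope = if ($hive -in 'HKLM', 'HKEY_LOCAL_MACHINE') { 'Machine' } else { 'User' }

    # Match on a key boundary so Software\PoliciesBackup is not mistaken
    # for Software\Policies. Registry key names are case-insensitive.
    $isPolicy = $false
    foreach ($root in $PolicyRoots) {
        if ($sub -eq $root -or
            $sub.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            $isPolicy = $true
        }
    }

    [pscustomobject]@{
        Path  = $Path
        Scope = $scope
        Kind  = if ($isPolicy) { 'True policy' } else { 'Preference' }
        # Only values under the approved trees are removed when the GPO
        # is unlinked, disabled, or deleted.
        RemovedWhenGpoOutOfScope = $isPolicy
    }
}

$templateKeys = @(
    'HKLM\Software\Policies\Microsoft\Windows\System'
    'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    'HKCU:\Control Panel\Desktop'                  # where the wallpaper preference is stored
    'HKLM\Software\PoliciesBackup\Contoso'         # near-miss: not under Software\Policies
)
$templateKeys | ForEach-Object { Get-RegistrySettingKind -Path $_ } | Format-Table -AutoSize
```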


    Describe how account policies are actually received from the domain controller even though they are set at the domain level. The domain controller receives the policy from the winning domain-level Group Policy, and then passes it to clients.

    Other security settings come from the winning GPO in the normal precedence. Remember that for most security settings, the highest priority settings reign and are not cumulative.

    The Group Policy results reporting tool can solve many of these problems.

    Question: You have configured a password policy in a GPO, and linked that policy to the Research OU. The policy is not affecting domain users in the OU. What is the problem?

    Answer: You can configure password policies for domain users only at the domain level.

    Reference

    Troubleshooting Group Policy application problems: http://go.microsoft.com/fwlink/?LinkId=101119


    Explain that by default, logon scripts run asynchronously, and startup scripts run synchronously, but that you can change that behavior. Mention that if scripts are set to run synchronously, then a failed script can cause a computer to hang.

    Check that the script is valid. Can it be run successfully outside of Group Policy?

    Check share-level and NTFS permissions on the script locations. Read access is required.

    Is Group Policy configured correctly? Is the script path entered correctly?

    Check that the script is replicating to all the required locations. Point out that placing the script in Sysvol helps ensure that permissions will be correct, and that the script will be replicated properly.

    Use Group Policy results to ensure that Group Policy is being applied correctly.

    Question: A logon script is assigned to an OU. The script executes properly for all users, but some users report that they get an access-denied message when they try to access the mapped drive. What is the problem?

    Answer: The permissions set on the network share to which the users map are the most likely problem. The drive mapping itself succeeds, even if the user does not have permission to the location.

    References

    Troubleshooting Group Policy application problems: http://go.microsoft.com/fwlink/?LinkId=101119


    Lab objectives:

    Troubleshoot Group Policy scripts.

    Troubleshoot GPO Lab-11B.

    Troubleshoot GPO Lab-11C.

    Troubleshoot GPO Lab-11D.

    Scenario:

    Woodgrove Bank has completed its deployment of Windows Server 2008. As the AD DS administrator, one of your primary tasks is troubleshooting AD DS issues that have been escalated to you from the company's help desk. You are responsible for resolving issues related to Group Policy application and configuration.

    This lab consists of four exercises.

    Exercise 1: Troubleshooting Group Policy Scripts

    The student will troubleshoot the application of GPOs for client computers and user accounts. Specific issues could include troubleshooting GPO links, security group or WMI filtering, or inheritance settings. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.

    Exercise 2: Troubleshooting GPO Lab-11B

    The student will troubleshoot Group Policy settings for client computers and user accounts. Specific issues could include missing settings, conflicting settings, or settings related to any of the GPO categories. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.

    Exercise 3: Troubleshooting GPO Lab-11C

    The student will troubleshoot Group Policy settings for client computers and user accounts. Specific issues could include missing settings, conflicting settings, or settings related to any of the GPO categories. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.

    Exercise 4: Troubleshooting GPO Lab-11D

    The student will troubleshoot Group Policy settings for client computers and user accounts. Specific issues could include missing settings, conflicting settings, or settings related to any of the GPO categories. Students will receive several troubleshooting tickets describing the issues, and then must resolve the issue and verify its resolution.

    Inputs:

    Troubleshooting tickets that have been escalated to the server team from the help desk.

    Outputs:

    All errors have been resolved.


    Question: If a policy at the domain level is set for enforcement while another policy at the OU level with a conflicting setting also is set to be enforced, which policy setting will the OU clients receive?

    Answer: Clients in the OU will receive the first enforced policy settings at the domain level. The conflicting policy setting at the lower level will be ignored, even though the policy is set to be enforced. Any other settings in the OU policy will be applied and enforced, as long as those settings do not conflict with the domain-enforced policy.

    Question: If you use group policy to configure the slow-link detection threshold to be zero, what does that indicate?

    Answer: A slow-link threshold of zero indicates that all connections are considered fast.


    Review Questions and Answers:

    What tool can test DNS name resolution?

    A. NSlookup

    B. DCdiag

    C. GPResult

    D. Ping

    Answer: A: NSlookup will test DNS name resolution.

    What log will give folder redirection details?

    Answer: You can enable the FDdeploy.log to provide information about folder redirection.

    What visual indicator in the GPMC designates that inheritance has been blocked?

    Answer: The visual indicator is a blue exclamation mark on the OU where inheritance is being blocked.

    What GPO settings are applied across slow links by default? Choose all that apply:

    A. Scripts policies

    B. Security settings

    C. Administrative settings

    D. Internet Explorer Maintenance

    E. EFS Recovery Policy

    F. IPSec Policy

    Answer: B, C, and E -- security settings, administrative settings, and recovery policy.