After you have verified that the core configuration and infrastructure required for proper Group Policy processing are functional and available, the next step is to use the Group Policy troubleshooting tools to try to further isolate the problem. The best place to start is with tools that report on RSoP for a given computer and user. The two main tools for doing this are the Group Policy Results Wizard and the Gpresult command-line utility. Other useful tools include Gpotool, which can help you verify the health of the GPC and GPT, and Group Policy Monitor, which allows you to centralize and automate collection of Group Policy Results reports.
Chapter 2 and Chapter 3 introduced RSoP and the Group Policy Results Wizard. The Group Policy Results Wizard (which you access by right-clicking the Group Policy Results node within the GPMC console) allows you to connect to a remote Windows computer to determine what Group Policy processing occurred for a given user on that computer during the last Group Policy processing cycle. This mechanism is known as RSoP logging mode.
Note
RSoP logging uses the WMI-based RSoP infrastructure available in Windows XP and Windows Server 2003 to remotely obtain this RSoP logging data. Group Policy processing, running under the Winlogon process, calls CSEs to perform policy processing. These CSEs send their RSoP data to the WMI CIMOM database. The GPMC then requests the RSoP data from the CIMOM database for reporting in HTML format.
To use the Group Policy Results Wizard to obtain RSoP logging data from a remote user and computer, complete these steps:
In the GPMC, right-click the Group Policy Results node, and then select Group Policy Results Wizard.
When the Group Policy Results Wizard starts, click Next. On the Computer Selection page, select Local Computer to view information for the local computer. If you want to view information for a remote computer, select Another Computer and then click Browse. In the Select Computer dialog box, type the name of the computer, and then click Check Names. Once the correct computer account is selected, click OK.
Tip
If you are unable to connect to the remote computer to run the Group Policy Results Wizard, Windows Firewall running on the remote computer might be preventing the appropriate network traffic from being passed. You can allow this kind of administrative traffic using Remote Administration Exception policy. See "Allowing Remote Administration Exceptions" in Chapter 11 for details.
By default, both user and computer policy settings are logged. If you want to see results only for user policy settings, select Do Not Display Policy Settings For The Selected Computer.
In the wizard, click Next. On the User Selection page, select the user whose policy information you want to view. You can view policy information for any user who has logged on to the computer.
If you want to see results only for computer policy settings, select Do Not Display User Policy Settings.
To complete the modeling, click Next twice, and then click Finish. The wizard generates a report and displays it in the Details pane.
Right-click the report in the left pane to perform additional management of the report. The options include:
Advanced View. Provides a modified view of the policy settings that have been applied in a separate window
Rerun Query. Allows you to rerun your original query, which can update the report to reflect the most current policy processing for a remote user and computer
Save Report. Allows you to save the report for later reference
The information provided by the Group Policy Results Wizard can be very useful for troubleshooting Group Policy processing issues. Every results report has three tabs (Summary, Settings, and Policy Events) as well as an advanced view.
The Summary tab provides information about core Group Policy processing on the target system. Similar information is provided for both computer-specific and user-specific policies. You can click the Show All link to view all of the aspects of this tab.
As Figure 16-4 shows, the summary information is organized into five subcategories:
General. Provides information about the computer that is being queried for RSoP information, the domain the computer resides in, the site the computer was found in (for site-linked Group Policy), and the date and time of the last Group Policy processing cycle (foreground or background).
Group Policy Objects. Provides information as to the computer-specific GPOs that have been applied to this computer or denied. The list of applied GPOs shows the name of the GPO, where it was linked when it was applied, and the number of revisions in both the GPC (referred to as AD) and GPT (referred to as SYSVOL) portions of the GPO. If the GPC and GPT version numbers are different for a given GPO, this might indicate Active Directory or FRS replication problems.
The list of GPOs that have been denied includes the reason for the denial. A GPO might be denied because it’s empty (for example, no policy settings have been made within it), because security group filtering prevents the computer (or user) from processing it, or because of a WMI filter that blocks processing.
Security Group Membership When Group Policy Was Applied. Lists the members of all groups the computer (or user) was a member of when Group Policy processing last occurred. You can use this information to determine why security group filtering might or might not be working for a particular GPO.
WMI Filters. Shows any WMI filters linked to GPOs that are processed by the computer and the result of the filter as it was evaluated for that computer (or user). WMI filters can affect whether a particular GPO is being processed. If a WMI returns a false value, the GPO that it is linked to will not be processed.
Component Status. Shows whether core Group Policy processing succeeded and whether each CSE that was processed succeeded. It also shows the date and time that core processing and each CSE processing cycle last ran.
Note
The reported run times in the Component Status section will not always be the same, and that is OK. For example, core GP processing runs during every background and foreground processing cycle, but some CSEs might not process any GPOs if none of the GPOs containing those settings has changed since the last processing cycle. Therefore, if each CSE listed in this section has a different time, this does not necessarily indicate a problem.
Tip
What you are looking for in the Component Status section is a failure status on one or more elements of policy processing. For example, if core policy processing fails, this usually indicates a failure of some part of the policy infrastructure or related components. Failure of a particular CSE can mean any number of things, including corrupted policy data for that CSE or a problem reading a GPO containing those policy settings. The next step for drilling into CSE problems is to look at the various logs that are available for that CSE. We’ll examine this in the "Group Policy Logging" section later in this chapter.
The Settings tab provides detailed information about which policy settings have been made on a given computer or for a given user. You can drill down through each section by clicking the Show link, or you can click the Show All link to expand all the sections. Within the subsections, each policy setting that has been applied is listed by name, along with its status (Enabled or Disabled) and the "winning" GPO that delivered that setting (Figure 16-5).
The Settings details are valuable for confirming that a particular policy setting is indeed being made, and also for letting you know whether the right GPO is being applied or whether some issue is preventing the correct GPO from winning for a particular setting. You can use this information in conjunction with the information on the Summary tab to determine why a particular setting is not being applied as expected.
The Policy Events tab lists events retrieved from the computer against which the Group Policy Results Wizard was run. These events are retrieved from the application event log on the remote machine and are specific to Group Policy processing. Figure 16-6 shows an example.
What makes the Policy Events tab so useful is that the events shown represent a filtered view of the remote computer’s application event log—only Group Policy–related events are shown. We’ll look in more detail at application event logs related to Group Policy shortly, but this tab can give you a quick indication of any problems related to both core and CSE-specific Group Policy processing. A quick glance at this tab after running the wizard can point out obvious errors that need to be addressed before policy processing can succeed.
If you right-click a particular Group Policy Results report in the left-hand pane and select Advanced View, you can access a modified view of the policy settings that have been applied in a separate Microsoft Management Console (MMC) window. As Figure 16-7 shows, the advanced view is similar to the view provided in the Group Policy Object Editor. The key difference is that the advanced view shows only the policy settings that have been delivered to the computer and user. The source or origin GPO is also listed for every policy setting.
Tip
You can see the advanced view on a local computer by typing rsop.msc at a command prompt. When run on the local computer, RSoP logging is performed automatically against the local computer and the currently logged-on user. This means you don’t need to generate a report manually for a local computer—the report is generated automatically when you start Rsop.msc. Rsop.msc is only available on computers running Windows XP Professional and later.
If, after running the Group Policy Results Wizard, you want to see whether the next Group Policy processing cycle might fix the problem, you can force a background refresh of Group Policy using Gpupdate. Type the following command:
gpupdate /forceThis command reapplies all Group Policy to the user and computer, regardless of whether the GPO has changed since the last processing cycle. After you refresh policy, you can right-click the Group Policy Results report in the GPMC and select the Rerun option. The GPMC will recollect RSoP logging data from the computer and user in question.
Gpresult is essentially identical to the GPMC-based Group Policy Results Wizard. The significant difference is that Gpresult is a command-line tool, which means you can easily incorporate it into automation scripts that perform periodic queries against computers and users to determine Group Policy status. Gpresult.exe is a standard part of Windows XP and Windows Server 2003 and provides a number of command-line options.
Gpresult is pretty straightforward to use. The basic syntax is as follows:
gpresult /s ComputerName /user DomainUserNameComputerName is the name of the remote computer for which you want to log policy results and DomainUserName indicates the remote user. For example, if you want to perform RSoP logging against a remote computer called engpc07 and return RSoP logging information for the user wrstanek in the CPANDL domain, you can type the following command:
gpresult /s engpc07 /user cpandlwrstanekYou will see only the summary information about which GPOs were applied or denied and group membership information. You won’t see the equivalent of the Group Policy Results Wizard Settings tab. To get the same level of detail as the GPMC’s Group Policy Results Wizard, you must use the /v or /z option. The difference between these two verbose options is that if a policy setting has conflicting settings from multiple GPOs, the /v option shows only the setting delivered by the winning GPO and the /z option shows the setting of the winning GPO and any other GPOs that have set that policy.
Tip
If you need to run Gpresult within the context of another user, such as when you use an administrative account, you can use the /u and /p options to provide the account and password for the alternate user context. If you use the /scope user or /scope computer option, you can specify that you want to report on only user or computer policy settings.
As with the Group Policy Results Wizard, Gpresult.exe is useful for viewing the results of Group Policy processing to determine whether certain policies have been applied and if not, why not. In verbose mode, Gpresult provides just about the same information that the Group Policy Results Wizard does, with a few exceptions. Specifically, Gpresult provides some additional useful configuration information about the computer you are querying, such as the computer’s operating system version and whether the computer and user policies were processed over a slow link. As an example, the following listing shows a snippet of the first part of a Gpresult listing with this additional information:
OS Type: Microsoft(R) Windows(R) Server 2003, Standard Edition OS Configuration: Primary Domain Controller OS Version: 5.2.3790 Terminal Server Mode: Remote Administration Site Name: Default-First-Site-Name Roaming Profile: Local Profile: C:Documents and SettingsAdministrator Connected over a slow link?: No
Since calling Gpresult using one of the verbose modes can result in a large amount of data, especially in environments with many GPOs, it is easier to redirect the output of this command to a text file, using the syntax shown here:
gpresult /s engpc07 /user cpandlwrstanek /z > gplogging.txtWhen you want to examine the health of Group Policy on your domain controllers, the Group Policy verification tool, Gpotool, is particularly useful. This command-line utility is included in the Windows Server 2003 Resource Kit and is useful for troubleshooting problems with the server-side aspects of Group Policy. It’s a good idea to run this tool early in your troubleshooting process to verify that there are no problems with the GPOs themselves.
You can use Gpotool in two key ways: to scan all GPOs in your domain across all domain controllers or to query specific GPOs on specific domain controllers. The first technique is useful if you are trying to determine whether there is a problem with the server-side health of Group Policy. The second technique is useful if you believe that there are problems with GPOs on specific domain controllers. Gpotool looks at both the GPC and GPT to verify consistency and version numbers between the GPC and GPT. It also reports on any options that have been enabled on a given GPO (for example, disabled or user disabled only).
Using Gpotool to check all GPOs in the current (logon) domain is fairly straightforward. You simply type gpotool at a command prompt. Gpotool then verifies the consistency of the GPC and GPT, checks permissions on the GPT, and checks the GPC and GPT version numbers to ensure that there are no problems. If there are no problems with the GPOs, the report looks similar to the following:
Validating DCs... Available DCs: corpsvr04.cpandl.com ... corpsvr25.cpandl.com Searching for policies... Found 14 policies ============================================================ Policy {0BF0F7D6-0245-4133-BC78-B98AFBA21F48} Friendly name: Engineering Policy Policy OK ============================================================ Policy {0C5F4FAF-8749-4EDC-9BC9-9B729DB5DD4F} Friendly name: General Sites Policy Policy OK ============================================================ ... ============================================================ Policy {F9D36F52-E28D-4D54-87DB-9DFFBE9EAB73} Friendly name: Support Policy Policy OK ============================================================ Policies OK
If consistency problems are found, a verbose listing of the GPO in question is provided, along with the specific issues and errors. In the following example, the Engineering Policy GPO has a version discrepancy between the GPT and GPC:
Validating DCs... Available DCs: corpsvr04.cpandl.com Searching for policies... Found 14 policies ============================================================ Policy {0BF0F7D6-0245-4133-BC78-B98AFBA21F48} Error: Version mismatch on corpsvr04.cpandl.com, DS=1, sysvol=889 Friendly name: Engineering Policy Details: ------------------------------------------------------------ DC: corpsvr04.cpandl.com Friendly name: Engineering Policy Created: 12/10/2004 8:08:46 PM Changed: 12/10/2004 8:18:11 PM DS version: 16384000(user) 720(machine) Sysvol version: 16384000 (user) 889(machine) Flags: 0 (user side enabled; machine side enabled) User extensions: not found Machine extensions: [{0ACDD40C-75AC-47AB-BAA0-BF6DE7E7FE63}{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}] Functionality version: 2 ------------------------------------------------------------ ============================================================ Policy {0C5F4FAF-8749-4EDC-9BC9-9B729DB5DD4F} Friendly name: General Sites Policy Policy OK ============================================================ ... ============================================================ Policy {F9D36F52-E28D-4D54-87DB-9DFFBE9EAB73} Friendly name: Support Policy Policy OK ============================================================ Errors found
The version discrepancy tells you there is something wrong and that you should dig deeper to find out what it is. It might indicate a problem with replicating GPT changes or a problem with the file system itself. Because SYSVOL changes are replicated using the File Replication Service (FRS), the FRS is a likely suspect. However, your troubleshooting should start with a look at the GPT itself and the required services. For example, permissions on the GPT might be incorrect, the disk might be full, or there might be corruption on the disk. The File Replication Service or the Distributed File System service might also have stopped.
By default, Gpotool doesn’t check the permissions on the SYSVOL. You can check permissions on the SYSVOL by adding the /CHECKACL option, as shown here:
gpotool /checkaclUnfortunately, Gpotool checks permissions only on the SYSVOL. The permissions on subfolders within the SYSVOL are not checked. Still, if SYSVOL permissions were accidentally changed, this check would reveal the problem.
You can also use Gpotool to check the state of a specific GPO with regard to specific domain controllers. For example, say you want to check the Default Domain Policy GPO on the domain controllers corpsvr01 and corpsvr02. You can use the following syntax with Gpotool to get the desired results:
gpotool /gpo:"Default Domain Policy" /domain:cpandl.com /dc:corpsvr01,corpsvr02 /verboseWhen the tool runs, it returns an OK status if the GPO is found with no problems and returns an error if problems are found.
While the verbose information is provided automatically if there is a problem with a GPO, you can specify that you want verbose output for all GPOs by using the /verbose option. Some of the most important additional details you’ll find in the verbose output relate to which user and machine extensions have settings configured for a particular GPO. Each CSE that has configured settings is listed according to its GUID.
To see how this works, consider the following sample output:
============================================================ Policy {31B2F340-016D-11D2-945F-00C04FB984F9} Friendly name: Sales Policy Policy OK Details: ------------------------------------------------------------ DC: corpsvr04.cpandl.com Friendly name: Sales Policy Created: 5/11/2004 11:05:05 PM Changed: 1/14/2005 1:37:13 AM DS version: 71(user) 128(machine) Sysvol version: 71(user) 128(machine) Flags: 0 (user side enabled; machine side enabled) User extensions: [{25537BA6-77A8-11D2-9B6C-0000F8080861}{88E729D6-BDC1-11D1-BD2A- 00C04FB9603F}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D- 00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC- 0000F87571E3}][{C6DC5466-785A-11D2-84D0-00C04FB169F7}{BACF5C8A-A3C7-11D1-A760- 00C04FB9603F}] Machine extensions: [{0ACDD40C-75AC-47AB-BAA0-BF6DE7E7FE63}{2DA6AA7F-8C88-4194-A558- 0D36E7FD3E64}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC- 0000F87571E3}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA- 00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA- 00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{C6DC5466-785A-11D2-84D0- 00C04FB169F7}{942A8E4F-A261-11D1-A760-00C04FB9603F}] Functionality version: 2 ------------------------------------------------------------ ============================================================
From this output, you know that quite a few CSEs are active in this GPO. The extensions are identified by their GUID. So, for example, {25537BA6-77A8-11D2-9B6C-0000F8080861} is the GUID for the Folder Redirection CSE. Chapter 13 includes a list of the GUIDs of all of the CSEs that are installed by default on Windows Server 2003.
Both the standard and verbose details offer a lot of helpful information. Here are the pieces of information the tool provides:
GPO GUID The unique identifier that each GPO is known by.
Friendly Name The name you entered for the GPO when you created it. This need not be unique.
Policy OK If Gpotool.exe finds no problems with the GPO, it lists the status as OK.
Created and Changed The date and time that the GPO was created and when it was last changed. This information can be useful if you are trying to determine whether a change you made to a GPO has propagated to the domain controller that the tool is focused on.
DS Version and SYSVOL Version The number of revisions made to the GPC and GPT portions of the GPO. The numbers should be identical if the GPO has fully replicated to the domain controller that the tool is focused on.
Flags Indicates the state of the GPO—whether it is disabled, whether the user side only is disabled, or whether the computer side only is disabled.
User Extensions and Machine Extensions The GUIDs of the CSEs that have been implemented within this GPO.
Functionality Version The functional version, which is always listed as 2.
Group Policy Monitor (GPMonitor.exe) is another Windows Server 2003 Resource Kit tool that can help with troubleshooting. Group Policy Monitor allows you to centrally manage and automate the collection of Group Policy Results reports. You can use Group Policy Monitor to closely track GPO processing for troubleshooting.
Group Policy Monitor has three main components:
Group Policy Monitor service. A service that runs on each computer from which you want to collect RSoP data
Group Policy Monitor console. A UI that provides the administrator with a way of viewing the collected RSoP logs from multiple machines
Group Policy Monitor Administrative Template. A file that lets you configure the server share used for logging data sent from the Group Policy Monitor service
When Group Policy Monitor is configured, a log report can be generated each time a GPO is refreshed or at a specific interval that is configurable through the Administrative Templates of GPOs you are monitoring.
Before you can use Group Policy Monitor, you must prepare the installation by extracting the monitoring components from the Gpmonitor.exe file in the Windows Server 2003 Resource Kit Tools. To prepare the installation, complete the following steps:
Create a folder to store the extracted Group Policy Monitor components.
Type gpmonitor at a command prompt.
When prompted for a location to place the extracted files, click Browse and then browse to the folder you previously created.
The following files are extracted to the specified location:
GPMonitor.adm. An administrative template file
GPMonitor.chm. A help file
GPMonitor.msi. A Windows Installer package that can be deployed via Group Policy
GPMon.cab. A .cab file containing the executables for the Group Policy Monitor service and the Group Policy Monitor console
Group Policy Monitor is provided as an .msi file so that you can install this tool and its components on target computers using the Group Policy Software Installation feature. When you deploy the GPMonitor.msi file via Group Policy, you must also include the Gpmon.cab file in the installation folder because it is used by the .msi file to complete the installation. The installation process configures and starts the Group Policy Monitor service. It also installs the Group Policy Monitor console.
You can, of course, install Group Policy Monitor by completing the following steps:
Copy the Group Policy Monitor files to the domain controller(s) you want to configure.
Start the installation process by double-clicking Gpmonitor.msi.
When the installation wizard starts, click Next, accept the license agreement, and then click Next again.
Provide your customer information, and then click Next.
Click Complete Installation, and then click Finish. The Group Policy Monitor service is installed and started. The Group Policy Monitor console is also installed and is available on the Administrative Tools menu.
Once the service is installed on target machines, you must create a new GPO or edit an existing GPO, add the Gpmonitor.adm file, and then configure the monitoring options. You can perform these procedures by completing the following steps:
Access the GPO you want to work with. Right-click Administrative Templates under User Configuration, and then choose Add/Remove Templates to view the currently loaded .adm files.
Click Add to open the Policy Templates dialog box. The default folder location opened is %SystemRoot%Inf, which is where any installed template files are normally located.
Navigate to the location where you extracted the Group Policy Monitor setup files, and then choose the Gpmonitor.adm template file.
Note
The Gpmonitor.adm file is copied to the SYSVOL portion of that GPO and is replicated to all domain controllers in the domain. (See Chapter 13 for more information about Group Policy storage.)
Click Open, and then click Close. The Administrative Templates namespace changes to include a new node for Group Policy Monitor, as shown in Figure 16-8.
Expand Computer Configuration, Administrative Templates, Group Policy Monitor node, and then double-click Group Policy Monitor.
To enable monitoring, select Enabled (as shown in Figure 16-9) and then set the share point where you want the domain controllers running the monitoring service to copy the RSoP log file.
Configure the interval of Group Policy refresh for sending a new report to the server share. By default, the service sends a new report every eighth Group Policy refresh (foreground or background), but you can increase or decrease this interval.
Click OK.
Once Group Policy Monitor is installed and configured, computers running the service will send RSoP data to the designated logging share. The data will be organized into folders based on the computer name of the system sending the report. You can then use the Group Policy Monitor console to view the reports collected from each machine. Complete these steps to view report data from the Group Policy Monitor console:
Start Group Policy Monitor by clicking Start, Programs or All Programs, Administrative Tools, Group Policy Monitor.
Choose New Query from the File menu.
In the Query dialog box, type the UNC path to the server share where you are storing your Group Policy Monitor logs.
Type the names of the machines you want to report on. Machine names should be separated by a comma (for example, corpsvr01,corpsvr02,corpsvr03). You can also specify * to return all machines that have reported to the share.
Choose the number of refreshes to report on. The default is 4. The more refreshes you return, the more the query returns.
When you click OK, a new node is created in the Group Policy Monitor console for each computer that returns data.
Under the computer node, you will see nodes for ComputerPolicyRefreshes and UserPolicyRefreshes. Under each of these nodes will be a series of date/time stamps that indicate individual Group Policy refresh events on these computers, as shown in Figure 16-10.
To get RSoP details from a given refresh interval, you can right-click that interval and choose from one of two options: Choose Generate RSOP Report to create the familiar HTML-based RSoP report that GPMC provides, or choose Generate Detailed RSOP View to get the equivalent of the Group Policy Results advanced view.
Another interesting Group Policy Monitor feature is its ability to show differences between two refresh intervals. You can use this to compare how Group Policy results might have changed from one interval to the next. To use this feature, complete the following steps:
Select an entry within any node under any query, hold down the Ctrl key, and select a select a second entry.
Right-click the two selected refreshes, and then choose Show XML Diff.
An instance of the WinDiff utility is launched, showing where the results files differ.
Figure 16-11 shows that one file contains a setting that the other does not. This indicates that a policy that was once enabled or disabled was set to Not Configured during the second interval.
If you want to manage deletion of the files stored on the Group Policy Monitor share that you’ve specified, you can use the Delete Refresh Info From GPMON Share option on the File menu. This option lets you choose the share, computer names, and number of the last refreshes to keep. For example, if you choose to keep the last four refreshes, any refresh reports stored before that for the chosen computers will be deleted from the designated share.