Maintaining and Troubleshooting Group Policy

Most Group Policy maintenance and troubleshooting tasks have to do with determining when policy is refreshed and applied and then changing the refresh options as appropriate to ensure policy is applied as expected. Thus, maintaining and troubleshooting Group Policy require a keen understanding of how Group Policy refresh works and how it can be changed to meet your needs. You also need tools for modeling and viewing the GPOs that would be or have been applied to users and computers. Group Policy Management Console provides these tools through the Group Policy Modeling and Group Policy Results Wizards, which can be used instead of running the Resultant Set Of Policy (RSoP) Wizard in logging mode or planning mode.

Group Policy Refresh

Computer policies are applied when a computer starts, and user policies are applied when a user logs on. Once applied, Group Policy settings are automatically refreshed to ensure they are current. The default refresh interval for domain controllers is every 5 minutes. For all other computers, the default refresh interval is every 90 minutes with up to a 30-minute variation to avoid overloading the domain controller with numerous client requests at the same time.

Tip

Change the refresh interval through Group Policy

You can change the Group Policy refresh interval if desired. The related policies are stored in the Computer Configuration\Administrative Templates\System\Group Policy folder. To set the refresh interval for domain controllers, define the Group Policy Refresh Interval For Domain Controllers policy. Select Enabled, set the refresh interval, and then click OK. To set the refresh interval for all other computers, define the Group Policy Refresh Interval For Computers policy. Select Enabled, set the refresh interval and random offset, and then click OK.

During Group Policy refresh, the client contacts an available domain controller in its local site. If one or more of the GPOs defined in the domain have changed, the domain controller provides a list of all the GPOs that apply to the computer and to the user that is currently logged on, as appropriate. The domain controller does so regardless of whether the version numbers on all the listed GPOs have changed.

By default, the computer processes the GPOs only if the version number of at least one of the GPOs has changed. If any one of the related policies has changed, all of the policies have to be processed again. This is required because of inheritance and the interdependencies within policies. Security Settings are a noted exception to the processing rule. By default, Security Settings are refreshed every 16 hours (960 minutes) regardless of whether GPOs contain changes. Additionally, if the client computer detects that it is connecting over a slow network connection, it tells the domain controller this and only the Security Settings and Administrative Templates are transferred over the network, which means only the Security Settings and Administrative Templates are applied.

Modifying Group Policy Refresh

Group Policy refresh can be changed in several ways. First, client computers determine that they are using a slow network connection by pinging the domain controller to which they are connected with a zero-byte packet. If the response time from the domain controller is more than 10 milliseconds, the computer then pings the domain controller three times with a 2-kilobyte (KB) message packet to determine if it is on a slow network. The computer uses the average response time to determine the network speed. By default, if the connection speed is determined to be less than 500 kilobits per second (Kbps), the computer interprets that as a slow network connection and notifies the domain controller of this. As a result, only the Security Settings and Administrative Templates in the applicable GPOs are sent by the domain controller.

You can configure slow link detection using the Group Policy Slow Link Detection policy, which is stored in the Computer Configuration\Administrative Templates\System\Group Policy folder. To configure this policy, follow these steps:

  1. Start the Group Policy Object Editor. In the Group Policy Management console, right-click the group policy you want to modify, and then select Edit.

  2. Double-click the Group Policy Slow Link Detection policy in the Computer Configuration\Administrative Templates\System\Group Policy folder.

  3. Define the policy by selecting Enabled, as shown in Figure 38-17, and then use the Connection Speed combo box to specify the speed that should be used to determine whether a computer is on a slow link. For example, if you want connections less than 128 Kbps to be deemed as "slow connections," you'd type 128. If you want to disable slow link detection, you'd type 0 in the Connection Speed box.

    Figure 38-17. Configure slow link detection as necessary

  4. Click OK. This policy is supported by all computers running Windows 2000 or later.
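The refresh interval, random offset, slow link threshold, and 16-hour Security Settings refresh described above can be audited on a client without opening the Group Policy Object Editor. The following PowerShell script is an added example, not from the book; it assumes the policies write the registry values named in GroupPolicy.admx (GroupPolicyRefreshTime, GroupPolicyRefreshTimeOffset, GroupPolicyRefreshTimeDC, GroupPolicyMinTransferRate, DisableBkGndGroupPolicy) under HKLM\SOFTWARE\Policies\Microsoft\Windows\System, and that the Security client-side extension keeps its interval in MaxNoGPOListChangesInterval under its GPExtensions key.

```powershell
# Added audit script (not from the book): report the effective Group Policy refresh
# and slow-link settings on this computer and flag values that weaken refresh.
$systemPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
# Security Settings client-side extension (assumed key; GUID of the Security CSE)
$securityCse  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, [int]$Default)
    # A missing key or value means the policy is Not Configured, so the default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @{ Value = $Default; Source = 'default' } }
    return @{ Value = [int]$item.$Name; Source = 'policy' }
}

function Get-GPRefreshAudit {
    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    # Which interval applies depends on the role, exactly as the two policies do.
    if ($isDc) {
        $interval = Get-RegValueOrDefault $systemPolicy 'GroupPolicyRefreshTimeDC' 5
        $offset   = @{ Value = 'n/a'; Source = 'n/a' }
    } else {
        $interval = Get-RegValueOrDefault $systemPolicy 'GroupPolicyRefreshTime' 90
        $offset   = Get-RegValueOrDefault $systemPolicy 'GroupPolicyRefreshTimeOffset' 30
    }
    $slowLink   = Get-RegValueOrDefault $systemPolicy 'GroupPolicyMinTransferRate' 500
    $bgDisabled = Get-RegValueOrDefault $systemPolicy 'DisableBkGndGroupPolicy' 0
    $secRefresh = Get-RegValueOrDefault $securityCse 'MaxNoGPOListChangesInterval' 960

    $findings = @()
    if ($bgDisabled.Value -eq 1) {
        $findings += 'Background refresh is turned off; policy changes wait for a restart or logon.'
    }
    if (-not $isDc -and $interval.Value -eq 0) {
        $findings += 'Refresh interval 0 makes the client refresh every 7 seconds.'
    }
    if ($slowLink.Value -eq 0) {
        $findings += 'Slow link detection is disabled; every connection is treated as fast.'
    }
    if ($secRefresh.Value -gt 960) {
        $findings += 'Security Settings are re-applied less often than the 16-hour default.'
    }

    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        IsDomainController    = $isDc
        RefreshIntervalMin    = "$($interval.Value) ($($interval.Source))"
        RandomOffsetMin       = "$($offset.Value) ($($offset.Source))"
        SlowLinkThresholdKbps = "$($slowLink.Value) ($($slowLink.Source))"
        SecurityRefreshMin    = "$($secRefresh.Value) ($($secRefresh.Source))"
        Findings              = $findings
    }
}

Get-GPRefreshAudit | Format-List
```

Run it on a representative member server and on a domain controller; a non-empty Findings list is the first thing to check when policy appears to apply late or not at all.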

If there is any area of Group Policy for which you want to configure refresh, you can do this in the Group Policy Object Editor. The related policies are stored in the Computer Configuration\Administrative Templates\System\Group Policy folder and include the following:

  • Internet Explorer Maintenance Policy Processing

  • Software Installation Policy Processing

  • Folder Redirection Policy Processing

  • Scripts Policy Processing

  • Security Policy Processing

  • IP Security Policy Processing

  • Wireless Policy Processing

  • EFS Recovery Policy Processing

  • Disk Quota Policy Processing

Note

You use Registry Policy Processing to control the processing of all other Registry-based extensions.

To configure refresh of an extension, follow these steps:

  1. Start the Group Policy Object Editor. In Group Policy Management Console, right-click the group policy you want to modify, and then select Edit.

  2. Double-click the policy in the Computer Configuration\Administrative Templates\System\Group Policy folder.

  3. Define the policy by selecting Enabled, as shown in Figure 38-18. The options you have differ slightly depending on the policy selected and include the following:

    • Allow Processing Across A Slow Network Connection—Select this option to ensure the extension settings are processed even on a slow network.

    • Do Not Apply During Periodic Background Processing—Select this option to override refresh when extension settings change after startup or logon.

    • Process Even If The Group Policy Objects Have Not Changed—Select this option to force the client computer to process the extension settings during refresh even if the settings haven't changed.

    Figure 38-18. Change the way refresh works as necessary

  4. Click OK.

Viewing Applicable GPOs and Last Refresh

In the Group Policy Management console, you can view all of the GPOs that apply to a computer as well as the user logged on to that computer. You can also view the last time the applicable GPOs were processed (refreshed). To do this, you run the Group Policy Results Wizard.

To start the Group Policy Results Wizard and view applicable GPOs and the last refresh, follow these steps:

  1. Start the Group Policy Management console. Right-click Group Policy Results, and then select Group Policy Results Wizard.

  2. When the Group Policy Results Wizard starts, click Next. On the Computer Selection page shown in Figure 38-19, select Local Computer to view information for the local computer. If you want to view information for a remote computer, select Another Computer and then click Browse. In the Select Computer dialog box, type the name of the computer, and then click Check Names. Once the correct computer account is selected, click OK.

    Figure 38-19. Select the computer to work with

  3. In the Group Policy Results Wizard, click Next. On the User Selection page, shown in Figure 38-20, select the user whose policy information you want to view. You can view policy information for any user that has logged on to the computer.

    Figure 38-20. Select the user whose policy information you want to view

  4. Click Next, and then after the wizard gathers the policy information, click Finish. The wizard then generates a report, the results of which are displayed in the Details pane as shown in Figure 38-21.

    Figure 38-21. Use the report to view policy information

  5. On the report, click Show All to display all of the policy information that was gathered.

Computer and user policy information is listed separately. Computer policy information is listed under the Computer Configuration Summary as follows:

  • To view the last time the computer policy was refreshed, look under Computer Configuration Summary, General for the Last Time Group Policy Was Processed entry.

  • To view all applicable GPOs, look under Computer Configuration Summary, Group Policy Objects.

User policy information is listed under the User Configuration Summary as follows:

  • To view the last time the user policy was refreshed, look under User Configuration Summary, General for the Last Time Group Policy Was Processed entry.

  • To view all applicable GPOs, look under User Configuration Summary, Group Policy Objects.

The Applied GPOs entry shows all GPOs that have been applied. The Denied GPOs entry shows all GPOs that should have been applied but weren't processed for some reason, such as because they were empty or did not contain any computer policy settings. A GPO also might not have been processed because inheritance was blocked. If so, the Reason Denied is Blocked SOM.

Modeling GPOs for Planning

In the Group Policy Management console, you can test different scenarios for modifying Computer Configuration and User Configuration settings. For example, you can model the effect of a slow link or the use of loopback processing. You can also model the effect of moving a user or computer to another container in Active Directory or adding the user or computer to an additional security group. To do this, you run the Group Policy Modeling Wizard.

To start the Group Policy Modeling Wizard and test various scenarios, follow these steps:

  1. Start the Group Policy Management console. Right-click Group Policy Modeling, and then select Group Policy Modeling Wizard.

  2. When the Group Policy Modeling Wizard starts, click Next. On the Domain Controller Selection page, as shown in Figure 38-22, under Show Domain Controllers In This Domain, select the domain for which you want to model results. Next either select Any Available Domain Controller or This Domain Controller, and then choose a specific domain controller. Click Next.

    Figure 38-22. Select the domain controller to work with

  3. On the User And Computer Selection page, shown in Figure 38-23, select the modeling options for users and computers.

    Figure 38-23. Select the modeling options for users and computers

    Typically, you'll want to model policy for a specific container using user and computer information. In this case, the following would apply:

    • Under User Information, select Container, and then click Browse to display the Choose User Container dialog box, which you can use to choose any of the available user containers in the selected domain.

    • Under Computer Information, select Container, and then click Browse to display the Choose Computer Container dialog box, which you can use to choose any of the available computer containers in the selected domain.

  4. Click Next. On the Advanced User And Computer Selection page, as shown in Figure 38-24, select any advanced options for slow network connections, loopback processing, and sites as necessary, and then click Next.

    Figure 38-24. Select advanced options as necessary

  5. On the User Security Groups page, shown in Figure 38-25, you can simulate changes to security group membership to model the results on Group Policy. Any changes you make to group membership affect the previously selected user container. For example, if you want to see what would happen if a user in the designated user container is a member of the Domain Admins group, you could add this group to the Security Groups list. Click Next to continue.

    Figure 38-25. Simulate changes to security groups for users

  6. On the Computer Security Groups page, you can simulate changes to security group membership to model the results on Group Policy. Any changes you make to group membership affect the previously selected computer container. For example, if you want to see what would happen if a computer in the designated computer container is a member of the Domain Controllers group, you could add this group to the Security Groups list. Click Next to continue.

  7. WMI filters can be linked to GPOs. By default, it is assumed that the selected users and computers meet all the WMI filter requirements, which is what you want in most cases for modeling, so click Next twice to skip past the WMI Filters For Users and WMI Filters For Computers pages.

  8. To complete the modeling, click Next, and then click Finish. The wizard then generates a report, the results of which are displayed in the Details pane.

  9. The name of the modeling report is generated based on the containers you chose and highlighted for editing, as shown in Figure 38-26. Type a new name as required, and then press Tab. On the report, click Show All to display all of the policy information that was modeled.

    Figure 38-26. Use the report to examine the Group Policy model

Refreshing Group Policy Manually

You can refresh Group Policy manually using the Gpupdate command-line utility. Gpupdate replaces the SECEDIT /refreshpolicy tool provided in Windows 2000. If you type gpupdate at a command prompt, both the Computer Configuration settings and the User Configuration settings in Group Policy are refreshed on the local computer.

You can also selectively refresh Group Policy. If you want to refresh only Computer Configuration settings, you type gpupdate /target:computer at the command prompt. If you want to refresh only User Configuration settings, you type gpupdate /target:user at the command prompt. By default, only policy settings that have changed are processed and applied. You can change this behavior using the /Force parameter. This parameter forces a refresh of all policy settings.

Gpupdate can also be used to log off a user or restart a computer after Group Policy is refreshed. This is useful because some group policies are applied only when a user logs on or when a computer starts up. To log off a user after a refresh, add the /Logoff parameter. To restart a computer after a refresh, add the /Boot parameter.

Backing Up GPOs

In the Group Policy Management console, you can back up GPOs so that you can restore them at a later time to recover Group Policy to the state it was in when the backup was performed. The ability to back up and restore GPOs is one of the reasons why the Group Policy Management console is more useful than the older Group Policy tools that come with Windows Server 2003. It is also important to add that you can back up and restore GPOs only when you have installed the Group Policy Management console.

You can either back up an individual GPO in a domain or all GPOs in a domain by completing the following steps:

  1. Start the Group Policy Management console. Expand the forest, the Domains node, and the Group Policy Objects node.

  2. If you want to back up all GPOs in the domain, right-click the Group Policy Objects node, and then select Back Up All.

  3. If you want to back up a specific GPO in the domain, right-click the GPO, and then select Back Up.

  4. In the Back Up Group Policy Object dialog box, shown in Figure 38-27, click Browse, and then use the Browse For Folder dialog box to set the location in which the GPO backup should be stored.

    Figure 38-27. Set the backup location and description

  5. In the Description field, type a clear description of the contents of the backup.

  6. Click Backup to start the backup process. The Backup dialog box, shown in Figure 38-28, shows the progress and status of the backup. If a backup fails, check the permissions on the GPO and the folder to which you are writing the backup. You need Read permission on a GPO and Write permission on the backup folder to create a backup. By default, members of the Domain Admins and Enterprise Admins groups should have these permissions.

    Figure 38-28. The Backup dialog box shows the backup progress and status

Restoring GPOs

Using the Group Policy Management console, you can restore a GPO to the state it was in when it was backed up. The Group Policy Management console tracks the backup of each GPO separately, even if you back up all GPOs at once. Because version information is also tracked according to the backup time stamp and description, you can restore the last version of each GPO or a particular version of any GPO.

You can restore a GPO by completing the following steps:

  1. Start the Group Policy Management console. Expand the forest, the Domains node, and the Group Policy Objects node.

  2. Right-click the Group Policy Objects node, and then select Manage Backups. This displays the Manage Backups dialog box (see Figure 38-29).

    Figure 38-29. Use the Manage Backups dialog box to restore a GPO

  3. In the Backup Location field, type the folder path to the backup or click Browse to use the Browse For Folder dialog box to find the folder.

  4. All GPO backups in the designated folder are listed under Backup GPOs. To show only the latest version of the GPOs according to the time stamp, select Show Only The Latest Version Of Each GPO.

  5. Select the GPO you want to restore. If you want to confirm its settings, click View Settings, and then verify the settings are as expected using Internet Explorer. When you are ready to continue, click Restore. Confirm that you want to restore the selected GPO by clicking OK.

  6. The Restore dialog box, shown in Figure 38-30, shows the progress and status of the restore. If a restore fails, check the permissions on the GPO and the folder from which you are reading the backup. To restore a GPO, you need Edit, Delete, and Modify permissions on the GPO and Read permission on the folder containing the GPO backup. By default, members of the Domain Admins and Enterprise Admins groups should have these permissions.

    Figure 38-30. The Restore dialog box shows the restore progress and status

  7. Click OK, and then either restore additional GPOs as necessary or click Close.
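The backup and restore procedures above can also be scripted, which is how you would schedule regular GPO backups and restore one specific version without the Manage Backups dialog box. The following PowerShell is an added example, not from the book; it assumes the GroupPolicy module that ships with GPMC on Windows Server 2008 R2 and later (not the Windows Server 2003 GPMC described here), and the backup root path is a placeholder.

```powershell
# Added example (not from the book): scripted GPO backup and version-specific restore
# using the GroupPolicy module cmdlets Backup-GPO, Restore-GPO, Get-GPO and Get-GPOReport.
Import-Module GroupPolicy

$backupRoot = 'D:\GPOBackups'   # placeholder; grant Write only to the accounts that run backups

function Backup-AllGpos {
    param([string]$Root, [string]$Comment = "Scheduled backup $(Get-Date -Format s)")
    # One dated subfolder per run keeps old versions restorable side by side.
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # Backup-GPO -All is the cmdlet equivalent of "Back Up All"; every GPO gets its own
    # backup Id and time stamp, which is what allows restoring one particular version.
    $backups = Backup-GPO -All -Path $dest -Comment $Comment
    # Keep a flat index beside the backups so a version can be chosen without the GUI.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime, Comment, BackupDirectory |
        Export-Csv -Path (Join-Path $Root 'index.csv') -Append -NoTypeInformation
    $backups
}

function Restore-GpoVersion {
    param(
        [string]$Root,
        [string]$DisplayName,
        [datetime]$NotAfter = (Get-Date)   # default: the latest version, as Manage Backups shows
    )
    # Pick the newest backup of this GPO taken no later than -NotAfter.
    $candidate = Import-Csv (Join-Path $Root 'index.csv') |
        Where-Object { $_.DisplayName -eq $DisplayName -and [datetime]$_.CreationTime -le $NotAfter } |
        Sort-Object { [datetime]$_.CreationTime } -Descending |
        Select-Object -First 1
    if (-not $candidate) { throw "No backup of '$DisplayName' taken on or before $NotAfter under $Root" }

    # Safety net: if the GPO still exists, snapshot its live settings so the restore itself
    # can be undone. Get-GPOReport fails for a deleted GPO, hence the existence check.
    if (Get-GPO -Name $DisplayName -ErrorAction SilentlyContinue) {
        $safeName = $DisplayName -replace '[\\/:*?"<>|]', '_'
        $snap = Join-Path $Root ("pre-restore_{0}_{1:yyyyMMddHHmm}.xml" -f $safeName, (Get-Date))
        Get-GPOReport -Name $DisplayName -ReportType Xml -Path $snap
    }

    # Restore-GPO -BackupId restores exactly that version, not merely the latest in the folder.
    Restore-GPO -BackupId $candidate.Id -Path $candidate.BackupDirectory
}

# Usage (placeholder GPO name):
# Backup-AllGpos -Root $backupRoot
# Restore-GpoVersion -Root $backupRoot -DisplayName 'Workstation Baseline' -NotAfter '2024-01-31'
```

As with the dialog boxes, the account running the script needs Read on each GPO and Write on the backup folder to back up, and Edit, Delete, and Modify on the GPO plus Read on the backup folder to restore.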

Fixing Default Group Policy

The Default Domain Policy and Default Domain Controller Policy GPOs are vital to the health of Active Directory in a domain. If for some reason these policies become corrupted, Group Policy will not function properly. To resolve this, you must run the Dcgpofix utility. This utility restores the default GPOs to their original, default state, meaning the state they are in when you first install Active Directory in a new domain. You must be a member of Domain Admins or Enterprise Admins to run Dcgpofix.

By default, when you run Dcgpofix, both the Default Domain Policy and Default Domain Controller Policy GPOs are restored and you will lose any base changes made to these GPOs. The only exceptions are for the following extension settings: Remote Installation Services (RIS), Security Settings, and Encrypting File System (EFS). These extension settings are maintained separately and will not be lost. Nondefault Security Settings are not maintained, however, which means Security Settings configured by Microsoft Exchange Server 2000, migrated during an upgrade from Windows NT to Windows 2000, as well as policy object changes made through Systems Management Server (SMS) are lost as well. All other extensions settings are restored to their default postinstallation state, and any changes you've made are lost.

To run Dcgpofix, log on to a domain controller in the domain in which you want to fix default Group Policy, and then type dcgpofix at the command prompt. Dcgpofix checks the Active Directory schema version number to ensure compatibility between the version of Dcgpofix you are using and the Active Directory schema configuration. If the versions are not compatible, Dcgpofix exits without fixing the default Group Policy. By specifying the /Ignoreschema parameter, you can enable Dcgpofix to work with different versions of Active Directory. However, default policy objects might not be restored to their original state. Because of this, you should always be sure to use the version of Dcgpofix that is installed with the current operating system.

You also have the option of fixing only the Default Domain Policy or the Default Domain Controller Policy GPO. If you want to fix only the Default Domain Policy, type dcgpofix /target:domain. If you want to fix only the Default Domain Controller Policy, type dcgpofix /target:dc.
