1.
Group
Policy troubleshooting tools
Group Policy processing typically involves complex sets of
actions. These apply the necessary policies to users, user groups, and
computers within one or more domains in your organization.
Due to the number and complexity of the various overlapping Group Policy processes, Group Policy can be difficult to troubleshoot. So you need a good idea of the processes that are involved and the tools you can use for problem solving.
When checking
Group Policy for errors, you can use the GPResult tool to gather RSoP data for
computers running Windows Server 2008 in your organization. The information you
get as a result of using the GPResult tool is similar to using a Group Policy
Results report in the GPMC.
This enables you to generate an RSoP report, similar to GPMC reports, which include headings to make the results easier to review.
You can run the gpresult command on any computer to which you have access. And by default the command will display results for all the Group Policy settings that are being applied for the computer on which you run the command.
Due to the number and complexity of the various overlapping Group Policy processes, Group Policy can be difficult to troubleshoot. So you need a good idea of the processes that are involved and the tools you can use for problem solving.
When a client machine begins to process Group Policy with
Windows Server 2008, processing takes place in two phases – core
processing, followed by client side extension (CSE)
processing.
Core Group Policy processing occurs each time a user logs onto their computer to determine whether the domain controller can be reached, whether changes have been made to any of the Group Policy objects (GPOs), or to verify which policy settings need to be processed.
Core Group Policy processing occurs each time a user logs onto their computer to determine whether the domain controller can be reached, whether changes have been made to any of the Group Policy objects (GPOs), or to verify which policy settings need to be processed.
Once core processing is complete, the core Group Policy
engine – responsible for performing core processing tasks – calls on CSEs to
start processing the settings that apply to a client. Each CSE then uses its
own set of rules to process the various settings in each of the policy setting
categories. These categories include Security Settings, Administrative
Templates, and Software Settings.
Because Group Policy applies to both computers and users,
Group Policy processes typically repeat. For example, a process may occur once
for an individual computer, and again for both the computer and the user
currently logged onto the system. Each time a process runs on a computer, the
process can have a different set of policies that it refers to.
There are typically a number of overlapping policies for
each process that Group Policy performs. So you may need to use various tools
to find the cause of a Group Policy-related problem on the network or within a
domain.
Group Policy
Management Console (GPMC)
You use the GPMC to perform management tasks related to
Group Policy. This console is included as a snap-in with Windows Server
2008.You can also use the GPMC to find the cause of problems on your network.
You can use several tools to ensure that your Group Policy
settings are consistently available:
GPOTool
You
can use the GPOTool if you suspect that Group Policy information is not being
replicated correctly within your domain. It is a command-line tool that is part
of the Windows Server 2008 Resource Kit and checks your domain controllers for
consistency. You can only use this tool if your domain has more than one domain
controller.
GPMC reports
You
can use GPMC reports to review all the defined settings in a GPO. The IE
Maintenance section of reports indicates whether content ratings and
connections are deployed and whether Preference Mode is specified. It also
displays the core information for wireless and Internet Protocol Security (IPsec).
You can also use GPMC reports to review Resultant Set of Policy (RSoP) that are
being applied on a computer to determine a GPO's impact.
You can use the gpupdate
command to force Windows to refresh local Group Policy settings – including
security settings – and Group Policy settings stored in the Active Directory.
By using the gpupdate command, you ensure
that any changes that were made to GPOs are applied to the network immediately
in order to update clients. This can resolve Group Policy issues, such as
security-related GPOs that were causing problems because they weren't being
applied.
The two kinds of reports you can generate by using the GPMC
are Group Policy Results reports and Group Policy Modeling reports.
- Group Policy Modeling reports enable you to determine the policies that Group Policy will apply for a specific client before the policies are actually applied. You require a Windows Server 2008 domain controller if you want to create Group Policy Modeling reports.
- Group Policy Results reports show the policies that are already in effect for a client. Or you can use these reports to review information regarding key events that has been logged for policies relating to the client.
When using the gpupdate command to update your Group Policy
settings, you can use various parameters with the command.
For instance, using the /force parameter ignores all
processing optimizations and reapplies all settings. By using the /boot
parameter with the gpupdate command, you can restart the computer automatically
once the Group Policy settings have been refreshed.
2.
Using
the gpresult.exe commandThis enables you to generate an RSoP report, similar to GPMC reports, which include headings to make the results easier to review.
You can run the gpresult command on any computer to which you have access. And by default the command will display results for all the Group Policy settings that are being applied for the computer on which you run the command.
You can use
parameters, such as /F, /H, and /X, with the gpresult command to create an RSoP
report.
/F You
add the /F parameter if you want to force Group Policy to overwrite any files
that exist as a result of previous instances in which the gpresult.exe command
had been used.
/H You
use the /H parameter to instruct Group Policy to display the results of running
the gpresult command in HTML format. This automatically changes the file
extension of the resulting file to .html.
/X You
use the /X parameter to ensure that the results of running the gpresult command
display in XML format. This automatically changes the file extension to .xml.
