Lesson 2: Troubleshooting Group Policy

Sometimes the application of Group Policy doesn't occur as expected. For example, a Group Policy object might apply unexpected restrictions to a computer or user. This lesson outlines a methodology you can use to troubleshoot Group Policy application and locate the undesired Group Policy object.


After this lesson, you will be able to

  • Troubleshoot Group Policy application to find the Group Policy object that's applying the undesired setting

Estimated lesson time: 30 minutes


Assessing Group Policy Troubleshooting

One common reason that Group Policy application doesn't always work as expected is that there's been a misapplication of the Block Policy Inheritance or No Override attributes to Group Policy. Take the following steps to troubleshoot Group Policy application:

  • Inspect the Active Directory hierarchy. Because there's a default inheritance order for Group Policies, you can inspect the Active Directory hierarchy to determine the location of Group Policy objects that affect the user or computer.
  • Inspect applied Group Policies by using Gpresult. The Gpresult utility from the Microsoft Windows 2000 Server Resource Kit shows which Group Policies were applied to the computer or user.

Using Gpresult

The Gpresult utility shows which Group Policy objects were applied to a user or a computer. The Gpresult utility uses the following parameters:

 gpresult [/V] [/S] [/C | /U] [/?] 

where:

/V runs Gpresult in verbose mode

/S runs Gpresult in super verbose mode

/C displays only the Group Policy objects applied to the computer

/U displays only the Group Policy objects applied to the user

In addition to showing which Group Policy objects were applied, the Gpresult utility also lists all group memberships of the user or computer being analyzed. The group membership information is useful in troubleshooting security group filtering, as demonstrated in Figure 7.10.


Figure 7.10 Gpresult output for a user named Michael

Making the Decision

Use the decision matrix shown in Table 7.3 to troubleshoot Group Policy application.

Table 7.3 Troubleshooting Group Policy Application

To: Determine all possible locations where Group Policy objects may be defined
Do the following: Inspect the Active Directory structure to determine the site, domain, and OUs that could have Group Policy applied to the user or computer.

To: Determine whether the Group Policy that was applied is a user or computer configuration setting
Do the following: Use the Gpresult utility from the Microsoft Windows 2000 Server Resource Kit to determine which Group Policies were applied to the computer or user.

To: Determine why a higher-level Group Policy isn't applied
Do the following: Look for Block Policy Inheritance settings or conflicting settings at an OU closer to the user or computer object than where the higher-level Group Policy is defined. Alternatively, determine if any Group Policy filtering has been configured. If the affected computer or user isn't a member of a security group that has the Read and Apply Group Policy permissions assigned, the Group Policy object won't be applied.

To: Determine why a lower-level Group Policy isn't applied
Do the following: Look for a Group Policy object with the No Override attribute set at an OU, domain, or site higher in the hierarchy. As an alternative, determine if any Group Policy filtering has been configured. If the affected computer or user isn't a member of a security group that has the Read and Apply Group Policy permissions assigned, the Group Policy object won't be applied.

To: Determine why a Group Policy doesn't apply to all computers or users within a site, domain, or OU
Do the following: Inspect the Group Policy object's Security tab to determine which security groups have been assigned the Read Group Policy and Apply Group Policy permissions. To apply Group Policy, you must assign both permissions.

Applying the Decision

As a member of the Accounting department, Don Funk should have the accounting software assigned to his computer and should have had Office assigned to his user account. Because the accounting software is working as expected, there's no reason to troubleshoot the associated Group Policy objects. Assuming that Don is now a member of the Accounting department in Toronto, perform the following tasks:

  • Verify the location of Don's user account in Active Directory. Don's user account should be located in the following container in Active Directory: OU=Users, OU=Accounting, OU=Toronto, DC=Wideworldimporters, DC=tld.
  • Determine where Group Policies may exist that could affect Don's user account for application of Group Policy. Group Policy could be applied to Don's user account from the following locations: the Toronto site, the wideworldimporters.tld domain, the Toronto OU, the Accounting OU, or the Users OU. Assume that your inspection finds no additional Group Policy objects (other than the Office and accounting software Group Policy objects).
  • Run Gpresult to determine all user Group Policies that were applied to Don's user account at logon. To determine which user Group Policy objects were applied when Don logged on to the network, run Gpresult /u /s at Don's computer. The results would show that the Office Group Policy object wasn't applied.
  • Determine if filtering is affecting the Group Policy application. The Office Group Policy object is applied only to full-time employees in the wideworldimporters.tld domain. The most likely reason that Don doesn't have Office assigned to his user account is that his account wasn't made a member of the FullTimeEmployees global group and is still a member of the ContingentStaff global group. Until he's made a member of the FullTimeEmployees global group and then logs off and back onto the network to repopulate his Access Token, Don won't have the Office Group Policy applied to his user account.
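
The checks in Table 7.3 and the Don Funk walkthrough can be expressed as a small model of Group Policy processing. The following Python sketch is an added example, not code from the training kit or from Microsoft. It assumes the Office Group Policy object is linked at the domain, and it goes beyond the lesson's case with a hypothetical variation (the Lockdown and Kiosk Group Policy objects) to show Block Policy Inheritance and No Override.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    no_override: bool = False      # No Override set on this GPO link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block: bool = False            # Block Policy Inheritance on this container

def evaluate(path, gpos, groups):
    """path: site, domain, OUs top down; gpos: name -> (Read+Apply groups, settings)."""
    # The lowest blocking container stops links above it unless they are No Override.
    barrier = max((i for i, c in enumerate(path) if c.block), default=0)
    applied, skipped, effective, locked = [], {}, {}, set()
    for depth, container in enumerate(path):
        for link in container.links:
            allowed, settings = gpos[link.gpo]
            if depth < barrier and not link.no_override:
                skipped[link.gpo] = "Block Policy Inheritance at " + path[barrier].name
            elif not allowed & groups:
                skipped[link.gpo] = "security group filtering"
            else:
                applied.append(link.gpo)
                for key, value in settings.items():
                    if key not in locked:   # a higher No Override link keeps its value
                        effective[key] = (value, link.gpo)
                    if link.no_override:
                        locked.add(key)
    return applied, skipped, effective

# Constructed data; the Office link at the domain is assumed, Lockdown/Kiosk are hypothetical.
GPOS = {"Office": ({"FullTimeEmployees"}, {"office_suite": "assigned"}),
        "Lockdown": ({"Authenticated Users"}, {"run_menu": "hidden"}),
        "Kiosk": ({"Authenticated Users"}, {"run_menu": "shown"})}

def toronto_path(hardened=False):
    names = ["Toronto site", "wideworldimporters.tld", "OU=Toronto", "OU=Accounting", "OU=Users"]
    path = [Container(n) for n in names]
    path[1].links.append(Link("Office"))
    if hardened:                   # hypothetical variation, not from the lesson
        path[1].links.append(Link("Lockdown", no_override=True))
        path[3].block = True
        path[3].links.append(Link("Kiosk"))
    return path

print(evaluate(toronto_path(), GPOS, {"ContingentStaff", "Authenticated Users"}))
```

Replacing ContingentStaff with FullTimeEmployees in the group set makes Office appear in the applied list, which mirrors Don's fix. Calling toronto_path(hardened=True) shows the domain-level Office link stopped by the block at the Accounting OU, while the No Override link still applies and keeps its setting.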

Lesson Summary

When Group Policy application doesn't take place as expected, you must have a methodology for determining the reason. Using the Gpresult utility and inspecting the Active Directory hierarchy allows you to determine where Group Policy objects have been applied to a user or computer. Once you identify where Group Policy objects can be applied, you can identify which Group Policy objects are applied.



Microsoft Corporation - MCSE Training Kit (Exam 70-220. Designing Microsoft Windows 2000 Network Security)
MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security: Designing Microsoft(r) Windows(r) 2000 Network Security (IT-Training Kits)
ISBN: 0735611343
EAN: 2147483647
Year: 2001
Pages: 172
