On Windows 2000 systems, an administrator has only two tools — GPResult and GPOTool — that can help him or her to troubleshoot group policies by analyzing the effect that a group policy object (GPO) produces on a computer and/or user as well as by verifying the "health" of GPOs and their replication between domain controllers in a domain. These tools are included in the Windows 2000 Server Resource Kit or can be downloaded through the Internet.
Windows XP and Windows .NET systems offer GPResult as a standard built-in tool that implements some features of the Resultant Set of Policy (RSoP) technology. In addition, these systems include a GUI tool with similar functions — the Resultant Set of Policy snap-in, which allows administrators to analyze group policy settings for existing users and computers as well as to simulate (plan) these settings for any user and computer objects stored in Active Directory.
GPResult is a very powerful and, at the same time, rather simple instrument that allows an administrator to manage and troubleshoot issues related to Change and Configuration Management that are implemented through group policies (registry and software settings, disk quotas, folder redirection, IP security, and scripts). The tool's screen output may be enormous and laden with details. (As a rule, you should redirect it to a file for subsequent analysis, or use the more pipe.) This shouldn't frighten you too much, since the tool is pretty well documented, and its results are, in fact, quite simple to interpret.
The Windows 2000 version of GPResult can only be run on the current computer for the currently logged-on user. (You cannot use the RunAs command with GPResult.) You can also run GPResult on a remote computer by using a telnet session.
The Windows XP/.NET version of GPResult (v2.0) can be targeted to any domain client computer and any domain user. (GPResult works in logging mode only. This means that the user must have logged on to the target computer at least once before GPResult is executed, and the computer must be online.) See, for example, the following command:
C:\>gpresult /S xp-pro3.net.dom /SCOPE USER /USER JSmith /V
This command displays detailed information on the group policy settings that are applied (or will be applied) to the user JSmith on the xp-pro3.net.dom computer.
In this chapter, we will discuss GPResult v2.0 — the most powerful and flexible version; however, both versions (Windows 2000 and Windows .NET) are rather similar if one compares their output information.
Note: If a GPO is created and linked to a container, but not yet configured (i.e., has the version 0:0; see the GPOTool's description below), it will be "invisible" to GPResult, even if the group policies linked to that container must affect (directly or by inheritance) the user or computer.
Note: For Windows 2000 systems, you can download a free copy of GPResult.exe from the Microsoft website (see links in Appendix A).
Note: You can run the Windows 2000 version of GPResult on Windows XP/.NET-based computers.
Note: Keep in mind that Windows XP and Windows .NET systems have different versions of GPResult, though they have the same options.
The best way to get acquainted with GPResult is to view a brief description of sample output from the tool. Let us first look at the general structure of the full test. GPResult displays the following information:
Date and time when the test was run
Information on the operating system where the test was run
Information on the computer for which the RSoP data is displayed (this information is omitted if the /SCOPE USER parameter is specified)
Date and time when the computer policy was last applied
Settings received by the computer
Computer's security group membership
Information on the user for which the RSoP data is displayed (this information is omitted if the /SCOPE COMPUTER parameter is specified)
Date and time when the user policy was last applied
Settings received by the user
User's security group membership
The tool has three operational modes:
Normal — displays general information only (described above). You may use this mode to verify whether or not the user or computer has received settings from a particular GPO that you are interested in, or to find out which GPOs affect the user or computer.
Verbose — the basic mode to view detailed information (for example, exact policy settings assigned in a specific GPO).
Super-verbose — a special mode for thorough analysis (for example, this mode allows you to see whether the same policy was assigned at several levels in the GPO hierarchy; if a policy was assigned in two or more GPOs, then other modes will display only the name of a GPO with the highest precedence).
Let us discuss a sample output, which GPResult has produced in verbose mode. The comments divide the output into logical sections. For presentation purposes, some lines and words are shown in bold. Comments in bold square brackets have also been inserted.
Since the computer account is in another domain, an administrator's credentials are provided in the command.
C:\>gpresult /S xp-pro3.subdom.net.dom /USER JSmith /U SUBDOM\administrator /P admPsw /Z
Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001
The date when the test was run:
Created On 6/20/2002 at 7:27:21 PM
The target system information:
RSOP data for NET\jsmith on XP-PRO3 : Logging Mode
--------------------------------------------------
OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Terminal Server Mode: Remote Administration
Site Name: NET-Site
Roaming Profile: \\NETDC1\Profiles\JSmith
Local Profile: I:\Documents and Settings\jsmith.NET
Connected over a slow link?: No
The general information on the computer account:
COMPUTER SETTINGS
---------------------
    CN=XP-PRO3, OU=Staff, DC=subdom, DC=net, DC=dom
    Last time Group Policy was applied: 6/20/2002 at 7:24:48 PM
    Group Policy was applied from: netdc2.subdom.net.dom
    Group Policy slow link threshold: 500 kbps
    Domain Name: SUBDOM
    Domain Type: Windows 2000
Group policies from the following GPOs have been applied to the computer:
    Applied Group Policy Objects
    ----------------------------
        Default Domain Policy
        NET-Site's GPO
The following GPO does not contain any settings for computer accounts, therefore it has not been applied:
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering: Not Applied (Empty)
The computer account's group membership:
    The computer is a part of the following security groups:
    --------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Users
        XP-PRO3$
        Domain Computers
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
Exact policies applied to the computer account:
    Resultant Set Of Policies for Computer:
    ---------------------------------------
        Software Installations
        ----------------------
            N/A [this means that the GPOs that affect this computer account do not contain policy settings of that kind]
        Startup Scripts
        ---------------
            GPO: Default Domain Policy
                Name: Up.vbs
                Parameters:
                LastExecuted: 2:28:49 PM
        Shutdown Scripts
        ----------------
            N/A
        Account Policies
        ----------------
            GPO: Default Domain Policy [account policies can be defined at the domain level only]
                Policy: MinimumPasswordAge
                Computer Setting: N/A
            GPO: Default Domain Policy
                Policy: PasswordHistorySize
                Computer Setting: 3
            GPO: Default Domain Policy
                Policy: MinimumPasswordLength
                Computer Setting: N/A
            GPO: Default Domain Policy
                Policy: LockoutBadCount
                Computer Setting: N/A
            GPO: Default Domain Policy
                Policy: MaximumPasswordAge
                Computer Setting: 42
        Audit Policy
        ------------
            N/A
        User Rights
        -----------
            N/A
        Security Options
        ----------------
            GPO: Default Domain Policy
                Policy: RequireLogonToChangePassword
                Computer Setting: Not Enabled
            GPO: Default Domain Policy
                Policy: PasswordComplexity
                Computer Setting: Not Enabled
            GPO: Default Domain Policy
                Policy: ForceLogoffWhenHourExpire
                Computer Setting: Not Enabled
            GPO: Default Domain Policy
                Policy: ClearTextPassword
                Computer Setting: Not Enabled
        Event Log Settings
        ------------------
            N/A
        Restricted Groups
        -----------------
            N/A
        System Services
        ---------------
            N/A
        Registry Settings
        -----------------
            N/A
        File System Settings
        --------------------
            N/A
        Public Key Policies
        --------------------
            N/A
Registry-based policies applied to the computer; as you can see, these policies come from different GPOs. All such policies are located in the HKEY_LOCAL_MACHINE registry branch.
        Administrative Templates
        ------------------------
            GPO: Default Domain Policy
                KeyName: Software\Policies\Microsoft\Windows NT\Printers\PublishPrinters
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: NET-Site's GPO
                KeyName: Software\Policies\Microsoft\Windows\System\DeleteRoamingCache
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: NET-Site's GPO
                KeyName: Software\Policies\Microsoft\Netlogon\Parameters\SiteName
                Value: 78, 0, 69, 0, 84, 0, 45, 0, 83, 0, 105, 0, 116, 0, 101, 0, 0, 0
                State: Enabled
            GPO: Default Domain Policy
                KeyName: Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonUI
                State: disabled
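The Value field in this block is the raw registry data printed as decimal bytes. The following Python example, added here and not part of the original text or of any Microsoft tool, parses a saved verbose report and decodes those bytes per GPO. The function names, the rule that a 4-byte value is treated as a DWORD, and the embedded sample (constructed from the output above) are assumptions.

```python
import re
import struct

# Constructed sample: part of the computer-side "Administrative Templates"
# block shown above, as saved with "gpresult ... /V > rsop.txt".
SAMPLE = r"""
Administrative Templates
------------------------
    GPO: Default Domain Policy
        KeyName: Software\Policies\Microsoft\Windows NT\Printers\PublishPrinters
        Value: 1, 0, 0, 0
        State: Enabled
    GPO: NET-Site's GPO
        KeyName: Software\Policies\Microsoft\Netlogon\Parameters\SiteName
        Value: 78, 0, 69, 0, 84, 0, 45, 0, 83, 0, 105, 0, 116, 0, 101, 0, 0, 0
        State: Enabled
    GPO: Default Domain Policy
        KeyName: Software\Policies\Microsoft\Windows NT\Reliability\ShutdownReasonUI
        State: disabled
"""

FIELD = re.compile(r"^\s*(GPO|KeyName|Value|State):\s*(.*?)\s*$")

def decode_value(text):
    """Decode a decimal byte list: 4 bytes as DWORD, otherwise UTF-16LE text."""
    try:
        raw = bytes(int(b) for b in text.split(","))
        if len(raw) == 4:                       # assumption: little-endian REG_DWORD
            return struct.unpack("<I", raw)[0]
        return raw.decode("utf-16-le").rstrip("\x00")
    except ValueError:                          # not a byte list or not valid UTF-16
        return text                             # keep the field exactly as printed

def parse_templates(output):
    """Return one dict per registry policy: gpo, key, decoded value, state."""
    records = []
    for line in output.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        name, data = m.groups()
        if name == "GPO":                       # each record starts with its source GPO
            records.append({"gpo": data, "key": None, "value": None, "state": None})
        elif records:
            field = {"KeyName": "key", "Value": "value", "State": "state"}[name]
            records[-1][field] = decode_value(data) if name == "Value" else data
    # "GPO:" lines from other sections (scripts, account policies) carry no KeyName
    return [r for r in records if r["key"]]
```

Run over the sample, the SiteName entry decodes to the string NET-Site and the 1, 0, 0, 0 entries to the DWORD 1, each still attributed to the GPO that set it.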
The information for the user account is structured in the same way as for the computer; general information for the user account:
USER SETTINGS
-------------
    Last time Group Policy was applied: 6/20/2002 at 6:45:00 PM
    Group Policy was applied from: N/A
    Group Policy slow link threshold: 500 kbps
    Domain Name: NET
    Domain Type: Windows 2000
Notice that the user account is located in one domain (NET), whereas the computer account belongs to another domain (SUBDOM). Therefore, the user and computer get policies from different domain controllers. However, since both domains are placed in the same site (NET-Site), both the user and computer receive the settings from a GPO linked to that site.
The list of applied and non-applied GPOs:
    Applied Group Policy Objects
    ----------------------------
        Marketing's GPO
        Staff's GPO
        Default Domain Policy
        NET-Site's GPO
    The following GPOs were not applied because they were filtered out
    ------------------------------------------------------------------
        Local Group Policy
            Filtering: Not Applied (Empty)
    The user is a part of the following security groups:
    ----------------------------------------------------
        Everyone
        BUILTIN\Users
        GlobalGroup
        LOCAL
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
    The user has the following security privileges:
    -----------------------------------------------
        Bypass traverse checking
        Shut down the system
        Remove computer from docking station
Below, all settings (divided by type) that the user has received are listed in detail.
    Resultant Set Of Policies for User:
    -----------------------------------
        Software Installations
        ----------------------
            N/A
The defined scripts follow. Notice that if the script is located in the default folder (…\policyGUIDName\USER\Scripts\Logon), only the script's name is displayed. However, if a script is stored in a shared folder, you can specify a UNC name for that script.
        Logon Scripts
        -------------
            GPO: Default Domain Policy
                Name: Welcome.vbs
                Parameters:
                LastExecuted: 3:26:45 PM
        Logoff Scripts
        --------------
        Public Key Policies
        -------------------
            N/A
For each policy applied, a corresponding registry value and data are specified. You can see all these values by using Regedit.exe; they are placed in the HKEY_CURRENT_USER branch.
        Administrative Templates
        ------------------------
            GPO: NET-Site's GPO
                KeyName: Software\Policies\Microsoft\Windows NT\SharedFolders\PublishSharedFolders
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: Marketing's GPO
                KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: Default Domain Policy
                KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: Marketing's GPO
                KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWindowsUpdate
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: Staff's GPO
                KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
                Value: 1, 0, 0, 0
                State: Enabled
            GPO: Marketing's GPO
                KeyName: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders
                Value: 1, 0, 0, 0
                State: Enabled
        Folder Redirection
        ------------------
            N/A
        Internet Explorer Browser User Interface
        ----------------------------------------
            N/A
        Internet Explorer Connection
        -----------------------------
            N/A
        Internet Explorer URLs
        ----------------------
            N/A
        Internet Explorer Security
        --------------------------
            N/A
        Internet Explorer Programs
        --------------------------
            N/A
To find the policy names used in the Group Policy snap-in that correspond to the registry settings displayed in the GPResult output, an administrator can use the Group Policy Reference from the Windows 2000 Server Resource Kit documentation or follow the web link http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/GPRef.asp?frame=true.
You can find additional information on GPResult in the Help and Support Center or in the Windows 2000 Resource Kit Tools documentation.