Chapter 15: Group Policy Tools

On Windows 2000 systems, an administrator has only two tools — GPResult and GPOTool — that can help him or her to troubleshoot group policies by analyzing the effect that a group policy object (GPO) produces on a computer and/or user as well as by verifying the "health" of GPOs and their replication between domain controllers in a domain. These tools are included in the Windows 2000 Server Resource Kit or can be downloaded through the Internet.

Windows XP and Windows .NET systems offer GPResult as a standard built-in tool that fulfills some options of the Resultant Set of Policy (RSoP) technology. In addition, these systems include a GUI tool with similar functions — the Resultant Set of Policy snap-in that allows administrators to analyze group policy settings for existing users and computers as well as to simulate (plan) these settings for any user and computer objects stored in Active Directory.

Group Policy Results (GPResult.exe) (SYS)

GPResult is a very powerful, and at the same time, a rather simple instrument that allows an administrator to manage and troubleshoot issues related to Change and Configuration Management and implemented through group policies (registry and software settings, disk quotas, folder redirection, IP security, and scripts). The tool's screen output may be enormous and laden with details. (As a rule, you should redirect it to a file for successive analysis, or use the more pipe.) This shouldn't frighten you too much, since the tool is pretty well documented, and its results are, in fact, quite simple to interpret.

The Windows 2000 version of GPResult can only be run on the current computer for the currently logged-on user. (You cannot use the RunAs command with GPResult.) You can also run GPResult on a remote computer by using a telnet session.

The Windows XP/.NET version of GPResult (v2.0) can be targeted to any domain client computer and any domain user. (GPResult works in the logging mode only. This means that the user must log on to the target computer at least once before GPResult will be executed and the computer must be online!). See, for example, the following command:

    C: \>gpresult /S xp-pro3.net.dom /SCOPE USER /USER JSmith /V 

This command displays detailed information on the group policy settings that are applied (or will be applied) to the user JSmith on the xp-pro3.net.dom computer.

In this chapter, we will discuss GPResult v2.0 — the most powerful and flexible version; however, both versions (Windows 2000 and Windows .NET) are rather similar if one compares their output information.

Note 

If a GPO is created and linked to a container, but not yet configured (i.e., has the version 0:0; see the GPOTool's description below), it will be "invisible" to GPResult, even if the group policies linked to that container must affect (directly or by inheritance) the user or computer.

Note 

For Windows 2000 systems, you can download a free copy of GPResult.exe from the Microsoft website (see links in Appendix A).

Note 

You can run the Windows 2000 version of GPResult on Windows XP/.NET-based computers.

Note 

Keep in mind that Windows XP and Windows .NET systems have different versions of GPResult, though they have the same options.

General Structure of the Tests

The best way to get acquainted with GPResult is to view a brief description of sample output from the tool. Let us first look at the general structure of the full test. GPResult displays the following information:

  • Date and time when the test was run

  • Information on the operating system where the test was run

  • Information on the computer for which the RSoP data is displayed (this information is omitted if the /SCOPE USER parameter is specified)

    • Date and time when the computer policy was last applied

    • Settings received by the computer

    • Computer's security group membership

  • Information on the user for which the RSoP data is displayed (this information is omitted if the /SCOPE COMPUTER parameter is specified)

    • Date and time when the user policy was last applied

    • Settings received by the user

    • User's security group membership

The tool has three operational modes:

  • Normal — displays general information only (described above). You may use this mode to verify whether or not the user or computer has received settings from a particular GPO that you are interested in, or to find out which GPOs affect the user or computer.

  • Verbose — the basic mode to view detailed information (for example, exact policy settings assigned in a specific GPO).

  • Super-verbose — a special mode for thorough analysis (for example, this mode allows you to see whether the same policy was assigned at several levels in the GPO hierarchy; if a policy was assigned in two or more GPOs, then other modes will display only the name of a GPO with the highest precedence).

Description of Tests

Let us discuss a sample output, which GPResult has produced in verbose mode. The comments divide the output into logical sections. For presentation purposes, some lines and words are shown in bold. Comments in bold square brackets have also been inserted.

Since the computer account is in another domain, an administrator's credentials are provided in the command.

    C:\>gpresult /S xp-pro3.subdom.net.dom /USER JSmith       /U SUBDOM\administrator /P admPsw /Z    Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0    Copyright (C) Microsoft Corp. 1981-2001 

The date when the test was run:

    Created On 6/20/2002 at 7:27:21 PM 

The target system information:

    RSOP data for NET\jsmith on XP-PRO3 : Logging Mode    --------------------------------------------------    OS Type:                      Microsoft Windows XP Professional    OS Configuration:             Member Workstation    OS Version:                   5.1.2600    Terminal Server Mode:         Remote Administration    Site Name:                    NET-Site    Roaming Profile:              \\NETDC1\Profiles\JSmith    Local Profile:                I: \Documents and Settings\jsmith.NET    Connected over a slow link?:  No 

The general information on the computer account:

    COMPUTER SETTINGS    ---------------------    CN=XP-PRO3, OU=Staff, DC=subdom, DC=net, DC=dom    Last time Group Policy was applied: 6/20/2002 at 7:24:48 PM    Group Policy was applied from:      netdc2.subdom.net.dom    Group Policy slow link threshold:   500 kbps    Domain Name:                        SUBDOM    Domain Type:                        Windows 2000 

Group policies from the following GPOs have been applied to the computer:

     Applied Group Policy Objects     ----------------------------        Default Domain Policy        NET-Site's GPO 

The following GPO does not contain any settings for computer accounts, therefore it has not been applied:

     The following GPOs were not applied because they were filtered out     -------------------------------------------------------------------         Local Group Policy             Filtering: Not Applied (Empty) 

The computer account's group membership:

     The computer is a part of the following security groups:     --------------------------------------------------------          BUILTIN\Administrators          Everyone          BUILTIN\Users          XP-PRO3$          Domain Computers          NT AUTHORITY\NETWORK          NT AUTHORITY\Authenticated Users 

Exact policies applied to the computer account:

     Resultant Set Of Policies for Computer:     ---------------------------------------             Software Installations             ----------------------                  N/A [this means that the GPOs that affect this computer                          account do not contain policy settings of that kind              Startup Scripts            ---------------                  GPO: Default Domain Policy                      Name:               Up.vbs                      Parameters:                      LastExecuted: 2:28:49 PM              Shutdown Scripts              ----------------                   N/A              Account Policies              ----------------                     GPO: Default Domain Policy  [account policies can be defined                                                      at the domain level only]                         Policy:              MinimumPasswordAge                          Computer Setting: N/A                     GPO: Default Domain Policy                         Policy:              PasswordHistorySize                         Computer Setting: 3                     GPO: Default Domain Policy                         Policy:              MinimumPasswordLength                         Computer Setting: N/A                     GPO: Default Domain Policy                         Policy:             LockoutBadCount                         Computer Setting: N/A                     GPO: Default Domain Policy                         Policy:             MaximumPasswordAge                         Computer Setting: 42               Audit Policy               ------------                   N/A               User Rights               -----------                   N/A               Security Options               ----------------                     GPO: Default Domain Policy                         Policy: RequireLogonToChangePassword                         Computer Setting: Not Enabled                     GPO: Default Domain Policy                         Policy: PasswordComplexity                         Computer Setting: Not Enabled                     GPO: Default Domain Policy                         Policy: ForceLogoffWhenHourExpire                         Computer Setting: Not Enabled                     GPO: Default Domain Policy                         Policy:             ClearTextPassword                         Computer Setting: Not Enabled                 Event Log Settings                 ------------------                      N/A                 Restricted Groups                 -----------------                      N/A                 System Services                 ---------------                      N/A                 Registry Settings                 -----------------                      N/A                 File System Settings                 --------------------                      N/A                 Public Key Policies                 --------------------                      N/A 

Registry-based policies applied to the computer; as you can see, these policies come from different GPOs. All such policies are located in the HKEY_ LOCAL _ MACHINE registry branch.

     Administrative Templates     ------------------------         GPO: Default Domain Policy             KeyName:     Software\Policies\Microsoft\Windows NT\                          Printers\PublishPrinters             Value:       1, 0, 0, 0             State:       Enabled         GPO: NET-Site's GPO             KeyName:     Software\Policies\Microsoft\Windows\                          System\DeleteRoamingCache             Value:       1, 0, 0, 0             State:       Enabled         GPO: NET-Site's GPO            KeyName:      Software\Policies\Microsoft\Netlogon\                          Parameters\SiteName             Value:       78, 0, 69, 0, 84, 0, 45, 0, 83, 0, 105, 0,                          116, 0, 101, 0, 0, 0             State:       Enabled         GPO: Default Domain Policy            KeyName:      Software\Policies\Microsoft\Windows NT\                          Reliability\ShutsownReasonUI             State:       disabled 

The information for the user account is structured in the same way as for the computer; general information for the user account:

    USER SETTINGS    -------------        Last time Group Policy was applied:  6/20/2002 at 6:45:00 PM        Group Policy was applied from:       N/A        Group Policy slow link threshold:    500 kbps        Domain Name:                         NET        Domain Type:                         Windows 2000 

Notice that the user account is located in one domain (NET), whereas the computer account belongs to another domain (SUBDOM). Therefore, the user and computer get policies from different domain controllers. However, since both domains are placed in the same site (NET-Site), both the user and computer receive the settings from a GPO linked to that site.

The list of applied and non-applied GPOs:

    Applied Group Policy Objects    ----------------------------        Marketing's GPO        Staff's GPO        Default Domain Policy        NET-Site's GPO    The following GPOs were not applied because they were filtered out    ------------------------------------------------------------------        Local Group Policy            Filtering: Not Applied (Empty)    The user is a part of the following security groups:    ----------------------------------------------------        Everyone        BUILTIN\Users        GlobalGroup        LOCAL        NT AUTHORITY\INTERACTIVE        NT AUTHORITY\Authenticated Users    The user has the following security privileges:    -----------------------------------------------        Bypass traverse checking        Shut down the system        Remove computer from docking station 

Below, all settings (divided by type) that the user has been received are listed in detail.

    Resultant Set Of Policies for User:    -----------------------------------        Software Installations        ----------------------            N/A 

The scripts defined are followed below. Notice that if the script is located in the default folder (\policyGUIDName\USER\Scripts\Logon), only the script's name is displayed. However, if a script is stored in a shared folder, you can specify a UNC name for that script.

        Logon Scripts        -------------            GPO: Default Domain Policy                Name:         Welcome.vbs                Parameters:                LastExecuted: 3:26:45 PM        Logoff Scripts        --------------        Public Key Policies        -------------------             N/A 

For each policy applied, a corresponding registry value and data are specified. You can see all these values by using Regedit.exe; they are placed in the HKEY_CURRENT_USER branch.

         Administrative Templates         ------------------------             GPO: NET-Site's GPO                 KeyName:     Software\Policies\Microsoft\Windows NT\                              SharedFolders\PublishSharedFolders                 Value:       1, 0, 0, 0                 State:       Enabled             GPO: Marketing's GPO                 KeyName:     Software\Microsoft\Windows\CurrentVersion\                              Policies\Explorer\NoSMMyDocs                 Value:       1, 0, 0, 0                 State:       Enabled             GPO: Default Domain Policy                 KeyName:     Software\Microsoft\Windows\CurrentVersion\                              Policies\Explorer\NoRun                 Value:       1, 0, 0, 0                 State:       Enabled             GPO: Marketing's GPO                 KeyName:     Software\Microsoft\Windows\CurrentVersion\                              Policies\Explorer\NoWindowsUpdate                 Value:       1, 0, 0, 0                 State:       Enabled             GPO: Staff's GPO                 KeyName:     Software\Microsoft\Windows\CurrentVersion\                              Policies\Explorer\NoDesktop                 Value:       1, 0, 0, 0                 State:       Enabled             GPO: Marketing's GPO                 KeyName:     Software\Microsoft\Windows\CurrentVersion\                              Policies\Explorer\NoStartMenuSubFo lders                 Value:       1, 0, 0, 0                 State:       Enabled         Folder Redirection         ------------------             N/A         Internet Explorer Browser User Interface         ----------------------------------------             N/A         Internet Explorer Connection         -----------------------------             N/A         Internet Explorer URLs         ----------------------             N/A         Internet Explorer Security         --------------------------             N/A         Internet Explorer Programs         --------------------------             N/A 

In order to find policies' names settled in the Group Policy snap-in that correspond registry settings displayed in GPResult output data, an administrator can use the Group Policy Reference from the Windows 2000 Server Resource Kit documentation or follow the web link http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/GPRef.asp?frame=true.

You can find additional information on GPResult in the Help and Support Center or in the Windows 2000 Resource Kit Tools documentation.



Windows  .NET Domains & Active Directory
Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net