Lesson 4: Troubleshooting Group Policy

This lesson describes problems you may encounter that relate to Group Policy. It also describes some best practices you should employ to keep Group Policy troubleshooting activities to a minimum.

After this lesson, you will be able to

  • Troubleshoot Group Policy
  • Employ best practices for Group Policy

Estimated lesson time: 10 minutes

Troubleshooting Group Policy

An important part of troubleshooting Group Policy problems is to consider dependencies between components. For example, Software Installation relies on Group Policy, and Group Policy relies on Active Directory directory services. Active Directory relies on proper configuration of network services. When trying to fix problems that appear in one component, it is generally helpful to check whether components, services, and resources on which it relies are working correctly. Event logs are useful for tracking down problems caused by this type of hierarchical dependency.

Table 20.8 describes problems that might occur with the Group Policy snap-in.

Table 20.8 Group Policy Snap-In Problems and Solutions

Symptom: The user cannot open a GPO even though he or she has Read access to it
Cause: An administrator must have both Read permission and Write permission for the GPO to open it in the Group Policy snap-in.
Solution: Be a member of a security group with Read and Write permission for the GPO. For example, a domain administrator can manage nonlocal GPOs. An administrator for a computer can edit the local GPO on that computer.

Symptom: When the user tries to edit a GPO, the "Failed To Open The Group Policy Object" message appears
Cause: A networking problem, specifically a problem with the Domain Name System (DNS) configuration.
Solution: Make sure DNS is working properly.

Table 20.9 describes scenarios where Group Policy settings are not taking effect.

Table 20.9 Group Policy Settings Problems and Solutions

Symptom: Group Policy is not being applied to users and computers in a security group that contains those users and computers, even though a GPO is linked to an OU containing that security group
Cause: This is correct behavior. Group Policy affects only users and computers contained in sites, domains, and OUs. GPOs are not applied to security groups.
Solution: Link GPOs to sites, domains, and OUs only. Keep in mind that the location of a security group in Active Directory is unrelated to whether Group Policy applies to the users and computers in that security group.

Symptom: Group Policy is not affecting users and computers in a site, domain, or OU
Cause: Group Policy settings can be prevented, intentionally or inadvertently, from taking effect on users and computers in several ways. A GPO can be disabled from affecting users, computers, or both. It also needs to be linked either directly to an OU containing the users and computers or linked to a parent domain or OU so that the Group Policy settings apply through inheritance. When multiple GPOs apply, they are processed in this order: local, site, domain, OU. By default, settings applied later have precedence. In addition, Group Policy can be blocked at the level of any OU, or enforced through a setting of No Override applied to a particular GPO link. Finally, the user or computer must belong to one or more security groups with appropriate permissions set.
Solution: Make sure that the intended policy is not being blocked. Make sure no policy set at a higher level of Active Directory has been set to No Override. If Block Policy Inheritance and No Override are both used, keep in mind that No Override takes precedence. Verify that the user or computer is not a member of any security group for which the Apply Group Policy (AGP) permission is set to Deny. Verify that the user or computer is a member of at least one security group for which the AGP permission is set to Allow. Verify that the user or computer is a member of at least one security group for which the Read permission is set to Allow.

Symptom: Group Policy is not affecting users and computers in an Active Directory container
Cause: GPOs cannot be linked to Active Directory containers other than sites, domains, and OUs.
Solution: Link a GPO to an OU that is a parent to the Active Directory container. Then, by default, those settings are applied to the users and computers in the container through inheritance.

Symptom: Group Policy is not taking effect on the local computer
Cause: Local policies are the weakest. Any nonlocal GPO can overwrite them.
Solution: Check to see what GPOs are being applied through Active Directory and if those GPOs have settings that are in conflict with the local settings.
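
The processing rules described in Table 20.9 (local, site, domain, OU order; Block Policy Inheritance; No Override; Read and Apply Group Policy filtering), worked through as a small Python model. This is an added example, not code from the training kit. The GPO names, settings, and group names are constructed, No Override is modelled on the GPO rather than on its link for brevity, and the model assumes that when several No Override GPOs conflict, the one linked highest in the hierarchy wins.

```python
# Simplified model of GPO resolution; all names and data below are constructed.
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict
    read: set = field(default_factory=lambda: {"Authenticated Users"})   # Read = Allow
    apply: set = field(default_factory=lambda: {"Authenticated Users"})  # AGP = Allow
    deny_apply: set = field(default_factory=set)                         # AGP = Deny
    disabled: bool = False      # GPO disabled for this user/computer
    no_override: bool = False   # really a property of the GPO link

@dataclass
class Container:                # one step on the path: local, site, domain, OU
    name: str
    gpos: list
    block: bool = False         # Block Policy Inheritance

def filtered_in(g, groups):     # Read and AGP allowed via some group; any AGP Deny wins
    return bool(not g.disabled and groups & g.read and groups & g.apply
                and not groups & g.deny_apply)

def resolve(path, groups):
    """Return (processing order, effective settings, skipped GPOs with reason)."""
    block_at = max((i for i, c in enumerate(path) if c.block), default=0)
    normal, enforced, skipped = [], [], {}
    for i, c in enumerate(path):
        for g in c.gpos:
            if not filtered_in(g, groups):
                skipped[g.name] = "filtered or disabled"
            elif g.no_override:
                enforced.append(g)            # No Override survives blocking
            elif 0 < i < block_at:            # index 0 is the local GPO, never blocked
                skipped[g.name] = "blocked at " + path[block_at].name
            else:
                normal.append(g)
    order = normal + enforced[::-1]           # enforced last; highest level wins
    effective = {}
    for g in order:
        effective.update(g.settings)          # settings applied later take precedence
    return [g.name for g in order], effective, skipped

GROUPS = {"Authenticated Users", "Sales"}
PATH = [
    Container("local", [GPO("Local", {"wallpaper": "local", "screen_lock": "off"})]),
    Container("site", [GPO("Site Proxy", {"proxy": "site"})]),
    Container("domain", [GPO("Domain Baseline", {"screen_lock": "on"}, no_override=True),
                         GPO("Domain Desktop", {"wallpaper": "corp"})]),
    Container("Sales OU", [GPO("Sales Desktop", {"wallpaper": "sales", "screen_lock": "off"}),
                           GPO("Kiosk", {"run_menu": "hidden"}, deny_apply={"Sales"})], block=True),
]
```

Calling resolve(PATH, GROUPS) shows the domain's No Override setting surviving both the OU's Block Policy Inheritance and the OU's conflicting value, while the skipped dictionary gives the reason each remaining GPO did not apply.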

Table 20.10 describes scenarios in which there are problems using the Software Installation extension.

Table 20.10 Software Installation Extension Problems and Solutions

Symptom: Published applications do not appear in Add/Remove Programs in Control Panel
Cause: Several causes are possible: Group Policy was not applied; Active Directory cannot be accessed; the user does not have any published applications in the GPOs that apply to him or her; the client is running Terminal Server.
Solution: Investigate each possibility. Note that Software Installation is not supported for Terminal Server clients.

Symptom: Document activation of a published application does not cause the application to install
Cause: The administrator did not set auto-install.
Solution: Ensure that Auto-Install This Application By File Extension Activation is checked in the Deployment tab in the application's properties sheet.

Symptom: The user receives an error message such as "The feature you are trying to install cannot be found in the source directory"
Cause: There are network or permissions problems.
Solution: Make sure the network is working correctly. Ensure that the user has Read and AGP permission for the GPO. Ensure that the user has Read permission for the SDP. Ensure that the user has Read permission for the application.

Symptom: After removal of an application, the shortcuts for the application still appear on the user's desktop
Cause: The user has created shortcuts and Windows Installer has no knowledge of them.
Solution: The user must remove the shortcuts manually.

Symptom: The user receives an error message such as "Another Installation Is Already In Progress"
Cause: An uninstallation might be taking place in the background with no user interface presented, or the user might have inadvertently triggered two installations simultaneously (which is not supported).
Solution: The user can try again later.

Symptom: The user opens an already installed application, and the Windows Installer starts
Cause: An application might be undergoing automatic repair, or a user-required feature is being added.
Solution: No action is required.

Symptom: The user receives error messages such as "Active Directory Will Not Allow The Package To Be Deployed" or "Cannot Prepare Package For Deployment"
Cause: The package might be corrupted or there might be a networking problem.
Solution: Investigate and take appropriate action.

Group Policy Best Practices

The following best practices should minimize your need to troubleshoot Group Policy.

General Group Policy Practices

  • Disable unused parts of a GPO. If all the settings under the User Configuration or Computer Configuration node of a GPO are Not Configured, you can avoid processing those settings by disabling that node. This expedites startup and logon for those users and computers subject to the GPO.
  • Use the Block Policy Inheritance and No Override features sparingly. Routine use of these features makes it difficult to troubleshoot Group Policy.
  • Minimize the number of GPOs associated with users or computers in domains or OUs. The more GPOs applied to a user, the longer it takes to start up and log on.
  • Filter policy based on security group membership. Users who do not have permissions directing that a particular GPO be applied to them can avoid the associated logon delay, because the GPO will not be processed for those users.
  • Use loopback only when necessary. Use loopback only if you need the desktop configuration to be the same regardless of who logs on.
  • Avoid cross-domain GPO assignments. The processing of GPOs will slow logon and startup if Group Policy is obtained from another domain.

Software Installation Practices

  • Specify application categories for your organization. Using categories makes it easier for users to find an application in Add/Remove Programs in Control Panel. For example, you could define categories such as Sales Applications, Accounting Applications, and so on.
  • Make sure Windows Installer packages include modifications before they are published or assigned. Remember that modifications are applied to packages at the time of assignment or publication. In practical terms, this means that you should make sure the Modifications tab of the package Properties dialog box is set up as you intend before you click OK. If you neglect to do this, and assign or publish a modified package before you have completely configured it, you can either remove the software and republish or reassign it or upgrade the software with a completely modified version.
  • Assign or publish just once per GPO. A Windows Installer package should be assigned or published no more than once in the same GPO. For example, if you assign Microsoft Office to the computers affected by a GPO, do not assign or publish it to users affected by the GPO.
  • Take advantage of authoring tools. Developers familiar with the files, registry entries, and other requirements for an application to work properly can author native Windows Installer packages using tools available from various software vendors.
  • Repackage existing software. You can use commercially available tools to create Windows Installer packages for software that does not include natively authored .msi files. These tools work by comparing a computer's state before and after installation. For best results, install the software onto a computer free of other application software (perform a clean installation).
  • Use SMS and Dfs. Microsoft Systems Management Server (SMS) and the Windows 2000 Distributed File System (Dfs) are helpful in managing the SDPs (the network shares from which users install their managed software).
  • Assign or publish close to the root in the Active Directory hierarchy. Because Group Policy settings apply by default to child Active Directory containers, it is efficient to assign or publish by linking a GPO to a parent OU or domain. Use security descriptors (such as Access Control Entries [ACEs]) on the GPO for finer control over who receives the software.
  • Use Software Installation properties for widely scoped control. This spares administrative keystrokes when assigning or publishing a large number of packages with similar properties in a single GPO—for example, when all the software is published and it all comes from the same SDP.
  • Use Windows Installer package properties for fine control. Use the package properties for assigning or publishing a single package.

Folder Redirection Practices

  • Incorporate %username% into fully qualified UNC paths. This allows users to have their own folders. For example, the user could specify \\server\share\%username%\My Documents and the username would be included in the path.
  • Have My Pictures follow My Documents. This is advisable unless there is a compelling reason not to, such as file share scalability.
  • Consider effects of policy removal. Keep in mind the behavior your Folder Redirection policies will have upon policy removal, as described in "Policy Removal Considerations."
  • Accept defaults. In general, accept the default Folder Redirection settings.

Lesson Summary

In this lesson you examined some Group Policy problems that you may encounter and possible solutions. You also learned some best practices for handling Group Policy.

MCSE Training Kit(c) Microsoft Windows 2000 Accelerated 2000
Year: 2004
Pages: 244
