Group Policy Verification Tool allows you to:
Check the internal consistency of the specified or all group policy objects that are stored on the selected domain controller or all DCs. These DCs can be located in the current or specified domain. The tool verifies both the directory service and SYSVOL parts of each GPO.
Check replication of GPOs by comparing replicas (instances) of each GPO on different domain controllers.
The tool can be run with any credentials on any domain computer.
Note: The terms policy and group policy object (GPO) are used as synonyms in this section. Remember that each GPO has a directory service part that is stored in Active Directory and a SYSVOL part that is stored in the system volume (SYSVOL) on disk.
Note: The /new and /del parameters described in the Windows 2000 Resource Kit Tools help file are not implemented in the released version of the tool.
Note: You can download a free copy of GPOTool.exe from the Microsoft website (see links in Appendix A).
By default, all policies on all domain controllers in the current user's domain are tested. If some DCs are offline, their names will not be listed in the "Available DCs" section (they will be shown as "down" only in verbose mode). Here is an example of the tool's resulting output:
C:\>gpotool
Validating DCs...
Available DCs:
netdc1.net.dom
netdc4.net.dom
Searching for policies...
Found 5 policies
=============================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Policy OK
=============================================
Policy {64C49D93-BBB7-410E-B999-837B5B90422B}
Policy OK
...
Policies OK
If a corrupted policy is found, it is displayed in verbose mode (see below) and the "Errors found" line appears at the end of the tool's output.
Note: A unique name (e.g., {31B2F340-016D-11D2-945F-00C04FB984F9}) is displayed for each policy (and extension) in the tool's output. This name is the policy's cn attribute rather than the GUID of the object that stores the directory part of the policy in Active Directory. (The braces are included in the policy name.) Remember that you can bind to a directory object only by using its GUID or distinguished name, not a "naming" attribute (cn, displayName, etc.).
It is possible to specify a domain to test other than the user's logon domain by using the /domain parameter. Also, you can specify one or more domain controllers to be tested with the /dc parameter. To test only one policy or a certain set of policies, use the /gpo parameter with the policies' unique names (cn) or friendly names. Note that all names must be separated with a comma (,) and specified without spaces.
More detailed information can be obtained from the tool by using the /verbose parameter. Since the output can be very large, redirect it into a file for subsequent inspection. An example of the resulting output in verbose mode is shown below (the comments are in square brackets).
C:\>gpotool /verbose
Domain: net.dom
Validating DCs...
netdc1.net.dom: OK
netdc4.net.dom: down [one DC in the domain is down]
Available DCs:
netdc1.net.dom
Searching for policies...
Found 6 policies
=======================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Policy OK
Details:
--------------------------------------------------------
DC: netdc1.net.dom [information on the policy is displayed individually for each DC that stores this policy (GPO)]
Friendly name: Default Domain Policy [this is the value of the displayName attribute of the policy's object in Active Directory]
Created: 5/12/2002 1:22:08 PM
Changed: 6/15/2002 6:09:41 PM
DS version: 15 (user) 28 (machine)
Sysvol version: 15 (user) 28 (machine) [the SYSVOL version must correspond to the directory service (DS) version]
Flags: 0 [see Notes below]
User extensions: [{3060E8D0-7020-11D2-842D-00C04FA372D4} {3060E8CE-7020-11D2-842D-00C04FA372D4}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2} {0F6B957D-509E-11D1-A7CC-0000F87571E3} {53D6AB1B-2488-11D1-A28C-00C04FB94F17}] [{827D319E-6EAC-11D2-A4EA-00C04F79F83A} {803E14A0-B4FB-11D0-A0D0-00A0C90F574B}] [{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} {53D6AB1B-2488-11D1-A28C-00C04FB94F17}] [each extension name is enclosed in square brackets; here three extension names are displayed]
Functionality version: 2 [must be 2 or higher]
------------------------------------------------------------
------------------------------------------------------------
DC: netdc4.net.dom
Friendly name: Default Domain Policy [the same GPO stored on another DC]
...
=============================================================
...
...
=============================================================
Policy {D6ECB136-92B4-484C-AF84-5697050BA978}
Policy OK
Details:
-------------------------------------------------------------
DC: netdc1.net.dom
Friendly name: NET-Site's GPO
Created: 5/19/2002 12:53:31 PM
Changed: 6/19/2002 12:54:22 PM
DS version: 0 (user) 2 (machine) [see Notes below]
Sysvol version: 0 (user) 2 (machine)
Flags: 0
User extensions: not found [this means that no user policies have been set in that GPO]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2} {0F6B957D-509E-11D1-A7CC-0000F87571E3}]
Functionality version: 2
-------------------------------------------------------------
...
-------------------------------------------------------------
Policies OK
Note: You can disable the unused parts of a GPO — Computer Configuration and User Configuration — in its Properties window. Flags: 1 corresponds to a disabled User Configuration, and Flags: 2 corresponds to a disabled Computer Configuration.
Note: Version numbers 0:0 correspond to a new GPO that may already be linked to a container but has not been configured yet.
Note: GUIDs for client-side extensions are listed in the article Q216357 in the Microsoft Knowledge Base. For example, GUID 35378EAC-683F-11D2-A89A-00C04FBBCFA2 belongs to the Registry Settings component, and GUID 25537BA6-77A8-11D2-9B6C-0000F8080861 is assigned to the Folder Redirection component. These and other GUIDs are the same in every Windows 2000 system.
Notice that this output does not contain any information on a policy's options (whether the policy is disabled or not) or on the state of inheritance (blocking and overriding). Also, you cannot see whether the policy is linked to a container or not.
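Because GPOTool prints a plain-text report, a scheduled run can be redirected to a file and turned into alerts. The parser below is an added example (it is not part of GPOTool or of this text) that extracts from such a report the DCs that were reported down, the policies found, any Error lines under each policy, and the closing "Errors found" verdict. The sample report is constructed here from the fragments of output shown above; the function names and the dictionary layout are the example's own choices.

```python
import re
from typing import Dict, List

# Constructed sample report, assembled from the fragments of gpotool output
# shown on this page: a verbose run with one DC down and one GPO whose
# gpt.ini is missing from SYSVOL. It is not a capture from a real domain.
SAMPLE_REPORT = r"""C:\>gpotool /verbose
Domain: net.dom
Validating DCs...
netdc1.net.dom: OK
netdc4.net.dom: down
Available DCs:
netdc1.net.dom
Searching for policies...
Found 2 policies
=============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Policy OK
Details:
-------------------------------------------------------------
DC: netdc1.net.dom
Friendly name: Default Domain Policy
-------------------------------------------------------------
=============================================================
Policy {64C49D93-BBB7-410E-B999-837B5B90422B}
Error: Cannot access \\netdc1.net.dom\sysvol\net.dom\policies\{64C49D93-BBB7-410E-B999-837B5B90422B}\gpt.ini, error 2
Details:
-------------------------------------------------------------
DC: netdc1.net.dom
Friendly name: Staff's GPO
-------------------------------------------------------------
Errors found
"""

# "Policy {cn}" opens a policy block; "Policy OK" and "Policies OK" do not match.
POLICY_RE = re.compile(r"^Policy (\{[0-9A-Fa-f-]{36}\})\s*$")
# "<dc>: OK" / "<dc>: down" lines appear only in verbose mode.
DC_STATE_RE = re.compile(r"^(\S+): (OK|down)\s*$")
FOUND_RE = re.compile(r"^Found (\d+) polic(?:y|ies)\s*$")


def parse_gpotool_report(text: str) -> dict:
    """Parse a gpotool report into a dictionary; per-policy lists hold Error lines."""
    report: dict = {"domain": None, "dcs_ok": [], "dcs_down": [], "dcs_available": [],
                    "policy_count": None, "policies": {}, "friendly_names": {},
                    "errors_found": False}
    section = None   # "validating" or "available" while inside the DC lists
    current = None   # cn of the policy whose block we are currently in
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain: "):
            report["domain"] = line[len("Domain: "):]
        elif line == "Validating DCs...":
            section = "validating"
        elif line == "Available DCs:":
            section = "available"
        elif line == "Searching for policies...":
            section = None
        elif section == "validating" and (m := DC_STATE_RE.match(line)):
            report["dcs_ok" if m.group(2) == "OK" else "dcs_down"].append(m.group(1))
        elif section == "available" and line:
            report["dcs_available"].append(line)
        elif m := FOUND_RE.match(line):
            report["policy_count"] = int(m.group(1))
        elif m := POLICY_RE.match(line):
            current = m.group(1)
            report["policies"][current] = []
        elif current and line.startswith("Error: "):
            report["policies"][current].append(line[len("Error: "):])
        elif current and line.startswith("Friendly name:"):
            # The tool sometimes prints no space after the colon; keep the first name seen.
            report["friendly_names"].setdefault(current, line.split(":", 1)[1].strip())
        elif line == "Errors found":
            report["errors_found"] = True
    return report


def alerts(report: dict) -> List[str]:
    """One alert line per DC that is down and per Error reported for a policy."""
    out = [f"DC down: {dc}" for dc in report["dcs_down"]]
    for cn, errors in report["policies"].items():
        name = report["friendly_names"].get(cn, "?")
        for err in errors:
            out.append(f"GPO {cn} ({name}): {err}")
    return out


if __name__ == "__main__":
    parsed = parse_gpotool_report(SAMPLE_REPORT)
    for line in alerts(parsed) or ["no alerts"]:
        print(line)
```

Python was chosen so the parsing logic is easy to read; the same line-oriented rules translate directly to a PowerShell or batch post-processing step that runs after the redirected gpotool output is written.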
To obtain information on one or more policies, use the /gpo parameter. You can specify either a unique policy name or a friendly name. Several policy names — if specified — must be separated by a comma; spaces between names are not allowed. For example:
C:\>gpotool /gpo:{31B2F340-016D-11D2-945F-00C04FB984F9},{64C49D93-BBB7-410E-B999-837B5B90422B}
or
C:\>gpotool /gpo:"Staff's GPO","Marketing's GPO"
The tool returns quite informative messages on corrupted GPOs; therefore, you can locate a problem and find the missing components of the failed GPO. Look below at a few examples of error messages.
The following message indicates a replication problem: two replicas of a GPO on different domain controllers are not consistent:
Error: netdc1.net.dom - netdc4.net.dom sysvol mismatch
This means that the GPO has been corrupted on one DC and has not been repaired by the File Replication Service (FRS), which should have copied the correct information from another domain controller but did not.
The message shown below indicates that the SYSVOL part of a GPO is not complete (the gpt.ini file is missing):
Error: Cannot access \\netdc1.net.dom\sysvol\net.dom\policies\{64C49D93-BBB7-410E-B999-837B5B90422B}\gpt.ini, error 2
In this case, again, check the FRS replication between domain controllers.
Here is an example of a GPO problem related to the information stored in Active Directory (notice the comments in square brackets):
C:\>gpotool /gpo:"Marketing's GPO"
Validating DCs...
Available DCs:
netdc1.net.dom
netdc4.net.dom
Searching for policies...
Found 1 policies
=============================================================
Policy {E327A07E-0482-4223-BB50-4BFAD097E406}
Error: Version mismatch on netdc4.net.dom, DS=65540, sysvol=131076
Details:
-------------------------------------------------------------
DC: netdc1.net.dom
Friendly name: Marketing's GPO
...
Changed: 6/19/2002 1:35:55 PM
DS version: 2 (user) 4 (machine)
Sysvol version: 2 (user) 4 (machine)
...
--------------------------------------------------------------
--------------------------------------------------------------
DC: netdc4.net.dom
Friendly name: Marketing's GPO
...
Changed: 6/19/2002 12:55:54 PM [the time stamps do not coincide]
DS version: 1 (user) 4 (machine) [the DS and SYSVOL versions do not coincide]
Sysvol version: 2 (user) 4 (machine)
...
---------------------------------------------------------------
Errors found
This means that the GPO has been changed on the netdc1.net.dom DC and these changes were not copied to the netdc4.net.dom DC due to some problems with Active Directory replication (as you can see, the SYSVOL information is correct on both DCs). In such a case, you should verify directory object replication from the first DC to the second DC.
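The numbers in the "Version mismatch" error above are worth decoding, because the same check can be made without the tool. As an added example (not from this text or from GPOTool), the Python below treats a GPO version as one 32-bit value with the User Configuration version in the high 16 bits and the Computer Configuration version in the low 16 bits; this is the documented GPO encoding, and it agrees with the output above, where DS=65540 is 1 (user) 4 (machine) and sysvol=131076 is 2 (user) 4 (machine). It also decodes the Flags values described in the Notes above and repeats, for one GPO, the two comparisons the tool performs: DS part against SYSVOL part on each DC, then each DC's replica against the first DC's. The gpt.ini text and the replica table are constructed from the "Marketing's GPO" example; the function names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Assumed encoding (documented GPO behaviour, and consistent with the error above:
# DS=65540 -> 1 (user) 4 (machine), sysvol=131076 -> 2 (user) 4 (machine)):
# the versionNumber attribute of the groupPolicyContainer object and the Version
# value in gpt.ini are one 32-bit number, high 16 bits = User Configuration
# version, low 16 bits = Computer Configuration version.
def split_version(version: int) -> Tuple[int, int]:
    """Return (user_version, machine_version) for a packed GPO version number."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def pack_version(user: int, machine: int) -> int:
    """Inverse of split_version."""
    return ((user & 0xFFFF) << 16) | (machine & 0xFFFF)


# Flags values as gpotool prints them (see the Notes above).
FLAG_USER_DISABLED = 1
FLAG_MACHINE_DISABLED = 2


def describe_flags(flags: int) -> str:
    parts = []
    if flags & FLAG_USER_DISABLED:
        parts.append("User Configuration disabled")
    if flags & FLAG_MACHINE_DISABLED:
        parts.append("Computer Configuration disabled")
    return ", ".join(parts) if parts else "both parts enabled"


def parse_gpt_ini(text: str) -> int:
    """Read the Version value (the SYSVOL version) from the text of a GPO's gpt.ini."""
    m = re.search(r"^Version=(\d+)\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("gpt.ini carries no Version value; the SYSVOL part is incomplete")
    return int(m.group(1))


def check_replicas(replicas: Dict[str, Tuple[int, int]]) -> List[str]:
    """replicas maps a DC name to (ds_version, sysvol_version) for one GPO.
    Returns gpotool-style error strings; an empty list means 'Policy OK'."""
    errors: List[str] = []
    if not replicas:
        return errors
    # Check 1: on every DC the DS part and the SYSVOL part must carry the same version.
    for dc, (ds, sysvol) in replicas.items():
        if ds != sysvol:
            errors.append(f"Version mismatch on {dc}, DS={ds}, sysvol={sysvol}")
    # Check 2: every DC's replica must agree with the first DC's replica.
    dcs = list(replicas)
    ref = dcs[0]
    for dc in dcs[1:]:
        if replicas[dc][0] != replicas[ref][0]:
            errors.append(f"{ref} - {dc} DS version mismatch")
        if replicas[dc][1] != replicas[ref][1]:
            errors.append(f"{ref} - {dc} sysvol version mismatch")
    return errors


# Constructed gpt.ini text for the netdc4 replica in the example above (not a real file).
GPT_INI_NETDC4 = "[General]\r\nVersion=131076\r\ndisplayName=Marketing's GPO\r\n"

# Replica state taken from the "Marketing's GPO" output above: netdc1 is consistent,
# netdc4 still has the older DS part (1/4) while its SYSVOL part is current (2/4).
MARKETING_GPO_REPLICAS: Dict[str, Tuple[int, int]] = {
    "netdc1.net.dom": (pack_version(2, 4), pack_version(2, 4)),
    "netdc4.net.dom": (pack_version(1, 4), parse_gpt_ini(GPT_INI_NETDC4)),
}


if __name__ == "__main__":
    for dc, (ds, sysvol) in MARKETING_GPO_REPLICAS.items():
        du, dm = split_version(ds)
        su, sm = split_version(sysvol)
        print(f"DC: {dc}")
        print(f"DS version: {du} (user) {dm} (machine)")
        print(f"Sysvol version: {su} (user) {sm} (machine)")
        print(f"Flags: 0 [{describe_flags(0)}]")
    for line in check_replicas(MARKETING_GPO_REPLICAS) or ["Policy OK"]:
        print(line)
```

In a live check the DS value would be read from the versionNumber attribute of the GPO's object on each DC, and the SYSVOL value from \\<dc>\sysvol\<domain>\policies\{cn}\gpt.ini on the same DC, which is exactly the pair the tool compares in the "Version mismatch" message.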