Lesson 3: Troubleshooting Security Templates




Applying security templates to a single computer is straightforward. However, when you apply security templates by using Group Policy, it gets much more complex, and complexity can lead to problems. To successfully deploy security templates by using Group Policy, you must understand how to isolate and resolve these problems. There are two primary types of problems you might experience when deploying security templates: Group Policy that fails to be applied to a system, and unexpected security settings.

After this lesson, you will be able to

  • Manually refresh Group Policy.

  • Isolate the cause of a GPO that is not successfully applied.

  • Identify the source of an unexpected security policy.

  • List the various tools that can be used to isolate the source of problems that can occur when applying GPOs.

  • Identify which tool is best for various Group Policy troubleshooting tasks.

Estimated lesson time: 45 minutes

Troubleshooting Problems with Applying Group Policy

When Group Policy fails to be applied to a system, the problem is usually related to network connectivity, incorrect system time, a policy being blocked, or insufficient user permissions. Figure 3.6 shows a flowchart that can be followed to troubleshoot problems relating to a Group Policy object that is not successfully applied to a system.

Figure 3.6: Troubleshooting problems relating to failed Group Policy

The sections that follow describe individual tasks for identifying the source of Group Policy problems.

Refreshing Group Policy

Problems with applying Group Policy can often be quickly resolved by refreshing policies. With Gpupdate, a command-line tool, you can force a computer to immediately re-apply all Group Policy. Gpupdate replaces and improves upon the Windows 2000 command secedit /refreshpolicy. To use Gpupdate to force all policies to be updated, follow these steps:

  1. Open a command prompt.

  2. Execute the command Gpupdate /force.

Tip 

This doesn’t relate to security settings, but some policy items, such as computer-assigned software, require a reboot to take effect. User-assigned software requires the user to log on and log off.

Gpresult

Gpresult is a command-line tool that displays detailed information about user and computer policies. Though many administrators shy away from command-line tools, Gpresult is the best way to quickly determine what Group Policy objects were applied, in which order they were applied, and what security group memberships might have influenced which Group Policy objects the computer or user has permissions to access. Unlike other tools, Gpresult displays policies that were filtered, and why they were filtered. This is a common cause of problems relating to GPOs not being applied.

Note 

Gpresult used to be a free download from Microsoft. It’s now included with Windows Server 2003.

When run with the /Z parameter, Gpresult provides several useful pieces of information that Help And Support Center does not provide. The information Gpresult provides includes the following:

  • Operating system

  • Computer information, including computer name and location in Active Directory

  • Domain and site information

  • User information, including user name, location in Active Directory, and profile details

  • Group memberships for both the computer and the current user

  • Time the Group Policy object was updated

  • Group Policy objects that were filtered out

  • The last time policy was applied and the domain controller that applied policy, for the user and computer

  • The complete list of applied GPOs and their details, including a summary of the extensions that each GPO contains

  • Registry settings that were applied and their details

  • Folders that are redirected and their details

  • Software management information detailing assigned and published applications

  • The resultant set of policies

  • User security privileges

The following is an excerpt from a sample output from the Gpresult tool:

COMPUTER SETTINGS
------------------
    CN=COMPUTER1,OU=Domain Controllers,DC=cohowinery,DC=com
    Last time Group Policy was applied: 10/29/2003 at 5:35:50 PM
    Group Policy was applied from:      computer1.cohowinery.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        COHOWINERY
    Domain Type:                        Windows 2000
    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        COMPUTER1$
        Dial-up Accessible Computers
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

To view the output of Gpresult, execute the following commands at a command prompt:

    Gpresult /Z > Gpresult.txt
    Notepad Gpresult.txt

The /Z parameter for Gpresult causes it to output so much information that much of it would be lost if you attempted to view the output in a command prompt.

Help And Support Center Advanced System Information

The Advanced System Information tool in Help And Support Center displays information about the result Group Policy has had on the current computer and logged-on user. It provides information that is similar to that provided by Gpresult, but it provides a friendlier, graphical interface. Generally, Gpresult is more useful because it provides more information, but you should be familiar with Help And Support Center’s functionality.

The Advanced System Information tool provides the following information:

  • Operating system

  • Domain

  • Site

  • Time the Group Policy object was updated

  • Group memberships for both the computer and the current user

  • Startup, shutdown, logon, and logoff scripts

  • Security settings applied from the Group Policy object, including restricted groups and file system and registry permissions

You can access the Advanced System Information report from Help And Support Center by following these steps:

  1. Click Start, and then click Help And Support.

  2. Click Support.

  3. Under See Also, click Advanced System Information.

  4. Under Advanced System Information, click View Group Policy Settings Applied.

    Help And Support Center displays Group Policy results, as shown in Figure 3.7.

    Figure 3.7: Help And Support Center Group Policy information

Analyzing permissions

As discussed earlier, a computer or user must have permission to apply a Group Policy object. By default, Group Policy objects allow the Authenticated Users special group to read and apply a Group Policy object. However, this default permission can be overridden or changed, which can lead to a complex troubleshooting situation.

When analyzing Group Policy permissions, start by identifying which security groups the computer or user is a member of. The quickest way to list these groups is to use the Gpresult command-line tool. After you have determined the group memberships, check for the presence of these in the list of permissions for the Group Policy object that you expected to be applied.

Caution 

If you link a Group Policy object to an OU and then create a security group in that OU, members of the security group will not inherit the Group Policy object. Group Policy is only inherited through domains, organizational units, and sites.

Analyzing WMI filtering

Another potential cause of a Group Policy object not being applied to a system is WMI filtering. You can quickly diagnose such a problem by examining the complete output of Gpresult. Specifically, look for lines in the output that include the word filtering. The following excerpt from a sample Gpresult output shows that the GPO named East Coast Computer Policy was not applied because of a WMI filter named XP Only:

COMPUTER SETTINGS
------------------
    CN=COMPUTER1,OU=Domain Controllers,DC=cohowinery,DC=com
    Last time Group Policy was applied: 10/30/2003 at 2:34:08 PM
    Group Policy was applied from:      computer1.cohowinery.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        COHOWINERY
    Domain Type:                        Windows 2000
    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        East Coast Computer Policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: XP Only
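The check described above (look for the Filtering lines, then compare group memberships) can be run over a saved Gpresult.txt. The following Python script is an added example, not part of the original lesson; the function names are hypothetical and the sample text is constructed from the excerpts shown in this lesson.

```python
import re

# Constructed sample, modelled on the Gpresult excerpts in this lesson.
SAMPLE = """
COMPUTER SETTINGS
------------------
    CN=COMPUTER1,OU=Domain Controllers,DC=cohowinery,DC=com
    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        East Coast Computer Policy
            Filtering:  Denied (WMI Filter)
            WMI Filter: XP Only
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        Everyone
        Domain Controllers
"""

SECTIONS = (("applied group policy objects", "applied"),
            ("filtered out", "filtered"), ("security groups", "groups"))


def parse_gpresult(text):
    """Parse Gpresult text into {scope: {applied, filtered, groups}}."""
    report, scope, section = {}, None, None
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        if not line or set(line) == {"-"}:
            continue  # blank line or dashed underline
        underlined = i + 1 < len(lines) and lines[i + 1] and set(lines[i + 1]) == {"-"}
        if underlined:  # every heading in the report is underlined with dashes
            low = line.lower()
            if low in ("computer settings", "user settings"):
                scope, section = low.split()[0], None
                report[scope] = {"applied": [], "filtered": [], "groups": []}
            else:
                section = next((name for key, name in SECTIONS if key in low), None)
            continue
        if scope is None or section is None:
            continue  # header details such as the distinguished name
        attr = re.match(r"(Filtering|WMI Filter):\s*(.*)", line)
        if section == "filtered" and attr and report[scope]["filtered"]:
            key = "reason" if attr.group(1) == "Filtering" else "wmi_filter"
            report[scope]["filtered"][-1][key] = attr.group(2)
        elif section == "filtered":
            report[scope]["filtered"].append({"name": line, "reason": None, "wmi_filter": None})
        else:
            report[scope][section].append(line)
    return report


def denied_gpos(report):
    """Filtered-out GPOs whose Filtering reason starts with Denied."""
    return [(scope, g["name"], g["reason"], g["wmi_filter"])
            for scope, data in report.items()
            for g in data["filtered"] if (g["reason"] or "").startswith("Denied")]
```

Entries returned by `denied_gpos` are the ones to investigate; the `groups` list gives the memberships to compare against the GPO's permissions.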

If you determine that Group Policy is being incorrectly filtered because of a WMI filter, edit the WMI filter by following these steps:

  1. Open a blank MMC console and add the Group Policy Object Editor snap-in.

  2. When the Group Policy Wizard appears, specify the GPO that you identified as being filtered because of WMI filtering.

  3. After you open the Group Policy Object Editor snap-in, right-click the Group Policy node, and then click Properties.

  4. Click the WMI Filter tab.

  5. Click Browse/Manage. In the Manage WMI Filters window, click Advanced.

  6. Click the WMI filter named in the Gpresult output.

  7. Edit the Queries field as necessary to correct your problem, and then click Save.

  8. Click OK twice to return to the Group Policy Object Editor snap-in.

    Caution 

    A single WMI filter can be associated with multiple GPOs. Be careful when editing them—you can affect the filtering of Group Policy objects you didn’t intend to modify!

Analyzing events in Event Viewer

When a Group Policy object is applied or when a problem occurs, Windows Server 2003 adds an event to the Application event log, as shown in Figure 3.8. All events will have the source ID SceCli, which enables you to use event filtering to display only those events relating to the application of Group Policy. When troubleshooting Group Policy problems, check the Application event log for related warning events. The informational events signify that Group Policy was applied, but they are not useful for troubleshooting because they do not provide much information about the policies.

Figure 3.8: A Group Policy event

Exam Tip 

For the exam, be aware that you can check Event Viewer to see if Group Policy was applied. In the real world, it’s easier to use tools such as Help And Support Center or Gpresult.

Troubleshooting Unexpected Security Settings

Unexpected security settings can result when multiple templates are applied to a system using multiple GPOs. In these cases, the GPOs might not be prioritized as you expect, another administrator might have caused inheritance to be blocked or overridden, or changes, such as removing a GPO, might not have reached a system yet. Figure 3.9 shows a flowchart that can be followed to troubleshoot problems relating to unexpected Group Policy inheritance.

Figure 3.9: Troubleshooting problems related to unexpected inheritance

Resultant Set Of Policy snap-in

The Resultant Set Of Policy (RSoP) snap-in provides a familiar user interface that shows you the effective setting for each of the security template policies. It is an excellent way to verify that the settings you’ve configured in your security templates are applied to target systems as you expected. If a policy setting is not what you expected, RSoP identifies the Group Policy object responsible for defining the policy. Figure 3.10 shows RSoP displaying password policies.

Figure 3.10: Resultant Set Of Policy

To run RSoP, follow these steps:

  1. Open a blank MMC console, and add the Resultant Set Of Policy snap-in.

  2. Right-click Resultant Set Of Policy, and click Generate RSoP Data.

    The Resultant Set Of Policy Wizard appears.

  3. Click Next.

  4. On the Mode Selection page, click Logging Mode, and then click Next.

  5. To analyze the local computer, click This Computer. Otherwise, click Another Computer, and specify the remote computer to analyze. Click Next.

  6. To analyze the current user, click Current User. Otherwise, click Select A Specific User, and specify the user to analyze. Click Next.

  7. On the Summary Of Selections page, click Next, and then click Finish.

  8. To view computer security configuration, expand Computer Configuration, Windows Settings, and then Security Settings.

Analyzing Group Policy using the registry

When Group Policy objects are applied to a computer, the computer stores important information about the Group Policy objects it is applying in the last place you’d look: the registry. Information about computer policies is stored under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History key. Information about user policies (relating to the currently logged on user) is stored under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History key.

To view this information, follow these steps:

  1. Click Start, and then click Run. Type Regedit, and then click OK.

  2. In the Registry Editor, navigate to one of the following two keys:

    • If you are troubleshooting problems relating to a computer policy, navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History.

    • If you are troubleshooting problems relating to a user policy, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy\History.

  3. Expand the History key to reveal one or more subkeys relating to Group Policy Extensions.

  4. Expand each of the Group Policy Extension keys. You will find one or more subkeys, numbered starting at 0.

    The numbers indicate the order in which the policies were applied to the system. Lower numbers were applied first.

  5. As shown in Figure 3.11, click each of the keys and examine the values contained within.

    Figure 3.11: Group Policy information stored in the registry

An explanation of each of the registry values that can be used follows:

  • DisplayName. DisplayName is the friendly name of the GPO.

  • DSPath. DSPath is the distinguished name of the path to the GPO stored in Active Directory. This attribute will not be present for Local GPOs.

  • FileSysPath. FileSysPath is the path to the Group Policy template, or file-based policy, contained in a Group Policy object. If this is a GPO from the domain, the path will be a Universal Naming Convention (UNC) path to the SYSVOL share on the domain controllers. If this is a Local GPO, the path will be a local path that points to the structure beginning with the path %SystemRoot%\system32\GroupPolicy.

  • GPOLink. The GPOLink value identifies what scope the GPO was applied to, therefore affecting the computer or user. The following values are valid:

    • 0= No link information

    • 1= The GPO is linked to a machine (local)

    • 2= The GPO is linked to a site

    • 3= The GPO is linked to a domain

    • 4= The GPO is linked to an organizational unit

  • GPOName. The GPOName value contains the name of the GPO as it is referenced. For GPOs associated with computers, this name will be the friendly name of the GPO. For GPOs stored in Active Directory, this will be the globally unique identifier (GUID) of the GPO.

  • lParam. The lParam value is used to perform various functions on GPOs.

  • Options. The Options value represents the options selected by the administrator when configuring the GPO link, such as whether to disable the GPO or to force the settings defined in the GPO on subcontainers.

  • Version. The Version registry value specifies the version number of the GPO when it was applied last. The number is used to determine if the GPO has changed since it was last applied.

In the context of troubleshooting, you can use this information to trace GPOs back to their source in Active Directory. You can also determine the order in which Group Policy objects were applied. If the order is not the order you expected, use the Active Directory Users And Computers console to modify the order in which Group Policy objects are applied.
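To read the application order without clicking through each subkey, the History key can be dumped to text and parsed. The following Python script is an added example, not part of the original lesson; it assumes the key was exported with `reg query "<History key>" /s`, and the function names, the GUID placeholders and the sample values are constructed.

```python
import re

# GPOLink values as listed in this lesson.
GPOLINK = {0: "no link information", 1: "machine (local)", 2: "site",
           3: "domain", 4: "organizational unit"}

# Constructed sample of `reg query ... /s` output; the extension and GPO
# GUIDs are placeholders. Keys are deliberately out of order.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{EXTENSION-GUID-PLACEHOLDER}\2
    DisplayName    REG_SZ    Default Domain Controllers Policy
    DSPath    REG_SZ    LDAP://CN={GPO-GUID-PLACEHOLDER-2},CN=Policies,CN=System,DC=cohowinery,DC=com
    GPOLink    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{EXTENSION-GUID-PLACEHOLDER}\0
    DisplayName    REG_SZ    Local Group Policy
    FileSysPath    REG_SZ    C:\WINDOWS\system32\GroupPolicy\Machine
    GPOLink    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\{EXTENSION-GUID-PLACEHOLDER}\1
    DisplayName    REG_SZ    Default Domain Policy
    DSPath    REG_SZ    LDAP://CN={GPO-GUID-PLACEHOLDER-1},CN=Policies,CN=System,DC=cohowinery,DC=com
    GPOLink    REG_DWORD    0x3
"""

KEY_RE = re.compile(r"\\Group Policy\\History\\([^\\]+)\\(\d+)$", re.I)
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_history(text):
    """Return {extension key: [entry, ...]}, entries sorted by numbered subkey."""
    history, current = {}, None
    for line in text.splitlines():
        key = None if line[:1].isspace() else KEY_RE.search(line.rstrip())
        value = VALUE_RE.match(line)
        if key:  # a numbered subkey under one Group Policy extension
            current = {"order": int(key.group(2))}
            history.setdefault(key.group(1), []).append(current)
        elif value and current is not None:
            name, kind, data = value.groups()
            current[name] = int(data, 16) if kind == "REG_DWORD" else data.strip()
        elif line.strip() and not value:
            current = None  # a different key, or the reg.exe banner line
    for entries in history.values():
        entries.sort(key=lambda e: e["order"])  # numeric, so 10 follows 9
    return history


def application_order(history):
    """Per extension: (order, display name, link scope, source path) tuples."""
    return {ext: [(e["order"], e.get("DisplayName"),
                   GPOLINK.get(e.get("GPOLink"), "unknown"),
                   e.get("DSPath") or e.get("FileSysPath"))  # no DSPath on local GPOs
                  for e in entries]
            for ext, entries in history.items()}
```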

Troubleshooting checklist

Use the following checklist to identify the source of unexpected Group Policy inheritance:

  • Verify that the intended policy is not being blocked.

  • Verify that no overriding policy that is set at a higher level of Active Directory has been set to No Override. If Block and No Override are both used, No Override takes precedence.

  • Verify that the user or computer is not a member of any security group for which the Apply Group Policy permission is set to Deny.

  • Verify that the user or computer is a member of at least one security group for which the Apply Group Policy permission is set to Allow.

  • Verify that the user or computer is a member of at least one security group for which the Read permission is set to Allow.

Troubleshooting System Policy

You can experience the same problems applying system policies to earlier Windows operating systems as you can experience applying Group Policy objects to Windows 2000, Windows XP, and Windows Server 2003 computers. However, you must use completely different tools and procedures to troubleshoot the problems.

If you experience a problem with a system policy that is not applied to a system successfully, first verify that the policy file is correctly named. For Windows NT 4.0 clients, the policy file must be named Ntconfig.pol. For computers running Windows 95 and Windows 98, you must name the policy file Config.pol.

Next, verify that the .pol file is located in the correct folder. It should be located in the Netlogon share on a domain controller. Technically, it must be located in the Netlogon share of the domain controller to which it authenticates; however, after you place the .pol file on one domain controller, it should automatically replicate to other domain controllers. If you copy the .pol file to the correct folder on a domain controller and it fails to replicate, troubleshoot the problem as an issue with file synchronization between domain controllers.

System policies can experience problems similar to the inheritance problems Group Policy can experience. System Policy can be associated with security groups, and if a user is a member of multiple groups, then multiple security policies will be applied. The system policy itself determines the order in which the policies associated with the various groups are applied. If the wrong security setting is being applied, reorder the group priority:

  1. Start System Policy Editor.

  2. On the File menu, click Open Policy.

  3. Open the policy that you want. For computers running Windows Millennium Edition and Windows 98, open Config.pol. For computers running Windows NT 4.0, open Ntconfig.pol.

  4. On the Options menu, click Group Priority.

  5. Click a group in the Group Order list, as shown in Figure 3.12, and then click either Move Up or Move Down.

    Figure 3.12: Group order for system policies

  6. After you configure the groups in order of priority, click OK.

  7. On the File menu, click Save.

  8. Quit System Policy Editor.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.

  1. Which of the following tools can be used to identify which GPOs were applied to a computer? (Choose all that apply.)

    1. Resultant Set Of Policy

    2. Help And Support Center

    3. Gpresult

    4. Gpupdate

    5. Active Directory Users And Computers

    6. Group Policy Object Editor

    7. Registry Editor

  2. Which of the following tools can be used to identify the current Minimum Password Length setting and the responsible GPO? (Choose all that apply.)

    1. Resultant Set Of Policy

    2. Help And Support Center

    3. Gpresult

    4. Gpupdate

    5. Active Directory Users And Computers

    6. Group Policy Object Editor

    7. Registry Editor

  3. Which of the following tools can be used to force a computer to refresh all Group Policy objects?

    1. Resultant Set Of Policy

    2. Help And Support Center

    3. Gpresult

    4. Gpupdate

    5. Active Directory Users And Computers

    6. Group Policy Object Editor

    7. Registry Editor

Lesson Summary

  • Use Gpupdate to refresh policy before you begin troubleshooting and after each change you make to Group Policy.

  • The Advanced System Information tool in Help And Support Center is a graphical tool that provides a thorough description of GPOs applied to a user and computer.

  • Gpresult displays the most complete set of information about GPOs applied to a user and computer.

  • Windows Server 2003 records information about applied GPOs in the registry.



MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217
