Leveraging Other Useful Tools for Managing Group Policies

Leveraging Other Useful Tools for Managing Group Policies

Microsoft provides additional tools for managing group policies and the File Replication Service, above and beyond ADUC and GPMC. Some are loaded automatically with Windows 2003 Server and others can be found on the Microsoft Web site or with the Windows 2003 Resource kit.

Using the GPupdate Tool

The GPUpdate utility comes with Windows 2003 and replaces Windows 2000 Server secedit/ refreshpolicy command line utility. When run, it refreshes the Computer Policy or User Policy, both locally and AD-based, including security settings. This eliminates the need to have the user reboot or log out/in to receive the new policy changes immediately. The syntax is as follows :

 Gpupdate [/target:{computer  user}] [/force] [/wait:Value] [/ logoff ] [/boot] 

For more information on the syntax commands, type the following at the command prompt to access help.

Gpudate /?

Using the GPresult Tool

GPresult is a free utility from Microsoft that comes with the Server Resource Kit. It's a small program that has to be installed before use. It must be run via a command line on the machine that is being investigated. The GPresult.exe tool will discover where the computer and the logged in user are receiving their Group Policy and what policies are applied to them. Although a great deal of the information output by the gpresult.exe tool is available in other areas and using other tools, it is convenient to have it all displayed in one place.

Using the GPmonitor.exe Tool

GPmonitor.exe is the Group Policy Monitor tool. It is used to gather information collected during GP refresh intervals and send the data to a specified central location. There, the tool can be used to analyze the data, as well. The gpmonitor.exe is available in the Windows Server 2003 Deployment Kit.

Using the GPOTool Tool

The GPOTool should be used for troubleshooting Group Policy issues in domains with more than one domain controller or across domains. The tool scours all the domain controllers in a domain or across domains and checks for consistency between the group policies located in the SYSVOL share on each domain controller and reports on what it finds. It also checks the validity of the group policies on all domain controllers, checks on object replication, and displays detailed information about the GPOs. The GPOTool.exe is available with the Microsoft Windows 2000 Server Resource Kit and is also available for downloading on Microsoft's Web site.

Using the FRSDiag.exe Tool

FRS replication is the replication service that is used to replicate Group Policy Objects between domain controllers. It can be very difficult to troubleshoot, due in no small part to the troubleshooting tools that were available for use up to this time. However, Microsoft now has an excellent new tool called FRSDiag that provides a GUI interface through which an you run tests easily to analyze FRS replication. You can choose to look at single or multiple domain controllers at a time, check their event logs for errors, run NTFRSUTL options, run REPADMIN /showreps and REPADMIN /showconn, and run many other of the previously available FRS tools. However, the results are much clearer and easier to understand when output to the GUI interface. When the tool is configured to output the results to a screen, it lists any DCs with failures in red and any successes in green. The output can also be put into cab files. FRSDiag.exe can be downloaded from http://www.microsoft.com/downloads.

A highly useful test available within FRSDiag is the Canary File Tracer. The Canary File Tracer can be configured to check the SYSVOL\domain name \policies directory (or any directory specified in the Share Root text area) for the correct number of folders or files. For example, if domain controllers cannot replicate Group Policies successfully and have a different number of policy folders present in their SYSVOL\domain_name\policies folder, this tool will, in minutes, check the number of folders on each domain controller across the domain to see if they match across the domain controllers and output this data to the screen. It even tells how many policies above or below the target number the domain controller is off by. To do this, follow these steps:

1. On the main screen, in the Target Server area, choose all the domain controllers in the domain.

2. In File Output, choose None.

3. Choose Tools, Canary File Tracer.

4. In the share root area, type the following: domain_name\policies\*.*

5. In the Expected Number of Hits box, type the number of folders in the policies container (for example, 135).

6. Click the Go button.

The Canary File Tracer will then output the data to the screen, showing the results of the tests. Obviously, the Canary File Tracer can be used to troubleshoot other issues and search for other files and folders as well. It's not just limited to the search capabilities listed previously.

Figure 6.9 shows the configuration options for the Canary File Tracer.

Using the Sonar.exe Tool

Sonar.exe can be downloaded from http://www.microsoft.com/downloads. It provides a GUI interface that enables you to check the FRS replication health of all domain controllers in the domain, which can help with troubleshooting Group Policy replication problems. Sonar can be configured to poll the domain controllers at different intervals for FRS health and will output the results such as backlogged files waiting to be replicated, down FRS services, and other error states to the GUI screen. Sonar is also a useful tool for monitoring DFS health because it uses FRS as well.