Group Policy Troubleshooting
If you have problems with Group Policy not working as it should, begin by verifying that Group Policy is applied: check the Event Viewer to see whether there are any warning or error messages.
If nothing shows, check the following:
GPO Must Be Linked: When a new GPO is created, it may not be linked to any node within Active Directory. Even though the GPO can be edited and modified, it will not affect any objects until it is linked to a node.
GPO Must Target Correct Object: Group Policy must target the correct objects in Active Directory (user or computer).
GPOs Do Not Apply to Groups
Target Object Must Be in the Path of the GPO: When you notice that a GPO setting is not affecting an object as it should, there is one more important requirement: the object must be in the Scope of Management (SOM) of the GPO. This means that the object must be located under the node where the GPO is linked.
Needs To Be Enabled: When you are troubleshooting a GPO that will not apply, it is a good idea to check whether some or all of the GPO is disabled.
Check the required infrastructure: Make sure that required services and components are running and configured as expected.
Check computer core configuration: Verify that the computer is connected to the network, is joined to the domain, is authenticated to a domain controller, and has the correct system time.
Verify that default GPO processing has not been altered: Blocking policy inheritance, enforcing a GPO, security filtering, WMI filtering, and Group Policy Preferences item-level targeting alter default policy processing.
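The link, scope, enabled-state and filtering checks in the list above can be read in one pass with the GroupPolicy PowerShell module. This is an added example, not part of the original article; the function name, the GPO name and the distinguished name are hypothetical, and it assumes the object sits in an OU (not a plain container) and that the GPMC/RSAT cmdlets are installed.

```powershell
# Added example: requires the GroupPolicy module (GPMC / RSAT) and a domain connection.
Import-Module GroupPolicy

function Test-GpoScope {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ObjectDn   # DN of the user or computer
    )
    $gpo = Get-GPO -Name $GpoName -ErrorAction Stop

    # Parent OU of the object: everything after the first unescaped comma.
    $parentDn = ($ObjectDn -split '(?<!\\),', 2)[1]

    # GPO links that reach the parent OU once block inheritance and
    # enforcement have been taken into account.
    $som  = Get-GPInheritance -Target $parentDn -ErrorAction Stop
    $link = $som.InheritedGpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }

    # Security filtering: principals holding the Apply Group Policy permission.
    $apply = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }

    [pscustomobject]@{
        Gpo                = $gpo.DisplayName
        GpoStatus          = $gpo.GpoStatus        # e.g. AllSettingsEnabled, UserSettingsDisabled
        ParentContainer    = $parentDn
        LinkedInPath       = [bool]$link           # False: not linked above the object, or blocked
        LinkedAt           = $link.Target
        LinkEnabled        = $link.Enabled
        LinkEnforced       = $link.Enforced
        InheritanceBlocked = $som.GpoInheritanceBlocked
        WmiFilter          = $gpo.WmiFilter.Name
        AppliesTo          = $apply -join ', '
    }
}

# Hypothetical GPO name and computer DN.
Test-GpoScope -GpoName 'Workstation Baseline' -ObjectDn 'CN=PC01,OU=Workstations,DC=example,DC=com'
```

Item-level targeting in Group Policy Preferences is stored inside the individual preference items and is not covered by this check.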
Group Policy and DNS
Many GPO problems are associated with DNS, so when you have a Group Policy problem, check the DNS settings. Ensure that the client has the correct IP address configuration. If the client cannot contact DNS, GPOs will not apply. Make sure that the DHCP server has all of the IP configurations correct, and make sure that the client is receiving IP information. Make sure that the correct records are listed in DNS for both client and server, even on domain controllers. There must be a CNAME entry for all computers on the network, and the correct SRV records must be present for the domain controllers running the domain.
Some GPO settings do not process in the background. This is the case if the setting is under a client-side extension (CSE) such as software installation, folder redirection, Group Policy drive maps, scripts, deployed printer connections, Microsoft Internet Explorer branding, Group Policy printers, or offline files. All these settings under CSEs update only on a foreground refresh.
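The client-side DNS and core configuration checks described above (domain membership, authentication to a domain controller, SRV records, name resolution) can be collected on the affected machine as follows. This is an added example, not part of the original article; the function name is hypothetical, and it assumes Windows PowerShell 5.1 in an elevated session on a client with the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example: run on the client that is not receiving policy.
function Test-GpClientPrereq {
    param([string] $Domain = (Get-CimInstance Win32_ComputerSystem).Domain)

    $cs = Get-CimInstance Win32_ComputerSystem

    # SRV records the client uses to locate domain controllers.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget })

    # Domain controller host names from those records that do not resolve.
    $unresolved = @($srv | ForEach-Object { $_.NameTarget } | Sort-Object -Unique |
        Where-Object { -not (Resolve-DnsName -Name $_ -ErrorAction SilentlyContinue) })

    [pscustomobject]@{
        DomainJoined    = $cs.PartOfDomain
        Domain          = $Domain
        # Verifies the machine account's trust relationship with the domain.
        SecureChannel   = $cs.PartOfDomain -and (Test-ComputerSecureChannel)
        DcSrvRecords    = $srv.Count
        UnresolvedDcs   = $unresolved -join ', '
        # GPO files are read from SYSVOL; an unreachable share means no policy.
        SysvolReachable = Test-Path "\\$Domain\SYSVOL\$Domain\Policies"
    }
}

Test-GpClientPrereq | Format-List
```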
Unavailable PDC Emulator
When the domain controller that controls the PDC emulator role is not available, editing of GPOs will fail. This is because the system relies on the PDC emulator to make changes to all GPOs by default.
Using Event Logging for Troubleshooting
A new addition in Windows Vista and Windows Server 2008 is the updated Event Viewer features and logs. One of the most significant additions is a log dedicated to Group Policy. The Userenv logs are no longer available with Windows Vista and Windows Server 2008.
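The dedicated Group Policy log can be queried from PowerShell instead of browsing Event Viewer. This is an added example, not part of the original article; the function name and its parameters are hypothetical, and reading a remote log assumes the caller has event log read rights on that computer.

```powershell
# Added example: find the most recent warning or error in the Group Policy
# operational log and return every event from the same processing pass.
function Get-GpFailedPass {
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Hours        = 24
    )
    $log = 'Microsoft-Windows-GroupPolicy/Operational'

    # Level 2 = Error, 3 = Warning. SilentlyContinue suppresses the
    # "no events were found" error when the log is clean.
    $problems = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = $log
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Newest first; keep the latest problem event that carries an ActivityID.
    $latest = $problems | Where-Object { $_.ActivityId } | Select-Object -First 1
    if (-not $latest) { return }

    # All events of one policy processing pass share the same ActivityID.
    $id    = $latest.ActivityId.ToString('B').ToUpper()
    $xpath = "*[System/Correlation/@ActivityID='$id']"

    Get-WinEvent -ComputerName $ComputerName -LogName $log -FilterXPath $xpath -Oldest |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-GpFailedPass | Format-Table -Wrap
```

Reading the pass in chronological order shows which step preceded the warning or error, such as domain controller discovery, GPO list retrieval, or a specific extension.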
Common GPO Troubleshooting Tools
The following tools are either built in to the operating system or can be downloaded and installed from the Microsoft Web site:
GPLogView If you need to archive Group Policy logs or troubleshoot a computer in a remote location, or if you want to generate and view Group Policy logs in text, HTML, or XML format, you can use the GPLogView utility. You can use GPLogView to export Group Policy event data from the system and Group Policy operational log.
GPMC The Group Policy Management Console (GPMC) provides numerous tools and features that help with the troubleshooting of Group Policy.
Dcgpofix.exe Restores the default Group Policy objects to their original state (the default state after initial installation). If you are having problems with the default GPOs that are created on every new domain, this tool can help you. The two default GPOs, Default Domain Policy and Default Domain Controller Policy, are essential for configuring account policies, security settings, and domain controller user rights in the enterprise. Dcgpofix is an easy-to-use default tool that reports the results of the GPOs that were recovered. You can restore the Default Domain Policy or the Default Domain Controller Policy individually, or you can restore both to the original settings. If you have made any changes to these two GPOs after the initial installation of the domain, the changes that you made will be lost.
GPMonitor.exe GPMonitor is designed to help centralize reports created from the GPOs on a computer. GPMonitor is part of the Microsoft Windows Server 2003 Resource Kit Tools. GPMonitor sends information back to the centralized share when a refresh or a forced update to a GPO occurs on the target computer. When the information is sent back to the centralized share, it is stored in files that can then be queried. GPMonitor works by running on the computers that will store their information in the centralized share.
GPResult Reports the final settings applied from the GPOs on the local computer and from Active Directory. GPResult is a built-in tool for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. If you are running Windows 2000, you must obtain the tool from the Microsoft Windows 2000 Resource Kit. The two versions are not compatible. GPResult is a pure command-line tool, but it can provide invaluable information regarding the GPOs for a target system. The tool reports on both user and computer policies.
GPUpdate GPUpdate will automatically cause a refresh of the GPOs from the local computer and all of the GPOs at the Active Directory level. A valuable feature of this tool is the option to force the application of the GPOs from Active Directory, even if the GPO version number has not changed. This is ideal for ensuring that any local settings that have been altered manually are changed back to what the GPO indicates they should be.
GPOTool GPOTool helps locate inconsistencies with the GPO versions stored in Active Directory and in SYSVOL. GPOTool checks for inconsistency between Active Directory and SYSVOL versions of the same GPO across peer domain controllers. This information can help you determine whether replication latency is causing failure of computers or users to receive updates to new GPO settings that have not yet converged between domain controllers.
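The consistency check that GPOTool performs can be approximated with the GroupPolicy and ActiveDirectory PowerShell modules by reading each GPO's version numbers from every domain controller. This is an added example, not part of the original article and not GPOTool's own logic; the function name is hypothetical, and it assumes RSAT is installed and every domain controller is reachable.

```powershell
# Added example: compare Active Directory and SYSVOL version numbers of every
# GPO as reported by each domain controller.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoVersionByDc {
    param([string] $Domain = $env:USERDNSDOMAIN)

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        foreach ($gpo in Get-GPO -All -Domain $Domain -Server $dc.HostName) {
            [pscustomobject]@{
                DomainController = $dc.HostName
                Gpo              = $gpo.DisplayName
                UserAD           = $gpo.User.DSVersion
                UserSysvol       = $gpo.User.SysvolVersion
                ComputerAD       = $gpo.Computer.DSVersion
                ComputerSysvol   = $gpo.Computer.SysvolVersion
                # One string per row so rows can be compared across DCs.
                Fingerprint      = '{0}/{1}/{2}/{3}' -f $gpo.User.DSVersion, $gpo.User.SysvolVersion,
                                       $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion
            }
        }
    }
}

$rows = Get-GpoVersionByDc

# 1. AD and SYSVOL disagree on the same domain controller.
$rows | Where-Object { $_.UserAD -ne $_.UserSysvol -or $_.ComputerAD -ne $_.ComputerSysvol } |
    Format-Table DomainController, Gpo, UserAD, UserSysvol, ComputerAD, ComputerSysvol

# 2. Domain controllers disagree with each other about the same GPO
#    (replication has not yet converged).
$rows | Group-Object Gpo |
    Where-Object { @($_.Group.Fingerprint | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group | Format-Table DomainController, Gpo, Fingerprint }
```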
Synchronous and Asynchronous Application of Settings
Within a GPO you can configure how policy application occurs at boot time and logon. The changes that you can make will either provide immediate access to the desktop while policies are still applying, or ensure all policies apply before the user has access to the desktop. Most administrators prefer to have a synchronous application of policy, to ensure that all policies are applied before the user can access the desktop. This ensures that all security and configuration settings are applied before any work can be done by the user. This is not the default state in Windows XP Professional, which was optimized for enhanced logon speed.
ADM Template Issues
When you are configuring settings in a GPO under the Administrative Templates section, the code in the ADM template creates the folders and policies in the Group Policy Editor under the Administrative Templates node.
If the ADM template is corrupt, missing, or not configured properly, it is possible that you won't see some or all of the settings in the editor.
Missing ADM Templates: When you edit a GPO and find that there are settings in a custom ADM template that are not showing up in the editor, you need to import the ADM template into the GPO.
Missing Preferences: There are two types of settings that can be created in a custom GPO: Preferences and Policies. Policies are the default Microsoft settings that all fall into one of four subkeys in the registry, each ending with the text "Policies". Preferences are registry modifications that don't fall under one of the four subkeys. These preferences don't show up in the editor by default; you must enable them to show up. To do this, go to the View menu on the toolbar, select Filtering, then check the "Only show policy settings that can be fully managed" checkbox.