Common GPO Troubleshooting Tools
Following tools are either built in to the operating system or can be downloaded and installed from the Microsoft Web site:
If you need to archive Group Policy logs or troubleshoot a computer in a remote location.
If you want to generate and view Group Policy logs in text, HTML, or XML format, you can use
the GPLogView utility. You can use GPLogView to export Group Policy event data from the
system and Group Policy operational log.
The Group Policy Management Console (GPMC) provides numerous tools and features that
help with the troubleshooting of Group Policy.
Restores the default Group Policy objects to their original state (the default state after initial installation).
If you are having problems with the default GPOs that are created on every new domain, this
tool can help you. The two default GPOs, Default Domain Policy and Default Domain
Controller Policy, are essential for configuring account policies, security settings, and domain
controller user rights in the enterprise. Dcgpofix is an easy-to-use default tool for that reports the results of the
GPOs that were recovered. You can restore the Default Domain Policy or the Default Domain
Controller Policy individually, or you can restore both to the original settings.
If you have made any changes to these two GPOs after the initial installation of
the domain, the changes that you made will be lost.
GPMonitor is designed to help centralize reports created from the GPOs on a computer.
GPMonitor is part of the Microsoft Windows Server 2003 Resource Kit Tools.
GPMonitor sends information back to the centralized share when a refresh or a forced update to a GPO occurs on the target computer. When the information is sent back to the centralized share,it is stored in files that can then be queried. GPMonitor works by running on the computers that will store their information in the centralized share.
Reports the final settings applied from the GPOs on the local computer and from
Active Directory. GPResult is a built-in tool for Windows XP, Windows Vista, Windows Server 2003, and
Windows Server 2008. If you are running Windows 2000, you must obtain the tool from the
Microsoft Windows 2000 Resource Kit. The two versions are not compatible.
GPResult is a pure command-line tool, but it can provide invaluable information regarding the
GPOs for a target system. The tool reports on both user and computer policies.
GPUpdate will automatically cause a refresh of the GPOs from the local computer and all of
the GPOs at the Active Directory level. A valuable feature of this tool is the option to force the application of the GPOs from Active Directory, even if the GPO version number has not changed.This is ideal for ensuring that any local settings that have been altered manually are changed back to what the GPO indicates they should be.
GPOTool helps locate inconsistencies with the GPO versions stored in Active Directory and in
SYSVOL. GPOTool checks for inconsistency between Active Directory and SYSVOL versions of the
same GPO across peer domain controllers. This information can help you determine whether
replication latency is causing failure of computers or users to receive updates to new GPO
settings that have not yet converged between domain controllers.