3. Troubleshooting Group Policy with the Group Policy Results
Wizard and Gpresult.exe
As an administrator, you are likely to encounter scenarios that
require Group Policy troubleshooting. You might need to diagnose and
solve problems, including the following:
The Group Policy Results Wizard and Gpresult.exe often provide
the most valuable insight into Group Policy processing and application
problems. Remember that these tools examine the WMI RSOP provider to
report exactly what happened on a system. Examining the RSOP report
often points you to a GPO that is scoped incorrectly or policy
processing errors that prevented the application of settings in a
GPO.
4. Performing What-If Analyses with the Group Policy Modeling
Wizard
If you move a computer or user between sites, domains, or OUs,
or change its security group membership, the GPOs scoped to that user
or computer change and, therefore, the RSOP for the computer or user
is different. RSOP also changes if slow link or loopback processing
occurs or if there is a change to a system characteristic that is
targeted by a WMI filter.
Before you make any of these changes, you should evaluate the
potential impact to the RSOP of the user or computer. The Group Policy
Results Wizard can perform RSOP analysis only on what has actually
happened. To predict the future and to perform what-if analyses, you
can use the Group Policy Modeling Wizard.
To perform Group Policy modeling, right-click the Group Policy
Modeling node in the Group Policy Management console tree, click Group
Policy Modeling Wizard, and then perform the steps in the
wizard.
Modeling is performed by conducting a simulation on a domain
controller, so you are first asked to select a domain controller that
is running Windows Server 2003 or later. You do not need to be logged
on locally to the domain controller, but the modeling request will be
performed on the domain controller. You are then asked to specify the
settings for the simulation:
-
Select a user or computer object to evaluate, or specify the
OU, site, or domain to evaluate. -
Choose whether slow link processing should be
simulated. -
Specify whether to simulate loopback processing and, if so,
choose Replace or Merge mode. -
Select a site to simulate. -
Select security groups for the user and the computer. -
Choose which WMI filters to apply in the simulation of user
and computer policy processing.
When you have specified the settings for the simulation, you
receive a report that is very similar to the Group Policy Results report discussed earlier. The
Summary tab shows which GPOs will be processed, and the Settings tab
displays the policy settings that will be applied to the user or
computer. You can save this report by right-clicking it and choosing
Save Report.
5. Examining Policy Event Logs
Windows Vista, Windows Server 2008, and later versions of
Windows improve your ability to troubleshoot Group Policy not only with RSOP tools but also with
improved logging of Group Policy events.
The System log provides high-level information about Group
Policy, including errors created by the Group Policy Client when it
cannot connect to a domain controller or locate GPOs. The Application log captures events recorded by CSEs. The
Group Policy Operational Log provides detailed
information about Group Policy processing.
To find these Group Policy logs, open the Event Viewer snap-in or console. The System and Application logs are in the Windows Logs
node. The Group Policy Operational Log is found in Applications And
Services Logs\Microsoft\Windows\GroupPolicy\Operational.
Practice Configuring Group Policy Scope
Practice Configuring Group Policy Scope
In this practice, you follow a scenario that builds upon the
GPOs you created and configured in Lessons 1 and 2. You perform
RSOP results and modeling analysis and examine policy-related
events in the event logs. To perform these exercises, you must
have completed the practices in Lessons 1 and 2.
EXERCISE 1 Use the Group Policy
Results Wizard
In this exercise, you use the Group Policy Results Wizard to examine RSOP on
SERVER01. You confirm that the policies you created in Lessons 1
and 2 have applied.
-
Log on to SERVER01 as Administrator. -
Open Command Prompt and type gpupdate.exe /force /boot to initiate a
Group Policy refresh.
If the system reboots, log on as Administrator. If the
system does not reboot, close Command Prompt.
Make a note of the current system time; you will need to
know the time of the refresh for Exercise 3, “View Policy
Events.” -
Open the Group Policy Management console. -
Expand Forest. -
Right-click Group Policy Results and click Group Policy Results Wizard. -
Click Next. -
On the Computer Selection page, select This Computer and
click Next. -
On the User Selection page, select Display Policy
Settings For, select Select A Specific User, and select
CONTOSO\Administrator. Then click Next. -
On the Summary Of Selections page, review your settings
and click Next. -
Click Finish.
The RSOP report appears in the details pane of the
console. -
On the Summary tab, click the Show All link at the top
of the report. -
Review the Group Policy Summary results. For both user
and computer configuration, identify the time of the last
policy refresh and the list of allowed and denied GPOs.
Identify the components that were used to process policy
settings. -
Click the Settings tab and click the Show All link at
the top of the page. Review the settings that were applied
during user and computer policy application and identify the
GPO from which the settings were obtained. -
Click the Policy Events tab and locate the event that
logs the policy refresh you triggered with the Gpupdate.exe
command in step 2. -
Click the Summary tab, right-click the page, and choose
Save Report. Save the report as an HTML file to your Documents
folder with a name of your choice. -
Open the saved RSOP report from your Documents
folder.
EXERCISE 2 Use the Gpresult.exe
Command
In this exercise, you perform RSOP analysis in Command
Prompt, using Gpresult.exe.
-
Open Command Prompt. -
Type gpresult /r and
press Enter.
RSOP summary results are displayed. The information is
very similar to the Summary tab of the RSOP report produced by
the Group Policy Results Wizard. -
Type gpresult /v and
press Enter.
A more detailed RSOP report is produced. Notice many of
the Group Policy settings applied by the client are
listed in this report. -
Type gpresult /z and
press Enter.
The most detailed RSOP report is produced. -
Type gpresult
/h:“%userprofile%\Documents\RSOP.html” and press
Enter.
An RSOP report is saved as an HTML file to your
Documents folder. -
Open the saved RSOP report from your documents folder.
Compare the report, its information, and its formatting to the
RSOP report you saved in the previous exercise.
EXERCISE 3 View Policy
Events
As a client performs a policy refresh, Group Policy
components log entries to the Windows event logs. In this
exercise, you locate and examine Group Policy–related
events.
-
Open the Event Viewer console from the Administrative
Tools folder. -
Expand Windows Logs and click System. -
Locate events with GroupPolicy as the Source. You can
even click the Filter Current Log link in the Actions pane and
then select GroupPolicy in the Event Sources drop-down
list. -
Review the information associated with GroupPolicy
events. -
Click the Application node in the console tree under
Windows Logs. -
Sort the Application log by the Source column. -
Review the logs by Source and identify the Group Policy
events that have been entered in this log.
Which events are related to Group Policy application,
and which are related to the activities you have been
performing to manage Group Policy? -
In the console tree, expand Applications And Services
Logs\Microsoft\Windows \GroupPolicy and click
Operational. -
Locate the first event related to the Group Policy
refresh that you initiated in Exercise 1, “Use the Group
Policy Results Wizard,” with the Gpupdate.exe command. Review
that event and the events that followed it.
EXERCISE 4 Perform Group Policy
Modeling
In this exercise, you use Group Policy modeling to evaluate
the potential effect of your policy settings on users who log on
to sales laptops.
-
Open the Active Directory Users And Computers
snap-in. -
Create a user account for Mike Danseglio in the User
Accounts OU.
-
Create a computer account in the Clients OU called
LAPTOP101.
-
Add LAPTOP101 to the Sales Laptops group. -
In the Group Policy Management console, expand
Forest. -
Right-click Group Policy Modeling and choose Group
Policy Modeling Wizard. -
Click Next. -
On the Domain Controller Selection page, click
Next. -
On the User And Computer Selection page, in the User
Information section, click User, click Browse, and then select
Mike Danseglio. -
In the Computer Information section, click Computer,
click Browse, and select LAPTOP101 as the computer. -
Click Next. -
On the Advanced Simulation Options page, select the
Loopback Processing check box and select Merge.
Even though the Sales Laptop Configuration GPO specifies
the loopback processing, you must instruct the Group Policy
Modeling Wizard to consider loopback processing in its
simulation. -
Click Next. -
On the Alternate Active Directory Paths page, click
Next. -
On the User Security Groups page, click Next. -
On the Computer Security Groups page, click Next. -
On the WMI Filters For Users page, click Next. -
On the WMI Filters For Computers page, click.
Next. -
Review your settings on the Summary Of Selections page.
Click Next, and then click Finish. -
Review the information in the Group Policy Modeling report. Confirm that the
following policy settings will be applied to Mike when he logs
on to LAPTOP101:
-
The laptop will wait for the network at startup, so
that any changes to policy settings are applied before a
user is allowed to log on. -
A password-protected screensaver will launch after
10 minutes. -
The standard wallpaper will be used.
|