section 5: troubleshooting and backing up gpos using group policy troubleshooting tools integration...

Section 5: Troubleshooting and Backing Up GPOs

Using Group Policy Troubleshooting Tools Integration of RSoP Functionality Using Logging Options Backing Up, Restoring, Importing, and

Copying GPOs Building Migration Tables

Managing Windows Environments with Group Policy

© 2013 Global Knowledge Training LLC. All rights reserved.

Section Objectives

After completing this section, you will be able to:Describe the Group Policy troubleshooting toolsDescribe the GPMC tools that have RSoP functionalityDescribe the GPO logging tools used to obtain more

detail about the GPO processing issuesExplain how to back up, restore, import, and copy

GPOs using the GPMCExplain how to build migration tables

5-2


Using Group Policy Troubleshooting Tools

5-3

Client-Side Tools Group Policy Results (gpresult.exe) Group Policy Update (gpupdate.exe) GPMC Remote Update

Group Policy Replication Tools GPO Verification tool (gpotool.exe) deprecated GPMC Infrastructure Status Replication Monitor (replmon.exe) deprecated Repadmin

PowerShell Tools Get-GPResultantSetOfPolicy Invoke-GPUpdate

Note: Deprecated tools may still

function, but are no longer supported

by Microsoft.


Group Policy Results

Gpresult is a built-in tool for Windows XP and later operating systems.

You can use it to display RSoP data in a command-line interface.

5-4


Gpresult Tool Options

gpresult /R provides basic GPO information listing the GPO names that have been processed.

gpresult /V displays verbose output that details the actual policy settings.

gpresult /Hsends output to an HTML file.

5-5


Group Policy Update

You can use the Gpupdate tool to refresh policies ahead of the 90 to 120 minute default update interval.

The /force switch forces an update even if the GPO service thinks it is up to date.

5-7


GPMC Remote Update

You can use the GPMC tool to refresh policies against multiple remote machines

5-8


Group Policy Verification Tool

The Gpotool tool can help ensure that all domain controllers have an up-to-date copy of the GPOs in the domain.

5-9

Note: This is considered a

deprecated tool. Use the GPMC Infrastructure

Status tab instead.


GPMC Infrastructure Status

The GPMC Infrastructure Status tab can determine if domain controllers have an up-to-date copy of the GPOs in the domain.

5-10


Replication Monitor

You can use the Replmon tool to monitor and force replication of Active Directory and Sysvol.

5-11

Note: This is considered a

deprecated tool. Use the RepAdmin command-line tool

instead.


Using the Replmon Tool to Check GPO Version Numbers

You can use the GPO version numbers to compare policy versions between two domain controllers to see if they are consistent.

5-12


Repadmin

Use Repadmin to assist in synchronizing AD DS

5-13


Get-GPResultantSetOfPolicy

PowerShell-based RSOP

Run against local or remote computers

Generates results in HTML or XML format

5-17


Invoke-GPUpdate

PowerShell-based GPUpdate

Run against local or remote computers

Schedule an update up to 31 days in the future

5-19


Integration of RSoP Functionality

5-21

Group Policy Results Group Policy Modeling Creating an HTML File for Reporting New Error Reporting Details


Group Policy Results

Group Policy Results display can be useful in troubleshooting policy application.

It displays the actual policies that are applied.

5-22


Group Policy Modeling

The Modeling option simulates policies that would be applied.

A user or computer account does not need to exist in order to calculate the RSoP.

The Modeling wizard asks which OUs the user and computer accounts would be in.

The RSoP calculation is based upon the policies applied at those OU levels.

5-23


Save the Group Policy Results output to a file for later viewing.

Creating an HTML File for Reporting

5-25


New Error Reporting Details

5-26

The HTML reports now contain additional error reporting information.


Using Logging Options

5-27

The Userenv.log File Event Logs


The Userenv.log File

You can enable more detailed logging for Group Policy activity with a registry edit.

Output will be sent to the Userenv.log file.

5-27


Event Logs

You can enable detailed diagnostic logging for Group Policy information sent to the Event Viewer.

This should be a temporary setting.

5-28


Backing Up, Restoring, Importing, and Copying GPOs

5-30

Backing Up GPOs Restoring GPOs Importing GPOs Copying GPOs


Live GPO

Domain B

Live GPO

Domain A

Backing Up GPOs

Restore

Copy (Creates new GPO)

Import

Back up

Folder

5-31


Procedure for Backing Up GPOs (1)

You can back up individual policies without going through a full backup of the system state.

You can also usebackups tocopy a policyfrom one domainto another.

5-32


Procedure for Backing Up GPOs (2)

The description you provide here will also show when you manage your backups.

5-33


Live GPO

Domain B

Live GPO

Domain A

Restoring GPOs

Restore


Import

Back up

Folder

5-34


Live GPO

Domain B

Live GPO

Domain A

Importing GPOs

Restore


Back up

Import

Folder

5-35


Live GPO

Domain B

Live GPO

Domain A

Copying GPOs


Back up

Restore

Import

Folder

5-37


Building Migration Tables

Migration tables help resolve: SID conflicts UNC path conflicts

Migration Table Editor tool can help with this process.

5-38


Building a Migration Table

The Migration Table Editor helps to translate SIDs and paths when migrating policies from one domain to another.

5-39


Summary

A few of the command-line tools that you can use to troubleshoot Group Policy deployment and the health of the existing GPOs are:

Group Policy Results: This tool provides RSoP details.

Group Policy Update: This tool refreshes Group Policy settings

without rebooting.

GPO Verification tool: This tool ensures that the contents of all

the linked Sysvol folders in the domain contain valid and up-to-

date GPOs. It also checks for version mismatches between the

GPT stored in the Sysvol folder and the GPC in Active Directory.

Replication Monitor: This tool gathers a wide variety of replication

details. It also monitors the replication status of current GPOs per

domain.5-42


Summary (cont.)

The RSoP helps to trace how the policy links are applied

for a specified user and a specified computer. It also

identifies effective settings and “winning” policy objects.

Some of the RSoP tools that you can use to troubleshoot

GPO processing are: Group Policy Results: This tool presents “real” information that

reflects how the policy is applied.

Group Policy Modeling: This tool permits you to perform a simulation

before actually applying the policy.

HTML file for reporting: Both the GPMC and the Gpresult command-

line tools can produce reports in the form of HTML file output. Using

these reports, you can view and analyze the policies that are

configured and determine where the policies came from.

5-42


Summary (cont.)

The GPO logging tools that you can use to obtain more detail about the GPO processing issues are:The Userenv.log: This log contains a detailed verbose

log of the logon process.Event logs: These logs record all GPO events with a

minimum amount of detail.

5-42


Summary (cont.)

You can back up, restore, import, and copy GPOs. The purpose of these functions are:

Back Up: This function copies the contents of a live GPO into any specified folder location on the computer or network where you have write permissions.

Restore: This function restores a GPO when you have deleted it and want it back, or when you have modified it (either its contents or its ACL) and want to return it to some prior condition.

Import: This function transfers the settings in a backed-up GPO to an existing and active GPO. (The import process does not create a new GPO.)

Copy: This function creates a new GPO at the destination location. It starts with an active GPO.

5-42


Summary (cont.)

Use the Mtedit tool to build migration tables. You can either run the tool or invoke it from within the GPMC (right-click the Domains node and select Open Migration Table Editor).

5-42


Knowledge Check

1. Name and describe the two GPO logging tools. The Userenv.log: Contains a detailed verbose log of

the logon process. Event logs: Record all GPO events with a minimum

amount of detail.

5-43


Knowledge Check (cont.)

2. Describe the following tools: Group Policy Results

This tool provides RSoP details. Replication Monitor

This tool gathers a wide variety of replication details. It also monitors the replication status of current GPOs per domain.

5-43



3. Which tool is used to build migration tables?a. Userenv

b. GPO Migration

c. Mtedit

d. Event log

5-43



4. Match each GPO process with its correct description.

5-43

GPO Process Description

Restore A. Creates a new GPO at the destination location. It starts with an active GPO.

Back up B. Restores a GPO when you have deleted it and want it back, or when you have modified it (either its contents or its ACL) and want to return it to some prior condition.

Copy C. Transfers the settings in a backed-up GPO to an existing and active GPO.

Import D. Copies the contents of a live GPO into any specified folder location on the computer or network where you have write permissions.

D

B

A

C



5. Which RSoP tool does the following text describe?

This tool presents “real” information that reflects how the policy is applied.a. Group Policy Results

b. HTLM file for reporting

c. Group Policy Modeling

d. Group Policy Verification

5-44

section 5: troubleshooting and backing up gpos using group policy troubleshooting tools integration...

Documents