Understanding and Troubleshooting Group Policy Function

Darren Mar-Elia
CTO, Infrastructure Management, Quest Software
MS-MVP for Group Policy



Agenda

Understanding Group Policy Structure

The Mechanics of Group Policy Processing

Leveraging Group Policy Logging

The Top Group Policy Problems and Tools for Solving Them

Other Resources

Q & A

Understanding Group Policy Structure

Group Policy Objects (GPO) are stored within a given AD domain in two parts

AD – the Group Policy Container (GPC)

SYSVOL – the Group Policy Template (GPT)

Some policy areas store settings in both the GPC and GPT; still others use only the GPC or neither!

The decision is driven by the type of data needing to be stored

Understanding Group Policy Structure - the GPC

The GPC stores general information about the GPO (e.g. friendly name, path to GPT, etc.)

The GPC can be found in each AD domain under the cn=Policies, cn=System container

Each GPC is referenced by a GPO GUID

Understanding Group Policy Structure - the GPT

The GPT contains folders and files related to storage of the GPO settings you specify

The GPT is found in SYSVOL, replicated to all DCs under the Policies folder

Like the GPC, the GPT is organized by GUID-named folders, corresponding to the GUID of the GPO found in the GPC

Understanding Group Policy Structure - GP Versioning

Version numbers are held within both the GPC and GPT

GPC: held in the versionNumber attribute on the GPC object

GPT: held in the gpt.ini file in the root of the GPT

Version numbers are incremented:

1 for each machine-specific change

65536 for each user-specific change

In Windows 2000, version numbers must be equal between GPC & GPT before a client can process a GPO — AD or FRS replication problems can affect this

XP and Server 2003 no longer require this
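The version arithmetic on this slide, worked in Python as an added example (my own code, not part of the deck): it splits a GPO version number into its user and machine halves, reads Version from a constructed gpt.ini, compares it with the GPC versionNumber attribute, and applies the same per-half comparison the client makes against the version it cached in its registry. All sample values are constructed.

```python
import configparser

# Constructed sample gpt.ini, as found in the root of a GPT folder in SYSVOL.
# 196610 = 3 * 65536 + 2: three user-specific changes and two machine-specific changes.
SAMPLE_GPT_INI = """[General]
Version=196610
displayName=Workstation Lockdown
"""


def decode_version(version: int) -> tuple[int, int]:
    """Split a GPO version number into (user_version, machine_version).

    Machine-specific changes add 1 (low 16 bits); user-specific changes
    add 65536 (high 16 bits).
    """
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini_version(text: str) -> int:
    """Return the Version value from the [General] section of gpt.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def check_gpc_gpt(gpc_version_number: int, gpt_ini_text: str) -> dict:
    """Compare the GPC versionNumber attribute with the GPT's gpt.ini.

    A mismatch means AD replication and SYSVOL (FRS) replication are out of
    step for this GPO: a Windows 2000 client will not process it until the
    two agree; XP and 2003 still process it, but the mismatch is worth chasing.
    """
    gpt_version = parse_gpt_ini_version(gpt_ini_text)
    gpc_user, gpc_machine = decode_version(gpc_version_number)
    gpt_user, gpt_machine = decode_version(gpt_version)
    return {
        "gpc": {"user": gpc_user, "machine": gpc_machine},
        "gpt": {"user": gpt_user, "machine": gpt_machine},
        "consistent": gpc_version_number == gpt_version,
    }


def sides_to_process(server_version: int, client_cached_version: int) -> dict:
    """Decide which halves of a GPO changed since the client's last cycle.

    The client keeps the last-applied version per GPO in its registry; the
    computer pass compares the machine half, the user pass the user half,
    and CSEs only run for a GPO whose relevant half changed.
    """
    s_user, s_machine = decode_version(server_version)
    c_user, c_machine = decode_version(client_cached_version)
    return {"user": s_user != c_user, "machine": s_machine != c_machine}


if __name__ == "__main__":
    print(check_gpc_gpt(196610, SAMPLE_GPT_INI))      # consistent
    print(check_gpc_gpt(196611, SAMPLE_GPT_INI))      # GPC one machine change ahead
    print(sides_to_process(196610, 131074))           # user half changed only
```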

Understanding Group Policy Structure - GP Storage

Policy Area / Storage Location

Wireless: In the GPC under CN=wireless,CN=Windows,CN=Microsoft,CN=Machine within an object of class msieee80211-Policy (Server 2003 only)

Folder Redirection: In the GPT, in a file called fdeploy.ini, under the User\Documents & Settings folder

Administrative Template: In the GPT, in a file called registry.pol in either the User or Machine folders

Disk Quota: In the GPT, also stored in registry.pol but only under the Machine folder

Scripts: In the GPT; Startup & Shutdown scripts are stored in the following folders:

machine\scripts\startup

machine\scripts\shutdown

Logon & Logoff scripts are stored in the following folders:

user\scripts\logon

user\scripts\logoff

Understanding Group Policy Structure - GP Storage (continued)

Policy Area / Storage Location

Internet Explorer Maintenance: In the GPT, under the folder \User\Microsoft\IEAK

Security: In the GPT, within a file called gptTmpl.inf under the folder Machine\Microsoft\Windows NT\SecEdit

Software Installation: In both the GPT & GPC; in the GPT under both the User and Machine folders in the Applications folder; in the GPC under the Machine (or User)\Class Store\Packages container as packageRegistration objects

Software Restriction Policy: In the GPT, also stored in registry.pol

IP Security: Not stored in either GPC or GPT; stored in AD under the CN=IP Security,CN=System container

Understanding Group Policy Structure - Creating vs. Linking

When you create a GPO — it’s a two-step process

The GPC and GPT are created in the domain

A GP link is created on the container (site, domain or OU) that you’re focused on

Thus a single GPO can be linked to multiple containers

Permissions are set on the GPO but each link can have different characteristics (e.g. Enforced)

The Mechanics of Group Policy Processing

GP Processing is strictly a client-side operation

Processing is broken into two parts:

GP Core

Client Side Extensions (CSE)

GP Core takes care of figuring out which GPOs apply and which CSEs need to process

CSEs do the hard work of implementing policy settings

The Mechanics of Group Policy Processing

Policy is processed using an order of precedence:

1. Local GPOs

2. Site-linked GPOs

3. Domain-linked GPOs

4. OU-linked GPOs

And from bottom to top within a given container
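The precedence order on this slide, combined with the Enforced link flag and Block Inheritance mentioned on the Creating vs. Linking slide, as an added example in Python (my own code, not from the deck). It computes the order in which a client applies GPOs for a given site/domain/OU chain, then merges per-GPO settings so the last-applied GPO wins; the container, GPO and setting names are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Link:
    gpo: str                # GPO friendly name
    enforced: bool = False  # Enforced is a property of the link, not of the GPO


@dataclass
class Container:
    name: str  # site, domain or OU
    links: list[Link] = field(default_factory=list)  # GPMC link order: index 0 = highest precedence
    block_inheritance: bool = False


def resolve_gpo_order(local_gpos: list[str], chain: list[Container]) -> list[str]:
    """Return GPO names in the order the client applies them (the last one wins).

    `chain` runs top-down from the site through the domain to the target OU,
    i.e. the LSDOU order on the slide. Local GPOs always go first and are not
    affected by Block Inheritance, which only drops links inherited from
    containers higher in the chain.
    """
    normal: list[str] = []
    enforced: list[tuple[int, str]] = []  # (depth in chain, gpo)
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            normal = []  # discard every non-enforced link inherited from above
        # Bottom to top within a container: the link at the top is applied last.
        for link in reversed(container.links):
            if link.enforced:
                enforced.append((depth, link.gpo))
            else:
                normal.append(link.gpo)
    # Enforced links cannot be blocked and are applied after all others; the
    # one nearest the top of the hierarchy is applied last and therefore wins.
    enforced.sort(key=lambda item: -item[0])  # stable sort keeps per-container order
    return list(local_gpos) + normal + [gpo for _, gpo in enforced]


def effective_settings(order: list[str], settings_by_gpo: dict[str, dict]) -> dict:
    """Merge per-GPO settings in application order (last writer wins)."""
    merged: dict = {}
    for gpo in order:
        merged.update(settings_by_gpo.get(gpo, {}))
    return merged


# Constructed sample hierarchy; all names are made up for illustration.
SAMPLE_LOCAL = ["Local GPO"]
SAMPLE_CHAIN = [
    Container("Site-HQ", [Link("Site Wireless")]),
    Container("corp.example", [Link("Default Domain Policy"), Link("Security Baseline", enforced=True)]),
    Container("OU=Workstations", [Link("WS Lockdown"), Link("WS Software")], block_inheritance=True),
]
SAMPLE_SETTINGS = {
    "Local GPO": {"ScreenSaverTimeout": 900},
    "Default Domain Policy": {"MinPasswordLength": 8},
    "Security Baseline": {"MinPasswordLength": 14, "ScreenSaverTimeout": 600},
    "WS Lockdown": {"ScreenSaverTimeout": 300, "DisableCMD": 1},
    "WS Software": {"DeployOffice": 1},
}

if __name__ == "__main__":
    order = resolve_gpo_order(SAMPLE_LOCAL, SAMPLE_CHAIN)
    print("Applied in order:", order)
    print("Effective settings:", effective_settings(order, SAMPLE_SETTINGS))
```

With Block Inheritance set on the OU, the domain's non-enforced link and the site link vanish, but the enforced Security Baseline still applies last and overrides the OU's own screen-saver setting.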

The Mechanics of Group Policy Processing

CSEs are provided by default in Windows

Registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

GP is extensible by writing your own CSEs — several third parties have done this

Quest, Full Armor, DesktopStandard

Note that GP processing runs within the system Winlogon process — poorly written CSEs can crash Windows

This is changing in Windows Vista!

The Mechanics of Group Policy Processing

Healthy GP Processing relies on several infrastructure pieces working in concert:

AD replication

DNS

FRS replication

Passing of key network protocols, including ICMP, LDAP, SMB and RPC

The Mechanics of Group Policy Processing — Step-by-Step

The Steps of GP processing:

1. Client performs DNS request for LDAP SRV record of DC(s) in its site

2. Client binds to DC using normal DC Locator process

3. Client performs ICMP slow link detection to DC to determine link speed

4. Client uses LDAP to build GPO list at OU, domain and then site containers — determines whether it has permission to process GPO

The Mechanics of Group Policy Processing — Step-by-Step (continued)

5. Client uses LDAP to query GPC for GPT path, version number and CSEs that have been implemented

6. Client uses SMB to query GPT path to get GPT version number from gpt.ini

7. Each CSE runs in the order that they’re registered, and processes the GPOs if the GPO has changed since last processing cycle (as determined during core processing)

8. If GPO has changed, CSE processes new settings and then next CSE runs until completion

9. Each CSE logs RSoP data to WMI during each refresh

The Mechanics of Group Policy Processing

There are two kinds of GP processing

Foreground (e.g. during machine startup or logon)

Background (e.g. periodically based on computer role — DCs every 5 min., workstations and member servers every 90 min. with randomizer)

Foreground can run asynchronously or synchronously

Win2K defaults to synchronous foreground; XP to asynchronous (probably want to change this!)

Background is asynchronous by definition

The Mechanics of Group Policy Processing

Certain CSEs won’t process normally for a variety of reasons

Some don’t process if a slow link is detected (e.g. software installation, folder redirection)

Some don’t process asynchronously (e.g. software installation)

Some process asynchronously but don’t actually do anything until the next synchronous event (e.g. scripts)

And of course, no CSE will process if the GPO has not changed since the last processing cycle

This is determined by comparing the GPO version number to a version number held on the client in its registry

The Mechanics of Group Policy Processing - Slow Link Detection

CSE / Processes on Slow Link?

Security: Yes (and can’t be disabled)

IP Security: Yes

EFS Recovery: Yes

Wireless Network: Yes

Administrative Templates: Yes (and can’t be disabled)

Scripts: No

Folder Redirection: No

Software Installation: No

IE Maintenance: Yes

Leveraging Group Policy Logging

GP-related Logging is your best tool for understanding & troubleshooting GP operation

There are basically two types of logging events

Application Event Log on each client

CSE-specific logging

Leveraging Group Policy Logging — Application Events

Application Events related to Group Policy come from the following event sources:

Userenv: most GP core events generate this source

Scecli: Security CSE related events

Appmgmt or Application Manager: Software Installation related events

UserInit: Scripts related events

Folder Redirection: Folder Redirection events

GPMC does a good job of exposing Application events related to GP

Available through the GP Results wizard

Leveraging Group Policy Logging — GPMC Application Event Reporting

Leveraging Group Policy Logging — Enabling Verbose Logging

All GP-related logging must be explicitly enabled

Application event logging is enabled by default but can be made more verbose

To enable verbose logging, you’ll need to make registry changes on each client

I have a custom .ADM that enables all of the available GP-related logging at http://www.gpoguy.com/tools.htm

Keep in mind that verbose logging has a performance overhead - disable when not in use

Leveraging Group Policy Logging — Userenv logging

Userenv logging is the most verbose but also the most instructive for investigating problems

Log is written to %windir%\debug\usermode\userenv.log

Logs both policy and user profile processing

Can be somewhat arcane to understand but details each step of the GP processing cycle

If you’re troubleshooting a problem, rename the file to get a fresh log and then force a GP refresh

Use gpupdate on XP and Server 2003; secedit on Win2K

Leveraging Group Policy Logging — Userenv.log

Process and thread ID and timestamp

Slow link test

GP Logging Walkthrough

GP Problems and Their Solutions

Many GP-related problems can be broken into these categories:

Infrastructure problems (e.g. DNS, FRS, AD, network)

Misconfiguration problems (incorrect security filtering, enforced or block inheritance set, etc.)

Client problems

GP Problems and Their Solutions — Infrastructure Problems

Problem

ICMP: Slow link detection (SLD) fails — all GP processing fails as a result

Solution

ICMP is required for GP processing. If disabled, or restricted (SLD requires minimum 2048 byte ICMP packets) then disable slow link detection via policy at:

“Computer (and User) Configuration|Administrative Templates|System|Group Policy|Group Policy Slow Link Detection”*

*Note that this must be disabled for both computer and user

GP Problems and Their Solutions — Infrastructure Problems

Problem

FRS & SYSVOL: FRS not replicating GPT content to all SYSVOL shares — files are missing or permissions are wrong across replicas; GPOs don’t process because version numbers are wrong (Win2k) or process incorrectly

Solution

Make sure problem DC has DFS service running; make sure SYSVOL is shared — refer to KB articles 257338 and 315457 for fixing SYSVOL problems; use GPOTool to compare GPTs across DCs; GPMC can fix permission problems if detected; in a pinch you can manually copy files between GPTs on DCs; use Ultrasound to monitor FRS

GP Problems and Their Solutions — Misconfiguration Problems

Problem

GPO permissioned incorrectly or linked to a container that targets a group rather than user or computer

Solution

Use GPMC GP Results or gpresult command-line tool to see if a GPO is denied or if the correct GPOs apply; GPOs apply to only users and computers

GP Problems and Their Solutions — Misconfiguration Problems

Problem

GPOs aren’t applying because Block Inheritance or Enforced flag is set

Solution

Use GPMC to visually see where flags are set on containers or GP links.

Using GPMC for Troubleshooting

GP Problems and Their Solutions — Client Problems

Problem

No GPOs are being processed; errors show unable to read gpt.ini or other GPT files (specifically application event log error 1058: “Windows cannot access the file gpt.ini for GPO” and usually for computer policy only)

Solution

Verify that client computer has TCP/IP Netbios Helper service running — required to resolve UNC path to GPT; see KB# 840669 to tell GP processing to wait for the network stack to initialize

GP Problems and Their Solutions — Client Problems

Problem

Folder Redirection is not working — files aren’t being redirected for users

Solution

Make sure users have proper permission to create folders if you’re using FR policy to create the folders on the fly. See KB article # 274443 for required permissions

GP Problems and Their Solutions — Client Problems

Problem

Applications don’t deploy correctly via Software Installation policy or require multiple restarts or user logons to apply

Solution

Make sure you entered a UNC path to the package; use addiag.exe (Win2k Reskit) to troubleshoot SI deployment; make sure a slow link wasn’t detected; if multiple restarts or user logons are required, disable Fast Logon Optimization (XP only) by enabling the following policy:

Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon

Enable verbose Windows Installer and Application Management logging

Resources

“Group Policy Guide” book written by myself, Derek Melber and William Stanek — available as part of the Windows 2003 Resource Kit, 2nd Edition and standalone: http://www.microsoft.com/mspress/books/8763.asp

Resources

My website: www.gpoguy.com for tools, FAQs and additional troubleshooting tips

Jeremy Moskowitz’s website: www.gpanswers.com for a community forum on GP as well as FAQs and other resources

Microsoft’s GP Wiki site: www.grouppolicywiki.com

Mark Minasi’s Forum (I moderate the GP forum there) at x220.minasi.com/forum

Technet Group Policy Center: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx

We invite you to participate in our online evaluation on CommNet, accessible Friday only

If you choose to complete the evaluation online, there is no need to complete the paper evaluation

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.