6425A_11 Trouble Shooting GPO

8/14/2019 6425A_11 Trouble Shooting GPO

http://slidepdf.com/reader/full/6425a11-trouble-shooting-gpo 1/21

Module 11:

TroubleshootingGroup Policy Issues



Module Overview

• Introduction to Group Policy Troubleshooting

• Troubleshooting Group Policy Application

• Troubleshooting Group Policy Settings



Scenarios for Group Policy Troubleshooting

Common scenarios that require troubleshooting:

Policies are applied but settings are inconsistent

Polices not applied



Preparing to Troubleshoot Group Policy

Basic troubleshooting steps:

Perform basic checks to test network connectivity: usediagnostic tools such as netdiag or ping

Check Event Viewer entries

Ensure that DNS is functioning by using NSlookup

Check that the domain controller is functioning and reachable:use diagnostic tools such as dcdiag, the set command,or Kerbtray



Tools for Troubleshooting Group Policy

Group Policy troubleshooting tools:

• Group Policy reporting – RSOP

• GPResult

• Gpotool

• Gpupdate

• Dcgpofix

• GPOLogView

• Group Policy log files

• Group Policy Management Scripts



Demonstration: Using Group PolicyDiagnostic Tools

In this demonstration, the instructor will demonstrate theuse of:

•GPResult in regular and verbose mode

•GPOTool

•Gpupdate

•GPLogView



Lesson 2: Troubleshooting GroupPolicy Application

• Troubleshooting Group Policy Inheritance: Block, enforce,Disable, Security, WMI filter(allow/deny)

• Troubleshooting Group Policy Filtering

• Troubleshooting Group Policy Replication: FRS(sysvol), Repadmin

• Troubleshooting Group Policy Refresh

• Discussion: Troubleshooting Group Policy Configuration



Troubleshooting Group Policy Inheritance

Sales

Production

Domain

No GPOsettings apply

No GPOsettings apply

GPOs

Blocked inheritance preventshigh-level policies from applyingto entire OU subtrees



Troubleshooting Group Policy Filtering

Sales

Production

Domain

Mengph

Kimyo

GroupApplyGroupPolicy

ApplyGroupPolicyDeny

Read andApplyGroupPolicy

Read andApplyGroupPolicyAllow

GPO

WMI

filter

Group Policy filteringmay affect only

certain users orcomputers in OUs



GPTGPT

GPCGPC

Troubleshooting Group Policy Replication

• Group Policy objects consist of Group Policy templates

and Group Policy containers

• GUID Partition Table (GPT) and GPOs replicate usingdifferent mechanisms

• Replication issues can cause domain controllers tohave inconsistent versions of Group Policy

• The GPOTool can check for policy consistencyacross all domain controllers

DC1 DC2GPO1

Version 3

GPO1

Version 2

AD DS Replication

File Replication ServiceGPTGPT

GPCGPC



Troubleshooting Group Policy Refresh

If the Group Policy is not refreshing as expected:

Check refresh intervals for users and computers

Verify that the user has logged off and on, or that thecomputer has been restarted

Check if there are cached credentials, because they maydelay the effect of Group Policy: logon/off twice to refresh

Check to see if the Loopback policy is enabled: computer setting predominate

Use gpupdate to:

• Manually refresh updated Group Policy settings• Force refresh of all Group Policy settings

• Force a reboot or logoff, if required, to refreshthe settings



Discussion: Troubleshooting GroupPolicy Configuration

In this discussion, you will create a flow chart fortroubleshooting Group Policy



Lesson 3: Troubleshooting Group Policy Settings

• How Client Side Extension Processing Works

• Troubleshooting Administrative Template Policy Settings

• Troubleshooting Security Policy Settings

• Troubleshooting Script Policy Settings



How Client Side Extension(CSE) Processing Works

• Client side extensions are DLLs that process group

policy settings (not blocked by software restrictions)

• Some CSEs do not process if a slow link is detected

• Some CSEs are always applied and cannot be turned off

List of client side extensions:

• Security settings

• Administrative Templates

• Software installation• Scripts

• Folder redirection

• Internet Explorer maintenance

T bl h ti Ad i i t ti T l t



Troubleshooting Administrative TemplatePolicy Settings

When troubleshooting Administrative Templates,

consider that: Administrative Templates are either true polices(user cannot edit)

or preferences(user can edit)

Settings that are preferences will tattoo the registryand remain in effect until they are specifically reversed

Settings that are true policies are reversed when thepolicy no longer applies

The operating system and service pack level determineif the computer can accept a policy setting



Troubleshooting Security Policy Settings

When troubleshooting security policy settings,consider that:

Account policies are passed to clients from the domain controller

Security settings come from the GPO that have the highest priority

The domain controller receives account policies from a domainlevel policy



Troubleshooting Script Policy Settings: .vvs insidesysvol : replicate by FRS

consider the following: start-up>logon>logoff>shut down

Validate the script

Ensure that Group Policy is configured correctly

Ensure that users and computer have access to the script

Ensure that the script is replicating properly

Use the Group Policy tools to ensure that Group Policyis applied correctly



Lab: Troubleshooting Group Policy Issues

• Exercise 1: Troubleshooting Group Policy Scripts

• Exercise 2: Troubleshooting GPO Lab-11B

• Exercise 3: Troubleshooting GPO Lab-11C

• Exercise 4: Troubleshooting GPO Lab-11D

Logon information

Virtual machine NYC-DC1, NYC-CL1

User name Administrator

Password Pa$$w0rd

Estimated time: 60 minutes



Lab Review

• If a policy at the domain level is set for enforcement whileanother policy at the OU level with a conflicting setting

also is set to be enforced, which policy setting will the OUclients receive?

• If you use group policy to configure the slow-link detectionthreshold to be zero, what does that indicate?



Module Review and Takeaways

• Considerations

• Tools

• Review questions

6425A_11 Trouble Shooting GPO

Documents

Transcript of 6425A_11 Trouble Shooting GPO