Section 5: Troubleshooting and Backing Up GPOs Using Group Policy Troubleshooting Tools Integration...
-
Upload
shonda-hart -
Category
Documents
-
view
234 -
download
0
Transcript of Section 5: Troubleshooting and Backing Up GPOs Using Group Policy Troubleshooting Tools Integration...
Section 5: Troubleshooting and Backing Up GPOs
Using Group Policy Troubleshooting Tools Integration of RSoP Functionality Using Logging Options Backing Up, Restoring, Importing, and
Copying GPOs Building Migration Tables
Managing Windows Environments with Group Policy
© 2013 Global Knowledge Training LLC. All rights reserved.
Section Objectives
After completing this section, you will be able to:Describe the Group Policy troubleshooting toolsDescribe the GPMC tools that have RSoP functionalityDescribe the GPO logging tools used to obtain more
detail about the GPO processing issuesExplain how to back up, restore, import, and copy
GPOs using the GPMCExplain how to build migration tables
5-2
© 2013 Global Knowledge Training LLC. All rights reserved.
Using Group Policy Troubleshooting Tools
5-3
Client-Side Tools Group Policy Results (gpresult.exe) Group Policy Update (gpupdate.exe) GPMC Remote Update
Group Policy Replication Tools GPO Verification tool (gpotool.exe) deprecated GPMC Infrastructure Status Replication Monitor (replmon.exe) deprecated Repadmin
PowerShell Tools Get-GPResultantSetOfPolicy Invoke-GPUpdate
Note: Deprecated tools may still
function, but are no longer supported
by Microsoft.
© 2013 Global Knowledge Training LLC. All rights reserved.
Group Policy Results
Gpresult is a built-in tool for Windows XP and later operating systems.
You can use it to display RSoP data in a command-line interface.
5-4
© 2013 Global Knowledge Training LLC. All rights reserved.
Gpresult Tool Options
gpresult /R provides basic GPO information listing the GPO names that have been processed.
gpresult /V displays verbose output that details the actual policy settings.
gpresult /Hsends output to an HTML file.
5-5
© 2013 Global Knowledge Training LLC. All rights reserved.
Group Policy Update
You can use the Gpupdate tool to refresh policies ahead of the 90 to 120 minute default update interval.
The /force switch forces an update even if the GPO service thinks it is up to date.
5-7
© 2013 Global Knowledge Training LLC. All rights reserved.
GPMC Remote Update
You can use the GPMC tool to refresh policies against multiple remote machines
5-8
© 2013 Global Knowledge Training LLC. All rights reserved.
Group Policy Verification Tool
The Gpotool tool can help ensure that all domain controllers have an up-to-date copy of the GPOs in the domain.
5-9
Note: This is considered a
deprecated tool. Use the GPMC Infrastructure
Status tab instead.
© 2013 Global Knowledge Training LLC. All rights reserved.
GPMC Infrastructure Status
The GPMC Infrastructure Status tab can determine if domain controllers have an up-to-date copy of the GPOs in the domain.
5-10
© 2013 Global Knowledge Training LLC. All rights reserved.
Replication Monitor
You can use the Replmon tool to monitor and force replication of Active Directory and Sysvol.
5-11
Note: This is considered a
deprecated tool. Use the RepAdmin command-line tool
instead.
© 2013 Global Knowledge Training LLC. All rights reserved.
Using the Replmon Tool to Check GPO Version Numbers
You can use the GPO version numbers to compare policy versions between two domain controllers to see if they are consistent.
5-12
© 2013 Global Knowledge Training LLC. All rights reserved.
Repadmin
Use Repadmin to assist in synchronizing AD DS
5-13
© 2013 Global Knowledge Training LLC. All rights reserved.
Get-GPResultantSetOfPolicy
PowerShell-based RSOP
Run against local or remote computers
Generates results in HTML or XML format
5-17
© 2013 Global Knowledge Training LLC. All rights reserved.
Invoke-GPUpdate
PowerShell-based GPUpdate
Run against local or remote computers
Schedule an update up to 31 days in the future
5-19
© 2013 Global Knowledge Training LLC. All rights reserved.
Integration of RSoP Functionality
5-21
Group Policy Results Group Policy Modeling Creating an HTML File for Reporting New Error Reporting Details
© 2013 Global Knowledge Training LLC. All rights reserved.
Group Policy Results
Group Policy Results display can be useful in troubleshooting policy application.
It displays the actual policies that are applied.
5-22
© 2013 Global Knowledge Training LLC. All rights reserved.
Group Policy Modeling
The Modeling option simulates policies that would be applied.
A user or computer account does not need to exist in order to calculate the RSoP.
The Modeling wizard asks which OUs the user and computer accounts would be in.
The RSoP calculation is based upon the policies applied at those OU levels.
5-23
© 2013 Global Knowledge Training LLC. All rights reserved.
Save the Group Policy Results output to a file for later viewing.
Creating an HTML File for Reporting
5-25
© 2013 Global Knowledge Training LLC. All rights reserved.
New Error Reporting Details
5-26
The HTML reports now contain additional error reporting information.
© 2013 Global Knowledge Training LLC. All rights reserved.
Using Logging Options
5-27
The Userenv.log File Event Logs
© 2013 Global Knowledge Training LLC. All rights reserved.
The Userenv.log File
You can enable more detailed logging for Group Policy activity with a registry edit.
Output will be sent to the Userenv.log file.
5-27
© 2013 Global Knowledge Training LLC. All rights reserved.
Event Logs
You can enable detailed diagnostic logging for Group Policy information sent to the Event Viewer.
This should be a temporary setting.
5-28
© 2013 Global Knowledge Training LLC. All rights reserved.
Backing Up, Restoring, Importing, and Copying GPOs
5-30
Backing Up GPOs Restoring GPOs Importing GPOs Copying GPOs
© 2013 Global Knowledge Training LLC. All rights reserved.
Live GPO
Domain B
Live GPO
Domain A
Backing Up GPOs
Restore
Copy (Creates new GPO)
Import
Back up
Folder
5-31
© 2013 Global Knowledge Training LLC. All rights reserved.
Procedure for Backing Up GPOs (1)
You can back up individual policies without going through a full backup of the system state.
You can also usebackups tocopy a policyfrom one domainto another.
5-32
© 2013 Global Knowledge Training LLC. All rights reserved.
Procedure for Backing Up GPOs (2)
The description you provide here will also show when you manage your backups.
5-33
© 2013 Global Knowledge Training LLC. All rights reserved.
Live GPO
Domain B
Live GPO
Domain A
Restoring GPOs
Restore
Copy (Creates new GPO)
Import
Back up
Folder
5-34
© 2013 Global Knowledge Training LLC. All rights reserved.
Live GPO
Domain B
Live GPO
Domain A
Importing GPOs
Restore
Copy (Creates new GPO)
Back up
Import
Folder
5-35
© 2013 Global Knowledge Training LLC. All rights reserved.
Live GPO
Domain B
Live GPO
Domain A
Copying GPOs
Copy (Creates new GPO)
Back up
Restore
Import
Folder
5-37
© 2013 Global Knowledge Training LLC. All rights reserved.
Building Migration Tables
Migration tables help resolve: SID conflicts UNC path conflicts
Migration Table Editor tool can help with this process.
5-38
© 2013 Global Knowledge Training LLC. All rights reserved.
Building a Migration Table
The Migration Table Editor helps to translate SIDs and paths when migrating policies from one domain to another.
5-39
© 2013 Global Knowledge Training LLC. All rights reserved.
Summary
A few of the command-line tools that you can use to troubleshoot Group Policy deployment and the health of the existing GPOs are:
Group Policy Results: This tool provides RSoP details.
Group Policy Update: This tool refreshes Group Policy settings
without rebooting.
GPO Verification tool: This tool ensures that the contents of all
the linked Sysvol folders in the domain contain valid and up-to-
date GPOs. It also checks for version mismatches between the
GPT stored in the Sysvol folder and the GPC in Active Directory.
Replication Monitor: This tool gathers a wide variety of replication
details. It also monitors the replication status of current GPOs per
domain.5-42
© 2013 Global Knowledge Training LLC. All rights reserved.
Summary (cont.)
The RSoP helps to trace how the policy links are applied
for a specified user and a specified computer. It also
identifies effective settings and “winning” policy objects.
Some of the RSoP tools that you can use to troubleshoot
GPO processing are: Group Policy Results: This tool presents “real” information that
reflects how the policy is applied.
Group Policy Modeling: This tool permits you to perform a simulation
before actually applying the policy.
HTML file for reporting: Both the GPMC and the Gpresult command-
line tools can produce reports in the form of HTML file output. Using
these reports, you can view and analyze the policies that are
configured and determine where the policies came from.
5-42
© 2013 Global Knowledge Training LLC. All rights reserved.
Summary (cont.)
The GPO logging tools that you can use to obtain more detail about the GPO processing issues are:The Userenv.log: This log contains a detailed verbose
log of the logon process.Event logs: These logs record all GPO events with a
minimum amount of detail.
5-42
© 2013 Global Knowledge Training LLC. All rights reserved.
Summary (cont.)
You can back up, restore, import, and copy GPOs. The purpose of these functions are:
Back Up: This function copies the contents of a live GPO into any specified folder location on the computer or network where you have write permissions.
Restore: This function restores a GPO when you have deleted it and want it back, or when you have modified it (either its contents or its ACL) and want to return it to some prior condition.
Import: This function transfers the settings in a backed-up GPO to an existing and active GPO. (The import process does not create a new GPO.)
Copy: This function creates a new GPO at the destination location. It starts with an active GPO.
5-42
© 2013 Global Knowledge Training LLC. All rights reserved.
Summary (cont.)
Use the Mtedit tool to build migration tables. You can either run the tool or invoke it from within the GPMC (right-click the Domains node and select Open Migration Table Editor).
5-42
© 2013 Global Knowledge Training LLC. All rights reserved.
Knowledge Check
1. Name and describe the two GPO logging tools. The Userenv.log: Contains a detailed verbose log of
the logon process. Event logs: Record all GPO events with a minimum
amount of detail.
5-43
© 2013 Global Knowledge Training LLC. All rights reserved.
Knowledge Check (cont.)
2. Describe the following tools: Group Policy Results
This tool provides RSoP details. Replication Monitor
This tool gathers a wide variety of replication details. It also monitors the replication status of current GPOs per domain.
5-43
© 2013 Global Knowledge Training LLC. All rights reserved.
Knowledge Check (cont.)
3. Which tool is used to build migration tables?a. Userenv
b. GPO Migration
c. Mtedit
d. Event log
5-43
© 2013 Global Knowledge Training LLC. All rights reserved.
Knowledge Check (cont.)
4. Match each GPO process with its correct description.
5-43
GPO Process Description
Restore A. Creates a new GPO at the destination location. It starts with an active GPO.
Back up B. Restores a GPO when you have deleted it and want it back, or when you have modified it (either its contents or its ACL) and want to return it to some prior condition.
Copy C. Transfers the settings in a backed-up GPO to an existing and active GPO.
Import D. Copies the contents of a live GPO into any specified folder location on the computer or network where you have write permissions.
D
B
A
C
© 2013 Global Knowledge Training LLC. All rights reserved.
Knowledge Check (cont.)
5. Which RSoP tool does the following text describe?
This tool presents “real” information that reflects how the policy is applied.a. Group Policy Results
b. HTLM file for reporting
c. Group Policy Modeling
d. Group Policy Verification
5-44