A Smattering of Group Policy and Modicum of AD

Hey Everyone, I’ve been doing a lot of risk assessments and knowledge transfer sessions recently for Group Policy and AD for UK Premier customers. I’ve been finding that a lot of customers have the same issues or want more information on the same concepts. I normally follow up individually with each customer to send them further reading or extra info, so I’ve decided to put all of these handy links into one blog post so I have one reference point to then send on to customers. I will carry on updating this list over time if and when I want to share more reference material, so check back! If you have any other suggestions, then feel free to pop them into the comments.

So here it is, loads of Group Policy and AD goodness here for your reference:

Stale Groups and Group Memberships

Use these scripts to identify groups with common members and also where these groups are assigned permissions on file shares.




AD ACL Scanner

This PowerShell script is written by Robin Granberg, a Swedish PFE, who is the king when it comes to all things AD permission related and custom AD delegation. He is also one of the architects of the Premier POP–AD Delegation offering, where we can help you implement a role-based access control model in your environment. If you're interested and are a Premier customer, speak to your TAM!



GPO Debug Logging

Enabling GPO Debug Logging:


Parsing the GPSvc log:


Enabling CSE Debug Logging



Use this tool to parse the event viewer for Group Policy related events:



List of Client Side Extensions

Group Policy Client Side Extensions can be a bit of a mystery because they are not very well documented. There isn't a single list at Microsoft where we can look up each GPO setting and the CSE that is responsible for configuring it on the client side. The reason is that each product group is responsible for providing the Group Policy team with its settings and the client code that implements them, in the form of a CSE. Group Policy is just the vessel for distributing these settings; it is not necessarily responsible for each of them, hence we don't have a definitive list. However, never fear: Mark Empson, also known as Captain GPO, has documented some of the CSEs for us and what their GUIDs are:



Slow Boot Slow Logon – are GPOs to Blame?

This isn't technically related to AD and GPOs; however, a lot of the time Group Policy gets blamed for slow boot and logon times on users' machines, which is why I've included it here. If you read the Ask PFE Platforms blog, you are probably familiar with the series they did on SBSL; if not, then you should be reading it! They talk through using Xperf and then Windows Performance Analyzer to assess boot times in Windows. This is mandatory reading for any client admins out there:


Folder redirection and roaming user profiles can eat up the seconds during logon, especially if you have slow storage or latency on the network. Can you replace folder redirection and RUP in your environment? Maybe. If you are licensed for MDOP, then check out UE-V; it may fit your requirements:


Start-up scripts are another common culprit for slow boot times; check out this post to see if you can replace your scripts:


If you can replace the old logon script that performs drive maps with Group Policy Preferences, then check out this post, which will help you configure it:


Further to the above posts, here is some general guidance on Group Policy and logon times:



Consolidate Policies

The following PowerShell script can be used to merge policies where you are trying to consolidate:



Central Store

Have you implemented the Group Policy Central Store? If not, check out this article:


If you have implemented it, are you having issues due to inconsistencies between ADMX versions and deprecated settings? If so, check out this hotfix, which allows you to override the Central Store on a particular machine:


Execute those legacy ADM files from your SYSVOL using this article and script:



Backup, Backup, Backup!!!

Do you back up your AD? Probably yes. Do you have a full forest recovery and disaster recovery plan? Probably not. So many customers neglect the need for a fully tested and robust disaster recovery plan for AD and GPOs. AD usually underpins your whole environment; you MUST create a DR plan for it! Go through the Forest Recovery whitepaper on TechNet and create one if you haven't got one already:


With regards to GPOs, these will be included in your DR plan once you have one, but most customers don't back up their GPOs properly. Our very own PoSH Chap Ian Farr can help us out here: http://blogs.technet.com/b/poshchap/archive/2014/04/25/comprehensive-gpo-backup-script.aspx

Again, if you are a Premier customer, we have an engagement which can help you create your DR plan; ask your TAM about the AD Recovery Execution Service (ADRES).



So many customers do not enable scavenging on their DNS zones, or have it misconfigured. Please see this article for information on how to configure DNS scavenging: http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

Have you upgraded your environment from Windows 2000 to 2003 to 2008 onwards? If so, did you migrate your _msdcs zone into the application partition? If you didn't, then you should; this still gets picked up in some customer environments today. Please see this article for information on how to move the _msdcs zone into the ForestDnsZones application partition: https://support.microsoft.com/en-us/kb/817470

Have you configured secure dynamic updates on your DNS zones? This is another one that comes up on the risk assessments quite a lot; see the following article for information on secure updates:
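To put the two DNS points above (scavenging and secure dynamic updates) into one check, here is an added audit script that is not part of the original post. It assumes the DnsServer PowerShell module (DNS Server role or RSAT) and read access to the DNS server named in $ComputerName.

```powershell
# Added audit example (not from the original post): list primary zones whose
# dynamic-update or aging settings would be flagged on a risk assessment, and
# whether server-level scavenging is actually running.
param(
    [string]$ComputerName = $env:COMPUTERNAME   # assumed: the DNS server to audit
)
Import-Module DnsServer -ErrorAction Stop

# Zone-level aging does nothing unless the server itself scavenges.
$server = Get-DnsServerScavenging -ComputerName $ComputerName
if (-not $server.ScavengingState) {
    Write-Warning "$ComputerName : server-level scavenging is OFF; aged records are never removed."
}

$zones = Get-DnsServerZone -ComputerName $ComputerName | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
}

$report = foreach ($zone in $zones) {
    $aging    = Get-DnsServerZoneAging -ComputerName $ComputerName -Name $zone.ZoneName
    $findings = @()

    # AD-integrated zones should accept only secure (Kerberos-authenticated) updates.
    if ($zone.IsDsIntegrated -and $zone.DynamicUpdate -ne 'Secure') {
        $findings += "DynamicUpdate is '$($zone.DynamicUpdate)'; expected 'Secure'"
    }
    # File-backed zones cannot do secure updates at all; 'NonsecureAndSecure' means anyone can update.
    if (-not $zone.IsDsIntegrated -and $zone.DynamicUpdate -eq 'NonsecureAndSecure') {
        $findings += 'file-backed zone accepts unauthenticated dynamic updates'
    }
    if (-not $aging.AgingEnabled) {
        $findings += 'aging disabled; stale records will accumulate'
    }

    [pscustomobject]@{
        Zone          = $zone.ZoneName
        DsIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        Aging         = $aging.AgingEnabled
        NoRefresh     = $aging.NoRefreshInterval
        Refresh       = $aging.RefreshInterval
        Findings      = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$report | Sort-Object Zone | Format-Table -AutoSize
```

Remember that scavenging is a blunt instrument: confirm the NoRefresh and Refresh intervals against your DHCP lease times before turning it on, as the linked article explains.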



AD Replication

Lingering objects are an issue in many environments; you need to remove these and fix your replication for a healthy directory:


A nice tool to monitor AD replication:


If you’re feeling conflicted, then check out another post from PoSH Chap:



Time Configuration

Many customers do not consistently configure their Root PDCe to point to an external time source. Follow this article to do this automatically with Group Policy:


Stop devastating time drifts in your directory by configuring the maximum negative and positive phase correction values; again, this is missed by many customers:
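As an added example (not from the original post or the linked articles), the following script audits both points above on the DC it runs on: it uses the same DomainRole test that the Group Policy WMI filter relies on to identify the PDCe, and then reads the W32Time registry values. The 172800-second (48-hour) cap is an assumed threshold, and the script assumes it is run on a DC in the forest root domain.

```powershell
# Added audit example (not from the original post): check W32Time on this DC.
# Flags a PDCe that is not syncing from an external NTP source and any
# phase-correction limit left at 0xFFFFFFFF (unlimited).
# 172800 s (48 h) is an assumed cap; align it with your own standard.
$MaxAllowedCorrection = 172800

# DomainRole 5 = PDC emulator. The same test as a GPO WMI filter
# (Select * from Win32_ComputerSystem where DomainRole = 5) is how the
# "external time source" policy gets scoped to the PDCe only.
$isPdce = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -eq 5

$w32    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
$params = Get-ItemProperty "$w32\Parameters"
$config = Get-ItemProperty "$w32\Config"
$findings = @()

if ($isPdce) {
    # Root PDCe: Type should be NTP with a manual peer list, not NT5DS (domain hierarchy).
    if ($params.Type -ne 'NTP') {
        $findings += "PDCe Type is '$($params.Type)'; expected 'NTP' with external peers"
    }
    if ([string]::IsNullOrWhiteSpace($params.NtpServer)) {
        $findings += 'PDCe has no NtpServer peer list configured'
    }
} elseif ($params.Type -ne 'NT5DS') {
    $findings += "non-PDCe Type is '$($params.Type)'; expected 'NT5DS' (domain hierarchy)"
}

foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    if ($null -eq $config.$name) { $findings += "$name not set (service default applies)"; continue }
    # REG_DWORD comes back as a signed Int32, so 0xFFFFFFFF reads as -1; mask it back.
    $value = [int64]$config.$name -band 0xFFFFFFFF
    if ($value -eq 0xFFFFFFFF) {
        $findings += "$name is 0xFFFFFFFF (unlimited): one bad sample can move the clock by any amount"
    } elseif ($value -gt $MaxAllowedCorrection) {
        $findings += "$name = $value s exceeds the $MaxAllowedCorrection s cap"
    }
}

[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    IsPdce    = $isPdce
    Type      = $params.Type
    NtpServer = $params.NtpServer
    Findings  = if ($findings) { $findings -join '; ' } else { 'OK' }
}
```

Run it on every DC, not just the PDCe: the phase-correction limits matter on the whole hierarchy, and a non-PDCe DC left on Type=NTP is a common cause of split time in a forest.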



Post 2003 Eradication

Have you finally got rid of that last 2003 domain controller in your environment? If so, then make sure you perform the post-upgrade tasks and don't just close the project down:

Raise the DFL and FFL:


Migrate SYSVOL to DFSR:


Make use of the AD Recycle Bin:


Enable the GPO Central Store as discussed above.


Sites and Subnets

On pretty much every single risk assessment I run, the issue of missing subnets gets flagged. Use this script to collect missing subnets in AD:
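The usual source for this data is the NO_CLIENT_SITE entries that each DC writes to netlogon.log when a client's IP address does not match any AD subnet. Here is an added example (not the script linked above) that parses those lines and summarises them into candidate subnets; the sample log lines are constructed, and the /24 summarisation is an assumption you should adjust to your addressing plan.

```powershell
# Added example (not the linked script): summarise NO_CLIENT_SITE entries from
# netlogon.log into candidate subnets that are missing from AD Sites and Services.
function ConvertTo-NetworkPrefix {
    param([string]$IPv4, [int]$PrefixLength)
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network order -> little-endian for BitConverter
    $addr = [BitConverter]::ToUInt32($bytes, 0)
    $mask = [uint32]((0xFFFFFFFF -shl (32 - $PrefixLength)) -band 0xFFFFFFFF)
    $net  = [BitConverter]::GetBytes([uint32]($addr -band $mask))
    [Array]::Reverse($net)
    '{0}/{1}' -f [System.Net.IPAddress]::new($net).ToString(), $PrefixLength
}

function Get-MissingSubnetCandidates {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$PrefixLength = 24                 # assumed summarisation width
    )
    # netlogon.log format: "MM/DD HH:MM:SS DOMAIN: NO_CLIENT_SITE: ClientName IP"
    $pattern = '^\d{2}/\d{2} \d{2}:\d{2}:\d{2} \S+: NO_CLIENT_SITE: (?<client>\S+) (?<ip>\d{1,3}(\.\d{1,3}){3})'
    $hits = foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Client = $Matches.client
                IP     = $Matches.ip
                Prefix = ConvertTo-NetworkPrefix -IPv4 $Matches.ip -PrefixLength $PrefixLength
            }
        }
    }
    $hits | Group-Object Prefix | ForEach-Object {
        [pscustomobject]@{
            CandidateSubnet = $_.Name
            Clients         = @($_.Group.Client | Sort-Object -Unique).Count
            SampleIPs       = (@($_.Group.IP | Sort-Object -Unique | Select-Object -First 3) -join ', ')
        }
    } | Sort-Object Clients -Descending
}

# Constructed sample lines in netlogon.log format (not real log data).
$sample = @(
    '05/20 09:12:34 CONTOSO: NO_CLIENT_SITE: WKS0101 10.20.5.17',
    '05/20 09:12:51 CONTOSO: NO_CLIENT_SITE: WKS0102 10.20.5.44',
    '05/20 09:13:02 CONTOSO: NO_CLIENT_SITE: LAP0417 172.16.88.9',
    '05/20 09:13:10 CONTOSO: NO_CLIENT_SITE: WKS0101 10.20.5.17',
    '05/20 09:14:22 CONTOSO: SamLogon: Network logon of CONTOSO\alice from WKS0101 Entered'
)
Get-MissingSubnetCandidates -LogLines $sample | Format-Table -AutoSize
# On a DC: Get-MissingSubnetCandidates -LogLines (Get-Content "$env:windir\debug\netlogon.log")
```

Collect the log from every DC, since a client only shows up on the DC it happened to authenticate against, and compare the candidates with Get-ADReplicationSubnet before adding anything.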




Having problems with Kerberos? It could be down to duplicate SPNs and UPNs; check out this script to find those duplicates:
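For reference, here is an added example (not the script linked above) that finds SPN and UPN values registered on more than one account. It queries a Global Catalog so the check is forest-wide, which is the scope at which SPNs must be unique; it assumes the ActiveDirectory RSAT module and read access to the directory.

```powershell
# Added example (not the linked script): report SPN and UPN values that exist
# on more than one account anywhere in the forest.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DuplicateAdAttributeValues {
    param(
        [Parameter(Mandatory)][string]$Attribute,   # servicePrincipalName or userPrincipalName
        [string]$Server = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )
    # Port 3268 = Global Catalog: one query covers every domain in the forest.
    $gc = "${Server}:3268"
    $objects = Get-ADObject -Server $gc -LDAPFilter "($Attribute=*)" -Properties $Attribute

    $index = @{}   # normalised value -> list of distinguished names carrying it
    foreach ($obj in $objects) {
        foreach ($value in @($obj.$Attribute)) {
            $key = ([string]$value).ToLowerInvariant()   # SPN/UPN matching is case-insensitive
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.ArrayList
            }
            [void]$index[$key].Add($obj.DistinguishedName)
        }
    }

    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                Attribute = $Attribute
                Value     = $entry.Key
                Accounts  = ($entry.Value -join '; ')
            }
        }
    }
}

# A duplicate SPN breaks Kerberos for that service (KDC cannot pick one account);
# a duplicate UPN breaks logon with that UPN.
Get-DuplicateAdAttributeValues -Attribute servicePrincipalName
Get-DuplicateAdAttributeValues -Attribute userPrincipalName
```

The built-in "setspn -X" gives the same forest-wide duplicate SPN check from the command line; this version adds UPNs and produces objects you can export for the risk assessment.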


Are you suffering from token bloat? If so, removing sIDHistory data may help; use this script: