Configuring Administrative Workstation Settings for Group Policy Troubleshooting

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This topic provides information about the tools you use to troubleshoot Group Policy.

Configuration Tasks for Troubleshooting

To configure your administrative workstation for troubleshooting, you will need to perform one or more of the following tasks:

Install tools

Learn about built-in troubleshooting tools

Install tools for troubleshooting external issues

Enable auditing

Enable logging

Install tools

If you are administering or troubleshooting Group Policy, you should be using the Group Policy Management Console (GPMC) and other tools as necessary.

Group Policy Management Console

Group Policy Management Console is the preferred tool for administering Group Policy and it is an excellent tool for troubleshooting Group Policy. GPMC provides the following reporting functionality:

  • Group Policy Modeling reports are used to predict the policies that will be applied at a specific client. A Windows Server 2003 domain controller is required to generate Group Policy Modeling reports.

  • Group Policy Results reports gather information directly from the client to show the policies in effect, and include key policy events that have been logged at that client.

Both of these reports include valuable troubleshooting information. For example, you can see a list of the GPOs applied, and also the denied GPOs with the reason for denial. You can see which settings are or would be applied, and the winning GPO that supplied the value for the setting.

Sample scripts

GPMC also includes sample scripts that you can use to quickly perform a number of different troubleshooting tasks. If you cannot find a sample script that fits your needs, you can easily modify a sample script, or create your own script. The following sample scripts will help you troubleshoot various issues:

  • List All GPOs in a Domain: ListAllGPOs.wsf

  • List Disabled GPOs: FindDisabledGPOs.wsf

  • List GPO Information: DumpGPOInfo.wsf

  • List GPOs at a Backup Location: QueryBackupLocation.wsf

  • List GPOs by Policy Extension: FindGPOsByPolicyExtension.wsf

  • List GPOs by Security Group: FindGPOsBySecurityGroup.wsf

  • List GPOs Orphaned in SYSVOL: FindOrphanGPOsInSYSVOL.wsf

  • List GPOs With Duplicate Names: FindDuplicateNamedGPOs.wsf

  • List GPOs Without Security Filtering: FindGPOsWithNoSecurityFiltering.wsf

  • List SOM Information: DumpSOMInfo.wsf

  • List SOMs With Links to GPOs in External Domains: FindSOMsWithExternalGPOLinks.wsf

  • List Unlinked GPOs in a Domain: FindUnlinkedGPOs.wsf

  • Print the SOM Policy Tree: ListSOMPolicyTree.wsf

For a complete list of available sample scripts, script documentation, and a list of scripting interfaces exposed by GPMC, please see the Group Policy Management Console SDK located at %programfiles%\gpmc\scripts\gpmc.chm on any computer where GPMC has been installed. (The Group Policy Management Console SDK is available in English only.)

For information about downloading and installing GPMC, see Group Policy Management Console with Service Pack 1 on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=21813).

GPResult.exe

There are two versions of GPresult.exe.

  • The Windows Server 2003 version is included with Windows Server 2003 operating systems. GPresult.exe gathers and reports the RSoP data available from computers running Windows XP or Windows Server 2003. The report is similar to what you would get by generating a Group Policy Results report in GPMC. For more information, see Command-Line Reference for Windows Server 2003 on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=20331).

  • The Windows 2000 version is included with the Microsoft Windows® 2000 Server Resource Kit Tools. To download the Windows 2000 version for free, see Windows 2000 Tools and Utilities at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=12920). GPresult.exe estimates the Group Policy settings that would be applied at a specific computer. This version provides information that is not available in the Windows Server 2003 version: It shows the registry value name set by each policy setting and lets you associate the GPO GUID that appears in Sysvol with the friendly name that was given to the policy setting (for example, Remove Run Command). For this reason, you might want to have both versions of Gpresult available. For more information, see the readme file included with the download.

GPOTool.exe

GPOTool.exe is a command-line tool to be used in replicated domains—domains that contain more than one domain controller. It traverses all of your domain controllers and checks each for consistency between the Group Policy container (that is, information contained in the directory service) and the Group Policy template (that is, information contained in the SYSVOL share on the domain controller). The tool also determines whether the policies are valid and consistent between all of your domain controllers and displays detailed information about the GPOs that have been replicated between your domain controllers.

Software Installation Diagnostics Tool (Addiag.exe)

Windows Server 2003 includes an advanced troubleshooting tool, Software Installation Diagnostics (Addiag.exe) that you can use to gather additional diagnostic information when troubleshooting Software Installation policy issues.

The binary executable for this tool is Addiag.exe. Running addiag.exe /? from a command prompt provides the usage syntax.

This tool displays detailed information about the applications visible in Active Directory and installed for the current user, as well as general diagnostic information and related Event Log entries.

Addiag.exe is included in the Windows Server 2003 Support Tools. Support tools not installed with the Windows operating system; you must install them separately from the \Support\Tools folder of the Windows operating system CD.

For more information, see Addiag.exe: Application Deployment Diagnosis on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=43037).

Learn about built-in troubleshooting tools

This section provides information about using Group Policy Modeling and Group Policy Results in GPMC to generate reports.

Group Policy Results

GPMC leverages the Resultant Set of Policy (RsoP) functionality in Windows Server 2003 and Windows XP to provide reports on the way Group Policy is applied at individual clients. Because these reports rely on functionality that is new with Windows XP and Windows Server 2003, the clients for which you generate the reports must be running one of these operating systems.

Note

Group Policy Results depends on Windows Management Instrumentation (WMI). If WMI is not working, you will not be able to use RSoP or Group Policy Results. In this case, viewing the userenv log file in verbose mode provides you with information you will need to troubleshoot, for example, by showing you which GPOs did not apply. For more information about userenv, see Fixing Group Policy problems by using log files.

To generate a Group Policy Results report

  1. In the Group Policy Management console, right-click Group Policy Results, and then at the bottom of the navigation pane click Group Policy Results Wizard.

  2. In the wizard, specify the computer or computer/user combination you want to investigate. The report that appears in the details pane provides information about Group Policy application on the client.

Group Policy Modeling

Before you implement a GPO, use Group Policy Modeling to validate the effect it will have. The Group Policy Modeling report has the information about the Summary and Settings tabs similar to what you would see for a Group Policy Results report. Group Policy Modeling reports do not collect policy events from the client. Instead of the Policy Events tab, a list of the conditions that were applied when creating the model appears on the Query tab.

To generate a Group Policy Modeling report

  1. In the Group Policy Management console, right-click Group Policy Modeling, near the bottom of the navigation pane, and select Group Policy Modeling Wizard.

  2. In the Group Policy Modeling Wizard, specify the computer or computer/user combination you want to investigate. The report that appears in the details pane provides information about the anticipated Group Policy application on that client.

Summary Tab

On the Summary tab, the sections that appear under both Computer Configuration and User Configuration headings are listed and described in the following table.

Table 1    Summary Tab of Group Policy Results Reports

Section Information

General

Computer name

The domain and site of which the computer is a member

The last time Group Policy from the computer’s Active Directory hierarchy was applied

User name (if any)

The domain and site of which the user is a member

The last time Group Policy from the user’s Active Directory hierarchy was applied

Group Policy Objects
Applied

List of GPOs that were applied

Group Policy Objects
Denied

List of GPOs that were denied, with the reason for the failure.

Security Group Membership when Group Policy was applied

Security group memberships in effect when group policies were evaluated

WMI Filters

WMI filters that were applied, whether they evaluated as True or False, and what GPO called them

Component Status

Success or failure, including errors, of core client Group Policy functionality and client side extensions (CSEs)

Settings Tab

The Settings tab lists the actual settings applied. These are sorted by the source of the setting (for example Computer Configuration/Windows Settings or User Configuration/Administrative Templates). The report includes the winning GPO for each setting.

With this information, you can locate the GPO in the navigation pane. The information that is exposed when you click the GPO depends on the privileges granted to your user account. If you have sufficient privileges, you can review or edit the settings and also get a list of the sites, domains, and OUs that link to that GPO.

Policy Events Tab

When you use GPMC to generate a report of the resulting set of policy on a client, events that were logged at that client and pertain to Group Policy are listed on the Policy Events tab. Sources for these events include the core Group Policy engine on the client (the Userenv process) and the CSEs for Group Policy.

The display on the Policy Events tab is similar to the Event Viewer display. This is an especially useful troubleshooting feature of GPMC because it filters only the Group Policy events from the Event Viewer. Table 2 lists and defines the sources.

Note

To view the Group Policy events on computers running Windows XP SP1 or Windows Server 2003 you must be a local administrator on that computer. If you have the necessary privileges to generate a Group Policy Results report but you do not have the privileges to view Group Policy events on the client, the Policy tab displays the message “Unable to open event log: Access is Denied” instead of the list of events.

Table 2    Policy Events Tab of Group Policy Results Reports

Source name in Policy Events log Full name of source Functionality

UserEnv

User Environment (Group Policy core engine)

Locates and applies GPOs at start up, log on, or the configured Policy Refresh Interval

SceCli

Security CSE

Reads all GPOs that reach the client and determines which policy settings are applied

Application Management

Software Installation CSE

Processes Software Installation settings, including installation, upgrades, and removal

Folder Redirection

Folder Redirection CSE

Processes Folder Redirection

UserInit

Scripts CSE

Implements logon, logoff, startup, and shutdown scripts

To avoid flooding the client log file, some logging is blocked in certain situations. For example, if a computer is not connected to the network and a user logs on with cached credentials, the Component Status entries on the Summary tab of the Group Policy Results report show the failure to access and apply Group Policies. However, the list of associated failure events do not appear in the Application event log on the client or on the Policy Events tab.

Note

By default, UserEnv logging is not verbose — only errors and warnings are reported, and appear on the Policy Events tab. For more information, see Fixing Group Policy problems by using log files.

Install tools for troubleshooting external issues

Group Policy has dependencies on several operating system technologies such as Active Directory, Domain Name System (DNS), and File Replication Service (FRS). The following tools can help you troubleshoot problems related to these dependent technologies.

Sonar.exe

Sonar is a command-line tool that allows administrators to monitor key statistics and status about members of a file replication service (FRS) replica set. Use Sonar to watch key statistics on a replica set in order to monitor traffic levels, backlogs, and free space. To download Sonar for free, see Sonar.exe: FRS Status Viewer on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=16719).

Active Directory Support Tools

Help and Support Center in Windows Server 2003 provides a list of Active Directory support tools in the topic "Active Directory support tools." Use these tools to troubleshoot Active Directory issues.

Other Windows Server 2003 Command-Line Tools

Windows Server 2003 includes a number of command line tools including ping.exe, netdiag.exe, and dcdiag.exe. For a complete reference of the tools included with Windows Server 2003, see Windows Server 2003 Technical Reference: Tools and Settings Collection on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=4972).

Enable auditing

Administrators can use Group Policy to enable auditing of Windows registry keys, or they can use a Security Template to Audit Registry Keys, or they can use Registry Editor for this purpose. Administrators must also configure SACLs on the registry keys that are being audited.

To enable auditing for the Windows registry, you can use the Audit object access policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policies.

The Audit object access policy setting determines whether to audit the event of a user accessing an object (for example, a file, folder, registry key, printer, and so on) that has its own system access control list (SACL) specified. Default: No auditing.

To configure permissions for auditing the registry keys, in Group Policy Object Editor console, in Computer Configuration\Windows Settings\Security Settings, right-click Registry, click Add Key, select the registry key for which you want to allow auditing, and then click Advanced. In the Database Security dialog box, click the Auditing tab, and then specify the users or groups that you want to give permissions to and set the permissions you want to use.

For more information about enabling auditing of registry keys, see article ID 324739 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=35275).

Enable logging

To troubleshoot problems with Group Policy administration or application, you can enable logging based on the functionality you are investigating.

For more information about enabling logging for client-side extensions and server-side logging, see the subsections or Fixing Group Policy problems by using log files.

See Also

Other Resources

Windows Server 2003 Technical Reference: Tools and Settings Collection