Understanding and Troubleshooting Group Policy Function

Darren Mar-Elia
CTO, Infrastructure Management, Quest Software
MS-MVP for Group Policy

Agenda
- Understanding Group Policy Structure
- The Mechanics of Group Policy Processing
- Leveraging Group Policy Logging
- The Top Group Policy Problems and Tools for Solving Them
- Other Resources
- Q&A

Understanding Group Policy Structure
- Group Policy Objects (GPOs) are stored within a given AD domain in two parts:
  - AD: the Group Policy Container (GPC)
  - SYSVOL: the Group Policy Template (GPT)
- Some policy areas store settings in both the GPC and the GPT; others use only the GPC, or neither
- The decision is driven by the type of data that needs to be stored

Understanding Group Policy Structure - the GPC
- The GPC stores general information about the GPO (e.g. friendly name, path to the GPT, version number)
- The GPC for each GPO lives in its AD domain under the CN=Policies,CN=System container
- Each GPC is named by the GPO's GUID (CN={GUID})

Understanding Group Policy Structure - the GPT
- The GPT contains the folders and files that hold the settings you specify in the GPO
- The GPT lives in SYSVOL under the Policies folder and is replicated to all DCs by FRS
- Like the GPC, the GPT is organized into GUID-named folders, each corresponding to the GUID of the GPO's GPC

Understanding Group Policy Structure - GP Versioning
- A version number is held in both the GPC and the GPT:
  - GPC: the versionNumber attribute on the GPC object
  - GPT: the Version= entry in the gpt.ini file in the root of the GPT folder
- The number is a single 32-bit value holding two 16-bit counters, so it is incremented by:
  - 1 for each computer-side (machine) change (low 16 bits)
  - 65536 for each user-side change (high 16 bits)
- In Windows 2000 the GPC and GPT version numbers must be equal before a client will process the GPO; AD or FRS replication problems can keep them out of sync
- XP and Server 2003 no longer require the two to match

Understanding Group Policy Structure - GP Storage
Policy Area: Storage Location
- Wireless: In the GPC under CN=wireless,CN=Windows,CN=Microsoft,CN=Machine, in an object of class msieee80211-Policy (Server 2003
only)
- Folder Redirection: In the GPT, in a file called fdeploy.ini under the User\Documents & Settings folder
- Administrative Templates: In the GPT, in a file called registry.pol in the User and/or Machine folder
- Disk Quota: In the GPT, also in registry.pol, but only under the Machine folder
- Scripts: In the GPT. Startup and shutdown scripts are stored under Machine\Scripts\Startup and Machine\Scripts\Shutdown; logon and logoff scripts under User\Scripts\Logon and User\Scripts\Logoff

Understanding Group Policy Structure - GP Storage (continued)
Policy Area: Storage Location
- Internet Explorer Maintenance: In the GPT, under the folder User\Microsoft\IEAK
- Security: In the GPT, in a file called GptTmpl.inf under the folder Machine\Microsoft\Windows NT\SecEdit
- Software Installation: In both the GPT and the GPC. In the GPT, under the Applications folder beneath both the User and Machine folders; in the GPC, under the Machine (or User)\Class Store\Packages container as packageRegistration objects
- Software Restriction Policy: In the GPT, also in registry.pol
- IP Security: Not stored in either the GPC or the GPT; stored in AD under the CN=IP Security,CN=System container

Understanding Group Policy Structure - Creating vs. Linking
- Creating a GPO is a two-step process:
  1. The GPC and GPT are created in the domain
  2. A GP link is created on the container (site, domain or OU) you are focused on
- Thus a single GPO can be linked to multiple containers
- Permissions are set on the GPO itself, but each link can have different characteristics (e.g. Enforced)

The Mechanics of Group Policy Processing
- GP processing is strictly a client-side operation
- Processing is broken into two parts:
  - GP Core
  - Client Side Extensions (CSEs)
- GP Core works out which GPOs apply and which CSEs need to run
- CSEs do the hard work of implementing the policy settings

The Mechanics of Group Policy Processing
- Policy is processed using an order of precedence; a setting applied later overrides the same setting applied earlier:
  1. Local GPOs
  2. Site-linked GPOs
  3.
Domain-linked GPOs
  4. OU-linked GPOs (parent OU first, then each child OU)
- Within a given container, links are processed from the bottom of the link list to the top, so the link with link order 1 is applied last and wins

The Mechanics of Group Policy Processing
- CSEs are provided by default in Windows
- They are registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions (one subkey per CSE, named by the CSE's GUID)
- GP is extensible by writing your own CSEs; several third parties have done this (Quest, FullArmor, DesktopStandard)
- Note that GP processing runs within the system Winlogon process, so a poorly written CSE can crash Windows
- This is changing in Windows Vista, which moves GP processing out of Winlogon into its own service (the Group Policy Client service, gpsvc)

The Mechanics of Group Policy Processing
- Healthy GP processing relies on several infrastructure pieces working in concert:
  - AD replication
  - DNS
  - FRS replication
  - Passage of key network protocols, including ICMP, LDAP, SMB and RPC

The Mechanics of Group Policy Processing - Step-by-Step
The steps of GP processing:
1. Client performs a DNS request for the LDAP SRV record of the DC(s) in its site
2. Client binds to a DC using the normal DC Locator process
3. Client performs ICMP slow link detection against the DC to determine link speed
4. Client uses LDAP to build the GPO list at the OU, domain and then site containers, and determines whether it has permission to process each GPO (Read and Apply Group Policy)
5. Client uses LDAP to query each GPC for the GPT path, the version number and the CSEs the GPO has settings for (the gPCMachineExtensionNames and gPCUserExtensionNames attributes)
6. Client uses SMB to read gpt.ini from the GPT path to get the GPT version number
7. Each CSE runs in the order in which it is registered and processes the GPOs only if a GPO has changed since the last processing cycle (as determined during core processing)
8. If a GPO has changed, the CSE processes the new settings, then the next CSE runs, until all have completed
9. Each CSE logs RSoP data to WMI during each refresh

The Mechanics of Group Policy Processing
- There are two kinds of GP processing:
  - Foreground (e.g. during machine startup or user logon)
  - Background (periodic, based on computer role: DCs every 5 min., workstations and member servers every 90 min.
with a random offset of up to 30 minutes)
- Foreground processing can run asynchronously or synchronously
- Win2K defaults to synchronous foreground; XP defaults to asynchronous (Fast Logon Optimization), which you probably want to change
- Background processing is asynchronous by definition

The Mechanics of Group Policy Processing
- Certain CSEs won't process normally, for a variety of reasons:
  - Some don't process if a slow link is detected (e.g. Software Installation, Folder Redirection)
  - Some don't process asynchronously (e.g. Software Installation)
  - Some process asynchronously but don't actually do anything until the next synchronous event (e.g. Scripts)
- And of course no CSE will process if the GPO has not changed since the last processing cycle
  - This is determined by comparing the GPO's version number to the version number the client recorded for that GPO in its registry during the last cycle

The Mechanics of Group Policy Processing - Slow Link Detection
CSE: Processes on a slow link?
- Security: Yes (and can't be disabled)
- IP Security: Yes
- EFS Recovery: Yes
- Wireless Network: Yes
- Administrative Templates: Yes (and can't be disabled)
- Scripts: No
- Folder Redirection: No
- Software Installation: No
- IE Maintenance: Yes
(These are the defaults; apart from Security and Administrative Templates, each CSE's slow link behaviour can be changed in its "... policy processing" setting under Computer Configuration|Administrative Templates|System|Group Policy.)

Leveraging Group Policy Logging
- GP-related logging is your best tool for understanding and troubleshooting GP operation
- There are basically two types of logging:
  - Application event log events on each client
  - CSE-specific logging

Leveraging Group Policy Logging - Application Events
- Application events related to Group Policy come from the following event sources:
  - Userenv: most GP core events
  - SceCli: Security CSE events
  - Appmgmt (Application Management): Software Installation events
  - Userinit: Scripts events
  - Folder Redirection: Folder Redirection events
- GPMC does a good job of exposing the GP-related Application events, through the Group Policy Results wizard

Leveraging Group Policy Logging - GPMC Application Event Reporting
(demo slide)

Leveraging Group Policy Logging - Enabling Verbose Logging
- Verbose GP-related logging must be explicitly enabled; basic Application event logging is enabled by
default but can be made more verbose
- To enable verbose logging you need to make registry changes on each client
- I have a custom .ADM that enables all of the available GP-related logging at http://www.gpoguy.com/tools.htm
- Keep in mind that verbose logging has a performance overhead; disable it when not in use

Leveraging Group Policy Logging - Userenv Logging
- Userenv logging is the most verbose, but also the most instructive for investigating problems
- It is enabled by setting the REG_DWORD value UserEnvDebugLevel to 0x30002 under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- The log is written to %windir%\debug\usermode\userenv.log
- It logs both policy and user profile processing
- It can be somewhat arcane to read, but it details each step of the GP processing cycle
- If you're troubleshooting a problem, rename the file to get a fresh log and then force a GP refresh:
  - gpupdate on XP and Server 2003 (gpupdate /force reapplies even GPOs that have not changed)
  - secedit /refreshpolicy machine_policy /enforce (and user_policy) on Win2K

Leveraging Group Policy Logging - Userenv.log
(annotated sample log: each line carries the process and thread ID and a timestamp; the callouts point at the slow link test)

GP Logging Walkthrough
(demo slide)

GP Problems and Their Solutions
Many GP-related problems fall into these categories:
- Infrastructure problems (e.g. DNS, FRS, AD, network)
- Misconfiguration problems (incorrect security filtering, Enforced or Block Inheritance set, etc.)
- Client problems

GP Problems and Their Solutions - Infrastructure Problems
Problem: ICMP: slow link detection (SLD) fails, and all GP processing fails as a result
Solution: ICMP is required for GP processing.
If ICMP is disabled or restricted (SLD sends ICMP echo requests with payloads of up to 2048 bytes, so filters that allow only small pings also break it), disable slow link detection via policy at "Computer (and User) Configuration|Administrative Templates|System|Group Policy|Group Policy slow link detection" by setting the connection speed to 0*
*Note that this must be done for both the computer and the user configuration

GP Problems and Their Solutions - Infrastructure Problems
Problem: FRS and SYSVOL: FRS is not replicating GPT content to all SYSVOL shares; files are missing or permissions are wrong across replicas; GPOs don't process because the version numbers don't match (Win2K) or process incorrectly
Solution: Make sure the problem DC has the DFS service running and that SYSVOL is shared; refer to KB articles 257338 and 315457 for fixing SYSVOL problems; use GPOTool to compare the GPTs (and the GPC/GPT version numbers) across DCs; GPMC can fix permission problems if it detects them; in a pinch you can manually copy files between GPTs on DCs; use Ultrasound to monitor FRS

GP Problems and Their Solutions - Misconfiguration Problems
Problem: GPO permissioned incorrectly, or linked to a container in the belief that it will target a group rather than a user or computer
Solution: Use GPMC Group Policy Results or the gpresult command-line tool to see whether a GPO is denied and whether the correct GPOs apply; remember that GPOs apply only to users and computers (groups matter only for security filtering)

GP Problems and Their Solutions - Misconfiguration Problems
Problem: GPOs aren't applying because Block Inheritance or Enforced is set
Solution: Use GPMC to see visually where these flags are set on containers or GP links.
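The following PowerShell is an added example, not part of the original deck, that ties the GP Versioning slide to the FRS/SYSVOL problem above: it decodes a GPO version number into its computer and user halves, parses Version= out of gpt.ini, and reports per DC whether that DC's GPT replica is in sync with the GPC, which is the check GPOTool performs. The sample GPC version and gpt.ini contents are constructed. The Get-GpoVersionReport function at the end is a live variant that assumes the ActiveDirectory (RSAT) module is installed and that SYSVOL on every DC is readable; the GUID in its comment is the well-known Default Domain Policy GUID.

```powershell
# Added example, not from the original deck: decode GPO version numbers and check
# GPC (AD) versus GPT (SYSVOL) consistency per DC, the check GPOTool performs.

function ConvertFrom-GpoVersion {
    # A GPO version is one 32-bit value: low 16 bits count computer-side changes (+1 each),
    # high 16 bits count user-side changes (+65536 each). AD exposes versionNumber as a
    # signed 32-bit integer, so mask to 32 bits before splitting.
    param([Parameter(Mandatory)][int64]$Version)
    $v = $Version -band 4294967295
    [pscustomobject]@{
        Raw      = $v
        Computer = $v -band 65535
        User     = ($v -shr 16) -band 65535
    }
}

function Get-GptIniVersion {
    # Returns the Version= value from the [General] section of gpt.ini text,
    # or $null when the text is empty or has no Version entry (missing/unreadable file).
    param([string]$Text = '')
    $inGeneral = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inGeneral = ($Matches[1] -eq 'General'); continue }
        if ($inGeneral -and $t -match '^Version\s*=\s*(\d+)\s*$') { return [int64]$Matches[1] }
    }
    return $null
}

function Test-GpoVersionConsistency {
    # $GptIniByDc maps DC name -> gpt.ini text read from that DC's SYSVOL replica.
    param(
        [Parameter(Mandatory)][int64]$GpcVersion,
        [Parameter(Mandatory)][hashtable]$GptIniByDc
    )
    $gpc = ConvertFrom-GpoVersion -Version $GpcVersion
    foreach ($dc in ($GptIniByDc.Keys | Sort-Object)) {
        $gptVersion = Get-GptIniVersion -Text $GptIniByDc[$dc]
        if ($null -eq $gptVersion) {
            $gptText = 'n/a'
            $status  = 'gpt.ini missing or unreadable on this DC (FRS/SYSVOL problem)'
        } else {
            $gpt     = ConvertFrom-GpoVersion -Version $gptVersion
            $gptText = "$($gpt.Raw) (computer $($gpt.Computer), user $($gpt.User))"
            if ($gpt.Raw -eq $gpc.Raw) {
                $status = 'OK'
            } elseif ($gpt.Computer -lt $gpc.Computer -or $gpt.User -lt $gpc.User) {
                $status = 'GPT behind GPC: FRS replication lag or fault'
            } else {
                $status = 'GPT ahead of GPC: AD replication lag'
            }
        }
        [pscustomobject]@{
            DC         = $dc
            GpcVersion = "$($gpc.Raw) (computer $($gpc.Computer), user $($gpc.User))"
            GptVersion = $gptText
            Status     = $status
        }
    }
}

# Constructed sample input: the GPC says user half 3, computer half 2 (3*65536 + 2 = 196610).
$sampleGpcVersion = 196610
$sampleGptIni = @{
    'DC1' = "[General]`r`nVersion=196610`r`ndisplayName=Default Domain Policy`r`n"  # in sync
    'DC2' = "[General]`r`nVersion=131074`r`ndisplayName=Default Domain Policy`r`n"  # user half still 2: stale replica
    'DC3' = ''                                                                      # gpt.ini missing on this DC
}
Test-GpoVersionConsistency -GpcVersion $sampleGpcVersion -GptIniByDc $sampleGptIni | Format-Table -AutoSize

function Get-GpoVersionReport {
    # Live variant. Assumes the ActiveDirectory module (RSAT) and read access to every DC's SYSVOL.
    # '{31B2F340-016D-11D2-945F-00C04FB984F9}' is the well-known Default Domain Policy GUID.
    param([Parameter(Mandatory)][string]$GpoGuid)
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $gpcDn  = "CN=$GpoGuid,CN=Policies,CN=System,$($domain.DistinguishedName)"
    $gpc    = Get-ADObject -Identity $gpcDn -Properties versionNumber
    $gptIni = @{}
    foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
        $path = "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
        $gptIni[$dc] = if (Test-Path -LiteralPath $path) { Get-Content -LiteralPath $path -Raw } else { '' }
    }
    Test-GpoVersionConsistency -GpcVersion $gpc.versionNumber -GptIniByDc $gptIni
}
```

For the constructed input the report shows DC1 in sync, DC2 behind on the user half (an FRS replica that has not yet received the latest user-side change) and DC3 with no readable gpt.ini. Reading each DC's own \\dc\SYSVOL share rather than the domain DFS path is deliberate: the DFS path picks one replica for you, which hides exactly the inconsistency you are hunting.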
Using GPMC for Troubleshooting
(demo slide)

GP Problems and Their Solutions - Client Problems
Problem: No GPOs are being processed; errors show "unable to read gpt.ini" or other GPT files (specifically Application event log error 1058, "Windows cannot access the file gpt.ini for GPO ...", usually for computer policy only)
Solution: Verify that the client's TCP/IP NetBIOS Helper service is running; it is required to resolve the UNC path to the GPT. See KB 840669 on telling GP processing to wait for the network stack to initialize

GP Problems and Their Solutions - Client Problems
Problem: Folder Redirection is not working; files aren't being redirected for users
Solution: Make sure users have the permissions needed to create their folders if you're using FR policy to create the folders on the fly. See KB 274443 for the required permissions

GP Problems and Their Solutions - Client Problems
Problem: Applications don't deploy correctly via Software Installation policy, or require multiple restarts or user logons to apply
Solution:
- Make sure you entered a UNC path to the package (a local path resolves only on the machine where you authored the GPO)
- Use addiag.exe (Win2K Resource Kit) to troubleshoot Software Installation deployment
- Make sure a slow link wasn't detected
- If multiple restarts or user logons are required, disable Fast Logon Optimization (XP only) by enabling the policy Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon
- Enable verbose Windows Installer and Application Management logging

Resources
- "Group Policy Guide", written by myself, Derek Melber and William Stanek; available as part of the Windows Server 2003 Resource Kit, 2nd Edition, and standalone: http://www.microsoft.com/mspress/books/8763.asp

Resources
- My website, www.gpoguy.com, for tools, FAQs and additional troubleshooting tips
- Jeremy Moskowitz's website, www.gpanswers.com, for a community forum on GP as well as FAQs and other resources
- Microsoft's GP wiki: www.grouppolicywiki.com
- Mark Minasi's forum (I moderate the GP forum there) at
x220.minasi.com/forum
- TechNet Group Policy Center: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
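Returning to the Userenv logging slides: the deck calls userenv.log arcane but the most instructive log, and the following PowerShell is an added example, not from the deck, that turns a log into a triage summary. It splits each line into process ID, thread ID, timestamp, function and message, then pulls out the slow link verdict, the GPC/GPT versions reported for each GPO, each CSE's return code and whether the cycle completed. The sample lines are constructed in the style of a Server 2003-era userenv.log (not a real capture); the exact wording matched for a slow link verdict is an assumption, and the 0x5 return code in the sample is a constructed illustration.

```powershell
# Added example, not from the original deck: parse userenv.log into objects and
# summarise the parts that matter for triage (slow link result, GPC/GPT versions
# per GPO, CSE return codes, whether the cycle completed).

function ConvertFrom-UserenvLog {
    # Each line looks like: USERENV(<pid>.<tid>) hh:mm:ss:mmm <Function>: <message>
    # pid/tid are hex. Lines that do not match (wrapped continuations) are skipped.
    param([Parameter(Mandatory)][string[]]$Lines)
    $pattern = '^USERENV\((?<pid>[0-9a-fA-F]+)\.(?<tid>[0-9a-fA-F]+)\)\s+(?<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?<func>\w+):\s*(?<msg>.*)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                ProcessId = [Convert]::ToInt32($Matches['pid'], 16)
                ThreadId  = [Convert]::ToInt32($Matches['tid'], 16)
                Time      = $Matches['time']
                Function  = $Matches['func']
                Message   = $Matches['msg']
            }
        }
    }
}

function Get-UserenvTriage {
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries     = @(ConvertFrom-UserenvLog -Lines $Lines)
    $slowLink    = $null      # stays $null if no PingComputer verdict was logged
    $currentGpo  = $null      # the display name line precedes the version line for the same GPO
    $gpoVersions = @()
    $cseResults  = @()
    foreach ($e in $entries) {
        $m = $e.Message
        if ($e.Function -eq 'PingComputer' -and $m -match '^Fast link') {
            $slowLink = $false
        } elseif ($e.Function -eq 'PingComputer' -and $m -match '^Slow link') {   # assumed wording for the slow case
            $slowLink = $true
        } elseif ($m -match '^Found display name of:\s*<(.+)>') {
            $currentGpo = $Matches[1]
        } elseif ($m -match '^Found (machine|user) version of:\s*GPC is (\d+), GPT is (\d+)') {
            $gpoVersions += [pscustomobject]@{
                Gpo = $currentGpo; Side = $Matches[1]
                Gpc = [int]$Matches[2]; Gpt = [int]$Matches[3]
                InSync = ([int]$Matches[2] -eq [int]$Matches[3])
            }
        } elseif ($m -match '^Extension (.+?) (returned|skipped with flags) (0x[0-9a-fA-F]+)') {
            $cseResults += [pscustomobject]@{
                Cse = $Matches[1]; Outcome = $Matches[2]; Code = $Matches[3]
                Failed = ($Matches[2] -eq 'returned' -and $Matches[3] -ne '0x0')
            }
        }
    }
    [pscustomobject]@{
        Entries           = $entries.Count
        SlowLinkDetected  = $slowLink
        GpoVersions       = $gpoVersions
        VersionMismatches = @($gpoVersions | Where-Object { -not $_.InSync })
        CseResults        = $cseResults
        FailedCses        = @($cseResults | Where-Object { $_.Failed })
        Completed         = [bool]($entries | Where-Object { $_.Message -match 'Group Policy has been applied' })
    }
}

# Constructed sample in the style of a Server 2003-era userenv.log (not a real capture).
$sampleText = @'
USERENV(2b4.2b8) 09:46:02:093 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(2b4.2b8) 09:46:02:093 PingComputer: First time:  0
USERENV(2b4.2b8) 09:46:02:109 PingComputer: Fast link.  Exiting.
USERENV(2b4.2b8) 09:46:02:218 ProcessGPO: Found display name of:  <Default Domain Policy>
USERENV(2b4.2b8) 09:46:02:218 ProcessGPO: Found machine version of:  GPC is 5, GPT is 5
USERENV(2b4.2b8) 09:46:02:234 ProcessGPO: Found display name of:  <Workstation Lockdown>
USERENV(2b4.2b8) 09:46:02:234 ProcessGPO: Found machine version of:  GPC is 3, GPT is 2
USERENV(2b4.2b8) 09:46:02:296 ProcessGPOs: Extension Security returned 0x0.
USERENV(2b4.2b8) 09:46:02:312 ProcessGPOs: Extension Scripts skipped with flags 0x6.
USERENV(2b4.2b8) 09:46:02:390 ProcessGPOs: Extension Software Installation returned 0x5.
USERENV(2b4.2b8) 09:46:02:390 ProcessGPOs: Computer Group Policy has been applied.
'@
$triage = Get-UserenvTriage -Lines ($sampleText -split "`r?`n")
$triage | Format-List SlowLinkDetected, Completed
$triage.VersionMismatches | Format-Table -AutoSize
$triage.FailedCses | Format-Table -AutoSize
```

For the constructed sample the mismatch list holds the Workstation Lockdown GPO (GPC 3, GPT 2, i.e. the replica this client read is behind AD) and the failed list holds the Software Installation CSE. Run it against a real log with Get-Content -Path "$env:windir\debug\usermode\userenv.log", and treat a $null SlowLinkDetected as a finding in itself: if PingComputer never logged a verdict, slow link detection did not complete, which is the ICMP problem described under Infrastructure Problems.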