Understanding and Troubleshooting Group Policy Function

Understanding and
Troubleshooting Group Policy
Darren Mar-Elia
CTO, Infrastructure Management, Quest Software
MS-MVP for Group Policy
Understanding Group Policy Structure
The Mechanics of Group Policy
Leveraging Group Policy Logging
The Top Group Policy Problems and
Tools for Solving Them
Other Resources
Understanding Group Policy
Group Policy Objects (GPO) are stored
within a given AD domain in two parts
AD – the Group Policy Container (GPC)
SYSVOL – the Group Policy Template
Some policy areas store settings in
both the GPC and GPT; still others use
only the GPC or neither!
The decision is driven by the type of
data needing to be stored
Understanding Group Policy
Structure - the GPC
The GPC stores
general information
about the GPO (e.g.
friendly name, path to
GPT, etc.)
The GPC can be found
in each AD domain
under the cn=Policies,
cn=System container
Each GPC is
referenced by a GPO
Understanding Group Policy
Structure - the GPT
The GPT contains
folders and files related
to storage of the GPO
settings you specify
The GPT is found in
SYSVOL, replicated to
all DCs under the
Policies folder
Like the GPC, the GPT
is organized by GUIDnamed folders,
corresponding to the
GUID of the GPO found
in the GPC
Understanding Group Policy
Structure -GP Versioning
Version numbers are held within both the GPC and
GPC: held in the versionNumber attribute on the GPC
GPT: held in the gpt.ini file in the root of the GPT
Version numbers are incremented:
1 for each machine-specific change
65536 for each user-specific change
In Windows 2000, version numbers must be equal
between GPC & GPT before a client can process a
GPO — AD or FRS replication problems can affect
XP and Server 2003 no longer require this
Understanding Group Policy
Structure -GP Storage
Policy Area
Storage Location
In the GPC under CN=wireless,CN=Windows,
CN=Microsoft,CN=Machine within an object of
class msieee80211-Policy (Server 2003 only)
Folder Redirection
In the GPT, in a file called fdeploy.ini, under
the User\Documents & Settings folder
Administrative Template
In the GPT, in a file called registry.pol in either
the User or Machine folders
Disk Quota
In the GPT, also stored registry.pol but only
under the Machine folder
In the GPT; Startup & Shutdown scripts are
stored in the following folders:
Logon & Logoff scripts are stored in the
following folders
Understanding Group Policy
Structure -GP Storage
Policy Area
Storage Location
Internet Explorer Maintenance
In the GPT, under the folder
In the GPT, within a file called
gptTmpl.inf under the folder
Machine\Microsoft\Windows NT\SecEdit
Software Installation
In both the GPT & GPC; In the GPT
under both the User and Machine
folders in the Applications folder; In the
GPC under the Machine (or User)\Class
Store\Packages container as
packageRegistration objects
Software Restriction Policy
In the GPT, also stored registry.pol
IP Security
Not stored in either GPC or GPT; Stored
in AD under the CN=IP Security,
CN=System container
Understanding Group Policy
Structure -Creating vs. Linking
When you create a GPO — it’s a twostep process
The GPC and GPT are created in the
A GP link is created on the container (site,
domain or OU) that you’re focused on
Thus a single GPO can be linked to
multiple containers
Permissions are set on the GPO but
each link can have different
characteristics (e.g. Enforced)
The Mechanics of Group
Policy Processing
GP Processing is strictly a client-side
Processing is broken into two parts:
GP Core
Client Side Extensions (CSE)
GP Core takes care of figuring out
which GPOs apply and which (CSEs)
need to process
CSEs do the hard work of implementing
policy settings
The Mechanics of Group
Policy Processing
Policy is processed using an order of
1. Local GPOs
2. Site-linked GPOs
3. Domain-linked GPOs
4. OU-linked GPOs
And from bottom to top within a given
The Mechanics of Group
Policy Processing
CSEs are provided by default in Windows
Registered under
GP is extensible by writing your own CSEs —
several third parties have done this
Quest, Full Armor, DesktopStandard
Note that GP processing runs within the
system Winlogon process — poorly written
CSEs can crash Windows
This is changing in Windows Vista!
The Mechanics of Group
Policy Processing
Healthy GP Processing relies on
several infrastructure pieces working in
AD replication
FRS replication
Passing of key network protocols,
including ICMP, LDAP, SMB and RPC
The Mechanics of Group
Policy Processing — Step-byStep
The Steps of GP processing:
Client performs DNS request for LDAP SRV record
of DC(s) in its site
Client binds to DC using normal DC Locator process
Client performs ICMP slow link detection to DC to
determine link speed
Client uses LDAP to build GPO list at OU, domain
and then site containers — determines whether it
has permission to process GPO
The Mechanics of Group
Policy Processing — Step-byStep
Client uses LDAP to query GPC for GPT path, version number
and CSEs that have been implemented
Client uses SMB to query GPT path to get GPT version number
from gpt.ini
Each CSE runs in the order that they’re registered, and
processes the GPOs if the GPO has changed since last
processing cycle (as determined during core processing)
If GPO has changed, CSE processes new settings and then
next CSE runs until completion
Each CSE logs RSoP data to WMI during each refresh
The Mechanics of Group
Policy Processing
There are two kinds of GP processing
Foreground (e.g. during machine startup or
Background (e.g. periodically based on computer
role — DCs every 5 min., workstations and
member servers every 90 min. with randomizer)
Foreground can run asynchronously or
Win2K defaults to synchronous foreground; XP to
asynchronous (probably want to change this!)
Background is asynchronous by definition
The Mechanics of Group
Policy Processing
Certain CSEs won’t process normally for a variety of
Some don’t process if a slow link is detected (e.g.
software installation, folder redirection)
Some don’t process asynchronously (e.g. software
Some process asynchronously but don’t actually do
anything until the next synchronous event (e.g. scripts)
And of course, no CSE will process if the GPO has
not changed since the last processing cycle
This is determined by comparing the GPO version
number to a version number held on the client in its
The Mechanics of Group
Policy Processing-Slow Link
Processes on Slow Link?
Yes (and can’t be disabled)
IP Security
EFS Recovery
Wireless Network
Administrative Templates
Yes (and can’t be disabled)
Folder Redirection
Software Installation
IE Maintenance
Leveraging Group Policy
GP-related Logging is your best tool for
understanding & troubleshooting GP
There are basically two types of logging
Application Event Log on each client
CSE-specific logging
Leveraging Group Policy
Logging —Application Events
Application Events related to Group Policy come
from the following event sources:
Userenv: most GP core events generate this source
Scecli: Security CSE related events
Appmgmt or Application Manager: Software Installation
related events
UserInit: Scripts related events
Folder Redirection: Folder Redirection events
GPMC does a good job of exposing Application
events related to GP
Available through the GP Results wizard
Leveraging Group Policy
Logging —GPMC Application
Event Reporting
Leveraging Group Policy
Logging —Enabling Verbose
All GP related-logging must be explicitly enabled
Application event logging is enabled by default but can be
made more verbose
To enable verbose logging, you’ll need to make
registry changes on each client
I have a custom .ADM that enables all of the available GPrelated logging at http://www.gpoguy.com/tools.htm
Keep in mind that verbose logging has a
performance overhead - disable when not in use
Leveraging Group Policy
Logging —Userenv logging
Userenv logging is the most verbose but also the
most instructive for investigating problems
Log is written to %windir%\debug\usermode\userenv.log
Logs both policy and user profile processing
Can be somewhat arcane to understand but details
each step of the GP processing cycle
If you’re troubleshooting a problem, rename the file
to get a fresh log and then force a GP refresh
Use gpupdate on XP and Server 2003; secedit on Win2K
Leveraging Group Policy
Logging —Userenv.log
Process and thread ID and
Slow link test
GP Logging
GP Problems and Their
Many GP-related problems can be
broken into these categories:
Infrastructure problems (e.g. DNS, FRS,
AD, network)
Misconfiguration problems (incorrect
security filtering, enforced or block
inheritance set, etc.)
Client problems
GP Problems and Their
Solutions —
Infrastructure Problems
ICMP: Slow link detection (SLD) fails — all GP processing fails
as a result
ICMP is required for GP processing. If disabled, or restricted
(SLD requires minimum 2048 byte ICMP packets) then disable
slow link detection via policy at:
“Computer (and User) Configuration|Administrative
Templates|System|Group Policy|Group Policy Slow Link
*Note that this must be disabled for both computer and user
GP Problems and Their
Solutions —
Infrastructure Problems
FRS & SYSVOL: FRS not replicating GPT content to all SYSVOL
shares — files are missing or permissions are wrong across
replicas; GPOs don’t process because version numbers are
wrong (Win2k) or process incorrectly
Make sure problem DC has DFS service running; make sure
SYSVOL is shared — refer to KB articles 257338 and 315457 for
fixing SYSVOL problems; use GPOTool to compare GPTs
across DCs; GPMC can fix permission problems if detected; In
a pinch you can manually copy files between GPTs on DCs; use
Ultrasound to monitor FRS
GP Problems and Their
Solutions —Misconfiguration
GPO permissioned incorrectly or linked to a
container that targets a group rather than
user or computer
Use GPMC GP Results or gpresult commandline tool to see if a GPO is denied or if the
correct GPOs apply; GPOs apply to only
users and computers
GP Problems and Their
Solutions —Misconfiguration
GPOs aren’t applying because Block
Inheritance or Enforced flag is set
Use GPMC to visually see where flags
are set on containers or GP links.
Using GPMC for
GP Problems and Their
Solutions —Client Problems
No GPOs are being processed; errors show unable
to read gpt.ini or other GPT files (specifically
application event log error 1058: “Windows cannot
access the file gpt.ini for GPO” and usually for
computer policy only)
Verify that client computer has TCP/IP Netbios
Helper service running — required to resolve UNC
path to GPT; see KB# 840669 to tell GP processing to
wait for the network stack to initialize
GP Problems and Their
Solutions —Client Problems
Folder Redirection is not working — files
aren’t being redirected for users
Make sure users have proper permission to
create folders if you’re using FR policy to
create the folders on the fly. See KB article #
274443 for required permissions
GP Problems and Their
Solutions —Client Problems
Applications don’t deploy correctly via Software Installation
policy or require multiple restarts or user logons to apply
Make sure you entered a UNC path to the package; Use
addiag.exe (Win2k Reskit) to troubleshoot SI deployment; Make
sure a slow link wasn’t detected; If multiple restarts or user
logons are required, disable Fast Logon Optimization (XP only)
by enabling the following policy:
Computer Configuration|Administrative
Templates|System|Logon|Always wait for the network at
computer startup and logon
Enable verbose Windows Installer and Application Management
“Group Policy
Guide” book
written by myself,
Derek Melber and
William Stanek—
available as part of
the Windows 2003
Resource Kit, 2nd
Edition and
My website: www.gpoguy.com for tools,
FAQs and additional troubleshooting tips
Jeremy Moskowitz’s website:
www.gpanswers.com for a community forum
on GP as well as FAQs and other resources
Microsoft’s GP Wiki site:
Mark Minasi’s Forum (I moderate the GP
forum there) at x220.minasi.com/forum
Technet Group Policy Center:
We invite you to participate in our
online evaluation on CommNet,
accessible Friday only
If you choose to complete the evaluation online,
there is no need to complete the paper evaluation
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.