If you are having problems with the default GPOs that are created in
every new domain, this tool might be helpful. The two default GPOs,
Default Domain Policy and Default Domain Controller Policy, are
essential for configuring account policies, security settings, and
domain controller user rights in the enterprise. If these GPOs become
corrupted or misconfigured, they can be set back to their default settings
by using the Dcgpofix tool.
Dcgpofix is an easy-to-use tool included with Windows Server 2008 that
reports the results for each GPO it recovers. You can restore
the Default Domain Policy or the Default Domain Controller Policy
individually, or you can restore both to their original settings.
Warning: If you have made any changes to these two GPOs after the initial
installation of the domain, the changes that you made will be lost.
One potential concern with running this tool is the version of the
Active Directory schema. Microsoft Windows Server 2003 and Windows
Server 2008 domains have different schema versions, and Active Directory
checks that version closely whenever something that interfaces with
Active Directory is not using the expected schema version. By specifying
the /ignoreschema parameter, you can enable Dcgpofix.exe to work with
different versions of Active Directory. However, the default policy
objects might then not be restored to their original state. To ensure
compatibility, use the version of Dcgpofix.exe that is installed with
the current operating system and service pack.
The tool syntax is very simple and straightforward:
dcgpofix [/ignoreschema] [/target: {domain | dc | both}]
The parameters for the command are as follows:
/ignoreschema
    This optional switch ignores the Active Directory schema version number.
/target: {domain | dc | both}
    This optional switch specifies the target: the domain policy, the domain
    controller policy, or both. If you do not specify /target, dcgpofix uses
    both by default.
You can find Dcgpofix.exe in the C:\Windows\System32 folder of a
domain controller running Windows Server 2008. Before the tool runs, it
checks the schema version to ensure compatibility of the operating
system with the GPOs that you want to replace. You must be a domain
administrator or an enterprise administrator to use this tool.
The following extension settings are maintained in a default Group
Policy object: Remote Installation Services (RIS), security settings,
and Encrypting File System (EFS).
The following extension settings are not maintained or restored in a
default Group Policy object: software installation, Internet Explorer
maintenance, scripts, folder redirection, and administrative templates.
The following changes are not maintained or restored in a default Group
Policy object: security settings made by Microsoft Exchange 2000 Setup,
security settings migrated to default Group Policy during an upgrade
from Microsoft Windows NT to Windows 2000, and policy object changes
made through Systems Management Server (SMS).
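Because Dcgpofix discards every change made to the two default GPOs since the domain was created, and does not carry over scripts, folder redirection, software installation, or administrative template settings, a practitioner will want a recorded, restorable copy of both objects before running it. The following PowerShell script is an added example, not part of the original text or of the Dcgpofix tool: it backs up both default GPOs, saves an XML report of each, flags any settings of the kinds listed above that the reset will not restore, runs dcgpofix with the syntax shown earlier, and then reports the new version numbers. It assumes the GroupPolicy cmdlet module (shipped with GPMC on Windows Server 2008 R2 and later) is available, uses a constructed backup path, uses the object's actual display name "Default Domain Controllers Policy", and the extension type names it searches for in the report XML are assumptions about the GPMC report schema.

```powershell
# Added example (not from the original text or the Dcgpofix tool): back up the two
# default GPOs, record which settings dcgpofix will NOT restore, then reset and verify.
# Assumes the GroupPolicy module is available; the backup path is a constructed placeholder.
Import-Module GroupPolicy

$BackupRoot  = 'C:\GPOBackups\PreDcgpofix'            # assumed path, change as needed
$DefaultGpos = @('Default Domain Policy', 'Default Domain Controllers Policy')

# Extension types that dcgpofix does not carry over, keyed by the xsi:type name
# expected in the Get-GPOReport XML (names are an assumption about the report schema).
$NotRestored = @{
    'SoftwareInstallationSettings' = 'software installation'
    'ScriptsSettings'              = 'scripts'
    'FolderRedirectionSettings'    = 'folder redirection'
    'RegistrySettings'             = 'administrative templates'
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

foreach ($name in $DefaultGpos) {
    $gpo = Get-GPO -Name $name -ErrorAction Stop

    # 1. Full backup: the pre-reset state can later be put back with Restore-GPO.
    $backup = Backup-GPO -Guid $gpo.Id -Path $BackupRoot -Comment "Pre-dcgpofix $(Get-Date -Format s)"
    Write-Host "Backed up '$name' (GPO $($gpo.Id)) as backup $($backup.Id)"

    # 2. Readable report, plus a warning for each setting class the reset will drop.
    $xmlPath = Join-Path $BackupRoot (($name -replace '\s', '_') + '.xml')
    Get-GPOReport -Guid $gpo.Id -ReportType Xml -Path $xmlPath
    $report = Get-Content -Path $xmlPath -Raw

    foreach ($type in $NotRestored.Keys) {
        if ($report -match ('xsi:type="[^"]*' + $type + '"')) {
            Write-Warning ("'{0}' contains {1} settings; dcgpofix will not restore them. " +
                           "Re-apply them from {2} after the reset.") -f $name, $NotRestored[$type], $xmlPath
        }
    }
}

# 3. Only now reset. /target:both is the default; restrict to /target:domain or
#    /target:dc when only one object is damaged. dcgpofix asks for confirmation.
& "$env:SystemRoot\System32\dcgpofix.exe" /target:both

# 4. Verify: the reset produces new AD and Sysvol version numbers on each object.
foreach ($name in $DefaultGpos) {
    $gpo = Get-GPO -Name $name
    '{0}: AD version {1}, Sysvol version {2}, modified {3}' -f `
        $name, $gpo.Computer.DSVersion, $gpo.Computer.SysvolVersion, $gpo.ModificationTime
}
```

Run it from an elevated PowerShell session on a domain controller as a domain or enterprise administrator, which is the same requirement the tool itself imposes. Keep the backup folder on a volume outside Sysvol so the copy is not affected by the replication that follows the reset.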
By far one of the most complex and sophisticated mechanisms in
Active Directory is a GPO. Possibly the only thing more complex than a
GPO is the logging associated with the GPOs. GPMonitor is designed to
help centralize reports created from the GPOs on a computer.
GPMonitor is part of the Microsoft Windows Server 2003 Resource Kit Tools and can be downloaded free from Microsoft at http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96eeb18c4790cffd&displaylang=en.
GPMonitor sends information back to the centralized share when a
refresh or a forced update to a GPO occurs on the target computer. When
the information is sent back to the centralized share, it is stored in
files that can then be queried. The querying occurs with the GPMonitor
interface.
GPMonitor works by running on the computers that will store their
information in the centralized share. The configuration of the
GPMonitor service and settings is controlled by a GPO. When you install
the GPMonitor service, you are provided with a GPMonitor.adm template.
This template is imported into a GPO at the Active Directory level to
target computers in the domain. The GPMonitor.adm template configures
the following settings:
- UNC path to centralized share. This is the server and share where all of
  the GPO information is stored. You can have different paths for different
  types of computers on the network, or they can all share the same shared
  folder.
- Refresh interval. This indicates how often the GPMonitor service will
  update the information stored in the share. By default, this is set to
  every eight refreshes. You can adjust the frequency down to every refresh
  if the server holding the share can store all of the information from all
  members.