Six tips for troubleshooting Group Policy on Windows Server 2003


The power of Group Policy is well known, but so is the fact that its results are often not what you expect. Group Policy is very important to system administrators, and just as much of a headache for them when it goes wrong. The following is a detailed introduction to Group Policy troubleshooting methods.

1. Unexpected results when applying policies to specific users and computers

Suppose you have created a new Group Policy object (GPO), but its settings have not been applied to the target object. Group Policy problems like this are hard to track down. However, Microsoft has released the new Group Policy Management Console (GPMC), which you can download for free. The tool includes a wizard that lets you quickly view the Resultant Set of Policy (RSoP) information for a policy. Figure A shows the RSoP information for a specific user on a particular computer.

Figure A: Administrator RSoP on a server named RAS

As you can see, the Default Domain Policy was rejected by its Windows Management Instrumentation (WMI) filter. This is an important first step in determining where the Group Policy problem lies. In this case, the policy is not applied because the WMI filter specifies that the policy applies only when the user logs on to Windows XP Professional. This particular user is logged on to a Windows Server 2003 computer, so the filter fails. Figure B shows the failure of the GPO application caused by the WMI filter on Windows Server 2003.

Figure B: WMI filter specifies Windows XP Pro

As an alternative, you can use gpresult.exe, a command-line tool from the Windows Server 2003 Resource Kit, to view the details of RSoP operations. Because GPMC is so powerful and easy to use, I won't discuss gpresult.exe in this article.
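A WMI filter passes when its WQL query returns at least one instance on the target machine, so running the query by hand shows why a GPO, and any security settings it carries, is denied there. The following is an added example, not code from the original article; the query text and the function name Test-WmiFilter are assumptions, because the article shows the filter only as a screenshot.

```powershell
# Added example: evaluate a GPO WMI filter query by hand.
# Assumed "Windows XP Professional only" filter; the article does not show
# the actual query text.
$XpProFilter = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP Professional%"'

function Test-WmiFilter {
    param(
        [string]$Query,
        [string]$ComputerName = '.',
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        # The filter passes when the query returns at least one instance.
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query `
                    -ComputerName $ComputerName -ErrorAction Stop)
        $passed = $hits.Count -gt 0
        $detail = "$($hits.Count) instance(s) returned"
    } catch {
        # A query that cannot run is reported here as not passed.
        $passed = $false
        $detail = "query failed: $($_.Exception.Message)"
    }
    # Show what the machine actually reports so the mismatch is visible.
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName `
            -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Computer     = $ComputerName
        OS           = $os.Caption
        Version      = $os.Version
        FilterPassed = $passed
        Detail       = $detail
    }
}

# On a Windows Server 2003 machine this reports FilterPassed = False,
# because the OS caption does not contain "Windows XP Professional".
Test-WmiFilter -Query $XpProFilter | Format-List
```

On PowerShell 3.0 and later, Get-CimInstance with -Query can replace Get-WmiObject.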

2. The policy is applied to a Windows 2000 computer even though it does not pass the WMI filter test

This is an easy problem to solve. WMI filters are only supported under Windows XP and Windows Server 2003 clients. Windows 2000 does not support WMI filters, so policies will be applied anyway.

3. The policy has not been applied to Windows NT or Windows 9x computers

Only computers running Windows 2000 or newer operating systems can use Group Policy. Earlier systems do not support Group Policy.

4. Unable to manage GPOs

Like most other objects, Group Policy objects have security permissions associated with them. If you are having trouble working with a GPO, it may be because you don't have the proper permissions to manage it. To check who has the authority to manage a GPO, take the following steps. Start the Group Policy Management Console and select the GPO under your working domain. Then select the Delegation tab to see the users and groups that are allowed to operate on the GPO.

As shown in Figure C, Authenticated Users can read the GPO. This is useful, because otherwise the policy could not be applied. Beyond that, various other objects have permission to edit, delete, and perform other operations on the GPO.

Figure C: GPO Security Information

To resolve this issue, you need to log in as a user with the ability to modify the GPO. Once logged in, you can modify the GPO to do what you need, or give the original user object the right to change the GPO. Ideally, an administrative user object that lacks rights on a GPO should be added to a group that has permission to modify the GPO, so that the user gets the privilege through the group instead of having it assigned directly to the user object.

5. GPO updates have been applied, but clients have not received them

Suppose you have determined that the computer passes the RSoP test and that the client should be getting the policy settings. If the problem still occurs, there are several possibilities:

First, if you have multiple domain controllers, wait a while so that the policy has enough time to replicate to all domain controllers on the network. Checking too soon can cause problems.

If some time has passed and the new policy settings still have not taken effect, you can use GPOTool to check the replication status. GPOTool reads and compares all Group Policy information from each domain controller. GPOTool can be downloaded from the Microsoft site as part of the Windows Server 2003 Resource Kit. To use the tool, type gpotool at the command prompt. After entering the command, you see output similar to the following:

    C:\Documents and Settings\Administrator>gpotool
    Validating DCs...
    Available DCs:
    Searching for policies...
    Found 2 policies
    ============================================================
    Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
    Friendly name: Default Domain Policy
    Policy OK
    ============================================================
    Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
    Friendly name: Default Domain Controllers Policy
    Policy OK
    ============================================================

In this example, there is a single domain controller and all policy tests pass. GPOTool has some command-line options:

/gpo:GPO[,GPO]…— GPO to check; GUID or GPO name can be specified; default is all GPOs of the current domain;

/domain:name— the domain name of the domain where the GPO is located;

/dc:{domain controller}[,{domain controller}]— a list of domain controller names for processing GPOs;

/checkacl— verify ACL on sysvol on each server;

/verbose— show details during processing;

If there is a problem with replication between domain controllers, fix that problem first and then retry the Group Policy operation. You can try to force replication to determine whether this resolves the GPO problem, but since this can be a long process, this method is not recommended.
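With more than a handful of GPOs, it helps to reduce the gpotool listing to just the policies that did not come back as "Policy OK", since those are the ones whose settings may differ between domain controllers. The following is an added example, not code from the original article; the function name ConvertFrom-GpoToolOutput is hypothetical, and the second sample entry (GUID, name and error line) is constructed, because the article shows only healthy output.

```powershell
# Added example: summarize gpotool output and list the GPOs that need attention.
# $sample is constructed. The first entry mirrors the article's output; the
# second entry's GUID, name and error line are invented placeholders.
$sample = @'
Found 2 policies
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Policy OK
============================================================
Policy {00000000-0000-0000-0000-000000000001}
Friendly name: Example Workstation Lockdown
Error: constructed sample line standing in for a replication fault
============================================================
'@ -split "`r?`n"

function ConvertFrom-GpoToolOutput {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^=+$') {
            # A separator closes the record that precedes it.
            if ($current) { $current }
            $current = $null
        } elseif ($text -match '^Policy\s+(\{[0-9A-Fa-f-]{36}\})$') {
            if ($current) { $current }
            $current = New-Object PSObject -Property @{
                Guid = $Matches[1]; Name = ''; OK = $false; Notes = @()
            }
        } elseif (-not $current -or $text -eq '') {
            continue                      # preamble and blank lines
        } elseif ($text -match '^Friendly name:\s*(.+)$') {
            $current.Name = $Matches[1]
        } elseif ($text -eq 'Policy OK') {
            $current.OK = $true
        } else {
            $current.Notes += $text       # anything else is kept as detail
        }
    }
    if ($current) { $current }
}

# Report only the GPOs that did not come back as "Policy OK".
ConvertFrom-GpoToolOutput $sample |
    Where-Object { -not $_.OK } |
    Select-Object Guid, Name, @{ n = 'Detail'; e = { $_.Notes -join '; ' } }
```

Against a live domain, pass the tool's output instead of the sample: ConvertFrom-GpoToolOutput (gpotool).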

More information about replication and group policies

Group Policy relies on both Active Directory replication and file system replication. Active Directory replication is responsible for replicating the Group Policy container in the directory, including information about which policies are applied to which users and computers. File system replication is used to copy the SYSVOL share, which contains a template for each GPO. Only Active Directory replication can be forced.

Client Group Policy updates

The second potential cause is on the client side: the Group Policy refresh interval. This interval defines how long it takes for a Group Policy change to take effect. By default, Group Policy information is updated on the client computer every 90 minutes (plus or minus 30 minutes). If you need the settings to take effect immediately, note that certain events trigger a Group Policy update:

A user logs on to the computer;

The system starts up;

The gpupdate command is run on the client.

6. GPO is displayed as Empty

If the GPO is displayed as Empty, it means that no policy settings are defined in the GPO. In this case, you have two options. First, you can add some settings to it. Second, you can remove the link between the domain and the GPO: in GPMC, right-click the GPO and clear the Link Enabled option, as shown in Figure D:

Figure D: Remove GPO and Domain Connections

As a complex but very useful service, Group Policy sometimes requires some steps to troubleshoot. Fortunately, there are some off-the-shelf tools that can be used to quickly find most errors, especially with Microsoft's new Group Policy Management Console.
