Professor Windows - May 2002

Troubleshooting Group Policy Issues in Windows 2000

By Yossi Saharon

Reviewed By:

Eyal Doron, Technology Specialist Group Lead, Microsoft Israel

Introduction

Group Policy, part of the IntelliMirror technology suite, is one of the significant management improvements introduced with Windows 2000. You can use Group Policy to centrally configure local, domain, and network security options; define startup, shutdown, logon, and logoff scripts; redirect users' folders to the network; and centrally manage software installation (to a limited extent; it is not a replacement for SMS). It also includes more than 450 registry-based policy settings that can be edited and extended to match your organization's needs.

Although Group Policy is obviously a powerful tool, it depends on the underlying infrastructure: slow or WAN links, Active Directory replication problems, and SYSVOL (File Replication Service) problems all show up as Group Policy problems on the client.

Understanding Group Policy's architecture is key, yet there are many useful tips and tools that can help you with daily maintenance, as well as bail you out of advanced or critical issues.

Before you go on, it's important that you understand how Group Policy works.

To read more about how the Group Policy technologies work, see:

https://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

A Common Troubleshooting Walkthrough

Let's assume the following: you are trying to apply the Default Domain Policy to a remote machine, and it fails. The client receives only a small portion of the settings you defined. The following steps are suggested to resolve this issue:

  1. Which DC applied the GPO to your client? - Run Gpresult.exe (available from the Windows 2000 Resource Kit or from https://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp). The output gives you a lot of valuable information; for this walkthrough, pay attention to the line "Group Policy was applied from servername.domain.com". This tells you the FQDN of the domain controller that served your request and applied the GPO to your client, and it is the DC you should examine in the following steps. Note: Gpresult v2.0 in Windows XP shows additional information that the Windows 2000 version does not; use that version of the tool for richer output.

  2. Do the actual policy files exist on the DC? – Check the SYSVOL Policies folder on the DC that applied the GPO to your client and make sure the policy folder and files for the policy you're troubleshooting are there. Policies are stored in SYSVOL under their GUIDs. There are several ways to determine the GUID of the policy you're troubleshooting; one of the easier ways is to open the GPO's properties from the Active Directory Users and Computers MMC snap-in, where the GUID is shown as the policy's unique name. Then, on the DC, check under \WINNT\SYSVOL\sysvol\domain.com\Policies\{GUID} for the policy files: at minimum a GPT.INI file (which carries the version number) and the MACHINE and USER subfolders. For example, in our walkthrough, the Default Domain Policy GUID is {31B2F340-016D-11D2-945F-00C04FB984F9}. We should look for \WINNT\SYSVOL\sysvol\yosdom.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9} and the appropriate folders and files inside it.

  3. Verify the "health" of your Group Policy files – Run GPOTool.exe (available from the Windows 2000 Resource Kit or from https://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpotool-o.asp). Once you know that the policy files DO exist on the DC that applied them, you can check their validity. Remember that a GPO has two halves that replicate independently: the container object in Active Directory (replicated by AD replication) and the template under SYSVOL (replicated by FRS). GPOTool checks that the two halves agree, including their version numbers, and, when you point it at several DCs, that the DCs agree with each other; a mismatch between the halves is the classic cause of a client receiving only part of a policy. The output of GPOTool.exe should include an OK status for every policy. In our walkthrough, you'd be specifically interested to see the following lines in the output:

    ================================================

    Policy {31B2F340-016D-11D2-945F-00C04FB984F9}

    Policy OK

    ================================================

    This means that your Default Domain Policy files are consistent and "healthy" on that DC.

  4. Turn on replication event logging – You might need to raise the Directory Service diagnostic logging level in the DC's registry so that replication events are written to the Directory Service event log for additional troubleshooting information. To do so, start the registry editor and go to HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics. The value named 5 Replication Events (REG_DWORD) should be 0; change it to 1 to log basic information on replication events. Higher values (up to 5) log progressively more detail and should be set back to 0 when you are done, since verbose logging fills the log quickly.

  5. Force Replication – To get the appropriate events, you must force a replication cycle, either by right-clicking the appropriate connection object in the Active Directory Sites and Services MMC snap-in and choosing "Replicate Now", or by running RepAdmin.exe from the command line with the appropriate switches (for example, repadmin /syncall to synchronize a DC with all of its partners, and repadmin /showreps to show its replication status and the last errors). RepAdmin is part of the Windows 2000 Support Tools, which can be installed from the \SUPPORT\TOOLS folder on a Windows 2000 CD. Note that this forces Active Directory replication only; the SYSVOL half of the policy is replicated by FRS, which the next two steps cover.

  6. Check your FRS subscription information – Use NTFRSUtl.exe (also in the Support Tools) to check the replica set configuration that FRS reads from Active Directory. Run NTFRSUtl.exe DS Servername (where Servername is your DC's name) to dump the subscription and replica set information for that DC, and check the File Replication Service event log on the DC for errors. If no relevant errors are found, or you find some information but want to continue troubleshooting, move on to the FRS database itself.

  7. Check for the NTFRS database file – The FRS database file is located at winnt\ntfrs\jet\ntfrs.jdb. Check that the file exists. If it's not there, or you believe it is defective, stop the File Replication Service (net stop ntfrs), rename the file, and start the service again (net start ntfrs); FRS recreates the database and re-synchronizes the SYSVOL replica set from a partner DC. Do this on one DC at a time, never on all DCs at once, or there is no healthy partner left to synchronize from.
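The following script is added here as an example and is not part of the original column or of the Resource Kit tools. It automates steps 2 and 3 above: for each DC it checks that the GPO's SYSVOL folder and GPT.INI exist, reads the version from GPT.INI, reads the versionNumber attribute of the GPO's Active Directory object from the same DC, and reports per DC whether the two halves agree, which is the consistency check behind GPOTool's "Policy OK". It assumes a domain-joined machine running Windows PowerShell (not available on Windows 2000 itself; run it from a later administrative workstation) with read access to SYSVOL and Active Directory. The domain yosdom.com and the Default Domain Policy GUID are the article's sample values; the DC names dc1 and dc2 are placeholders.

```powershell
# Added example, not from the original column. Cross-checks a GPO's two halves
# (Active Directory container vs. SYSVOL template) on every DC, as GPOTool does.
# Assumptions: Windows PowerShell on a domain-joined admin workstation with read
# access to SYSVOL and AD. Domain and GUID come from the article; DC names are placeholders.
param(
    [string]   $Domain            = 'yosdom.com',
    [string]   $GpoGuid           = '{31B2F340-016D-11D2-945F-00C04FB984F9}',  # Default Domain Policy
    [string[]] $DomainControllers = @('dc1.yosdom.com', 'dc2.yosdom.com')
)

# A GPO version is one 32-bit number: low 16 bits = computer settings version,
# high 16 bits = user settings version. AD and GPT.INI use the same encoding.
function Split-GpoVersion([int64] $Version) {
    [pscustomobject]@{
        Computer = $Version -band 0xFFFF
        User     = [math]::Floor($Version / 65536)
    }
}

# Step 2: does the SYSVOL copy exist on this DC, and what version does GPT.INI carry?
function Get-SysvolVersion([string] $Dc, [string] $Domain, [string] $Guid) {
    $gptIni = "\\$Dc\SYSVOL\$Domain\Policies\$Guid\GPT.INI"
    if (-not (Test-Path -LiteralPath $gptIni)) { return $null }
    foreach ($line in Get-Content -LiteralPath $gptIni) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int64] $Matches[1] }
    }
    return $null   # file present but no Version= line: treat as damaged
}

# Step 3: what version does the AD object (groupPolicyContainer) on this DC carry?
function Get-AdVersion([string] $Dc, [string] $Domain, [string] $Guid) {
    $dn = "CN=$Guid,CN=Policies,CN=System,DC=" + ($Domain -replace '\.', ',DC=')
    try {
        $gpc = [ADSI] "LDAP://$Dc/$dn"
        return [int64] $gpc.versionNumber.Value
    } catch { return $null }   # object not (yet) replicated to this DC
}

$report = foreach ($dc in $DomainControllers) {
    $sysvol = Get-SysvolVersion -Dc $dc -Domain $Domain -Guid $GpoGuid
    $ad     = Get-AdVersion     -Dc $dc -Domain $Domain -Guid $GpoGuid
    $status = if ($null -eq $sysvol)   { 'SYSVOL copy missing or damaged (check FRS)' }
              elseif ($null -eq $ad)   { 'AD object missing (check AD replication)' }
              elseif ($sysvol -ne $ad) { 'Version mismatch: AD and SYSVOL out of sync' }
              else                     { 'Policy OK' }
    $computerVer = $null
    $userVer     = $null
    if ($null -ne $sysvol) {
        $parts       = Split-GpoVersion $sysvol
        $computerVer = $parts.Computer
        $userVer     = $parts.User
    }
    [pscustomobject]@{
        DC              = $dc
        SysvolVersion   = $sysvol
        AdVersion       = $ad
        ComputerVersion = $computerVer
        UserVersion     = $userVer
        Status          = $status
    }
}
$report | Format-Table -AutoSize

# Healthy DCs that disagree with each other mean replication has not converged yet.
$versions = @($report | Where-Object { $_.Status -eq 'Policy OK' } |
              Select-Object -ExpandProperty SysvolVersion -Unique)
if ($versions.Count -gt 1) {
    Write-Warning 'DCs carry different versions of this GPO: force replication (repadmin /syncall) and re-check FRS.'
}
```

Run it against the DC named by Gpresult first, then against all DCs. A "Version mismatch" on the DC that served the client explains a partially applied policy directly; different versions across otherwise healthy DCs point at replication latency rather than at the GPO itself.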

Tips & Tools

Following is a list of tips and tools you should know when troubleshooting Group Policy:

  • Remember the sequence in which policies are applied. Down-level clients (Windows NT 4.0 and Windows 9x) do not process Group Policy at all; they still use legacy System Policy (ntconfig.pol). Windows 2000 and later clients process the Local GPO first, then Site, Domain, and OU policies, with parent OUs before child OUs. The acronym LSDOU is a possible way to remember this sequence.
  • The last policy applied always wins. Policies are cumulative: settings that do not conflict all take effect, and where they do conflict, the setting from the GPO applied last (typically one linked to the OU) wins, unless a higher-level GPO is linked with No Override, in which case it is applied last and cannot be overridden or blocked.
  • There are third-party tools for Windows 2000 that show the Resultant Set of Policy (RSoP), meaning the "effective policy". Since GPOs are cumulative, you often need the effective result rather than the individual GPOs when working out the bottom line for permissions, group membership, and so on. Full Armor has a tool called FAZAM that provides this. In Windows XP and Windows Server 2003, the RSoP capability is built into the OS, through the MMC snap-ins and the Help and Support screens.
  • Try to avoid creating too many policies. A few larger GPOs are better than many GPOs that contain a few settings each; every GPO the client has to process adds time to startup and logon.
  • Try to avoid using the No Override and Block Inheritance options; they make the effective policy much harder to predict and troubleshoot.
  • Use *.ADM files to create your own custom registry-based policies. ADM files are a great way to spread registry settings across your organization and integrate your custom registry-related management tasks into the Group Policy technology. A detailed guide on how to create and manipulate ADM files can be found at: https://www.microsoft.com/Windows2000/techinfo/howitworks/management/rbppaper.asp
  • If you decide to add a new policy to an existing ADM file, define first whether it is a machine policy (CLASS MACHINE, written under HKLM) or a user policy (CLASS USER, written under HKCU).
  • Closely read the exact description of every policy you wish to use. The title of a policy does not always make clear what it really applies to; reading the Explain tab clears things up for many settings.
  • Remember that policies on domain controllers are refreshed every 5 minutes by default, and every 90 minutes (plus a random offset of up to 30 minutes) on workstations and member servers. These intervals are configurable via Group Policy itself. Note that a background refresh reapplies only GPOs whose version number has changed since the last refresh; to reapply everything, force the refresh with the tools below.
  • Use command-line tools to refresh your policies when needed. Windows 2000 uses secedit.exe to refresh machine and user policy (secedit /refreshpolicy machine_policy /enforce and secedit /refreshpolicy user_policy /enforce). Windows XP and later use gpupdate.exe (gpupdate /force) instead.
  • Be careful when applying Group Policy over slow WAN links. When the client detects a slow link (below 500 Kbps by default), not every component behaves the same way:
      • Registry and Security settings are always applied.
      • EFS and IP Security settings are applied by default.
      • Software Installation, Scripts, Folder Redirection, and Disk Quotas are not applied by default over slow links. This behaviour, and the slow-link threshold itself, can be changed per component under Computer Configuration\Administrative Templates\System\Group Policy.
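The precedence rules in the bullets above (LSDOU order, last applied wins, No Override, Block Inheritance) are easy to state and hard to apply by hand once both options are in play. The following model, added here as an example and not part of the original column or of any Microsoft tool, builds the GPO application order the way the client does and then computes which GPO wins each setting. GPO names, setting names and values are constructed for illustration; the scope list is given from the Local GPO down to the innermost OU.

```powershell
# Added example, not from the original column: a model of how the GPO application
# order is built (LSDOU, last writer wins, No Override, Block Inheritance) so the
# effective value of each setting can be predicted. All names and values are constructed.

# A scope lists its linked GPOs in link order (first = highest precedence within the
# scope), each with a NoOverride flag, plus whether the scope blocks inheritance.
function New-Link([string] $Gpo, [bool] $NoOverride = $false) {
    [pscustomobject]@{ Gpo = $Gpo; NoOverride = $NoOverride }
}
function New-Scope([string] $Name, [object[]] $Links, [bool] $BlockInheritance = $false) {
    [pscustomobject]@{ Name = $Name; Links = $Links; BlockInheritance = $BlockInheritance }
}

# Returns the GPO names in the order they are applied (last one wins).
function Get-GpoApplicationOrder([object[]] $Scopes) {
    # Block Inheritance at a container discards non-enforced GPOs linked to its parents.
    # The local GPO (index 0) is not inherited from AD, so it is never blocked.
    $blockedAbove = -1
    for ($i = 0; $i -lt $Scopes.Count; $i++) {
        if ($Scopes[$i].BlockInheritance) { $blockedAbove = $i }
    }
    $normal   = New-Object System.Collections.ArrayList
    $enforced = New-Object System.Collections.ArrayList
    for ($i = 0; $i -lt $Scopes.Count; $i++) {
        $scope     = $Scopes[$i]
        $inherited = ($i -eq 0) -or ($i -ge $blockedAbove)
        # Within one scope, link order 1 must be applied last, so walk the links backwards.
        for ($j = $scope.Links.Count - 1; $j -ge 0; $j--) {
            $link = $scope.Links[$j]
            if (-not $link.NoOverride -and $inherited) { [void] $normal.Add($link.Gpo) }
        }
        foreach ($link in $scope.Links) {
            if ($link.NoOverride) { [void] $enforced.Add($link.Gpo) }
        }
    }
    # No Override GPOs are applied after everything else, highest container last,
    # so an enforced link at the domain beats an enforced link at an OU.
    $enforced.Reverse()
    return @($normal) + @($enforced)
}

# Applies the GPOs in order; for every setting the last GPO that configures it wins.
function Get-EffectiveSettings([hashtable] $Gpos, [string[]] $Order) {
    $effective = @{}
    foreach ($gpo in $Order) {
        foreach ($setting in $Gpos[$gpo].Keys) {
            $effective[$setting] = [pscustomobject]@{ Value = $Gpos[$gpo][$setting]; WinningGpo = $gpo }
        }
    }
    return $effective
}

# Constructed sample: GPO name -> the settings it configures (anything else is Not Configured).
$gpos = @{
    'Local GPO'             = @{ ScreenSaverTimeout = 600 }
    'Site Policy'           = @{ ProxyServer = 'proxy-site:8080' }
    'Default Domain Policy' = @{ ScreenSaverTimeout = 900; RemoveRunMenu = 'Disabled' }
    'Domain Lockdown'       = @{ RemoveRunMenu = 'Enabled' }               # linked with No Override
    'Sales OU Policy'       = @{ ScreenSaverTimeout = 300; RemoveRunMenu = 'Disabled' }
}
$scopes = @(
    (New-Scope 'Local'    @((New-Link 'Local GPO')))
    (New-Scope 'Site'     @((New-Link 'Site Policy')))
    (New-Scope 'Domain'   @((New-Link 'Domain Lockdown' $true), (New-Link 'Default Domain Policy')))
    (New-Scope 'Sales OU' @((New-Link 'Sales OU Policy')) $true)           # Block Inheritance
)

$order = Get-GpoApplicationOrder $scopes
'Application order: ' + ($order -join ' -> ')
$effective = Get-EffectiveSettings $gpos $order
$effective.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{ Setting = $_.Name; Value = $_.Value.Value; WinningGpo = $_.Value.WinningGpo }
} | Format-Table -AutoSize
```

With this sample the order comes out as Local GPO, Sales OU Policy, Domain Lockdown: Block Inheritance on the Sales OU drops the Site Policy and the Default Domain Policy (so ProxyServer is not configured at all), the OU wins ScreenSaverTimeout, but RemoveRunMenu ends up Enabled because the No Override link at the domain is applied after the OU's Disabled. This is exactly the kind of interaction that makes the previous tip about avoiding both options worth following, and the kind of result an RSoP tool shows you on a real client.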

Summary

Understanding the Group Policy client-side extensions along with the server-side mechanism is key to troubleshooting your issues. I tried here to present some useful tips and walkthroughs from my personal experience, which I hope you'll find useful. There's a lot more information out there that you can read on this topic (check out the related links).

Related Links

For any questions or feedback regarding the content of this column, please write to Microsoft TechNet.