Verifying Administrative Workstation Settings for Troubleshooting Group Policy
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This topic provides information about ensuring you have the appropriate permissions to administer and troubleshoot Group Policy and provides other tips for setting up your administrative workstation. Before you begin troubleshooting, verify that your computer is configured properly and that Group Policy is set up and running properly.
Settings to Verify Before You Troubleshoot
Verify all of the following items:
Security permissions are configured for administering Group Policy
In order to administer Group Policy, you must have the necessary privileges to use GPMC and the Group Policy Object Editor. You also need privileges to create GPOs or to manage links from a specific site, domain, or OU to GPOs. Control of existing GPOs can be delegated to specific users or groups, so it is possible for an administrator to be able to use GPMC to view GPOs, but not be able to modify, delete, or link them. Use the following guidelines to help ensure that permissions are configured appropriately:
Use Active Directory Users and Computers to verify that the account you are using is a member of a group that has these privileges. (Check the group memberships for the user account, and also verify that the privileges for the group have not been changed.)
Avoid adding the privileges to an individual user account. If necessary, create a new group with a name that clearly indicates its purpose.
Changes to security groups’ memberships or privileges, or to the permissions on Group Policy objects or actions, need to be replicated to domain controllers throughout the system. Until this replication is completed, the changes might be applied unevenly. In rare cases, you might want to force replication.
To see or change the access control lists that affect management of a GPO, open the GPO in GPMC and look at the Delegation tab. The GPO can only be applied by members of groups that have Read permissions. To change the security filters, click Advanced.
The correct domain controller is selected in the Group Policy Object Editor and GPMC
Each domain controller has a copy of every GPO in the domain. The default and best practice is to edit GPOs on the primary domain controller (the PDC Emulator), and allow the changes to replicate to other domain controllers.
If that is not practical due to bandwidth or other issues, administrators can change the domain controller focus for the instances of GPMC that they are using.
If administrators in your organization edit GPOs on different domain controllers, set up processes to avoid conflicting edits to the same GPO. For example, you might delegate editing permissions on individual GPOs to specific users, or to a group that focuses on the same domain controller.
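The permission and domain controller checks in this topic can also be scripted. The following PowerShell is an added example, not part of the original topic: it lists the delegation entries on one GPO that apply to the current logon token, flags edit rights granted directly to user accounts, and compares the GPO's version numbers on every domain controller with the PDC emulator's copy. It assumes the RSAT ActiveDirectory and GroupPolicy modules, which are newer than the Windows Server 2003 tools described here, and a hypothetical GPO name.

```powershell
# Added example; requires the RSAT ActiveDirectory and GroupPolicy modules (assumption).
Import-Module ActiveDirectory, GroupPolicy

$GpoName = 'Example Workstation Policy'   # hypothetical GPO name, replace with yours

# SIDs in the current logon token (the user plus its enabled groups).
$me   = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Read the delegation entries from the PDC emulator, the default editing target.
$pdc   = (Get-ADDomain).PDCEmulator
$perms = Get-GPPermission -Name $GpoName -All -Server $pdc

# Delegation entries that apply to this token, and whether any of them allows editing.
$mine    = @($perms | Where-Object { $sids -contains $_.Trustee.Sid.Value })
$canEdit = @($mine | Where-Object { "$($_.Permission)" -like 'GpoEdit*' }).Count -gt 0
$mine | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Inherited |
    Format-Table -AutoSize | Out-String
"Edit rights on '$GpoName' for $($me.Name): $canEdit"

# Edit rights granted directly to a user account rather than to a group.
$perms | Where-Object { "$($_.Trustee.SidType)" -eq 'User' -and "$($_.Permission)" -like 'GpoEdit*' } |
    ForEach-Object { "Direct user delegation: $($_.Trustee.Name) ($($_.Permission))" }

# Version numbers of the GPO as seen on every domain controller.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $g = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC       = $dc.HostName
            Versions = '{0}/{1}/{2}/{3}' -f $g.User.DSVersion, $g.User.SysvolVersion,
                                          $g.Computer.DSVersion, $g.Computer.SysvolVersion
            Modified = $g.ModificationTime
        }
    } catch {
        [pscustomobject]@{ DC = $dc.HostName; Versions = 'unreachable'; Modified = $null }
    }
}

# Domain controllers whose copy differs from the PDC emulator's have not converged yet.
$baseline = ($report | Where-Object { $_.DC -eq $pdc }).Versions
$report | Select-Object DC, Versions, Modified,
    @{n='MatchesPdc';e={ $_.Versions -eq $baseline }} | Format-Table -AutoSize | Out-String
```

The token check reflects only the groups enabled in the current session, so run it from the same session you use for GPMC. A `MatchesPdc` value of False means that domain controller's copy has not yet converged with the PDC emulator's, either because replication is pending or because the GPO was edited there.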