Group Policy Quick Fixes
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This topic provides tips for quickly addressing common Group Policy problems. Problems with the application of Group Policy often involve the technologies on which Group Policy depends, or implementation errors.
This section provides a summary of the most common Group Policy problems and the solutions to those problems. You can use the information in this section to resolve problems in the same way you would use a FAQ to find answers to common questions. Read this section before you begin any advanced troubleshooting.
Common Group Policy Problems
Listed below are common Group Policy problems and quick fixes:
I want Group Policy changes to be applied immediately.
Sometimes you may want to see the effect of a Group Policy change without having to wait for the default refresh intervals (90 minutes for domain members and 5 minutes for domain controllers). To see the effect of Group Policy immediately, open a command prompt and run GPUPdate. To force GPOs to reapply even if they have not changed, at a command prompt type gpupdate /force. To see other parameters, type gpupdate /?.
To run gpupdate /force automatically, click the Fix this problem link. Then, click Run in the File Download dialog box.
|This wizard may be in English only; however, the automatic fix also works for other language versions of Windows.|
|If you are not on the computer that has the problem, save the automatic fix to a flash drive or to a CD so that you can run it on the computer that has the problem. If you do not want to use the automatic fix, you can do it yourself by performing the steps in the procedure above.|
Some policy areas are missing when I open up the Group Policy Object Editor.
Each area of Group Policy functionality is implemented by a Microsoft Management Console snap-in DLL that is registered by default. For example, Administrative Templates and Scripts use gptext.dll, folder redirection uses fde.dll, and Security Settings uses wsecedit.dll. If these DLLs are un-registered or removed, the underlying Group Policy editing functionality that they implement will not appear in the Group Policy Object Editor.
To resolve this issue, you need to re-register the appropriate MMC snap-in DLL that implements the missing functionality.To reregister MMC snap-in DLLs
Open a command prompt.
Type the following command: regsvr32 snap-inDLLname
By default, you can find all of the MMC snap-in DLLs related to Group Policy in %systemroot%\system32.
Some settings are missing in the Group Policy Object Editor.
Administrative Templates can contain both true policies and preferences, but by default the Group Policy Object Editor exposes only true policies. To show all possible settings, you need to expose preferences in the Group Policy Object Editor.To expose preferences in the Group Policy Object Editor
Highlight the Administrative Templates node for which you want to see preferences.
On the View menu, click Filtering, and then clear the Only show policy settings that can be fully managed check box.
Some policies are not applied over dial-up connections.
By default, certain Group Policies are not applied to users who connect to your network over dial-up connections. If you want to make sure that users receive all Group Policies regardless of the speed of their connection, you can change the definition of what counts as a slow link. The default setting for this is 500 Kbps or less, which means that anybody who accesses your network with a connection that is 500 Kbps or slower might not receive all GPOs intended for them. To change the Group Policy settings that define a slow link, modify the following settings:
For users: Click User Configuration, click Administrative Templates, click System, click Group Policy, and then click Group Policy Slow Link Detection.
For computers: Click Computer Configuration, click Administrative Templates, click System, click Group Policy, and then click Group Policy Slow Link Detection.
|If a user connects to the network with cached credentials, Group Policy is not processed. To ensure that Group Policy is applied over a slow link, the user must select the Logon using dialup connection check box in the Windows Logon dialog box.|
Security Options are not applied.
The following Security options are only processed if they are applied at the domain level:
Network Security: Force logoff when logon hours expire
Accounts: Administrator account status
Accounts: Guest account status
Accounts: Rename administrator account
Accounts: Rename guest account
If these Security Options are configured at the site or OU level they are ignored. You need to configure these Security Options at the domain level.
Account Policies are not applied for domain users.
Account Policies are only processed for domain user accounts if they are applied at the Domain level. Account Policies configured elsewhere, such as at the Site or OU level, are ignored. All settings found under Account Policies under Security Settings in Group Policy should only be configured at the domain level. If you are having trouble applying a Security Setting that is found under Account Policies, ensure that you have configured the setting only at the domain level.