Troubleshooting Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Troubleshooting

An important part of troubleshooting Group Policy problems is to consider dependencies between components. For example, Group Policy Software Installation relies on Group Policy, and Group Policy relies on Active Directory. Active Directory relies on proper configuration of network services. When trying to fix problems that appear in one component, it is generally helpful to check whether components, services, and resources on which the component relies are working correctly. Event logs are useful for tracking problems that are caused by this type of hierarchical dependency.

What problem are you having?

  • I need to know what policy settings are in effect.

  • I want to refresh policy.

  • I want to check basic network connectivity.

  • I want to enable logging.

  • I need help with the individual Group Policy settings that are included in Administrative Templates.

  • I cannot open a Group Policy object in Group Policy Object Editor even though I have Read access to it.

  • When I try to edit a Group Policy object, I get the "Failed to open the Group Policy object" error.

  • When I try to edit a Group Policy object, I get the "Missing Active Directory Container" error.

  • When I try to edit a Group Policy object, I get the "Snap-in failed to initialize" error.

  • Group Policy is not being applied to users and computers in a security group that contains those users and computers, even though a Group Policy object is linked to an organizational unit that contains that security group.

  • Group Policy is not affecting users and computers in a site, domain, or organizational unit.

  • Group Policy is not affecting users and computers in an Active Directory container.

  • Group Policy is not taking effect on the local computer.

  • Software that you assigned to a computer is not available on the computer.

  • Software that you assigned or published to a user is not available on the user's computer.

  • Published applications do not appear in Add or Remove Programs in Control Panel.

  • Document activation of a published application does not cause the application to install.

  • The user receives an error message such as "The feature you are trying to install cannot be found in the source directory."

  • The user receives an error message such as "This product is not installed" or "Feature ID not registered."

  • After removal of an application, the shortcuts for the application continue to appear on the user's desktop.

  • A user receives an error message such as "Another installation is already in progress."

  • The user opens an already installed application, and Windows Installer starts.

  • A user receives error messages such as "Active Directory will not allow the package to be deployed" or "Cannot prepare package for deployment."

  • When I click one of the Group Policy Software Installation icons in the console tree of Group Policy Object Editor, I get the error message "Snap-in failed to initialize."

  • I accidentally deleted default Group Policy objects.

  • I accidentally deleted the domain controller's Sysvol directory or parts of the Sysvol directory that contain default Group Policy objects.

  • I configured policies and I am now being denied access.

I need to know what policy settings are in effect.

Solution:  To see what policy is in effect, use Resultant Set of Policy (RSoP) or gpresult.

You can also get a report on policy from Help and Support Center by following these steps:

  1. Click the Start button, and then click Help and Support.

  2. Click Support.

  3. Under See Also, click Advanced System Information.

  4. Under Advanced System Information, click View Group Policy settings applied.

The report includes the following:

  • User name and domain

  • Computer name and domain

  • When User Settings and Computer Settings were last applied

  • Folder redirection details

  • Logon, logoff, startup and shutdown scripts

  • Installed software

  • Administrative Templates

  • Security Settings

  • Connection and proxy settings for IE Maintenance

See also:  Resultant Set of Policy; Gpresult

I want to refresh policy.

Solution:  Use gpupdate to refresh policy immediately. With gpupdate you can specify certain options at the command line. Gpupdate replaces and improves on the Windows 2000 command secedit /refreshpolicy. However, some policy items, such as computer-assigned software, require a reboot to take effect. User-assigned software requires the user to log on and log off.

See also:  Gpupdate; Refresh Group Policy immediately

I want to check basic network connectivity.

Solution:  Try to ping a domain controller.

Verify that DNS is working properly.

See also:  Ping; DNS; About Network Connections; Configure a connection to a remote network; Using local area connections; Test a TCP/IP configuration by using the ping command

I want to enable logging.

Solution:  Set a registry key that causes Group Policy diagnostic logging to be written to a file named Userenv.log on the client computer.

You can also set a registry key that enables verbose logging to the event log so that you can see it with Event Viewer.

See also:  Registry Editor; Event Viewer; "Monitoring Group Policy with Log Files" and "Verbose Logging to Event Log" sections in "Troubleshooting Group Policy" at the Microsoft Web site

I need help with the individual Group Policy settings that are included in Administrative Templates.

Solution:  This information is included in Help.

See also:  Administrative Templates included with this version of Windows

I cannot open a Group Policy object in Group Policy Object Editor even though I have Read access to it.

Cause:  As an administrator, you must have Full Control of the Group Policy object to open it in Group Policy Object Editor.

Solution:  Verify that you are a member of a security group with Full Control on the Group Policy object. For example, a domain administrator can manage Active Directory-based Group Policy. An administrator on a computer can edit the local Group Policy object on that computer.

When I try to edit a Group Policy object, I get the "Failed to open the Group Policy object" error.

Cause:  This is usually due to a networking problem, specifically a problem with the Domain Name System (DNS) configuration.

Solution:  Verify that DNS is working properly.

See also:  DNS

When I try to edit a Group Policy object, I get the "Missing Active Directory Container" error.

Cause:  This is caused by Group Policy attempting to link a Group Policy object to an organizational unit that it cannot find. The organizational unit might be deleted, or it might be created on another domain controller but not replicated to the domain controller that you are using.

Solution:  Limit the number of administrators who can make structural changes to Active Directory, or who can edit a Group Policy object, at any one time. Allow changes to replicate before making changes that affect the same organizational unit or Group Policy object.

When I try to edit a Group Policy object, I get the "Snap-in failed to initialize" error.

Cause:  This may happen if Group Policy cannot find framedyn.dll.

Solution:  If you use installation scripts, verify that your scripts place the systemroot\system32\wbem directory in the system path. By default, systemroot\system32\wbem is in the system path already; therefore, you are not likely to encounter this issue if you do not use installation scripts.

Group Policy is not being applied to users and computers in a security group that contains those users and computers, even though a Group Policy object is linked to an organizational unit that contains that security group.

Cause:  This is correct behavior. Group Policy affects only the users and computers that are contained in sites, domains, and organizational units. Group Policy objects are not applied to security groups.

Solution:  Link Group Policy objects to sites, domains, and organizational units only. The location of a security group in Active Directory is unrelated to whether Group Policy applies to the users and computers in that security group.

See also:  Filter the scope of Group Policy according to security group membership

Group Policy is not affecting users and computers in a site, domain, or organizational unit.

Cause:  Group Policy settings can be prevented, intentionally or inadvertently, from affecting users and computers in several ways. A Group Policy object can be disabled so that it does not affect users, computers, or both. It also must be linked directly to an organizational unit that contains the users and computers, or it must be linked to a parent domain or organizational unit, so that the Group Policy settings apply through inheritance.

When multiple Group Policy objects apply, they are processed in this order: local, site, domain, organizational unit. By default, settings that are applied later have precedence. In addition, Group Policy can be blocked at the level of any organizational unit, or it can be enforced through a setting of No Override that is applied to a particular Group Policy object link.

Finally, the user or computer must belong to one or more security groups that have the appropriate permissions set.

Solution:  Do the following:

  • Verify that the intended policy is not being blocked.

  • Verify that no overriding policy that is set at a higher level of Active Directory has been set to No Override.

  • If Block and No Override are both used, No Override takes precedence.

  • Verify that the user or computer is not a member of any security group for which the Apply Group Policy access control entry (ACE) is set to Deny.

  • Verify that the user or computer is a member of at least one security group for which the Apply Group Policy access control entry (ACE) is set to Allow.

  • Verify that the user or computer is a member of at least one security group for which the Read access control entry (ACE) is set to Allow.

See also:  Policy inheritance; Filter the scope of Group Policy according to security group membership
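The checks listed in the Cause and Solution above can be traced through a small model. This is an added example, not Microsoft code: the Link class, the depth numbering, and the GPO and setting names are constructed for illustration. The rule that a No Override link higher in the hierarchy wins over a lower one is an assumption that goes beyond what this page states.

```python
from dataclasses import dataclass

@dataclass
class Link:  # one GPO link; a hypothetical model, not a Windows API
    gpo: str
    depth: int  # 0 local, 1 site, 2 domain, 3+ OUs from parent to child
    settings: dict
    enabled: bool = True
    no_override: bool = False
    allow_apply: frozenset = frozenset({"Authenticated Users"})
    allow_read: frozenset = frozenset({"Authenticated Users"})
    deny_apply: frozenset = frozenset()

def skip_reason(link, groups, block_depth):  # reason string, or None if it applies
    if not link.enabled:
        return "GPO is disabled"
    # Block stops Active Directory links from above the blocking OU.
    if block_depth and 0 < link.depth < block_depth and not link.no_override:
        return "inheritance is blocked"  # No Override links are exempt from Block
    if groups & link.deny_apply:
        return "Apply Group Policy is set to Deny"
    if not groups & link.allow_apply:
        return "no Allow for Apply Group Policy"
    if not groups & link.allow_read:
        return "no Allow for Read"

def resultant(links, groups, block_depth=None):
    """Return (settings, winning GPO per setting, skipped GPOs with reasons)."""
    settings, source, skipped, locked = {}, {}, {}, set()
    for link in sorted(links, key=lambda l: l.depth):  # local, site, domain, OU
        reason = skip_reason(link, set(groups), block_depth)
        if reason:
            skipped[link.gpo] = reason
            continue
        for name, value in link.settings.items():
            if name not in locked:  # later wins unless a No Override link set it
                settings[name], source[name] = value, link.gpo
                if link.no_override:
                    locked.add(name)
    return settings, source, skipped

# Constructed sample; GPO and setting names are made up.
LINKS = [
    Link("Local", 0, {"Wallpaper": "none"}),
    Link("Domain Baseline", 2, {"ScreenLock": 600}, no_override=True),
    Link("Domain Legacy", 2, {"Wallpaper": "corp.bmp"}),
    Link("Sales OU", 3, {"ScreenLock": 1800, "Wallpaper": "sales.bmp"}),
    Link("Kiosk", 3, {"HideRun": 1}, deny_apply=frozenset({"Sales Managers"})),
]
```

For a user in Authenticated Users and Sales Managers with Block set on the OU (block_depth=3), resultant() reports that "Domain Legacy" is blocked, "Kiosk" is denied, and the No Override value of ScreenLock from "Domain Baseline" survives the OU-level setting.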

Group Policy is not affecting users and computers in an Active Directory container.

Cause:  Group Policy objects cannot be linked to Active Directory containers other than sites, domains, and organizational units.

Solution:  Link a Group Policy object to an organizational unit that is a parent to the Active Directory container. Then, by default, those settings are applied to the users and computers in the container through inheritance.

See also:  Filter the scope of Group Policy according to security group membership

Group Policy is not taking effect on the local computer.

Cause:  Local policies are the weakest. Any Active Directory-based policy can overwrite them.

Solution:  Check which Group Policy objects are being applied through Active Directory and whether those Group Policy objects have settings that conflict with the local settings.

Software that you assigned to a computer is not available on the computer.

Cause:  The client computer has not been restarted.

Solution:   Restart the client computer.

Software that you assigned or published to a user is not available on the user's computer.

Cause:  The user has not logged off and then logged on.

Solution:   Have the user log off and then log on.

Published applications do not appear in Add or Remove Programs in Control Panel.

Cause:  Several causes are possible:

  • Group Policy is not applied.

  • Active Directory cannot be accessed.

  • Users do not have any published applications in the Group Policy objects that apply to them.

  • The client is running Terminal Server.

Solution:  Investigate each possibility in turn. Note that Group Policy Software Installation is not supported for Terminal Server clients.

Document activation of a published application does not cause the application to install.

Cause:  As an administrator, you did not set autoinstall.

Solution:  Set autoinstall.

See also:  Set the autoinstall option for an application

The user receives an error message such as "The feature you are trying to install cannot be found in the source directory."

Cause:  This could be caused by network or permissions problems.

Solution:  Verify that the network is working correctly.

See also:  Set permissions for Group Policy Software Installation

The user receives an error message such as "This product is not installed" or "Feature ID not registered."

Cause:  This could be caused by a user with a roaming user profile logging on to two computers simultaneously, which is an unsupported use of roaming user profiles.

Solution:  Have the user log off one computer before logging on to another. That way, the application shortcuts will be updated and valid on the second computer, and they will not give error messages.

After removal of an application, the shortcuts for the application continue to appear on the user's desktop.

Cause:  The user has created shortcuts, and Windows Installer does not recognize them.

Solution:  The user must remove the shortcuts manually.

A user receives an error message such as "Another installation is already in progress."

Cause: An uninstallation might be taking place in the background, with no user interface presented to the user, or perhaps the user has inadvertently triggered two installations simultaneously, which is not supported.

Solution:  The user can try again later.

The user opens an already installed application, and Windows Installer starts.

Cause:  An application might be undergoing automatic repair, or a user-required feature is being added.

Solution:  No action is required.

A user receives error messages such as "Active Directory will not allow the package to be deployed" or "Cannot prepare package for deployment."

Cause:  The package might be corrupted, or there might be a networking problem.

Solution:  Use an uncorrupted package. Investigate the possibility of network problems and take appropriate action.

When I click one of the Group Policy Software Installation icons in the console tree of Group Policy Object Editor, I get the error message "Snap-in failed to initialize."

Cause:  This may happen if Group Policy Software Installation cannot find framedyn.dll.

Solution:  If you use installation scripts, verify that your scripts place the systemroot\system32\wbem directory in the system path. By default, systemroot\system32\wbem is in the system path already; therefore, you are not likely to encounter this issue if you do not use installation scripts.

I accidentally deleted default Group Policy objects.

Cause:   This can happen when you delete Group Policy objects from Active Directory Users and Computers.

Solution:   Use dcgpofix to restore default Group Policy objects to their original state.

See also:  Dcgpofix

I accidentally deleted the domain controller's Sysvol directory or parts of the Sysvol directory that contain default Group Policy objects.

Cause:   This can happen when you delete directories from the system root.

Solution:   Restore the Sysvol directory. Use the Dcgpofix command-line tool to restore default Group Policy objects to their original state. It is very important to back up the Sysvol directory with a regularly scheduled backup procedure.

See also:  Dcgpofix

I configured policies and I am now being denied access.

Cause:   This can happen in default Group Policy objects when setting File system security policy on the Sysvol directory or setting excessive security for domain administrator policies.

Solution:  Log on as Administrator and use the Dcgpofix command-line tool to restore default domain and domain controller Group Policy objects to their original state.

See also:  Dcgpofix