Understanding and Troubleshooting Group Policy Function
Darren Mar-Elia
CTO, Infrastructure Management, Quest Software
MS-MVP for Group Policy
Agenda
Understanding Group Policy Structure
The Mechanics of Group Policy Processing
Leveraging Group Policy Logging
The Top Group Policy Problems and Tools for Solving Them
Other Resources
Q & A
Understanding Group Policy Structure
Group Policy Objects (GPO) are stored within a given AD domain in two parts:
AD – the Group Policy Container (GPC)
SYSVOL – the Group Policy Template (GPT)
Some policy areas store settings in both the GPC and GPT; still others use only the GPC or neither!
The decision is driven by the type of data needing to be stored
Understanding Group Policy Structure - the GPC
The GPC stores general information about the GPO (e.g. friendly name, path to GPT, etc.)
The GPC can be found in each AD domain under the cn=Policies, cn=System container
Each GPC is referenced by a GPO GUID
Understanding Group Policy Structure - the GPT
The GPT contains folders and files related to storage of the GPO settings you specify
The GPT is found in SYSVOL, replicated to all DCs under the Policies folder
Like the GPC, the GPT is organized by GUID-named folders, corresponding to the GUID of the GPO found in the GPC
Understanding Group Policy Structure - GP Versioning
Version numbers are held within both the GPC and GPT
GPC: held in the versionNumber attribute on the GPC object
GPT: held in the gpt.ini file in the root of the GPT
Version numbers are incremented:
1 for each machine-specific change
65536 for each user-specific change
In Windows 2000, version numbers must be equal between GPC & GPT before a client can process a GPO — AD or FRS replication problems can affect this
XP and Server 2003 no longer require this
Understanding Group Policy Structure - GP Storage
Policy Area: Storage Location
Wireless: In the GPC under CN=wireless,CN=Windows,CN=Microsoft,CN=Machine within an object of class msieee80211-Policy (Server 2003 only)
Folder Redirection: In the GPT, in a file called fdeploy.ini, under the User\Documents & Settings folder
Administrative Template: In the GPT, in a file called registry.pol in either the User or Machine folders
Disk Quota: In the GPT, also stored in registry.pol, but only under the Machine folder
Scripts: In the GPT; Startup & Shutdown scripts are stored in the following folders:
machine\scripts\startup
machine\scripts\shutdown
Logon & Logoff scripts are stored in the following folders:
user\scripts\logon
user\scripts\logoff
Understanding Group Policy Structure - GP Storage (continued)
Policy Area: Storage Location
Internet Explorer Maintenance: In the GPT, under the folder \User\Microsoft\IEAK
Security: In the GPT, within a file called gptTmpl.inf under the folder Machine\Microsoft\Windows NT\SecEdit
Software Installation: In both the GPT & GPC; in the GPT under both the User and Machine folders in the Applications folder; in the GPC under the Machine (or User)\Class Store\Packages container as packageRegistration objects
Software Restriction Policy: In the GPT, also stored in registry.pol
IP Security: Not stored in either GPC or GPT; stored in AD under the CN=IP Security, CN=System container
Understanding Group Policy Structure - Creating vs. Linking
When you create a GPO — it’s a two-step process:
The GPC and GPT are created in the domain
A GP link is created on the container (site, domain or OU) that you’re focused on
Thus a single GPO can be linked to multiple containers
Permissions are set on the GPO but each link can have different characteristics (e.g. Enforced)
The Mechanics of Group Policy Processing
GP Processing is strictly a client-side operation
Processing is broken into two parts:
GP Core
Client Side Extensions (CSE)
GP Core takes care of figuring out which GPOs apply and which CSEs need to process
CSEs do the hard work of implementing policy settings
The Mechanics of Group Policy Processing
Policy is processed using an order of precedence:
1. Local GPOs
2. Site-linked GPOs
3. Domain-linked GPOs
4. OU-linked GPOs
And from bottom to top within a given container
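The following is an added example, not code from the presentation: a model of the LSDOU order above, extended with the Enforced link flag and Block Inheritance container flag that the Creating vs. Linking and Misconfiguration slides mention, so you can predict which GPO wins when the same setting is defined several times. Container and GPO names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added example (not the presentation's own code): LSDOU precedence with
# Enforced and Block Inheritance. All names below are constructed.


@dataclass
class Link:
    gpo: str
    enforced: bool = False


@dataclass
class Container:
    name: str
    # index 0 is link order 1, i.e. the top of the GPMC "Linked GPOs" list
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def apply_order(local_gpo: str, chain: List[Container]) -> List[str]:
    """Return GPO names in the order the client applies them; the last one wins.

    chain is site, then domain, then OUs from the domain root down to the OU
    holding the user or computer (the S, D and OU of LSDOU).
    """
    # Block Inheritance on a container discards the non-enforced links of every
    # container above it; only the innermost such flag matters.
    innermost_block = max(
        (i for i, c in enumerate(chain) if c.block_inheritance), default=-1
    )
    order = [local_gpo]  # local GPO first; modelled here as never blocked
    for i, container in enumerate(chain):
        if i < innermost_block:
            continue
        # "from bottom to top within a given container": highest link order first
        for link in reversed(container.links):
            if not link.enforced:
                order.append(link.gpo)
    # Enforced links ignore Block Inheritance and run after everything else,
    # innermost container first, so the enforced link on the highest container
    # is applied last and therefore wins.
    for container in reversed(chain):
        for link in reversed(container.links):
            if link.enforced:
                order.append(link.gpo)
    return order


def effective_value(order: List[str], settings: Dict[str, str]) -> Optional[str]:
    """Value of one setting taken from the last GPO in the apply order that defines it."""
    winner = None
    for gpo in order:
        if gpo in settings:
            winner = settings[gpo]
    return winner


# Constructed scenario: a Sales OU that blocks inheritance, an enforced link on
# the domain, and an enforced link on a child OU.
CHAIN = [
    Container("Site: HQ", [Link("SiteGPO")]),
    Container("Domain: corp.example", [Link("DefaultDomain", enforced=True), Link("DomainBase")]),
    Container("OU: Sales", [Link("SalesA"), Link("SalesB")], block_inheritance=True),
    Container("OU: Sales/West", [Link("WestLockdown", enforced=True)]),
]

if __name__ == "__main__":
    order = apply_order("LocalGPO", CHAIN)
    print("apply order:", " -> ".join(order))
    # The same timeout set in three GPOs: the enforced domain link has the final say.
    print("timeout:", effective_value(order, {"SalesA": "600", "WestLockdown": "300", "DefaultDomain": "900"}))
```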
The Mechanics of Group Policy Processing
CSEs are provided by default in Windows
Registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
GP is extensible by writing your own CSEs — several third parties have done this
Quest, Full Armor, DesktopStandard
Note that GP processing runs within the system Winlogon process — poorly written CSEs can crash Windows
This is changing in Windows Vista!
The Mechanics of Group Policy Processing
Healthy GP Processing relies on several infrastructure pieces working in concert:
AD replication
DNS
FRS replication
Passing of key network protocols, including ICMP, LDAP, SMB and RPC
The Mechanics of Group Policy Processing — Step-by-Step
The Steps of GP processing:
1. Client performs DNS request for LDAP SRV record of DC(s) in its site
2. Client binds to DC using normal DC Locator process
3. Client performs ICMP slow link detection to DC to determine link speed
4. Client uses LDAP to build GPO list at OU, domain and then site containers — determines whether it has permission to process GPO
The Mechanics of Group Policy Processing — Step-by-Step (continued)
5. Client uses LDAP to query GPC for GPT path, version number and CSEs that have been implemented
6. Client uses SMB to query GPT path to get GPT version number from gpt.ini
7. Each CSE runs in the order that they’re registered, and processes the GPOs if the GPO has changed since last processing cycle (as determined during core processing)
8. If GPO has changed, CSE processes new settings and then next CSE runs until completion
9. Each CSE logs RSoP data to WMI during each refresh
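An added example, not code from the presentation, covering both the GP Versioning slide and steps 5 and 6 above: it decodes a GPO version number into its machine and user halves and compares the GPC value (versionNumber in AD) with the GPT value (Version= in gpt.ini) the way a client does. The versionNumber value and the gpt.ini text are constructed samples.

```python
import configparser
from typing import Dict, List, Tuple

# Added example (not the presentation's own code): GPC-versus-GPT version check.
USER_STEP = 65536  # one user-side change adds 65536; one machine-side change adds 1


def split_version(version: int) -> Tuple[int, int]:
    """Split a GPO version number into (machine_version, user_version)."""
    return version % USER_STEP, version // USER_STEP


def gpt_version(gpt_ini_text: str) -> int:
    """Read Version= from the [General] section of a GPT's gpt.ini."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return int(parser["General"]["Version"])


def compare_versions(gpc_version: int, gpt_ini_text: str) -> Dict[str, object]:
    """Report whether the AD (GPC) and SYSVOL (GPT) halves of a GPO agree.

    On Windows 2000 a mismatch stops the client from processing the GPO at all;
    on XP and Server 2003 it still tells you that replication has not caught up.
    """
    gpc_machine, gpc_user = split_version(gpc_version)
    gpt_machine, gpt_user = split_version(gpt_version(gpt_ini_text))
    stale: List[str] = []
    if gpc_machine != gpt_machine:
        stale.append("machine")
    if gpc_user != gpt_user:
        stale.append("user")
    return {
        "gpc": (gpc_machine, gpc_user),
        "gpt": (gpt_machine, gpt_user),
        "in_sync": not stale,
        "stale_sides": stale,
    }


# Constructed sample: AD records two machine and two user changes, but the
# SYSVOL replica this client reached still shows only one machine change,
# which is what AD or FRS replication lag looks like.
GPC_VERSION_NUMBER = 2 * USER_STEP + 2  # 131074
GPT_INI = """[General]
Version=131073
displayName=Sales Lockdown
"""

if __name__ == "__main__":
    print(compare_versions(GPC_VERSION_NUMBER, GPT_INI))
```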
The Mechanics of Group Policy Processing
There are two kinds of GP processing:
Foreground (e.g. during machine startup or logon)
Background (e.g. periodically based on computer role — DCs every 5 min., workstations and member servers every 90 min. with randomizer)
Foreground can run asynchronously or synchronously
Win2K defaults to synchronous foreground; XP to asynchronous (probably want to change this!)
Background is asynchronous by definition
The Mechanics of Group Policy Processing
Certain CSEs won’t process normally for a variety of reasons
Some don’t process if a slow link is detected (e.g. software installation, folder redirection)
Some don’t process asynchronously (e.g. software installation)
Some process asynchronously but don’t actually do anything until the next synchronous event (e.g. scripts)
And of course, no CSE will process if the GPO has not changed since the last processing cycle
This is determined by comparing the GPO version number to a version number held on the client in its registry
The Mechanics of Group Policy Processing - Slow Link Detection
CSE: Processes on Slow Link?
Security: Yes (and can’t be disabled)
IP Security: Yes
EFS Recovery: Yes
Wireless Network: Yes
Administrative Templates: Yes (and can’t be disabled)
Scripts: No
Folder Redirection: No
Software Installation: No
IE Maintenance: Yes
Leveraging Group Policy Logging
GP-related logging is your best tool for understanding & troubleshooting GP operation
There are basically two types of logging events:
Application Event Log on each client
CSE-specific logging
Leveraging Group Policy Logging — Application Events
Application Events related to Group Policy come from the following event sources:
Userenv: most GP core events generate this source
Scecli: Security CSE related events
Appmgmt or Application Manager: Software Installation related events
UserInit: Scripts related events
Folder Redirection: Folder Redirection events
GPMC does a good job of exposing Application events related to GP
Available through the GP Results wizard
Leveraging Group Policy Logging — GPMC Application Event Reporting
Leveraging Group Policy Logging — Enabling Verbose Logging
All GP-related logging must be explicitly enabled
Application event logging is enabled by default but can be made more verbose
To enable verbose logging, you’ll need to make registry changes on each client
I have a custom .ADM that enables all of the available GP-related logging at http://www.gpoguy.com/tools.htm
Keep in mind that verbose logging has a performance overhead - disable when not in use
Leveraging Group Policy Logging — Userenv logging
Userenv logging is the most verbose but also the most instructive for investigating problems
Log is written to %windir%\debug\usermode\userenv.log
Logs both policy and user profile processing
Can be somewhat arcane to understand but details each step of the GP processing cycle
If you’re troubleshooting a problem, rename the file to get a fresh log and then force a GP refresh
Use gpupdate on XP and Server 2003; secedit on Win2K
Leveraging Group Policy Logging — Userenv.log
[Slide shows an annotated userenv.log excerpt; callouts mark the process and thread ID and timestamp, and the slow link test]
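An added example, not code from the presentation: a small parser for the line shape the slide's callouts point at (process and thread ID, timestamp, then the processing step), pulling out what a troubleshooter scans a fresh userenv.log for: the thread that did the work, how long the cycle took, whether the slow link test fired, which extensions were skipped and which steps failed. The assumed line shape is USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>: <message>; every log line below is constructed to illustrate that shape, not a real capture.

```python
import re
from typing import Dict, List, Optional

# Added example (not the presentation's own code). Assumed line shape:
#   USERENV(<pid>.<tid>) HH:MM:SS:mmm <Function>: <message>
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<func>[^:]+):\s*(?P<msg>.*)$"
)

# Constructed sample log (message wording is illustrative, not a verbatim capture).
SAMPLE_LOG = """
USERENV(1d8.2a4) 10:22:13:234 ProcessGPOs: Starting computer Group Policy (Background) processing...
USERENV(1d8.2a4) 10:22:13:250 PingComputer: First time: 2000
USERENV(1d8.2a4) 10:22:13:265 ProcessGPOs: Slow link detected, link speed below threshold
USERENV(1d8.2a4) 10:22:13:281 ProcessGPOs: Found machine GPO(s) to process
USERENV(1d8.2a4) 10:22:13:296 ProcessGPOs: Extension Folder Redirection skipped because of slow link
USERENV(1d8.2a4) 10:22:13:312 ProcessGPOs: Failed to read gpt.ini for GPO {11111111-2222-3333-4444-555555555555}
USERENV(1d8.2a4) 10:22:13:343 ProcessGPOs: Computer Group Policy has been applied.
a line the parser cannot understand
"""


def to_millis(hhmmssmmm: str) -> int:
    """Convert the HH:MM:SS:mmm timestamp to milliseconds since midnight."""
    h, m, s, ms = (int(part) for part in hhmmssmmm.split(":"))
    return ((h * 60 + m) * 60 + s) * 1000 + ms


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return pid, tid, time, func and msg for one log line, or None if it does not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def summarize(log_text: str) -> Dict[str, object]:
    """Pull out the facts a troubleshooter reads a fresh userenv.log for."""
    entries: List[Dict[str, str]] = []
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            unparsed += 1
        else:
            entries.append(entry)
    lowered = [(e, e["msg"].lower()) for e in entries]
    return {
        "threads": sorted({(e["pid"], e["tid"]) for e in entries}),
        "elapsed_ms": to_millis(entries[-1]["time"]) - to_millis(entries[0]["time"]) if entries else 0,
        "slow_link": any("slow link detected" in msg for _, msg in lowered),
        "skipped_cses": [e["msg"] for e, msg in lowered if "skipped" in msg],
        "failures": [e["msg"] for e, msg in lowered if "fail" in msg],
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```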
GP Problems and Their Solutions
Many GP-related problems can be broken into these categories:
Infrastructure problems (e.g. DNS, FRS, AD, network)
Misconfiguration problems (incorrect security filtering, enforced or block inheritance set, etc.)
Client problems
GP Problems and Their Solutions — Infrastructure Problems
Problem
ICMP: Slow link detection (SLD) fails — all GP processing fails as a result
Solution
ICMP is required for GP processing. If disabled, or restricted (SLD requires minimum 2048 byte ICMP packets) then disable slow link detection via policy at:
“Computer (and User) Configuration|Administrative Templates|System|Group Policy|Group Policy Slow Link Detection”*
*Note that this must be disabled for both computer and user
GP Problems and Their Solutions — Infrastructure Problems
Problem
FRS & SYSVOL: FRS not replicating GPT content to all SYSVOL shares — files are missing or permissions are wrong across replicas; GPOs don’t process because version numbers are wrong (Win2k) or process incorrectly
Solution
Make sure problem DC has DFS service running; make sure SYSVOL is shared — refer to KB articles 257338 and 315457 for fixing SYSVOL problems; use GPOTool to compare GPTs across DCs; GPMC can fix permission problems if detected; in a pinch you can manually copy files between GPTs on DCs; use Ultrasound to monitor FRS
GP Problems and Their Solutions — Misconfiguration Problems
Problem
GPO permissioned incorrectly or linked to a container that targets a group rather than user or computer
Solution
Use GPMC GP Results or gpresult command-line tool to see if a GPO is denied or if the correct GPOs apply; GPOs apply to only users and computers
GP Problems and Their Solutions — Misconfiguration Problems
Problem
GPOs aren’t applying because Block Inheritance or Enforced flag is set
Solution
Use GPMC to visually see where flags are set on containers or GP links.
GP Problems and Their Solutions — Client Problems
Problem
No GPOs are being processed; errors show unable to read gpt.ini or other GPT files (specifically application event log error 1058: “Windows cannot access the file gpt.ini for GPO” and usually for computer policy only)
Solution
Verify that client computer has TCP/IP Netbios Helper service running — required to resolve UNC path to GPT; see KB# 840669 to tell GP processing to wait for the network stack to initialize
GP Problems and Their Solutions — Client Problems
Problem
Folder Redirection is not working — files aren’t being redirected for users
Solution
Make sure users have proper permission to create folders if you’re using FR policy to create the folders on the fly. See KB article # 274443 for required permissions
GP Problems and Their Solutions — Client Problems
Problem
Applications don’t deploy correctly via Software Installation policy or require multiple restarts or user logons to apply
Solution
Make sure you entered a UNC path to the package; use addiag.exe (Win2k Reskit) to troubleshoot SI deployment; make sure a slow link wasn’t detected; if multiple restarts or user logons are required, disable Fast Logon Optimization (XP only) by enabling the following policy:
Computer Configuration|Administrative Templates|System|Logon|Always wait for the network at computer startup and logon
Enable verbose Windows Installer and Application Management logging
Resources
“Group Policy Guide” book written by myself, Derek Melber and William Stanek — available as part of the Windows 2003 Resource Kit, 2nd Edition and standalone: http://www.microsoft.com/mspress/books/8763.asp
Resources
My website: www.gpoguy.com for tools, FAQs and additional troubleshooting tips
Jeremy Moskowitz’s website: www.gpanswers.com for a community forum on GP as well as FAQs and other resources
Microsoft’s GP Wiki site: www.grouppolicywiki.com
Mark Minasi’s Forum (I moderate the GP forum there) at x220.minasi.com/forum
Technet Group Policy Center: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx
We invite you to participate in our online evaluation on CommNet, accessible Friday only
If you choose to complete the evaluation online, there is no need to complete the paper evaluation
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.