1 / 35

Troubleshooting Group Policy

Troubleshooting Group Policy. Jeremy Moskowitz, Group Policy MVP Chief Propeller-Head: GPanswers.com Founder: PolicyPak Software (policypak.com) Twitter: @ jeremymoskowitz. Our Trouble Spot Road Map. New Areas – New potential problems Updated “under the hood” changes

luke
Download Presentation

Troubleshooting Group Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Troubleshooting Group Policy Jeremy Moskowitz, Group Policy MVP Chief Propeller-Head: GPanswers.com Founder: PolicyPak Software (policypak.com) Twitter: @jeremymoskowitz

  2. Our Trouble Spot Road Map • New Areas – New potential problems • Updated “under the hood” changes • The Central Store. The “Why” and “Problems” • Updated logging model • RSoP differences for Windows XP vs. Windows Vista+ clients • Troubleshooting Group Policy Preference Extensions

  3. Under the hood changes • “No Brain energy required” • Group Policy runs as a “hardened” service • 3rd party CSEs are isolated • Changes in behavior when clients are offline for a while… (next slide)

  4. Network Location Awareness: NLA 2.0 • Offline for a while? Get Group Policy next time you connect. • No more “ping”/ ICMP requirement • Key takeaway: • Group Policy refreshes only if you missed your last refresh cycle

  5. NLA / Reporting • Look for NLA events with slow ? fast link transitions

  6. Group Policy Internals • Group Policy has two “halves” • GPC: Group Policy Container • Record in Active Directory • GPT: Group Policy Template • “Downloadable” bits from SYSVOL

  7. Group Policy Troubleshooting (for the GPO iteself) • GPOtool • Determines general GPO health • Litmus Tests: • Creating new user in Active Directory Users & Computers • Creating new .txt file in SYSVOL • Deeper SYSVOL / DFS problems • Sonar • Ultrasound • “Troublehsooting FRS” • www.tinyurl.com/7lt5

  8. Why did Microsoft move away from ADM files? • ADM files • Conf.adm • Inetres.adm • System.adm • Wmplayer.adm • Wuau.adm • Simple • But … problems (next page)

  9. Problems to Solve • 1: How do we prevent burning 4MB within each Group Policy Object? • 2A: How do we deal with multiple languages and • 2B: …preventing “write overlaps”? • 3: How do we distribute new definitions updates to all admins?

  10. Central Store Success / Problems • Central Store not created properly • ADML language files not in precise place • SYSVOL replication is damaged • Older clients are used to manage/edit GPOs

  11. Why you need a Windows 7 management machine

  12. Our Trouble Spot Road Map • New Areas – New potential problems • Updated “under the hood” changes • The Central Store. The “Why” and “Problems” • Updated logging model • RSoP differences for Windows XP vs. Windows Vista+ clients • Troubleshooting Group Policy Preference Extensions

  13. Quick Review of XP Troubleshooting • Major events in the Event log • Step-by-step events in the \windows\debug\usermode\Userenv.log • Tip: Use SysProSoftPolicyReporter to make more “meaningful” • http://www.sysprosoft.com/policyreporter.shtml

  14. Breakdown of Stuff in Userenv.log Red Herrings Clues Different Thread ID Different Thread ID Timestamp Same Process

  15. Windows 7 Group Policy Troubleshooting • Userenv.log—going away… (Next slide) • “Basic news”—in System log

  16. Windows 7 Group Policy Troubleshooting “Micro-news” in the GroupPolicy Operational Log Replaces UserEnv log

  17. Making Lemonade from Logs • Focus in on ONE “Group Policy Event Cycle” • Use the Operational logs • Get ActivityID • and…

  18. Make an Event Filter <QueryList><Query Id="0" Path="Application"><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID='{INSERT ACTIVITY ID HERE}']</Select></Query></QueryList>

  19. GPlogview Tool • Download: • http://go.microsoft.com/fwlink/?LinkId=75004 • Log one cycle • Gplogview -a <activityID> -o output.txt • Gplogview -a 9A867233-04FF-4625-B7D1-6DEB763E2DCA -o output.txt • Monitor incoming cycle (two windows) • Gplogview –m • Caveats • Must be run in “admin” command shell

  20. Eventing and GPlogview

  21. Our Trouble Spot Road Map • New Areas – New potential problems • Updated “under the hood” changes • The Central Store. The “Why” and “Problems” • Updated logging model • RSoP differences for Windows XP vs. Windows Vista+ clients • Troubleshooting Group Policy Preference Extensions

  22. GPresult on Windows 7

  23. Gpresult Wackiness • Why can’t I see computer-side RSOP? • Totally frustrating (as the error is about the user, not the computer)

  24. Permissions Delegation for Seeing Own Computer RSOP • Domain Level or OU level

  25. Our Trouble Spot Road Map • New Areas – New potential problems • Updated “under the hood” changes • The Central Store. The “Why” and “Problems” • Updated logging model • RSoP differences for Windows XP vs. Windows Vista+ clients • Troubleshooting Group Policy Preference Extensions

  26. Troubleshooting Group Policy Prefs • Reporting… • Eventing… • Tracing…

  27. Reporting • GPRESULT: /H shows GPPrefs output • GPMC: Multiple items at a level can be tricky • Rename your pref items for clarity

  28. Events • App Log on all platforms shows the bad news • Windows 7 has own “source” • So you can filter “bad news” based on just the problem area • Windows 7 Operational log: • Not for GPPEs • Rather, just for GPOs overall

  29. Tracing • Used for final troubleshooting • Planning (RSoP.msc) logging is not used Logs go to %COMMONAPPDATA%\GroupPolicy\Preference\Trace\Computer.log and User.log (usually c:\ProgramData\...)

  30. Group Policy Prefs Tracing Example

  31. Tracing Gotchas • Win7 RSAT doesn’t contain the ADMX settings. • Option 1: • Copy the WS08 or R2 “GroupPolicyPreferences.admx/adml” to central store • Option 2: • Install the ADMX/ADML from MSI • http://tinyurl.com/ll22cf • Installs to C:\Program Files\Microsoft Group Policy\Preferences\ • Move up to Central Store

  32. Stay up to date with TechNet Belux Register for our newsletters and stay up to date:http://www.technet-newsletters.be • Technical updates • Event announcements and registration • Top downloads Join us on Facebook http://www.facebook.com/technetbehttp://www.facebook.com/technetbelux LinkedIn: http://linkd.in/technetbelux/ Twitter: @technetbelux DownloadMSDN/TechNet Desktop Gadgethttp://bit.ly/msdntngadget

  33. TechDays 2011 On-Demand • Watchthis session on-demand via TechNet Edge http://technet.microsoft.com/fr-be/edge/http://technet.microsoft.com/nl-be/edge/ • Download to your favorite MP3 or video player • Get access to slides and recommended resources by the speakers

  34. Do MORE with Group Policy

  35. THANK YOU

More Related