Вы находитесь на странице: 1из 21

Module 11:

Troubleshooting Group
Policy Issues
Module Overview
• Introduction to Group Policy Troubleshooting

• Troubleshooting Group Policy Application

• Troubleshooting Group Policy Settings


Lesson 1: Introduction to Group Policy
Troubleshooting
• Scenarios for Group Policy Troubleshooting

• Preparing to Troubleshoot Group Policy

• Tools for Troubleshooting Group Policy

• Demonstration: Using Group Policy Diagnostic Tools


Scenarios for Group Policy Troubleshooting

Common scenarios that require troubleshooting:

 Polices not applied

 Policies are applied but settings are inconsistent


Preparing to Troubleshoot Group Policy

Basic troubleshooting steps:

 Check Event Viewer entries

 Perform basic checks to test network connectivity: use


diagnostic tools such as netdiag or ping

 Ensure that DNS is functioning by using NSlookup

Check that the domain controller is functioning and reachable:


 use diagnostic tools such as dcdiag, the set command,
or Kerbtray
Tools for Troubleshooting Group Policy

Group Policy troubleshooting tools:


 Group Policy reporting – RSOP
 GPResult
 Gpotool
• Gpupdate
• Dcgpofix
• GPOLogView
• Group Policy log files
• Group Policy Management Scripts
Demonstration: Using Group Policy
Diagnostic Tools
In this demonstration, the instructor will demonstrate the
use of:
•GPResult in regular and verbose mode

•GPOTool

•Gpupdate

•GPLogView
Lesson 2: Troubleshooting Group
Policy Application
• Troubleshooting Group Policy Inheritance: Block, enforce,
Disable, Security, WMI filter(allow/deny)

• Troubleshooting Group Policy Filtering


• Troubleshooting Group Policy Replication: FRS(sysvol), Rep
admin

• Troubleshooting Group Policy Refresh

• Discussion: Troubleshooting Group Policy Configuration


Troubleshooting Group Policy Inheritance

Domain

Production
GPOs

Blocked inheritance prevents


high-level policies from applying
to entire OU subtrees
Sales

No GPO
settings
apply
Troubleshooting Group Policy Filtering

Domain

Production
GPO
Group Policy filtering
WMI may affect only
filter certain users or
computers in OUs
Sales

Read and
Mengph Apply
Allow
Group Policy
Kimyo

Group Apply
Deny
Group Policy
Troubleshooting Group Policy Replication

• Group Policy objects consist of Group Policy templates


and Group Policy containers
• GUID Partition Table (GPT) and GPOs replicate using
different mechanisms
• Replication issues can cause domain controllers to
have inconsistent versions of Group Policy
• The GPOTool can check for policy consistency
across all domain controllers

File Replication Service


GPT GPT

GPC GPC
AD DS Replication

DC1 GPO1 GPO1 DC2


Version 3 Version 2
Troubleshooting Group Policy Refresh

If the Group Policy is not refreshing as expected:

• Check refresh intervals for users and computers


• Verify that the user has logged off and on, or that the
computer has been restarted
• Check if there are cached credentials, because they may
delay the effect of Group Policy: logon/off twice to refresh
• Check to see if the Loopback policy is enabled: computer setting pred

Use gpupdate to:

• Manually refresh updated Group Policy settings


• Force refresh of all Group Policy settings
• Force a reboot or logoff, if required, to refresh
the settings
Discussion: Troubleshooting Group
Policy Configuration
In this discussion, you will create a flow chart for
troubleshooting Group Policy
Lesson 3: Troubleshooting Group Policy Settings
• How Client Side Extension Processing Works

• Troubleshooting Administrative Template Policy Settings

• Troubleshooting Security Policy Settings

• Troubleshooting Script Policy Settings


How Client Side Extension(CSE) Processing Works

• Client side extensions are DLLs that process group


policy settings (not blocked by software restrictions)
• Some CSEs do not process if a slow link is detected
• Some CSEs are always applied and cannot be turned off

List of client side extensions:

• Security settings
• Administrative Templates
• Software installation
• Scripts
• Folder redirection
• Internet Explorer maintenance
Troubleshooting Administrative Template
Policy Settings

When troubleshooting Administrative Templates,


consider that:
Administrative Templates are either true polices(user cannot edit)
 or preferences(user can edit)
Settings that are true policies are reversed when the
 policy no longer applies

Settings that are preferences will tattoo the registry


 and remain in effect until they are specifically reversed

The operating system and service pack level determine


 if the computer can accept a policy setting
Troubleshooting Security Policy Settings

When troubleshooting security policy settings,


consider that:
 Account policies are passed to clients from the domain controller

 The domain controller receives account policies from a domain


level policy

 Security settings come from the GPO that have the highest priority
Troubleshooting Script Policy Settings: .vvs inside
sysvol : replicate by FRS

consider the following: start-up>logon>logoff>shut down

 Validate the script

 Ensure that users and computer have access to the script

 Ensure that Group Policy is configured correctly

 Ensure that the script is replicating properly

Use the Group Policy tools to ensure that Group Policy


 is applied correctly
Lab: Troubleshooting Group Policy Issues
• Exercise 1: Troubleshooting Group Policy Scripts

• Exercise 2: Troubleshooting GPO Lab-11B

• Exercise 3: Troubleshooting GPO Lab-11C

• Exercise 4: Troubleshooting GPO Lab-11D

Logon information
Virtual machine NYC-DC1, NYC-CL1

User name Administrator


Password Pa$$w0rd

Estimated time: 60 minutes


Lab Review
• If a policy at the domain level is set for enforcement while
another policy at the OU level with a conflicting setting
also is set to be enforced, which policy setting will the OU
clients receive?
• If you use group policy to configure the slow-link detection
threshold to be zero, what does that indicate?
Module Review and Takeaways
• Considerations

• Tools

• Review questions

Вам также может понравиться