Group Policy Function

The document discusses understanding and troubleshooting Group Policy functions. It covers Group Policy structure, the mechanics of Group Policy processing, leveraging Group Policy logging, and common Group Policy problems and solutions.

Understanding and Troubleshooting Group Policy Function

Darren Mar-Elia
CTO, Infrastructure Management, Quest Software
MS-MVP for Group Policy
Agenda
  Understanding Group Policy Structure
  The Mechanics of Group Policy Processing
  Leveraging Group Policy Logging
  The Top Group Policy Problems and Tools for Solving Them
  Other Resources
  Q&A
Understanding Group Policy Structure
  Group Policy Objects (GPOs) are stored within a given AD domain in two parts:
    AD: the Group Policy Container (GPC)
    SYSVOL: the Group Policy Template (GPT)
  Some policy areas store settings in both the GPC and the GPT; others use only one of the two, and some use neither!
  The choice is driven by the type of data that needs to be stored
Understanding Group Policy Structure - the GPC
  The GPC stores general information about the GPO (e.g. friendly name, path to the GPT, etc.)
  The GPC can be found in each AD domain under the CN=Policies,CN=System container
  Each GPC is named by the GUID of its GPO
Understanding Group Policy Structure - the GPT
  The GPT contains the folders and files that hold the GPO settings you specify
  The GPT is found in SYSVOL, replicated to all DCs, under the Policies folder
  Like the GPC, the GPT is organized into GUID-named folders, each corresponding to the GUID of the GPO found in the GPC
Understanding Group Policy Structure - GP Versioning
  Version numbers are held within both the GPC and the GPT
    GPC: in the versionNumber attribute on the GPC object
    GPT: in the gpt.ini file in the root of the GPT folder
  The version is a single 32-bit value: the low 16 bits count computer-side changes and the high 16 bits count user-side changes, so it is incremented by:
    1 for each computer-specific change
    65536 for each user-specific change
  In Windows 2000, the version numbers must be equal between GPC and GPT before a client will process a GPO, so AD or FRS replication lag can stall processing
  XP and Server 2003 no longer require this
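As an added example (not part of the original deck), the Windows PowerShell below decodes a versionNumber into its user and computer halves and checks that every DC's SYSVOL copy of gpt.ini agrees with the GPC, which is the comparison a Windows 2000 client insists on and what GPOTool reports. The live path reads the GPC over ADSI and each DC's SYSVOL share; the values at the bottom are constructed and run on any machine.

```powershell
# Added example, not part of the original deck: decode a GPO versionNumber and
# compare the GPC copy (AD) with the GPT copy (gpt.ini in SYSVOL) on every DC.

function ConvertFrom-GpoVersion {
    # versionNumber is one 32-bit value: low 16 bits count computer-side changes,
    # high 16 bits count user-side changes (hence +1 and +65536 in the slide).
    param([Parameter(Mandatory)][uint32]$Version)
    [pscustomobject]@{
        Raw      = $Version
        Computer = $Version -band 0xFFFF
        User     = ($Version -shr 16) -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # gpt.ini is a plain INI file; the line of interest is "Version=<decimal>".
    param([Parameter(Mandatory)][string[]]$IniLines)
    foreach ($line in $IniLines) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [uint32]$Matches[1] }
    }
    throw 'gpt.ini has no Version= line'
}

function Compare-GpoVersion {
    # One row per replica. InSync is $false when that DC's SYSVOL copy lags
    # (or leads) the AD copy; a Windows 2000 client will not process the GPO
    # from that DC until the two match.
    param(
        [Parameter(Mandatory)][uint32]$GpcVersion,
        [Parameter(Mandatory)][hashtable]$GptVersionByDc   # DC name -> gpt.ini version
    )
    $gpc = ConvertFrom-GpoVersion -Version $GpcVersion
    foreach ($dc in ($GptVersionByDc.Keys | Sort-Object)) {
        $gpt = ConvertFrom-GpoVersion -Version $GptVersionByDc[$dc]
        [pscustomobject]@{
            DC          = $dc
            GpcComputer = $gpc.Computer
            GpcUser     = $gpc.User
            GptComputer = $gpt.Computer
            GptUser     = $gpt.User
            InSync      = ($gpc.Raw -eq $gpt.Raw)
        }
    }
}

function Get-GpoVersionReport {
    # Live use on a domain-joined machine: read the GPC over LDAP, then read
    # gpt.ini from each DC's own SYSVOL share (not the DFS root) so that a DC
    # that has not replicated yet shows up as out of sync.
    param([Parameter(Mandatory)][string]$GpoGuid)   # e.g. '{31B2F340-016D-11D2-945F-00C04FB984F9}'
    $root       = [ADSI]'LDAP://RootDSE'
    $domainDn   = [string]$root.defaultNamingContext
    $domain     = ($domainDn -replace 'DC=', '') -replace ',', '.'
    $gpc        = [ADSI]"LDAP://CN=$GpoGuid,CN=Policies,CN=System,$domainDn"
    $gpcVersion = [uint32](([int64]$gpc.versionNumber.Value) -band 0xFFFFFFFF)
    $byDc = @{}
    foreach ($dc in [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
        $ini = "\\$($dc.Name)\SYSVOL\$domain\Policies\$GpoGuid\gpt.ini"
        $byDc[$dc.Name] = Get-GptIniVersion -IniLines (Get-Content -LiteralPath $ini)
    }
    Compare-GpoVersion -GpcVersion $gpcVersion -GptVersionByDc $byDc
}

# Constructed sample (no domain needed): the GPC holds 65539 = user 1, computer 3.
# DC1's gpt.ini agrees; DC2 has not yet replicated the last user-side change.
$sampleIni = @('[General]', 'Version=65539')
Compare-GpoVersion -GpcVersion 65539 -GptVersionByDc @{
    'DC1' = Get-GptIniVersion -IniLines $sampleIni
    'DC2' = 3
} | Format-Table -AutoSize
```

Reading each DC's share by name instead of \\domain\SYSVOL matters: the DFS referral hides the lagging replica that the client in the next site may actually be using.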
Understanding Group Policy Structure - GP Storage
  Policy Area: Storage Location
  Wireless: In the GPC, under CN=Wireless,CN=Windows,CN=Microsoft,CN=Machine, as an object of class msieee80211-Policy (Server 2003 only)
  Folder Redirection: In the GPT, in a file called fdeploy.ini under the User\Documents & Settings folder
  Administrative Templates: In the GPT, in a file called registry.pol under either the User or the Machine folder
  Disk Quota: In the GPT, also in registry.pol, but only under the Machine folder
  Scripts: In the GPT; Startup and Shutdown scripts are stored under Machine\Scripts\Startup and Machine\Scripts\Shutdown, Logon and Logoff scripts under User\Scripts\Logon and User\Scripts\Logoff
Understanding Group Policy Structure - GP Storage
  Policy Area: Storage Location
  Internet Explorer Maintenance: In the GPT, under the folder User\Microsoft\IEAK
  Security: In the GPT, in a file called GptTmpl.inf under the folder Machine\Microsoft\Windows NT\SecEdit
  Software Installation: In both the GPT and the GPC; in the GPT under the Applications folder of both the User and Machine folders; in the GPC under the Machine (or User)\Class Store\Packages container as packageRegistration objects
  Software Restriction Policy: In the GPT, also in registry.pol
  IP Security: Not stored in either the GPC or the GPT; stored in AD under the CN=IP Security,CN=System container
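Three of the rows above (Administrative Templates, Disk Quota, Software Restriction Policy) land in registry.pol, so a reader for that format shows exactly what a GPO pushes into the registry. The following is an added example, not code from the deck or from Microsoft: a parser for the registry.pol layout (ASCII "PReg" signature, a version DWORD, then UTF-16LE records of the form [key;value;type;size;data]) plus a small writer used only to build the constructed sample file. The Disk Quota "Enable" value is a real Machine-side policy value; the Software\Policies\Contoso key and its string are made up for the sample.

```powershell
# Added example, not part of the original deck: read (and, for the sample, write)
# the registry.pol format used by Administrative Templates, Disk Quota and
# Software Restriction Policy. Layout: "PReg", version DWORD (1), then records
# [key;value;type;size;data] with '[' ';' ']' as UTF-16LE characters, key and
# value as null-terminated UTF-16LE strings, type and size as little-endian DWORDs.

$Utf16 = [System.Text.Encoding]::Unicode

function Read-PolString {
    # Read a null-terminated UTF-16LE string and advance past the terminator.
    param([byte[]]$Bytes, [ref]$Offset)
    $start = $Offset.Value
    $end   = $start
    while ([BitConverter]::ToUInt16($Bytes, $end) -ne 0) { $end += 2 }
    $Offset.Value = $end + 2
    $Utf16.GetString($Bytes, $start, $end - $start)
}

function Read-PolDelimiter {
    # Consume one expected UTF-16LE delimiter ('[', ';' or ']').
    param([byte[]]$Bytes, [ref]$Offset, [char]$Char)
    if ([BitConverter]::ToUInt16($Bytes, $Offset.Value) -ne [int]$Char) {
        throw "registry.pol: expected '$Char' at offset $($Offset.Value)"
    }
    $Offset.Value += 2
}

function Read-RegistryPol {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 8 -or [System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') {
        throw 'Not a registry.pol file (missing PReg signature)'
    }
    $i = 8   # past the signature and the version DWORD
    while ($i -lt $Bytes.Length) {
        Read-PolDelimiter $Bytes ([ref]$i) '['
        $key   = Read-PolString $Bytes ([ref]$i)
        Read-PolDelimiter $Bytes ([ref]$i) ';'
        $value = Read-PolString $Bytes ([ref]$i)
        Read-PolDelimiter $Bytes ([ref]$i) ';'
        $type  = [BitConverter]::ToUInt32($Bytes, $i); $i += 4
        Read-PolDelimiter $Bytes ([ref]$i) ';'
        $size  = [BitConverter]::ToUInt32($Bytes, $i); $i += 4
        Read-PolDelimiter $Bytes ([ref]$i) ';'
        $data  = New-Object byte[] $size
        [Array]::Copy($Bytes, $i, $data, 0, $size); $i += $size
        Read-PolDelimiter $Bytes ([ref]$i) ']'
        $decoded = switch ($type) {
            4       { [BitConverter]::ToUInt32($data, 0) }                       # REG_DWORD
            1       { $Utf16.GetString($data).TrimEnd([char]0) }                 # REG_SZ
            2       { $Utf16.GetString($data).TrimEnd([char]0) }                 # REG_EXPAND_SZ
            7       { $Utf16.GetString($data).TrimEnd([char]0) -split [char]0 }  # REG_MULTI_SZ
            default { ($data | ForEach-Object { $_.ToString('x2') }) -join ' ' }
        }
        # Value names beginning with ** (e.g. **Del.<name>, **DeleteValues) are
        # deletion instructions rather than settings to write.
        [pscustomobject]@{ Key = $key; Value = $value; Type = $type; Data = $decoded }
    }
}

function New-PolEntry {
    # Serialise one record; used here only to construct the sample file.
    param([string]$Key, [string]$Value, [uint32]$Type, [byte[]]$Data)
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange($Utf16.GetBytes('['))
    $out.AddRange($Utf16.GetBytes($Key + [char]0));   $out.AddRange($Utf16.GetBytes(';'))
    $out.AddRange($Utf16.GetBytes($Value + [char]0)); $out.AddRange($Utf16.GetBytes(';'))
    $out.AddRange([BitConverter]::GetBytes($Type));   $out.AddRange($Utf16.GetBytes(';'))
    $out.AddRange([BitConverter]::GetBytes([uint32]$Data.Length)); $out.AddRange($Utf16.GetBytes(';'))
    $out.AddRange($Data)
    $out.AddRange($Utf16.GetBytes(']'))
    $out.ToArray()
}

# Constructed sample: the Disk Quota "Enable" DWORD (a Machine\registry.pol setting)
# and a made-up REG_SZ under a hypothetical Software\Policies\Contoso key.
$sample = [byte[]]@(
    [System.Text.Encoding]::ASCII.GetBytes('PReg') +
    [BitConverter]::GetBytes([uint32]1) +
    (New-PolEntry 'Software\Policies\Microsoft\Windows NT\DiskQuota' 'Enable' 4 ([BitConverter]::GetBytes([uint32]1))) +
    (New-PolEntry 'Software\Policies\Contoso' 'LogonBanner' 1 ($Utf16.GetBytes('Authorised use only' + [char]0)))
)
Read-RegistryPol -Bytes $sample | Format-Table -AutoSize
# Live use: Read-RegistryPol ([IO.File]::ReadAllBytes('\\contoso.com\SYSVOL\contoso.com\Policies\{GUID}\Machine\registry.pol'))
```

Because SYSVOL is readable by every authenticated user, the same reader run against the live share lets any domain account see the registry settings pushed to every machine; that is useful for auditing what a GPO really contains, and worth remembering when deciding what belongs in one.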
Understanding Group Policy Structure - Creating vs. Linking
  When you create a GPO, it's a two-step process
    The GPC and GPT are created in the domain
    A GP link is created on the container (site, domain or OU) that you're focused on
  Thus a single GPO can be linked to multiple containers
  Permissions (security filtering) are set on the GPO itself and are therefore shared by all of its links, but each link can have different characteristics (e.g. Enforced)
The Mechanics of Group Policy Processing
  GP processing is strictly a client-side operation
  Processing is broken into two parts:
    GP Core
    Client Side Extensions (CSEs)
  GP Core takes care of figuring out which GPOs apply and which CSEs need to process
  CSEs do the hard work of implementing policy settings
The Mechanics of Group Policy Processing
  Policy is processed using an order of precedence:
    1. Local GPOs
    2. Site-linked GPOs
    3. Domain-linked GPOs
    4. OU-linked GPOs (parent OU first, then child OUs)
  Later GPOs override earlier ones, and within a given container the links are processed from the bottom of the link list to the top, so the link with link order 1 is applied last and wins
The Mechanics of Group Policy Processing
  CSEs are provided by default in Windows
    Registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
  GP is extensible by writing your own CSEs; several third parties have done this
    Quest, Full Armor, DesktopStandard
  Note that GP processing runs within the system Winlogon process, so poorly written CSEs can crash Windows (and any CSE registered here runs with Winlogon's SYSTEM privileges)
    This is changing in Windows Vista, where processing moves into a separate Group Policy service
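Since every DLL registered under GPExtensions is loaded by Winlogon (or, from Vista on, the Group Policy service) and runs as SYSTEM on every refresh, the registration key is both the place to see which CSEs exist and a place worth auditing for a DLL nobody registered on purpose. The following is an added example, not from the deck: it lists the registered CSEs with the documented flag values (NoSlowLink, NoBackgroundPolicy, NoUserPolicy, NoMachinePolicy, NoGPOListChanges) that decide when each one runs, and checks that each DLL exists and carries a valid Authenticode signature. Run it in Windows PowerShell on any domain member.

```powershell
# Added example, not part of the original deck: list the CSEs registered under
# the GPExtensions key with the flags that decide when each one runs, and do a
# first-pass integrity check on the DLL each registration points at.
function Get-GpClientSideExtension {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
    foreach ($k in (Get-ChildItem -Path $base)) {
        $p   = Get-ItemProperty -Path $k.PSPath
        $dll = [Environment]::ExpandEnvironmentVariables([string]$p.DllName)
        # Built-in CSEs register a bare file name that Winlogon loads from System32.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $env:SystemRoot "System32\$dll" }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status.ToString() } else { 'n/a' }
        [pscustomobject]@{
            Name              = [string]$p.'(default)'
            Guid              = $k.PSChildName
            Dll               = $dll
            DllExists         = $exists
            Signature         = $sig                              # 'Valid' for Microsoft's own CSEs
            Entry             = [string]$p.ProcessGroupPolicy     # exported function Winlogon calls
            NoSlowLink        = [bool]$p.NoSlowLink               # skipped when a slow link is detected
            NoBackground      = [bool]$p.NoBackgroundPolicy       # runs only in foreground processing
            NoUserPolicy      = [bool]$p.NoUserPolicy
            NoMachinePolicy   = [bool]$p.NoMachinePolicy
            SkipWhenUnchanged = [bool]$p.NoGPOListChanges         # not called if no GPO in its list changed
        }
    }
}

Get-GpClientSideExtension | Sort-Object Name |
    Format-Table Name, Guid, NoSlowLink, NoBackground, DllExists, Signature -AutoSize
```

Anything with DllExists false, an unsigned or unknown-publisher DLL, or a path outside System32 that you did not put there deserves a closer look: the registration alone is enough to get code executed as SYSTEM at the next policy refresh.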
The Mechanics of Group Policy Processing
  Healthy GP processing relies on several infrastructure pieces working in concert:
    AD replication
    DNS
    FRS replication
    Passing of key network protocols, including ICMP, LDAP, SMB and RPC
The Mechanics of Group Policy Processing - Step-by-Step
  The steps of GP processing:
    1. Client performs a DNS request for the LDAP SRV records of the DC(s) in its site
    2. Client binds to a DC using the normal DC Locator process
    3. Client performs ICMP slow link detection against that DC to determine link speed
    4. Client uses LDAP to build the GPO list at its OU, domain and then site containers, checking whether it has permission (Read and Apply Group Policy) to process each GPO
    5. Client uses LDAP to query each GPC for the GPT path, the version number and the CSEs the GPO implements
    6. Client uses SMB to read the GPT version number from gpt.ini at the GPT path
    7. Each CSE runs in the order in which it is registered, and processes its GPOs if a GPO has changed since the last processing cycle (as determined during core processing)
    8. If a GPO has changed, the CSE applies the new settings, then the next CSE runs, until all have completed
    9. Each CSE logs RSoP data to WMI during each refresh
The Mechanics of Group Policy Processing
  There are two kinds of GP processing
    Foreground (e.g. during machine startup or logon)
    Background (periodic, based on computer role: DCs every 5 min., workstations and member servers every 90 min. with a random offset)
  Foreground processing can run asynchronously or synchronously
    Win2K defaults to synchronous foreground; XP defaults to asynchronous (you probably want to change this!)
  Background processing is asynchronous by definition
The Mechanics of Group Policy Processing
  Certain CSEs won't process normally, for a variety of reasons
    Some don't process if a slow link is detected (e.g. Software Installation, Folder Redirection)
    Some don't process asynchronously (e.g. Software Installation)
    Some process asynchronously but don't actually do anything until the next synchronous event (e.g. Scripts)
  And of course, no CSE will process a GPO that has not changed since the last processing cycle
    This is determined by comparing the GPO's version number to the version number the client cached in its registry at the last cycle
The Mechanics of Group Policy Processing - Slow Link Detection
  CSE: Processes on slow link?
  Security: Yes (and can't be disabled)
  IP Security: Yes
  EFS Recovery: Yes
  Wireless Network: Yes
  Administrative Templates: Yes (and can't be disabled)
  Scripts: No
  Folder Redirection: No
  Software Installation: No
  IE Maintenance: Yes
Leveraging Group Policy Logging
  GP-related logging is your best tool for understanding and troubleshooting GP operation
  There are basically two types of logging
    Application Event Log on each client
    CSE-specific logging
Leveraging Group Policy Logging - Application Events
  Application events related to Group Policy come from the following event sources:
    Userenv: most GP core events
    SceCli: Security CSE events
    Application Management (Appmgmt): Software Installation events
    Userinit: Scripts events
    Folder Redirection: Folder Redirection events
  GPMC does a good job of exposing Application events related to GP
    Available through the Group Policy Results wizard
Leveraging Group Policy Logging - GPMC Application Event Reporting
Leveraging Group Policy Logging - Enabling Verbose Logging
  Most GP-related logging must be explicitly enabled
    Application event logging is enabled by default but can be made more verbose
  To enable verbose logging, you'll need to make registry changes on each client
    I have a custom .ADM that enables all of the available GP-related logging at http://www.gpoguy.com/tools.htm
  Keep in mind that verbose logging has a performance overhead; disable it when not in use
Leveraging Group Policy Logging - Userenv Logging
  Userenv logging is the most verbose but also the most instructive for investigating problems
    The log is written to %windir%\debug\usermode\userenv.log
    It logs both policy and user profile processing
  It can be somewhat arcane to read, but it details each step of the GP processing cycle
  If you're troubleshooting a problem, rename the file to get a fresh log and then force a GP refresh
    Use gpupdate on XP and Server 2003; secedit /refreshpolicy on Win2K
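The deck points at an .ADM for the registry change and describes the rename-then-refresh routine in words; the following is an added example, not the deck's own tool, that does the same from Windows PowerShell. The value it sets, UserEnvDebugLevel = 0x30002 (verbose, written to userenv.log) under the Winlogon key, is Microsoft's documented switch for Windows 2000/XP/2003 and is not named on the slide. The log-line prefix the summary function matches, "USERENV(pid.tid) hh:mm:ss:ms message", is the layout the deck's screenshot slide calls out; the keyword filter is a practical choice of mine, not an official list, so adjust it to the problem at hand. Run elevated.

```powershell
# Added example, not part of the original deck: switch verbose Userenv logging
# on and off, start a clean log before a forced refresh, and pull out the lines
# a first read usually needs.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$UserenvLog  = Join-Path $env:SystemRoot 'debug\usermode\userenv.log'

function Enable-UserenvLogging {
    # 0x30002 = verbose logging + write to %windir%\debug\usermode\userenv.log
    New-ItemProperty -Path $WinlogonKey -Name UserEnvDebugLevel -PropertyType DWord -Value 0x30002 -Force | Out-Null
}

function Disable-UserenvLogging {
    # Verbose logging slows every logon and refresh: remove the value when done.
    Remove-ItemProperty -Path $WinlogonKey -Name UserEnvDebugLevel -ErrorAction SilentlyContinue
}

function Reset-UserenvLog {
    # Rename the current log so the next cycle starts a clean file, then force a
    # refresh (gpupdate on XP/2003; on Windows 2000 use secedit /refreshpolicy).
    param([switch]$Refresh)
    if (Test-Path -LiteralPath $UserenvLog) {
        Rename-Item -LiteralPath $UserenvLog -NewName ('userenv-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
    }
    if ($Refresh) { & gpupdate.exe /force | Out-Null }
}

function Get-UserenvLogSummary {
    # Each line: "USERENV(<pid>.<tid>) <hh:mm:ss:ms> <message>", IDs in hex.
    # The keyword list (an assumption, not an official set) keeps the slow link
    # test, the GPO search/discovery lines and each CSE invocation.
    param(
        [string]$Path = $UserenvLog,
        [string]$Keywords = 'PingComputer|slow link|ProcessGPOs?:|Found GPO|Processing extension'
    )
    Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -match '^USERENV\((?<pid>[0-9a-f]+)\.(?<tid>[0-9a-f]+)\)\s+(?<time>[\d:]+)\s+(?<msg>.*)$') {
            $row = [pscustomobject]@{ Pid = $Matches.pid; Tid = $Matches.tid; Time = $Matches.time; Message = $Matches.msg }
            if ($row.Message -match $Keywords) { $row }
        }
    }
}

# Typical session: enable, start clean, refresh, read, then switch it off again.
Enable-UserenvLogging
Reset-UserenvLog -Refresh
Get-UserenvLogSummary | Format-Table -AutoSize
Disable-UserenvLogging
```

Grouping the output by Pid/Tid separates the computer-side pass (running under Winlogon) from the user-side pass when both are interleaved in the same file, which is the first thing that makes a fresh log readable.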
Leveraging Group Policy Logging - Userenv.log
  (Screenshot of a userenv.log excerpt; callouts: the process and thread ID and the timestamp at the start of each line, and the slow link test)
GP Logging Walkthrough
GP Problems and Their Solutions
  Many GP-related problems can be broken into these categories:
    Infrastructure problems (e.g. DNS, FRS, AD, network)
    Misconfiguration problems (incorrect security filtering, Enforced or Block Inheritance set, etc.)
    Client problems
GP Problems and Their Solutions - Infrastructure Problems
  Problem
    ICMP: slow link detection (SLD) fails, and all GP processing fails as a result
  Solution
    ICMP is required for GP processing. If it is disabled or restricted (SLD needs ICMP echo requests of at least 2048 bytes to get through), then disable slow link detection via policy at:
    Computer (and User) Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection*
    *Note that this must be disabled for both computer and user
GP Problems and Their Solutions - Infrastructure Problems
  Problem
    FRS & SYSVOL: FRS is not replicating GPT content to all SYSVOL shares; files are missing or permissions are wrong across replicas; GPOs don't process because version numbers don't match (Win2K) or they process incorrectly
  Solution
    Make sure the problem DC has the DFS service running and that SYSVOL is shared; refer to KB articles 257338 and 315457 for fixing SYSVOL problems; use GPOTool to compare GPTs across DCs; GPMC can fix permission problems if it detects them; in a pinch you can manually copy files between GPTs on DCs; use Ultrasound to monitor FRS
GP Problems and Their Solutions - Misconfiguration Problems
  Problem
    GPO permissioned incorrectly, or linked to a container in the expectation that it will apply to a group
  Solution
    Use GPMC Group Policy Results or the gpresult command-line tool to see whether a GPO is denied and whether the correct GPOs apply; GPOs apply only to user and computer objects, so a group can filter a GPO but can never be its target
GP Problems and Their Solutions - Misconfiguration Problems
  Problem
    GPOs aren't applying because a Block Inheritance or Enforced flag is set
  Solution
    Use GPMC to see where the flags are set on containers or GP links
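GPMC shows the flags; the following added example (not part of the deck) computes what they do. It resolves the apply order for an object from the raw gPLink and gPOptions attributes on its site, domain and OUs, implementing the LSDOU precedence from the processing slides together with the two flags this slide names: link order within a container, the per-link Disabled (1) and Enforced (2) bits in gPLink, and Block Inheritance (gPOptions = 1) on the container. The chain at the bottom is constructed with hypothetical GUIDs and OUs in a contoso.com domain; Get-SomChain builds a real one over ADSI on a domain-joined host (using the local machine's site).

```powershell
# Added example, not part of the original deck: compute the order in which GPOs
# are applied from gPLink / gPOptions, honouring link order, Disabled and
# Enforced link flags, and Block Inheritance.

function ConvertFrom-GpLink {
    # gPLink: "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;0][LDAP://...;2]"
    # First bracket = link order 1 (highest precedence in that container).
    # Flag bits: 1 = link disabled, 2 = Enforced (No Override).
    param([string]$GpLink)
    $order = 0
    foreach ($m in [regex]::Matches($GpLink, '\[LDAP://([^;\]]+);(\d+)\]', 'IgnoreCase')) {
        $order++
        $flags = [int]$m.Groups[2].Value
        [pscustomobject]@{
            LinkOrder = $order
            GpoDn     = $m.Groups[1].Value
            Disabled  = ($flags -band 1) -ne 0
            Enforced  = ($flags -band 2) -ne 0
        }
    }
}

function Get-GpoApplyOrder {
    # $Chain: site, then domain, then OUs top down; each item has Name, GpLink
    # and GpOptions (gPOptions bit 1 = Block Inheritance). Output is apply order:
    # the first row is applied first, the last row wins any conflict.
    param([Parameter(Mandatory)][object[]]$Chain)
    $normal   = New-Object System.Collections.Generic.List[object]
    $enforced = New-Object System.Collections.Generic.List[object]
    for ($depth = 0; $depth -lt $Chain.Count; $depth++) {
        $som = $Chain[$depth]
        # Block Inheritance drops everything inherited from above except Enforced links.
        if (([int]$som.GpOptions -band 1) -ne 0) { $normal.Clear() }
        $links = @(ConvertFrom-GpLink -GpLink ([string]$som.GpLink))
        [array]::Reverse($links)   # within a container: last link first, link order 1 last
        foreach ($l in $links) {
            if ($l.Disabled) { continue }
            $row = [pscustomobject]@{
                Container = $som.Name; Depth = $depth; GpoDn = $l.GpoDn
                LinkOrder = $l.LinkOrder; Enforced = $l.Enforced
            }
            if ($l.Enforced) { $enforced.Add($row) } else { $normal.Add($row) }
        }
    }
    # Enforced links are applied after all others, and among them the link nearest
    # the root wins, so the deepest container's Enforced links go first.
    $enforcedSorted = @($enforced | Sort-Object @{Expression='Depth'; Descending=$true}, @{Expression='LinkOrder'; Descending=$true})
    $n = 0
    foreach ($r in ($normal.ToArray() + $enforcedSorted)) {
        $n++
        [pscustomobject]@{ ApplyOrder = $n; Container = $r.Container; GpoDn = $r.GpoDn; LinkOrder = $r.LinkOrder; Enforced = $r.Enforced }
    }
}

function Get-SomChain {
    # Live AD (domain-joined): the local machine's site, the domain, and each OU
    # above $ObjectDn from the top down, in the shape Get-GpoApplyOrder expects.
    param([Parameter(Mandatory)][string]$ObjectDn)
    $root  = [ADSI]'LDAP://RootDSE'
    $site  = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $dns   = @("CN=$site,CN=Sites,$([string]$root.configurationNamingContext)", [string]$root.defaultNamingContext)
    $parts = $ObjectDn -split '(?<!\\),'
    for 0 ($k = $parts.Count - 1; $k -ge 1; $k--) {
        if ($parts[$k] -match '^OU=') { $dns += ($parts[$k..($parts.Count - 1)] -join ',') }
    }
    foreach ($dn in $dns) {
        $o   = [ADSI]"LDAP://$dn"
        $opt = [string]$o.gPOptions
        [pscustomobject]@{ Name = $dn; GpLink = [string]$o.gPLink; GpOptions = $(if ($opt) { [int]$opt } else { 0 }) }
    }
}

# Constructed sample (hypothetical GUIDs, OUs and domain): an Enforced site link,
# two domain links, an OU that blocks inheritance and whose own link is disabled,
# and a child OU with one ordinary link.
$G = 'CN={{{0}}},CN=Policies,CN=System,DC=contoso,DC=com'
$chain = @(
    [pscustomobject]@{ Name = 'Site Default-First-Site-Name';        GpLink = "[LDAP://$($G -f 'SITE-ENFORCED');2]"; GpOptions = 0 }
    [pscustomobject]@{ Name = 'DC=contoso,DC=com';                   GpLink = "[LDAP://$($G -f 'DOMAIN-1');0][LDAP://$($G -f 'DOMAIN-2');0]"; GpOptions = 0 }
    [pscustomobject]@{ Name = 'OU=Servers,DC=contoso,DC=com';        GpLink = "[LDAP://$($G -f 'SERVERS-DISABLED');1]"; GpOptions = 1 }
    [pscustomobject]@{ Name = 'OU=Web,OU=Servers,DC=contoso,DC=com'; GpLink = "[LDAP://$($G -f 'WEB');0]"; GpOptions = 0 }
)
Get-GpoApplyOrder -Chain $chain | Format-Table -AutoSize
# Live: Get-GpoApplyOrder -Chain (Get-SomChain -ObjectDn 'CN=WEB01,OU=Web,OU=Servers,DC=contoso,DC=com')
```

In the sample, Block Inheritance on OU=Servers discards both domain links, the disabled link on that OU is skipped, the child OU's link is applied first, and the Enforced site link is applied last and wins, which is exactly the combination that makes "my OU GPO is being overridden" hard to see in the OU's own properties.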
Using GPMC for Troubleshooting
GP Problems and Their Solutions - Client Problems
  Problem
    No GPOs are being processed; errors show the client is unable to read gpt.ini or other GPT files (specifically Application event log error 1058: "Windows cannot access the file gpt.ini for GPO", usually for computer policy only)
  Solution
    Verify that the client computer has the TCP/IP NetBIOS Helper service running; it is required to resolve the UNC path to the GPT. See KB 840669 to tell GP processing to wait for the network stack to initialize
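The ICMP and gpt.ini problems above are both settled by a handful of checks from the client itself. The following is an added example, not from the deck: it resolves the GPT path from the GPC, pings the DC the client is using with both a small and the 2048-byte ICMP payload that slow link detection needs, tests SMB access to gpt.ini, reports the state of the TCP/IP NetBIOS Helper service (service name lmhosts) and counts recent Userenv 1058 events. It assumes Windows PowerShell on a domain-joined client; the default GUID is the well-known Default Domain Policy GUID.

```powershell
# Added example, not part of the original deck: client-side prerequisite checks
# for slow link detection (ICMP) and GPT access (SMB, NetBIOS Helper, event 1058).
function Test-GpClientPrerequisite {
    param([string]$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}')
    $root    = [ADSI]'LDAP://RootDSE'
    $dc      = [string]$root.dnsHostName      # the DC this client is talking to
    $gpc     = [ADSI]"LDAP://CN=$GpoGuid,CN=Policies,CN=System,$([string]$root.defaultNamingContext)"
    $gptPath = [string]$gpc.gPCFileSysPath

    # 1. Slow link detection: a small ping succeeding while the 2048-byte one
    #    fails means something on the path drops the larger probe; either allow
    #    it or disable slow link detection via policy for computer and user.
    $small = Test-Connection -ComputerName $dc -Count 2 -BufferSize 32   -Quiet -ErrorAction SilentlyContinue
    $large = Test-Connection -ComputerName $dc -Count 2 -BufferSize 2048 -Quiet -ErrorAction SilentlyContinue

    # 2. SMB: can this client open gpt.ini at the path stored in the GPC?
    $gptIni  = Join-Path $gptPath 'gpt.ini'
    $canRead = $false
    try { $null = Get-Content -LiteralPath $gptIni -TotalCount 1 -ErrorAction Stop; $canRead = $true } catch { }

    # 3. The service the slide names as required to resolve the UNC path.
    $lmhosts       = Get-Service -Name lmhosts -ErrorAction SilentlyContinue
    $lmhostsStatus = if ($lmhosts) { $lmhosts.Status.ToString() } else { 'not installed' }

    # 4. Recent 1058 events ("Windows cannot access the file gpt.ini for GPO ...").
    $events = @(Get-EventLog -LogName Application -Source Userenv -Newest 500 -ErrorAction SilentlyContinue |
                Where-Object { $_.EventID -eq 1058 })

    [pscustomobject]@{
        DomainController    = $dc
        IcmpSmallOk         = [bool]$small
        Icmp2048Ok          = [bool]$large
        GptPath             = $gptPath
        CanReadGptIni       = $canRead
        NetbiosHelperStatus = $lmhostsStatus
        Recent1058Events    = $events.Count
    }
}

Test-GpClientPrerequisite | Format-List
```

Run it as the computer account's equivalent (an elevated prompt) rather than as a user when the complaint is computer policy only, since that is the context in which the 1058 error is raised.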
GP Problems and Their Solutions - Client Problems
  Problem
    Folder Redirection is not working; files aren't being redirected for users
  Solution
    Make sure users have the proper permissions to create folders if you're using Folder Redirection policy to create the folders on the fly. See KB article 274443 for the required permissions
GP Problems and Their Solutions - Client Problems
  Problem
    Applications don't deploy correctly via Software Installation policy, or require multiple restarts or user logons to apply
  Solution
    Make sure you entered a UNC path to the package; use addiag.exe (Win2K Resource Kit) to troubleshoot SI deployment; make sure a slow link wasn't detected; if multiple restarts or user logons are required, disable Fast Logon Optimization (XP only) by enabling the following policy:
    Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and logon
    Enable verbose Windows Installer and Application Management logging
Resources
  "Group Policy Guide" book written by myself, Derek Melber and William Stanek, available as part of the Windows Server 2003 Resource Kit, 2nd Edition and standalone
  http://www.microsoft.com/mspress/books/8763.asp
Resources
  My website: www.gpoguy.com for tools, FAQs and additional troubleshooting tips
  Jeremy Moskowitz's website: www.gpanswers.com for a community forum on GP as well as FAQs and other resources
  Microsoft's GP Wiki site: www.grouppolicywiki.com
  Mark Minasi's Forum (I moderate the GP forum there) at x220.minasi.com/forum
  TechNet Group Policy Center: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/management/gp/default.mspx
© 2005 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
