Computer Performance, Windows Server 2003

Guy recommends :
Free Permissions
Analyzer Tool

Solarwinds Free Download of Permissions Analyzer

 

View the effective permissions for a folder or shared drive. Free download try it now!
Custom Search

Guy's Review of Computer Tools

 1) Belarc Advisor
 2) Engineers Toolset
 3) Freeping
 4) PuTTY
 5) Permission Analyzer
 6) Secunia
 7) Net-SNMP
 8) Mobile IT Admin App
 9) DNS Stuff
10) WinDiff Compare

Troubleshooting Group Policy in Windows Server 2003

Troubleshooting Group Policy Tips

I have distilled my troubleshooting tips for solving problems with Group Policy on Windows Server 2003.  My advice ranges from the obvious, gpupdate, to the obscure, spaces in policy names.

  1. Refresh the Policy with Gpupdate
  2. Check User and Computer are in the Correct OU
  3. Synchronization check FSMO, check FRS
  4. Which Group Policies are in force? - GPMC
  5. Do I need to reboot?
  6. Why can't I open the Group Policy Editor?
  7. What causes 'Failed to open the Group Policy object'
  8. Why do I get the 'Missing Active Directory Container' message?
  9. Error: 'The Feature you are trying to install cannot be found'?
  10. My VBScript Policy does not execute via Group Policy?
  11. Spaces in Script names?
  12. Where do I start creating a Group Policy?
  13. If all else fails - check the event viewer
  14. I have made a terrible foul up.  My policies are a disaster
  15. Group Policy Block Inheritance
  16. Group Policy Troubleshooting Tools

  ‡

Get Into the Troubleshooting State of Mindtroubleshooting group policy

My first tip for troubleshooting Microsoft's Group Policy is this: Put yourself in the right frame of mind.  Get into 'State' as Anthony Robbins would say.  Believe that you are going to solve this problem.

80% of all computer problems are caused by a simple fault.  In the case of Group Policies, check that the user or computer is in the OU that you are testing.  By default, all computers are in the Computer folder.  That means that if you set a policy at an OU, the computer settings will have no effect on any computers still in the original computers folder.

A variation of this problem is, that people do not realize that Windows Server 2003 Domain Controllers have their own special policy, again find the Domain Controller container and configure that default policy.  I would advise against moving the Domain Controllers into an OU.

So, if you logon as a user and none of your policy settings apply - check to see that the user account is in the same OU as the policy you are testing.  Incidentally, when troubleshooting, this is why I always include one or two trivial computer settings along with main user setting that I am testing.  If the trivial computer settings work, but the one I am testing fails, then that pin points where the fault lies.

Now for specific and practical Group Policy advice:

Guy's Troubleshooting Advice

 When troubleshooting, ask your self what was the last thing I did?  Now undo those settings and see if that cures your problem.
Q1) Have you refreshed the Group Policy settings? Run Gpupdate /force
Q2) Why is my Group Policy not working?

a) Is the user and the computer in the correct OU?  Check which OU the user and the computer is located.

b) Check Block Inheritance.

c) Possibly a No Override policy is preventing your settings.

d) Has the user 'Apply Policy' Permission?  Or have they 'Deny Policy' Permission?
Q3) Could it be a synchronization problem?

There are two factors in Group Policy synchronization. Active directory replication from the FSMO master to the other DCs.  Also FRS (file replication services) replicating the very group policies under the sysvol\sysvol folder.

Be ruthless, logon an as an administrator at the Windows 2003 server, which holds the FSMO PDC Emulator master and see if that cures the problem.
Q4) You want to know which Policies are in force
Q5) Can I refresh the policy without a reboot? That depends!  Most do.  Gpupdate /force refreshes the policy instantly, however some policies require a reboot or a user to logon again.  For example, Software policies.
Q6) Why can't I open the policy editor? Perhaps you only have 'Read only' permission.  Full control is needed to open the GPO.

Monitor Your Network with the Real-time Traffic AnalyzerSolarwinds Real-time Traffic Analyzer

The main reason to monitor your network is to check that your all your servers are available.  If there is a network problem you want an interface to show the scope of the problem at a glance.

Even when all servers and routers are available, sooner or later you will be curious to know who, or what, is hogging your precious network's bandwidth.  A GUI showing the top 10 users makes interesting reading.

Another reason to monitor network traffic is to learn more about your server's response times and the use of resources.  To take the pain out of capturing frames and analysing the raw data, Guy recommends that you download a copy of the SolarWinds free Real-time NetFlow Analyzer.
Q7) What causes 'Failed to open the Group Policy object' Most likely a DNS problem.  Try NSLookup, Ping, Ipconfig to confirm or deny the diagnosis.
Q8) Why do I get the 'Missing Active Directory Container' message? Hopefully, the problem is just a delayed DC replication.  Try and force domain replication in Active Directory Sites and Services, drill down trough Server to  NTDS and synchronise.
Q9) How can I stop this error:  'The Feature you are trying to install cannot be found'? Check the share and NTFS permission on the .MSI package folder.
Q9) My Script Policy does not work For specific help with logon scripts, Check out this section
Q10) My VBScript Policy does not execute via Group Policy? The script runs perfectly as a console user, but not as a logon script on a Workstation.  Solution: make sure that on the Workstation, the primary DNS server = Domain controller.

If necessary set the DNS server manually rather than relying on DHCP

I thank Bob Phillips for this tip.
Q11) Spaces in Script names? Beware spaces in logon script names.  E.g. Head Quarters.vbs .  Try Head_Quarters.vbs. 

Thanks again to Bob Phillips for this tip.
Q12) Where do I start creating a Group Policy?
  • On Windows Server 2003, navigate to the Active Directory Users and Computers.
  • right-click the Domain object, Properties, Group Policy (Tab)
  • Next 'click' the Edit (button) and you will see the policy settings.
Q13) If all else fails Check the Event Viewer.  Filter the Application Log for Source = SceCli.  Really we should have checked here FIRST!

If you find a suspicious entry, then check the ID numbers and details in TechNet.
Q14) I have made a terrible foul up.  My policies are a disaster Run DcGpoFix to return the default Group Policies to their original state.

 
Q15) Would Block Inheritance help? Judicious use of Block Inheritance can isolate a probem.

Group Policy Troubleshooting Tools

  • Resultant Set Of Policy (RSOP) Wizard
  • Gpresult
  • Gpupdate
  • DcGpoFix
  • Dsacls
  • WinPolicies
  • GPOTool
  • Event Viewer and Application Log

Solarwinds Config GeneratorGuy Recommends: The Free Config Generator

SolarWinds' Config Generator is a free tool, which puts you in charge of controlling changes to network routers and other SNMP devices.  Boost your network performance by activating network device features you've already paid for.

Guy says that for newbies the biggest benefit of this free tool is that it will provide the impetus for you to learn more about configuring the SNMP service with its 'Traps' and 'Communities'. Try Config Generator now - it's free!

Download your free copy of Config Generator

Group Policy Drive MapsGroup Policy Map Drive

The modern group policy method of drive mapping does not require any knowledge of either VBScript or PowerShell.  In Windows Server 2008 you can launch the GPMC and configure Drive Maps in the Preferences section.  See more on Group Policy Drive Maps.

Summary of Troubleshooting Group Policy Settings

While it has some risks, I would logon to a Domain Contoller then get a very simple, innocuous policy working for an administrator.  It's amazing what a little success can do.  From there create a test OU with a test user and experiment.

If you have just set a policy and it does not work, check what refresh settings are necessary, logoff --> logon, or reboot.  The next level of troubleshooting is to see if it's a latency problem, you applied the Policy, but the setting has not reached the client machine.  Hence my tip of trying the policies on the domain controller.

See more Group Policies for Windows Users

Group Policies   • GPO Internet Explorer   • Group Policy Block Inheritance   • Logon Script Policies

Start Menu Group Policies   • Network Policies  • GPMC   • Troubleshooting Group Policies

Group Policy Overview  • Group Policy Results  • System Group Policies   • Software Installation

If you like this page then please share it with your friends

 

 *

Custom Search

Site Home

Guy Recommends: SolarWinds' NPM - Review of Orion NPM
Network Performance Monitor

SolarWinds' performance monitor is designed for detecting network outages, making it easy to see what's working, and what needs your attention.

This utility guides you through creating network maps; it also helps identifying whether the root cause is faulty equipment, or resource overload. Give NPM a try.

Download a free trial of Network Performance Monitor

Author: Guy Thomas Copyright © 1999-2013 Computer Performance LTD All rights reserved.

Please report a broken link, or an error to: