Computer Performance, Windows Server 2003

3CX Phone System for Windows - VOIP IP PBX

3CX Phone System for Windows -
VOIP IP PBX

Get your 5 free applications now

Application Publishing with 2X ApplicationServer

 

Troubleshooting Group Policy in Windows Server2003

Guy RecommendsGFi Events Manager

A solution to monitor, manage and archive thousands of events that are generated by devices across the entire network. 
Download FREE trial

Troubleshooting Group Policy Tips

I have distilled my troubleshooting tips for solving problems with Group Policy on Windows Server 2003.  My advice ranges from the obvious, gpupdate, to the obscure, spaces in policy names.

  1. Refresh the Policy with Gpupdate
  2. Check User and Computer are in the Correct OU
  3. Synchronization check FSMO, check FRS
  4. Which Group Policies are in force? - GPMC
  5. Do I need to reboot?
  6. Why can't I open the Group Policy Editor?
  7. What causes 'Failed to open the Group Policy object'
  8. Why do I get the 'Missing Active Directory Container' message?
  9. Error: 'The Feature you are trying to install cannot be found'?
  10.  My VBScript Policy does not execute via Group Policy?
  11. Spaces in Script names?
  12. Where do I start creating a Group Policy?
  13. If all else fails - check the event viewer
  14. I have made a terrible foul up.  My policies are a disaster

    Specific practical advice

TrainSignal - Recommended Training VideosTroubleshooting Group Policies is tricky

As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands on training.  In particular, I like the way TrainSignal cover all learning methods, instructor lead, video and of course text material.  You can either take one module, for example Group Policy or go for a combination of modules.  See more about Group Policy training here

Get into the troubleshooting state of mindtroubleshooting group policy

My first tip for troubleshooting Microsoft's Group Policy is this: Put yourself in the right frame of mind.  Get into 'State' as Anthony Robbins would say.  Believe that you are going to solve this problem.

80% of all computer problems are caused by a simple fault.  In the case of Group Policies, check that the user or computer is in the OU that you are testing.  By default, all computers are in the Computer folder.  That means that if you set a policy at an OU, the computer settings will have no effect on any computers still in the original computers folder.

A variation of this problem is, that people do not realize that Windows Server 2003 Domain Controllers have their own special policy, again find the Domain Controller container and configure that default policy.  I would advise against moving the Domain Controllers into an OU.

So, if you logon as a user and none of your policy settings apply - check to see that the user account is in the same OU as the policy you are testing.  Incidentally, when troubleshooting, this is why I always include one or two trivial computer settings along with main user setting that I am testing.  If the trivial computer settings work, but the one I am testing fails, then that pin points where the fault lies.

Now for specific and practical Group Policy advice:

Guy's Troubleshooting Advice

 When troubleshooting, ask your self what was the last thing I did?  Now undo those settings and see if that cures your problem.
Q1) Have you refreshed the Group Policy settings? Run Gpupdate /force
Q2) Why is my Group Policy not working?

a) Is the user and the computer in the correct OU?  Check which OU the user and the computer is located.

b) Check Block Inheritance.

c) Possibly a No Override policy is preventing your settings.

d) Has the user 'Apply Policy' Permission?  Or have they 'Deny Policy' Permission?
Q3) Could it be a synchronization problem?

There are two factors in Group Policy synchronization. Active directory replication from the FSMO master to the other DCs.  Also FRS (file replication services) replicating the very group policies under the sysvol\sysvol folder.

Be ruthless, logon an as an administrator at the Windows 2003 server, which holds the FSMO PDC Emulator master and see if that cures the problem.
Q4) You want to know which Policies are in force

  • GPMC - Run the results Wizard

  • RSoP - Useful for Microsoft's Windows 2000

  • Gpresult - Improved Switch /user
Q5) Can I refresh the policy without a reboot? That depends!  Most do.  Gpupdate /force refreshes the policy instantly, however some policies require a reboot or a user to logon again.  For example, Software policies.
Q6) Why can't I open the policy editor? Perhaps you only have read only permission.  Full control is needed to open the GPO.
Q7) What causes 'Failed to open the Group Policy object' Most likely a DNS problem.  Try NSLookup, Ping, Ipconfig to confirm or deny the diagnosis.
Q8) Why do I get the 'Missing Active Directory Container' message? Hopefully, its just a DC replication delay.  Try and force domain replication in Active Directory Sites and Services, drill down trough Server to  NTDS and synchronise.
Q9) How can I stop this error:  'The Feature you are trying to install cannot be found'? Check the share and NTFS permission on the .MSI package folder.
Q9) My Script Policy does not work For specific help with logon scripts, Check out this section
Q10) My VBScript Policy does not execute via Group Policy? The script runs perfectly as a console user, but not as a logon script on a Workstation.  Solution make sure that on the Workstation, the primary DNS server = Domain controller.

If necessary set the DNS server manually rather than relying on DHCP

I thank Bob Phillips for this tip.
Q11) Spaces in Script names? Beware spaces in logon script names.  E.g. Head Quarters.vbs .  Try Head_Quarters.vbs. 

Thanks again to Bob Phillips for this tip.
Thanks again to Bob Phillips for this tim
Q12) Where do I start creating a Group Policy?

  • On Windows Server 2003, navigate to the Active Directory Users and Computers.

  • Right click the Domain object, Properties, Group Policy (Tab)

  • Next 'click' the Edit (button) and you will see the policy settings.
Q13) If all else fails Check the Event Viewer.  Filter the Application Log for Source = SceCli.  Really we should have checked here FIRST!

If you find a suspicious entry, then check the ID numbers and details in TechNet.
Q14) I have made a terrible foul up.  My policies are a disaster Run DcGpoFix to return the default Group Policies to their original state.

 

°

TrainSignal - Recommended Training VideosTroubleshooting Group Policies is tricky

As an MCT trainer, I can thoroughly recommend TrainSignal because they provide practical hands on training.  In particular, I like the way TrainSignal cover all learning methods, instructor lead, video and of course text material.  You can either take one module, for example Group Policy or go for a combination of modules.  See more about Group Policy training here

 

 


 Group Policy ebook Windows 2003 Download my 'Master Group Policies' ebook only $6.25

The extra features you get in your eBook include: Spreadsheet with over 850 policies.  Printer friendly version over Word A4 pages in Word.

 *

Google

Web  This website

Solarwinds IpMonitorIs Your Server Running Slowly?

Check with SolarWinds ipMonitor

Analyze your network with ipMonitor.  Get a free evaluation copy, and monitor the performance of the servers on your network.
Free Download of SolarWinds ipMonitor

 

Home Copyright © 1999-2008 Computer Performance LTD All rights reserved

Please report a broken link, or an error.