Group Policy processing typically involves complex sets of actions. These apply the necessary policies to users, user groups, and computers within one or more domains in your organization.
Due to the number and complexity of the various overlapping Group Policy processes, Group Policy can be difficult to troubleshoot. So you need a good
idea of the processes that are involved and the tools you can use for problem solving.
When a client machine begins to process Group Policy with Windows Server 2008, processing takes place in two phases – core processing, followed by client side extension (CSE) processing. Core Group Policy processing occurs each time a user logs onto their computer to determine whether the domain controller can be reached, whether changes have been made to any of the Group Policy objects (GPOs), or to verify which policy settings need to be processed.
Once core processing is complete, the core Group Policy engine – responsible for performing core processing tasks – calls on CSEs to start processing the settings that apply to a client. Each CSE then uses its own set of rules to process the various settings in each of the policy setting categories. These categories include Security Settings, Administrative Templates, and Software Settings. Because Group Policy applies to both computers and users, Group Policy processes typically repeat. For example, a process may occur once for an individual computer, and again for both the computer and the user currently logged onto the system. Each time a process runs on a computer, the process can have a different set of policies that it refers to. There are typically a number of overlapping policies for each process that Group Policy performs. So you may need to use various tools to find the cause of a Group Policy-related problem on the network or within a domain.
Group Policy Management Console (GPMC)
You use the GPMC to perform management tasks related to Group Policy. This console is included as a snap-in with Windows Server 2008.You can also use the GPMC to find the cause of problems on your network.
You can use several tools to ensure that your Group Policy settings are consistently available:
You can use the GPOTool if you suspect that Group Policy information is not being replicated correctly within your domain. It is a command-line tool that is part of the Windows Server 2008 Resource Kit and checks your domain controllers for consistency. You can only use this tool if your domain has more than one domain controller.
You can use GPMC reports to review all the defined settings in a GPO. The IE Maintenance section of reports indicates whether content ratings and
connections are deployed and whether Preference Mode is specified. It also displays the core information for wireless and Internet Protocol Security (IPsec).
You can also use GPMC reports to review Resultant Set of Policy (RSoP) that are being applied on a computer to determine a GPO’s impact.
You can use the gpupdate command to force Windows to refresh local Group Policy settings – including security settings – and Group Policy settings stored in the Active Directory. By using the gpupdate command, you ensure that any changes that were made to GPOs are applied to the network immediately
in order to update clients. This can resolve Group Policy issues, such as security-related GPOs that were causing problems because they weren’t being
The two kinds of reports you can generate by using the GPMC are Group Policy Results reports and Group Policy Modeling reports.
- Group Policy Modeling reports enable you to determine the policies that Group Policy will apply for a specific client before the policies are actually applied. You require a Windows Server 2008 domain controller if you want to create Group Policy Modeling reports.
- Group Policy Results reports show the policies that are already in effect for a client. Or you can use these reports to review information regarding key events that has been logged for policies relating to the client.
When using the gpupdate command to update your Group Policy settings, you can use various parameters with the command.
For instance, using the /force parameter ignores all processing optimizations and reapplies all settings. By using the /boot parameter with the gpupdate command, you can restart the computer automatically once the Group Policy settings have been refreshed.
Using the gpresult.exe command
When checking Group Policy for errors, you can use the GPResult tool to gather RSoP data for computers running Windows Server 2008 in your organization. The information you get as a result of using the GPResult tool is similar to using a Group Policy Results report in the GPMC.
Traditionally, running the gpresult command to troubleshoot a specific user or computer’s Group Policy settings redirected the output to a text file. With Group Policy
in Windows Server 2008, you can now run gpresult and display the output in HTML or XML format.
This enables you to generate an RSoP report, similar to GPMC reports, which include headings to make the results easier to review.
You can run the gpresult command on any computer to which you have access. And by default the command will display results for all the Group Policy settings that are being applied for the computer on which you run the command.
You can use parameters, such as /F, /H, and /X, with the gpresult command to create an RSoP report.
/F You add the /F parameter if you want to force Group Policy to overwrite any files that exist as a result of previous instances in which the gpresult.exe command had been used.
/H You use the /H parameter to instruct Group Policy to display the results of running the gpresult command in HTML format. This automatically changes the file extension of the resulting file to .html.
/X You use the /X parameter to ensure that the results of running the gpresult command display in XML format. This automatically changes the file extension to .xml.