Group Policy Troubleshooting Tools

Group Policy processing typically involves complex sets of actions. These apply the necessary policies to users, user groups, and computers within one or more domains in your organization.

Due to the number and complexity of the various overlapping Group Policy processes, Group Policy can be difficult to troubleshoot. So you need a good
idea of the processes that are involved and the tools you can use for problem solving.

When a client machine begins to process Group Policy with Windows Server 2008, processing takes place in two phases – core processing, followed by client side extension (CSE) processing. Core Group Policy processing occurs each time a user logs onto their computer to determine whether the domain controller can be reached, whether changes have been made to any of the Group Policy objects (GPOs), or to verify which policy settings need to be processed.

Once core processing is complete, the core Group Policy engine – responsible for performing core processing tasks – calls on CSEs to start processing the settings that apply to a client. Each CSE then uses its own set of rules to process the various settings in each of the policy setting categories. These categories include Security Settings, Administrative Templates, and Software Settings.  Because Group Policy applies to both computers and users, Group Policy processes typically repeat. For example, a process may occur once for an individual computer, and again for both the computer and the user currently logged onto the system. Each time a process runs on a computer, the process can have a different set of policies that it refers to.  There are typically a number of overlapping policies for each process that Group Policy performs. So you may need to use various tools to find the cause of a Group Policy-related problem on the network or within a domain.

Group Policy Management Console (GPMC)

You use the GPMC to perform management tasks related to Group Policy. This console is included as a snap-in with Windows Server 2008.You can also use the GPMC to find the cause of problems on your network.

You can use several tools to ensure that your Group Policy settings are consistently available:


You can use the GPOTool if you suspect that Group Policy information is not being replicated correctly within your domain. It is a command-line tool that is part of the Windows Server 2008 Resource Kit and checks your domain controllers for consistency. You can only use this tool if your domain has more than one domain controller.

GPMC reports

You can use GPMC reports to review all the defined settings in a GPO. The IE Maintenance section of reports indicates whether content ratings and
connections are deployed and whether Preference Mode is specified. It also displays the core information for wireless and Internet Protocol Security (IPsec).
You can also use GPMC reports to review Resultant Set of Policy (RSoP) that are being applied on a computer to determine a GPO’s impact.

GPUPDATE command

You can use the gpupdate command to force Windows to refresh local Group Policy settings – including security settings – and Group Policy settings stored in the Active Directory. By using the gpupdate command, you ensure that any changes that were made to GPOs are applied to the network immediately
in order to update clients. This can resolve Group Policy issues, such as security-related GPOs that were causing problems because they weren’t being

The two kinds of reports you can generate by using the GPMC are Group Policy Results reports and Group Policy Modeling reports.

  • Group Policy Modeling reports enable you to determine the policies that Group Policy will apply for a specific client before the policies are actually applied. You require a Windows Server 2008 domain controller if you want to create Group Policy Modeling reports.
  • Group Policy Results reports show the policies that are already in effect for a client. Or you can use these reports to review information regarding key events that has been logged for policies relating to the client.

When using the gpupdate command to update your Group Policy settings, you can use various parameters with the command.

For instance, using the /force parameter ignores all processing optimizations and reapplies all settings. By using the /boot parameter with the gpupdate command, you can restart the computer automatically once the Group Policy settings have been refreshed.

Using the gpresult.exe command

When checking Group Policy for errors, you can use the GPResult tool to gather RSoP data for computers running Windows Server 2008 in your organization. The information you get as a result of using the GPResult tool is similar to using a Group Policy Results report in the GPMC.

Traditionally, running the gpresult command to troubleshoot a specific user or computer’s Group Policy settings redirected the output to a text file. With Group Policy
in Windows Server 2008, you can now run gpresult and display the output in HTML or XML format.

This enables you to generate an RSoP report, similar to GPMC reports, which include headings to make the results easier to review.

You can run the gpresult command on any computer to which you have access. And by default the command will display results for all the Group Policy settings that are being applied for the computer on which you run the command.

You can use parameters, such as /F, /H, and /X, with the gpresult command to create an RSoP report.

/F You add the /F parameter if you want to force Group Policy to overwrite any files that exist as a result of previous instances in which the gpresult.exe command had been used.

/H You use the /H parameter to instruct Group Policy to display the results of running the gpresult command in HTML format. This automatically changes the file extension of the resulting file to .html.

/X  You use the /X parameter to ensure that the results of running the gpresult command display in XML format. This automatically changes the file extension to .xml.


Unable to Open/View Roles in Server Manager (Windows Server 2008)

If you’re unable to open/view roles in Server Manager (Windows Server 2008) , the problem might be with a patch which was not installed properly Or the server is not rebooted for long time after patches installation. Here are the steps to be followed to resolve the error.

Problem Description

a. In server manager you can not see any roles or features that are installed and in the bottom of the screen there is an error that says:

Last refresh: Failed Enable Error Details

b. When you click on Error Details you’ll see the following error :
Unexpected error refreshing Server Manager: No signature was present in the subject. (Exception from HRESULT: 0x800B0100)
Problem Resolution
Step 1. Determine Update state of system

a. This step can be done by using a new tool developed by Microsoft to resolve these kind of issues :
WS08 ·
b. When you install this “Update” a logfile will be generated at c:\windows\logs\CBS with the name CheckSUR.log
The content of this log :
Checking System Update Readiness.Version 6.0.6001.222752008-10-18 09:38
Checking Deployment Packages
Checking Package Manifests and catalogs.
Checking package watchlist.
Checking component watchlist.
Checking packages.(f) CBS MUM Missing 0x00000002 servicing\packages\Package_for_KB951978_server_0~31bf3856ad364e35~amd64~~ (f) CBS MUM Missing 0x00000002 servicing\packages\Package_for_KB951978_server~31bf3856ad364e35~amd64~~ (f) CBS MUM Missing 0x00000002 servicing\packages\Package_for_KB951978~31bf3856ad364e35~amd64~~
Checking component store Checking SMI StoreSummary:Milliseconds: 197278Found 3 errors CBS MUM Missing Total Count: 3
Checking component store

c. This means that from the KB951978 *.MUM files are missing in the packages store (located at c:\windows\servicing\packages)
Step 2. Retrieve the missing files

a. Download the KB Update as we need to extract files from it. In your Update History you can find this update fast as it is listed as the first failed update that happened :


b. Now double click this update.

c. Click on the link to the KB Article, this link will open internet explorer and just scroll down to the download links on the page :
d. Download the related package, rename the extension of the file from MSU to CAB
e. Open the file

f. Extract the CAB file to another location for example c:\temp
g. Open the cab file and search for the files that are listed in the checksur.log, extract those files to another lcoation (C:\temp)
h. Most of the time 1 of the files can not be found : Here it is
i. Extract the update.mum instead and rename it to the missing name.
j.Now we have a collection of files that need to be copied to a protected location (C:\Windows\servicing\packages)
Step 3. Install the missing files

a. First we need to unprotect the packages directory so we can copy files to it
right click “Packages” Folder and choose properties, select tab security, click advanced and click on the tab “Owner”


b. As you can see the correct owner (trusted installer) is listed, for now you need to change the ownership to your own account. When done, you will be returned to the security overview, add yourself with full control permission to the folder

c. Now we can copy the missing files to the packages directory.
d. Most of the times you need to rerun the update to determine which files are missing and it will list *.CAT files as missing so you need to repeat the steps for extracting and copying the missing files.
e. If Still the check says that one package is missing, rename & update.mum to that missing package name and copy those files to c:\windows\servicing\packages.
f.Rerun the update detection until the log file does not report any missing files.
g.When all is well, the error’s in server manager are gone :

And the Roles can be viewed again :

Don’t forget to set the rights of the Packages folder back to how they were.