5 Troubleshooting and Backing Up GPOs

16/11/2014
5 Troubleshooting and Backing Up GPOs

Section Topics
Using Group Policy Troubleshooting Tools
Integration of RSoP Functionality
Using Logging Options
Backing Up, Restoring, Importing, and Copying GPOs
Building Migration Tables
Section Objectives
After completing this section, you will be able to:

Describe the Group Policy troubleshooting tools
Describe the GPMC tools that have RSoP functionality
Describe the GPO logging tools used to obtain more detail about the GPO processing issues
Explain how to back up, restore, import, and copy GPOs using the GPMC
Explain how to build migration tables
Section Overview
This section explains how to use the RSoP tools to determine whether policies are being
processed in the correct manner. It also explains how to use the available tools to troubleshoot
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=
1/51
16/11/2014
policy issues; back up, restore, import, copy, and search for GPOs; and migrate GPOs from
one domain to another.
Using Group Policy Troubleshooting Tools
Figure 104: Using Group Policy Troubleshooting Tools

Finding out where an unwelcome Group Policy setting came from can be hard if you are not
aware of the tools that are available for the various versions of Windows. In Windows Server
2003, you will find some of the Group Policy troubleshooting tools on the Windows operating
system CD in the Support\Tools folder. The Windows 2003 Resource Kit has additional
tools for Group Policy troubleshooting. Many of the Group Policy troubleshooting tools are
now built into the Windows Server 2008 and later operating systems.
Note: The gpotool.exe and replmon.exe tools are considered deprecated and are no
longer supported or enhanced by Microsoft. They are now replaced by other tools and
functionality in newer versions of Windows.
This topic describes some of the more common tools that you can use with Group Policy,
which are listed in Figure 104. This topic also explains how you can use these tools to
troubleshoot Group Policy.
2/51
16/11/2014
Group Policy Results
Figure 105: Group Policy Results

Microsoft supplies several command-line tools that you can use to troubleshoot Group Policy
deployment and the health of the existing GPOs. One of these tools is Gpresult (Group Policy
Results). The Gpresult tool is useful for analyzing many facets of Group Policy. It provides
RSoP details as shown in Figure 105.
Gpresult Tool Options
Figure 106: Gpresult Tool Options

Figure 106 shows some of the Gpresult tool options. The complete list is shown in Figure 107.
GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]

3/51
16/11/2014
[/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]
Description:
This command line tool displays the Resultant Set of Policy
(RSoP)
information for a target user and computer.
Parameter List:
/S
system
Specifies the remote system to connect
[domain\]user
Specifies the user context under which
to.
/U
the command
should execute.
Can not be used with /X, /H.
/P
[password]
Specifies the password for the
given user
context. Prompts for input if omitted.
Can not be used with /X, /H.
/SCOPE
scope
Specifies whether the user or the
computer
settings needs to be displayed.
Valid values: "USER","COMPUTER".
/USER
[domain\]user
Specifies the user name for which
the RSOP data

is to be displayed.
/X
<filename>
Saves the report in XML format at
the location
and with the file name specified
4/51
16/11/2014
by the <filename> parameter.

(valid in Windows
Vista SP1 and Windows Server 2008)
/H
<filename>
Saves the report in HTML format at
the location
with the file name specified by
the <filename> parameter. (valid
in Windows
Vista SP1 and Windows Server 2008)
/F
Forces gpresult to overwrite the
file name
specified in the /X or /H command.
/R
Displays RSoP summary data.
/V
Specifies that verbose information
should be
displayed. Verbose information provides additional detailed
settings that have
been applied with a precedence of 1.
/Z
Specifies that the super-verbose
information
should be displayed. Super-verbose information provides
additional detailed
settings that have been applied with a precedence of 1 and
higher. This allows
you to see if a setting was set in multiple places. See the Group
Policy
online help topic for more information.
/?
Displays this help message.
5/51
16/11/2014
Examples:
GPRESULT /R
GPRESULT /H GPReport.html
GPRESULT /USER targetusername /V
GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
GPRESULT /S system /U username /P password /SCOPE USER /V
Figure 107: Gpresult Options: Complete List
Note
When you use the super-verbose option (/Z) in the Gpresults tool, the output will
overload the command prompt window. Use the redirect (>) option and direct the output to a
file: C:\gpresult /Z > gpsettings.txt
Group Policy Update
Figure 108: Group Policy Update

6/51
16/11/2014
Windows 2000 computer systems used the Secedit command-line tool to refresh Group Policy
settings without rebooting. For Windows XP and later versions, the command-line tool,
Gpupdate is used.
Running gpupdate without any switches will ask for a gpupdate of any policies whose
version numbers are not up to date. It will, therefore, only download the policies that have
changed.
Some policy changes do not update with this normal refresh. On other occasions, the version
numbering on the policies may become out of sync. In these situations, it may be necessary to
force a download of all the policies from scratch using the gpupdate /force command.
Unfortunately, in a large environment where many policies are available, the gpupdate /force
command will download all of the policies that could apply to the user or computer.
Therefore, use the /force switch only when it is necessary.
Using the Gpupdate Tool
To use the Gpupdate tool, open a command prompt and type gpupdate.exe. You can use
various switches to control the output of the Gpupdate tool.
The syntax for the Gpupdate.exe command is:
gpupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot]
Following are the details for each of the switches:
By default, both user and computer policy settings are updated. Use the following switch to
specify that only the user or computer policy settings are immediately updated.
/target: Computer | User
By default, only the policy settings that have been changed are applied. Use the following
switch to reapply all the policy settings:
/force
7/51
16/11/2014
Use the following switch to set the number of seconds you have to wait for the processing
of the policy to finish:
/wait:value
Use the following switch to log off from the selected computer after the policy settings have
been updated:
/logoff
Some policy settings can be processed only at startup; for example, computer-based policy
settings usually require a reboot. Use the following switch to restart your computer after the
policy settings have been updated:
/boot
Note
The default update cycle for refreshing Group Policy is 90 minutes (with a
random 30-minute offset) on domain members and 5 minutes on domain controllers.
GPMC Remote Update
8/51
16/11/2014
Figure 109: GPMC Remote Update

In Windows Server 2012 and Windows 8 Client, the GPMC now has a GPUpdate option
built-in to the console. Using this option will perform a remote GPUpdate against any
computers in the selected OU.
The remote update is sent out as a scheduled request with a random time interval so that all
systems to not attempt to perform the update simultaneously.
Group Policy Verification Tool
Figure 110: Group Policy Verification Tool

9/51
16/11/2014
Every domain in Active Directory should have more than one domain controller. When you
have multiple domain controllers, you can use the Gpotool command-line tool to ensure that
the contents of all the linked Sysvol folders in the domain contain valid and up-to-date GPOs.
Note
The Gpotool is considered a deprecated tool as of Windows Server 2012 and has
been replaced by greater functionality within the GPMC via the Infrastructure Status tab.
The Gpotool tool can also check for version mismatches between the GPT stored in the
Sysvol folder and the GPC in Active Directory.
If errors occur, check the System and Directory Services event logs on the listed domain
controller showing the problem. For instance, if you want to verify if a GPO called Corporate
Desktop Settings on a certain domain called MyDomain is in sync, type the following in a
command prompt window:
Gpotool/gpo:Corporate Desktop Settings/dc:MyDomain
When you use the Gpotool tool, you can also check the following Group Policy components:
Group Policy object consistency: You can check the GUID of each GPO and all Sysvol
data.
Group Policy object replication: You can check the times and instances of when
replication has occurred.
Friendly-name searching: You can search your GPOs by the given name of each GPO.
Selective search: You can specify which domain controllers the Gpotool tool will query.
Multiple domains: You can check policies in different domains.
Verbose mode: You can display a validation list of each working GPO and a detailed error
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize
10/51
16/11/2014
report of each damaged GPO policy.
Note
You can download the Gpotool tool from www.microsoft.com.
GPMC Infrastructure Status
Figure 111: GPMC Infrastructure Status

The GPMC Infrastructure Status tab allows you to check the replication status of the domain
to make sure Group Policy files and settings are being replicated successfully to other domain
controllers.
This tool is informational only and does not provide an option to perform replication. You can
use the Repadmin command-line tool if you need to manually force replication to occur..
Replication Monitor
11/51
16/11/2014
Figure 112: Replication Monitor

You can use the Active Directory Replication Monitor (Replmon) tool to gather a wide variety
of replication details. You can also use it to monitor the replication status of current GPOs per
domain.
Note
The Replmon tool is considered a deprecated tool as of Windows Server 2008

and has been replaced by the more functional command-line Repadmin.exe tool.
The following topics explain how to use the Replmon tool to check the current GPO
replication status and to check the GPO version numbers.
Using the Replmon Tool to Check Replication Status
To check the current GPO replication status, follow these steps:
1.
Open the Replmon tool from the Support Tools menu.
2.
Right-click Add Monitored Server and enter the FQDN of the server.
12/51
16/11/2014
3.
On the View menu, select Options.
4.
Click the Status Logging tab, select GPO Policy Objects under Monitored Servers,
and then click OK.
5.
Click the Update Manually button and type 1 for the refresh monitor cycle.
After 1 minute, and for every minute thereafter, the current GPOs display an updated status
as shown in Figure 112.
Note
To install the support tools, on the Windows 2000 and Windows 2003 Server CDs, click
rktools.msi in the Support\Tools folder.
The Replmon tool is not included in any toolset specific to Windows
Server 2008 or later. However, you can install the rktools.exe package from Windows Server
2003 on Windows Vista or later operating systems to obtain these tools.
Using the Replmon Tool to Check GPO Version Numbers
13/51
16/11/2014
Figure 113: Using the Replmon Tool to Check GPO Version Numbers
To find additional details on the replication status, right-click the server icon and, from the
context menu, select Show Group Policy Replication.
Any differences between the GPC and the GPT will result in different version numbers: the
Version column corresponds to the GPC status, and the Sysvol version represents the GPT.
You can add additional domain controllers to the view of the Replmon tool for comparison
purposes.
Repadmin
14/51
16/11/2014
Figure 114: Repadmin

The Repadmin.exe command-line tool can be used to perform all of the functions that are
found within the graphical Replmon tool and more.
Some operations are certainly more visual in the Replmon tool, but the Repadmin.exe tool has
the advantage of being scriptable and less cumbersome when performing multiple operations.
Since Replmon is deprecated, Repadmin should be used in most situations today.
The syntax for Repadmin is as follows:
C:\>repadmin
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:
{password|*}]
[/retry[:<retries>][:<delay>]]
[/csv]
Use these commands to see the help:
/?
Displays a list of commands available for use
in repadmin and
their
description.
/help
Same as /?
/?:<cmd>
Displays the list of possible arguments <args>,
appropriate
syntaxes and examples for the specified command
<cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced
users only.
/listhelp
Displays the variations of syntax available for
the DSA_NAME,
15/51
16/11/2014
DSA_LIST, NCNAME and OBJ_LIST strings.

/oldhelp
Displays a list of deprecated commands that
still work but

are no longer supported by Microsoft.
Supported <cmd> commands (use /?<cmd> for detailed help):

/kcc
Forces the KCC on targeted domain controller(s) to
immediately
recalculate its inbound replication topology.
/prp
This command allows an admin to view or modify the

password replication policy for RODCs.
/queue
Displays inbound replication requests that the
DC
needs to issue
to become consistent with its source
replication partners.
/replicate
Triggers the immediate replication of the
specified directory
partition to the destination domain controller
from the
source DC.
/replsingleobj Replicates a single object between any two
domain
controllers that have common directory
partitions.
/replsummary The replsummary operation quickly and

concisely summarizes
the replication state and relative health of a
forest.
16/51
16/11/2014
/rodcpwdrepl Triggers replication of passwords for the

specified user(s)
from the source (Hub DC) to one or more Read
Only DC's.
/showattr Displays the attributes of an object.
/showobjmeta Displays the replication metadata for a

specified object
stored in Active Directory, such as attribute
ID, version
number, originating and local Update Sequence
Number (USN),
and
originating server's GUID and Date and Time
stamp.
/showrepl Displays the replication status when specified
domain
controller
last attempted to inbound replicate Active
Directory
partitions.
/showutdvec displays the highest committed Update Sequence

Number (USN)
that the targeted DC's copy of Active
Directory shows as
committed for itself and its transitive
partners.
/syncall Synchronizes a specified domain controller with

all replication
17/51
16/11/2014
partners.
Supported additional parameters:
/u:
Specifies the domain and user name separated by a
backslash
{domain\user} that has permissions to perform
operations in
Active Directory. UPN logons not supported.
/pw:
Specifies the password for the user name entered
with the /u
parameter.
/retry This parameter will cause repadmin to repeat its

attempt to bind
to the target dc should the first attempt fail
with one of
the
following error status:
1722 / 0x6ba : "The RPC Server is unavailable"

1753 / 0x6d9 : "There are no more endpoints
available from
the
endpoint mapper"
/csv
Used with /showrepl to output results in comma
separated
value format. See /csvhelp
Note: Most commands take their parameters in the order of

"Destination or
Target DSA_LIST", then a "Source DSA_NAME" if
18/51
16/11/2014
required, and finally

the
NC or Object DN if required.
<DSA_NAME> (or <DSA_LIST>) is a Directory Service
Agent binding
string. For Active Directory Domain Services, this
is simply a
network
label (such as a DNS, NetBios, or IP address) of a
Domain
Controller.
For Active Directory Lightweight Directory
Services, this must be
a
network label of the AD LDS server followed by a
colon and the
LDAP
port of the AD LDS instance
Examples (AD DS):
dc-01
dc-01.microsoft.com
Examples (AD LDS): ad-am-01:2000

ad-am-01.microsoft.com:2000
<Naming Context> is the Distinguished Name of the

root of the NC
Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with
International
or
Unicode characters will only display correctly if
appropriate fonts
and
language support are loaded.
19/51
16/11/2014
Get-GPResultantSetOfPolicy
Figure 115: Get-GPResultantSetOfPolicy

Get-GPResultantSetOfPolicy is a PowerShell cmdlet that can perform the same type of
operations as the Gpresult.exe comand. However, this tool is more powerful since it is able to
fully utilize the PowerShell pipeline and object structure.
The Get-GPResultantSetOfPolicy cmdlet can output the RSOP data in either an HTML or
XML format. The HTML output will be identical to that produced by GPresult or the Policy
Results output in the GPMC.
Get-GPResultantSetOfPolicy syntax:
PS C:\test> help Get-GPResultantSetOfPolicy -full
NAME
Get-GPResultantSetOfPolicy
SYNOPSIS
Outputs the Resultant Set of Policy (RSoP) information
for a user, a
computer, or both to a file.
SYNTAX
20/51
16/11/2014
Get-GPResultantSetOfPolicy [-Computer <String>] [-User

<String>] -Path
<String> -ReportType <ReportType> [<CommonParameters>]
DESCRIPTION
The Get-GPResultantSetofPolicy cmdlet outputs the
Resultant Set of Policy
(RSoP) information for a user, a computer, or both to a
file.
-Computer
Specifies the name of the computer for
which to generate
the report.
-Path
Specifies the path to the report file.
-ReportType
Specifies the report type in either HTML
or XML.
-User
The name of the use for which to
generate the report.

-------------------------- EXAMPLE 1 -------------------------
C:\PS>get-gpresultantsetofpolicy -reporttype xml

-path c:\reports\LocalUserAndComputerReport.xml
-------------------------- EXAMPLE 2 ------------------------C:\PS>Get-GPResultantSetOfPolicy -reporttype xml -computer
computer08.contso.com
21/51
16/11/2014
-path c:\reports\computer-08.xml
Invoke-GPUpdate
Figure 116: Invoke-GPUpdate

Invoke-GPUpdate is a new PowerShell cmdlet that can perform more powerful GPUpdate
operations. It can be used to update the local or a remote machine or users settings. It can
also be used to schedule a GPUpdate in the future, up to 31 days later. The refresh is
automatically offset by a random delay.
Invoke-GPUpdate syntax:
NAME
Invoke-GPUpdate
SYNOPSIS
Schedule a remote Group Policy refresh (gpupdate) on the
specified
computer.
SYNTAX
Invoke-GPUpdate [[-Computer] <String>] [[https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize
22/51
16/11/2014
RandomDelayInMinutes] <Int32>]
[-AsJob
[<SwitchParameter>]] [-Boot [<SwitchParameter>]] [-
Force
[<SwitchParameter>]] [-LogOff
[<SwitchParameter>]] [-Target
<String>]
[<CommonParameters>]
Invoke-GPUpdate [[-Computer] <String>] [[RandomDelayInMinutes] <Int32>]

[-AsJob
[<SwitchParameter>]] [-Boot [<SwitchParameter>]] [-
LogOff
[<SwitchParameter>]] [-Sync
[<SwitchParameter>]] [-Target
<String>]
[<CommonParameters>]
-AsJob
Runs the cmdlet as a background job.
-Boot
Causes a computer restart after
policies are applied

for CSEs that require a restart.
-Computer
The name of the remote computer to
schedule a refresh
for.
-Force
Reapplies all policy settings instead
of only
updating changes.
-Logoff
Causes a logoff after policies are
applied for CSEs

that require a logoff / logon to be applied.
23/51
16/11/2014
-ReandomDelayInMinutes
The amount of time that the Task
Scheduler will wait

before running the refresh.
-Sync
Causes user policies applied at logon
to be performed
Synchronously instead of the default Asynchronous processing.
-Target
Refresh only the User or Computer
policy settings.
-------------------------- EXAMPLE 1 --------------------------
PS C:\> Invoke-GPUpdate
This command schedules a Group Policy refresh on the computer on

which you are
running theInvoke-GPUpdate cmdlet.
-------------------------- EXAMPLE 2 --------------------------
PS C:\> Invoke-GPUpdate -computer COMPUTER-02 -Target user -Sync
This command schedules a Group Policy refresh on a remote

computer
(CONTOSO\COMPUTER-02) which will only schedule to update the user
policy
settings in synchronous mode.
Integration of RSoP Functionality

24/51
16/11/2014
Figure 117: Integration of RSoP Functionality

You can troubleshoot Group Policy via the RSoP (Resultant Set of Policy) snap-in to the
MMC (Rsop tool [rsop.msc]). When you are planning and testing or troubleshooting Group
Policy, RSoP helps to trace how the policy links are applied for a specified user and a
specified computer. It also identifies effective settings and winning policy objects.
In the spirit of making the GPMC the primary tool for Group Policy management, Microsoft
has integrated RSoP functionality into the GPMC (with a slight change to the names of the
tools).
This integration means that:
RSoP logging mode in the RSoP console becomes Group Policy Results in the GPMC.
RSoP planning mode in the RSoP console becomes Group Policy Modeling in the
GPMC.
When you consider the HTML reporting capabilities of the GPMC, it is hard to see why
anybody would continue to use the RSoP tool if they have access to GPMC. In fact,
Microsoft recommends that you abandon the older tool.
25/51
16/11/2014
Figure 118: Group Policy Results

The Group Policy Results tool in the GPMC corresponds to the RSoP logging mode and
presents real information that reflects how the policy is applied. To start a modeling run, in
the console pane of the GPMC window, right-click the Group Policy Results node, and
select Group Policy
Results Wizard.
The wizard prompts you to make the following choices:

Specify which computer you want to process: the local computer or a different computer
that you specify.
Select how you want to display policy settings: the user object only, not the computer
object. (This is a check box.)
Specify which user account you want to process: the current logged-on user or a
different user that you specify. (You are limited to users who have logged on to your
computer and for whose accounts you have read access.)
When the run is complete, the details pane of the GPMC shows three tabs:
26/51
16/11/2014
Summary: An HTML report of the warnings, errors and alerts that may have occurred
during polciy processing.
Settings: An HTML report of the policy settings, the GPO list, security group
memberships, and WMI filters that would be applied in the scenario
Events: A list of policy-related events from the event log of the target computer and a
useful troubleshooting resource
These three tabs correlate with a new sub-node in the console pane under the Group Policy
Results node. These sub-nodes will continue to accumulate with every new run of the wizard.
By right-clicking the sub-node corresponding to a specific modeling session, you can:
Save the results to disk.
Run the query again.
Run a new query with this one as a template.
Choose Advanced View to invoke the RSoP console and view the precedence information
that does not appear in the HTML Settings report. (The HTML Setting report only lists the
winning GPO.)
Group Policy Modeling
Figure 119: Group Policy Modeling

Group Policy Modeling in the GPMC corresponds to the RSoP planning mode, meaning that it
permits you to perform a simulation before actually applying the policy. It requires that at least
one domain controller in the Active Directory forest is running Windows Server 2003 or later;
27/51
16/11/2014
if that is not the case, the node will not appear in the GPMC.
To start a modeling run, in the console pane of the GPMC window, right-click the Group
Policy Objects node, and select Group Policy Modeling Wizard. However, you will
probably find it more convenient to right-click the specific domain or OU node, which
preloads the wizard with the appropriate data.
In a modeling run, you can select the following:
User container
Computer container
Slow network simulation (yes/no)
Loopback mode (no/merge/replace)
Site name
User security groups
Computer security groups
WMI filters for users
WMI filters for computers
When the run is complete, the details pane of the GPMC shows three tabs:
Summary: An HTML report of the GPO list, security group memberships, and WMI filters
Settings: An HTML report of the policy settings that would be applied in the scenario
Query: A listing of the selections that you made when running the wizard
These three tabs correlate with a new sub-node in the console pane under the Group Policy
Modeling node. These sub-nodes continue to accumulate with every new run of the wizard.
By right-clicking the sub-node corresponding to a specific modeling session, you can:
28/51
16/11/2014
Save the results to disk.

Run the query again.
Run a new query with this one as a template.
Choose Advanced View to invoke the RSoP console and view the precedence information
that does not appear in the HTML Settings report.
Creating an HTML File for Reporting
Figure 120: Creating an HTML File for Reporting

The GPMC, and the Gpresult and Get-GPResultantSetOfPolicy command-line tools have the
ability to produce reports in the form of HTML file output. These reports can be invaluable
when it comes to viewing and analyzing the policies that are configured and determine where
the policies came from.
Any user with read access to a given GPO can open the GPMC and view or report on its
settings, which helps IT support the users and OU administrators.
You even have some control over what appears on the report, via the Show and Hide links at
each section header. At the top of the report, you can also click Show All to expand all
sections. The GPMC also allows you to:
Report on the settings contained in any particular GPO.
29/51
16/11/2014
Under Group Policy Objects, right-click an entry and select Save Report to create an
HTML file with the settings (see Figure 120). The report contains the full contents of the
Settings tab, plus information from the Scope, Details, and Delegation tabs.
Right-click anywhere on the Settings tab and select Print to print the report as it appears
on the window.
Report on the results of an RSoP session (that is, Group Policy Results or Group Policy
Modeling).
Under Group Policy Results or Group Policy Modeling, right-click a saved session
and select Save Report to create an HTML file with the settings.
Right-click anywhere on the Settings tab and select Print to print the report as it appears
on the window.
A couple of GMC reporting tips are:

To view the HTML reports that the GPMC saves, you must use at least Windows Internet
Explorer 6 or Netscape 7.
To use the show/hide capability, you must use at least Windows Internet Explorer 6.
A few problems with GPMC reporting are:

The reported data for IPSec and Wireless settings is incomplete.
The reported data for Windows Internet Explorer Security Zones and Privacy settings is
incomplete (customized Java settings do not appear).
The reported data for Windows Internet Explorer Content Ratings is incomplete (settings
details do not appear).
New Error Reporting Details
30/51
16/11/2014
Figure 121: New Error Reporting Details

The HTML reports that are generated by the GPMC, Gpupdate.exe and GetGPResultantSetOfPolicy now contain additional error reporting information. These additional
details are very useful in troubleshooting group policy issues.
After running Group Policy Results or Group Policy Modeling, the Summary tab may contain
a red X with a link listing the number of errors detected. Click on the link to display the
specific errors that occurred.
The Policy Events tab displays all Group Policy related events from the Event Log.
Using Logging Options
Figure 122: Using Logging Options

You can obtain basic troubleshooting information related to Group Policy through the
Windows Event Viewer. For additional troubleshooting, more detail can be enabled and sent to
the Windows Event Log and a separate Userenv.log file.
31/51
16/11/2014
The Userenv.log File
Figure 123: The Userenv.log File

You can obtain complete details on the users logon process through the local registry. The
Userenv.log file is populated with a detailed verbose log of the logon process.
To turn on debug logging, modify the registry on the computer on which the logging occurs.
Use the Regedit tool to add the following registry value at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
You can enter the following values for UserEnvDebugLevel:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002
32/51
16/11/2014
LOGFILE 0x00010000
DEBUGGER 0x00020000
You can combine the previous values. For example, you can combine VERBOSE
0x00000002 and LOGFILE 0x00010000 to get 0x00010002. This turns on both LOGFILE
and VERBOSE.
Note
The default value is NORMAL|LOGFILE (0x00010001). To disable logging,

select NONE (where the value is 0X00000000).
On the next reboot and logon, the Userenv.log file is written to:
%SystemRoot%\Debug\UserMode.
Make sure you check these two essential components in the Userenv.log file:
Verify that the distinguished name of the computer or user is being recognized. If Windows
cannot determine the distinguished name, it will not be able to properly parse Active
Directory to determine which GPOs to apply to the user or computer.
Determine if any GPOs are being skipped because the user does not have the proper
permissions on the GPO. (The user should have read and applied Group Policy
permissions.)
Event Logs
33/51
16/11/2014
Figure 124: Event Logs

The Application Event Log records all GPO events with a minimum amount of detail. To get
verbose results for troubleshooting, you must edit the registry. After you edit it, the
Application Event Log will provide you with additional details about which GPO is being
applied.
le verbose logging of GPOs, you must add a registry key to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Diagnostics
Under the Diagnostics sub-key, add a REG_DWORD value named
RunDiagnosticsLoggingGlobal and assign it a value of 1.
After a reboot, the diagnostic logging will be enabled. Every major step in processing GPOs
triggers an event log entry.
Helpful Hint
Many Group Policy error codes have not been well documented. However, you
can find a reference list on microsoft.com. Search for Troubleshooting Group Policy Using
34/51
16/11/2014
Event Logs.
Backing Up, Restoring, Importing, and Copying GPOs
Figure 125: Backing Up, Restoring, Importing, and Copying GPOs

In a large, complex environment, it is important to provide the ability to restore GPOs
independent of the full backups of the Active Directory environment. The Group Policy
Management Console includes the ability to perform backups and restores of individual
policies, or all policies in the domain.
This topic explains how to back up, restore, import, and copy GPOs.
Backing Up GPOs
Figure 126: Backing Up GPOs

Considering the importance of GPOs, having backups is highly desirable. The GPOs do exist
in Active Directory and the Sysvol shares, so if you have multiple domain controllers, you
35/51
16/11/2014
already have redundancy. However, without the GPMC, you do not have a convenient way
of restoring individual GPOs and importing GPO settings into other GPOs. Both of these
capabilities are enabled by the GPMC backup facility. When you are backing up GPOs,
remember the following: Backing up refers to the process of copying the contents of a live
GPO into any specified folder location on the computer or network where you have write
permissions (see Figure 126).
You can back up multiple policy objects to the same folder.
You can back up multiple versions of the same policy object to the same folder.
You can restore or import backed-up GPOs.
The GPMC includes a user interface for managing backed-up policy objects (right-click the
Group Policy Objects node and select Manage Backups).
The following topic describes how to back up GPOs.

Procedure for Backing Up GPOs (1)
Figure 127: Procedure for Backing Up GPOs

The procedure for backing up a GPO in the console is straightforward:
36/51
16/11/2014
1.
Navigate to the domain of interest in the console pane.
2.
Expand the Group Policy Objects node.
3.
Right-click the policy object that you want to back up, and select Back Up.
Procedure for Backing Up GPOs (2)
Figure 128: Procedure for Backing Up GPOs (cont.)

4.
Select a target folder to which you have write access. You can browse to this location,
and you can also create a new folder, if necessary.
5.
Create a description for the backup. This description will appear later when you are
managing your backups from within the GPMC.
6.
Click the Back Up button.
7.
Click OK when the backup is complete.
An alternative method is available if you wish to back up all the GPOs in a given domain. You
can use this approach to re-create the entire Group Policy structure on another domain.
To back up all the GPOs, navigate to the domain of interest, right-click the Group Policy
Objects node, and then select Back Up All. Follow steps 4 through 7 to finish backing up all
the GPOs.
37/51
16/11/2014
Managing the Backups

You can manage the backups that you have created from the Manage Backups dialog box.
Right-click the Group Policy Objects node and select Manage Backups. In the Manage
Backups dialog box, you will see the following information:
Backup location
List of backed up GPOs, including domain, name, timestamp, description, and GPO ID
A check box to show only the latest version of each GPO
A Restore button, which restores the selected GPO to its original domain
A Delete button
A View Settings button, which generates an HTML report listing the settings in the selected
GPO (a convenient feature)
A Close button
Restoring GPOs
Figure 129: Restoring GPOs

You would generally restore a GPO when you have deleted it and want it back, or when you
have modified it (either its contents or its ACL) and want to return it to some prior condition.
38/51
16/11/2014
In these situations, restoring a GPO is much the same as restoring a file or folder.
When you are restoring backed up files, remember the following:
Restoring refers to the process of putting a backed-up GPO back into its original location
(that is, domain) with all its original settings intact (including security settings).
Even if you are restoring a deleted GPO, it will have the same GUID that it had originally.
You cannot restore a GPO to a domain other than the one from which it was backed up.
The following topics describe how to restore GPOs and some of the caveats of restoring them.
Procedure for Restoring GPOs
The procedure for restoring a GPO varies depending on whether the GPO exists or has been
deleted.
If the GPO still exists, and you just want to return it to some prior state, right-click the
GPO in the Group Policy Objects container and select Restore from Backup.
Follow the wizard.
To restore a GPO with this procedure, you must have the following permissions on it:
edit settings, delete, and modify security.
If the GPO has been deleted, right-click the Group Policy Objects container, select
Manage Backups, find the backed-up GPO, select it, and click the Restore button.
To restore a GPO with this procedure, you must have the right to create GPOs.
Caveats of Restoring GPOs

Restoring GPOs has some drawbacks:
39/51
16/11/2014
If you restore a deleted GPO, the links it had are not automatically restored. You have to
restore them manually.
If you restore a deleted GPO that includes software deployment settings, and those settings
included the option to uninstall when the application falls outside the scope of
management, users might see those assigned or published applications uninstall and then
reinstall, after the restoration of the GPO. The reason for this is that Windows thinks the
applications are new because they get a new deployment object GUID after the restore
(even though the GUID of the actual GPO remains the same as it was).
If you rename a domain, you cannot restore a GPO that was backed up before the rename
operation.
Importing GPOs
Figure 130: Importing GPOs

Importing a GPO transfers the settings in a backed-up GPO to an existing and active GPO.
Importing never creates a new GPO.
An export command for GPOs does not exist. Backing up a GPO is the functional
equivalent of exporting it.
The following topics explain why you might want to import GPOs and how to import them.
40/51
16/11/2014
Reasons for Importing GPOs

In certain situations, you might want to import a GPO rather than simply restore it. For
instance:
You do not want to create a new GPO, but instead, you want to augment the settings
contained in an existing GPO without changing any of the security settings (ACEs) of that
existing GPO.
You want to migrate a GPO from one domain to another, but you do not have connectivity
and trust relationships between the domains. To elaborate:
If you did have connectivity with trusts, you would simply perform a copy operation
(drag-and-drop) instead of a back-up-and-restore cycle.
The restore operation always restores a GPO to the domain from which it was backed
up, so you cannot use it to migrate a GPO from one domain to another.
Procedure for Importing GPOs

To import a backed-up GPO:
1.
In the Group Policy Objects node of the console, right-click an existing GPO, and
select Import.
2.
Specify the backed-up GPO whose settings you would like to import. You can also
specify a migration table.
Copying GPOs
41/51
16/11/2014
Figure 131: Copying GPOs

You can use the GPMC to copy and paste GPOs, either via the context menu of the GPO or
by dragging and dropping. How is this different from importing GPOs?
A copy operation always creates a new GPO at the destination location; an import operation
never does.
A copy operation always starts with an active GPO; an import operation starts with a
backed-up GPO.
The following topic describes the requirements for copying GPOs.

Requirements for Copying GPOs
In order to copy a GPO from one location to another, the source and target locations must
have physical connectivity and a trust relationship. If you are copying a GPO from one
domain to another within the same forest, these requirements are usually not a problem.
However, if you are copying a GPO from one domain to another in a different forest, then
you must either have a forest trust in place (Windows Server 2003 and later only), or you
must perform a backup-and-import operation rather than a copy operation.
Building Migration Tables

42/51
16/11/2014
Figure 132: Building Migration Tables

Active Directory was not created to enable administrators to copy a large number of objects
between domains. Therefore, the process for copying a GPO from one domain to another is a
little complex. If all you have in a particular GPO are Administrative Templates settings, that
is, registry-based policies, then you can use a simple drag-and-drop method to copy GPOs.
However, if your GPO contains more settings, then you should expect some migration
conflicts.
This topic explains how to use migration tables to resolve SID and UNC path conflicts and
how to build a migration table.
Using Migration Tables to Resolve SID and UNC Path

Conflicts
Migration tables can help resolve the SID and UNC path conflicts that can arise from moving
GPOs from one domain to another.
SID Conflicts
GPOs tend to contain domain-specific SIDs. For example, user rights (part of the Security
Settings node of a Group Policy Object) typically include references to domain groups, such
as Backup Operators.
The SID for the Backup Operators group in Domain A is not the same as the SID for the
Backup Operators group in Domain B. This mismatch is a problem, so you would need, in
this case, the ability to map the migration of SIDs. In addition, explicit, user-specific access
controls might have been set forth in the origin domain; these, too, would need to map over to
43/51
16/11/2014
different SIDs in the destination domain.

The types of policies that could include SID information and, therefore, possibly need
remapping, include the following:
File system permissions (NTFS)
Folder redirection
Software settings (specifically, ACLs on software deployment objects)
User rights assignments
UNC Path Conflicts
Another potential migration problem arises from the fact that some GPOs contain settings
that use UNC notation to reference specific network paths. For example, an assigned
software package might specify a distribution point within the domain; in fact, it is likely to
do so. When that policy moves to a new domain, the distribution point might no longer be
available due to permissions issues. Even if it is available, there might be performance (and
administrative) problems associated with the cross-domain traffic.
The types of policies that could include UNC information, and therefore possibly need
remapping, include the following:
Folder redirection
Software settings
Logon, logoff, startup, and shutdown scripts
Building a Migration Table
44/51
16/11/2014
Figure 133: Building a Migration Table

The solution to the problem of moving GPOs from one domain to another is to build a
migration table for security principals and UNC paths that require translation. Put the old
setting on the left and the new setting on the right.
After you create the migration table, you can specify the migration table during the GPO copy
operation, and it will act much like a global search-and-replace facility for all occurrences of
the specified SIDs and paths.
You can build migration tables with the Mtedit tool. You can either run the tool or invoke it
from within the GPMC by right-clicking the Domains node and selecting Open Migration
Table Editor. (You can also right-click the Group Policy Objects node to get to this menu
choice.) The XML data files associated with the Mtedit tool have the extension .migtable.
The sample migration table included by Microsoft with the GPMC appears in Figure 133 and
illustrates many of the possible combinations of format for each of the three columns.
Note the <Map by Relative name> entry in the Destination Name column. This is
shorthand for Replace the original domain name with the destination domain name, but keep
everything else the same. That is, testdomain1\Group02 would become
testdomain2\Group02.
Note also the <Same As Source> entry in the Destination Name column. This is shorthand
45/51
16/11/2014
for Dont change a thing; in fact, this entry doesnt even need to be here except perhaps to
clarify that we know this entry doesnt need to change.
Helpful Hint
You can use migration tables both for copying and for importing GPOs.
Acronyms
The following acronyms are used in this section:
ACE
access control entry
ACL
access control list
CD
compact disc
FRS
File Replication Service
GPC
Group Policy container
GPMC Group Policy Management Console

GPO
Group Policy object
GPT
Group Policy template
GUID
globally unique identifier
HTML Hypertext Markup Language

ID
identification or identifier
IPSec
IP Security
IT
Information Technology
MMC
Microsoft Management Console
NTFS
New Technology File System
OU
organizational unit
PDC
Primary domain controller
RSoP
Resultant Set of Policy
SID
security identifier
SP1
Service Pack 1
46/51
16/11/2014
UNC
Universal Naming Convention
WAN
wide area network
WMI
Windows Management
Instrumentation
XML
Extensible Markup Language
Section Review
Summary
A few of the command-line tools that you can use to troubleshoot Group Policy
deployment and the health of the existing GPOs are:
Group Policy Results: This tool provides RSoP details.
Group Policy Update: This tool refreshes Group Policy settings without rebooting.
GPO Verification tool: This tool ensures that the contents of all the linked Sysvol
folders in the domain contain valid and up-to-date GPOs. It also checks for version
mismatches between the GPT stored in the Sysvol folder and the GPC in Active
Directory.
Replication Monitor: This tool gathers a wide variety of replication details. It also
monitors the replication status of current GPOs per domain.
The RSoP helps to trace how the policy links are applied for a specified user and a
specified computer. It also identifies effective settings and winning policy objects.
Some of the RSoP tools that you can use to troubleshoot GPO processing are:
Group Policy Results: This tool presents real information that reflects how the policy
is applied.
Group Policy Modeling: This tool permits you to perform a simulation before actually
applying the policy.
HTML file for reporting: Both the GPMC and the Gpresult command-line tools can
47/51
16/11/2014
produce reports in the form of HTML file output. Using these reports, you can view and
analyze the policies that are configured and determine where the policies came from.
The GPO logging tools that you can use to obtain more detail about the GPO processing
issues are:
The Userenv.log: This log contains a detailed verbose log of the logon process.
Event logs: These logs record all GPO events with a minimum amount of detail.
You can back up, restore, import, and copy GPOs. The purpose of these functions are:
Back Up: This function copies the contents of a live GPO into any specified folder
location on the computer or network where you have write permissions.
Restore: This function restores a GPO when you have deleted it and want it back, or
when you have modified it (either its contents or its ACL) and want to return it to some
prior condition.
Import: This function transfers the settings in a backed-up GPO to an existing and active
GPO. (The import process does not create a new GPO.)
Copy: This function creates a new GPO at the destination location. It starts with an
active GPO.
Use the Mtedit tool to build migration tables. You can either run the tool or invoke it from
within the GPMC (right-click the Domains node and select Open Migration Table
Editor).
Knowledge Check
1.
Name and describe the two GPO logging tools.
2.
Describe the following tools:

Replication Monitor
3.
Which tool is used to build migration tables?
48/51
16/11/2014
4.
a.
Userenv
b.
GPO Migration
c.
Mtedit
d.
Event log
Match each GPO process with its correct description. Write the letter of the description
in the Answer column.
Answer
GPO
Description
Process
Restore
1.________
A.Creates a new GPO at the destination location. It starts with an active

GPO.
Back up
2.________
B.Restores a GPO when you have deleted it and want it back, or when
you have modified it (either its contents or its ACL) and want to return it
to some prior condition.
3.________
Copy
C.Transfers the settings in a backed-up GPO to an existing and active

GPO.
Import
4.________
5.
D.Copies the contents of a live GPO into any specified folder location on
the computer or network where you have write permissions.
Which RSoP tool does the following text describe?

This tool presents real information that reflects how the policy is applied.
a.
b.
HTLM file for reporting
c.
d.
Group Policy Verification
Knowledge Check Answer Key

49/51
16/11/2014
The correct answers to the Knowledge Check questions are bolded.

1.
Name and describe the two GPO logging tools.

The Userenv.log: Contains a detailed verbose log of the logon process.
Event logs: Record all GPO events with a minimum amount of detail.
2.
Describe the following tools:

Group Policy Results: This tool provides RSoP details.
Replication Monitor: This tool gathers a wide variety of replication details. It also
monitors the replication status of current GPOs per domain.
3.
4.
Which tool is used to build migration tables?

a.
Userenv
b.
GPO Migration
c.
Mtedit
d.
Event log
Match each GPO process with its correct description.

Answer
Group
Description
Policy
Feature
1.
2.
Restore
A.Creates a new GPO at the destination location. It starts with an active GPO.
Back up
B.Restores a GPO when you have deleted it and want it back, or when you
have modified it (either its contents or its ACL) and want to return it to some
prior condition.
3.
4.
Copy
C.Transfers the settings in a backed-up GPO to an existing and active GPO.
Import
D.Copies the contents of a live GPO into any specified folder location on the
computer or network where you have write permissions.
50/51
16/11/2014
5.
Which RSoP tool does the following text describe?

This tool presents real information that reflects how the policy is applied.
a.
b.
HTLM file for reporting
c.
d.
Group Policy Verification
51/51

5 Troubleshooting and Backing Up GPOs

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

5 Troubleshooting and Backing Up GPOs

Hochgeladen von

Copyright:

Verfügbare Formate

16/11/2014