You are on page 1of 51

16/11/2014

5 Troubleshooting and Backing Up GPOs

5 Troubleshooting and Backing Up GPOs


Section Topics
Using Group Policy Troubleshooting Tools
Integration of RSoP Functionality
Using Logging Options
Backing Up, Restoring, Importing, and Copying GPOs
Building Migration Tables

Section Objectives

After completing this section, you will be able to:


Describe the Group Policy troubleshooting tools
Describe the GPMC tools that have RSoP functionality
Describe the GPO logging tools used to obtain more detail about the GPO processing issues
Explain how to back up, restore, import, and copy GPOs using the GPMC
Explain how to build migration tables

Section Overview
This section explains how to use the RSoP tools to determine whether policies are being
processed in the correct manner. It also explains how to use the available tools to troubleshoot
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

1/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

policy issues; back up, restore, import, copy, and search for GPOs; and migrate GPOs from
one domain to another.

Using Group Policy Troubleshooting Tools

Figure 104: Using Group Policy Troubleshooting Tools


Finding out where an unwelcome Group Policy setting came from can be hard if you are not
aware of the tools that are available for the various versions of Windows. In Windows Server
2003, you will find some of the Group Policy troubleshooting tools on the Windows operating
system CD in the Support\Tools folder. The Windows 2003 Resource Kit has additional
tools for Group Policy troubleshooting. Many of the Group Policy troubleshooting tools are
now built into the Windows Server 2008 and later operating systems.

Note: The gpotool.exe and replmon.exe tools are considered deprecated and are no
longer supported or enhanced by Microsoft. They are now replaced by other tools and
functionality in newer versions of Windows.

This topic describes some of the more common tools that you can use with Group Policy,
which are listed in Figure 104. This topic also explains how you can use these tools to
troubleshoot Group Policy.

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

2/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Group Policy Results

Figure 105: Group Policy Results


Microsoft supplies several command-line tools that you can use to troubleshoot Group Policy
deployment and the health of the existing GPOs. One of these tools is Gpresult (Group Policy
Results). The Gpresult tool is useful for analyzing many facets of Group Policy. It provides
RSoP details as shown in Figure 105.
Gpresult Tool Options

Figure 106: Gpresult Tool Options


Figure 106 shows some of the Gpresult tool options. The complete list is shown in Figure 107.

GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

3/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

[/USER targetusername] [/R | /V | /Z] [(/X | /H) <filename> [/F]]

Description:
This command line tool displays the Resultant Set of Policy
(RSoP)
information for a target user and computer.

Parameter List:
/S

system

Specifies the remote system to connect

[domain\]user

Specifies the user context under which

to.

/U

the command
should execute.
Can not be used with /X, /H.
/P

[password]

Specifies the password for the

given user
context. Prompts for input if omitted.
Can not be used with /X, /H.
/SCOPE

scope

Specifies whether the user or the

computer
settings needs to be displayed.
Valid values: "USER","COMPUTER".

/USER

[domain\]user

Specifies the user name for which

the RSOP data


is to be displayed.

/X

<filename>

Saves the report in XML format at

the location
and with the file name specified
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

4/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

by the <filename> parameter.


(valid in Windows
Vista SP1 and Windows Server 2008)

/H

<filename>

Saves the report in HTML format at

the location
with the file name specified by
the <filename> parameter. (valid
in Windows
Vista SP1 and Windows Server 2008)

/F

Forces gpresult to overwrite the

file name
specified in the /X or /H command.

/R

Displays RSoP summary data.

/V

Specifies that verbose information

should be
displayed. Verbose information provides additional detailed
settings that have
been applied with a precedence of 1.

/Z

Specifies that the super-verbose

information
should be displayed. Super-verbose information provides
additional detailed
settings that have been applied with a precedence of 1 and
higher. This allows
you to see if a setting was set in multiple places. See the Group
Policy
online help topic for more information.

/?

Displays this help message.

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

5/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Examples:
GPRESULT /R
GPRESULT /H GPReport.html
GPRESULT /USER targetusername /V
GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
GPRESULT /S system /U username /P password /SCOPE USER /V

Figure 107: Gpresult Options: Complete List

Note

When you use the super-verbose option (/Z) in the Gpresults tool, the output will
overload the command prompt window. Use the redirect (>) option and direct the output to a
file: C:\gpresult /Z > gpsettings.txt

Group Policy Update

Figure 108: Group Policy Update


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

6/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Windows 2000 computer systems used the Secedit command-line tool to refresh Group Policy
settings without rebooting. For Windows XP and later versions, the command-line tool,
Gpupdate is used.
Running gpupdate without any switches will ask for a gpupdate of any policies whose
version numbers are not up to date. It will, therefore, only download the policies that have
changed.
Some policy changes do not update with this normal refresh. On other occasions, the version
numbering on the policies may become out of sync. In these situations, it may be necessary to
force a download of all the policies from scratch using the gpupdate /force command.
Unfortunately, in a large environment where many policies are available, the gpupdate /force
command will download all of the policies that could apply to the user or computer.
Therefore, use the /force switch only when it is necessary.
Using the Gpupdate Tool
To use the Gpupdate tool, open a command prompt and type gpupdate.exe. You can use
various switches to control the output of the Gpupdate tool.
The syntax for the Gpupdate.exe command is:
gpupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot]
Following are the details for each of the switches:
By default, both user and computer policy settings are updated. Use the following switch to
specify that only the user or computer policy settings are immediately updated.
/target: Computer | User
By default, only the policy settings that have been changed are applied. Use the following
switch to reapply all the policy settings:
/force
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

7/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Use the following switch to set the number of seconds you have to wait for the processing
of the policy to finish:
/wait:value
Use the following switch to log off from the selected computer after the policy settings have
been updated:
/logoff
Some policy settings can be processed only at startup; for example, computer-based policy
settings usually require a reboot. Use the following switch to restart your computer after the
policy settings have been updated:
/boot

Note

The default update cycle for refreshing Group Policy is 90 minutes (with a
random 30-minute offset) on domain members and 5 minutes on domain controllers.

GPMC Remote Update

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

8/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 109: GPMC Remote Update


In Windows Server 2012 and Windows 8 Client, the GPMC now has a GPUpdate option
built-in to the console. Using this option will perform a remote GPUpdate against any
computers in the selected OU.
The remote update is sent out as a scheduled request with a random time interval so that all
systems to not attempt to perform the update simultaneously.

Group Policy Verification Tool

Figure 110: Group Policy Verification Tool


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize=

9/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Every domain in Active Directory should have more than one domain controller. When you
have multiple domain controllers, you can use the Gpotool command-line tool to ensure that
the contents of all the linked Sysvol folders in the domain contain valid and up-to-date GPOs.
Note

The Gpotool is considered a deprecated tool as of Windows Server 2012 and has
been replaced by greater functionality within the GPMC via the Infrastructure Status tab.
The Gpotool tool can also check for version mismatches between the GPT stored in the
Sysvol folder and the GPC in Active Directory.
If errors occur, check the System and Directory Services event logs on the listed domain
controller showing the problem. For instance, if you want to verify if a GPO called Corporate
Desktop Settings on a certain domain called MyDomain is in sync, type the following in a
command prompt window:
Gpotool/gpo:Corporate Desktop Settings/dc:MyDomain
When you use the Gpotool tool, you can also check the following Group Policy components:
Group Policy object consistency: You can check the GUID of each GPO and all Sysvol
data.
Group Policy object replication: You can check the times and instances of when
replication has occurred.
Friendly-name searching: You can search your GPOs by the given name of each GPO.
Selective search: You can specify which domain controllers the Gpotool tool will query.
Multiple domains: You can check policies in different domains.
Verbose mode: You can display a validation list of each working GPO and a detailed error
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

10/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

report of each damaged GPO policy.

Note

You can download the Gpotool tool from www.microsoft.com.

GPMC Infrastructure Status

Figure 111: GPMC Infrastructure Status


The GPMC Infrastructure Status tab allows you to check the replication status of the domain
to make sure Group Policy files and settings are being replicated successfully to other domain
controllers.
This tool is informational only and does not provide an option to perform replication. You can
use the Repadmin command-line tool if you need to manually force replication to occur..

Replication Monitor

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

11/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 112: Replication Monitor


You can use the Active Directory Replication Monitor (Replmon) tool to gather a wide variety
of replication details. You can also use it to monitor the replication status of current GPOs per
domain.
Note

The Replmon tool is considered a deprecated tool as of Windows Server 2008


and has been replaced by the more functional command-line Repadmin.exe tool.
The following topics explain how to use the Replmon tool to check the current GPO
replication status and to check the GPO version numbers.
Using the Replmon Tool to Check Replication Status
To check the current GPO replication status, follow these steps:
1.

Open the Replmon tool from the Support Tools menu.

2.

Right-click Add Monitored Server and enter the FQDN of the server.

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

12/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

3.

On the View menu, select Options.

4.

Click the Status Logging tab, select GPO Policy Objects under Monitored Servers,
and then click OK.

5.

Click the Update Manually button and type 1 for the refresh monitor cycle.

After 1 minute, and for every minute thereafter, the current GPOs display an updated status
as shown in Figure 112.

Note
To install the support tools, on the Windows 2000 and Windows 2003 Server CDs, click
rktools.msi in the Support\Tools folder.
The Replmon tool is not included in any toolset specific to Windows
Server 2008 or later. However, you can install the rktools.exe package from Windows Server
2003 on Windows Vista or later operating systems to obtain these tools.
Using the Replmon Tool to Check GPO Version Numbers

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

13/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 113: Using the Replmon Tool to Check GPO Version Numbers
To find additional details on the replication status, right-click the server icon and, from the
context menu, select Show Group Policy Replication.
Any differences between the GPC and the GPT will result in different version numbers: the
Version column corresponds to the GPC status, and the Sysvol version represents the GPT.
You can add additional domain controllers to the view of the Replmon tool for comparison
purposes.

Repadmin

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

14/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 114: Repadmin


The Repadmin.exe command-line tool can be used to perform all of the functions that are
found within the graphical Replmon tool and more.
Some operations are certainly more visual in the Replmon tool, but the Repadmin.exe tool has
the advantage of being scriptable and less cumbersome when performing multiple operations.
Since Replmon is deprecated, Repadmin should be used in most situations today.
The syntax for Repadmin is as follows:

C:\>repadmin
Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:
{password|*}]
[/retry[:<retries>][:<delay>]]
[/csv]

Use these commands to see the help:

/?

Displays a list of commands available for use

in repadmin and
their
description.
/help

Same as /?

/?:<cmd>

Displays the list of possible arguments <args>,

appropriate
syntaxes and examples for the specified command
<cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced
users only.
/listhelp

Displays the variations of syntax available for

the DSA_NAME,
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

15/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

DSA_LIST, NCNAME and OBJ_LIST strings.


/oldhelp

Displays a list of deprecated commands that

still work but


are no longer supported by Microsoft.

Supported <cmd> commands (use /?<cmd> for detailed help):


/kcc

Forces the KCC on targeted domain controller(s) to

immediately
recalculate its inbound replication topology.
/prp

This command allows an admin to view or modify the


password replication policy for RODCs.

/queue

Displays inbound replication requests that the

DC

needs to issue
to become consistent with its source
replication partners.

/replicate

Triggers the immediate replication of the

specified directory
partition to the destination domain controller
from the
source DC.
/replsingleobj Replicates a single object between any two
domain
controllers that have common directory
partitions.

/replsummary The replsummary operation quickly and


concisely summarizes
the replication state and relative health of a
forest.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

16/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

/rodcpwdrepl Triggers replication of passwords for the


specified user(s)
from the source (Hub DC) to one or more Read
Only DC's.

/showattr Displays the attributes of an object.

/showobjmeta Displays the replication metadata for a


specified object
stored in Active Directory, such as attribute
ID, version
number, originating and local Update Sequence
Number (USN),
and
originating server's GUID and Date and Time
stamp.
/showrepl Displays the replication status when specified
domain
controller
last attempted to inbound replicate Active
Directory
partitions.

/showutdvec displays the highest committed Update Sequence


Number (USN)
that the targeted DC's copy of Active
Directory shows as
committed for itself and its transitive
partners.

/syncall Synchronizes a specified domain controller with


all replication
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

17/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

partners.
Supported additional parameters:

/u:

Specifies the domain and user name separated by a

backslash
{domain\user} that has permissions to perform
operations in
Active Directory. UPN logons not supported.
/pw:

Specifies the password for the user name entered

with the /u
parameter.

/retry This parameter will cause repadmin to repeat its


attempt to bind
to the target dc should the first attempt fail
with one of
the
following error status:

1722 / 0x6ba : "The RPC Server is unavailable"


1753 / 0x6d9 : "There are no more endpoints
available from
the
endpoint mapper"

/csv

Used with /showrepl to output results in comma

separated
value format. See /csvhelp

Note: Most commands take their parameters in the order of


"Destination or
Target DSA_LIST", then a "Source DSA_NAME" if
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

18/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

required, and finally


the
NC or Object DN if required.
<DSA_NAME> (or <DSA_LIST>) is a Directory Service
Agent binding
string. For Active Directory Domain Services, this
is simply a
network
label (such as a DNS, NetBios, or IP address) of a
Domain
Controller.
For Active Directory Lightweight Directory
Services, this must be
a
network label of the AD LDS server followed by a
colon and the
LDAP
port of the AD LDS instance
Examples (AD DS):

dc-01
dc-01.microsoft.com

Examples (AD LDS): ad-am-01:2000


ad-am-01.microsoft.com:2000

<Naming Context> is the Distinguished Name of the


root of the NC
Example: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with
International
or
Unicode characters will only display correctly if
appropriate fonts
and
language support are loaded.

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

19/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Get-GPResultantSetOfPolicy

Figure 115: Get-GPResultantSetOfPolicy


Get-GPResultantSetOfPolicy is a PowerShell cmdlet that can perform the same type of
operations as the Gpresult.exe comand. However, this tool is more powerful since it is able to
fully utilize the PowerShell pipeline and object structure.
The Get-GPResultantSetOfPolicy cmdlet can output the RSOP data in either an HTML or
XML format. The HTML output will be identical to that produced by GPresult or the Policy
Results output in the GPMC.
Get-GPResultantSetOfPolicy syntax:

PS C:\test> help Get-GPResultantSetOfPolicy -full

NAME
Get-GPResultantSetOfPolicy

SYNOPSIS
Outputs the Resultant Set of Policy (RSoP) information
for a user, a
computer, or both to a file.

SYNTAX
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

20/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Get-GPResultantSetOfPolicy [-Computer <String>] [-User


<String>] -Path
<String> -ReportType <ReportType> [<CommonParameters>]

DESCRIPTION
The Get-GPResultantSetofPolicy cmdlet outputs the
Resultant Set of Policy
(RSoP) information for a user, a computer, or both to a
file.

-Computer

Specifies the name of the computer for

which to generate
the report.

-Path

Specifies the path to the report file.

-ReportType

Specifies the report type in either HTML

or XML.

-User

The name of the use for which to

generate the report.


-------------------------- EXAMPLE 1 -------------------------

C:\PS>get-gpresultantsetofpolicy -reporttype xml


-path c:\reports\LocalUserAndComputerReport.xml
-------------------------- EXAMPLE 2 ------------------------C:\PS>Get-GPResultantSetOfPolicy -reporttype xml -computer
computer08.contso.com
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

21/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

-path c:\reports\computer-08.xml

Invoke-GPUpdate

Figure 116: Invoke-GPUpdate


Invoke-GPUpdate is a new PowerShell cmdlet that can perform more powerful GPUpdate
operations. It can be used to update the local or a remote machine or users settings. It can
also be used to schedule a GPUpdate in the future, up to 31 days later. The refresh is
automatically offset by a random delay.
Invoke-GPUpdate syntax:

NAME
Invoke-GPUpdate

SYNOPSIS
Schedule a remote Group Policy refresh (gpupdate) on the
specified
computer.

SYNTAX
Invoke-GPUpdate [[-Computer] <String>] [[https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

22/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

RandomDelayInMinutes] <Int32>]
[-AsJob

[<SwitchParameter>]] [-Boot [<SwitchParameter>]] [-

Force
[<SwitchParameter>]] [-LogOff

[<SwitchParameter>]] [-Target

<String>]
[<CommonParameters>]

Invoke-GPUpdate [[-Computer] <String>] [[RandomDelayInMinutes] <Int32>]


[-AsJob

[<SwitchParameter>]] [-Boot [<SwitchParameter>]] [-

LogOff
[<SwitchParameter>]] [-Sync

[<SwitchParameter>]] [-Target

<String>]
[<CommonParameters>]

-AsJob

Runs the cmdlet as a background job.

-Boot

Causes a computer restart after

policies are applied


for CSEs that require a restart.

-Computer

The name of the remote computer to

schedule a refresh
for.
-Force

Reapplies all policy settings instead

of only
updating changes.

-Logoff

Causes a logoff after policies are

applied for CSEs


that require a logoff / logon to be applied.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

23/51

16/11/2014

-ReandomDelayInMinutes

5 Troubleshooting and Backing Up GPOs

The amount of time that the Task

Scheduler will wait


before running the refresh.
-Sync

Causes user policies applied at logon

to be performed
Synchronously instead of the default Asynchronous processing.

-Target

Refresh only the User or Computer

policy settings.

-------------------------- EXAMPLE 1 --------------------------

PS C:\> Invoke-GPUpdate

This command schedules a Group Policy refresh on the computer on


which you are
running theInvoke-GPUpdate cmdlet.

-------------------------- EXAMPLE 2 --------------------------

PS C:\> Invoke-GPUpdate -computer COMPUTER-02 -Target user -Sync

This command schedules a Group Policy refresh on a remote


computer
(CONTOSO\COMPUTER-02) which will only schedule to update the user
policy
settings in synchronous mode.

Integration of RSoP Functionality


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

24/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 117: Integration of RSoP Functionality


You can troubleshoot Group Policy via the RSoP (Resultant Set of Policy) snap-in to the
MMC (Rsop tool [rsop.msc]). When you are planning and testing or troubleshooting Group
Policy, RSoP helps to trace how the policy links are applied for a specified user and a
specified computer. It also identifies effective settings and winning policy objects.
In the spirit of making the GPMC the primary tool for Group Policy management, Microsoft
has integrated RSoP functionality into the GPMC (with a slight change to the names of the
tools).
This integration means that:
RSoP logging mode in the RSoP console becomes Group Policy Results in the GPMC.
RSoP planning mode in the RSoP console becomes Group Policy Modeling in the
GPMC.

When you consider the HTML reporting capabilities of the GPMC, it is hard to see why
anybody would continue to use the RSoP tool if they have access to GPMC. In fact,
Microsoft recommends that you abandon the older tool.

Group Policy Results

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

25/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 118: Group Policy Results


The Group Policy Results tool in the GPMC corresponds to the RSoP logging mode and
presents real information that reflects how the policy is applied. To start a modeling run, in
the console pane of the GPMC window, right-click the Group Policy Results node, and
select Group Policy

Results Wizard.

The wizard prompts you to make the following choices:


Specify which computer you want to process: the local computer or a different computer
that you specify.
Select how you want to display policy settings: the user object only, not the computer
object. (This is a check box.)
Specify which user account you want to process: the current logged-on user or a
different user that you specify. (You are limited to users who have logged on to your
computer and for whose accounts you have read access.)

When the run is complete, the details pane of the GPMC shows three tabs:
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

26/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Summary: An HTML report of the warnings, errors and alerts that may have occurred
during polciy processing.
Settings: An HTML report of the policy settings, the GPO list, security group
memberships, and WMI filters that would be applied in the scenario
Events: A list of policy-related events from the event log of the target computer and a
useful troubleshooting resource

These three tabs correlate with a new sub-node in the console pane under the Group Policy
Results node. These sub-nodes will continue to accumulate with every new run of the wizard.
By right-clicking the sub-node corresponding to a specific modeling session, you can:
Save the results to disk.
Run the query again.
Run a new query with this one as a template.
Choose Advanced View to invoke the RSoP console and view the precedence information
that does not appear in the HTML Settings report. (The HTML Setting report only lists the
winning GPO.)

Group Policy Modeling

Figure 119: Group Policy Modeling


Group Policy Modeling in the GPMC corresponds to the RSoP planning mode, meaning that it
permits you to perform a simulation before actually applying the policy. It requires that at least
one domain controller in the Active Directory forest is running Windows Server 2003 or later;
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

27/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

if that is not the case, the node will not appear in the GPMC.
To start a modeling run, in the console pane of the GPMC window, right-click the Group
Policy Objects node, and select Group Policy Modeling Wizard. However, you will
probably find it more convenient to right-click the specific domain or OU node, which
preloads the wizard with the appropriate data.
In a modeling run, you can select the following:
User container
Computer container
Slow network simulation (yes/no)
Loopback mode (no/merge/replace)
Site name
User security groups
Computer security groups
WMI filters for users
WMI filters for computers

When the run is complete, the details pane of the GPMC shows three tabs:
Summary: An HTML report of the GPO list, security group memberships, and WMI filters
Settings: An HTML report of the policy settings that would be applied in the scenario
Query: A listing of the selections that you made when running the wizard

These three tabs correlate with a new sub-node in the console pane under the Group Policy
Modeling node. These sub-nodes continue to accumulate with every new run of the wizard.
By right-clicking the sub-node corresponding to a specific modeling session, you can:
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

28/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Save the results to disk.


Run the query again.
Run a new query with this one as a template.
Choose Advanced View to invoke the RSoP console and view the precedence information
that does not appear in the HTML Settings report.

Creating an HTML File for Reporting

Figure 120: Creating an HTML File for Reporting


The GPMC, and the Gpresult and Get-GPResultantSetOfPolicy command-line tools have the
ability to produce reports in the form of HTML file output. These reports can be invaluable
when it comes to viewing and analyzing the policies that are configured and determine where
the policies came from.
Any user with read access to a given GPO can open the GPMC and view or report on its
settings, which helps IT support the users and OU administrators.
You even have some control over what appears on the report, via the Show and Hide links at
each section header. At the top of the report, you can also click Show All to expand all
sections. The GPMC also allows you to:
Report on the settings contained in any particular GPO.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

29/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Under Group Policy Objects, right-click an entry and select Save Report to create an
HTML file with the settings (see Figure 120). The report contains the full contents of the
Settings tab, plus information from the Scope, Details, and Delegation tabs.
Right-click anywhere on the Settings tab and select Print to print the report as it appears
on the window.
Report on the results of an RSoP session (that is, Group Policy Results or Group Policy
Modeling).
Under Group Policy Results or Group Policy Modeling, right-click a saved session
and select Save Report to create an HTML file with the settings.
Right-click anywhere on the Settings tab and select Print to print the report as it appears
on the window.

A couple of GMC reporting tips are:


To view the HTML reports that the GPMC saves, you must use at least Windows Internet
Explorer 6 or Netscape 7.
To use the show/hide capability, you must use at least Windows Internet Explorer 6.

A few problems with GPMC reporting are:


The reported data for IPSec and Wireless settings is incomplete.
The reported data for Windows Internet Explorer Security Zones and Privacy settings is
incomplete (customized Java settings do not appear).
The reported data for Windows Internet Explorer Content Ratings is incomplete (settings
details do not appear).

New Error Reporting Details

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

30/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 121: New Error Reporting Details


The HTML reports that are generated by the GPMC, Gpupdate.exe and GetGPResultantSetOfPolicy now contain additional error reporting information. These additional
details are very useful in troubleshooting group policy issues.
After running Group Policy Results or Group Policy Modeling, the Summary tab may contain
a red X with a link listing the number of errors detected. Click on the link to display the
specific errors that occurred.
The Policy Events tab displays all Group Policy related events from the Event Log.

Using Logging Options

Figure 122: Using Logging Options


You can obtain basic troubleshooting information related to Group Policy through the
Windows Event Viewer. For additional troubleshooting, more detail can be enabled and sent to
the Windows Event Log and a separate Userenv.log file.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

31/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

The Userenv.log File

Figure 123: The Userenv.log File


You can obtain complete details on the users logon process through the local registry. The
Userenv.log file is populated with a detailed verbose log of the logon process.
To turn on debug logging, modify the registry on the computer on which the logging occurs.
Use the Regedit tool to add the following registry value at the following location:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
Value: UserEnvDebugLevel
Value Type: REG_DWORD
You can enter the following values for UserEnvDebugLevel:
NONE 0x00000000
NORMAL 0x00000001
VERBOSE 0x00000002

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

32/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

LOGFILE 0x00010000
DEBUGGER 0x00020000
You can combine the previous values. For example, you can combine VERBOSE
0x00000002 and LOGFILE 0x00010000 to get 0x00010002. This turns on both LOGFILE
and VERBOSE.
Note

The default value is NORMAL|LOGFILE (0x00010001). To disable logging,


select NONE (where the value is 0X00000000).
On the next reboot and logon, the Userenv.log file is written to:
%SystemRoot%\Debug\UserMode.
Make sure you check these two essential components in the Userenv.log file:
Verify that the distinguished name of the computer or user is being recognized. If Windows
cannot determine the distinguished name, it will not be able to properly parse Active
Directory to determine which GPOs to apply to the user or computer.
Determine if any GPOs are being skipped because the user does not have the proper
permissions on the GPO. (The user should have read and applied Group Policy
permissions.)

Event Logs

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

33/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 124: Event Logs


The Application Event Log records all GPO events with a minimum amount of detail. To get
verbose results for troubleshooting, you must edit the registry. After you edit it, the
Application Event Log will provide you with additional details about which GPO is being
applied.
le verbose logging of GPOs, you must add a registry key to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Diagnostics
Under the Diagnostics sub-key, add a REG_DWORD value named
RunDiagnosticsLoggingGlobal and assign it a value of 1.
After a reboot, the diagnostic logging will be enabled. Every major step in processing GPOs
triggers an event log entry.
Helpful Hint

Many Group Policy error codes have not been well documented. However, you
can find a reference list on microsoft.com. Search for Troubleshooting Group Policy Using
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

34/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Event Logs.

Backing Up, Restoring, Importing, and Copying GPOs

Figure 125: Backing Up, Restoring, Importing, and Copying GPOs


In a large, complex environment, it is important to provide the ability to restore GPOs
independent of the full backups of the Active Directory environment. The Group Policy
Management Console includes the ability to perform backups and restores of individual
policies, or all policies in the domain.
This topic explains how to back up, restore, import, and copy GPOs.

Backing Up GPOs

Figure 126: Backing Up GPOs


Considering the importance of GPOs, having backups is highly desirable. The GPOs do exist
in Active Directory and the Sysvol shares, so if you have multiple domain controllers, you
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

35/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

already have redundancy. However, without the GPMC, you do not have a convenient way
of restoring individual GPOs and importing GPO settings into other GPOs. Both of these
capabilities are enabled by the GPMC backup facility. When you are backing up GPOs,
remember the following: Backing up refers to the process of copying the contents of a live
GPO into any specified folder location on the computer or network where you have write
permissions (see Figure 126).
You can back up multiple policy objects to the same folder.
You can back up multiple versions of the same policy object to the same folder.
You can restore or import backed-up GPOs.
The GPMC includes a user interface for managing backed-up policy objects (right-click the
Group Policy Objects node and select Manage Backups).

The following topic describes how to back up GPOs.


Procedure for Backing Up GPOs (1)

Figure 127: Procedure for Backing Up GPOs


The procedure for backing up a GPO in the console is straightforward:
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

36/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

1.

Navigate to the domain of interest in the console pane.

2.

Expand the Group Policy Objects node.

3.

Right-click the policy object that you want to back up, and select Back Up.
Procedure for Backing Up GPOs (2)

Figure 128: Procedure for Backing Up GPOs (cont.)


4.

Select a target folder to which you have write access. You can browse to this location,
and you can also create a new folder, if necessary.

5.

Create a description for the backup. This description will appear later when you are
managing your backups from within the GPMC.

6.

Click the Back Up button.

7.

Click OK when the backup is complete.

An alternative method is available if you wish to back up all the GPOs in a given domain. You
can use this approach to re-create the entire Group Policy structure on another domain.
To back up all the GPOs, navigate to the domain of interest, right-click the Group Policy
Objects node, and then select Back Up All. Follow steps 4 through 7 to finish backing up all
the GPOs.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

37/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Managing the Backups


You can manage the backups that you have created from the Manage Backups dialog box.
Right-click the Group Policy Objects node and select Manage Backups. In the Manage
Backups dialog box, you will see the following information:
Backup location
List of backed up GPOs, including domain, name, timestamp, description, and GPO ID
A check box to show only the latest version of each GPO
A Restore button, which restores the selected GPO to its original domain
A Delete button
A View Settings button, which generates an HTML report listing the settings in the selected
GPO (a convenient feature)
A Close button

Restoring GPOs

Figure 129: Restoring GPOs


You would generally restore a GPO when you have deleted it and want it back, or when you
have modified it (either its contents or its ACL) and want to return it to some prior condition.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

38/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

In these situations, restoring a GPO is much the same as restoring a file or folder.
When you are restoring backed up files, remember the following:
Restoring refers to the process of putting a backed-up GPO back into its original location
(that is, domain) with all its original settings intact (including security settings).
Even if you are restoring a deleted GPO, it will have the same GUID that it had originally.
You cannot restore a GPO to a domain other than the one from which it was backed up.

The following topics describe how to restore GPOs and some of the caveats of restoring them.
Procedure for Restoring GPOs
The procedure for restoring a GPO varies depending on whether the GPO exists or has been
deleted.
If the GPO still exists, and you just want to return it to some prior state, right-click the
GPO in the Group Policy Objects container and select Restore from Backup.
Follow the wizard.
To restore a GPO with this procedure, you must have the following permissions on it:
edit settings, delete, and modify security.
If the GPO has been deleted, right-click the Group Policy Objects container, select
Manage Backups, find the backed-up GPO, select it, and click the Restore button.
To restore a GPO with this procedure, you must have the right to create GPOs.

Caveats of Restoring GPOs


Restoring GPOs has some drawbacks:
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

39/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

If you restore a deleted GPO, the links it had are not automatically restored. You have to
restore them manually.
If you restore a deleted GPO that includes software deployment settings, and those settings
included the option to uninstall when the application falls outside the scope of
management, users might see those assigned or published applications uninstall and then
reinstall, after the restoration of the GPO. The reason for this is that Windows thinks the
applications are new because they get a new deployment object GUID after the restore
(even though the GUID of the actual GPO remains the same as it was).
If you rename a domain, you cannot restore a GPO that was backed up before the rename
operation.

Importing GPOs

Figure 130: Importing GPOs


Importing a GPO transfers the settings in a backed-up GPO to an existing and active GPO.
Importing never creates a new GPO.
An export command for GPOs does not exist. Backing up a GPO is the functional
equivalent of exporting it.
The following topics explain why you might want to import GPOs and how to import them.
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

40/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Reasons for Importing GPOs


In certain situations, you might want to import a GPO rather than simply restore it. For
instance:
You do not want to create a new GPO, but instead, you want to augment the settings
contained in an existing GPO without changing any of the security settings (ACEs) of that
existing GPO.
You want to migrate a GPO from one domain to another, but you do not have connectivity
and trust relationships between the domains. To elaborate:
If you did have connectivity with trusts, you would simply perform a copy operation
(drag-and-drop) instead of a back-up-and-restore cycle.
The restore operation always restores a GPO to the domain from which it was backed
up, so you cannot use it to migrate a GPO from one domain to another.

Procedure for Importing GPOs


To import a backed-up GPO:
1.

In the Group Policy Objects node of the console, right-click an existing GPO, and
select Import.

2.

Specify the backed-up GPO whose settings you would like to import. You can also
specify a migration table.

Copying GPOs

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

41/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 131: Copying GPOs


You can use the GPMC to copy and paste GPOs, either via the context menu of the GPO or
by dragging and dropping. How is this different from importing GPOs?
A copy operation always creates a new GPO at the destination location; an import operation
never does.
A copy operation always starts with an active GPO; an import operation starts with a
backed-up GPO.

The following topic describes the requirements for copying GPOs.


Requirements for Copying GPOs
In order to copy a GPO from one location to another, the source and target locations must
have physical connectivity and a trust relationship. If you are copying a GPO from one
domain to another within the same forest, these requirements are usually not a problem.
However, if you are copying a GPO from one domain to another in a different forest, then
you must either have a forest trust in place (Windows Server 2003 and later only), or you
must perform a backup-and-import operation rather than a copy operation.

Building Migration Tables


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

42/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 132: Building Migration Tables


Active Directory was not created to enable administrators to copy a large number of objects
between domains. Therefore, the process for copying a GPO from one domain to another is a
little complex. If all you have in a particular GPO are Administrative Templates settings, that
is, registry-based policies, then you can use a simple drag-and-drop method to copy GPOs.
However, if your GPO contains more settings, then you should expect some migration
conflicts.
This topic explains how to use migration tables to resolve SID and UNC path conflicts and
how to build a migration table.

Using Migration Tables to Resolve SID and UNC Path


Conflicts
Migration tables can help resolve the SID and UNC path conflicts that can arise from moving
GPOs from one domain to another.
SID Conflicts
GPOs tend to contain domain-specific SIDs. For example, user rights (part of the Security
Settings node of a Group Policy Object) typically include references to domain groups, such
as Backup Operators.
The SID for the Backup Operators group in Domain A is not the same as the SID for the
Backup Operators group in Domain B. This mismatch is a problem, so you would need, in
this case, the ability to map the migration of SIDs. In addition, explicit, user-specific access
controls might have been set forth in the origin domain; these, too, would need to map over to
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

43/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

different SIDs in the destination domain.


The types of policies that could include SID information and, therefore, possibly need
remapping, include the following:
File system permissions (NTFS)
Folder redirection
Software settings (specifically, ACLs on software deployment objects)
User rights assignments
UNC Path Conflicts
Another potential migration problem arises from the fact that some GPOs contain settings
that use UNC notation to reference specific network paths. For example, an assigned
software package might specify a distribution point within the domain; in fact, it is likely to
do so. When that policy moves to a new domain, the distribution point might no longer be
available due to permissions issues. Even if it is available, there might be performance (and
administrative) problems associated with the cross-domain traffic.

The types of policies that could include UNC information, and therefore possibly need
remapping, include the following:
Folder redirection
Software settings
Logon, logoff, startup, and shutdown scripts

Building a Migration Table

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

44/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

Figure 133: Building a Migration Table


The solution to the problem of moving GPOs from one domain to another is to build a
migration table for security principals and UNC paths that require translation. Put the old
setting on the left and the new setting on the right.
After you create the migration table, you can specify the migration table during the GPO copy
operation, and it will act much like a global search-and-replace facility for all occurrences of
the specified SIDs and paths.
You can build migration tables with the Mtedit tool. You can either run the tool or invoke it
from within the GPMC by right-clicking the Domains node and selecting Open Migration
Table Editor. (You can also right-click the Group Policy Objects node to get to this menu
choice.) The XML data files associated with the Mtedit tool have the extension .migtable.
The sample migration table included by Microsoft with the GPMC appears in Figure 133 and
illustrates many of the possible combinations of format for each of the three columns.
Note the <Map by Relative name> entry in the Destination Name column. This is
shorthand for Replace the original domain name with the destination domain name, but keep
everything else the same. That is, testdomain1\Group02 would become
testdomain2\Group02.
Note also the <Same As Source> entry in the Destination Name column. This is shorthand
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

45/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

for Dont change a thing; in fact, this entry doesnt even need to be here except perhaps to
clarify that we know this entry doesnt need to change.
Helpful Hint

You can use migration tables both for copying and for importing GPOs.
Acronyms
The following acronyms are used in this section:
ACE

access control entry

ACL

access control list

CD

compact disc

FRS

File Replication Service

GPC

Group Policy container

GPMC Group Policy Management Console


GPO

Group Policy object

GPT

Group Policy template

GUID

globally unique identifier

HTML Hypertext Markup Language


ID

identification or identifier

IPSec

IP Security

IT

Information Technology

MMC

Microsoft Management Console

NTFS

New Technology File System

OU

organizational unit

PDC

Primary domain controller

RSoP

Resultant Set of Policy

SID

security identifier

SP1

Service Pack 1

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

46/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

UNC

Universal Naming Convention

WAN

wide area network

WMI

Windows Management
Instrumentation

XML

Extensible Markup Language

Section Review
Summary
A few of the command-line tools that you can use to troubleshoot Group Policy
deployment and the health of the existing GPOs are:
Group Policy Results: This tool provides RSoP details.
Group Policy Update: This tool refreshes Group Policy settings without rebooting.
GPO Verification tool: This tool ensures that the contents of all the linked Sysvol
folders in the domain contain valid and up-to-date GPOs. It also checks for version
mismatches between the GPT stored in the Sysvol folder and the GPC in Active
Directory.
Replication Monitor: This tool gathers a wide variety of replication details. It also
monitors the replication status of current GPOs per domain.
The RSoP helps to trace how the policy links are applied for a specified user and a
specified computer. It also identifies effective settings and winning policy objects.
Some of the RSoP tools that you can use to troubleshoot GPO processing are:
Group Policy Results: This tool presents real information that reflects how the policy
is applied.
Group Policy Modeling: This tool permits you to perform a simulation before actually
applying the policy.
HTML file for reporting: Both the GPMC and the Gpresult command-line tools can
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

47/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

produce reports in the form of HTML file output. Using these reports, you can view and
analyze the policies that are configured and determine where the policies came from.
The GPO logging tools that you can use to obtain more detail about the GPO processing
issues are:
The Userenv.log: This log contains a detailed verbose log of the logon process.
Event logs: These logs record all GPO events with a minimum amount of detail.
You can back up, restore, import, and copy GPOs. The purpose of these functions are:
Back Up: This function copies the contents of a live GPO into any specified folder
location on the computer or network where you have write permissions.
Restore: This function restores a GPO when you have deleted it and want it back, or
when you have modified it (either its contents or its ACL) and want to return it to some
prior condition.
Import: This function transfers the settings in a backed-up GPO to an existing and active
GPO. (The import process does not create a new GPO.)
Copy: This function creates a new GPO at the destination location. It starts with an
active GPO.
Use the Mtedit tool to build migration tables. You can either run the tool or invoke it from
within the GPMC (right-click the Domains node and select Open Migration Table
Editor).

Knowledge Check
1.

Name and describe the two GPO logging tools.

2.

Describe the following tools:


Group Policy Results
Replication Monitor

3.

Which tool is used to build migration tables?

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

48/51

16/11/2014

4.

5 Troubleshooting and Backing Up GPOs

a.

Userenv

b.

GPO Migration

c.

Mtedit

d.

Event log

Match each GPO process with its correct description. Write the letter of the description
in the Answer column.
Answer

GPO

Description

Process
Restore
1.________

A.Creates a new GPO at the destination location. It starts with an active


GPO.

Back up
2.________

B.Restores a GPO when you have deleted it and want it back, or when
you have modified it (either its contents or its ACL) and want to return it
to some prior condition.

3.________

Copy

C.Transfers the settings in a backed-up GPO to an existing and active


GPO.

Import
4.________

5.

D.Copies the contents of a live GPO into any specified folder location on
the computer or network where you have write permissions.

Which RSoP tool does the following text describe?


This tool presents real information that reflects how the policy is applied.
a.

Group Policy Results

b.

HTLM file for reporting

c.

Group Policy Modeling

d.

Group Policy Verification

Knowledge Check Answer Key


https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

49/51

16/11/2014

5 Troubleshooting and Backing Up GPOs

The correct answers to the Knowledge Check questions are bolded.


1.

Name and describe the two GPO logging tools.


The Userenv.log: Contains a detailed verbose log of the logon process.
Event logs: Record all GPO events with a minimum amount of detail.

2.

Describe the following tools:


Group Policy Results: This tool provides RSoP details.
Replication Monitor: This tool gathers a wide variety of replication details. It also
monitors the replication status of current GPOs per domain.

3.

4.

Which tool is used to build migration tables?


a.

Userenv

b.

GPO Migration

c.

Mtedit

d.

Event log

Match each GPO process with its correct description.


Answer

Group

Description

Policy
Feature
1.

2.

Restore

A.Creates a new GPO at the destination location. It starts with an active GPO.

Back up

B.Restores a GPO when you have deleted it and want it back, or when you
have modified it (either its contents or its ACL) and want to return it to some
prior condition.

3.

4.

Copy

C.Transfers the settings in a backed-up GPO to an existing and active GPO.

Import

D.Copies the contents of a live GPO into any specified folder location on the
computer or network where you have write permissions.

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

50/51

16/11/2014

5.

5 Troubleshooting and Backing Up GPOs

Which RSoP tool does the following text describe?


This tool presents real information that reflects how the policy is applied.
a.

Group Policy Results

b.

HTLM file for reporting

c.

Group Policy Modeling

d.

Group Policy Verification

https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize

51/51