Troubleshooting GPO Application


Welcome to a series of seven short posts that lay out all aspects of Group Policy Objects (GPOs), Microsoft’s framework for automated configuration of the Windows operating system.


Troubleshooting GPO Application

Obviously, with all the complexity associated with GPO processing, eventually you’ll encounter a situation where computers don’t seem to reflect your GPO settings. There are different methods and tools to troubleshoot this.

The following sections present some of the basic tools used for troubleshooting GPO application.

GPUpdate

You can trigger GPO processing on your system using the GPUpdate command. Use the /Force parameter to ensure full processing and limit the scope with the /Target parameter, e.g.:

GPUpdate /Force /Target:Computer

GPResult

On clients, the number one tool for troubleshooting GPO application is the GPResult command. It takes various parameters, of which the most commonly used are /R and /Scope.

As an example, the following command will show you GPO application information related (only) to computer settings:

GPResult /R /Scope:Computer

Replace Computer with User to only get GPO info for user settings. Leave out the /Scope parameter entirely for full information.

The output from the above command has various sections of information. Each section provides valuable information for troubleshooting your GPO processing.

Let’s have a look at the different sections and what information each one provides:

    CN=DC-01,OU=Domain Controllers,DC=gigacorp,DC=local
    Last time Group Policy was applied: 8/10/2020 at 8:48:31 PM
    Group Policy was applied from:      DC-01.gigacorp.local
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        GIGACORP
    Domain Type:                        Windows 2008 or later

Main information in this section:

  • Which OU your computer account is placed in (at the time the GPOs were applied)
  • What time the GPOs were applied
  • The DC from which your computer received the GPO settings

This information is particularly useful if your computer account was recently moved from one OU to another and the new settings are not applying.

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy
        Computer Certificate Autoenroll

The information here is a list of GPOs that were applied to your system. This is very important for understanding whether you’re receiving settings from the GPOs you expect.

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        802.1x LAN Authentication
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

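Here you see a list of GPOs that were not applied because they were filtered out, each with the reason: Denied (Security) means security filtering excluded the computer, and Not Applied (Empty) means the GPO contains no settings. This lets you confirm whether the security filtering you have set up is actually working.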

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Certificate Service DCOM Access
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        DC-01$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
        Authentication authority asserted identity
        Cert Publishers
        Denied RODC Password Replication Group
        System Mandatory Level

And finally, a list of the security groups of which your computer is a member. This information can help you troubleshoot situations where security filtering is not working.

Double check if your computer is actually a member of the group you’re using in your security filter. If the group is not there, investigate if any recent change in group membership has replicated to the DC from which you received the GPO.
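The checks described above can be scripted. The following is an added example, not code from the original article: it parses the GPResult sections shown in this post and reports whether a given GPO was applied or filtered out and whether the computer is in the group used for security filtering. The function names and the group name Dot1x-Computers are hypothetical, and the parser assumes English-language GPResult output.

```powershell
# Sample input abridged from the output above; live: $report = GPResult /R /Scope:Computer
$report = @'
Applied Group Policy Objects
-----------------------------
    Default Domain Policy
    Computer Certificate Autoenroll

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    802.1x LAN Authentication
        Filtering:  Denied (Security)

The computer is a part of the following security groups
-------------------------------------------------------
    NT AUTHORITY\Authenticated Users
    Domain Controllers
'@ -split '\r?\n'

function ConvertFrom-GPResultText {        # hypothetical helper name
    param([string[]]$Lines)
    $r = @{ Applied = @(); Filtered = @{}; Groups = @() }
    $section = $null; $lastGpo = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line -or $line -match '^-+$') { continue }   # skip blanks and rulers
        if     ($line -eq 'Applied Group Policy Objects')             { $section = 'Applied' }
        elseif ($line -like 'The following GPOs were not applied*')   { $section = 'Filtered' }
        elseif ($line -like '*part of the following security groups') { $section = 'Groups' }
        elseif ($section -eq 'Filtered' -and $line -match '^Filtering:\s+(.+)$') {
            $r.Filtered[$lastGpo] = $Matches[1]                 # reason belongs to the GPO above it
        }
        elseif ($section -eq 'Filtered') { $lastGpo = $line }
        elseif ($section -eq 'Applied')  { $r.Applied += $line }
        elseif ($section -eq 'Groups')   { $r.Groups  += $line }
    }
    $r
}
function Get-GpoStatus {                   # hypothetical helper name
    param($Parsed, [string]$GpoName, [string]$FilterGroup)
    if ($Parsed.Applied -contains $GpoName) { $status = 'Applied' }
    elseif ($Parsed.Filtered.ContainsKey($GpoName)) { $status = "Filtered: $($Parsed.Filtered[$GpoName])" }
    else { $status = 'Not listed: check the GPO link and the OU of the computer account' }
    $leaf = $Parsed.Groups | ForEach-Object { ($_ -split '\\')[-1] }   # drop the DOMAIN\ prefix
    [pscustomobject]@{ Gpo = $GpoName; Status = $status; InFilterGroup = ($leaf -contains $FilterGroup) }
}
$parsed = ConvertFrom-GPResultText -Lines $report
Get-GpoStatus $parsed 'Default Domain Policy' -FilterGroup 'Authenticated Users'
Get-GpoStatus $parsed '802.1x LAN Authentication' -FilterGroup 'Dot1x-Computers'  # hypothetical group
```

A result of Filtered: Denied (Security) together with InFilterGroup False points at group membership (or its replication to the DC) rather than at the GPO link.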

Resultant Set of Policies

Another very powerful tool to troubleshoot GPO application is the Resultant Set of Policies (RSoP) tool. RSoP allows you to collect the GPO processing information from a remote system and is part of the GPMC tool.


Right-click Group Policy Results and select Group Policy Results Wizard. Then click Next and select the remote system you want to analyze.


Select the user for which you want to collect GPO information, or select no user if you’re only investigating computer settings.


The RSoP tool will give you all the information we saw from the GPResult tool in the Summary tab. Things get even more interesting when you click the Details tab. Here you find a list of all settings applied from the GPOs. Expand any section to view details about what was applied and which GPO the setting came from.


Summary

I hope this article helped you remove some confusion about GPO processing and troubleshooting.

With security filtering you can easily test any new GPOs without affecting live users and systems.

Complete your GPO security filtering with the use of Dynamic Groups. Our free tool will allow you to automate your setup based on user and computer attributes.

Using GPResult on the client or RSoP on the server side, you can quickly troubleshoot GPO errors and become the hero of the day 😉

Group Policies can also be managed with the GroupPolicy module for PowerShell. Using PowerShell you can perform tasks that are not feasible to do manually.

As an example of how to manage GPOs with PowerShell, have a look at this article. It shows you how to quickly analyze every single GPO in your domain for security filtering and custom delegation, using only PowerShell and Excel.