Welcome to a series of seven short posts that will lay out all aspects of the GPO aka Group Policy Object – Microsoft’s framework for automated configuration of the Windows operating system.
Troubleshooting GPO Application
Obviously, with all the complexity associated with GPO processing, eventually you’ll encounter a situation where computers don’t seem to reflect your GPO settings. There are different methods and tools to troubleshoot this.
The following sections present some of the basic tools used for troubleshooting GPO application.
You can trigger GPO processing on your system using the GPUpdate command. Use the /Force parameter to ensure full processing and limit the scope with the /Target parameter, e.g.:
GPUpdate /Force /Target:Computer
On clients, the number one tool for troubleshooting GPO application is the GPResult command. It takes various parameters, of which the most commonly used are /R and /Scope.
As an example, the following command will show you GPO application information related (only) to computer settings:
GPResult /R /Scope:Computer
Replace Computer with User to only get GPO info for user settings. Leave out the /Scope parameter entirely for full information.
The output from the above command is divided into sections, each of which provides valuable information for troubleshooting your GPO processing.
Let’s have a look at the different sections and what information each one provides:
CN=DC-01,OU=Domain Controllers,DC=gigacorp,DC=local
Last time Group Policy was applied: 8/10/2020 at 8:48:31 PM
Group Policy was applied from: DC-01.gigacorp.local
Group Policy slow link threshold: 500 kbps
Domain Name: GIGACORP
Domain Type: Windows 2008 or later
Main information in this section:
- Which OU your computer account is placed in (at the time of GPO application)
- What time the GPOs were applied
- The DC from which your computer received the GPO settings
This information is particularly useful if your computer account was recently moved from one OU to another and the new settings are not applying.
Applied Group Policy Objects
-----------------------------
Default Domain Controllers Policy
Default Domain Policy
Computer Certificate Autoenroll
The information here is a list of the GPOs that were applied to your system. This is obviously very important for confirming that you’re receiving settings from the GPOs you expect.
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
802.1x LAN Authentication
    Filtering: Denied (Security)
Local Group Policy
    Filtering: Not Applied (Empty)
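Here you see a list of GPOs that were not applied because they were filtered out, together with the reason: Denied (Security) means the GPO was blocked by security filtering, while Not Applied (Empty) means the GPO contains no settings. This lets you confirm whether the security filtering you have set up is actually working.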
The computer is a part of the following security groups
-------------------------------------------------------
BUILTIN\Administrators
Everyone
BUILTIN\Pre-Windows 2000 Compatible Access
BUILTIN\Users
Certificate Service DCOM Access
Windows Authorization Access Group
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
This Organization
DC-01$
Domain Controllers
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Authentication authority asserted identity
Cert Publishers
Denied RODC Password Replication Group
System Mandatory Level
And finally, a list of the security groups of which your computer is a member. This information can help you troubleshoot situations where security filtering is not working.
Double check if your computer is actually a member of the group you’re using in your security filter. If the group is not there, investigate if any recent change in group membership has replicated to the DC from which you received the GPO.
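The checks described above can be scripted. The following is an added example, not code from the original article: it parses the three GPResult sections shown above and reports why a given GPO did or did not apply. The function names and the group name LAN-8021x-Computers are hypothetical, the sample text is constructed from the output above, and the parser assumes English-language GPResult output.

```powershell
# Constructed sample: trimmed from the GPResult /R /Scope:Computer sections shown above.
$sample = @'
Applied Group Policy Objects
-----------------------------
    Default Domain Policy
    Computer Certificate Autoenroll
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
    802.1x LAN Authentication
        Filtering:  Denied (Security)
    Local Group Policy
        Filtering:  Not Applied (Empty)
The computer is a part of the following security groups
-------------------------------------------------------
    NT AUTHORITY\Authenticated Users
    Domain Controllers
'@ -split '\r?\n'

function ConvertFrom-GPResultText {   # hypothetical helper name
    param([string[]]$Lines)
    $applied = @(); $filtered = [ordered]@{}; $groups = @(); $section = ''; $gpo = $null
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if (-not $t -or $t -match '^-+$') { continue }   # skip blanks and underlines
        if     ($t -like 'Applied Group Policy Objects*')           { $section = 'Applied' }
        elseif ($t -like 'The following GPOs were not applied*')    { $section = 'Filtered' }
        elseif ($t -like '*part of the following security groups*') { $section = 'Groups' }
        elseif ($t -match '^Filtering:\s*(.+)$') { if ($gpo) { $filtered[$gpo] = $Matches[1] } }
        elseif ($section -eq 'Applied')  { $applied += $t }
        elseif ($section -eq 'Filtered') { $gpo = $t; $filtered[$gpo] = 'Unknown' }
        elseif ($section -eq 'Groups')   { $groups += $t }
    }
    [pscustomobject]@{ Applied = $applied; Filtered = $filtered; Groups = $groups }
}

function Test-GpoApplied {   # hypothetical helper name
    param($Result, [string]$GpoName, [string]$FilterGroup)
    if ($Result.Applied -contains $GpoName) { return 'Applied' }
    if ($Result.Filtered.Contains($GpoName)) {
        # Match the group with or without a DOMAIN\ prefix.
        $member = [bool]($Result.Groups | Where-Object { $_ -eq $FilterGroup -or $_ -like "*\$FilterGroup" })
        return "Filtered: $($Result.Filtered[$GpoName]); member of '$FilterGroup': $member"
    }
    'Not listed at all: check the GPO link and the OU of the computer account'
}

$r = ConvertFrom-GPResultText -Lines $sample
# Live use: $r = ConvertFrom-GPResultText -Lines (GPResult /R /Scope:Computer)
Test-GpoApplied $r '802.1x LAN Authentication' 'LAN-8021x-Computers'   # placeholder group name
```

A GPO that is filtered with Denied (Security) while the computer is missing from the filter group points to group membership or replication; a GPO that appears in neither list points to linking or OU placement instead.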
Resultant Set of Policies
Another very powerful tool to troubleshoot GPO application is the Resultant Set of Policies (RSoP) tool. RSoP allows you to collect the GPO processing information from a remote system and is part of the GPMC tool:
Right click Group Policy Results and select Group Policy Results Wizard. Then click Next and select the remote system you want to analyze:
Select the user for which you want to collect GPO information – or select no user if you’re only investigating computer settings:
The RSoP tool will give you all the information we saw from the GPResult tool in the Summary tab. Things get even more interesting when you click the Details tab. Here you find a list of all settings applied from the GPO’s. Expand any section to view details about what was applied and which GPO the setting came from:
I hope this article helped you remove some confusion about GPO processing and troubleshooting.
With security filtering you can easily test any new GPO’s without affecting live users and systems.
Complete your GPO security filtering with the use of Dynamic Groups. Our free tool will allow you to automate your setup based on user and computer attributes.
Using GPResult on the client or RSoP server side you can quickly troubleshoot GPO errors and become the hero of the day 😉
Group Policies can also be managed with the GroupPolicy module for PowerShell. Using PowerShell you can perform tasks that are not feasible to do manually.
As an example of how to manage GPOs with PowerShell, have a look at this article. It shows you how to quickly analyze every single GPO in your domain for security filtering and custom delegation, using only PowerShell and Excel.