Group Policy troubleshooting

Source: Internet
Author: User

Group Policy is indispensable to the system administrator, and it is also a headache for the system administrator when Group Policy misbehaves. The following describes in detail how to troubleshoot Group Policy.

The power of Group Policy is well known, and so is the frustration when its results are not what you expected. It is equally annoying that Group Policy has countless features and thousands of settings, which makes it hard to decide when to use this technology for a specific problem. I have helped many friends use Group Policy effectively, and I often find that the same few trouble spots cause more grief than the problems they set out to solve. Here are some countermeasures.

Group Policy settings do not take effect immediately

Some Group Policy settings sometimes need two or three restarts (or logons) before they take effect. The restarts are unsettling because you cannot tell whether the setting is working at all. This happens most often with Group Policy Objects (GPOs) that contain Folder Redirection or Software Installation settings, and mainly on Windows XP.

Translator's note: for Folder Redirection GPO problems, see also the Microsoft Knowledge Base article "Troubleshooting Group Policy application problems" (http://support.microsoft.com/kb/250842).

The delay is caused by a Windows XP feature called Fast Logon Optimization. To let Windows XP start and log the user on as quickly as possible, Microsoft configured asynchronous foreground Group Policy processing by default. In this mode, computer policy is processed while the computer starts and the logon dialog box is displayed, so computer policy may still be running when the user types a user name and password. Likewise, user policy starts when the user logs on and may still be running when the desktop appears. Some settings, such as Folder Redirection and Software Installation, need exclusive access to the computer or user environment. In other words, they must run synchronously and cannot run asynchronously: they must finish before the logon dialog box or the desktop is shown. When such a setting is encountered during an asynchronous refresh, the client flags that the next foreground refresh must be synchronous and defers the setting to it, which is why several restarts or logons are needed. So how do you make Windows XP run these GPOs synchronously? With Group Policy, of course!

Open the Group Policy Editor, expand Computer Configuration \ Administrative Templates \ System \ Logon, and enable the policy "Always wait for the network at computer startup and logon" for your Windows XP computers. Foreground policy is then processed synchronously. Startup and logon take longer than before, but you no longer need multiple restarts or logons when deploying these kinds of settings. Windows Vista also defaults to asynchronous processing, like Windows XP, whereas Windows 2000 defaults to synchronous foreground processing.

Group Policy settings do not take effect at all

Sometimes Group Policy does not take effect at all, and on the affected client you will see events 1058 and 1030 in the Application log. These errors say that the system cannot read the gpt.ini file. Unfortunately they are common, and because many different problems can cause them, the best approach is to narrow down the possible cause.

Translator's note: event 1058 means the system cannot access gpt.ini, and event 1030 means Windows cannot query the list of Group Policy Objects. The Microsoft Knowledge Base article "Group Policy processing fails and events 1030 and 1058 are logged in the Application log of the domain controller" (http://support.microsoft.com/kb/842804) discusses this problem in detail and provides a hotfix.

If you notice that the error occurs only for computer policy and never for user policy, the likely cause is that the computer starts so quickly that the network stack has not finished initializing when the system tries to process Group Policy, so computer policy processing fails. By the time the user logs on, the network stack is up and running, and user policy is processed normally.

Microsoft added a useful registry value in some versions of Windows that tells Windows to wait for the network stack to initialize before processing Group Policy. It is described in the Microsoft Knowledge Base article "Group Policy application fails on a computer that is running Windows 2000, Windows XP Service Pack 1, or Windows XP Service Pack 2" (http://support.microsoft.com/?kbid=840669). Windows Vista exposes the same function as a GPO setting: Computer Configuration \ Administrative Templates \ System \ Group Policy \ Startup policy processing wait time.
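Both fixes, the "Always wait for the network at computer startup and logon" setting from the previous section and the startup processing wait time from this one, are Administrative Template policies that boil down to a registry value in the GPO. The PowerShell below is added here as an example; it is not code from the article. It writes both values into an existing GPO with the GroupPolicy module (RSAT/GPMC) and then reads back what a client actually received. The GPO name "Workstation Startup Policy" and the 60-second timeout are placeholders; the registry paths are the ones the two policies write, and the non-policy Winlogon key is the one KB 840669 uses for Windows 2000 and XP.

```powershell
# Added example (not from the original article). Requires the GroupPolicy
# module from RSAT/GPMC. The GPO name is a placeholder; the GPO must already
# exist and be linked to the OU that holds the affected workstations.
Import-Module GroupPolicy

$GpoName = 'Workstation Startup Policy'   # assumed GPO name

# Computer Configuration\Administrative Templates\System\Logon
# "Always wait for the network at computer startup and logon"
# -> SyncForegroundPolicy = 1 forces synchronous foreground processing, which
#    Folder Redirection and Software Installation need in order to apply.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1 | Out-Null

# Computer Configuration\Administrative Templates\System\Group Policy
# "Startup policy processing wait time" (Windows Vista and later)
# -> GpNetworkStartTimeoutPolicyValue = seconds to wait for the network stack
#    before computer policy is processed at boot. 60 is a placeholder value.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'GpNetworkStartTimeoutPolicyValue' -Type DWord -Value 60 | Out-Null

# On a client, after "gpupdate /force" and a reboot, confirm what arrived.
function Get-StartupPolicyTiming {
    $winlogonPol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $systemPol   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    # KB 840669 (Windows 2000 / XP SP1 / XP SP2) uses this non-policy key instead.
    $winlogonXp  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $read = { param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name }

    [pscustomobject]@{
        SyncForegroundPolicy           = & $read $winlogonPol 'SyncForegroundPolicy'
        StartupWaitSeconds_Policy      = & $read $systemPol   'GpNetworkStartTimeoutPolicyValue'
        StartupWaitSeconds_Xp_KB840669 = & $read $winlogonXp  'GpNetworkStartTimeoutPolicyValue'
    }
}

Get-StartupPolicyTiming
```

An empty SyncForegroundPolicy field means the client is still using asynchronous foreground processing (the XP and Vista default); gpresult /r on the client shows which GPO the values came from, or that the GPO was never applied.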

Other problems can also produce these errors. For example, the gpt.ini file may really be inaccessible. This file is part of every GPO and is stored in the SYSVOL share on each domain controller (DC) in your environment. When the system processes computer or user policy, it must read this file to obtain the GPO's version information. If the file does not exist on the DC the client happens to read from, Group Policy fails to apply. You can check the registry value HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Group Policy \ History \ DCName to find out which DC the client contacted for its last Group Policy refresh.

Once you have identified the faulty DC, make sure that SYSVOL is actually shared (the File Replication Service must finish initializing SYSVOL on that DC before it is shared), and confirm that the TCP/IP NetBIOS Helper service is running on the client (the client uses it to talk to DFS). In a command-prompt window on the client, type:

    net view \\<DC name>
    net start

The first command verifies that SYSVOL is shared; the net start command lists the running services so you can confirm that all required services are started. Check the path of the inaccessible file from the event log to confirm that the file exists and that its permissions match those on other DCs where you know Group Policy works. For permission problems the Group Policy Management Console (GPMC) is useful. Open GPMC and focus it on the problem DC: right-click the domain name in GPMC, select Change Domain Controller..., and pick the problem DC, as shown in Figure 1. Then go to the Group Policy Objects container and select the problem GPO. If GPMC finds permission inconsistencies on the GPO, it prompts you to fix them.
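The checks just described (which DC the client used, whether SYSVOL is shared, whether the helper services are running, whether gpt.ini is readable, and whether its permissions match the other DCs) can be scripted. The PowerShell below is an added example, not the article's own procedure. It runs on the affected client with administrative rights and assumes an XP/2003-era client, where Userenv logs events 1030 and 1058 to the Application log (on Windows Vista and later the same IDs are written to the System log by Microsoft-Windows-GroupPolicy, and DCs running DFS Replication use the DFSR service instead of NtFrs). The domain name example.local and the DC list are placeholders; the GPO GUID used at the end is the well-known GUID of the Default Domain Policy.

```powershell
# Added example (not from the original article). Run on the affected client as
# an administrator. Domain and DC names are placeholders.
$Domain = 'example.local'
$AllDCs = @('dc1.example.local', 'dc2.example.local')

function Get-PolicyDC {
    # The DC this client read Group Policy from on its last refresh, e.g. \\dc1.example.local
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    (Get-ItemProperty -Path $key -Name DCName).DCName
}

function Get-GroupPolicyErrors {
    # Userenv 1030 (cannot query GPO list) and 1058 (cannot read gpt.ini), newest first.
    Get-EventLog -LogName Application -Source Userenv -EntryType Error -Newest 50 |
        Where-Object { @(1030, 1058) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

function Test-SysvolFromClient {
    param([string]$DC)   # as returned by Get-PolicyDC, with the leading \\
    # Same check as "net view \\dc" in the article, in script form.
    $share = "$DC\SYSVOL"
    [pscustomobject]@{
        DC             = $DC
        SysvolShared   = Test-Path -Path $share
        NetBiosHelper  = (Get-Service -Name lmhosts).Status          # TCP/IP NetBIOS Helper (client)
        FrsOnDC        = (Get-Service -ComputerName $DC.TrimStart('\') -Name NtFrs `
                              -ErrorAction SilentlyContinue).Status   # File Replication Service (2003 DC)
        PoliciesFolder = Test-Path -Path "$share\$Domain\Policies"
    }
}

function Compare-GptIni {
    # Read gpt.ini for one GPO from every DC and report existence, version and ACL,
    # so the DC that differs from the known-good ones stands out.
    param([string]$GpoGuid, [string[]]$DCs = $AllDCs)
    foreach ($dc in $DCs) {
        $path    = "\\$dc\SYSVOL\$Domain\Policies\$GpoGuid\gpt.ini"
        $exists  = Test-Path -Path $path
        $version = $null
        $sddl    = $null
        if ($exists) {
            $m = Select-String -Path $path -Pattern '^Version=(\d+)'
            if ($m) { $version = [int]$m.Matches[0].Groups[1].Value }
            $sddl = (Get-Acl -Path $path).Sddl
        }
        [pscustomobject]@{ DC = $dc; Exists = $exists; Version = $version; Sddl = $sddl }
    }
}

$dc = Get-PolicyDC
Get-GroupPolicyErrors    | Format-List
Test-SysvolFromClient -DC $dc | Format-List
# Compare the Default Domain Policy across all DCs: a DC whose Version or Sddl
# differs from the rest is the one to fix (missing file, stale replication, or ACL).
Compare-GptIni -GpoGuid '{31B2F340-016D-11D2-945F-00C04FB984F9}' | Format-Table -AutoSize
```

Comparing the SDDL strings is the scripted version of "check that the file permissions match the other DCs": two DCs that disagree on the ACL of the same gpt.ini point at a replication or permission problem on the outlier, which is then the DC to focus GPMC on.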

Figure 1: Changing the domain controller that GPMC is focused on

Translator's note: administrators who manage distributed remote servers need a solution that limits traffic over slow WAN links, keeps files available during WAN outages or server failures, and ensures that branch servers are backed up properly. The DFS solution in Windows Server 2003 addresses these challenges with two technologies, DFS Namespaces and DFS Replication, which can be used together to provide simplified, fault-tolerant file access, load sharing, and WAN-friendly replication. See the following resources:

"Overview of the Microsoft Windows Server 2003 R2 Distributed File System Solution" (http://technet2.microsoft.com/WindowsServer/zh-CHS/Library/d3afe6ee-3083-4950-a093-8ab748651b762052.mspx?mfr=true)

Distributed File System Technology Center (https://www.microsoft.com/china/windowsserver2003/technologies/storage/dfs/default.mspx)

"Deploying and Administering File Replication Service for SYSVOL and DFS" (http://www.microsoft.com/seminar/shared/asp/view.asp?url=/seminar/en/2003020.vcon26/manifest.xml)

Confusion when implementing loopback policy

If you use the Terminal Server component of Windows Server, you usually want different Group Policy settings for a user when they log on to the terminal server than when they log on to their desktop or laptop. That is why loopback policy exists, but implementing it can be confusing.

Loopback policy means that when a user logs on to a computer with loopback enabled, the user settings applied come from the GPOs that apply to the computer object, instead of (or in addition to) the GPOs that apply to the user object. The simplest way to implement it is to put the terminal server computer objects in their own Organizational Unit (OU) in Active Directory, create a GPO, link it to that OU, and in that GPO enable Computer Configuration \ Administrative Templates \ System \ Group Policy \ User Group Policy loopback processing mode. This enables loopback for the computers in that OU. The same technique is commonly used for public kiosk computers, so that the computer behaves the same way no matter who logs on.

Loopback has two modes, Merge and Replace, and you choose one according to what you want to achieve. In Merge mode, when the user logs on to the terminal server the normal user policy is applied first, and then the user settings from the computer's GPOs are applied. If the two conflict, the computer's list wins because it is processed last. In Replace mode the normal user policy is not processed at all; only the user settings from the computer's GPOs are applied.

In my experience Replace mode is easier to manage and should be preferred unless you need some of the normal user policies to apply on the terminal server as well. Note that with Merge mode some settings may be applied twice when a user logs on to the terminal server. For example, if you define logon scripts at the domain level, those scripts are in both the user object's GPO list and the computer object's GPO list, so with Merge mode the system runs the logon script once from the user's list and then again from the computer's list.

If you enable loopback, make sure it only affects the computers that really need it, so enable it only on a dedicated OU that contains nothing but the computers that need loopback. If you enable it too widely you will get unexpected results that are hard to trace, because enabling the policy sets some special, undocumented registry entries.
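The recommended layout (a dedicated OU, a GPO linked only there, Replace mode) and the audit that goes with the warning above, in PowerShell. This is an added example, not code from the article; it needs the GroupPolicy module (RSAT/GPMC), and the OU and GPO names are placeholders. The audit reads every GPO in the domain, reports the loopback mode it configures, and flags any loopback GPO that is linked at the domain root rather than at an OU.

```powershell
# Added example (not from the original article). Requires the GroupPolicy
# module (RSAT/GPMC). OU and GPO names are placeholders.
Import-Module GroupPolicy

$TsOu    = 'OU=Terminal Servers,DC=example,DC=local'   # must contain only the loopback computers
$GpoName = 'Terminal Server Loopback'

# Computer Configuration\Administrative Templates\System\Group Policy
# "User Group Policy loopback processing mode" -> UserPolicyMode: 1 = Merge, 2 = Replace
$LoopbackKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'

New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $TsOu -LinkEnabled Yes | Out-Null   # link to the OU only
Set-GPRegistryValue -Name $GpoName -Key $LoopbackKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null                                     # Replace mode

function Get-LoopbackGpos {
    # Audit every GPO in the domain for loopback and show where each one is linked.
    foreach ($gpo in Get-GPO -All) {
        try {
            $v = Get-GPRegistryValue -Guid $gpo.Id -Key $LoopbackKey `
                     -ValueName 'UserPolicyMode' -ErrorAction Stop
        } catch { continue }    # loopback not configured in this GPO
        $mode = switch ($v.Value) { 1 { 'Merge' } 2 { 'Replace' } default { "Unknown ($($v.Value))" } }
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        # SOMPath looks like "example.local/Terminal Servers"; no "/" means the domain root.
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name         = $gpo.DisplayName
            Mode         = $mode
            LinkedTo     = ($links -join '; ')
            LinkedAtRoot = [bool]($links | Where-Object { $_ -notmatch '/' })
        }
    }
}

function Get-LocalLoopbackMode {
    # Run on the terminal server itself after "gpupdate /force" to see what it received.
    $v = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
              -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($v) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }
}

Get-LoopbackGpos | Format-Table -AutoSize
```

A row with LinkedAtRoot set to True is the "enabled too widely" case: every computer in the domain then has its user settings rewritten by loopback, not just the terminal servers.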

Potential conflicts between Group Policy and IE settings

In Windows XP Service Pack 2 (SP2) and Windows Server 2003 SP1, Microsoft added many Internet Explorer (IE) settings to the Administrative Templates policies, and these seem to conflict with, or at least overlap, the Internet Explorer Maintenance policies under User Configuration \ Windows Settings \ Internet Explorer Maintenance. So where should you set IE policy?

Unfortunately there is no clear answer, but note that Microsoft has been moving IE settings into Administrative Templates and playing down the importance of Internet Explorer Maintenance. The root cause is that the design of Internet Explorer Maintenance was flawed when Group Policy first shipped; it has many bugs and is generally hard to work with.

You still have to use Internet Explorer Maintenance for things like browser proxy settings or Favorites. For IE security settings, however, it is better not to use Internet Explorer Maintenance but the policies under User Configuration \ Administrative Templates \ Windows Components \ Internet Explorer. For example, to put a site into a particular security zone (such as Trusted sites), use the "Site to Zone Assignment List" policy under User Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page. You can also set the per-zone security settings that appear on the Security tab of Internet Options in the IE menu, using the policies under User Configuration \ Administrative Templates \ Windows Components \ Internet Explorer \ Internet Control Panel \ Security Page \ Internet Zone, Intranet Zone, and so on. Note: do not set IE security policy in both Internet Explorer Maintenance and Administrative Templates; they interfere with each other and the result is unpredictable.
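The "Site to Zone Assignment List" policy above, written into a GPO with the GroupPolicy module, followed by a client-side check for the "set in both places" mistake. This is an added example, not the article's code; the GPO name and the three sites are placeholders. The policy stores one string value per site under ZoneMapKey with the zone number as data, and the editor records ListBox_Support_ZoneMapKey = 1 beside the list when the policy is enabled. The overlap check compares those policy entries with the non-policy ZoneMap\Domains tree that Internet Explorer Maintenance (and the user) write to, and is deliberately coarse: it matches on host names only.

```powershell
# Added example (not from the original article). Requires the GroupPolicy
# module. GPO name and site list are placeholders.
Import-Module GroupPolicy

$GpoName = 'IE Security Zones'

# User Configuration\Administrative Templates\Windows Components\Internet Explorer\
# Internet Control Panel\Security Page -> "Site to Zone Assignment List".
# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
$IntSettings = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneMapKey  = "$IntSettings\ZoneMapKey"

$Assignments = [ordered]@{
    'https://intranet.example.local' = '1'
    'https://portal.example.com'     = '2'
    'http://*.downloads.example.net' = '4'
}

Set-GPRegistryValue -Name $GpoName -Key $IntSettings -ValueName 'ListBox_Support_ZoneMapKey' `
    -Type DWord -Value 1 | Out-Null
foreach ($site in $Assignments.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $ZoneMapKey -ValueName $site `
        -Type String -Value $Assignments[$site] | Out-Null
}

function Get-ZoneAssignmentOverlap {
    # Run as the affected user after "gpupdate /force". Lists hosts that are assigned a
    # zone both by the Administrative Template policy (ZoneMapKey) and by the
    # ZoneMap\Domains tree that IE Maintenance or the user wrote: the case to avoid.
    $policyPath  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $domainsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

    $policyHosts = @()
    if (Test-Path $policyPath) {
        $item = Get-ItemProperty -Path $policyPath
        $policyHosts = $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { (($_.Name -replace '^[a-z]+://', '') -replace '^\*\.', '') -replace '/.*$', '' }
    }

    $domainHosts = @()
    if (Test-Path $domainsPath) {
        foreach ($d in Get-ChildItem -Path $domainsPath) {
            $hostName = $d.PSChildName                      # e.g. example.com
            if ($d.GetValueNames().Count -gt 0) { $domainHosts += $hostName }
            foreach ($s in Get-ChildItem -Path $d.PSPath) {  # e.g. portal -> portal.example.com
                $domainHosts += "$($s.PSChildName).$hostName"
            }
        }
    }

    $policyHosts | Where-Object { $domainHosts -contains $_ } | Sort-Object -Unique
}

Get-ZoneAssignmentOverlap
```

Any host returned by Get-ZoneAssignmentOverlap is configured by both mechanisms, and which zone IE ends up using for it is exactly the unpredictable result the text warns about.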

Internet Explorer Maintenance also has an annoying habit: if you configure the Connection Settings for a proxy server, Internet Explorer Maintenance imports those settings from the computer on which you edit the GPO. So if you set the policy on one computer and later edit the GPO from another machine with different IE connection settings, when you click the button to modify the settings you will find that the imported settings now reflect the new machine rather than the one you originally used. This leads to endless problems. For that reason, if you must use Internet Explorer Maintenance, make all later changes from the same computer you made the initial change on, and make sure the IE settings on that computer have not changed since your last edit.

Removing a computer from the domain without leaving GPO settings behind

Sometimes you just want to clean house and remove every GPO setting applied to a particular user or computer. For example, you may want to move a computer from an Active Directory domain to a workgroup and no longer want any Group Policy imposed on it. In that case you must follow a specific sequence before removing the computer from the domain. You cannot simply remove the machine from the domain, because every GPO setting on the machine would become orphaned: the settings came from domain-based GPOs that do not exist in the workgroup, and there is no easy way to remove them afterwards.

Before you remove the computer from the domain, first move its computer account in Active Directory to an OU that has no GPO links, and make sure Block Inheritance is set on that OU so that no GPOs linked higher up apply. Then restart the computer. For most settings, Group Policy processing at restart detects that the previously applied GPOs no longer apply, and settings that can be removed, such as Administrative Templates and Software Installation settings, are removed during processing.

Once the computer is "clean" you can safely remove it from the domain. The only thing to watch with this method is that some settings, for example the security settings configured under Computer Configuration \ Windows Settings \ Security Settings, are not removed, because Group Policy does not know their default values. In that case use the secedit.exe command-line tool to apply the default security template created when Windows was first installed. The template file is "setup security.inf" in the C:\WINDOWS\security\templates directory on Windows XP Professional and Windows Server 2003. Alternatively, open the local Group Policy Editor (type gpedit.msc in the Start > Run dialog box), go to Computer Configuration \ Windows Settings \ Security Settings, right-click the node, select Import Policy... from the menu, and import the setup security.inf file. With this template you can easily reset the security settings.
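The sequence above (move the account to a quarantine OU with Block Inheritance, restart, verify what the client still records as applied, reset the security settings with secedit, and only then leave the domain) in PowerShell, as an added example that is not part of the article. The first part runs from an administrator's workstation with RSAT (ActiveDirectory and GroupPolicy modules), the rest on the computer being removed. The computer name, the OU and the secedit database file name are placeholders. One caveat the check below surfaces: Block Inheritance does not stop GPO links that are marked Enforced higher up, so those must be dealt with separately.

```powershell
# Added example (not from the original article). Names are placeholders.

# --- Part 1: on an admin workstation with RSAT ---
Import-Module ActiveDirectory, GroupPolicy

$Computer     = 'WS042'
$QuarantineOu = 'OU=Quarantine,DC=example,DC=local'   # must have no GPO links of its own

Set-GPInheritance -Target $QuarantineOu -IsBlocked Yes | Out-Null
$inh = Get-GPInheritance -Target $QuarantineOu
if ($inh.GpoLinks.Count -gt 0) {
    throw "Quarantine OU still has GPO links: $(($inh.GpoLinks | ForEach-Object DisplayName) -join ', ')"
}
# Enforced links above the OU still apply despite Block Inheritance; surface them.
$inh.InheritedGpoLinks | Where-Object { $_.Enforced } |
    ForEach-Object { Write-Warning "Enforced link still applies: $($_.DisplayName)" }

Move-ADObject -Identity (Get-ADComputer -Identity $Computer).DistinguishedName -TargetPath $QuarantineOu

# --- Part 2: on the computer itself, as an administrator ---
# gpupdate /force ; Restart-Computer      # let Group Policy notice the GPOs are gone

function Get-AppliedGpoHistory {
    # What the client still records as applied, per client-side extension.
    $hist = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    Get-ChildItem -Path $hist -Recurse |
        Where-Object { $_.PSChildName -match '^\d+$' } |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Select-Object DisplayName, GPOName, FileSysPath
}

function Reset-LocalSecurityPolicy {
    # Security Settings have no default that Group Policy can fall back to, so
    # reapply the template written at setup time ("setup security.inf", note the space).
    $template = Join-Path $env:windir 'security\templates\setup security.inf'
    $db       = Join-Path $env:windir 'security\database\reset.sdb'   # placeholder database name
    if (-not (Test-Path -Path $template)) { throw "Template not found: $template" }
    secedit /configure /db $db /cfg $template /overwrite /quiet
    return $LASTEXITCODE    # 0 means the template was applied
}

Get-AppliedGpoHistory      # after the restart, domain GPOs should no longer be listed
Reset-LocalSecurityPolicy

# --- Part 3: only now leave the domain ---
# Remove-Computer -UnjoinDomainCredential (Get-Credential) -WorkgroupName 'WORKGROUP' -Restart
```

Running Get-AppliedGpoHistory before and after the restart shows the difference the quarantine OU makes: entries for the old domain GPOs disappear for the extensions that can roll their settings back, while the security extension is the one that needs the secedit step.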

Translator's note: the secedit.exe command-line tool can create and apply templates and analyze system security automatically. It is generally used to analyze or configure the security of many computers and to run tasks outside working hours, called from a batch file or from Task Scheduler. For the full syntax, search Windows Help and Support Center for "automating security configuration tasks".

Summary:

I hope this article has touched on many of the Group Policy problems you have encountered and offered some new ways to solve them. Group Policy is undoubtedly complex; as a powerful configuration management system it has many internal moving parts and dependencies that make it more complex still. When you run into a problem and struggle with it, take some comfort in knowing that you are not the only one who suffers.
