A brief Guide to checking your Group Policy Health




Group Policies are an essential part of every Windows client infrastructure, and it is therefore critical to regularly spend some effort ensuring that things are in a healthy state. I would define a healthy Group Policy infrastructure as follows:

- All Group Policies are correctly synched across all domain controllers.
- There are no unlinked Group Policies (unless on purpose, because we use them only ad hoc for testing).
- There are no Group Policies that are completely disabled (unless on purpose, because we use them only ad hoc for testing).
- There are no orphaned Group Policies.
- Group Policies apply correctly on the targeted clients.

There are a number of tools and scripts available that can help with the health assessment of your Group Policy infrastructure:

- Group Policy Management Console
- Group Policy Management Console Sample Scripts (download from here)
- GPOTOOL.exe, included in the Windows Server 2003 Resource Kit Tools (download from here), or a newer version (from here) included within the Microsoft Product Support Reporting Tool
- PowerShell Console

Page 1    Keenan Buck

Before starting your GPO health assessment, in which you will most likely end up deleting GPOs, I recommend that you create a backup of your current GPO state. You can create a backup using the Group Policy Management Console or the PowerShell Backup-GPO cmdlet. When using the GPMC, select the Group Policy Objects branch and choose Back Up All from the right-click context menu; you will then be asked to define the path where the backup will be saved and a description. Then click Back Up and wait for the process to complete. When using PowerShell, simply open a PowerShell command prompt and enter the command below. Note that you must create the target backup folder before running the command.

    Backup-GPO -All -Path C:\Data\GPO_Backup

Another thing you want to consider is creating a report of all your current GPOs, for example by running the following command within PowerShell:

    Get-GPOReport -All -ReportType HTML -Path c:\data\allgpo.html

OK, so now that we have created a backup and a report, we are ready to move on. Let's first check whether all of our GPOs are being replicated nicely across all of our domain controllers. To do so, we are going to use GPOTool from Microsoft, which:

- checks the consistency of Group Policy Objects (GPOs) between the SYSVOL-based and Active Directory (AD)-based portions of GPOs
- checks GPO replication
- searches GPOs
- targets specific domain controllers (DCs) to allow testing of the Group Policy status on a specific DC
- displays GPO information
- checks cross-domain GPOs

I recommend redirecting the GPOTool output into a text file so that you can analyse the results in Notepad, by simply running the following command:

    GPOTool.exe > gposynch.txt

Or, if you want more details, use the verbose option:

    GPOTool.exe /verbose > gposynch.txt

Once GPOTool has completed, open the gposynch.txt file and you will see the results. If all is OK, the status for a given GPO will be reported as follows:

    Policy {3B3C58EE-D65A-41A3-BADF-DA6BA75E1BD6}
    Friendly name: VDI_Desktop_Personal
    Policy OK

Or, when using verbose mode, the results look like this:

    Policy {3B3C58EE-D65A-41A3-BADF-DA6BA75E1BD6}
    Friendly name: VDI_Desktop_Personal
    Policy OK
    Details:
    DC: LAB-DC02.LAB.NET
    Friendly name: VDI_Desktop_Personal
    Created: 5/21/2011 2:18:47 PM
    Changed: 6/25/2011 5:04:13 PM
    DS version: 41(user) 45(machine)
    Sysvol version: 41(user) 45(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]
    Machine extensions: [{00000000-0000-0000-0000-000000000000}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{C631DF4C-088F-4156-B058-4375F0853CD8}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
    Functionality version: 2

    DC: LAB-DC01.LAB.NET
    Friendly name: VDI_Desktop_Personal
    Created: 5/21/2011 2:18:47 PM
    Changed: 6/25/2011 5:03:44 PM
    DS version: 41(user) 45(machine)
    Sysvol version: 41(user) 45(machine)
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: [{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}]
    Machine extensions: [{00000000-0000-0000-0000-000000000000}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{7150F9BF-48AD-4DA4-A49C-29EF4A8369BA}{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{C631DF4C-088F-4156-B058-4375F0853CD8}{D02B1F72-3407-48AE-BA88-E8213C6761F1}]
    Functionality version: 2

GPOTool checks the Active Directory part and the SYSVOL part of each GPO; if the DS version and the Sysvol version are equal on every DC, your GPO is being successfully synched across all domain controllers. But you might also find results that look as follows:

    Policy {66AC7F00-4C27-4D23-BB33-1A9BB6CC1A56}
    Error: Property gpcfunctionalityversion not found on LAB-DC02.LAB.NET
    Error: Property displayname not found on LAB-DC02.LAB.NET
    Error: Property versionnumber not found on LAB-DC02.LAB.NET
    Error: Property gpcfilesyspath not found on LAB-DC02.LAB.NET
    Error: Property flags not found on LAB-DC02.LAB.NET
    Error: Version mismatch on LAB-DC02.LAB.NET, DS=not found, sysvol=1
    Error: Functionality version on LAB-DC02.LAB.NET is not found, version 2 expected
    Friendly name: not found
    Error: Property gpcfunctionalityversion not found on LAB-DC01.LAB.NET
    Error: Property displayname not found on LAB-DC01.LAB.NET
    Error: Property versionnumber not found on LAB-DC01.LAB.NET
    Error: Property gpcfilesyspath not found on LAB-DC01.LAB.NET
    Error: Property flags not found on LAB-DC01.LAB.NET
    Error: Version mismatch on LAB-DC01.LAB.NET, DS=not found, sysvol=1
    Error: Functionality version on LAB-DC01.LAB.NET is not found, version 2 expected
    Details:
    DC: LAB-DC02.LAB.NET
    Friendly name: not found
    Created: 9/16/2008 11:51:39 AM
    Changed: 4/17/2009 7:52:40 AM
    DS version: not found
    Sysvol version: 0(user) 1(machine)
    Flags: not found
    User extensions: not found
    Machine extensions: not found
    Functionality version: not found

    DC: LAB-DC01.LAB.NET
    Friendly name: not found
    Created: 9/16/2008 11:51:39 AM
    Changed: 4/21/2009 9:26:52 AM
    DS version: not found
    Sysvol version: 0(user) 1(machine)
    Flags: not found
    User extensions: not found
    Machine extensions: not found
    Functionality version: not found

Whenever you find errors, I recommend that you re-run GPOTool after a few minutes. I have seen that sometimes the tool reports SYSVOL mismatches, but a few minutes later it would not; I guess this is because replication was going on in the background when the tool was run. Errors are usually related to GPOs not being in synch: either the GPO exists in Active Directory but there is no related folder within the SYSVOL directory, or there is a GUID folder in the SYSVOL directory but no GPO object in AD anymore. It is best to carefully analyse each case. If you come across orphaned GUID folders within the SYSVOL folder that have no corresponding object in AD, you can delete them (I suggest you make a copy first). When coming across a GPO object in AD that has no folder in SYSVOL, it is probably best to delete that one as well. You can delete them using the Group Policy Management Console or the Remove-GPO PowerShell cmdlet. If the GPO has no name defined, you will not see it in the Group Policy Management Console; in that case delete the GPO using its GUID:

    Remove-GPO -Guid <GUID OF GPO>
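The following is an added example, not code from the original guide: a PowerShell approximation of the GPOTool consistency check described above, which compares the AD and SYSVOL side of every GPO on every domain controller and also reports the two orphan cases (AD object without a SYSVOL folder, SYSVOL folder without an AD object). It assumes the RSAT GroupPolicy and ActiveDirectory modules, read access to the SYSVOL share on each DC, and the hypothetical function name Test-GpoConsistency.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Added example, not part of the original guide. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules and read access to SYSVOL on every domain controller.
function Test-GpoConsistency {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    $dcs      = (Get-ADDomainController -Filter * -Server $Domain).HostName
    $findings = New-Object System.Collections.Generic.List[object]
    $note = { param($dc, $gpo, $issue)
        $findings.Add([pscustomobject]@{ DC = $dc; Gpo = $gpo; Issue = $issue }) }

    # Read groupPolicyContainer objects directly from AD so that containers GPMC cannot
    # show (no displayName, or a mangled name such as the CNF: conflict object in the
    # guide's sample scenario) are still examined.
    $containers = Get-ADObject -Server $Domain -SearchBase "CN=Policies,CN=System,$domainDN" `
        -SearchScope OneLevel -Filter 'objectClass -eq "groupPolicyContainer"' `
        -Properties displayName

    foreach ($dc in $dcs) {
        # SYSVOL side: only the {GUID} folders, not PolicyDefinitions (central store)
        $sysvolDirs = Get-ChildItem -Path "\\$dc\SYSVOL\$Domain\Policies" -Directory |
            Where-Object { $_.Name -match $guidName } | Select-Object -ExpandProperty Name

        foreach ($c in $containers) {
            if ($c.Name -notmatch $guidName) {
                & $note $dc $c.Name 'Container name is not a plain GUID; inspect with ADSI Edit'
            } elseif ($sysvolDirs -notcontains $c.Name) {
                & $note $dc $c.Name 'GPO object in AD has no folder in SYSVOL'
            } elseif (-not $c.displayName) {
                & $note $dc $c.Name 'GPO has no displayName (invisible in GPMC)'
            }
        }
        foreach ($dir in $sysvolDirs) {
            if ($containers.Name -notcontains $dir) {
                & $note $dc $dir 'SYSVOL folder has no GPO object in AD (orphan)'
            }
        }

        # Version check against this specific DC: the same DS-vs-Sysvol comparison GPOTool does
        foreach ($gpo in Get-GPO -All -Domain $Domain -Server $dc) {
            if ($gpo.User.DSVersion -ne $gpo.User.SysvolVersion -or
                $gpo.Computer.DSVersion -ne $gpo.Computer.SysvolVersion) {
                & $note $dc "{$($gpo.Id)}" ('Version mismatch: DS={0}(user) {1}(machine), Sysvol={2}(user) {3}(machine)' -f
                    $gpo.User.DSVersion, $gpo.Computer.DSVersion, $gpo.User.SysvolVersion, $gpo.Computer.SysvolVersion)
            }
        }
    }
    return $findings
}

Test-GpoConsistency | Format-Table -AutoSize
```

As with GPOTool, a mismatch seen only once may just be replication in flight; run it again a few minutes later before deleting anything.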

Now that we have deleted the corrupt old GPOs, we will have a look at those that are not linked and therefore, in most cases, are not needed anymore. Again, you can either use the Group Policy Management Console or the script FindUnlinkedGPOs.wsf that comes with the GPMC sample scripts. Using the GPMC is fine if you just have a few GPOs; if you have many, I recommend running the FindUnlinkedGPOs.wsf script.

    cscript "C:\Program Files\Microsoft Group Policy\GPMC Sample Scripts\FindUnlinkedGPOs.wsf" > unlinked.txt

Result:

    == GPOs that are not linked anywhere in LAB.NET ==
    NOTE: links to sites, as well as external domains, will not be checked.
    {34FA3C94-8A78-4B4F-8387-9120B4DE0EE0} Alex_Test01
    {48A3083B-09C7-47B9-BFBA-D3068447FE43} Alex_citrix_users
    {788AB4E6-FCCB-49E0-A831-4904936A0118} Alex_Silverlight

Whether you delete these GPOs is up to you; maybe they are unlinked on purpose and used only on an ad-hoc basis for testing. If there are other GPO admins within your enterprise, you might want to ask them first before deleting anything.

Another script you want to run is FindDisabledGPOs.wsf; it lists those GPOs where both the user and the computer side of the GPO settings are disabled.

Another annoyance is GPOs with the same name. If you have naming conventions for GPOs this should not happen, but it is worth checking for these as well. Run the script FindDuplicateNamedGPOs.wsf to find any GPOs with duplicate names.
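As an added example (not from the original guide or the GPMC sample scripts), the three checks above, unlinked, fully disabled and duplicate-named GPOs, can also be done from PowerShell with the GroupPolicy module. It assumes the RSAT GroupPolicy module and the hypothetical function name Get-GpoHousekeepingReport; as with FindUnlinkedGPOs.wsf, site links and external domains are not covered, since only the links recorded in each GPO's own XML report are inspected.

```powershell
Import-Module GroupPolicy

# Added example, not part of the original guide. Assumes the RSAT GroupPolicy module.
function Get-GpoHousekeepingReport {
    param([string]$Domain = $env:USERDNSDOMAIN)

    $all = Get-GPO -All -Domain $Domain

    # Unlinked: the XML report carries one <LinksTo> element per domain/OU link,
    # so a GPO whose report has none is linked nowhere (site links are not covered)
    $unlinked = foreach ($gpo in $all) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -Domain $Domain -ReportType Xml
        if (-not $report.GPO.LinksTo) { $gpo }
    }

    # Disabled: both the user side and the computer side are switched off
    $disabled = $all | Where-Object { $_.GpoStatus -eq 'AllSettingsDisabled' }

    # Duplicates: the same DisplayName on more than one GPO object
    $duplicates = $all | Group-Object -Property DisplayName | Where-Object { $_.Count -gt 1 }

    [pscustomobject]@{
        Unlinked   = @($unlinked | Select-Object DisplayName, Id)
        Disabled   = @($disabled | Select-Object DisplayName, Id)
        Duplicates = @($duplicates | ForEach-Object {
                         [pscustomobject]@{ DisplayName = $_.Name; Ids = @($_.Group.Id) } })
    }
}

$r = Get-GpoHousekeepingReport
"== GPOs that are not linked anywhere in $env:USERDNSDOMAIN =="
$r.Unlinked   | Format-Table -AutoSize
"== GPOs with both user and computer settings disabled =="
$r.Disabled   | Format-Table -AutoSize
"== GPOs sharing a display name =="
$r.Duplicates | Format-Table -AutoSize
```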

Sample Scenario Case

Now here is a case I want to share with you. The log file reported the following:

    Policy {66AC7F00-4C27-4D23-BB33-1A9BB6CC1A56}\0ACNF:008821e1-046f-477a-8424-2c942f0c9b26
    Error: Cannot access \\LAB-DC01.LAB.NET\sysvol\LAB.NET\policies\{66AC7F00-4C27-4D23-BB33-1A9BB6CC1A56}\0ACNF:008821e1-046f-477a-8424-2c942f0c9b26, error 3
    Error: Cannot access \\LAB-DC02.LAB.NET\sysvol\LAB.NET\policies\{66AC7F00-4C27-4D23-BB33-1A9BB6CC1A56}\0ACNF:008821e1-046f-477a-8424-2c942f0c9b26, error 3
    Details:
    DC: LAB-DC01.LAB.NET
    Friendly name: LAB-SAB-Wireless
    Created: 9/16/2008 11:51:18 AM
    Changed: 4/21/2009 9:26:52 AM
    DS version: 0(user) 1(machine)
    Sysvol version: not found
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: not found
    Machine extensions: [{0ACDD40C-75AC-47AB-BAA0-BF6DE7E7FE63}{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}]
    Functionality version: 2

    DC: LAB-DC02.LAB.NET
    Friendly name: LAB-SAB-Wireless
    Created: 9/16/2008 11:51:18 AM
    Changed: 4/17/2009 7:52:40 AM
    DS version: 0(user) 1(machine)
    Sysvol version: not found
    Flags: 0 (user side enabled; machine side enabled)
    User extensions: not found
    Machine extensions: [{0ACDD40C-75AC-47AB-BAA0-BF6DE7E7FE63}{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}]
    Functionality version: 2

What is interesting here is that the policy GUID is much longer than the other ones; in fact, it looks like something went terribly wrong. The GUID for this policy looks like this:

    {66AC7F00-4C27-4D23-BB33-1A9BB6CC1A56}\0ACNF:008821e1-046f-477a-8424-2c942f0c9b26

whereas a usual policy looks as follows:

    {5A12BC2A-39B2-48A4-BA61-886E942275B9}

Most likely because this GPO has such a weird GUID, it is not shown in the Group Policy Management Console, and it cannot be deleted using the PowerShell cmdlet, because the command fails, again most likely due to its weird GUID. So what do we do with a GPO object we cannot get rid of using the standard tools and procedures? We are going to use ADSI Edit.

IMPORTANT NOTE! BE VERY CAREFUL WHEN USING ADSI EDIT; doing the wrong thing can cause severe damage to your Active Directory infrastructure.

When opening ADSI Edit and navigating to the Policies branch, we see the two damaged GPO objects. After deleting these with ADSI Edit, GPOTool did not report the errors anymore.

End