Troubleshooting Group Policy Jeremy Moskowitz, Group Policy MVP Chief Propeller-Head: GPanswers.com Founder: PolicyPak Software (policypak.com) Twitter: @jeremymoskowitz.

Download Report

Transcript Troubleshooting Group Policy Jeremy Moskowitz, Group Policy MVP Chief Propeller-Head: GPanswers.com Founder: PolicyPak Software (policypak.com) Twitter: @jeremymoskowitz. 

Troubleshooting Group Policy
Jeremy Moskowitz, Group Policy MVP
Chief Propeller-Head: GPanswers.com
Founder: PolicyPak Software (policypak.com)
Twitter: @jeremymoskowitz
Our Trouble Spot Road Map
• New Areas – New potential problems
• Updated “under the hood” changes
• The Central Store. The “Why” and “Problems”
• Updated logging model
• RSoP differences for Windows XP vs. Windows Vista+ clients
• Troubleshooting Group Policy Preference Extensions
2
Under the hood changes
• “No Brain energy required”
• Group Policy runs as a “hardened” service
• 3rd party CSEs are isolated
• Changes in behavior when clients are offline for a while… (next
slide)
3
Network Location Awareness: NLA 2.0
• Offline for a while? Get Group Policy next time
you connect.
• No more “ping”/ ICMP requirement
• Key takeaway:
• Group Policy refreshes only if you missed your last refresh
cycle
4
NLA / Reporting
• Look for NLA events with slow ? fast link transitions
5
Group Policy Internals
• Group Policy has two “halves”
• GPC: Group Policy Container
• Record in Active Directory
• GPT: Group Policy Template
• “Downloadable” bits from SYSVOL
6
Group Policy Troubleshooting (for the GPO iteself)
• GPOtool
• Determines general GPO health
• Litmus Tests:
• Creating new user in Active Directory
Users & Computers
• Creating new .txt file in SYSVOL
• Deeper SYSVOL / DFS problems
• Sonar
• Ultrasound
• “Troublehsooting FRS”
• www.tinyurl.com/7lt5
7
Why did Microsoft move away from ADM files?
• ADM files
• Conf.adm
• Inetres.adm
• System.adm
• Wmplayer.adm
• Wuau.adm
• Simple
• But … problems (next page)
8
Problems to Solve
• 1: How do we prevent burning 4MB within each Group Policy
Object?
• 2A: How do we deal with multiple languages and
• 2B: …preventing “write overlaps”?
• 3: How do we distribute new definitions updates to all admins?
9
Central Store Success / Problems
• Central Store not created
properly
• ADML language files not in
precise place
• SYSVOL replication is
damaged
• Older clients are used to
manage/edit GPOs
10
Why you need a Windows 7 management machine
Our Trouble Spot Road Map
• New Areas – New potential problems
• Updated “under the hood” changes
• The Central Store. The “Why” and “Problems”
• Updated logging model
• RSoP differences for Windows XP vs. Windows Vista+ clients
• Troubleshooting Group Policy Preference Extensions
12
Quick Review of XP Troubleshooting
• Major events in the Event log
• Step-by-step events in the
\windows\debug\usermode\Userenv.log
• Tip: Use SysProSoft PolicyReporter to make more “meaningful”
• http://www.sysprosoft.com/policyreporter.shtml
Breakdown of Stuff in Userenv.log
Different
Thread
ID
Same
Process
Different
Thread
ID
Clues
Timestamp
Red
Herrings
Windows 7 Group Policy Troubleshooting
• Userenv.log—going away… (Next slide)
• “Basic news”—in System log
Windows 7 Group Policy Troubleshooting
“Micro-news” in the GroupPolicy Operational Log
Replaces
UserEnv log
Making Lemonade from Logs
• Focus in on ONE “Group Policy Event Cycle”
• Use the Operational logs


Get
ActivityID
and…
Make an Event Filter
<QueryList><Query Id="0" Path="Application"><Select
Path="Microsoft-WindowsGroupPolicy/Operational">*[System/Correlation/@ActivityID='
{INSERT ACTIVITY ID HERE}']</Select></Query></QueryList>
GPlogview Tool
• Download:
• http://go.microsoft.com/fwlink/?LinkId=75004
• Log one cycle
• Gplogview -a <activityID> -o output.txt
•
Gplogview -a 9A867233-04FF-4625-B7D1-6DEB763E2DCA -o output.txt
• Monitor incoming cycle (two windows)
• Gplogview –m
• Caveats
• Must be run in “admin” command shell
DEMO
Eventing and GPlogview
Our Trouble Spot Road Map
• New Areas – New potential problems
• Updated “under the hood” changes
• The Central Store. The “Why” and “Problems”
• Updated logging model
• RSoP differences for Windows XP vs. Windows Vista+ clients
• Troubleshooting Group Policy Preference Extensions
21
GPresult on Windows 7
Gpresult Wackiness
• Why can’t I see computer-side RSOP?
• Totally frustrating
(as the error is about the user, not the computer)
Permissions Delegation for Seeing Own Computer RSOP
• Domain Level or OU level
Our Trouble Spot Road Map
• New Areas – New potential problems
• Updated “under the hood” changes
• The Central Store. The “Why” and “Problems”
• Updated logging model
• RSoP differences for Windows XP vs. Windows Vista+ clients
• Troubleshooting Group Policy Preference Extensions
25
Troubleshooting Group Policy Prefs
• Reporting…
• Eventing…
• Tracing…
Reporting
• GPRESULT: /H
shows
GPPrefs
output
• GPMC:
Multiple
items at a
level can be
tricky
• Rename your
pref items for
clarity
Events
• App Log on all platforms shows the bad news
• Windows 7 has own “source”
• So you can filter “bad news” based on just the problem area
• Windows 7 Operational log:
• Not for GPPEs
• Rather, just for GPOs overall
Tracing
• Used for final
troubleshooting
• Planning
(RSoP.msc)
logging is not
used
Logs go to
%COMMONAPPDATA%\GroupPolicy\Preference\Trace\Com
puter.log and User.log (usually c:\ProgramData\...)
Group Policy Prefs Tracing Example
Tracing Gotchas
31
• Win7 RSAT doesn’t contain the ADMX settings.
• Option 1:
• Copy the WS08 or R2 “GroupPolicyPreferences.admx/adml” to
central store
• Option 2:
• Install the ADMX/ADML from MSI
• http://tinyurl.com/ll22cf
• Installs to C:\Program Files\Microsoft Group
Policy\Preferences\
• Move up to Central Store
Stay up to date with TechNet Belux
Register for our newsletters and stay up to date:
http://www.technet-newsletters.be
• Technical updates
• Event announcements and registration
• Top downloads
Join us on Facebook
Download
MSDN/TechNet Desktop Gadget
http://www.facebook.com/technetbe
http://bit.ly/msdntngadget
http://www.facebook.com/technetbelux
LinkedIn: http://linkd.in/technetbelux/
Twitter: @technetbelux
TechDays 2011 On-Demand
• Watch this session on-demand via TechNet Edge
http://technet.microsoft.com/fr-be/edge/
http://technet.microsoft.com/nl-be/edge/
• Download to your favorite MP3 or video player
• Get access to slides and recommended resources by the speakers
Do MORE with Group Policy
THANK YOU