Computer Performance, Windows Server 2003

Guy recommends :
Free Solarwinds
VM Console

Solarwinds VM Console Free Download

Find out which of your VMs are a waste of space and which VMs need more resources.
Custom Search

Guy recommends:
Free network monitor

Solarwinds Network Device Monitor

Solarwinds' free monitor makes it easy to check the performance and health of a router or firewall.

Download your free Network Device Monitor

Guy's Review of
Computer Utilities

 1) FreePing
 2) Engineer's Toolset
 3) Xobni
 4) PuTTY
 5) WMI Monitor
 6) BgInfo
 7) Net-SNMP
 8) IP Address Tracker
 9) DNS Stuff
10) WinDiff Compare

Troubleshooting Group Policy in Windows Server 2003

Troubleshooting Group Policy Tips

I have distilled my troubleshooting tips for solving problems with Group Policy on Windows Server 2003.  My advice ranges from the obvious, gpupdate, to the obscure, spaces in policy names.

  1. Refresh the Policy with Gpupdate
  2. Check User and Computer are in the Correct OU
  3. Synchronization check FSMO, check FRS
  4. Which Group Policies are in force? - GPMC
  5. Do I need to reboot?
  6. Why can't I open the Group Policy Editor?
  7. What causes 'Failed to open the Group Policy object'
  8. Why do I get the 'Missing Active Directory Container' message?
  9. Error: 'The Feature you are trying to install cannot be found'?
  10. My VBScript Policy does not execute via Group Policy?
  11. Spaces in Script names?
  12. Where do I start creating a Group Policy?
  13. If all else fails - check the event viewer
  14. I have made a terrible foul up.  My policies are a disaster
  15. Group Policy Block Inheritance
  16. Group Policy Troubleshooting Tools

  ‡

Get Into the Troubleshooting State of Mindtroubleshooting group policy

My first tip for troubleshooting Microsoft's Group Policy is this: Put yourself in the right frame of mind.  Get into 'State' as Anthony Robbins would say.  Believe that you are going to solve this problem.

80% of all computer problems are caused by a simple fault.  In the case of Group Policies, check that the user or computer is in the OU that you are testing.  By default, all computers are in the Computer folder.  That means that if you set a policy at an OU, the computer settings will have no effect on any computers still in the original computers folder.

A variation of this problem is, that people do not realize that Windows Server 2003 Domain Controllers have their own special policy, again find the Domain Controller container and configure that default policy.  I would advise against moving the Domain Controllers into an OU.

So, if you logon as a user and none of your policy settings apply - check to see that the user account is in the same OU as the policy you are testing.  Incidentally, when troubleshooting, this is why I always include one or two trivial computer settings along with main user setting that I am testing.  If the trivial computer settings work, but the one I am testing fails, then that pin points where the fault lies.

Now for specific and practical Group Policy advice:

Guy's Troubleshooting Advice

 When troubleshooting, ask your self what was the last thing I did?  Now undo those settings and see if that cures your problem.
Q1) Have you refreshed the Group Policy settings? Run Gpupdate /force
Q2) Why is my Group Policy not working?

a) Is the user and the computer in the correct OU?  Check which OU the user and the computer is located.

b) Check Block Inheritance.

c) Possibly a No Override policy is preventing your settings.

d) Has the user 'Apply Policy' Permission?  Or have they 'Deny Policy' Permission?
Q3) Could it be a synchronization problem?

There are two factors in Group Policy synchronization. Active directory replication from the FSMO master to the other DCs.  Also FRS (file replication services) replicating the very group policies under the sysvol\sysvol folder.

Be ruthless, logon an as an administrator at the Windows 2003 server, which holds the FSMO PDC Emulator master and see if that cures the problem.
Q4) You want to know which Policies are in force
Q5) Can I refresh the policy without a reboot? That depends!  Most do.  Gpupdate /force refreshes the policy instantly, however some policies require a reboot or a user to logon again.  For example, Software policies.
Q6) Why can't I open the policy editor? Perhaps you only have 'Read only' permission.  Full control is needed to open the GPO.

Guy Recommends:  Solarwinds' Log & Event Management ToolSolarwinds Log and Event Management Tool

LEM will alert you to problems such as when a key application on a particular server is unavailable.  It can also detect when services have stopped, or if there is a network latency problem.  Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a maleware attack.

Yet perhaps the killer reason why people use LEM is for its compliance capability, with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA.  LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches.

Download your FREE trial of Solarwinds Log & Event Management tool.
Q7) What causes 'Failed to open the Group Policy object' Most likely a DNS problem.  Try NSLookup, Ping, Ipconfig to confirm or deny the diagnosis.
Q8) Why do I get the 'Missing Active Directory Container' message? Hopefully, the problem is just a delayed DC replication.  Try and force domain replication in Active Directory Sites and Services, drill down trough Server to  NTDS and synchronise.
Q9) How can I stop this error:  'The Feature you are trying to install cannot be found'? Check the share and NTFS permission on the .MSI package folder.
Q9) My Script Policy does not work For specific help with logon scripts, Check out this section
Q10) My VBScript Policy does not execute via Group Policy? The script runs perfectly as a console user, but not as a logon script on a Workstation.  Solution: make sure that on the Workstation, the primary DNS server = Domain controller.

If necessary set the DNS server manually rather than relying on DHCP

I thank Bob Phillips for this tip.
Q11) Spaces in Script names? Beware spaces in logon script names.  E.g. Head Quarters.vbs .  Try Head_Quarters.vbs. 

Thanks again to Bob Phillips for this tip.
Q12) Where do I start creating a Group Policy?
  • On Windows Server 2003, navigate to the Active Directory Users and Computers.
  • Right click the Domain object, Properties, Group Policy (Tab)
  • Next 'click' the Edit (button) and you will see the policy settings.
Q13) If all else fails Check the Event Viewer.  Filter the Application Log for Source = SceCli.  Really we should have checked here FIRST!

If you find a suspicious entry, then check the ID numbers and details in TechNet.
Q14) I have made a terrible foul up.  My policies are a disaster Run DcGpoFix to return the default Group Policies to their original state.

 
Q15) Would Block Inheritance help? Judicious use of Block Inheritance can isolate a probem.

Group Policy Troubleshooting Tools

  • Resultant Set Of Policy (RSOP) Wizard
  • Gpresult
  • Gpupdate
  • DcGpoFix
  • Dsacls
  • WinPolicies
  • GPOTool
  • Event Viewer and Application Log

Solarwinds Config GeneratorGuy Recommends: The Free Config Generator

Solarwinds' Config Generator is a free tool, which puts you in charge of controlling changes to network routers and other SNMP devices.  Boost your network performance by activating network device features you've already paid for.

Guy says that for newbies the biggest benefit of this free tool is that it will provide the impetus for you to learn more about configuring the SNMP service with its 'Traps' and 'Communities'.

Download your free copy of Config Generator

Group Policy Drive MapsGroup Policy Map Drive

The modern group policy method of drive mapping does not require any knowledge of either VBScript or PowerShell.  In Windows Server 2008 you can launch the GPMC and configure Drive Maps in the Preferences section.  See more on Group Policy Drive Maps.

Summary of Troubleshooting Group Policy Settings

While it has some risks, I would logon to a Domain Contoller then get a very simple, innocuous policy working for an administrator.  It's amazing what a little success can do.  From there create a test OU with a test user and experiment.

If you have just set a policy and it does not work, check what refresh settings are necessary, logoff --> logon, or reboot.  The next level of troubleshooting is to see if it's a latency problem, you applied the Policy, but the setting has not reached the client machine.  Hence my tip of trying the policies on the domain controller.

See more Group Policies for Windows Users

Group Policies   • GPO Internet Explorer   • Group Policy Block Inheritance   • Logon Script Policies

Start Menu Group Policies   • Network Policies  • GPMC   • Troubleshooting Group Policies

Group Policy Overview  • Group Policy Results  • System Group Policies   • Software Installation

If you like this page then please share it with your friends

 

 *

Custom Search

Guy Recommends:
Orion's NPM - Network Performance MonitorReview of Orion NPM

Orion's performance monitor is designed for detecting network outages.  NPM makes it easy to see what's working, and what needs your attention.

This utility guides you through creating network maps.  It also helps troubleshooting by indicating whether the root cause is faulty equipment, or resource overload.

Download a free trial of Network Performance Monitor

 

Home Copyright © 1999-2012 Computer Performance LTD All rights reserved

Please report a broken link, or an error.