Best Practice Ezine #57 Group Policy Tips

If you remember, Group Policies control user and computer registry settings.  As a result, you can specify precisely which features your users receive after they log on.  My mission is to give you tips for planning and troubleshooting Windows Server 2003 Group Policies with XP clients.  However, much of the advice is relevant to earlier operating systems.

GPMC – free from Microsoft

My best advice for creating and amending Group Policies is to get a copy of GPMC (Group Policy Management Console) from Microsoft’s site.  Not only will it save you time when you need to document which policies are in operation, but you can also play ‘what if’ games with the Modeling section at the bottom of the GPMC.

Planning OUs and Group Policy

If you are still at the planning stage, do take the trouble to create your OUs with Group Policy in mind.  For example, why not create a Servers OU and then apply Group Policy to that OU?  The trap is that neither the default Computers nor the default Users container is an OU.  You only have to look at the yellow object to see the difference between Computers and Domain Controllers.  The Domain Controllers folder has that little book symbol and is therefore an OU, capable of receiving Group Policies.  If you warm to this theme, you may wish to create a Desktop OU and a Laptop OU so that you can apply different Group Policies to those machines.

It is possible to change the default container where you create users and computers; the utilities are redircmp and redirusr.  In Windows Server 2003 you can run them from the command line; for earlier operating systems, try the resource kit.  Actually, redircmp and redirusr do not get the ‘Guy seal of approval’, because I prefer to specify the OU when I script a new user with CSVDE or VBScript.

Troubleshooting Tips

The first rule of troubleshooting is to start with the most likely source.  In the case of Group Policy, I bet that the problem is that either the User or the Computer is in a different OU from the one where you created the Group Policy.  A variation of this problem is that you apply the policy in the Computer Configuration section, whereas you intended it for the User Configuration section.

Troubleshooting Group Policies can be very frustrating.  To see if my amendments have worked, I refresh the user settings with gpupdate.  To save time, I create a simple VBScript which runs gpupdate /force (Mad Mick prefers a batch file).  Next, I create a shortcut and assign it the keyboard combination Ctrl Shift G.  Note that for some computer settings, Software Installation policies for example, gpupdate /force often does not work and you will need a reboot.

For more exotic Group Policy problems, realize that there are synchronization delays.  For this reason, I always troubleshoot on the domain controller that holds the FSMO role called PDC emulator.  If you are testing policies anywhere else, then you should be aware of two causes of replication latency: firstly, Active Directory, which replicates the GPO objects, and secondly, the File Replication Service, which distributes the actual policy files.  These are the physical files found under the \sysvol\sysvol folder.  Incidentally, each policy takes about 4 MB of disk space, so if you have 50 separate policies it can start eating into your free disk space.

Some administrators cause self-inflicted Group Policy problems, for instance by renaming the Group Policy or renaming the default .adm files.  My advice is: don’t rename anything to do with Group Policies.  I also have reports of problems caused by Group Policies containing spaces.
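As an added example (not from the ezine), this PowerShell checks the two replication sources named above, Active Directory and SYSVOL, for every GPO read from the PDC emulator, then refreshes the local machine with gpupdate /force.  It assumes the RSAT ActiveDirectory and GroupPolicy modules (Windows Server 2008 R2 / Windows 7 or later), which the Windows Server 2003 GPMC did not ship.

```powershell
# Added example, not from the ezine. Requires the RSAT ActiveDirectory and
# GroupPolicy modules (Windows Server 2008 R2 / Windows 7 or later).
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoReplicationState {
    # Query the PDC emulator, as the article recommends, so the AD side of
    # each GPO is read from the DC where edits are written first.
    $pdc = (Get-ADDomain).PDCEmulator

    Get-GPO -All -Server $pdc | ForEach-Object {
        # DSVersion is the version stamped on the AD object (replicated by AD);
        # SysvolVersion is read from gpt.ini in SYSVOL (replicated by FRS or
        # DFS-R). While the two differ, clients can read a half-updated policy.
        $computerInSync = ($_.Computer.DSVersion -eq $_.Computer.SysvolVersion)
        $userInSync     = ($_.User.DSVersion     -eq $_.User.SysvolVersion)
        [pscustomobject]@{
            Name           = $_.DisplayName
            Status         = $_.GpoStatus
            ComputerDS     = $_.Computer.DSVersion
            ComputerSysvol = $_.Computer.SysvolVersion
            UserDS         = $_.User.DSVersion
            UserSysvol     = $_.User.SysvolVersion
            InSync         = ($computerInSync -and $userInSync)
        }
    }
}

# Out-of-sync policies ($false sorts first) are the ones still waiting on
# SYSVOL replication; testing them on another DC gives misleading results.
Get-GpoReplicationState | Sort-Object InSync | Format-Table -AutoSize

# Refresh the local machine the way the article does. Software Installation
# policies still need a reboot before they take effect.
gpupdate /force
```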

Group Policy’s own Backup

I have yet to meet anyone who has actually used Group Policy’s built-in Backup.  There are two reasons why everyone suffers from this particular ‘Achilles’ heel’.  Firstly, you have to find the Group Policy Objects container, right-click the Group Policy, then select Back Up.  My point is that if you select the normal Group Policy shortcut, there is no Backup on the menu.  Secondly, everyone argues that a System State backup will cover Group Policies.  This is only partially correct, as my old mate ‘Mad’ Mick found out.  What Mick discovered at his customer’s site was that you could only restore a System State version of a Group Policy via an authoritative restore.  Fortunately, Mick is an expert with NTDSUTIL, but even so, an authoritative restore took him half the morning.
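The same GPMC backup, scripted so that it actually gets used, as an added example that is not from the ezine.  It assumes the GroupPolicy module (Windows Server 2008 R2 / RSAT or later; the 2003 GPMC exposed Back Up only through the GUI) and a backup root of D:\GPO-Backups, which is a placeholder.

```powershell
# Added example, not from the ezine. Uses the GroupPolicy module
# (Windows Server 2008 R2 / RSAT or later).
Import-Module GroupPolicy

function Backup-AllGpos {
    param([string]$Root = 'D:\GPO-Backups')  # assumed path, change to suit
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd_HHmm')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    # Backup-GPO writes one folder per GPO plus manifest.xml; it is the same
    # backup GPMC makes from the Group Policy Objects container, driven from
    # a script instead of a right-click that nobody remembers.
    $result = Backup-GPO -All -Path $dest -Comment "Scripted backup $(Get-Date -Format s)"
    [pscustomobject]@{
        Path        = $dest
        GpoCount    = @($result).Count
        HasManifest = Test-Path (Join-Path $dest 'manifest.xml')
    }
}

function Restore-OneGpo {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path
    )
    # Restoring from a GPMC-style backup brings back one policy's settings
    # without the authoritative AD restore a System State backup would force.
    Restore-GPO -Name $Name -Path $Path
}

$backup = Backup-AllGpos
$backup
# Example restore of a single policy from the backup just taken:
# Restore-OneGpo -Name 'Default Domain Policy' -Path $backup.Path
```

A GPO backup holds the policy's settings and security filtering but not its links to OUs or the WMI filter objects themselves; keep a Get-GPOReport -ReportType Xml alongside it to record those.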

WMI Filters

My current project is developing WMI filters for Group Policies.  I am experimenting with WQL to control which machines get which Group Policy.  WQL is like SQL, and at the heart of the WMI filter is a statement in this format:
Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
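Because a WMI filter is evaluated on each client, the cheapest way to see which machines it will match is to run the same WQL against them before linking the filter.  The PowerShell below is an added example, not from the ezine; the computer names are constructed and the LIKE variant is my addition to tolerate trailing whitespace or edition suffixes in Caption.

```powershell
# Added example, not from the ezine. Runs the article's WQL statement against
# a few machines so you can see which ones a WMI filter would match before
# attaching the filter to a GPO. Computer names are constructed placeholders.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"'
# Looser form: survives trailing spaces or extra words in the Caption string.
$wqlLike = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP Professional%"'
$computers = @('ws-xp-01', 'ws-xp-02', 'srv-file-01')

function Test-WmiFilter {
    param([string[]]$ComputerName, [string]$Query)
    foreach ($c in $ComputerName) {
        try {
            # Get-WmiObject talks DCOM, which XP clients answer (they have no
            # WinRM for Get-CimInstance). The GPO engine evaluates the same
            # query on the client and applies the policy only when at least
            # one instance is returned.
            $os  = Get-WmiObject -ComputerName $c -Class Win32_OperatingSystem -ErrorAction Stop
            $hit = Get-WmiObject -ComputerName $c -Query $Query -ErrorAction Stop
            [pscustomobject]@{
                Computer = $c
                Caption  = "[$($os.Caption)]"   # brackets expose stray whitespace
                Matches  = [bool]$hit           # $null result -> $false
            }
        } catch {
            [pscustomobject]@{ Computer = $c; Caption = 'unreachable'; Matches = $null }
        }
    }
}

Test-WmiFilter -ComputerName $computers -Query $wql     | Format-Table -AutoSize
Test-WmiFilter -ComputerName $computers -Query $wqlLike | Format-Table -AutoSize
```

Windows 2000 clients ignore WMI filters entirely and apply the linked GPO regardless, so the filter only restricts XP and later.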

Mr Nice

In my experience, only a few gifted network managers actively seek Group Policies that help their users.  Most administrators focus on Group Policies that disable or deny features.  This is a shame, because they miss an opportunity to be helpful.  My advice is to put on your Mr Nice hat and investigate settings that improve users’ experience.  For example, you could set policies for Printer Locations, assigning software, Proxy IP settings and useful URLs in IE.  Why not add Logoff to the Start Menu and so encourage users to leave their machines in a secure state?  There are also numerous policies to help laptop users, for example synchronizing before logoff.

Good news to finish with: Windows 2003 Server SP1 introduces hundreds more Group Policy settings, particularly for Internet Explorer in inetres.adm.