I picked up the following advice for troubleshooting application of group policy objects (GPOs) from John Howard at a recent Microsoft TechNet UK event and thought it might be useful if I posted it here:
- Is the client operating system Windows 2000 or later? Group policy is not available with legacy clients.
- Are computer and user accounts valid in the Active Directory (AD) domain? Group policy is not available with NT domains.
- Are the accounts in the correct organizational unit (OU)?
- Can clients access the sysvol share on the domain controller? GPOs are partly stored in AD, but also within sysvol.
- Is AD replicating correctly? AD information and sysvol information are replicated via the file replication service (FRS).
- What is the connectivity like between the client and the nearest domain controller? It may be useful to know that slow link detection relies on ICMP; if ICMP is disabled then this may cause some issues (further information is contained in Microsoft knowledge base article 816045).
- Have changes been made to the default policies that may be causing issues? Microsoft recommend that the default policies are not changed, and that new policies are created instead to override the defaults (policy precedence is discussed in the priority order for the application of GPOs post from September 2004).
- Check DNS – Microsoft UK claim that 50% of the GPO calls received by their product support services (PSS) division are actually DNS issues.
If none of the above resolve the issue, then the issue is likely to be with a GPO itself and there are several tools available to assist with diagnosing this. The group policy modelling wizard and group policy results wizard (which includes WMI filtering) are both included within the group policy management console (GPMC), a free download from Microsoft which also provides reports on policy settings (discussed in the new features of Windows Server 2003 Active Directory post from February 2005). GPMC makes use of the resultant set of policy (RSoP) service to ascertain the policies that would have been applied. Although it is an older utility, the gpresult.exe command line tool (along with gpupdate.exe) is extremely useful for diagnosing the application of GPOs.
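The DNS, ICMP and sysvol items in the checklist can be checked from the affected client in one pass, followed by the gpupdate.exe and gpresult.exe step. This is an added example, not part of the original advice: the function name `Test-GpoPrerequisites` is hypothetical, and it assumes a domain-joined client running Windows 8 / Server 2012 or later (for `Resolve-DnsName` and `gpresult /r`) with a domain user logged on.

```powershell
# Added example: client-side pass over the DNS, ICMP and sysvol checklist items.
# Test-GpoPrerequisites is a hypothetical name, not a built-in cmdlet.
function Test-GpoPrerequisites {
    param([string]$Domain = $env:USERDNSDOMAIN)

    if (-not $Domain) {
        throw 'No AD DNS domain found: is a domain account logged on?'
    }
    $results = [ordered]@{}

    # DNS: the client locates domain controllers through these SRV records.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV `
               -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $results['DNS SRV records for DCs'] = [bool]$srv

    # LOGONSERVER holds \\NAME of the DC that authenticated this session.
    # After a cached (offline) logon it is the local machine, so treat that as a failure.
    $dc = if ($env:LOGONSERVER) { $env:LOGONSERVER.TrimStart('\') } else { $null }
    if ($dc -eq $env:COMPUTERNAME) { $dc = $null }
    $results['Logged on against a DC'] = [bool]$dc

    if ($dc) {
        # ICMP: slow link detection relies on it, so a blocked ping matters here.
        $results["ICMP to $dc"] = Test-Connection -ComputerName $dc -Count 2 -Quiet

        # sysvol: the file-based part of each GPO lives under the Policies folder.
        $results["sysvol on $dc"] = Test-Path "\\$dc\SYSVOL\$Domain\Policies"
    }

    # The same share reached through the domain name, which depends on DNS again.
    $results['sysvol via domain name'] = Test-Path "\\$Domain\SYSVOL\$Domain\Policies"

    $results.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

Test-GpoPrerequisites | Format-Table -AutoSize

# If every check passes, refresh policy and list the GPOs that were applied or filtered out.
gpupdate.exe /force
gpresult.exe /r
```

A failure on the sysvol check by domain name while the check against the named domain controller passes points back at DNS rather than at the share itself.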