Logo
PREGNANCY
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
 
 
Windows Server

Windows Server 2008 R2 Administration : Managing Users with Local Security and Group Policies (part 3) - Troubleshooting Group Policy Applications

3/5/2011 3:45:50 PM

Troubleshooting Group Policy Applications

When policies are used throughout an organization, sometimes the policy settings do not apply to a user or computer as originally intended. To begin basic troubleshooting of Group Policy application issues, you need to understand the policy application hierarchy. First, any local server or workstation policies are applied to the user or computer, followed by site group policies, domain group policies, and, finally, the organizational unit group policies. If nested OUs have group policies, the parent OU policies are processed first, followed by the child OUs, and, finally, the OU containing the Active Directory object (user or computer). You might find it easier to remember “LSD-OU”—the acronym for local, site, domain, and then OU.

Now that you know the order in which policies are applied, you can proceed to use the Group Policy testing and troubleshooting tools provided with Windows Server 2008 R2—namely the Group Policy Modeling tool in the Group Policy Management Console and the command-line utility GPResult.exe, which is the command-line version of the RSoP snap-in.

The Group Policy Modeling Tool

The Group Policy Modeling snap-in can be used to show the effective policy settings for a user who logs on to a server or workstation after all the respective policies have been applied. This tool is good for identifying which policies are being applied and what the effective setting is.

To simulate the policies for a user, use the Group Policy Modeling snap-in as follows:

1.
Launch Server Manager on a domain controller.

2.
Expand the Features folder.

3.
Expand the Group Policy Management Console.

4.
Expand the Forest folder.

5.
Select the Group Policy Modeling snap-in.

6.
Select Action, Group Policy Modeling Wizard to launch the wizard.

7.
Click Next.

8.
Leave the default domain controller selection, which chooses any available domain controller. The domain controller must be running Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. Click Next.

9.
Select the User option button in the User Information box, and click Browse.

10.
Enter the name of a user to check, and click OK. Click Next to accept the user and computer selection.

Note

In the Group Policy Modeling Wizard, the net effect of the group policies can be modeled for specific users, computers, or entire containers for either object. This enables an administrator to see the effects for individual objects or for objects placed within the containers, making the tool very flexible.

11.
Click Next on the Advanced Simulation Options page. The advanced simulation options enable you to model slow network connections or specific sites.

12.
Click Next to skip the Alternate AD Paths.

13.
The User Security Groups page shows the groups that the user is a member of. You can add additional groups to see the effects of changes. Leave as is and click Next.

14.
Click Next to skip the WMI Filters for Users page.

15.
Click Next to run the simulation.

16.
Click Finish to view the results.

17.
Click the Show link next to Group Policy Objects.

18.
Click the Show link next to Denied GPOs.

Within the console, you can review each particular setting to see whether a setting was applied or the desired setting was overwritten by a higher-level policy. The report shows why specific GPOs were denied. Figure 3 shows that one GPO was denied to the user object “michellea.” The Desktop Lockdown Group Policy Object was denied due to security filtering. This is the GPO , which was applied only to members of the Oakland Help Desk group. The user michellea is not a member of this group and, hence, does not have the GPO applied.

Figure 3. The Group Policy Modeling report.


Other -----------------
- Windows Server 2008 R2 Administration : Managing Users with Local Security and Group Policies (part 1) - Viewing Policies with the Group Policy Management Console & Creating New Group Policies
- Windows Server 2008 R2 Administration : Creating Groups
- Examining Windows Server 2008 R2 Active Directory Groups
- Windows Server 2008 R2 Administration : Configuring Sites (part 2) - Establishing Site Links & Delegating Control at the Site Level
- Windows Server 2008 R2 Administration : Configuring Sites (part 1) - Creating a Site
- Windows Server 2008 R2 Administration : Examining Active Directory Site Administration
- Windows Server 2008 R2 Administration : Defining the Administrative Model
- Migrating to Windows Server 2008 R2 : Lab-Testing Existing Applications
- Migrating to Windows Server 2008 R2 : Verifying Compatibility with Vendors
- Migrating to Windows Server 2008 R2 : Researching Products and Applications
- Migrating to Windows Server 2008 R2 : Preparing for Compatibility Testing
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 5) - Migrating Other Domain Functionality
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 4) - Migrating Computer Accounts
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 3) - Migrating Groups & Migrating User Accounts
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 2)
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Multiple Domain Consolidation Migration (part 1)
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Phased Migration (part 4) - Upgrading Domain and Forest Functional Levels & Moving AD-Integrated DNS Zones to Application Partitions
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Phased Migration (part 3) - Moving Operation Master Roles & Retiring “Phantom” Domain Controllers
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Phased Migration (part 2)
- Migrating from Windows Server 2003/2008 to Windows Server 2008 R2 : Phased Migration (part 1) - Migrating Domain Controllers
 
 
Most view of day
- Automating Windows 7 Installation : Customizing Images Using Deployment Image Servicing and Management (part 1) - Viewing Information about an Image with DISM
- Windows Server 2008 R2 file and print services : Administering Distributed File System Services (part 1) - Configuring and administering DFS Namespaces
- Sharepoint 2013 : New Installation and Configuration - Managed Accounts
- Sharepoint 2013 : Create a Team Site, Create an Enterprise Wiki Site in SharePoint Server, Create a Blog Site
- Microsoft Exchange Server 2013 : Mailbox management - Health mailboxes
- Microsoft OneNote 2010 : Doing Research with Side Notes (part 3) - Moving Side Notes to Your Existing Notes
- Integrating SharePoint 2013 with the Office Applications (part 6) - Microsoft Access
- Microsoft Content Management Server : Implementing Server-Side Validation
- Microsoft Exchange Server 2010 : Working with SMTP Connectors, Sites, and Links (part 2) - Viewing and Managing Active Directory Site Link Details
- Preparing Windows PE : Automating Windows PE, Using Windows PE with BDD
Top 10
- Configuring and Troubleshooting IPv6 in Windows Vista (part 4) - Troubleshooting IPv6 Connectivity
- Configuring and Troubleshooting IPv6 in Windows Vista (part 3) - Configuring IPv6 in Windows Vista Using Netsh , Other IPv6 Configuration Tasks
- Configuring and Troubleshooting IPv6 in Windows Vista (part 2) - Configuring IPv6 in Windows Vista Using the User Interface
- Configuring and Troubleshooting IPv6 in Windows Vista (part 1) - Displaying IPv6 Address Settings
- Deploying IPv6 : IPv6 Enhancements in Windows Vista
- Games and Windows 7 : Games for Windows - LIVE (part 2) - Accessing Games for Windows - LIVE from within Compatible Games
- Games and Windows 7 : Games for Windows - LIVE (part 1) - Using the Games for Windows - LIVE Marketplace
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 3)
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 2) - Working with the REST API in JavaScript
- Sharepoint 2013 : Client-side Programming - Working with the REST API (part 1) - Understanding REST fundamentals
 
 
Windows XP
Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
2015 Camaro