4. Troubleshooting Group Policy Applications
When policies are used throughout an
organization, sometimes the policy settings do not apply to a user or
computer as originally intended. To begin basic troubleshooting of
Group Policy application issues, you need to understand the policy
application hierarchy. First, any local server or workstation policies
are applied to the user or computer, followed by site group policies,
domain group policies, and, finally, the organizational unit group
policies. If nested OUs have group policies, the parent OU policies are
processed first, followed by the child OUs, and, finally, the OU
containing the Active Directory object (user or computer). You might
find it easier to remember LSD-OU—the acronym for local, site, domain,
and then OU.
Now that you know the order in which policies
are applied, you can proceed to use the Group Policy testing and
troubleshooting tools provided with Windows Server 2012, namely the
Group Policy Modeling tool in the Group Policy Management Console and
the GPResult.exe utility, which is the command-line
version of the Resultant Set of Policy (RSoP) snap-in.
The Group Policy Modeling Tool
The Group Policy Modeling snap-in can be used
to simulate the policy settings for a user who logs on to a server or
workstation after all the respective policies have been applied. This
tool is good for identifying which policies are being applied and what
the effective setting is based on the defined simulation.
To simulate the policies for a user, use the Group Policy Modeling snap-in as follows:
1. Launch Server Manager on a machine that has the GPMC feature installed.
2. Expand the Tools menu and run Group Policy Management Console.
3. Expand the Forest folder.
4. Select the Group Policy Modeling folder.
5. Select Action, Group Policy Modeling Wizard to launch the wizard.
6. Click Next.
7. Leave the default domain controller selection, which chooses any available domain controller. Click Next.
8. Select the User option button in the User Information box, and click Browse.
9. Enter the name of a user to check, and click OK. Click Next to accept the user and computer selection.
Note
In the Group Policy Modeling Wizard, the net
effect of the group policies can be modeled for specific users,
computers, or entire containers for either object. This enables an
administrator to see the effects for individual objects or for objects
placed within the containers, making the tool very flexible.
10. Click Next on the
Advanced Simulation Options page. The advanced simulation options
enable you to model slow network connections, loopback processing mode,
or specific sites.
11. Click Next to skip the Alternate AD Paths page.
12. The User Security
Groups page shows the groups that the user is a member of. You can add
additional groups to see the effects of changes. Leave as is and click
Next.
13. Click Next to skip the WMI Filters for Users page.
14. Click Next to run the simulation.
15. Click Finish to view the results.
16. Select the Details tab and, if needed, use the Show link next to Group Policy Objects and next to Denied GPOs.
Within the console, you can review each
particular setting to see whether a setting was applied or the desired
setting was overwritten by a higher-level policy. The report shows why
specific GPOs were denied. Figure 3
shows that two GPOs were denied to the user object tsmith. The Default
Domain Policy GPO was denied because it is empty (of user settings) and
the Remote Control Executives GPO was denied because of security
filtering. The user tsmith is not a
member of the group that the GPO is filtered to and, hence, does not have the GPO applied.
Figure 3. The Group Policy Modeling report.
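The following is an added example, not part of the original text or of any Microsoft tool: a small Python model of the LSD-OU processing order and of the two denial reasons discussed in the report above. It assumes a simplified engine (no enforced links, block inheritance, link order, WMI filters or loopback); apart from tsmith, Default Domain Policy and Remote Control Executives, every GPO name, group name and setting is hypothetical.

```python
from dataclasses import dataclass, field

# Processing order from the text: local, site, domain, then OU (LSD-OU).
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class GPO:
    name: str
    level: str                 # "local", "site", "domain" or "ou"
    ou_depth: int = 0          # 0 = parent OU; larger = closer to the object
    user_settings: dict = field(default_factory=dict)
    security_filter: frozenset = frozenset({"Authenticated Users"})

def model_user_policy(gpos, user_groups):
    """Return (effective settings, winning GPO per setting, denied GPOs)."""
    groups = set(user_groups) | {"Authenticated Users"}
    effective, winner, denied = {}, {}, {}
    # Assumption: GPOs at the same level keep their list order (stable sort).
    for gpo in sorted(gpos, key=lambda g: (LEVEL_ORDER[g.level], g.ou_depth)):
        if not groups & gpo.security_filter:
            denied[gpo.name] = "security filtering"
        elif not gpo.user_settings:
            denied[gpo.name] = "empty (no user settings)"
        else:
            for key, value in gpo.user_settings.items():
                effective[key] = value      # later GPO overwrites earlier one
                winner[key] = gpo.name
    return effective, winner, denied

# Constructed sample data, deliberately listed out of processing order.
# "Executives", "Sales" and the settings are hypothetical.
SAMPLE_GPOS = [
    GPO("Sales OU Policy", "ou", 1, {"ScreenSaverTimeout": 300}),
    GPO("Default Domain Policy", "domain"),
    GPO("Remote Control Executives", "domain",
        user_settings={"RemoteControl": "Enabled"},
        security_filter=frozenset({"Executives"})),
    GPO("Corp Desktop Policy", "domain",
        user_settings={"ScreenSaverTimeout": 900, "Wallpaper": "corp.bmp"}),
    GPO("Local Policy", "local", user_settings={"ScreenSaverTimeout": 0}),
]
TSMITH_GROUPS = {"Domain Users", "Sales"}

if __name__ == "__main__":
    effective, winner, denied = model_user_policy(SAMPLE_GPOS, TSMITH_GROUPS)
    for key, value in effective.items():
        print(f"{key} = {value}  (winning GPO: {winner[key]})")
    for name, reason in denied.items():
        print(f"DENIED {name}: {reason}")
```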