2. Troubleshooting Group Policies
Group Policy administration also requires the ability to report and troubleshoot Group Policy processing.
Managing Group Policy Logging and Tracing
When group policies are not processing as intended, it may become necessary to enable logging to decipher where the issues are occurring. Before logging and tracing defaults are changed, it is important to note that logging for warnings and errors is enabled by default for all extensions. Changing logging and tracing behavior should be done only if the information stored in the event logs on the affected system is not sufficient for determining the cause of the GPO processing issues.
To troubleshoot GPP Drive Maps, for example, you can change the default logging settings for that individual extension. To do so, you must first enable logging and the user/computer trace settings within a GPO, and then apply the GPO to the affected system by linking it to the appropriate OU.
To enable logging and tracing on the GPP Drive Maps extension, follow these steps:
1. Create a new GPO named GPOLogSettings using the GPMC.
2. Open the GPO for editing and drill down to Computer Configuration\Administrative Templates\System\Group Policy\Logging and tracing and select it.
3. On the Settings page, double-click the Configure Drive Maps Preference Logging and Tracing setting to open it for editing.
4. Read the entire explanation in the Help section, select the Enabled radio button, pull down the Tracing menu, and select On, as shown in Figure 1.
Figure 1. Enabling GPO Preference Drive Maps Logging and Tracing
5. In the User Trace Form field, note the path to the trace file and click OK to save the settings to the new GPO.
6. Back in the GPMC, link the new GPO to the appropriate OU containing the affected system.
7. Now you can force a Group Policy refresh on the OU within the GPMC by right-clicking the OU and selecting Group Policy Update and then clicking Yes in the confirmation window.
The Remote Group Policy Update results window will show the results of the remote update, and if successful, the new log setting GPO has been applied.
8. Because this example uses the user-based preference extension Drive Maps, the user must log off and log on again to refresh the user-based GPO processing. You can then review the trace file located at %COMMONAPPDATA%\GroupPolicy\Preference\Trace\User.log; on Windows Vista and later, %COMMONAPPDATA% translates to %systemdrive%\ProgramData, or C:\ProgramData.
One important point to note is that if the GPO is not getting applied at all, there will be no trace file. So, the Group Policy administrator must ensure that the policy is linked correctly and that the security filtering is applied to the GPO correctly. This is where Group Policy Modeling can be used.
Group Policy Results
Now if the Group Policy administrator is sure the GPO is linked and is configured correctly, the actual processing can be checked on the affected system and for the affected user using GPO Resultant Set of Policies (RSoP). In Windows 8 and Windows Server 2012, the GPMC includes new reporting capabilities that will assist Group Policy administrators tremendously. To run the Group Policy results tool, follow these steps:
1. Open the GPMC on an administrative system.
2. Expand the forest and select the Group Policy Results container.
3. Right-click the container and select Group Policy Results Wizard. Click Next on the Welcome page.
4. On the Computer Selection page, select the This Computer radio button or the Another Computer radio button and browse or type in the system name, and then click Next.
5. In the User Selection window, choose to load the policy processing for the existing user or any other listed user who has previously logged on to the system, and then click Next.
6. On the Summary of Selections, review the selections, and then click Next to run the tool.
7. When the wizard completes, click Finish to return to the GPMC window, where the collected data will be presented.
8. In the resulting GPMC window, the Group Policy administrator can use the Summary, Details, and Policy Events tabs to review the GPO processing data, as shown in Figure 2.
Figure 2. Review Group Policy results data.
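The linking, refresh, trace file check and Group Policy Results steps from both procedures above can also be scripted with the GroupPolicy and ActiveDirectory PowerShell modules. The following is an added example, not part of the original text: the OU, computer and user names are placeholders, access to the C$ administrative share and the RSoP XML element names (FilterAllowed, AccessDenied) are assumptions, and the tracing setting itself (steps 2 to 5) is still configured in the editor.

```powershell
# Added example (not from the original text). OU, computer and user are placeholders.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'GPOLogSettings'                      # GPO name from step 1
$TargetOU = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$Computer = 'WS01'                                # placeholder affected system
$User     = 'EXAMPLE\jdoe'                        # placeholder affected user

function Publish-TraceGpo {
    # Steps 1 and 6: create the GPO if it is missing and link it once to the OU.
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName -Comment 'Temporary GPP Drive Maps tracing' | Out-Null
    }
    $linked = (Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName
    if ($linked -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
}

function Update-OuPolicy {
    # Step 7: remote refresh of every computer account in the OU, without the random delay.
    Get-ADComputer -SearchBase $TargetOU -Filter * | ForEach-Object {
        Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0
    }
}

function Test-TraceResult {
    # Step 8: after the user has logged off and on, look for the trace file.
    # Assumes the default trace path, a C: system drive and access to the C$ share.
    $trace = "\\$Computer\C`$\ProgramData\GroupPolicy\Preference\Trace\User.log"
    $traceFound = Test-Path -Path $trace
    # Group Policy Results for the same computer and user, saved as XML.
    $report = Join-Path $env:TEMP "rsop-$Computer.xml"
    Get-GPResultantSetOfPolicy -Computer $Computer -User $User -ReportType Xml -Path $report | Out-Null
    [xml]$rsop = Get-Content -Path $report -Raw
    # Element names below are assumed from the RSoP XML report layout.
    $xpath = "//*[local-name()='GPO'][*[local-name()='Name']='$GpoName']"
    $gpos = @(Select-Xml -Xml $rsop -XPath $xpath | ForEach-Object {
        [pscustomobject]@{
            Scope         = $_.Node.ParentNode.LocalName   # ComputerResults or UserResults
            FilterAllowed = $_.Node.FilterAllowed
            AccessDenied  = $_.Node.AccessDenied
        }
    })
    if (-not $traceFound -and $gpos.Count -eq 0) {
        Write-Warning "$GpoName is absent from the results: check the link and security filtering."
    }
    [pscustomobject]@{ TraceFile = $trace; TraceFound = $traceFound; GpoInResults = $gpos }
}
```

Run Publish-TraceGpo, enable the Drive Maps tracing setting in the editor, run Update-OuPolicy, and call Test-TraceResult once the user has logged on again. Unlink or delete the logging GPO when troubleshooting is finished so that tracing does not stay enabled.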