Verify group policies with tools from the Windows 2000 Resource Kit

When you have a large number of group policies and some of them conflict, you need a way to sort them out. Brien Posey shows you two tools that can help you regain control over group policy problems.

In Windows 2000, it can sometimes be difficult to keep track of which group policies are in effect for a particular user or computer. When you have dozens of group policies, some of which can counteract and conflict with each other, you need a way to determine what the effective group policy is and which group policy affects what user. The Windows 2000 Resource Kit contains a couple of tools that can help you see exactly how the group policies are affecting the user, making it easier to solve group policy problems. In this Daily Drill Down, I’ll introduce you to the Group Policy Results tool and the Group Policy Verification tool and demonstrate how to use them.

Why the complexity?
Group policies aren’t stand-alone entities. They are made up of a collection of group policy objects (GPOs). Each GPO has the potential to contain hundreds of settings. As you combine the GPOs you create, you develop a group policy that affects your users.

While this may sound simple, most GPOs overlap each other, and there are rules that govern which settings apply when contradictory settings overlap. What further complicates group policies is that some GPOs are directed at the user, some are directed at the computer, and still others are directed at both. Remember that even though you create a user-based GPO, it doesn’t affect every user in the Active Directory tree. You must explicitly associate the GPO with the user for the user to be affected. When you have more than just a couple of GPOs, it can be a real trick to sort them out and figure out which ones apply to which users and computers, as well as what the final outcome of the collective group policy will be. However, the Group Policy Verification tool and the Group Policy Results tool—both parts of the Windows 2000 Server Resource Kit—can help simplify such tasks.

What is the Windows 2000 Server Resource Kit?
Designed to help network administrators support Windows 2000, the Windows 2000 Server Resource Kit is a rather large collection of books and tools. The kit sells for about $300 and is available from most major bookstores or online from Microsoft Press. If a copy of the Resource Kit isn’t in your budget, you can download most of the kit's tools for free. You can download the Group Policy Verification tool and the Group Policy Results tool that I’ll be using in this article from Microsoft’s Windows 2000 Resource Kit Web page.

Group Policy Results tool
The Group Policy Results tool displays information about the results of the group policies that have been applied to a logged-in user, the computer, or both. The tool is extremely easy to use and, in fact, can be run without any parameters whatsoever.

The tool starts by displaying information such as the OS, the build number, and the mode in which the Terminal Services are running. Next, the tool displays user information such as the login name, Active Directory (AD) location, site name, security privileges, and group memberships. After that, the tool displays some computer-specific information such as the computer’s name, AD location, the domain and type, and the site to which the computer belongs.

Finally, the tool displays a lot of information about the group policy, such as the last time that the policy was applied and the domain controller that applied it. You may also receive information regarding various registry settings, redirected folders, disk quotas, IPSec settings, and information regarding scripts. You can read a sample output here.

This tool is extremely helpful in that it tells you exactly which group policy objects apply to different areas. For example, if you were having trouble with IPSec not working correctly, you could look at the sample output and see that in this particular case, IP security is being regulated by the Default Domain Policy. You could then investigate the Default Domain Policy to make sure you’ve configured it correctly.

There are several options you can use with this tool. Following the GPRESULT command with the /V switch runs the utility in Verbose mode. The /S switch runs the utility in Super Verbose mode. The /C switch tells the utility to display only computer-related information, while the /U switch tells the utility to display only user-related information.

The output from Super Verbose mode would be too long to include in this Daily Drill Down, but here you can see an excerpt from the Verbose mode output showing only the group policy-related information, which includes a lot of detail.

The Group Policy Verification tool
The other tool to look at how group policies have been applied is the Group Policy Verification tool. This tool allows administrators to check GPO integrity and monitor group policy replication. It reads and compares GPOs on each domain controller within the domain, and by doing so, can tell you if the latest group policy changes have been replicated to the other domain controllers.

This tool can also display detailed information about individual GPOs. In fact, you can even get information, such as functionality versions and extension GUIDs, that you can’t view through the group policy snap-in. This tool can even browse a particular domain controller, search for specified information, and check group policies in another domain.

To view basic information about the group policies within your domain, simply enter the GPOTOOL command from within a command-prompt window. Then, you’ll see a report, such as this one.

As you can see in the report above, the first policy the tool examined generated an error. If this happens to you, you can usually view more information on the error by entering the GPOTOOL command followed by the /VERBOSE switch. In fact, there are several different switches that you can use with this tool, as well, including:
  • /GPO:GPO[,GPO…]—This switch allows you to specify a preferred policy, a partial GUID, or a friendly name. If you don’t use this switch, the tool will process all of the policies in the domain.
  • /DOMAIN:name—This switch allows you to specify the DNS name for the domain hosting the group policies you want to look at. If you don’t specify a domain name, the tool assumes you want to look at the current domain.
  • /DC:DC[,DC…]—This switch allows you to tell the tool which domain controllers you want to look at. If you don’t specify any domain controllers, the tool will look at all of the domain controllers within the specified or current domain.
  • /CHECKACL—This switch tells the tool to check the Access Control List on the SYSVOL. By default, the tool skips this step so it can complete tasks faster.
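The replication check described above (comparing each GPO's version on every domain controller, and the directory copy against the SYSVOL copy) can be reproduced over a saved report. The script below is an added example, not code from the article or from the Resource Kit; the report text is constructed for illustration and its line layout is an assumption, not a verbatim GPOTOOL capture.

```python
"""Flag group policy replication problems in a GPOTOOL-style report."""
import re

# Constructed sample report (layout assumed, loosely modelled on GPOTOOL /VERBOSE).
# The two GUIDs are the well-known Default Domain / Default Domain Controllers
# policies; the DC names are made up.
SAMPLE_REPORT = """\
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
DC: dc1.example.local
Friendly name: Default Domain Policy
DS version: 3(user) 7(machine)
Sysvol version: 3(user) 7(machine)
DC: dc2.example.local
Friendly name: Default Domain Policy
DS version: 3(user) 6(machine)
Sysvol version: 3(user) 6(machine)
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
DC: dc1.example.local
Friendly name: Default Domain Controllers Policy
DS version: 1(user) 2(machine)
Sysvol version: 1(user) 1(machine)
"""

VERSION_RE = re.compile(r"(\d+)\(user\)\s+(\d+)\(machine\)")


def parse_report(text):
    """Return {gpo_guid: {dc_name: {"name": str, "ds": (u, m), "sysvol": (u, m)}}}."""
    policies, gpo, dc = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Policy "):
            gpo = line.split(" ", 1)[1]
            policies[gpo] = {}
        elif line.startswith("DC: "):
            dc = line[4:]
            policies[gpo][dc] = {}
        elif line.startswith("Friendly name: "):
            policies[gpo][dc]["name"] = line[len("Friendly name: "):]
        elif line.startswith(("DS version: ", "Sysvol version: ")):
            key = "ds" if line.startswith("DS") else "sysvol"
            policies[gpo][dc][key] = tuple(map(int, VERSION_RE.search(line).groups()))
    return policies


def find_problems(policies):
    """List (gpo, dc, reason) for DS/SYSVOL mismatches and DC-to-DC version drift."""
    problems = []
    for gpo, dcs in policies.items():
        for dc, info in dcs.items():
            if info["ds"] != info["sysvol"]:  # directory and SYSVOL copies disagree
                problems.append((gpo, dc, "DS/SYSVOL version mismatch"))
        if len({info["ds"] for info in dcs.values()}) > 1:  # not yet replicated
            problems.append((gpo, "*", "version differs between DCs"))
    return problems
```

Run `find_problems(parse_report(SAMPLE_REPORT))` to get one drift entry for the Default Domain Policy and one mismatch entry for the Default Domain Controllers Policy on dc1.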

Conclusion
When you start using group policies on your network, you may quickly find out that you’re inadvertently creating policies that conflict with each other. The outcomes of applying group policies may not be what you expected or intended. In such a case, you need to track the results of your applied group policies. Although it can be tough to figure out which GPOs form a user’s individual group policy, the Windows 2000 Server Resource Kit contains tools that make the job easier. Both the Group Policy Results tool and the Group Policy Verification tool can help you gain control over group policies deployed on your network.