Follow this blog:: RSS; Email Alert

Data Center

Identify network settings applied via Group Policy

April 6, 2010, 12:06 PM PDT

Takeaway: When network settings keep returning without explanation, Group Policy may be overwriting your locally applied settings. Rick Vanover shows you how to track these down.

If you use Twitter to follow various technical topics, you can frequently find that people may use it as a tech support forum. This has to drive tech companies mad as no formal support process starts with a Tweet, yet the Twitter user community can pipe up with feedback to the situation. This is why many people use Twitter for this very purpose. Recently, I found that a colleague of mine on Twitter was having network settings applied via Group Policy. I and fellow blogger Andrew Storrs quickly determined that we were dealing with a Group Policy overwriting the explicit local configuration.

For network settings in Windows, there are a number of settings that can be applied. Some of these settings are not done locally, but centrally through Group Policy. The tell-tale sign if Group Policy is overriding a local setting is — after a few hours, days, or a reboot — the configuration is removed. The answer is to run a Resultant Set of Policy analysis on the local system. To do this, open a management console on a Windows Server (or client) by running MMC. Then click the Add/Remove Snap-In from the File Menu. Figure A shows this Snap-In being added:

Figure A

Click image to enlarge.

Right-click on the Resultant Set Of Policy link in the console, then answer a few questions such as on which computer (presumably the local system) and user to run the policy analysis. This will run a local scan to see what configurations are applied to the server. This will include network as well as non-network settings.

Interpreting the results can be a little confusing, but in regards to network settings, there are a few primary locations for settings applied via Group Policy. Figure B shows one server’s report:

Figure B

Click image to enlarge.

Areas that are frequently associated with network settings are highlighted in red. This can include Windows Firewall settings, if applied. In Figure B, there is a Windows Firewall setting applied to disable the domain profile. Frequently, Windows servers start with a default setting which may have included a “by hand” setting to disable one of the other profiles of Windows Firewall.

Get IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free newsletters.

About Rick Vanover

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio.

Common virtualization gotchas when joining an external network

802.11: Time to clear up some antenna misconceptions

Comments

Add Your Opinion

Join the conversation!

Follow via:: RSS; Email Alert

See All Comments

Staff Picks
Top Rated
Most Recent
My Contacts

No messages found

0 Votes

+ -

try "gpresult" command-line

david.hunt@... 14th Apr 2010

MS Provides a command-line tool that displays RSOP.

I find it quite handy and it can easily be combined with a tool line "egrep.exe" (Open Source) to filter the output for script based policy status testing purposes.

It can be run for a remote PC or a different user to that which is logged in. See the Windows "Command-line" help for the switches.

View in thread

0 Votes

+ -

Not quite true!

bulk@... 9th Apr 2010

"If a user logs in locally to the machine, local policy applies. If on the domain, domain policy applies."

This is an over-simplfication.

If the machine that local user logs on to is a member of a domain, any GPO's linked to a site, domain or OU that contain that machine's account will be applied at startup and periodically thereafter.

Local policy is ALWAYS applied. It's just that any settings applied may be overidden later. The whole sequence is:

Machine policies are applied at machine logon (startup);
User policies are applied at user logon;

In both cases, the sequence is;
L = Local
S = Site
D = Domain
OU = Org Unit

Richard

View in thread

0 Votes

+ -

order of precedence in Group Policy

CG IT 7th Apr 2010

and that is probably what's happening when a local machine policy works and a domain policy does not. If a user logs in locally to the machine, local policy applies. If on the domain, domain policy applies.

Conflicts between policies are handled by highest priority applies [each policy has a priority eg a number in processing].

View in thread

Once logged in, adding contacts is simple. Just mouse over any member's photo or click any member's name then click the "Follow" button. You can easily manage your contacts within your account contacts page.

See all comments