In the course of running your Active Directory network, at some point you'll discover that a GPO file that is giving...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
you a problem. Following the previous tip on troubleshooting GPOs will lead you to the conclusion that the object either is corrupted or is valid. A corrupted GPO must be deleted and re-built. A valid GPO that still results in an unwanted effect on a client must be inspected on a setting-by-setting basis. In this case, the error is human-introduced mis-configuration rather than a programmatical or corruption error.
When tracking down a mis-configured GPO, you need to keep in mind a few rules about GPOs:
- GPOs are applied in the following order: ntconfig.pol (pre Windows-2000 systems only), local GPOs, site GPOs, domain GPOs, then OU GPOs.
- GPOs are cumulative. So, the settings of the last applied GPO will take precedence. The only exception to this is when No Override is enabled on higher-level GPOs.
- GPOs are applied on a setting-by-setting basis. If a GPO does not contain a configuration or change for a specific control, the pre-existing value for that control remains in effect. If a GPO does contain a configuration or change for a specific control, then the pre-existing value for that control is replaced with the current GPO's setting.
Note: A great tool for determining the effect of a policy for a specific control within a GPO is FAZAM from FullArmor. This tool automatically calculates the effective policy as well as displays a graphical representation of the policy structure. This tool works with Windows 2000 and Windows XP (a version will be made available for Windows .NET).
Here are a few rules or guidelines to remember to keep GPO problems to a minimum:
- Try to use a few complex GPOs instead of many simpler GPOs. More individual GPOs means more difficulty in troubleshooting.
- Try not to use the No Override and Block Inheritance options. Use of these options typically indicates a poor AD design.
- Keep in mind that GPOs are only partially applied over slow WAN links (including dial-up). While Registry and Security settings are always applied, Application Deployment, Scripts, Folder Redirection, and Disk Quota controls are not applied by default over slow links.
James Michael Stewart is a researcher and writer for Lanwrights, Inc.