More on troubleshooting Group Policy Objects

James Michael Stewart, Contributor

In the course of running your Active Directory network, at some point you'll discover that a GPO is giving you a problem. Following the previous tip on troubleshooting GPOs will lead you to the conclusion that the object either is corrupted or is valid. A corrupted GPO must be deleted and rebuilt. A valid GPO that still results in an unwanted effect on a client must be inspected on a setting-by-setting basis. In this case, the error is a human-introduced misconfiguration rather than a programmatic or corruption error.

When tracking down a misconfigured GPO, you need to keep in mind a few rules about GPOs:

  • GPOs are applied in the following order: ntconfig.pol (pre-Windows 2000 systems only), local GPOs, site GPOs, domain GPOs, then OU GPOs.
  • GPOs are cumulative. So, the settings of the last applied GPO will take precedence. The only exception to this is when No Override is enabled on higher-level GPOs.
  • GPOs are applied on a setting-by-setting basis. If a GPO does not contain a configuration or change for a specific control, the pre-existing value for that control remains in effect. If a GPO does contain a configuration or change for a specific control, then the pre-existing value for that control is replaced with the current GPO's setting.
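The three rules above, modeled as an added example (not part of the original tip and not any vendor's tool): a small resolver that reports, for each setting, the effective value, the GPO that supplied it, and the GPOs that were overwritten or ignored along the way. The GPO names and setting names are constructed, and the model assumes that when several No Override GPOs conflict, the highest-level one wins.

```python
from dataclasses import dataclass

# Order of application from the tip (ntconfig.pol omitted: pre-Windows 2000 only).
LEVELS = ["local", "site", "domain", "ou"]

@dataclass
class GPO:
    name: str
    level: str
    settings: dict
    no_override: bool = False

def effective_policy(gpos):
    """Resolve settings one by one; return {setting: {value, source, locked, trail}}."""
    result = {}
    # sorted() is stable, so GPOs at the same level keep their listed order.
    for gpo in sorted(gpos, key=lambda g: LEVELS.index(g.level)):
        for key, value in gpo.settings.items():
            cur = result.get(key)
            if cur and cur["locked"]:
                # A higher-level GPO with No Override already owns this setting.
                cur["trail"].append(f"{gpo.name}: ignored (No Override on {cur['source']})")
                continue
            trail = (cur["trail"] if cur else []) + [f"{gpo.name}: set {value!r}"]
            result[key] = {"value": value, "source": gpo.name,
                           "locked": gpo.no_override, "trail": trail}
    return result

# Constructed sample data: hypothetical GPO and setting names.
SAMPLE = [
    GPO("OU-Engineering", "ou", {"MinPasswordLength": 6, "HideControlPanel": False}),
    GPO("Domain-Baseline", "domain",
        {"MinPasswordLength": 8, "Wallpaper": "corp.bmp"}, no_override=True),
    GPO("Site-Standard", "site", {"HideControlPanel": True}),
    GPO("Local", "local", {"Wallpaper": "default.bmp", "ScreenSaverTimeout": 600}),
]

if __name__ == "__main__":
    for setting, info in sorted(effective_policy(SAMPLE).items()):
        print(f"{setting} = {info['value']!r} (from {info['source']})")
        for step in info["trail"]:
            print(f"    {step}")
```

The per-setting trail is the part that helps when troubleshooting: it shows which GPO last wrote a value and which later GPOs tried to change it but were stopped by No Override.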

Note: A great tool for determining the effect of a policy for a specific control within a GPO is FAZAM from FullArmor. This tool automatically calculates the effective policy as well as displays a graphical representation of the policy structure. This tool works with Windows 2000 and Windows XP (a version will be made available for Windows .NET).

Here are a few rules or guidelines to remember to keep GPO problems to a minimum:

  • Try to use a few complex GPOs instead of many simpler GPOs. More individual GPOs means more difficulty in troubleshooting.
  • Try not to use the No Override and Block Inheritance options. Use of these options typically indicates a poor AD design.
  • Keep in mind that GPOs are only partially applied over slow WAN links (including dial-up). While Registry and Security settings are always applied, Application Deployment, Scripts, Folder Redirection, and Disk Quota controls are not applied by default over slow links.

James Michael Stewart is a researcher and writer for Lanwrights, Inc.

This was first published in June 2002
