In the course of running your Active Directory network, at some point you'll discover a GPO that is giving you a problem. Following the previous tip on troubleshooting GPOs will lead you to the conclusion that the object is either corrupted or valid. A corrupted GPO must be deleted and rebuilt. A valid GPO that still produces an unwanted effect on a client must be inspected on a setting-by-setting basis; in this case the error is human-introduced misconfiguration rather than a programmatic or corruption error.
When tracking down a mis-configured GPO, you need to keep in mind a few rules about GPOs:
- GPOs are applied in the following order: ntconfig.pol (pre-Windows 2000 systems only), local GPOs, site GPOs, domain GPOs, then OU GPOs.
- GPOs are cumulative, so the settings of the last applied GPO take precedence. The only exception is when No Override is enabled on a higher-level GPO.
- GPOs are applied on a setting-by-setting basis. If a GPO does not contain a configuration or change for a specific control, the pre-existing value for that control remains in effect. If a GPO does contain a configuration or change for a specific control, then the pre-existing value for that control is replaced with the current GPO's setting.
Note: A great tool for determining the effect of a policy for a specific control within a GPO is FAZAM from FullArmor. This tool automatically calculates the effective policy as well as displays a graphical representation of the policy structure. This tool works with Windows 2000 and Windows XP (a version will be made available for Windows .NET).
Here are a few rules or guidelines to remember to keep GPO problems to a minimum:
- Try to use a few complex GPOs instead of many simpler GPOs. More individual GPOs means more difficulty in troubleshooting.
- Try not to use the No Override and Block Inheritance options. Use of these options typically indicates a poor AD design.
- Keep in mind that GPOs are only partially applied over slow WAN links (including dial-up). While Registry and Security settings are always applied, Application Deployment, Scripts, Folder Redirection, and Disk Quota controls are not applied by default over slow links.
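The three rules above (LSDOU order, cumulative application, setting-by-setting replacement) and the No Override and Block Inheritance options from the guidelines combine into a precedence model that is easy to get wrong by hand. The following is an added example, not code from the article or from any Microsoft tool: a small Python simulation of that model over a constructed GPO hierarchy, so you can see which GPO wins each control. The `GPO` class, `effective_policy` function and sample names are assumptions for illustration.

```python
from dataclasses import dataclass

# Processing order from the article: local, site, domain, then OUs (parent before child).
LEVEL_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

@dataclass
class GPO:
    name: str
    level: str                 # "local", "site", "domain" or "ou"
    settings: dict             # control -> value; controls not listed are "not configured"
    no_override: bool = False  # No Override flag (called "Enforced" in later tooling)
    depth: int = 0             # OU nesting: parent OU = 0, child OU = 1, ...

def effective_policy(gpos, block_inheritance=False):
    """Return (effective settings, winning GPO per setting) for one client.

    Simplified model assumed for this example: ordinary GPOs apply in LSDOU order and
    each one replaces only the controls it configures; No Override GPOs apply after all
    ordinary ones (higher level last, so it wins); Block Inheritance on the client's OU
    drops ordinary GPOs inherited from above it but never the local or No Override GPOs.
    """
    ordinary = [g for g in gpos if not g.no_override]
    enforced = [g for g in gpos if g.no_override]
    if block_inheritance:
        deepest = max((g.depth for g in gpos if g.level == "ou"), default=0)
        ordinary = [g for g in ordinary
                    if g.level == "local" or (g.level == "ou" and g.depth == deepest)]
    ordinary.sort(key=lambda g: (LEVEL_ORDER[g.level], g.depth))
    enforced.sort(key=lambda g: (LEVEL_ORDER[g.level], g.depth), reverse=True)
    effective, winner = {}, {}
    for g in ordinary + enforced:          # later GPO overwrites, setting by setting
        for control, value in g.settings.items():
            effective[control] = value
            winner[control] = g.name
    return effective, winner

# Constructed sample hierarchy (not from any real domain).
SAMPLE = [
    GPO("Local", "local", {"ScreenSaverTimeout": 600}),
    GPO("Site-HQ", "site", {"ScreenSaverTimeout": 900, "WallpaperLock": True}, no_override=True),
    GPO("Domain-Default", "domain", {"ScreenSaverTimeout": 1200, "RemoveRunMenu": False}),
    GPO("OU-Sales", "ou", {"RemoveRunMenu": True}, depth=0),
    GPO("OU-Sales-Laptops", "ou", {"ScreenSaverTimeout": 300}, depth=1),
]

if __name__ == "__main__":
    settings, winners = effective_policy(SAMPLE)
    for control in sorted(settings):
        print(f"{control:18} = {settings[control]!s:5} (from {winners[control]})")
```

Run as-is, the site-level No Override GPO wins ScreenSaverTimeout even though the laptop OU set it last; remove the No Override flag and the OU GPO wins, which is exactly the kind of surprise the guideline against No Override is warning about.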
James Michael Stewart is a researcher and writer for Lanwrights, Inc.