Professional Documents
Culture Documents
We have seen lots of departments in any company, Group policy can be used with their best in such an environment. OUs provide us so much of control that we can apply GPO to each department by creating a new OU for each department. GPO configured on domain level will be applied to each object on that domain, like users, computer, groups, OUs and so on. GPO applied on site will make troubleshooting difficult.
Block Policy Inheritance By default, GPO applied on parent object is inherited by the child object. For example, if we apply any GPO on domain level, it will be inherited by all OUs within the domain. GPO applied on a parent OU will be inherited by the child OU within that OU. Block policy inheritance will block all polices to be inherited to child from parent. Once child select this checkbox, all policy applied on parent will be not inherited to the child.
If we select the check box "Block Policy Inheritance" on Marketing OU, then policies applied from Sales OU will not be inherited to Marketing and Advertising OU.
No-Override If all child select this check-box, then it will block all the GPO applied from parent to child. In this way, each client will start using this feature. As we know, parent object have full control on all its child objects. So, parent can
use No Override feature, where if child have blocked the inheritance, even then GPO will be applied to the child objects.
In this scenario, if Marketing OU has block inheritance, but Sales OU has marked the "Allow override" check box, then GPO will be forcibly applied to all child OUs.
that domain does not host the user's account, the domain controller that processes the user's logon request denies that request, and the user cannot log on. There are many applications which require access to the Global Catalog. Always take into consideration the following guidelines which placing Global Catalog in sites: Provide enough WAN bandwidth Provide redundant Global Catalog Servers. Global Catalog server must have enough disk space. Ensure that Global Catalog server respond to authentication request immediately. Make all domain controllers Global Catalog if forest consists of only one domain.
This trust is manually created by the administrator between a Windows 2003 domain and a non-Windows Kerberos 5 realm.
functionality is not necessary when operating in Windows 2000 or Windows Server 2003 native mode. This role is domain specific. This role also synchronizes time between all Windows 2000/2003based computers. W32Time service is used by Kerberos for authentication. Microsoft recommends at least one PDC Emulator role per Active Directory domain. This role is heavily used in any environment, and so you must make sure that domain controller holding this role has sufficient hardware to perform its role smoothly. The PDC emulator holds the following roles: This role processes the account lockout policies. It performs all the functionalities of Windows NT 4.0 PDC. PDC Emulator gets authentication information when any user enters incorrect passwords.
4. Relative Identifier (RID) Master Role This is also a domain specific role. This role is responsible for generating GUID (Global Unique Identifier). GUID= Domain ID + Object ID Each domain has their unique ID which makes any new object created in any domain a unique Object. Every domain must have at least one RID role. If RID role is not working, we won't be able to create any object, like user or computer accounts and so on. Note: Microsoft recommends PDC Emulator role and RID Master role to be on the same domain controller. 5. Infrastructure Role This role is domain-specific and is used only in complex network which consists of multiple domains. This role keeps cross-domain references when we move any object between domains or OUs. If we have only domain in our environment, then this role is not used at all. Note: The Infrastructure Master role cannot be held on domain controller that is a Global Catalog.
FSMO roles can be seized or transferred depending upon the scenario. Perform seize operation only when the current operation master will never be available again. Before forcing the transfer, first determine the cause and the expected duration of the domain controller or network failure. Do not seize the operation master role if you can transfer it instead. To transfer or seize master roles, ntdsutil command can be used.
A. Group Policies can be applied at multiple levels (Sites, domains, organizational Units) and multiple GP's for each level. Obviously it may be that some policy settings conflict hence the application order of Site - Domain - Organization Unit and within each layer you set order for all defined policies but you may want to force some polices to never be overridden (No Override) and you may want some containers to not inherit settings from a parent container (Block Inheritance). A good definition of each is as follows: No Override - This prevents child containers from overriding policies set at higher levels Block Inheritance - Stops containers inheriting policies from parent containers No Override takes precedence over Block Inheritance so if a child container has Block Inheritance set but on the parent a group policy has No Override set then it will get applied. Also the highest No Override takes precedence over lower No Override's set. To block inheritance perform the following: 1.Start the Active Directory Users and Computer snap-in (Start - Programs Administrative Tools - Active Directory Users and Computers) 2.Right click on the container you wish to stop inheriting settings from its parent and select Properties 3.Select the 'Group Policy' tab 4.Check the 'Block Policy inheritance' option Click here to view image 5.Click Apply then OK To set a policy to never be overridden perform the following: 1.Start the Active Directory Users and Computer snap-in (Start - Programs Administrative Tools - Active Directory Users and Computers)
2.Right click on the container you wish to set a Group Policy to not be overridden and select Properties 3.Select the 'Group Policy' tab 4.Click Options 5.Check the 'No Override' option A. Group Policies can be applied at multiple levels (Sites, domains, organizational Units) and multiple GP's for each level. Obviously it may be that some policy settings conflict hence the application order of Site - Domain - Organization Unit and within each layer you set order for all defined policies but you may want to force some polices to never be overridden (No Override) and you may want some containers to not inherit settings from a parent container (Block Inheritance). A good definition of each is as follows: No Override - This prevents child containers from overriding policies set at higher levels Block Inheritance - Stops containers inheriting policies from parent containers No Override takes precedence over Block Inheritance so if a child container has Block Inheritance set but on the parent a group policy has No Override set then it will get applied. Also the highest No Override takes precedence over lower No Override's set. To block inheritance perform the following: 1.Start the Active Directory Users and Computer snap-in (Start - Programs Administrative Tools - Active Directory Users and Computers) 2.Right click on the container you wish to stop inheriting settings from its parent and select Properties 3.Select the 'Group Policy' tab 4.Check the 'Block Policy inheritance' option Click here to view image 5.Click Apply then OK To set a policy to never be overridden perform the following: 1.Start the Active Directory Users and Computer snap-in (Start - Programs Administrative Tools - Active Directory Users and Computers)
2.Right click on the container you wish to set a Group Policy to not be overridden and select Properties 3.Select the 'Group Policy' tab 4.Click Options 5.Check the 'No Override' option 6.Click OK 7.Click Apply then OK Troubleshooting Group Policy Infrastructure As mentioned previously, the underlying operating system and network connectivity can influence whether Group Policy settings are applied to users and computers. The system components within the underlying operating system that should be examined when Group Policy fails are: The DNS service should be running and configured correctly on the domain controller(s) within the Active Directory environment. If DNS is not running and is not configured correctly, the Active Directory clients are unable to find domain controllers and ultimately access any GPOs. DNS also plays a role in Group Policys folder redirection feature. A client needs DNS to locate the redirected system folders network location. For a user or computer to fall within a GPOs scope, he/she has to be a member of the site, domain, or OU that the particular GPO is linked to. To access Group Policy templates, clients require access to the SYSVOL share located on the domain controllers. Ensure that clients have the correct permission to access the SYSVOL share. Problems with replication can also result in clients experiencing problems accessing Group Policy templates. Ensure that Active Directory and file system replication are occurring as they should. The tools that users can use to assist with troubleshooting the underlying operating system components that Group Policy depends on are: Replmon, which can verify Active Directory and file system replication. Group Policy Management Console (GPMC) assists with troubleshooting GPO behavior. Users can use the GPMC to determine which GPOs are enabled and being processed, and the manner in which GPOs are linked to sites, domains, and OUs.
Because processing GPOs rely on network connectivity between the client workstation and the domain controller(s) that are members of the sites or domains within Active Directory, network connectivity loss can result in no Group Policy settings being processed. A few issues that should be addressed when network connectivity problems are being experienced are: Verify that the TCP/IP protocol is installed and running within ones environment. For GPOs to be processed, the TCP/IP protocol must be running. GPOs are also dependent on the Internet Control Message Protocol (ICMP) for slow network link detection. The firewall configuration within ones environment determines whether ICMP packets should be enabled between the domain controllers and network clients. Verify that the time and date on the network client is in sync with the time and date of the domain controllers and the remainder of the network clients. The Windows Time Service is normally used to ensure that the time and date of clients and domain controllers are synchronized. If a clients clock is not synchronized, authentication problems occur and the client may not be able to access any GPOs. The tools listed below can be used to verify network connectivity between network clients and Active Directory domain controllers: Netstat utility Ping utility Using Resultant Set of Policy (RSOP) to Troubleshoot Group Policy The Resultant Set Of Policy Wizard and the Gpresult command-line utility can be used to create RSoP queries that determine the RSoPs for any users and computers that are defined in the RSoP query. The Resultant Set Of Policy feature is new in Windows Server 2003 and can assist in greatly reducing the quantity of time spent on troubleshooting GPOs. Through RSoP, users can query the existing policies that they linked to a site, domain, or OU and that are applied to users and computers. RSoP can generate information on the following Group Policy settings: Administrative Templates Folder Redirection Security Settings Software Installation Scripts Internet Explorer Maintenance
Because numerous GPOs are typically applied in Active Directory, the RSoP feature can be used to determine which policies are applied to the user or computer being troubleshooted. RSoP also indicates which Group Policy settings have precedence. RSoP can assist in determining whether security templates have been applied correctly. It also points out instances when any settings are overwritten because of conflicting policy settings. The four types of information that can be viewed in the RSoP console are: Individual Group Policy settings The list of GPOs associated with the RSoP query The scope of management associated with the RSoP query GPO revision information RSoP has two modes: Logging mode: The RSoP logging mode determines which existing policy settings have been applied to a user or computer. Logging mode basically generates information on the existing Group Policy settings. Logging mode should be used for the purposes listed below: Determine how security groups and local policy are affecting policy settings. Discover failed and overwritten Group Policy settings. Planning mode: RSoP planning mode is used to simulate the effects of new Group Policy settings before implementing the GPOs in a production environment. Planning mode should be used for the purposes listed below: To test policy precedence To simulate GPO processing over a slow network link To simulate loopback processing How to create and run an RSoP query to troubleshoot existing policy settings for a specified user and computer: 1.Click Start, Run, and enter mmc in the Run dialog box. Click OK. 2.Click Add/Remove Snap-in on the File menu. 3.Click the Standalone tab then click Add. 4.Select Resultant Set of Policy and click Add. Click Close. 5.Click OK.
6.In the MMC, right click Resultant Set of Policy and select Generate RSoP Data on the shortcut menu. 7.Click Next on the the Resultant Set Of Policy Wizards initial page. 8.Select Logging mode on the Mode Selection page. Click Next. 9.When the Computer Selection page opens, either run the RSoP query on This Computer or Another Computer. 10.The user may also select the Do not display policy settings for the selected computer in the results | display user policy settings only checkbox. Click Next. 11.When the User Selection page opens, either select that the query uses the Current User or the Select A Specific User option. 12.The user may also select the Do not display policy settings for the selected user in the results | display computer policy settings only checkbox. Click Next. 13.Verify the parameters set for the RSoP query on the Summary Of Selections page. Click Next. 14.Click Finish on the Completing The Resultant Set Of Policy Data Wizard page. 15.The RSoP console displays the data that resulted from running the RSoP query. Using Gpresult.exe to Troubleshoot Group Policy The Gpresult.exe command-line utility available in Windows Server 2003 can be used to create RSoP queries that can collect and report RSoP data or information on users and computers. Gpresult.exe can be used to gather the information listed below, which can be useful when Group Policy has to be troubleshooted: Information on the OS, computer, and user. Group Policy information, including: When Group Policy was last applied The domain controller that applied Group Policy Information on all GPOs that are applied and their details Information on the Registry settings that are applied and their details Scripts Software management information and details on published and assigned applications
Disk quota information Internet Protocol (IP) security settings Redirected folder information and their details The Gpresult commands syntax and parameters are listed below: gpresult [/s computer [/u domainuser /p password]] [/user username] [/scope {user| computer}] [/v] [/z] /s computer defines the IP address/remote computers name. The local computer is used by default. /u domainuser specifies the user account that should be used to run the command. The user permissions currently logged on are used by default. /p password the user accounts password /user username the user name for which RSoP information should be shown. /scope {user|computer used to define that user or computer settings should be displayed. Both are displayed by default. /v indicates output to show verbose policy information /z indicates output to show all policy information Using Gpupdate.exe to Troubleshoot Group Policy The Gpupdate.exe command-line utility can be used to perform the following tasks: To refresh GPOs immediately if they are not being processed correctly To refresh a GPO immediately after a change has been made to its Group Policy settings. The Gpupdate.exe command-line utility is new in Windows Server 2003. It replaces the Secedit refresh policy command that was used in Windows 2000. The Gpupdate commands syntax and parameters are listed below: Gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync] /Target:{Computer | User}- indicates whether only the computer policy setting or only the user policy settings are refreshed. Both types of policy settings are refreshed by default.
/Force specifies that all policy settings be reapplied. Only the policy settings that have changed from the last Group Policy refresh are refreshed by default. /Wait:<value> specifies the number of seconds to wait for all policy processing to finish. The default value is 600 seconds. A value of 0 indicates to Gpupdate not to wait, while a value of 1 indicates to Gpupdate to wait indefinitely. /Logoff compels the user to logoff the computer after the Group Policy settings are refreshed. /Boot results in a reboot after the Group Policy settings are refreshed. /Sync results in the next policy application occurring synchronously on computer startup or user logon. Using the Group Policy Management Console (GPMC) to Troubleshoot Group Policy The Group Policy Management Console (GPMC) incorporates numerous Group Policy operations into one management console and therefore enables the user to manage Group Policy settings within his/her environment from one location. The GPMC can be used to examine all sites, domains, OUs, and GPOs within an enterprise. The GPMC consists of an MMC, a set of automated scripts that can be run from the command line, and a set of batch files. The scripts included in the Group Policy Management Console (GPMC) can be used to list and view the following GPO information: Information on a GPO All the GPOs in a domain All disabled GPOs View unlinked GPOs in a domain View GPOs by policy extension View GPOs by security group View GPOs with duplicate names View GPOs with no security filtering View scope of management information Because of the information that can be viewed on the GPMC, it can be of assistance when GPO behavior needs to be troubleshooted. It allows users to examine a specific GPOs settings and can also be used to determine how a users GPOs are linked to sites, domains, and OUs. To access the GPMC, click Start, Administrative Tasks, and Group Policy Management. The Group Policy Results report collects
information on a computer and user to list the policy settings that are enabled. To create a Group Policy Results report, right click Group Policy Results and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides the user through various pages to set parameters for the information that should be displayed in the Group Policy Results report. Troubleshooting Policy Inheritance To successfully troubleshoot policy inheritance issues, the user must thoroughly understand how policy inheritance affects the application of Group Policy settings within GPOs. The user also needs to understand how enabling the Block Policy Inheritance and No Override options affect policy inheritance. Inheritance signifies that Group Policy settings that affect user and computer configurations are the resultant set of policies inherited from parent containers. Policies are usually passed down from a parent container to its associated child containers. When a parent OUs policy setting is set to Enabled or Disabled and the child OU does not have the same policy setting configured, the child OUs inherit its parent OUs policy setting. The exception is that a Group Policy setting defined for a child OU overrides the same setting that it inherited from its parent OU. Group policy settings are processed in the order specified below: 1.Local GPO: Because the local GPO is applied first, it means that policies defined at the local computer have the least priority. 2.Site GPO: Site GPOs are GPOs that are linked to sites. The Administrator determines and defines the order of the different site GPOs. 3.Domain GPOs: Domain GPOs are applied next. GPOs linked to a domain have precedence over site GPOs and local GPOs. 4.OU GPOs linked to the OU highest in the Active Directory hierarchy are applied before any other OUs. OU GPOs linked to the OU closest to the user or computer are then applied. When the OU that contains the user or computer has a GPO linked to it, that GPO is applied last. Block Policy Inheritance can be explicitly specified for a site, domain, or OU and is not applied to any GPOs or GPO links. When enabled for a site, domain, or OU, it prevents any Group Policy settings from passing down from higher up in the tree to the particular site, domain, or OU for which it is enabled. The only exception is that any GPO links that have the No Override settings enabled are not blocked, but are applied. When the No Override setting is enabled for a GPO that is linked to a site, domain, or OU, no other GPOs override Group Policy settings contained in that particular GPO. Because of the hierarchical manner in which GPOs are applied and there happens to be more than one GPO that has the No Override setting enabled, the GPO highest in the tree has precedence.
A few techniques for troubleshooting Group Policy inheritance are: GPOs can only be linked to sites, domains, and OUs then applied to users and computers. While child OUs inherit their associated parent OUs Group Policy Settings by default, child domains do not inherit Group Policy settings from parent domains. A factor to consider when troubleshooting policy inheritance is that when both the Block Inheritance and No Override options are enabled, the No Override option has precedence. Remember that the Block Inheritance applies to the entire site, domain, or OU and can therefore prevent Group Policy settings from being applied. In a situation where a particular GPO is not being applied, verify that the GPO is not being blocked. Verify that the user or computer belong to a security group that has the Allow.