Today I got a GPO issue reported on a client where RSOP was showing exclamation marks on the r configuration.
Going to the Computer Configuration properties showed:
In that specific instance, this technet blog from NedPyle [MSFT] really did clue me up. But the steps detailed below really apply to trouble shooting GPOs from the client in general.
Whenever I am faced with a GPO not applying properly on the client, I enable logging as follow:
- As per this technet article - Create the following value:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Entry: UserEnvDebugLevel
Type: REG_DWORD
Value data: 30002 (Hexadecimal)
Next create the following folder %Systemroot%\Debug\UserMode\
Next Run a GPudate /force and reboot the client.
To analyse the log I like to install PolicyReporter which is a free tool from SysPro Software on the same client where I enabled the logging previously.
Please note that you have to navigate to %programfiles%\Policy Reporter\PolMan.exe as no shortcut is created by the installer to launch the tool.
After opening the tool as admnistrator, select "Policy Log Viewer", and on the next screen "This Machine"
Although you can analyse logs on any machine with this tool, When installing it on a machine you are troubleshooting, the History tab can retrieve information from the domain, such as the version of the GPO applied and the reject reasons.
The beauty of this tool is that it breaks down this large log and highlights for you the important statements.
The Tree view is broken down in the following main sections:
- Searching for policies: lists each OU where policies are being searched for. If the policy can be accessed and applied and also display the version being applied.
- Reading previous status: checks the status for entries that are found under the "Windows Settings > Security Settings" section in GPEdit.
- Processing Extensions: details which policy applies which settings to the machine, which policies were checked and were identical, or which policies were skipped as they did not apply for filtering reason or anything else.
When reading those logs it is extremely usefull to know a key word you are looking for rather than trying to read the whole log on your own. For instance with my Site to Zone assignment problem Ned advised to look for "ListBox_Support_ZoneMapKey" to confirm the root cause of the issue. Also in my experience the logging on Vista and above is way more detailed than on XP so it can be worth applying your XP GPO (if applicable) to a Vista, W7 or W8 client for debugging purpose.
Well that pretty much wraps it up for today, time to enjoy the week end....
No comments:
Post a Comment