Group Policy Troubleshooting


Hey guys,

I would like to show you how to enable Group Policy debug logging, which creates the gpsvc.log file.

The gpsvc log is needed when we are trying to solve Windows issues with GPO.

To be honest, I used it a couple of times when I had a problem with Windows 10 / Windows 7 machines that for some reason weren’t able to get some GPO settings; eventually, using this log, I was able to find the solution.

There is a certain order that I work in when solving GPO issues on Windows machines, and I would like to share that order with you.

  • First, check your GPO: make sure you are not applying Computer settings to users or vice versa. You can create a security group that should do the work.
  • Do not forget the GPO processing order: Local, Site, Domain, OU (LSDO). This means that a policy applied at the OU level is always stronger than Local, Site and Domain, unless you enabled the “Enforced” option, in which case the enforced policy is stronger. Usually, the default domain policy is configured as “Enforced.”
  • Hopefully you haven’t forgotten: even if you have enabled “Block Inheritance” on a particular OU, “Enforced” is stronger and still applies to that OU.
  • Next, run Group Policy Results from the Group Policy Management Console before you go to the user; with Group Policy Results you can get the client-side “GpResult”.

Still have a problem?

  • Run a GPO update and make sure the policy applies as it is supposed to.
  • Go to the client, run “gpresult /r” and see what is going on. Make sure there is no “Filter Out warning” issue, which means that you have applied the GPO to the computer and added users to the policy.
  • Still struggling with it? Run “gpresult /h GPOResult.html”; it generates an HTML file that shows you the GPO settings.
  • Along with that, I would run “Rsop.msc”; it shows you the applied GPOs and any existing errors.
  • Suppose that it still doesn’t work and you can’t figure out what the problem is: verify that you are able to access and see the SYSVOL folder.
  • Open the Event Viewer and go over the Group Policy folder. Guys, it helped me a lot! Especially with Folder Redirection issues, where I saw that the policy was not applied because of X, Y, Z reasons.
  • Another way to investigate your problem is to analyze “gpsvc.log”. By default this log does not exist; we have to enable it.

Let’s see how we can do it:

Open the registry and navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Create a new key and call it:

Diagnostics

Under this key, create a new REG_DWORD value and call it GPSvcDebugLevel. Modify it and, in the Value data box, type “30002”; make sure the base is set to “Hexadecimal.”

Then go to:
%windir%\debug\

Look for the “usermode” folder; under this folder you will see “gpsvc.log”. If you do not see the “usermode” folder under “.\debug\”, create it and then re-run “gpupdate /force” or just restart the machine.
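The same steps as a script, as an added example that is not part of the original post: it sets GPSvcDebugLevel, creates the usermode folder, refreshes policy, checks that gpsvc.log was written and saves the “gpresult /h” report. The function names, the report path under %TEMP% and the removal of the value at the end are assumptions of this example; run it from an elevated PowerShell prompt.

```powershell
# Added example: toggle Group Policy service debug logging around one refresh.
$DiagKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Diagnostics'
$LogDir  = Join-Path $env:windir 'debug\usermode'
$LogFile = Join-Path $LogDir 'gpsvc.log'

function Enable-GpsvcDebugLog {
    # Create the Diagnostics key if it does not exist yet.
    if (-not (Test-Path $DiagKey)) { New-Item -Path $DiagKey -Force | Out-Null }
    # REG_DWORD GPSvcDebugLevel = 0x30002 (the hexadecimal value from the steps above).
    New-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' `
        -PropertyType DWord -Value 0x30002 -Force | Out-Null
    # Create %windir%\debug\usermode if it is missing.
    if (-not (Test-Path $LogDir)) {
        New-Item -Path $LogDir -ItemType Directory | Out-Null
    }
}

function Disable-GpsvcDebugLog {
    # Assumption of this example: remove the value once troubleshooting is done.
    Remove-ItemProperty -Path $DiagKey -Name 'GPSvcDebugLevel' -ErrorAction SilentlyContinue
}

function Test-GpsvcLogUpdated {
    param([datetime]$Since)
    # True only if gpsvc.log exists and was written after the refresh started.
    (Test-Path $LogFile) -and ((Get-Item $LogFile).LastWriteTime -ge $Since)
}

$started = Get-Date
Enable-GpsvcDebugLog
try {
    gpupdate /force
    if (Test-GpsvcLogUpdated -Since $started) {
        # Show the end of the log; open the full file for the complete trace.
        Get-Content -Path $LogFile -Tail 40
    } else {
        Write-Warning "gpsvc.log was not updated; restart the machine and check again."
    }
    # Save the HTML report as well (/f overwrites an existing file).
    gpresult /h (Join-Path $env:TEMP 'GPOResult.html') /f
}
finally {
    Disable-GpsvcDebugLog
}
```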


You can find more details and deeper troubleshooting guidance at the following URL:

https://technet.microsoft.com/en-us/library/cc775423%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

In summary:

Many people think that GPO is easy, and that’s a little bit true: anyone can create a GPO and assign it to the suitable OU. But not everyone knows what the implications of applying a GPO are, how it works, or how to solve problems with it. As most of you already know, GPO can cause trouble for your site, whether it is replication issues or user logon issues.

By the way, for any slow login issue, please monitor it with the Process Monitor tool (free).

Group Policy is a powerful tool, and you can make your life easier if you know how to use it correctly. Be careful! One change could affect everyone; there is no place for mistakes.
Personally, in every workplace where I have worked, I always had an internal lab where I checked everything before rolling it out to production. Even so, let’s say everything went well in the lab: re-check the same policy in production on 2-3 clients for a week. Be a responsible person, be a professional.

Another suggestion is to keep to a naming convention like:

ISRAEL – WSUS SETTINGS
USA – WSUS SETTINGS
ISRAEL – R&D – Screen Saver

It helps everyone: no matter who is there, it will be readable and understandable for anyone, and maybe one day we will stop with “I inherited it”.
Do not forget: when you delete a policy under your domain, it doesn’t mean that you have deleted the policy itself. You have to delete it from “Group Policy Objects”. Each policy has a different SID.

Back up your policy settings once a week directly to your storage (not to the DC). Believe me, in a crisis scenario it is better to restore only the policies than the whole Active Directory. You can create a daily backup using the following article:

Two methods for backing up Group Policy


I really suggest working with Starter GPOs, which let you collect templates and deploy them per customer, and then change the settings that you want to change, again, per customer.

All right guys, do not forget the order
(Local doesn’t appear here; run ‘gpedit.msc’ on the client):

You can change your GPO troubleshooting order as you wish.