Tips

In troubleshooting Group Policy issues over the years, I tend to see the same problems over and over. In the last part of this series I will share some of those experiences.

DNS

Your DCs should be pointing to each other for DNS and your clients should be pointing to the DCs. If your clients are using other DNS servers, you’re going to have problems at some point. If you are, for some reason, required to use third-party DNS for external lookups, put those DNS servers in as Root Hints servers instead of pointing clients or DCs at them.

Just Say NO to top level policies

The Default Domain Policy should be your only top level GPO unless you have a really good reason to add more. In addition, the Default Domain Policy should be edited very sparingly. Why? Anything you link at the top level applies to EVERYTHING in your Domain. Do you really want all of your servers and Admin accounts locked down with the same policies you give to everyday workstations and standard user accounts? Decide on an organizational structure for your OUs where you can link your GPOs instead of linking them at the top level.

Of course, Group Policy relies on Active Directory. Part 5 in our Group Policy troubleshooting series covers typical Active Directory problems that prevent Group Policy from working properly.

DNS

If you’ve gotten to the point where it looks like Active Directory (AD) is the problem, you’re most likely looking at some kind of replication issue. By far, the most common cause of AD replication problems (short of failed DCs) is DNS. Are you using AD integrated DNS? Are your DCs pointing to each other for DNS? Are the firewalls between each DC open on the correct ports?

Event Log

So the obvious place to look first is the Event Log. If you’re having replication problems, you’ll have errors in the Event Log, most likely a lot of them. Take a look here first for anything actionable.

GPOTool

GPOTool.exe is a handy utility that Microsoft puts into the Microsoft Product Support Reports suite of utilities. It is buried a bit: the suite extracts its executables before installing the tools, and at that point GPOTool.exe can be found in your computer’s temp folder.

Running GPOTool.exe from one of your DCs without any switches will run through all of your GPOs and verify that your Group Policy Templates and Containers are synced and consistent across all of the DCs. You can also use the /gpo option if you just want to check one specific GPO.

Client issues are often the cause of Group Policy problems. In part 4 of this series, I will discuss tools such as gpupdate and gpresult which help you tackle these problems.

When all else fails, reboot!

There are a few changes in Group Policy that require a reboot for the computer or a logoff/logon for the user. If you have clients that go long periods without rebooting or users that just lock their computers at the end of the day, this could be why some policies aren’t updating. If you’re deploying software to computers, using Folder Redirection, or have startup/shutdown scripts, you’ll need your computers to restart occasionally. The same goes for logon/logoff scripts: if you’re relying on scripts in your policy for changes, users will need to actually log out on occasion to get those changes. If you can, time your policy changes that require a reboot with Patch Tuesday, since the computers will, most likely, reboot to apply patches.

Wait… or run gpupdate

Group Policy refreshes every 90 minutes with a randomized offset of 30 minutes. If you change a policy right now, it could be as much as 2 hours before all of your clients get the policy. (Depending on how long Sysvol replication takes in your AD (or if you have a DC on the other side of a slow connection), it could possibly be longer.) If you made the change an hour ago and clients aren’t getting the setting, that’s completely normal. On the client, you can run gpupdate.exe to update changes that have been made to Group Policy. Running a gpupdate.exe /force will ignore any processing optimizations and reapply all of the Group Policy. Or, you can just keep on waiting until all of your computers complete their regular refresh.

Group Policy settings are not applied? In this third part of our Group Policy troubleshooting series you will learn how to identify the source of the problem.

So you’ve got computers or users with Group Policy problems. Where do you start? Troubleshooting any problem is usually a process of elimination. A lot of people want to run directly to the Event Log of the computer having the problem. Before jumping on the first computer where Group Policy is not applied, I suggest asking a few questions first so you can eliminate possible causes. A little detective work up front can make tracking down the actual problem much easier and may save you some time digging through logs.

Is this a local system or a remote (probably VPN-connected) system?

Some policies behave differently depending on whether a user/computer is connected directly to a LAN or remotely over a slower connection. For a remote user, the computer may have identified the connection as a slow link and may not be enforcing all settings properly. Additionally, some settings like Folder Redirection and scripts only run during a reboot and may require pre-logon VPN access to network resources like file servers or they won’t run. If the user is connected remotely, you may need to recommend that they connect to the VPN prior to logging into AD so their policy can process.

You test your Group Policy changes before you push them out, right? This second part of six shows you how you can test Group Policy settings before you deploy them.

I can’t stress enough how important it is to test out your new Group Policy settings before you start pushing them out to end users. How do you know they will work correctly in the real world if you haven’t tested them in a controlled lab setting first?

Creating a Group Policy test environment

In larger environments, IT departments may have a Test Active Directory Forest just for testing things like Group Policy. Unless you’re applying Group Policy to thousands or tens of thousands of computers, that may be overkill for your organization. Here’s what I typically do to test:

In my Active Directory (AD) organization, I like to keep a “Test” Organizational Unit (OU) that mimics a typical OU for a department. In that OU, I keep the same sub-OU layout, a few test user accounts, and test computers (usually virtual machines) where I can put any of my test Group Policy before I make it available to end users.

In this series of six parts, I will show you how to prevent and solve Group Policy problems. In this first part, I will outline why communication with your users is important.

Group Policy is a great tool that can make your life a lot easier as a systems administrator. But, what do you do when computers or users aren’t getting the correct policies? In this series, we’ll take a look at things you can do to prevent problems, common problems people have with Group Policy, and steps you can take to troubleshoot misbehaving Group Policy.

“An ounce of prevention is worth a pound of cure.” — Benjamin Franklin. Those words definitely ring true for deploying new Group Policy settings. There are a number of things you can do before deploying changes that may cost you some time up front, but will definitely save you time and grief down the road.

In this article you will learn how to create Group Policy Objects (GPOs) by leveraging the power of Windows Management Instrumentation (WMI).

The traditional method for scoping Group Policy Objects (GPOs) in Windows Server 2008 Active Directory is to perform the following actions:

  • Ensure that the GPO is linked to the appropriate Active Directory object (for instance, site, domain, OU)
  • Use security filtering to ensure that the GPO affects only specified user and/or computer accounts

Security filtering a GPO

What many Windows systems administrators do not know (or may not want to know due to the learning curve involved) is that we can also use Windows Management Instrumentation (WMI) filtering to dynamically scope Group Policy.

This article introduces Group Policy Preferences, explains how they differ from Group Policy settings, compares Preferences to logon scripts, and covers a few Group Policy Preferences gotchas.

The introduction of Group Policy Preferences into Group Policy seems to have quite a few people confused. I think that confusion has been compounded by all of the people who skipped Windows Vista, stayed with Windows XP, and are just now starting to implement Windows 7 on the desktop.

Group Policy Preferences

The third part in this series about MDT (Microsoft deployment toolkit) covers the basics of Windows deployment.

MDT Workbench

MDT has two main sections within the Workbench: Information Center and Deployment Shares. Information Center contains links to documentation, online links (news), and components, where you download software. The other section is where you can create, populate, and manage deployment shares.

MDT 2012 workbench

The second part of the Microsoft Deployment Toolkit (MDT) series describes all the things you need to get started with OS deployment.

Before you even bother installing MDT, I suggest you install the MDT prerequisites listed in the following table, in order. For XP, you also need to install PowerShell.

MDT requirements

Requirements                              | Size  | Download Link
------------------------------------------+-------+------------------------------------
WAIK 3.0                                  | 1.3GB | KB3AIK_EN.ISO
WAIK Supplement for Windows 7 SP1 only    | 1.3GB | waik_supplement_en-us.iso
PowerShell 2.0 – new since MDT Update 1   | 1MB   | Management framework (for XP only)
Configuration Manager 2007 toolkit        | 1MB   | ConfigMrgTools.msi
MDT print-ready docs                      |       | Word versions of the help file
MDT 2010 update 1                         | 1GB   | MDT
%temp% drive space                        | 5GB   | n/a

The PowerShell script discussed here allows you to change the local administrator password on multiple remote computers. You can also use the script to change the password of other accounts.

I still remember the days (way back in 2003-2004) when we were asked to change the local administrator password manually on all 2000+ computers in a weekend. Back then, system administrators in my region were pretty far removed from automation. But things evolved greatly after that, and system administrators started using programming languages (like VBScript) to automate tasks. Automation tasks have become much easier these days with the introduction of PowerShell.

So, let us see how we can change the local administrator password for a given list of computers using a PowerShell script.

Changing the administrator password with PowerShell

# Prompt for the new password twice; -AsSecureString keeps it from being echoed or stored as plain text
$password = Read-Host "Enter the password" -AsSecureString
$confirmpassword = Read-Host "Confirm the password" -AsSecureString
# Temporarily decrypt both SecureStrings to plain text so they can be compared
$bstr1 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$bstr2 = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($confirmpassword)
$pwd1_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr1)
$pwd2_text = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr2)
# Zero and free the unmanaged copies so the plain-text password does not linger in memory
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr1)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr2)
if ($pwd1_text -ne $pwd2_text) {
    Write-Error "Entered passwords are not the same. Script is exiting."
    exit
}

In this blog post I will provide you with the basics of using Visio 2010 to create a server room rack diagram.

As a Windows systems administrator, you may be required to document the contents of your server racks. The reasons for this documentation are myriad and manifold:

  • Compliance with industry/governmental regulations
  • Compliance with organizational IT policy
  • Theft protection/insurance reimbursement
  • Accountability to stakeholders
  • General industry best practice

Microsoft Visio 2010 is a part of the Microsoft Office System suite that is optimized for the visualization of all business processes. Visio is especially well-suited to our work in IT.

In this tutorial you will learn how to point the authoritative time server in your Active Directory domain at an Internet-based atomic time source.

As you probably already know, the Kerberos authentication protocol has limited tolerance for time skew between client and server. Specifically, the time difference between domain computers needs to be less than five minutes.

Some Windows administrators want to synchronize their Windows Server 2008 system clocks to an external atomic time source. How can we accomplish this goal? Well, read on!

The Windows Time Service: Basic operation

The Windows Time (W32Time) service exists in both Windows Server 2008 R2 as well as Windows 7, and is the “engine” that drives system time synchronization within an Active Directory domain.

By default, the domain controller that holds the PDC Emulator FSMO role is the authoritative time source for the domain. More broadly, the PDC Emulator in the forest root domain holds the authoritative time for the entire forest. Check out the following Visio diagram:

There are many reasons for slow performance immediately following logon. In my last post I explained how you can troubleshoot slow logon by limiting the user profile size. This post explains how to keep the 3-headed monster from becoming one of them.

While constantly checking Task Manager and Resource Manager, I would sometimes notice high CPU utilization due to what I call the 3-headed monster. Here’s the definition for that:

3-headed monster

The user experience of Windows Indexing, System Restore, and/or Windows Error Reporting causing less than desirable states of desktop responsiveness, especially during the logon process. These are three Windows “features” I would consider disabling to improve performance immediately following logon. Disabling these will also improve overall performance.

Indexing

Let’s start with indexing. The theory of indexing is sound, and I think it can be applicable to home desktop users. However, on workstations in the business environment, I’m not so sure.

In this tutorial I will show you how to share a folder in Apple Mac OS X and access those shared resources from Windows.

In a previous article, you learned how to connect to Windows-based Server Message Block (SMB) shares from Mac OS X. Here we turn the tables and discover how we can share file resources in Mac OS X Snow Leopard with Windows-based client computers.

If you are like me, then you are accustomed to the enterprise-class file sharing and access control that are afforded to us in Windows. This being said, you are likely to find the Mac OS X file sharing options to be rather limited.

Setting up a Mac for Windows Sharing

From your Mac OS X Snow Leopard desktop, open the Apple menu and select System Preferences.

Opening System Preferences
