In troubleshooting Group Policy issues over the years, I tend to see the same problems over and over. In the last part of this series I will share some of those experiences.
Your DCs should be pointing to each other for DNS and your clients should be pointing to the DCs. If your clients are using other DNS servers, you’re going to have problems at some point. If you are, for some reason, required to use third-party DNS for external lookups, put those DNS servers in as Root Hints servers instead of pointing clients or DCs at them.
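As an added check (not part of the original post), this PowerShell snippet compares the DNS servers configured on a machine with the domain controllers the domain actually has, so a client or DC pointed at a third-party resolver stands out. It assumes the RSAT ActiveDirectory module is installed and that the DnsClient cmdlets are available (Windows 8 / Server 2012 or later).

```powershell
# Added example: flag any configured DNS server that is not a domain controller.
# Assumes the RSAT ActiveDirectory module; DnsClient cmdlets need Windows 8 / 2012 or later.
Import-Module ActiveDirectory

# Every DC in the current domain, by IPv4 address.
$dcAddresses = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty IPv4Address

# Every DNS server configured on any IPv4 interface of this machine.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    Select-Object -ExpandProperty ServerAddresses -Unique

if (-not $configured) {
    Write-Warning 'No IPv4 DNS servers are configured at all.'
}

foreach ($server in $configured) {
    if ($dcAddresses -contains $server) {
        Write-Output "OK       $server is a domain controller"
    } else {
        Write-Warning "$server is not a DC. Clients (or DCs) pointed here may fail the SRV lookups needed to find a DC and SYSVOL."
    }
}

# Independently confirm that this machine's resolver can find the DC SRV records at all.
$domain = (Get-ADDomain).DNSRoot
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object NameTarget, Port
```

Run it on a DC as well as on a client; a DC whose DNS points somewhere other than itself or another DC will show up the same way.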
Just Say NO to top level policies
The Default Domain Policy should be your only top level GPO unless you have a really good reason to add more. In addition, the Default Domain Policy should be edited very sparingly. Why? Anything you link at the top level applies to EVERYTHING in your Domain. Do you really want all of your servers and Admin accounts locked down with the same policies you give to everyday workstations and standard user accounts? Decide on an organizational structure for your OUs where you can link your GPOs instead of linking them at the top level.
Group Policy doesn’t apply to Groups
Despite the name, you can’t apply Group Policy to a Group directly. GPOs can only apply to users and computers. If you need it to apply to a group of users or computers, you’ll need to remove Authenticated Users from the Security Filtering for the GPO and then put your group there to apply it to your subset of objects.
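The security-filtering change described above, done with the GroupPolicy module as an added example (not the post's own code); the GPO name 'Workstation Lockdown' and the group 'Finance Workstations' are placeholders.

```powershell
# Added example: scope a GPO to one group instead of Authenticated Users.
# 'Workstation Lockdown' and 'Finance Workstations' are placeholder names.
Import-Module GroupPolicy

$gpoName = 'Workstation Lockdown'
$group   = 'Finance Workstations'

# Authenticated Users normally holds Read + Apply. Drop it to Read only. -Replace is
# needed: without it, an existing higher permission level is left unchanged.
# Keeping Read matters: since MS16-072 (2016) the computer account must be able to
# read the GPO even for user settings, or the GPO silently stops applying.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Grant Read + Apply to the group whose members should actually get the policy.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply

# Show the resulting delegation; only $group should carry GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

Remember that the group must contain the user or computer objects themselves; nesting still works, but a computer in the group only matters for computer-side settings and a user only for user-side settings.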
Getting a 5 minute hang at logon?
You’ve got a logon script problem. The default timeout for scripts is 5 minutes.
Group Policy Preferences not applying in XP (or other older OS’es)?
Is the CSE installed? Pre-Windows 7 OS’es will ignore Group Policy Preferences unless the Client Side Extensions are installed.
Enforced policies & block inheritance
If there are GPOs at a higher level that you don’t want to apply, you can use the Block Inheritance option on an OU to stop those GPOs from applying. To combat this, a GPO can be set as Enforced so that it can’t be overridden at a lower level. If you can avoid both of these options, do so. They can cause major headaches.
Is something disabled?
This is something you’ll see in gpresult.exe output. When you right-click on a GPO, the Link Enabled option should be checked. If it isn’t, the icon next to the GPO will be lighter than other GPOs. Also, make sure that the GPO Status in the Details tab of a GPO is set to Enabled.
Are you applying settings to the right OS version?
If you’re running a mixed environment of XP, Vista, and 7 like just about everyone, make sure that the policy that you’re trying to apply wasn’t intended for a different OS. When you’re editing a GPO, each option will have a “Supported on” area that tells you which operating systems are supported.
Group Policy – Supported Windows version
This is also something that will show up in gpresult.exe (seeing a trend here?). By default, the Security Filtering for a new GPO is set to Authenticated Users; that’s everybody, including Domain Users and Domain Computers. There’s no reason to change it unless you only want that GPO to apply to a subset of objects. You can put Deny entries in the Delegation tab, but I won’t usually recommend it.
If you’re storing scripts outside of Sysvol, deploying software, mapping drives/printers, or using Folder Redirection, file and share permissions are your biggest enemies. Double, triple, and quadruple check them and they could still be wrong. If you’re having problems accessing a network resource, try connecting to it manually to see if you still can’t connect. The Event Log will also tell you if your user/computer can’t access the resource.
Lowest linked GPO wins. If there is a top level policy set by a Domain Admin and 16 sub-OUs down there is a conflicting policy set by a departmental Admin, the lowest linked policy will win out unless the Enforced option has been checked. When in doubt, go to the OU in the GPMC and check the Group Policy Inheritance tab and you’ll be able to see the order they are processed.
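The same information GPMC shows on the Group Policy Inheritance tab, pulled for one OU with Get-GPInheritance, as an added example (not from the original post). It also flags the Block Inheritance, disabled-link and GPO Status problems from the sections above; the OU distinguished name is a placeholder.

```powershell
# Added example: reproduce the GPMC "Group Policy Inheritance" tab for one OU and flag
# the things this post says to look for. The OU DN is a placeholder.
Import-Module GroupPolicy

$ou  = 'OU=Finance,OU=Workstations,DC=example,DC=com'
$inh = Get-GPInheritance -Target $ou

if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Block Inheritance is set on $($inh.Path); only Enforced GPOs from higher up still apply."
}

# Links set directly on this OU but switched off (the lighter icon in GPMC).
$inh.GpoLinks | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning "Link to '$($_.DisplayName)' on $ou is disabled."
}

# InheritedGpoLinks is the effective processing order: precedence 1 wins any conflict,
# and an Enforced GPO from a parent container is moved ahead of the OU's own links.
$inh.InheritedGpoLinks | ForEach-Object {
    $gpo = Get-GPO -Guid $_.GpoId
    if ($gpo.GpoStatus -ne 'AllSettingsEnabled') {
        Write-Warning "'$($gpo.DisplayName)' has GPO Status $($gpo.GpoStatus)."
    }
    [pscustomobject]@{
        Precedence = $_.Order
        GPO        = $_.DisplayName
        LinkedAt   = $_.Target
        Enforced   = $_.Enforced
        GpoStatus  = $gpo.GpoStatus
    }
} | Format-Table -AutoSize
```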
Group Policy Precedence
I’ve seen a few networks where the clients would detect that they were on slow links even if they weren’t. You’ll see in your gpresult.exe output if the client thinks it is on a slow link. If this is a continuing problem, you can disable slow link detection in Group Policy in Computer Config, Policies, Administrative Templates, System, Group Policy, Group Policy slow link detection, and set it to 0.
No user policies? Check to see if Loopback processing is set to Replace.
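Both of the previous two symptoms come down to registry-backed policy values on the client, and reading them directly is faster than hunting through gpresult.exe. The snippet below is an added example (not part of the original post); run it locally on the affected machine.

```powershell
# Added example: read, on a client, the two policy values behind the slow-link and
# loopback symptoms. The values live under the machine's Group Policy registry key.
$sys = 'HKLM:\Software\Policies\Microsoft\Windows\System'
$p   = Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue

# "Configure Group Policy slow link detection" writes GroupPolicyMinTransferRate (Kbps).
# 0 disables detection; if the value is absent the default 500 Kbps threshold applies.
$rate = $p.GroupPolicyMinTransferRate
if ($null -eq $rate) {
    'Slow link detection: not configured (default 500 Kbps threshold)'
} elseif ($rate -eq 0) {
    'Slow link detection: disabled'
} else {
    "Slow link detection: enabled, threshold $rate Kbps"
}

# "Configure user Group Policy loopback processing mode" writes UserPolicyMode:
# 1 = Merge, 2 = Replace. In Replace mode, user settings come only from GPOs linked
# where the COMPUTER object sits, so GPOs linked at the user's own OU are ignored.
$mode = $p.UserPolicyMode
if ($mode -eq 2) {
    'Loopback: Replace. User GPOs linked at the user OU will not apply on this computer.'
} elseif ($mode -eq 1) {
    'Loopback: Merge. User GPOs from the user OU apply, then those from the computer OU.'
} else {
    'Loopback: not configured.'
}
```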
Is the user or computer where they’re supposed to be? I helped someone troubleshoot a problem for three days only to discover that the user account was in the wrong OU. Moved the user, refreshed the policy, problem resolved.
Apply policy to the correct object type
Make sure that you’re applying user policies to users and computer policies to computers. Separating your users and computers into separate OUs makes this easier to keep track of.
Folder Redirection oddities
Folder Redirection can do some weird things if you don’t watch your settings. If you’re migrating to a new server name and moving all of the files yourself, make sure that you disable the option to move the users’ files to the new location. If not, you’re going to wind up with some angry users with missing files.
If the move option is disabled in Windows 7, the old folders will still be left behind even if a user logs in to the computer for the first time. You’ll either need to delete those folders or change the option to move the contents of the folder.
If you’re redirecting the My Documents folder, make sure that you mind the naming convention that the GPMC uses. If your file server is still using the old “My Documents,” the GPMC may try to change that to just “Documents.”