Group Policy Troubleshooting

The following points should be taken into consideration while Troubleshooting Group Policy. These are the common ones:

Group Policy settings can be applied only when User account or computer account (leaf objects) are in the same container where GPO is applied.

Leaf objects or Groups must have “Read” and “Apply Group Permissions” assigned to them.

Make sure you and users have proper permissions on SYSVOL folder.

Make sure SYSVOL folder is shared properly (type net share \\ip_of_dc) from a client machine or server.

Group Policy Objects may not be processed if Client-Side-Extensions (CSE) are missing in client machine or DLL used to process GPOs are corrupted. You can find the CSE at the following registry location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPTExtension.

 Make sure NetBIOS Helper service is running in server using services.msc snap-in.

 Make sure you haven’t enabled *No Override* option on parent GPOs if yo’re using one. Check this in Default Domain GPO.

 For permissions, you should have the following set for each object:

Remove *Authenticated Users* group from list of objects listed on Security Tab.

Sales Dept should have “Read” and “Apply Group Policy” permissions.

Administrators, Enterprise Administrators and Domain Administrators should be set to “Deny Apply Group Policy”.

Finally you can troubleshoot Group Policy either using GPMC (RSOP) or enabling User Environment Debugging on one of your client machine and then finding the culprit.

How to enable User Profile Debugging:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;221833

Leave a Reply

Your email address will not be published. Required fields are marked *