Group Policy Troubleshooting

The following points are the common things to check when troubleshooting Group Policy:

Group Policy settings are applied to a user or computer account only when the account sits in the container (site, domain or OU) where the GPO is linked, or in a child container that inherits from it.

The user or computer (or a group it belongs to) must have both "Read" and "Apply Group Policy" permissions on the GPO.

Make sure you and your users have the proper permissions on the SYSVOL folder.

Make sure SYSVOL is shared properly: run "net share" on the domain controller, or "net view \\ip_of_dc" from a client machine or another server, and confirm that the SYSVOL and NETLOGON shares are listed.

Group Policy Objects may not be processed if a Client-Side Extension (CSE) is missing on the client machine or the DLL that processes the extension is corrupted. The registered CSEs are listed under the following registry key, one subkey (a GUID) per extension, with the DllName value naming the DLL:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions

Make sure the TCP/IP NetBIOS Helper service is running on the server (services.msc snap-in).

Make sure you haven't enabled the "No Override" option (called "Enforced" in GPMC) on a parent GPO unless you mean to: an enforced parent GPO wins over any conflicting setting in a child GPO. Check this on the Default Domain Policy first.

For security filtering, set the following permissions on each GPO (a group named "Sales Dept" is used as the example):

Remove the "Authenticated Users" group from the list of names on the Security tab. On domains that have the MS16-072 update (June 2016) installed, leave "Authenticated Users" or "Domain Computers" with the "Read" permission but without "Apply Group Policy"; otherwise the computer can no longer read the user part of the GPO and it stops applying.

"Sales Dept" should have "Read" and "Apply Group Policy" permissions.

Administrators, Enterprise Admins and Domain Admins should be set to "Deny" on "Apply Group Policy" if the policy must not apply to them. Use Deny entries sparingly; a Deny overrides any Allow the same account receives through another group.

Finally, you can troubleshoot Group Policy with the Group Policy Results (RSoP) wizard in GPMC or with gpresult on the client, or by enabling user environment debug logging on one of your client machines and reading the resulting userenv.log to find the culprit.

How to enable user environment debug logging: Microsoft KB 221833.

DNS and Active Directory best practices.

1. DNS in the domain controller's TCP/IP properties points to itself (the DC's own IP address).

2. The Forwarders tab in the DNS server properties is configured so that names outside your own zones (Internet names) are resolved through the ISP's or another external DNS server.

3. The "Register this connection's addresses in DNS" box is checked in the TCP/IP properties.

4. The SOA and NS records of the zone name this DNS server. Expand the Forward Lookup Zone, and in the right pane check that the primary server in the SOA record and the NS records refer to this server's name and IP address.

5. If the server has two NICs, make sure DNS is listening only on the LAN interface (DNS server properties > Interfaces tab).

6. Run "ipconfig /registerdns" on the domain controller, then restart the Netlogon service so that the _ldap, _kerberos and other SRV records are re-registered.

7. If the internal NIC was configured to use the ISP's DNS server address, remove it; domain members and domain controllers must point only at internal DNS servers.

8. Make sure dynamic updates are enabled on the DNS zone (for Active Directory-integrated zones, choose "Secure only").

9. Make sure clients are configured with the domain's DNS suffix (primary DNS suffix or a connection-specific suffix).

This DNS server will not forward requests to the ISP's DNS server until it is configured to do so on the Forwarders tab of the DNS server properties.

For Internet access:

If the server has a root zone named "." under Forward Lookup Zones, it believes it is a root server and the Forwarders tab is greyed out. Delete the "." zone, then open the properties page of your DNS server and configure forwarders to point to your ISP's DNS.

More Information

Using Forwarders in DNS
Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000
HOW TO: Configure DNS for Internet Access in Windows 2000
HOW TO: Configure DNS for Internet Access in Windows Server 2003
HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
Troubleshooting Common Active Directory Setup Issues in Windows 2000
Troubleshooting Active Directory DNS Errors in Windows 2000
10 DNS Errors That Will Kill Your Network
SRV Resource Records May Not Be Created on Domain Controller
How to Verify the Creation of SRV Records for a Domain Controller
How Domain Controllers Are Located in Windows
How Domain Controllers Are Located in Windows XP
Determining the Server GUID of a Domain Controller
GUID Records Are Not Registered If MX Record with Wildcard Character Is Present
Windows 2000 DNS and Active Directory Information and Technical Resources
Setting Up the Domain Name System for Active Directory

Windows logs on and logs off immediately.

You may face this problem when logging on to Windows: you type your user name and password, the desktop never appears, and you are presented with the user name and password dialogue box again. It happens in both Normal Mode and Safe Mode.

The cause is in the values Winlogon reads to start the user session. Winlogon reads the path of the user-initialisation program (userinit.exe, which in turn starts the shell) and of the default shell (explorer.exe) from the following registry key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

If the Userinit value is missing, points to a file that no longer exists, or points to a program that exits straight away, the session ends as soon as it starts. The values should be:

            Shell = explorer.exe
            Userinit = x:\windows\system32\userinit.exe,

(x: is the drive Windows is installed on; the trailing comma in the Userinit value is part of the default value.)

NOTE: These files may also be deleted or replaced by malware, and these two values are a well-known persistence location: malware appends its own executable to Userinit or Shell so that it starts at every logon. Treat any unexpected path in these values as a sign of compromise. If userinit.exe or explorer.exe is missing, extract a clean copy from the Windows CD.

Steps for rectifying this problem:

  • Log on to another computer on the network with an account that is an administrator on the affected computer.
  • Run Regedit.exe
  • Select File > Connect Network Registry
  • Type the name of the affected computer (the Remote Registry service must be running on it)
  • Navigate to the following key in the remote computer's registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

  • Edit these two values in the right pane and set them to:

                  Shell = explorer.exe
                  Userinit = x:\windows\system32\userinit.exe,

  • Exit Regedit
  • Restart the affected computer.
  • You should now be able to log on.

How to manually create Default Domain GPOs

Two GPOs are created when you promote a member computer or a stand-alone server to a domain controller:

  • Default Domain Policy
  • Default Domain Controllers Policy

Each GPO has two parts: the Group Policy Template (GPT), a folder under SYSVOL\<domain>\Policies named after the GPO's GUID, and the Group Policy Container (GPC), an object of class groupPolicyContainer under CN=Policies,CN=System in the domain partition, whose name is the same GUID. The two default GPOs use fixed, well-known GUIDs in every domain:

Default Domain Policy GUID {31B2F340-016D-11D2-945F-00C04FB984F9}

Default Domain Controllers Policy GUID {6AC1786C-016F-11D2-945F-00C04fB984F9}

Windows and the AD tools identify the default policies by these GUIDs, not by their display names; renaming the GPO does not change which one is treated as the default.

If a default GPO has been deleted, the supported way to recreate it is Dcgpofix.exe (see below). The manual procedure, which produces the same result, is:

1. Open ADUC.

2. Right-click the domain (or, for the Default Domain Controllers Policy, the Domain Controllers OU) > Properties.

3. Switch to the Group Policy tab.

4. Create a policy named "Default Domain Policy" (or "Default Domain Controllers Policy"). The name can be anything; the AD tools find the default policies by GUID, not by name.

5. Click this GPO > Properties > note down the GUID of the newly created GPO.

6. Under SYSVOL\<domain>\Policies, rename the new GPO's folder from that GUID to the well-known GUID of the Default Domain Policy or Default Domain Controllers Policy.

7. Rename the matching GPC object (CN=<new GUID>,CN=Policies,CN=System,DC=...) to the well-known GUID so that the GPC and the GPT agree, and update its gPCFileSysPath attribute to the renamed SYSVOL folder. You can do this with a small ADSI script or with the ADSI Edit snap-in; the schema is not involved.

Here are some articles that you can use to troubleshoot Group Policy:

Troubleshooting Group Policy issues in Windows
How to reset security settings in GPO
Scripting GPO

Using Dcgpofix.exe:

You can also use Dcgpofix.exe to restore the default GPOs to their initial state (dcgpofix /target:Domain, /target:DC or /target:Both). It recreates both the GPC and the GPT with the well-known GUIDs, but it does not bring back any changes made to the policies after installation.

Have a look here for Dcgpofix.exe:

The Dcgpofix tool does not restore security settings in the Default Domain Controller Policy to their original state

LDIFDE – Export / Import data from Active Directory

LDIFDE is a robust utility that imports and exports Active Directory information in LDIF format (LDAP Data Interchange Format, RFC 2849). It queries any available domain controller to retrieve or update AD information unless you name one with -s.

1. You can use LDIFDE to find any object: a printer, a server, a computer, a user, a person, an OU. Objects are selected with an LDAP filter on their class, e.g. (objectClass=printer), (objectClass=user) or (objectClass=organizationalUnit).

2. By default a user account created by an import is disabled and has no password set.

3. In a modify record, each change (add, replace or delete of one attribute) must be terminated by a line containing only "-", and the record is terminated by a completely blank line. See the format below.

4. When a user is exported to an LDF file, the default "changetype" is add.

5. LDIFDE cannot write the memberOf attribute of a user, because memberOf is a back-link that AD computes from the group's member attribute. To change group membership with LDIFDE, modify the member attribute of the group object instead (a modify record with "add: member" or "delete: member"). Alternatively use CSVDE, ADDUSERS.exe or the DS tools (dsmod group) on Windows Server 2003.

6. LDIFDE cannot export passwords; unicodePwd is never readable over LDAP.

7. A newly imported account has pwdLastSet = 0, so "User must change password at next logon" is set by default.

8. LDIFDE cannot import a plain-text password. A password can only be set by writing the unicodePwd attribute over an SSL/TLS connection (port 636), with the value encoded as base64 of the UTF-16LE form of the password enclosed in double quotes (see example 12 below). Any base64 utility can produce the value.

9. If no credentials are specified (-b), LDIFDE uses the currently logged-on user's credentials.

10. If you do an LDIFDE or CSVDE export, many of the attributes of user and group objects are owned by the system and cannot be re-imported. Here is a trick: run the export with the -m switch. This enables "SAM logic", which is another way of saying that the export skips the attributes that are owned by the system. This gives you a template to use when building your import files or spreadsheets.

11. You can also export all user accounts from a forest (including data from all domains). This requires that you run the LDIFDE command against a Global Catalog server with -t 3268 to specify the GC port.

12. A modify record must contain "-" after each change and a blank line after the last "-"; otherwise LDIFDE fails with a syntax error. (This is point 3 again; it is the most common mistake.)

13. The setting "userAccountControl: 512" (NORMAL_ACCOUNT) enables a newly created account; 66048 also enables it and additionally sets "Password never expires" (512 + 65536, DONT_EXPIRE_PASSWORD). By default an account is created disabled:

                        userAccountControl: 514 for a disabled account (512 + 2, ACCOUNTDISABLE)

Note that an account cannot be enabled with a blank password if a password policy (minimum length or complexity) is defined on the domain. So your first step is to set the password, and then enable the account.

14. There are more export-specific options than import options. While exporting you can use -o (omit attributes) together with -l (list of attributes to export), but neither can be used while importing the file into AD, because both switches are export-specific.

15. The default mode is export mode. You need to specify -i to turn import mode on.

16. If a value must continue on the next line, the continuation line must start with a single space.

17. If you do not specify a server when you use LDIFDE to export objects that are in the domain naming context, LDIFDE searches for a global catalog server. When LDIFDE searches for a global catalog server, it may not use the domain of the object name or the user account that you specify to determine which global catalog server to connect to. LDIFDE may connect to a global catalog server that is in the same site as the client but is a member of a different domain in the forest. This global catalog server may not have all the required Active Directory attributes for the objects that you want to export. To work around this issue, use the -s server_name command-line option to specify a server when you use LDIFDE.

18. Imported accounts have no password. If a password policy that requires a non-blank or complex password is defined in your domain, you cannot enable such accounts until a password has been set.

19. Note that -o overrides -l if you use both. If you omit the badPwdCount attribute with -o and in the same command list it with -l, the attribute is not exported.

20. The contents of an object are on consecutive lines, starting with the dn line. There must be an empty line before an operation on another object.

21. Each property and its value must be on a separate line, such as: givenName: dinesh. A colon and a space separate name and value. A value that is not printable text (binary data, or text that begins with a space) is written with a double colon and base64-encoded: attribute:: base64value.

22. The dn property and its value must be placed on the first line; the other properties and values can be in any order.

23. Multiple values of a property go on separate lines, one value per line, such as:

            otherHomePhone: 512 513

            otherHomePhone: 514 859

24. The LDIF syntax allows an empty value, written as the property name followed by a colon (sn:), but see point 30: LDIFDE rejects such lines on import.

25. A line that starts with a pound sign (#) is a comment line.

26. Base64 encoding works as follows:

a. The value to be encoded is divided into three-byte sections.

b. Each 24-bit section is divided into four 6-bit values.

c. Each 6-bit value is mapped to one of the following 64 characters: uppercase letters A through Z, lowercase letters a through z, digits 0 through 9, plus sign (+), or slash (/). This results in a string of letters, digits, and possibly some plus signs and slashes. If the number of bytes in the original value is not a multiple of three, the encoded value ends with one or two equals signs (=), so the number of characters is always a multiple of four.

27. LDIFDE exports only attributes that have a value in AD. For example, if no description is defined for a user, the description attribute is not exported.

28. When exporting only one user, make sure there is no dash (-) after the record at the end of the file; a "-" is valid only inside a modify record.

29. When a new user account is created, it is made a member of the Domain Users group by default.

30. LDIFDE does not accept blank values. Do not include attribute lines with empty values in LDF files, or the import will report errors; leave the attribute out instead.

31. A filter value with a space in it, for example a sAMAccountName of "Jacson Sam", must be enclosed in quotes on the command line together with the rest of the -r filter; otherwise the shell splits it into two arguments.
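The rules above are exactly what a reader of LDIFDE's files has to enforce. The following is an added example written for this page, not code from the original page or from Microsoft: a small Python 3 reader for the LDIF subset that LDIFDE produces. It parses the add and modify records, unfolds continuation lines, decodes "::" values by hand following point 26, and raises on the mistakes listed in points 3, 12, 21, 22 and 30 instead of silently accepting them. The sample records at the bottom are constructed (the DN, account and phone numbers are made up), so it runs offline.

```python
"""LDIF reader enforcing the rules above; added example (not from the page or Microsoft).
Plain Python 3, runs offline on the constructed SAMPLE. Rules covered: dn first and blank
line between records (20, 22); 'name: value' with a space (21); 'name:: base64' decoded by
hand as in point 26; folded lines (16); '#' comments (25); '-' per change (3, 12); no empty
values (30)."""
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

class LdifError(ValueError):
    """Input that LDIFDE would reject."""

def b64decode_manual(text: str) -> bytes:
    """Reverse of point 26: 4 characters -> 24 bits -> 3 bytes, minus the '=' padding."""
    if len(text) % 4:
        raise LdifError("base64 text length must be a multiple of four")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad, block = text[i:i + 4], 0
        pad = quad.count("=")
        if pad and i + 4 != len(text):
            raise LdifError("'=' padding is only allowed at the end")
        for ch in quad:                        # each character supplies 6 bits
            block = (block << 6) | (0 if ch == "=" else B64.index(ch))
        out += block.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

def unfold(text: str):
    """A line starting with one space continues the previous line (rule 16)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_attr_line(line: str):
    """'name: value' -> (name, str); 'name:: base64' -> (name, bytes)."""
    name, sep, rest = line.partition(":")
    if not sep or not name:
        raise LdifError(f"expected 'attribute: value', got {line!r}")
    if rest.startswith(":"):
        return name, b64decode_manual(rest[1:].strip())
    if not rest.strip():
        raise LdifError(f"empty value for {name!r}: omit the attribute instead (rule 30)")
    if not rest.startswith(" "):
        raise LdifError(f"a space must follow the colon in {line!r} (rule 21)")
    return name, rest[1:]

def parse_ldif(text: str):
    """One dict per record: dn, changetype, attrs (add records) or changes (modify records)."""
    records, rec, pending = [], None, None
    for line in unfold(text) + [""]:           # the trailing "" closes the last record
        if line.startswith("#"):
            continue
        if not line.strip():                   # blank line ends the record (rule 20)
            if pending is not None:
                raise LdifError(f"{rec['dn']}: last change not terminated by '-' (rule 12)")
            if rec is not None:
                records.append(rec)
            rec, pending = None, None
        elif rec is None:
            name, value = parse_attr_line(line)
            if name.lower() != "dn":
                raise LdifError(f"record must start with 'dn:', got {line!r} (rule 22)")
            rec = {"dn": value, "changetype": "add", "attrs": [], "changes": []}
        elif line == "-":                      # ends one change of a modify record
            if pending is None:
                raise LdifError(f"{rec['dn']}: '-' without a preceding add/replace/delete")
            rec["changes"].append(pending)
            pending = None
        else:
            name, value = parse_attr_line(line)
            key = name.lower()
            if key == "changetype":
                rec["changetype"] = value
            elif rec["changetype"] != "modify":
                rec["attrs"].append((name, value))
            elif key in ("add", "replace", "delete"):
                if pending is not None:
                    raise LdifError(f"{rec['dn']}: change '{pending['attr']}' not closed with '-'")
                pending = {"op": key, "attr": value, "values": []}
            elif pending is None:
                raise LdifError(f"{rec['dn']}: {name!r} outside an add/replace/delete block")
            else:
                pending["values"].append(value)
    return records

SAMPLE = """\
# constructed sample, not an export from a real domain
dn: CN=Dinesh Kumar,OU=Sales,DC=example,DC=com
changetype: add
objectClass: user
description: created from LDIF; this line is folded on purpose to show
  continuation with a leading space
otherHomePhone: 512 513
otherHomePhone: 514 859
info:: TWFu

dn: CN=Dinesh Kumar,OU=Sales,DC=example,DC=com
changetype: modify
replace: description
description: Sales, first floor
-
replace: userAccountControl
userAccountControl: 512
-
"""

if __name__ == "__main__":
    print(*parse_ldif(SAMPLE), sep="\n")
```

Feeding it a file exported by ldifde -f is a quick way to confirm that the export is well formed before editing it by hand, and feeding it the edited file catches a missing "-" or a stray empty value before the import fails half way through.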


1. Command to export the user with a given sAMAccountName:

ldifde -f exportuser.ldf -s computer_name -r "(sAMAccountName=SAMLNAME)"

2. Command to export Organizational Units:

Running this command exports all OUs in the domain (the Domain Controllers OU included, since it is an ordinary organizationalUnit) into a file named ExportOU.ldf.

ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"

3. Export the user accounts from the source domain:

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"

Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.

4. Command to import users from an LDF file:

ldifde -i -f Exportuser.ldf -s Server2

5. Exporting user account attributes except those that cannot be imported (using the -o switch):

This filter exports all user account data except the attributes that cannot be imported:

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

Another example, the same export restricted to one user by sAMAccountName:

ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(sAMAccountName=SAMLNAME))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

6. Exporting objects from an entire forest (the attributes named with -l are exported):

If you need to export everything from a forest, run the LDIFDE command against a Global Catalog server and give the forest root as -d so that child domains are included. For example, to perform the export in example 3 against a GC:

ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=user)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"

7. Simple import into the current domain (domain data only, nothing forest-wide):

ldifde -i -f INPUT.LDF

8. Simple export of the current domain (domain data only, nothing forest-wide):

ldifde -f OUTPUT.LDF

9. Export of a container with supplied credentials (-b takes the user name, domain and password; note that the password is visible on the command line and in the command history):

ldifde -f OUTPUT.LDF -b USERNAME DOMAINNAME PASSWORD -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com" -r "(objectClass=user)"

10. Exporting users, persons or organizational units:

ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=class_name)" -f usersonly.txt

You will notice a number of additional parameters here:

  • -v turns on verbose mode so that you can see the results.
  • -d specifies the root of the search. It was not required for this search, but it shows the format.
  • -p narrows the search to the subtree in question. The other options for -p are base and onelevel.
  • -r specifies the LDAP filter to use. To export only people, use "(objectClass=person)" in place of class_name.

11. A simple VBScript to change a user's password (strUser and strOU are read from input boxes; change the DC components of the LDAP path to match your domain):

' Prompts for the user's CN and OU, binds to the account and resets its password.
' SetPassword needs a secure channel to the DC (Kerberos or LDAPS); it will not work over plain LDAP.
strUser = InputBox("Enter full name of user")
strOU = InputBox("Enter OU where user's account resides")
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")
objUser.SetPassword "password"   ' the new password; change it before use
MsgBox "Done!"

12. To change a user's password using the LDIFDE tool:

The following sample LDIF file (chPwd.ldif) changes a password to newPassword. The unicodePwd value is the string "newPassword", including the double quotes, in UTF-16LE and then base64-encoded, written with the double-colon syntax; the "-" terminates the change:

dn: CN=TestUser,DC=testdomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-

Import it over SSL/TLS (-t 636), because AD refuses unicodePwd changes on an unprotected connection; -b supplies the credentials (the password is visible on the command line):

ldifde -i -f chPwd.ldif -t 636 -s dcname -b username domain password
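Producing the chPwd.ldif file above by hand is error-prone (the UTF-16 step and the quotes are easy to get wrong, and the "-" and trailing blank line are easy to forget). The following is an added example written for this page, not code from the original page or from Microsoft: a Python 3 script that generates the modify records for a password reset followed by an account enable, in the order point 13 requires. The base64 step is implemented by hand as point 26 describes and checked against the standard library; the DN and password are made up, and the result is meant to be imported with the ldifde -i ... -t 636 command shown above.

```python
"""Generate the LDIF that ldifde -i imports for a password reset and an account enable.
Added example, not part of the original page and not Microsoft code; standard library only.
The DN and password below are made up."""
import base64

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# userAccountControl bits referred to in the points above (values from the AD schema)
UAC = {0x0002: "ACCOUNTDISABLE", 0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD",
       0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
       0x800000: "PASSWORD_EXPIRED"}


def uac_flags(value: int):
    """Names of the bits set in a userAccountControl value, e.g. 514 -> disabled normal account."""
    return sorted(name for bit, name in UAC.items() if value & bit)


def b64encode_manual(data: bytes) -> str:
    """Point 26: 3 bytes -> 24 bits -> four 6-bit values -> alphabet, '=' padding at the end."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        block = int.from_bytes(chunk.ljust(3, b"\0"), "big")        # zero-filled 24-bit section
        chars = [B64[(block >> s) & 0x3F] for s in (18, 12, 6, 0)]  # four 6-bit values
        keep = len(chunk) + 1                  # 1 byte -> 2 chars + '==', 2 bytes -> 3 chars + '='
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def encode_unicode_pwd(password: str) -> str:
    """Value for 'unicodePwd::': the password in double quotes, as UTF-16LE, base64-encoded."""
    return b64encode_manual(f'"{password}"'.encode("utf-16-le"))


def fold(line: str, width: int = 76) -> str:
    """LDIF line folding (point 16): continuation lines start with exactly one space."""
    pieces, rest = [line[:width]], line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def modify_record(dn: str, changes) -> str:
    """changes = [(op, attr, [values], is_base64)]; '-' after each change (point 12),
    blank line after the record (point 20)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values, is_b64 in changes:
        lines.append(f"{op}: {attr}")
        lines += [f"{attr}:: {v}" if is_b64 else f"{attr}: {v}" for v in values]
        lines.append("-")
    return "\n".join(fold(line) for line in lines) + "\n\n"


def password_reset_ldif(dn: str, new_password: str) -> str:
    """Same record as chPwd.ldif above; import with -t 636 (SSL/TLS) or AD rejects it."""
    return modify_record(dn, [("replace", "unicodePwd", [encode_unicode_pwd(new_password)], True)])


def enable_account_ldif(dn: str) -> str:
    """Point 13: after the password is set, clear ACCOUNTDISABLE by replacing the value with 512."""
    return modify_record(dn, [("replace", "userAccountControl", ["512"], False)])


def self_check() -> bool:
    """The hand-written encoder must agree with the standard library for every length 0..99."""
    data = bytes(range(256))
    return all(b64encode_manual(data[:n]) == base64.b64encode(data[:n]).decode() for n in range(100))


if __name__ == "__main__":
    dn = "CN=TestUser,DC=testdomain,DC=com"   # made-up DN
    assert self_check()
    print(password_reset_ldif(dn, "newPassword") + enable_account_ldif(dn), end="")
```

Redirect the output to a file and import it with the ldifde command above. Keeping the two records in one file, password first, is what makes the enable succeed on a domain with a password policy; the script also doubles as a quick decoder for the userAccountControl numbers in points 13 and the export examples (uac_flags(66048) shows that the value is "enabled and password never expires", not just "enabled").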

Default Server for Active Directory

This article explains the problem you see when opening a Group Policy object in a forest that has more than one domain controller, spread across different sites.

When you open Active Directory Users and Computers > right-click an OU > Properties > Group Policy tab (or open GPMC), right-click a policy and click Edit, the Group Policy Object Editor opens the policy, but on a very distant server.

You will see something like this in the snap-in's title:

Policy Name [name of the distant server]

This happens because, when you open a GPO for editing, the editor contacts the domain controller chosen by the domain controller selection setting. By default it contacts the PDC Emulator, so that all administrators edit the same copy of the GPO and the File Replication Service (FRS) never has to reconcile conflicting changes.

To change this, you can set the policy "Group Policy domain controller selection" (User Configuration > Administrative Templates > System > Group Policy), or choose the DC in the console:

If multiple administrators manage a common GPO, all administrators should use the same domain controller when editing a particular GPO, in order to avoid collisions in FRS.

Use the Change Domain Controller function to specify the domain controller to be used for a given domain or for all sites in a forest. In each case, you have four options:

The domain controller with the Operations Master token for the PDC emulator (the default option)

Any available domain controller

Any available domain controller running Windows Server 2003 or later

This domain controller: select a specific domain controller to be used

More Information

Group Policy: Change Domain Controller Selection

Problem with Customized MSI Files.

This article explains a problem with customized MSI files deployed through the Group Policy Software Installation snap-in.

You may need to create a customized MSI for your configuration or application, or the vendor of an application may supply a customized MSI to deploy application updates. The MSI installs correctly when you double-click it on the local machine, but fails when deployed through Group Policy Software Installation. When you open the MSI log you see errors like the following:

MSI (s) (70:78) [08:38:54:515]: Executing op: ActionStart(Name=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,,)
MSI (s) (70:78) [08:38:54:515]: Executing op: CustomActionSchedule(Action=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,ActionType=1025,


notransaction /action=install /LogFile= /targetdir=”C:\Program Files\xxxxx\Browser\\” /sourcedir=”\” “C:\Program Files\xxxxx\Browser\rowser.exe” “C:\WINNT\TEMP\CFG2.tmp”)
MSI (s) (70:F0) [08:38:54:562]: Invoking remote custom action. DLL: C:\WINNT\Installer\MSI6.tmp,

Entrypoint: ManagedInstall
MSI (s) (70!F4) [08:39:00:406]: Note: 1: 2262 2: Error 3: -2147287038
MSI (s) (70!F4) [08:39:00:406]: Note: 1: 2262 2: Error 3: -2147287038
MSI (s) (70!F4) [08:39:00:437]:
MSI (s) (70:F0) [08:39:00:453]: Leaked MSIHANDLE (12) of type 790531 for thread 1268
MSI (s) (70:F0) [08:39:00:453]: Note: 1: 2769 2: _341744F6_503A_48FB_AB56_E563AB3D8D89.install 3: 1
MSI (s) (70:F0) [08:39:00:453]: Note: 1: 2262 2: Error 3: -2147287038
Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found..
DEBUG: Error 2769:  Custom Action _341744F6_503A_48FB_AB56_E563AB3D8D89.install did not close 1 MSIHANDLEs.
The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2769. The arguments are: _341744F6_503A_48FB_AB56_E563AB3D8D89.install, 1,
MSI (s) (70:78) [08:39:00:468]: User policy value ‘DisableRollback’ is 0
MSI (s) (70:78) [08:39:00:468]: Machine policy value ‘DisableRollback’ is 0
Action ended 08:39:00: InstallFinalize. Return value 3.
MSI (s) (70:78) [08:39:00:468]: Executing op: Header(Signature=1397708873,Version=301,Timestamp=881018074,LangId=1033,Platform=0,ScriptType=2

MSI (s) (70:78) [08:39:00:468]: Executing op: DialogInfo(Type=0,Argument=1033)
MSI (s) (70:78) [08:39:00:468]: Executing op: DialogInfo(Type=1,Argument=xxxxx Browser)
MSI (s) (70:78) [08:39:00:468]: Executing op: RollbackInfo(,RollbackAction=Rollback,RollbackDescription=Rolling back action:,RollbackTemplate=[1],CleanupAction=RollbackCleanup,CleanupDescription=Removing backup files,CleanupTemplate=File: [1])
MSI (s) (70:78) [08:39:00:468]: Executing op: ActionStart(Name=_341744F6_503A_48FB_AB56_E563AB3D8D89.install,,)
MSI (s) (70:78) [08:39:00:484]: Executing op: ProductInfo(ProductKey={B9F52B16-7040-4DA8-9D05-D6C366B468F2},ProductName= xxxxx Browser,PackageName=Browser.msi,Language=1033,Version=16842759,Assignment=1,

MSI (s) (70:78) [08:39:00:484]: Executing op: ActionStart(Name=CreateShortcuts,Description=Creating shortcuts,Template=Shortcut: [1])
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=23\xxxxx\)
MSI (s) (70:78) [08:39:00:484]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Start Menu\Programs
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=25)
MSI (s) (70:78) [08:39:00:484]: SHELL32::SHGetFolderPath returned: C:\Documents and Settings\All Users\Desktop
MSI (s) (70:78) [08:39:00:484]: Executing op: SetTargetFolder(Folder=23\xxxxx\)

And the following event is logged in the Application log:

Event Type:     Error
Event Source:     MsiInstaller
Event Category:     None
Event ID:     11001
Date:          03/04/2006
Time:          08:39:00
Computer:     WD-UKSPARE6
The description for Event ID ( 11001 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: Product: xxxxx Browser — Error 1001. Exception occurred while initializing the installation:
System.IO.FileNotFoundException: File or assembly name Browser.exe, or one of its dependencies, was not found.., (NULL), (NULL), (NULL).
0000: 7b 42 39 46 35 32 42 31   {B9F52B1
0008: 36 2d 37 30 34 30 2d 34   6-7040-4
0010: 44 41 38 2d 39 44 30 35   DA8-9D05
0018: 2d 44 36 43 33 36 36 42   -D6C366B
0020: 34 36 38 46 32 7d         468F2}  


This happens for the following reasons:

1. A Group Policy software installation that is assigned to the computer runs at startup in the LocalSystem context, before any user has logged on. A custom action in the MSI that expects a user profile, a mapped drive or a user environment variable therefore receives an empty (NULL) value where the double-click installation received a real one. The same applies to paths written in terms of %computername% or as a UNC path that only resolves inside a user's session.

2. It also happens when a custom action in the customized MSI points to a directory on the local computer rather than to the installation source. In the log above, Browser.exe could not be located by the installer service (Error 1001, System.IO.FileNotFoundException) because the managed custom action was given a local path under "C:\Program Files\xxxxx\Browser" that does not yet exist, or is not accessible, at the time the action runs in the system context.

Make sure the MSI is configured with proper variables and settings, and when receiving a customized MSI from a vendor, make sure it has been tested for deployment through the Group Policy Software Installation snap-in (assigned to the computer, running as LocalSystem, with no user logged on).
