You are currently offline, waiting for your internet to reconnect

Group Policy Troubleshooting - Basic and Advanced Check

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

Author:
Nirmal Sharma MVP
COMMUNITY SOLUTIONS CONTENT DISCLAIMER
MICROSOFT CORPORATION AND/OR ITS RESPECTIVE SUPPLIERS MAKE NO REPRESENTATIONS ABOUT THE SUITABILITY, RELIABILITY, OR ACCURACY OF THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN. ALL SUCH INFORMATION AND RELATED GRAPHICS ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT AND/OR ITS RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORT, TITLE AND NON-INFRINGEMENT. YOU SPECIFICALLY AGREE THAT IN NO EVENT SHALL MICROSOFT AND/OR ITS SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF USE, DATA OR PROFITS, ARISING OUT OF OR IN ANY WAY CONNECTED WITH THE USE OF OR INABILITY TO USE THE INFORMATION AND RELATED GRAPHICS CONTAINED HEREIN, WHETHER BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY OR OTHERWISE, EVEN IF MICROSOFT OR ANY OF ITS SUPPLIERS HAS BEEN ADVISED OF THE POSSIBILITY OF DAMAGES.
SUMMARY
This article explains how you can perform some basic checks when Group Policy is not working for client computers.
MORE INFORMATION
I have found and seen couple of articles on Group Policy Troubleshooting but here are some common things I have come across: The following points should be taken into consideration while Troubleshooting Group Policy. These are the common ones:
 
Group Policy settings can be applied only when User account or computer account (leaf objects) are in the same container where GPO is applied.
 
 
  • Leaf objects or Groups must have “Read” and “Apply Group Permissions” assigned to them.
 
  • Make sure you and users have proper permissions on SYSVOL folder.
 
  • Make sure SYSVOL folder is shared properly (type net share \\ip_of_dc) from a client machine or server.
 
  • Group Policy Objects may not be processed if Client-Side-Extensions (CSE) are missing in client machine or DLL used to process GPOs are corrupted. You can find the CSE at the following registry location:
 
          HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPTExtension.
 
  • Make sure NetBIOS Helper service is running in server using services.msc snap-in.
 
  • Make sure you haven’t enabled *No Override* option on parent GPOs if you’re using one. Check this in Default Domain GPO.
 
  • For permissions, you should have the following set for each object:
 
    • Remove *Authenticated Users* group from list of objects listed on Security Tab.
    • Sales Dept (for example) should have “Read” and “Apply Group Policy” permissions.
    • Administrators, Enterprise Administrators and Domain Administrators should be set to “Deny Apply Group Policy”.
 
  • Finally you can troubleshoot Group Policy either using GPMC (RSOP) or enabling User Environment Debugging on one of your client machine and then finding the culprit.
 
         How to enable User Profile Debugging:
 
         
 
Properties

Article ID: 555982 - Last Review: 09/18/2007 01:11:03 - Revision: 1.0

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • kbpubmvp kbpubtypecca kbhowto KB555982
Feedback