View
229
Download
0
Category
Preview:
Citation preview
8/10/2019 5 Troubleshooting and Backing Up GPOs
1/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 1/51
5 Troubleshooting and Backing Up GPOs
Section Topics
Using Group Policy Troubleshooting Tools
Integration of RSoP Functionality
Using Logging Options
Backing Up, Restoring, Importing, and Copying GPOs
Building Migration Tables
Section Objectives
After completing this section, you will be able to:
Describe the Group Policy troubleshooting tools
Describe the GPMC tools that have RSoP functionality
Describe the GPO logging tools used to obtain more detail about the GPO processing issues
Explain how to back up, restore, import, and copy GPOs using the GPMC
Explain how to build migration tables
Section Overview
This section explains how to use the RSoP tools to determine whether policies are being
rocessed in the correct manner. It also explains how to use the available tools to troubleshoot
8/10/2019 5 Troubleshooting and Backing Up GPOs
2/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 2/51
olicy issues; back up, restore, import, copy, and search for GPOs; and migrate GPOs from
one domain to another.
Using Group Policy Troubleshooting Tools
igure 104: Using Group Policy Troubleshooting Tools
inding out where an unwelcome Group Policy setting came from can be hard if you are not
aware of the tools that are available for the various versions of Windows. In Windows Server
2003, you will find some of the Group Policy troubleshooting tools on the Windows operating
system CD in the Support\Toolsfolder. The Windows 2003 Resource Kit has additional
ools for Group Policy troubleshooting. Many of the Group Policy troubleshooting tools are
ow built into the Windows Server 2008 and later operating systems.
Note: The gpotool.exe and replmon.exe tools are considered deprecated and are no
longer supported or enhanced by Microsoft. They are now replaced by other tools and
functionality in newer versions of Windows.
This topic describes some of the more common tools that you can use with Group Policy,
hich are listed in Figure 104. This topic also explains how you can use these tools toroubleshoot Group Policy.
8/10/2019 5 Troubleshooting and Backing Up GPOs
3/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 3/51
Group Policy Results
igure 105: Group Policy Results
icrosoft supplies several command-line tools that you can use to troubleshoot Group Policy
deployment and the health of the existing GPOs. One of these tools is Gpresult (Group Policy
esults). The Gpresult tool is useful for analyzing many facets of Group Policy. It provides
SoP details as shown in Figure 105.
Gpresult Tool Options
igure 106: Gpresult Tool Options
igure 106 shows some of the Gpresult tool options. The complete list is shown in Figure 107.
GPRESULT [/S system [/U username [/P [password]]]] [/SCOPE scope]
8/10/2019 5 Troubleshooting and Backing Up GPOs
4/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 4/51
[/USER targetusername] [/R | /V | /Z] [(/X | /H) [/F]]
Description:
This command line tool displays the Resultant Set of Policy
(RSoP)
information for a target user and computer.
Parameter List:
/S system Specifies the remote system to connect
to.
/U [domain\]user Specifies the user context under which
the command
should execute.
Can not be used with /X, /H.
/P [password] Specifies the password for the
given user
context. Prompts for input if omitted.
Can not be used with /X, /H.
/SCOPE scope Specifies whether the user or the
computer
settings needs to be displayed.
Valid values: "USER","COMPUTER".
/USER [domain\]user Specifies the user name for which
the RSOP data
is to be displayed.
/X Saves the report in XML format at
the location
and with the file name specified
8/10/2019 5 Troubleshooting and Backing Up GPOs
5/51
8/10/2019 5 Troubleshooting and Backing Up GPOs
6/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 6/51
Examples:
GPRESULT /R
GPRESULT /H GPReport.html
GPRESULT /USER targetusername /V
GPRESULT /S system /USER targetusername /SCOPE COMPUTER /Z
GPRESULT /S system /U username /P password /SCOPE USER /V
igure 107: Gpresult Options: Complete List
Note
When you use the super-verbose option (/Z) in the Gpresults tool, the output will
overload the command prompt window. Use the redirect (>) option and direct the output to a
ile: C:\gpresult /Z > gpsettings.txt
Group Policy Update
igure 108: Group Policy Update
8/10/2019 5 Troubleshooting and Backing Up GPOs
7/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 7/51
indows 2000 computer systems used the Secedit command-line tool to refresh Group Policy
settings without rebooting. For Windows XP and later versions, the command-line tool,
Gpupdate is used.
unning gpupdate without any switches will ask for a gpupdate of any policies whose
ersion numbers are not up to date. It will, therefore, only download the policies that have
changed.
Some policy changes do not update with this normal refresh. On other occasions, the version
umbering on the policies may become out of sync. In these situations, it may be necessary to
force a download of all the policies from scratch using the gpupdate /force command.
nfortunately, in a large environment where many policies are available, the gpupdate /force
command will download all of the policies that could apply to the user or computer.
Therefore, use the /force switch only when it is necessary.
sing the Gpupdate Tool
To use the Gpupdate tool, open a command prompt and type gpupdate.exe. You can use
arious switches to control the output of the Gpupdate tool.
The syntax for the Gpupdate.exe command is:
pupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot]
ollowing are the details for each of the switches:
By default, both user and computer policy settings are updated. Use the following switch to
specify that only the user or computer policy settings are immediately updated.
/target: Computer | User
By default, only the policy settings that have been changed are applied. Use the followingswitch to reapply all the policy settings:
/force
8/10/2019 5 Troubleshooting and Backing Up GPOs
8/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 8/51
Use the following switch to set the number of seconds you have to wait for the processing
of the policy to finish:
/wait:value
Use the following switch to log off from the selected computer after the policy settings have
been updated:
/logoff
Some policy settings can be processed only at startup; for example, computer-based policy
settings usually require a reboot. Use the following switch to restart your computer after the
policy settings have been updated:
/boot
ote
The default update cycle for refreshing Group Policy is 90 minutes (with a
andom 30-minute offset) on domain members and 5 minutes on domain controllers.
GPMC Remote Update
8/10/2019 5 Troubleshooting and Backing Up GPOs
9/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize= 9/51
igure 109: GPMC Remote Update
n Windows Server 2012 and Windows 8 Client, the GPMC now has a GPUpdate option
uilt-in to the console. Using this option will perform a remote GPUpdate against any
computers in the selected OU.
The remote update is sent out as a scheduled request with a random time interval so that all
systems to not attempt to perform the update simultaneously.
Group Policy Verification Tool
igure 110: Group Policy Verification Tool
8/10/2019 5 Troubleshooting and Backing Up GPOs
10/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 10/51
very domain in Active Directory should have more than one domain controller. When you
ave multiple domain controllers, you can use the Gpotool command-line tool to ensure that
he contents of all the linked Sysvolfolders in the domain contain valid and up-to-date GPOs.
ote
The Gpotool is considered a deprecated tool as of Windows Server 2012 and has
een replaced by greater functionality within the GPMC via the Infrastructure Status tab.
The Gpotool tool can also check for version mismatches between the GPT stored in the
Sysvolfolder and the GPC in Active Directory.
f errors occur, check the System and Directory Services event logs on the listed domain
controller showing the problem. For instance, if you want to verify if a GPO called Corporate
esktop Settingson a certain domain called MyDomainis in sync, type the following in a
command prompt window:
Gpotool/gpo:Corporate Desktop Settings/dc:MyDomain
hen you use the Gpotool tool, you can also check the following Group Policy components:
Group Policy object consistency: You can check the GUID of each GPO and all Sysvol
data.
Group Policy object replication: You can check the times and instances of when
replication has occurred.
Friendly-name searching: You can search your GPOs by the given name of each GPO.
Selective search: You can specify which domain controllers the Gpotool tool will query.
Multiple domains: You can check policies in different domains.
Verbose mode: You can display a validation list of each working GPO and a detailed error
8/10/2019 5 Troubleshooting and Backing Up GPOs
11/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 11/51
report of each damaged GPO policy.
ote
You can download the Gpotool tool from www.microsoft.com.
GPMC Infrastructure Status
igure 111: GPMC Infrastructure Status
The GPMC Infrastructure Status tab allows you to check the replication status of the domain
o make sure Group Policy files and settings are being replicated successfully to other domain
controllers.
This tool is informational only and does not provide an option to perform replication. You can
se the Repadmin command-line tool if you need to manually force replication to occur..
Replication Monitor
http://www.microsoft.com/8/10/2019 5 Troubleshooting and Backing Up GPOs
12/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 12/51
igure 112: Replication Monitor
You can use the Active Directory Replication Monitor (Replmon) tool to gather a wide variety
of replication details. You can also use it to monitor the replication status of current GPOs per
domain.
ote
The Replmon tool is considered a deprecated tool as of Windows Server 2008
and has been replaced by the more functional command-line Repadmin.exe tool.
The following topics explain how to use the Replmon tool to check the current GPO
eplication status and to check the GPO version numbers.
sing the Replmon Tool to Check Replication Status
To check the current GPO replication status, follow these steps:
1. Open the Replmontool from the Support Toolsmenu.
2. Right-click Add Monitored Serverand enter the FQDN of the server.
8/10/2019 5 Troubleshooting and Backing Up GPOs
13/51
8/10/2019 5 Troubleshooting and Backing Up GPOs
14/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 14/51
igure 113: Using the Replmon Tool to Check GPO Version Numbers
To find additional details on the replication status, right-click the server icon and, from the
context menu, select Show Group Policy Replication.
Any differences between the GPC and the GPT will result in different version numbers: the
ersioncolumn corresponds to the GPC status, and the Sysvol version represents the GPT.
You can add additional domain controllers to the view of the Replmon tool for comparison
urposes.
Repadmin
8/10/2019 5 Troubleshooting and Backing Up GPOs
15/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 15/51
igure 114: Repadmin
The Repadmin.exe command-line tool can be used to perform all of the functions that are
ound within the graphical Replmon tool and more.
Some operations are certainly more visual in the Replmon tool, but the Repadmin.exe tool hashe advantage of being scriptable and less cumbersome when performing multiple operations.
Since Replmon is deprecated, Repadmin should be used in most situations today.
The syntax for Repadmin is as follows:
C:\>repadmin
Usage: repadmin [/u:{domain\user}] [/pw:
{password|*}]
[/retry[:][:]]
[/csv]
Use these commands to see the help:
/? Displays a list of commands available for use
in repadmin and
their
description.
/help Same as /?
/?: Displays the list of possible arguments ,
appropriate
syntaxes and examples for the specified command
.
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced
users only./listhelp Displays the variations of syntax available for
the DSA_NAME,
8/10/2019 5 Troubleshooting and Backing Up GPOs
16/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 16/51
DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp Displays a list of deprecated commands that
still work but
are no longer supported by Microsoft.
Supported commands (use /? for detailed help):
/kcc Forces the KCC on targeted domain controller(s) to
immediately
recalculate its inbound replication topology.
/prp This command allows an admin to view or modify the
password replication policy for RODCs.
/queue Displays inbound replication requests that the DC
needs to issue
to become consistent with its source
replication partners.
/replicate Triggers the immediate replication of the
specified directory
partition to the destination domain controller
from the
source DC.
/replsingleobj Replicates a single object between any two
domain
controllers that have common directory
partitions.
/replsummary The replsummary operation quickly and
concisely summarizes
the replication state and relative health of a
forest.
8/10/2019 5 Troubleshooting and Backing Up GPOs
17/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 17/51
/rodcpwdrepl Triggers replication of passwords for the
specified user(s)
from the source (Hub DC) to one or more Read
Only DC's.
/showattr Displays the attributes of an object.
/showobjmeta Displays the replication metadata for a
specified object
stored in Active Directory, such as attribute
ID, version
number, originating and local Update Sequence
Number (USN),
and
originating server's GUID and Date and Time
stamp.
/showrepl Displays the replication status when specified
domain
controller
last attempted to inbound replicate Active
Directory
partitions.
/showutdvec displays the highest committed Update Sequence
Number (USN)
that the targeted DC's copy of Active
Directory shows as
committed for itself and its transitive
partners.
/syncall Synchronizes a specified domain controller with
all replication
8/10/2019 5 Troubleshooting and Backing Up GPOs
18/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 18/51
partners.
Supported additional parameters:
/u: Specifies the domain and user name separated by a
backslash
{domain\user} that has permissions to perform
operations in
Active Directory. UPN logons not supported.
/pw: Specifies the password for the user name entered
with the /u
parameter.
/retry This parameter will cause repadmin to repeat its
attempt to bind
to the target dc should the first attempt fail
with one of
the
following error status:
1722 / 0x6ba : "The RPC Server is unavailable"
1753 / 0x6d9 : "There are no more endpoints
available from
the
endpoint mapper"
/csv Used with /showrepl to output results in comma
separated
value format. See /csvhelp
Note: Most commands take their parameters in the order of
"Destination or
Target DSA_LIST", then a "Source DSA_NAME" if
8/10/2019 5 Troubleshooting and Backing Up GPOs
19/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 19/51
required, and finally
the
NC or Object DN if required.
(or ) is a Directory Service
Agent binding
string. For Active Directory Domain Services, this
is simply a
network
label (such as a DNS, NetBios, or IP address) of a
Domain
Controller.
For Active Directory Lightweight Directory
Services, this must be
a
network label of the AD LDS server followed by a
colon and the
LDAP
port of the AD LDS instance
Examples (AD DS): dc-01
dc-01.microsoft.com
Examples (AD LDS): ad-am-01:2000
ad-am-01.microsoft.com:2000
is the Distinguished Name of the
root of the NCExample: DC=My-Domain,DC=Microsoft,DC=Com
Note: Text (Naming Context names, server names, etc) with
International
or
Unicode characters will only display correctly if
appropriate fonts
and
language support are loaded.
8/10/2019 5 Troubleshooting and Backing Up GPOs
20/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 20/51
Get-GPResultantSetOfPolicy
igure 115: Get-GPResultantSetOfPolicy
Get-GPResultantSetOfPolicy is a PowerShell cmdlet that can perform the same type of
operations as the Gpresult.exe comand. However, this tool is more powerful since it is able to
ully utilize the PowerShell pipeline and object structure.
The Get-GPResultantSetOfPolicy cmdlet can output the RSOP data in either an HTML or
ML format. The HTML output will be identical to that produced by GPresult or the Policyesults output in the GPMC.
Get-GPResultantSetOfPolicy syntax:
PS C:\test> help Get-GPResultantSetOfPolicy -full
NAME
Get-GPResultantSetOfPolicy
SYNOPSIS
Outputs the Resultant Set of Policy (RSoP) information
for a user, a
computer, or both to a file.
SYNTAX
8/10/2019 5 Troubleshooting and Backing Up GPOs
21/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 21/51
Get-GPResultantSetOfPolicy [-Computer ] [-User
] -Path
-ReportType []
DESCRIPTION
The Get-GPResultantSetofPolicy cmdlet outputs the
Resultant Set of Policy
(RSoP) information for a user, a computer, or both to a
file.
-Computer Specifies the name of the computer for
which to generate
the report.
-Path Specifies the path to the report file.
-ReportType Specifies the report type in either HTML
or XML.
-User The name of the use for which to
generate the report.
-------------------------- EXAMPLE 1 ----------------------
----
C:\PS>get-gpresultantsetofpolicy -reporttype xml
-path c:\reports\LocalUserAndComputerReport.xml
-------------------------- EXAMPLE 2 ----------------------
----
C:\PS>Get-GPResultantSetOfPolicy -reporttype xml -computer
computer-
08.contso.com
8/10/2019 5 Troubleshooting and Backing Up GPOs
22/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 22/51
-path c:\reports\computer-08.xml
Invoke-GPUpdate
igure 116: Invoke-GPUpdate
nvoke-GPUpdate is a new PowerShell cmdlet that can perform more powerful GPUpdate
operations. It can be used to update the local or a remote machine or users settings. It can
also be used to schedule a GPUpdate in the future, up to 31 days later. The refresh isautomatically offset by a random delay.
nvoke-GPUpdate syntax:
NAME
Invoke-GPUpdate
SYNOPSIS
Schedule a remote Group Policy refresh (gpupdate) on the
specified
computer.
SYNTAX
Invoke-GPUpdate [[-Computer] ] [[-
8/10/2019 5 Troubleshooting and Backing Up GPOs
23/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 23/51
RandomDelayInMinutes] ]
[-AsJob []] [-Boot []] [-
Force
[]] [-LogOff []] [-Target
]
[]
Invoke-GPUpdate [[-Computer] ] [[-
RandomDelayInMinutes] ]
[-AsJob []] [-Boot []] [-
LogOff
[]] [-Sync []] [-Target
]
[]
-AsJob Runs the cmdlet as a background job.
-Boot Causes a computer restart after
policies are applied
for CSEs that require a restart.
-Computer The name of the remote computer to
schedule a refreshfor.
-Force Reapplies all policy settings instead
of only
updating changes.
-Logoff Causes a logoff after policies are
applied for CSEs
that require a logoff / logon to be applied.
8/10/2019 5 Troubleshooting and Backing Up GPOs
24/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 24/51
-ReandomDelayInMinutes The amount of time that the Task
Scheduler will wait
before running the refresh.
-Sync Causes user policies applied at logon
to be performed
Synchronously instead of the default Asynchronous processing.
-Target Refresh only the User or Computer
policy settings.
-------------------------- EXAMPLE 1 --------------------------
PS C:\> Invoke-GPUpdate
This command schedules a Group Policy refresh on the computer on
which you are
running theInvoke-GPUpdate cmdlet.
-------------------------- EXAMPLE 2 --------------------------
PS C:\> Invoke-GPUpdate -computer COMPUTER-02 -Target user -Sync
This command schedules a Group Policy refresh on a remotecomputer
(CONTOSO\COMPUTER-02) which will only schedule to update the user
policy
settings in synchronous mode.
Integration of RSoP Functionality
8/10/2019 5 Troubleshooting and Backing Up GPOs
25/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 25/51
igure 117: Integration of RSoP Functionality
You can troubleshoot Group Policy via the RSoP (Resultant Set of Policy) snap-in to the
MC (Rsop tool [rsop.msc]). When you are planning and testing or troubleshooting Group
olicy, RSoP helps to trace how the policy links are applied for a specified user and a
specified computer. It also identifies effective settings and winning policy objects.
n the spirit of making the GPMC the primary tool for Group Policy management, Microsoft
as integrated RSoP functionality into the GPMC (with a slight change to the names of the
ools).
This integration means that:
RSoP logging mode in the RSoP console becomes Group Policy Results in the GPMC.
RSoP planning mode in the RSoP console becomes Group Policy Modeling in the
GPMC.
hen you consider the HTML reporting capabilities of the GPMC, it is hard to see why
anybody would continue to use the RSoP tool if they have access to GPMC. In fact,
icrosoft recommends that you abandon the older tool.
Group Policy Results
8/10/2019 5 Troubleshooting and Backing Up GPOs
26/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 26/51
igure 118: Group Policy Results
The Group Policy Results tool in the GPMC corresponds to the RSoP logging mode and
resents real information that reflects how the policy is applied. To start a modeling run, in
he console pane of the GPMC window, right-click the Group Policy Resultsnode, and
select Group Policy
Results Wizard.
The wizard prompts you to make the following choices:
Specify which computer you want to process: the local computer or a different computer
that you specify.
Select how you want to display policy settings: the user object only, not the computer
object. (This is a check box.)
Specify which user account you want to process: the current logged-on user or a
different user that you specify. (You are limited to users who have logged on to your
computer and for whose accounts you have read access.)
hen the run is complete, the details pane of the GPMC shows three tabs:
8/10/2019 5 Troubleshooting and Backing Up GPOs
27/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 27/51
Summary: An HTML report of the warnings, errors and alerts that may have occurred
during polciy processing.
Settings: An HTML report of the policy settings, the GPO list, security group
memberships, and WMI filters that would be applied in the scenario
Events: A list of policy-related events from the event log of the target computer and a
useful troubleshooting resource
These three tabs correlate with a new sub-node in the console pane under the Group Policy
esults node. These sub-nodes will continue to accumulate with every new run of the wizard.
y right-clicking the sub-node corresponding to a specific modeling session, you can:
Save the results to disk.
Run the query again.
Run a new query with this one as a template.
Choose Advanced View to invoke the RSoP console and view the precedence information
that does not appear in the HTML Settings report. (The HTML Setting report only lists thewinning GPO.)
Group Policy Modeling
igure 119: Group Policy Modeling
Group Policy Modeling in the GPMC corresponds to the RSoP planning mode, meaning that it
ermits you to perform a simulation before actually applying the policy. It requires that at least
one domain controller in the Active Directory forest is running Windows Server 2003 or later;
8/10/2019 5 Troubleshooting and Backing Up GPOs
28/51
8/10/2019 5 Troubleshooting and Backing Up GPOs
29/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 29/51
Save the results to disk.
Run the query again.
Run a new query with this one as a template.
Choose Advanced View to invoke the RSoP console and view the precedence informationthat does not appear in the HTML Settings report.
Creating an HTML File for Reporting
igure 120: Creating an HTML File for Reporting
The GPMC, and the Gpresult and Get-GPResultantSetOfPolicy command-line tools have the
ability to produce reports in the form of HTML file output. These reports can be invaluable
hen it comes to viewing and analyzing the policies that are configured and determine where
he policies came from.
Any user with read access to a given GPO can open the GPMC and view or report on its
settings, which helps IT support the users and OU administrators.
You even have some control over what appears on the report, via the Showand Hidelinks at
each section header. At the top of the report, you can also click Show Allto expand all
sections. The GPMC also allows you to:
Report on the settings contained in any particular GPO.
8/10/2019 5 Troubleshooting and Backing Up GPOs
30/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 30/51
Under Group Policy Objects, right-click an entry and select Save Reportto create an
HTML file with the settings (see Figure 120). The report contains the full contents of the
Settingstab, plus information from the Scope, Details, and Delegationtabs.
Right-click anywhere on the Settingstab and select Printto print the report as it appears
on the window.
Report on the results of an RSoP session (that is, Group Policy Results or Group Policy
Modeling).
Under Group Policy Resultsor Group Policy Modeling,right-click a saved session
and select Save Reportto create an HTML file with the settings.
Right-click anywhere on the Settingstab and select Printto print the report as it appearson the window.
A couple of GMC reporting tips are:
To view the HTML reports that the GPMC saves, you must use at least Windows Internet
Explorer 6 or Netscape 7.
To use the show/hide capability, you must use at least Windows Internet Explorer 6.
A few problems with GPMC reporting are:
The reported data for IPSecand Wirelesssettings is incomplete.
The reported data for Windows Internet Explorer Security Zones and Privacysettings is
incomplete (customized Java settings do not appear).
The reported data for Windows Internet Explorer Content Ratings is incomplete (settings
details do not appear).
New Error Reporting Details
8/10/2019 5 Troubleshooting and Backing Up GPOs
31/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 31/51
igure 121: New Error Reporting Details
The HTML reports that are generated by the GPMC, Gpupdate.exe and Get-
GPResultantSetOfPolicy now contain additional error reporting information. These additional
details are very useful in troubleshooting group policy issues.
After running Group Policy Results or Group Policy Modeling, the Summary tab may contain
a red X with a link listing the number of errors detected. Click on the link to display the
specific errors that occurred.
The Policy Events tab displays all Group Policy related events from the Event Log.
Using Logging Options
igure 122: Using Logging Options
You can obtain basic troubleshooting information related to Group Policy through the
indows Event Viewer. For additional troubleshooting, more detail can be enabled and sent to
he Windows Event Log and a separate Userenv.logfile.
8/10/2019 5 Troubleshooting and Backing Up GPOs
32/51
8/10/2019 5 Troubleshooting and Backing Up GPOs
33/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 33/51
LOGFILE 0x00010000
EBUGGER 0x00020000
You can combine the previous values. For example, you can combine VERBOSE
0x00000002 and LOGFILE 0x00010000 to get 0x00010002. This turns on both LOGFILE
and VERBOSE.
ote
The default value is NORMAL|LOGFILE (0x00010001). To disable logging,
select NONE(where the value is 0X00000000).
On the next reboot and logon, the Userenv.logfile is written to:
%SystemRoot%\Debug\UserMode.
ake sure you check these two essential components in the Userenv.logfile:
Verify that the distinguished name of the computer or user is being recognized. If Windows
cannot determine the distinguished name, it will not be able to properly parse Active
Directory to determine which GPOs to apply to the user or computer.
Determine if any GPOs are being skipped because the user does not have the proper
permissions on the GPO. (The user should have read and applied Group Policy
permissions.)
vent Logs
8/10/2019 5 Troubleshooting and Backing Up GPOs
34/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 34/51
igure 124: Event Logs
The Application Event Log records all GPO events with a minimum amount of detail. To get
erbose results for troubleshooting, you must edit the registry. After you edit it, the
Application Event Log will provide you with additional details about which GPO is being
applied.
le verbose logging of GPOs, you must add a registry key to the following location:
KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Diagnostics
nder the Diagnosticssub-key, add a REG_DWORD value named
unDiagnosticsLoggingGlobaland assign it a value of 1.
After a reboot, the diagnostic logging will be enabled. Every major step in processing GPOs
riggers an event log entry.
elpful Hint
Many Group Policy error codes have not been well documented. However, you
can find a reference list on microsoft.com. Search for Troubleshooting Group Policy Using
8/10/2019 5 Troubleshooting and Backing Up GPOs
35/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 35/51
vent Logs.
Backing Up, Restoring, Importing, and Copying GPOs
igure 125: Backing Up, Restoring, Importing, and Copying GPOs
n a large, complex environment, it is important to provide the ability to restore GPOs
independent of the full backups of the Active Directory environment. The Group Policy
anagement Console includes the ability to perform backups and restores of individual
olicies, or all policies in the domain.
This topic explains how to back up, restore, import, and copy GPOs.
Backing Up GPOs
igure 126: Backing Up GPOs
Considering the importance of GPOs, having backups is highly desirable. The GPOs do exist
in Active Directory and the Sysvolshares, so if you have multiple domain controllers, you
8/10/2019 5 Troubleshooting and Backing Up GPOs
36/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 36/51
already have redundancy. However, without the GPMC, you do not have a convenient way
of restoring individual GPOs and importing GPO settings into other GPOs. Both of these
capabilities are enabled by the GPMC backup facility. When you are backing up GPOs,
emember the following: Backing up refers to the process of copying the contents of a live
GPO into any specified folder location on the computer or network where you have write
ermissions (see Figure 126).
You can back up multiple policy objects to the same folder.
You can back up multiple versions of the same policy object to the same folder.
You can restore or import backed-up GPOs.
The GPMC includes a user interface for managing backed-up policy objects (right-click the
Group Policy Objectsnode and select Manage Backups).
The following topic describes how to back up GPOs.
rocedure for Backing Up GPOs (1)
igure 127: Procedure for Backing Up GPOs
The procedure for backing up a GPO in the console is straightforward:
8/10/2019 5 Troubleshooting and Backing Up GPOs
37/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 37/51
1. Navigate to the domain of interest in the console pane.
2. Expand the Group Policy Objectsnode.
3. Right-click the policy object that you want to back up, and select Back Up.
Procedure for Backing Up GPOs (2)
Figure 128: Procedure for Backing Up GPOs (cont.)
. Select a target folder to which you have write access. You can browse to this location,
and you can also create a new folder, if necessary.
5. Create a description for the backup. This description will appear later when you are
managing your backups from within the GPMC.
6. Click the Back Upbutton.
7. Click OKwhen the backup is complete.
An alternative method is available if you wish to back up all the GPOs in a given domain. You
can use this approach to re-create the entire Group Policy structure on another domain.
To back up all the GPOs, navigate to the domain of interest, right-click the Group Policy
Objectsnode, and then select Back Up All. Follow steps 4 through 7 to finish backing up all
he GPOs.
8/10/2019 5 Troubleshooting and Backing Up GPOs
38/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 38/51
anaging the Backups
You can manage the backups that you have created from the Manage Backups dialog box.
ight-click the Group Policy Objectsnode and select Manage Backups. In the Manage
ackups dialog box, you will see the following information:
Backup location
List of backed up GPOs, including domain, name, timestamp, description, and GPO ID
A check box to show only the latest version of each GPO
A Restorebutton, which restores the selected GPO to its original domain
A Deletebutton
A View Settingsbutton, which generates an HTML report listing the settings in the selected
GPO (a convenient feature)
A Closebutton
Restoring GPOs
igure 129: Restoring GPOs
You would generally restore a GPO when you have deleted it and want it back, or when you
ave modified it (either its contents or its ACL) and want to return it to some prior condition.
8/10/2019 5 Troubleshooting and Backing Up GPOs
39/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 39/51
n these situations, restoring a GPO is much the same as restoring a file or folder.
hen you are restoring backed up files, remember the following:
Restoring refers to the process of putting a backed-up GPO back into its original location
(that is, domain) with all its original settings intact (including security settings).
Even if you are restoring a deleted GPO, it will have the same GUID that it had originally.
You cannot restore a GPO to a domain other than the one from which it was backed up.
The following topics describe how to restore GPOs and some of the caveats of restoring them.
rocedure for Restoring GPOs
The procedure for restoring a GPO varies depending on whether the GPO exists or has been
deleted.
If the GPO still exists, and you just want to return it to some prior state, right-click the
GPOin the Group Policy Objectscontainer and select Restore from Backup.
Follow the wizard.
To restore a GPO with this procedure, you must have the following permissions on it:
edit settings, delete, and modify security.
If the GPO has been deleted, right-click the Group Policy Objectscontainer, select
Manage Backups, find the backed-up GPO, select it, and click the Restorebutton.
To restore a GPO with this procedure, you must have the right to create GPOs.
Caveats of Restoring GPOs
estoring GPOs has some drawbacks:
8/10/2019 5 Troubleshooting and Backing Up GPOs
40/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 40/51
If you restore a deleted GPO, the links it had are not automatically restored. You have to
restore them manually.
If you restore a deleted GPO that includes software deployment settings, and those settings
included the option to uninstall when the application falls outside the scope of
management, users might see those assigned or published applications uninstall and then
reinstall, after the restoration of the GPO. The reason for this is that Windows thinks the
applications are new because they get a new deployment object GUID after the restore
(even though the GUID of the actual GPO remains the same as it was).
If you rename a domain, you cannot restore a GPO that was backed up before the rename
operation.
Importing GPOs
igure 130: Importing GPOs
mporting a GPO transfers the settings in a backed-up GPO to an existing and active GPO.
mporting never creates a new GPO.
An export command for GPOs does not exist. Backing up a GPO is the functional
equivalent of exporting it.
The following topics explain why you might want to import GPOs and how to import them.
8/10/2019 5 Troubleshooting and Backing Up GPOs
41/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 41/51
easons for Importing GPOs
n certain situations, you might want to import a GPO rather than simply restore it. For
instance:
You do not want to create a new GPO, but instead, you want to augment the settings
contained in an existing GPO without changing any of the security settings (ACEs) of that
existing GPO.
You want to migrate a GPO from one domain to another, but you do not have connectivity
and trust relationships between the domains. To elaborate:
If you did have connectivity with trusts, you would simply perform a copy operation
(drag-and-drop) instead of a back-up-and-restore cycle.
The restore operation always restores a GPO to the domain from which it was backed
up, so you cannot use it to migrate a GPO from one domain to another.
rocedure for Importing GPOs
To import a backed-up GPO:
1. In the Group Policy Objectsnode of the console, right-click an existing GPO, and
select Import.
2. Specify the backed-up GPO whose settings you would like to import. You can also
specify a migration table.
Copying GPOs
8/10/2019 5 Troubleshooting and Backing Up GPOs
42/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 42/51
igure 131: Copying GPOs
You can use the GPMC to copy and paste GPOs, either via the context menu of the GPO or
y dragging and dropping. How is this different from importing GPOs?
A copy operation always creates a new GPO at the destination location; an import operation
never does.
A copy operation always starts with an active GPO; an import operation starts with a
backed-up GPO.
The following topic describes the requirements for copying GPOs.
equirements for Copying GPOs
n order to copy a GPO from one location to another, the source and target locations must
ave physical connectivity and a trust relationship. If you are copying a GPO from one
domain to another within the same forest, these requirements are usually not a problem.
owever, if you are copying a GPO from one domain to another in a different forest, then
ou must either have a forest trust in place (Windows Server 2003 and later only), or you
ust perform a backup-and-import operation rather than a copy operation.
Building Migration Tables
8/10/2019 5 Troubleshooting and Backing Up GPOs
43/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 43/51
igure 132: Building Migration Tables
Active Directory was not created to enable administrators to copy a large number of objects
etween domains. Therefore, the process for copying a GPO from one domain to another is a
little complex. If all you have in a particular GPO are Administrative Templatessettings, that
is, registry-based policies, then you can use a simple drag-and-drop method to copy GPOs.
owever, if your GPO contains more settings, then you should expect some migration
conflicts.
This topic explains how to use migration tables to resolve SID and UNC path conflicts and
ow to build a migration table.
Using Migration Tables to Resolve SID and UNC Path
Conflicts
igration tables can help resolve the SID and UNC path conflicts that can arise from moving
GPOs from one domain to another.
SID Conflicts
GPOs tend to contain domain-specific SIDs. For example, user rights (part of the Security
Settings node of a Group Policy Object) typically include references to domain groups, such
as Backup Operators.
The SID for the Backup Operators group in Domain A is not the same as the SID for the
ackup Operators group in Domain B. This mismatch is a problem, so you would need, inhis case, the ability to map the migration of SIDs. In addition, explicit, user-specific access
controls might have been set forth in the origin domain; these, too, would need to map over to
8/10/2019 5 Troubleshooting and Backing Up GPOs
44/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 44/51
different SIDs in the destination domain.
The types of policies that could include SID information and, therefore, possibly need
emapping, include the following:
File system permissions (NTFS)
Folder redirection
Software settings (specifically, ACLs on software deployment objects)
User rights assignments
UNC Path Conflicts
Another potential migration problem arises from the fact that some GPOs contain settings
that use UNC notation to reference specific network paths. For example, an assigned
software package might specify a distribution point within the domain; in fact, it is likely to
do so. When that policy moves to a new domain, the distribution point might no longer be
available due to permissions issues. Even if it is available, there might be performance (and
administrative) problems associated with the cross-domain traffic.
The types of policies that could include UNC information, and therefore possibly need
emapping, include the following:
Folder redirection
Software settings
Logon, logoff, startup, and shutdown scripts
Building a Migration Table
8/10/2019 5 Troubleshooting and Backing Up GPOs
45/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 45/51
igure 133: Building a Migration Table
The solution to the problem of moving GPOs from one domain to another is to build a
igration table for security principals and UNC paths that require translation. Put the old
setting on the left and the new setting on the right.
After you create the migration table, you can specify the migration table during the GPO copy
operation, and it will act much like a global search-and-replace facility for all occurrences ofhe specified SIDs and paths.
You can build migration tables with the Mtedit tool. You can either run the tool or invoke it
rom within the GPMC by right-clicking the Domainsnode and selecting Open Migration
Table Editor. (You can also right-click the Group Policy Objectsnode to get to this menu
choice.) The XML data files associated with the Mtedit tool have the extension .migtable.
The sample migration table included by Microsoft with the GPMC appears in Figure 133 and
illustrates many of the possible combinations of format for each of the three columns.
ote the entry in the Destination Namecolumn. This is
shorthand for Replace the original domain name with the destination domain name, but keep
everything else the same. That is, testdomain1\Group02would become
estdomain2\Group02.
ote also the entry in the Destination Namecolumn. This is shorthand
8/10/2019 5 Troubleshooting and Backing Up GPOs
46/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 46/51
or Dont change a thing; in fact, this entry doesnt even need to be here except perhaps to
clarify that we know this entry doesnt need to change.
elpful Hint
You can use migration tables both for copying and for importing GPOs.
cronyms
The following acronyms are used in this section:
ACE access control entry
ACL access control list
CD compact disc
RS File Replication Service
GPC Group Policy container
GPMC Group Policy Management Console
GPO Group Policy object
GPT Group Policy template
GUID globally unique identifier
TML Hypertext Markup Language
D identification or identifier PSec IP Security
T Information Technology
MC Microsoft Management Console
TFS New Technology File System
OU organizational unit
DC Primary domain controller
SoP Resultant Set of Policy
SID security identifier
SP1 Service Pack 1
8/10/2019 5 Troubleshooting and Backing Up GPOs
47/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 47/51
NC Universal Naming Convention
AN wide area network
MI Windows Management
Instrumentation
ML Extensible Markup Language
Section Review
Summary
A few of the command-line tools that you can use to troubleshoot Group Policy
deployment and the health of the existing GPOs are:
Group Policy Results: This tool provides RSoP details.
Group Policy Update: This tool refreshes Group Policy settings without rebooting.
GPO Verification tool: This tool ensures that the contents of all the linked Sysvol
folders in the domain contain valid and up-to-date GPOs. It also checks for version
mismatches between the GPT stored in the Sysvolfolder and the GPC in Active
Directory.
Replication Monitor: This tool gathers a wide variety of replication details. It also
monitors the replication status of current GPOs per domain.
The RSoP helps to trace how the policy links are applied for a specified user and a
specified computer. It also identifies effective settings and winning policy objects.
Some of the RSoP tools that you can use to troubleshoot GPO processing are:
Group Policy Results: This tool presents real information that reflects how the policy
is applied.
Group Policy Modeling: This tool permits you to perform a simulation before actuallyapplying the policy.
HTML file for reporting: Both the GPMC and the Gpresult command-line tools can
8/10/2019 5 Troubleshooting and Backing Up GPOs
48/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 48/51
produce reports in the form of HTML file output. Using these reports, you can view and
analyze the policies that are configured and determine where the policies came from.
The GPO logging tools that you can use to obtain more detail about the GPO processing
issues are:
The Userenv.log: This log contains a detailed verbose log of the logon process.
Event logs: These logs record all GPO events with a minimum amount of detail.
You can back up, restore, import, and copy GPOs. The purpose of these functions are:
Back Up: This function copies the contents of a live GPO into any specified folder
location on the computer or network where you have write permissions.
Restore: This function restores a GPO when you have deleted it and want it back, or
when you have modified it (either its contents or its ACL) and want to return it to some
prior condition.
Import: This function transfers the settings in a backed-up GPO to an existing and active
GPO. (The import process does not create a new GPO.)
Copy: This function creates a new GPO at the destination location. It starts with anactive GPO.
Use the Mtedit tool to build migration tables. You can either run the tool or invoke it from
within the GPMC (right-click the Domainsnode and select Open Migration Table
Editor).
nowledge Check
1. Name and describe the two GPO logging tools.
2. Describe the following tools:
Group Policy Results
Replication Monitor
3. Which tool is used to build migration tables?
8/10/2019 5 Troubleshooting and Backing Up GPOs
49/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 49/51
a. Userenv
b. GPO Migration
c. Mtedit
d. Event log
. Match each GPO process with its correct description. Write the letter of the description
in the Answer column.
Answer GPO
Process
Description
1.________
Restore A.Creates a new GPO at the destination location. It starts with an active
GPO.
2.________
Back up B.Restores a GPO when you have deleted it and want it back, or when
you have modified it (either its contents or its ACL) and want to return it
to some prior condition.
3.________ Copy C.Transfers the settings in a backed-up GPO to an existing and ac tive
GPO.
4.________
Import D.Copies the contents of a live GPO into any specified folder location on
the computer or network where you have write permissions.
5. Which RSoP tool does the following text describe?
This tool presents real information that reflects how the policy is applied.
a. Group Policy Results
b. HTLM file for reporting
c. Group Policy Modeling
d. Group Policy Verification
Knowledge Check Answer Key
8/10/2019 5 Troubleshooting and Backing Up GPOs
50/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
https://skillpipe.courseware-marketplace.com/reader/en-GB/Book/BookPrintView/b6175ac1-149e-4f52-83bd-6350c9133320?ChapterNumber=6&FontSize 50/51
The correct answers to the Knowledge Check questions are bolded.
1. Name and describe the two GPO logging tools.
The Userenv.log: Contains a detailed verbose log of the logon process.
Event logs: Record all GPO events with a minimum amount of detail.
2. Describe the following tools:
Group Policy Results: This tool provides RSoP details.
Replication Monitor: This toolgathers a wide variety of replication details. It also
monitors the replication status of current GPOs per domain.
3. Which tool is used to build migration tables?
a. Userenv
b. GPO Migration
c. Mtedit
d. Event log
. Match each GPO process with its correct description.
Answer Group
Policy
Feature
Description
1. BRestore A.Creates a new GPO at the destination location. It starts with an active GPO.
2. DBack up B.Restores a GPO when you have deleted it and want it back, or when you
have modified it (either its contents or its ACL) and want to return it to some
prior condition.
3. ACopy C.Transfers the settings in a backed-up GPO to an existing and active GPO.
4. CImport D.Copies the contents of a live GPO into any specified folder location on the
computer or network where you have write permissions.
8/10/2019 5 Troubleshooting and Backing Up GPOs
51/51
16/11/2014 5 Troubleshooting and Backing Up GPOs
5. Which RSoP tool does the following text describe?
This tool presents real information that reflects how the policy is applied.
a. Group Policy Results
b. HTLM file for reporting
c. Group Policy Modeling
d. Group Policy Verification
Recommended