Re: Group Policy debug tool?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Darren Mar-Elia (fermentedgrape_at_yahoo.com)
Date: 04/27/04 

Date: Mon, 26 Apr 2004 17:38:28 -0700

At the risk of spinning endlessly on this, I think you're missing my point
Christoffer. Gpresult, even in verbose mode, simply tells you all of the
settings that have been processed by a user or computer. I believe, and I
may be wrong here since we haven't heard from the original poster, that what
he was asking is how you can make a one-to-one correlation between a user's
particular activity and the policy that is controlling it. In some obvious
cases (e.g. Remove Run from Start Menu) then you can look at the policy
using GPREsult and say definitely where that behavior is coming from.
However, this is not always the case with all policy. For example, I used to
see very strange behavior with "Hide Drives" policy and certain 16-bit apps.
It was not altogether clear that Hide Drives was causing this until after
excessive trial and error. Similarly, certain granting or restricting of
security options can have indirect consequences on user experience and the
behavior of certain applications. In other words, RSoP alone won't tell you
what policy is resulting in a particular behavior. That's why something like
RegMon gets you much closer--because you can see which registry value, and
thus policy, may be read during a particular operation.

"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:%23HJ34x9KEHA.3684@TK2MSFTNGP12.phx.gbl...
> In fact gpresult do this. run gpresult /v and you will see which policy is
> affecting the user or computer.
>
> The best tool may be GPMC.
>
> --
> Regards
> Christoffer Andersson
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
> "Darren Mar-Elia" <fermentedgrape@yahoo.com> skrev i meddelandet
> news:OL2E1m7KEHA.556@tk2msftngp13.phx.gbl...
> > Well, yes, but the point is that they don't tell you which policy is
> > affecting a particular user activity. They tell you what policy settings
> > were processed during the last processing cycle, as stored in WMI, but
> you
> > still have to figure out which user activity is being impacted by which
> > policy setting.
> >
> >
> > "Chriss3" <noSpamHere@chrisse.se> wrote in message
> > news:uBbQA56KEHA.808@tk2msftngp13.phx.gbl...
> > > gpresult as well rsop.msc can be targeted to monitor a remote
computer.
> > >
> > > --
> > > Regards
> > > Christoffer Andersson
> > >
> > > No email replies please - reply in the newsgroup
> > > ------------------------------------------------
> > > http://www.chrisse.se - Active Directory Tips
> > > "Darren Mar-Elia" <fermentedgrape@yahoo.com> skrev i meddelandet
> > > news:uobct$yKEHA.2952@TK2MSFTNGP10.phx.gbl...
> > > > Actually, neither of these will get you what you want Adam.
> Userenv.log
> > > just
> > > > tells you what each CSE is doing as the policy is applied and
> gpedit.log
> > > is
> > > > only good if you are having problems actually editing a GPO. What it
> > > sounds
> > > > like you're asking for is something that will tell you which policy
is
> > > > blocking a particular user activity in realtime. Nothing like that
> > exists
> > > > that I know of. You're on track with suggesting something similar to
> > > Regmon,
> > > > and in fact you may be able to use Regmon to get some sense of this.
> The
> > > > challenge of course is that Regmon is great for telling you about
> things
> > > > going on in the registry that are obvious, but if you're dealing
with
> > > stuff
> > > > like you've described here, using Regmon will be like trying to find
a
> > > > needle in a haystack.
> > > >
> > > > One option is to just run gpresult or rsop.msc on the affected
client
> > and
> > > > then go through each of the policies that have been set to determine
> > which
> > > > one could be the most likely culprit. The one you've described below
> > > sounds
> > > > like some kind of IE security setting, so I would start with any IE
> > policy
> > > > that has been set up. Its also possible that they used some
> restrictions
> > > > outside of GPO, like the IEAK, to control some of this IE behavior,
in
> > > which
> > > > case you may not find it in GPO. No good answer, unfortunately.
> > > >
> > > > Darren
> > > >
> > > > "Chriss3" <noSpamHere@chrisse.se> wrote in message
> > > > news:OX2pvqwKEHA.3076@TK2MSFTNGP10.phx.gbl...
> > > > > JSI Tip 3799. How do I monitor group policy functions?
> > > > > http://www.jsiinc.com/SUBH/tip3700/rh3799.htm
> > > > >
> > > > > 250842 - Troubleshooting Group Policy Application Problems
> > > > > http://support.microsoft.com/default.aspx?scid=kb;EN-US;250842
> > > > >
> > > > > You can also use the command line tool gpresult.
> > > > >
> > > >
> > >
> >
>
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
> > > > >
> > > > > --
> > > > > Regards
> > > > > Christoffer Andersson
> > > > >
> > > > > No email replies please - reply in the newsgroup
> > > > > ------------------------------------------------
> > > > > http://www.chrisse.se - Active Directory Tips
> > > > > "Adam Leinss" <aleinss@toughguy.net> skrev i meddelandet
> > > > > news:30538e20.0404251224.581996ec@posting.google.com...
> > > > > > Does a group policy debug tool exist? We had a 3rd party come
in
> to
> > > > > > do our group policy setup. Now that we are implementing Windows
> > 2000
> > > > > > in departments we are finding users are restricted by group
policy
> > in
> > > > > > silly ways, such as not being able to save a DOC file from a web
> > site.
> > > > > > We then have to go into the GPMC and through guesswork drill
down
> > to
> > > > > > what we think the policy is that is blocking the particular
action
> > the
> > > > > > user is trying to do. It would be nice to turn on the tool, do
> the
> > > > > > action and then when that user gets the restriction have that
> > logged
> > > > > > somewhere so we can track what policy is causing the action.
> > > > > >
> > > > > > If you ever used Regmon to monitor a program's access to the
> > registry
> > > > > > or Filemon to monitor a program's access to file(s), I'm
thinking
> > this
> > > > > > utility would work that way.
> > > > > >
> > > > > > Thanks,
> > > > > > Adam
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: How to configure LogOff script to remove a folder from users m
    ... A copy of the GPRESULT output won't be much use in this case, ... Director of IT (MCP, MCDBA) ... Just right click the OU and select "link existing group policy". ...
    (microsoft.public.windows.group_policy)
  • Re: Permission denied - network properties W2K Server
    ... I've disabled all the settings in this catagory on both ... You can use gpresult to see what policies are ... >by giving the administrators deny permissions to apply ... >> another admin has configured the security policy. ...
    (microsoft.public.win2000.group_policy)
  • Re: syntax problem with gpresult - and problem with Group Pol in gener
    ... Because GP runs out of Winlogon, that sort of would confirm my suspicion, but one way to check is to view the profile of one of these service accounts on a machine in question. ... You can drill into them to the policy location and verify that you are getting policy settings under them. ... I am running gpresult with the following syntax and cannot get the ... for usage. ...
    (microsoft.public.win2000.group_policy)
  • Re: SFS / Local / Group policy
    ... File and Print sharing not enabled on certain machines. ... I have already ran the gpresult from the command line and no help what so ... policy is through the use of setting up the local policy and then this gets ... "Is your GPO being applied? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Shutdown/Removed Power User rights from desktop
    ... Settings, Local Policies, User Rights Assignment, Shutdown the system. ... If a security policy setting is undefined it may have been define at ... >> have the support tools installed but can not find gpresult. ...
    (microsoft.public.win2000.security)