Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. It features a collection of resources and magazines for Windows IT professionals.
  
  


March 19, 2001

Group Policy Tools



Several months ago, I wrote a series of articles about Group Policy capabilities and implementation. Judging from the response I received, Group Policy is a hot topic for a lot of us. Because most of your questions addressed migration and troubleshooting, let's discuss three helpful troubleshooting tools included in the Microsoft Windows 2000 Resource Kit. I'll also share some tips I learned from my own experience that might help you as you design your own Group Policy implementation.

Gpolmig.exe
First, let's talk about migration. Because of the differences that exist between Win2K Group Policies and Windows NT 4.0 System Policies, I recommend that you build your Group Policy Objects (GPOs) from scratch instead of migrating your existing System Policy settings. Group Policy capabilities are more extensive than System Policy capabilities, and you must apply Group Policies differently. In other words, the differences between the technologies are too great to justify a migration effort. However, if you really must perform a migration, you can use the resource kit utility gpolmig.exe, a command-line tool that lets you migrate settings from NT 4.0 System Policies to Win2K GPOs. Because of NT 4.0 and Win2K registry and setting-location differences, you need to test GPOs after the migration to verify that they're producing the desired effect.

Gpresult.exe
Most of the troubleshooting questions I've received ask why a particular Group Policy affects a particular user or computer or why a GPO isn't producing the desired results. In these situations, the resource kit utility gpresult.exe can be very useful. Gpresult.exe is a command-line utility that lets you see which GPOs you've applied to the local machine and the user who's logged on. Gpresult.exe also lets you see software you installed using Group Policy, folders you've redirected using Group Policy, IP Security (IPSec) settings, disk quota information, applied registry settings, and information about the last time you applied Group Policy. In other words, GPResult tells you not only what GPOs you've applied to the user and computer, but also what effect those GPOs have had. GPResult can accomplish in a few seconds what might otherwise take half an hour to figure out using Active Directory Users and Computers and Group Policy Editor (GPE).

If we review how you apply GPOs, we might answer many of your migration and troubleshooting questions before they arise. Remember that you apply GPOs to computer objects and user objects based on where those objects reside in the Active Directory (AD) hierarchy. When you look at a GPO in GPE, you see that it consists of Computer Configuration, which applies to computer objects, and User Configuration, which applies to user objects. If a user's user object—not the computer object representing the machine that the user logs on to—resides in the Sales Organizational Unit (OU), and you apply a GPO to the Sales OU, only the GPO's User Configuration settings will apply to that user. The Group Policy settings that apply to the computer configuration will come from the GPO that you apply (or link) to the OU that the computer object is a member of. This arrangement might seem complex, but in a large environment, it's more manageable than System Policy. You apply System Policies to groups, but a user can be a member of multiple groups, all of which can have different System Policies applied. The advantage of Group Policy's application is that a user or a computer will exist in only one AD location at a time.
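The scoping rule described above can be modeled in a few lines. This is an added illustration, not code from the article or from any resource kit tool; the distinguished names and GPO names are constructed, and it goes slightly beyond the text by ordering the result from the domain down to the nearest OU.

```python
# Added illustration: constructed DNs and hypothetical GPO names.
# Not modeled: site and local policy, Block Inheritance, No Override, loopback.

def containers(dn):
    """Containers that hold an object, domain first, nearest OU last."""
    parents = [p.strip() for p in dn.split(",")][1:]  # naive split; drop the object's own RDN
    first_dc = next(i for i, p in enumerate(parents) if p.upper().startswith("DC="))
    chain = [",".join(parents[first_dc:]).lower()]    # the domain itself
    for i in range(first_dc - 1, -1, -1):             # walk inward toward the object
        if parents[i].upper().startswith("OU="):      # GPOs link to OUs, not CN= containers
            chain.append(",".join(parents[i:]).lower())
    return chain

def applied_gpos(user_dn, computer_dn, links):
    """links maps a container DN to the GPO names linked there."""
    links = {k.lower(): v for k, v in links.items()}

    def collect(dn):
        return [gpo for c in containers(dn) for gpo in links.get(c, [])]

    # User Configuration follows the user object's location;
    # Computer Configuration follows the computer object's location.
    return {
        "user_configuration": collect(user_dn),
        "computer_configuration": collect(computer_dn),
    }

# Constructed sample directory
LINKS = {
    "DC=example,DC=com": ["Domain Baseline"],
    "OU=Sales,DC=example,DC=com": ["Sales Desktop"],
    "OU=Workstations,DC=example,DC=com": ["Workstation Lockdown"],
}
USER_DN = "CN=Pat,OU=Sales,DC=example,DC=com"
COMPUTER_DN = "CN=PC042,OU=Workstations,DC=example,DC=com"

if __name__ == "__main__":
    for side, gpos in applied_gpos(USER_DN, COMPUTER_DN, LINKS).items():
        print(side, "<-", gpos)
```

Note that the Computer Configuration half of "Sales Desktop" never reaches PC042, because the computer object sits outside the Sales OU.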

Gpotool.exe
Another resource kit tool that's useful for supporting Group Policy is gpotool.exe. Client machines receive Group Policy settings from the Win2K domain controller (DC) that authenticates them. The authenticating DC stores these settings in its SYSVOL share, and its SYSVOL contents replicate to every other DC in the domain. This replication ensures that you apply the same Group Policy settings regardless of which DC performs authentication. Gpotool.exe verifies that replication occurs properly by comparing the GPO instances on each DC and checking that they are consistent. This step can be useful when you have to troubleshoot inconsistencies.
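To make the idea of a cross-DC consistency check concrete, the following added example (not gpotool's own logic, and not from the article) compares the `Version` value in each DC's copy of a GPO's `gpt.ini`. The DC names, GUIDs and file contents are constructed; it relies on the `gpt.ini` convention that the high 16 bits of `Version` count user-setting revisions and the low 16 bits count computer-setting revisions.

```python
import configparser

def parse_gpt_ini(text):
    """Return (user_version, computer_version), or None if the DC has no copy."""
    if text is None:
        return None
    cp = configparser.ConfigParser()
    cp.read_string(text)
    version = cp.getint("General", "Version")
    return (version >> 16, version & 0xFFFF)

def find_inconsistent(gpo_copies):
    """gpo_copies: {gpo_guid: {dc_name: gpt.ini text or None}}.

    Returns {gpo_guid: {dc_name: versions}} for every GPO whose copies
    do not all carry the same version pair.
    """
    report = {}
    for guid, by_dc in gpo_copies.items():
        versions = {dc: parse_gpt_ini(text) for dc, text in by_dc.items()}
        if len(set(versions.values())) > 1:
            report[guid] = versions
    return report

# Constructed sample: gpt.ini as read from each DC's SYSVOL copy of two GPOs
SAMPLE = {
    "{11111111-1111-1111-1111-111111111111}": {
        "DC1": "[General]\nVersion=131077\n",   # user 2, computer 5
        "DC2": "[General]\nVersion=131076\n",   # user 2, computer 4 (stale copy)
    },
    "{22222222-2222-2222-2222-222222222222}": {
        "DC1": "[General]\nVersion=65537\n",    # user 1, computer 1
        "DC2": "[General]\nVersion=65537\n",
    },
}

if __name__ == "__main__":
    for guid, versions in find_inconsistent(SAMPLE).items():
        print("MISMATCH", guid)
        for dc, v in sorted(versions.items()):
            print("   ", dc, "missing" if v is None else "user=%d computer=%d" % v)
```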

Some Suggestions
When you begin to realize all of Group Policy's capabilities, you might feel like the proverbial kid in the candy store. However, like that kid, you can run into problems if you try to implement too much too quickly. Instead of trying to implement a Group Policy design that accomplishes everything, start simply. For example, identify a Top 10 list of problems that your IT support group faces and design Group Policies to address those issues. Also, think as broadly as possible, identifying Group Policy settings that should apply to the vast majority of the users and computers on your network. Such thinking will help you implement a design that you can apply at the domain level with one or a few GPOs, which will simplify troubleshooting.

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved.